sovsealsovseal
WelcomePlatformSelf-HostedCookbooksIntegrationsSDK ReferenceAPI ReferenceComponentsChangelog
Verified by the sovseal team

ZK Sandbox

Interactively inspect client-side Web Crypto operations in a safe sandbox.

Deployment ModelAvailability
Platform✓ Available
Self-Hosted✓ Available

Honesty Ledger (Provenance Layer): All playground operations execute within the Client-derived (Layer B) browser context.

ZK Trust Boundary:

  • What the server sees: An opaque JSON payload containing base64 ciphertext, IV, and the cryptographic hash.
  • What stays on device: The plaintext string, derived JSON document, and AES key bytes.

Cryptographic Sandbox

The Zero-Knowledge Sandbox lets you trace and audit the client-side Web Crypto AES-256-GCM architecture interactively. It demonstrates how plaintext memory inputs are isolated and encrypted before transmission.

Zero-Knowledge Sandbox

The 4-State Transform Lifecycle

The sandbox guides you through the exact pipeline run by the SDK or MCP client:

  1. Compile Plaintext Memory: You enter a plaintext memory fact. The playground compiles it into a canonical JSON format, ordering properties alphabetically (e.g. {"content": "..."}).
  2. Local Client-Side Encryption: Using the Web Crypto API, the browser encrypts the serialized JSON bytes. It generates a unique 96-bit random IV (Initialization Vector) and outputs the AES-256-GCM ciphertext alongside a 128-bit authentication tag.
  3. Simulate Replication POST: A simulated network call replicates the blind envelope payload.
  4. Client-Side Decryption: The response envelope is fetched. The browser applies the loaded key to decrypt the payload, validating the authentication tag and displaying the restored plaintext.

Verification of Untrusted Payload

During Step 3, the sandbox prints the exact payload transmitted over the network. Under a zero-knowledge threat model, there is zero plaintext content in this packet.

Here is an example of the replication packet:

{
  "agent_id": "98c61a4f-015d-4f10-9b43-28956ae779bb",
  "ciphertext": "3e8f4c219a10b10084f7e6a5e1281e64903a5e8c14a6016e3c5095d3a5a7b744d07b8b209c1598f1f77d33d93b91c12...",
  "iv": "OGFiM2Q3ZjllMWMwYzJlNGY1YTZiN2Q4ZQA=",
  "client_payload_hash": "a4d34f8a846c4f1c97a2202685959141b71e8f2e2d312c4155ee2a2b4b4231aa"
}

Notice that the server only logs the SHA-256 client_payload_hash for collision checks and state alignment. The memory string is completely absent from the network boundary.

Offline Reference Analogs: This documentation was written with visual and rhythm reference to platform/features/platform-overview.html.

Connect a Source

Setup and configure the agent memory sync client.

Memory Explorer

Explore and search client-side decrypted memory records locally.

On this page

Cryptographic SandboxThe 4-State Transform LifecycleVerification of Untrusted Payload