Flynn: the reference implementation of Provetrail

5 min read

Flynn is the reference implementation of Provetrail, the open standard for verifiable execution provenance. It is a single Go binary that emits a governed, tamper-evident record of everything it does, and as of this writing it is the only complete implementation that passes the full Provetrail conformance suite across every tier.

This post is the Flynn side of that story. For the neutral standard itself, its definition, its RFCs, and its conformance rules, start at provetrail.org.

What Provetrail asks of an implementation

Provetrail is a portable, third-party-verifiable record of what an agent did, in what order, and under what authority. The standard is deliberately implementation-agnostic: any runtime in any language can produce or verify records, and conformance is decided by a published vector suite rather than by any vendor. An implementation is judged on which tiers it clears, integrity, governance, and ground truth, not on who wrote it.

That neutrality is the point. It is also why “reference implementation” is a claim worth making precisely, not loosely.

How Flynn produces the record

Most systems that hand you a record write it around the work: the agent runs, and something logs what it says it did. Flynn writes the record from inside the work. Every action an agent takes passes through one dispatch boundary, and that boundary is where Flynn admits, scopes, and records it. The record is a byproduct of enforcement, not a narration added afterward.

Concretely, for each side-effecting action, Flynn commits:

  • Admission before execution. The action is checked against policy before it runs, and the decision is written into the record. An action with no admission cannot appear as though it simply happened.
  • Capability and containment. The action stays within the capabilities it was granted. Out-of-scope calls are refused, and the refusal is recorded too.
  • Budget and approval. Resource ceilings and human-approval gates fire where required, recorded as enforced facts rather than stated intentions.
  • Ground truth. Where a claimed outcome can be checked against real system state, the check and a hash of what was observed are committed, so an authorized party can re-run it.

Because the component that mediates the action is the component that writes the line, the honesty is structural. The agent cannot record “I only touched staging” while touching production, because the substrate that made the real call is what wrote the record.

Verify it, do not trust it

Every record Flynn emits is chained into a signed Merkle root and signed with Ed25519 over COSE. You verify it with flynn spine verify, which reports the integrity, governance, and ground-truth tiers separately, so you can see exactly what a given record establishes.

You do not need Flynn installed to check a Flynn record. The verifier ships as a thin client, and you can watch one run entirely in your browser on the Provetrail home page: it verifies a real signed record client-side, and tampering with a single byte breaks the proof in front of you.

Why “the only complete one” is a fact, not a boast

Running code is what turns a specification into a standard, and Provetrail’s conformance vectors are what turn “our implementation is good” into something you can check. Flynn passes the full suite across all three tiers today. Other approaches in this space reach the integrity tier, a signed and tamper-evident record, which is real and useful work. The governance and ground-truth tiers are harder because they cannot be produced by a wrapper or a logger; they require a runtime that actually enforces admission, capability, budget, and outcome-checking at dispatch. Flynn was built as that runtime from the start, so emitting the proof is nearly free.

We hold the same ceiling in public that the standard does. A Provetrail record proves the record is intact, authentic, governed, and evidence-bound. It does not, on its own, prove the emitting binary was unmodified or that nothing was omitted. Closing that gap (binding a record to the exact reviewed build, and making omission detectable) is work in progress, and we will say so plainly until it ships. The honest version of the argument is on the standard’s site: signed versus proven.

Try Flynn

Flynn is open source (Apache-2.0), a single Go binary. Bring your own model, point it at a goal, grant it real authority, and get a verifiable record of everything it did.

Last updated: 12 July 2026.