decision_ref that authorised it and emits an execution_ref: decision-bound,
content-addressed execution evidence that any party can recompute offline, with no issuer contact.
This closes a gap most audit trails leave open. A log says an operation happened. A connector
makes the operation provably consistent with the decision that permitted it: change the table,
the topic, the path, the outcome, or the decision it points to, and the execution_ref no longer
recomputes. Correlation becomes proof.
The connectors are open, keystone-only editions (Apache-2.0), built on the AlgoVoi substrate’s
RFC 8785 JCS + SHA-256 discipline. They are not published to a registry — they are made
available on request. Email chopmob@gmail.com for the package and
integration notes. The signed, hash-linked chain of operations (PQC + CCC ingest) is the
commercial tier.
Where they fit
Connectors hang off theexecution_ref stage of the keystone. One decision can authorise work
that lands across several data planes at once; every plane carries the same decision’s fingerprint.
The connectors
Relational databases (ODBC / DB-API)
Wraps any DB-API 2.0 cursor (pyodbc, sqlite3, psycopg, and the wider ODBC family). Every executed
statement is bound to its decision, with the action type derived from the SQL verb
(insert / update / delete) and the table as scope. Use it when a write to a system of record must
be provably tied to the decision that allowed it.
OpenLineage
Attaches a keystone run facet to each OpenLineage RunEvent, so the data-lineage standard’s own
events carry the 
execution_ref; the outcome is derived from the event type. Use it when a data
job’s lineage should also prove which decision authorised the run — the keystone rides the
standard you already emit.HTTP services (ASGI / WSGI)
gRPC services
A server interceptor binds each unary call to its decision, keyed to the full method, with the
outcome reflecting whether the handler completed or raised. Use it when service-to-service calls
over the RPC standard need to prove which decision authorised each invocation; streaming handlers
pass through unbound.
Object storage (S3 / boto3)
Wraps any boto3-style S3 client so each object write (put / delete / upload) carries an

execution_ref keyed to bucket/key, while reads pass through untouched. Use it when an object
landing in a bucket represents a decision being acted on — a stored receipt, export, or artifact
that must be provably tied to its decision.Redis
Wraps any redis-py client so each write command (set, delete, hset, expire, lpush, sadd, …)
carries an 
execution_ref keyed to the key, while reads pass through untouched. Use it when a
cached or stateful value being written represents a decision being acted on — a session, a quota,
a lock, a counter.MongoDB (pymongo)
AMQP / RabbitMQ
Wraps any pika-style channel so each publish carries an 
execution_ref keyed to
exchange/routing_key, while consumers and declarations pass through. Use it when a message on a
broker represents a decision being acted on and downstream consumers need to verify it — the
classic broker counterpart to the Kafka connector.Verified end to end
The connectors are proven together, not just in isolation. A single decision is driven through all the planes at once — a database insert and update, a streamed event, a lineage run, an HTTP write, a gRPC call, and an object write — and an independent verifier then recomputes everyexecution_ref from its recorded fields. The chain reconciles only when three things hold for
every operation:
- Recompute — the recorded fields reproduce the exact
execution_refbyte-for-byte. - Decision-bound — swap in a different
decision_refand every ref changes; the binding is load-bearing, not decorative. - Tamper-evident — alter any field (table, topic, path, outcome) and the ref no longer matches.
Validating the evidence
Connectors emitexecution_ref records; algovoi-keystone-validate checks a batch of them.
Every connector record is self-describing — it carries the decision_ref and a normalised
scope alongside the execution_ref — so the output of any connector drops straight into the
validator with no mapping. It recomputes every execution_ref offline against the same primitive,
optionally asserts they all bind to the decision you expect, and logs what failed and why —
separating two failure classes an operator must never confuse:
- Integrity error — the recorded fields do not recompute to the claimed
execution_ref(tampering or corruption); the evidence cannot be trusted. - Operational error — the
execution_refis valid, but records an operation whose outcome wasFAILED; a real, trustworthy record of a runtime failure.