SHA-256 Identity for AI Run Declarations
SCL is the deterministic, cryptographic identity protocol for AI run declarations.
The SHA-256 identity is the final output of the SCL identity pipeline. It represents the deterministic identity of a valid declaration, not runtime behavior or execution outcomes.
Canonical JSON as the Sole Hash Input
Canonical JSON is the sole input to SHA-256 identity derivation. Without canonical JSON, deterministic identity is impossible.
Standard JSON allows variation in key ordering, whitespace, encoding, and formatting. Two serializers can produce different byte sequences for the same logical content. Hashing non-canonical JSON produces different identities for equivalent data.
Canonical JSON eliminates this variation by defining exactly one valid byte sequence for any given SCL declaration.
Canonical JSON vs Standard JSON
- Standard JSON permits arbitrary key ordering. Canonical JSON enforces raw UTF-8 byte lexicographic ordering.
- Standard JSON permits whitespace. Canonical JSON is a single-line UTF-8 byte sequence with no extraneous whitespace.
- Standard JSON permits multiple valid representations. Canonical JSON permits exactly one.
This distinction is why the protocol specification requires canonical JSON as the sole hash input.
Step-by-Step Identity Derivation
All compliant implementations follow this exact process:
- Parse input bytes under frozen SCL:V1 rules
- Validate document structure
- Produce canonical JSON from the parsed AST
- Encode canonical JSON as UTF-8 bytes
- Compute SHA-256 over the canonical JSON bytes
- Output the SHA-256 digest as the declaration identity
This process is used by all compliant implementations to produce identity deterministically.
What Is Actually Hashed
The only valid hash input is canonical JSON bytes. Not the original source text, not pretty-printed JSON, not reparsed output from another serializer, not execution results or external metadata.
The SHA-256 identity is derived exclusively from canonical JSON bytes.
Why Canonicalization Is Required
Without canonicalization, different systems could serialize the same logical content differently and produce different hashes. SCL prevents this by requiring one deterministic canonical form before hashing.
This ensures:
- Identical valid input produces identical canonical JSON bytes
- Identical canonical JSON bytes produce identical SHA-256 identity
- All compliant implementations converge on the same identity
For the exact canonicalization rules, see the SCL:V1 specification.
Determinism Across Implementations
The SHA-256 function is only trustworthy for protocol identity when every implementation hashes the exact same bytes. SCL fixes the full path:
- Deterministic parsing
- Deterministic validation
- Deterministic canonicalization
- Deterministic byte output
- Deterministic hashing
Verify identity derivation using the reference engine. See how SCL ensures deterministic identity for the complete mechanism.
What the Identity Does Not Represent
The SHA-256 identity does not represent whether a system actually ran, whether a model produced a correct result, or whether side effects occurred. It represents the declared execution identity only.
Invalid Input Has No Identity
Invalid SCL input does not produce a SHA-256 identity. Validation halts deterministically, a single error is returned, and no identity is assigned.
Identity Pipeline
This pipeline is non-negotiable. The SHA-256 identity is the final deterministic output.