Portable memory is a claim, and claims need a way to be checked. If we tell you a .laplaspack file holds your typed entities, their causal links, and the thoughts attached to them, that is worth exactly nothing unless a third party — you, an auditor, someone you never met — can open the file themselves and confirm two things: that it says what we say it says, and that nobody edited it after it was signed. Neither check should require our servers, our app, or a model. We authored an open, MIT-licensed spec for the format, and alongside it two small Python programs that make both checks concrete. This post walks through them.
The reader imports nothing but the standard library
A pack is a single SQLite database. That choice is deliberate: any SQLite client can open it read-only, and the format is a public contract rather than a private serialization. To prove that concretely, laplaspack_reader.py imports only argparse, json, sqlite3, and sys — all Python standard library. There is no network call, no service, and no model anywhere in it. Its own docstring states the test plainly: "If this runs, the format is readable by anyone."
The reader does more than a naive SELECT, because two of the format's semantics would trip one up. First, thoughts are stored raw and folded on read: _folded_thinks() collapses the thinks table to current state with last-writer-wins by (host, id), newest timestamp winning, tombstones dropped (spec §3.5). Second, and more interesting, is why() — the causal walk. Every edge carries one of six roles (derived-from, supports, raises, closes, supersedes, contradicts), and why() walks upstream from an entity, following each role in its parent direction, and returns the ordered ancestry. That is recall_why reduced to about thirty lines of stdlib code. The point is that provenance is not a proprietary feature — it is a property of the file that anyone can recompute.
A default run reconstructs the pack and prints a summary via summarize(): format version, head SHA, owner, entity/edge/think counts, and a tally of the causal roles present. If the manifest carries a signature, the reader reports its presence — the algorithm and a truncated public key — but explicitly does not try to check it, deferring that to the seal tool. Conceptually:
$ python3 laplaspack_reader.py mind.laplaspack
laplaspack: mind.laplaspack
format_version = 3 head_sha = a1b2c3d4e5f6
owner = ed25519:9f3c...
entities=214 edges=very thinks=88
causal roles: derived-from×61, supports×40, supersedes×12
$ python3 laplaspack_reader.py mind.laplaspack --why "Structure at write-time, not read-time"
why «Structure at write-time, not read-time» — 3 ancestor(s):
1. (derived-from) Capture density is the baseline [insight]
2. (supports) Provenance must be truthful, not reconstructed [principle]
3. (supersedes) Read-time extraction [approach]
The seal is reported but not verified here on purpose: checking an Ed25519 signature needs a dependency the standard library doesn't provide, and we did not want the reader to inherit it.
The seal signs content, not bytes
laplaspack_seal.py is the one tool in the repo that is not stdlib-only. Python has no Ed25519 in its standard library, so sealing declares a single dependency: pip install cryptography. Everything else — reader, writer, merge — stays dependency-free. The tool has three subcommands: keygen writes a private seed to a 0600 file and prints the public key; sign signs a pack; verify checks one.
What gets signed matters more than that it gets signed. The signature is over a canonical SHA-256 digest() of the pack's content tables — manifest (excluding the four sig_* keys), lmd_source, entities, edges, thinks, and commits. Rows are stringified, sorted, and joined with field and record separators, table by table. Because the digest is over sorted content and not raw file bytes, incidental SQLite differences — page layout, vacuum state, insertion order — do not affect it. What affects it is meaning: change one entity label, flip one edge, edit one thought, and the digest changes.
verify returns a distinct exit code for each outcome: 0 and VALID when the signature checks out, 1 and INVALID when content no longer matches the seal, and 2 when the pack carries no signature at all. Conceptually:
$ python3 laplaspack_seal.py sign mind.laplaspack --key me.key
sealed mind.laplaspack
alg ed25519
key 9f3c1a2b4d5e6f70…
digest sha256:7c1e9a...
$ python3 laplaspack_seal.py verify mind.laplaspack
mind.laplaspack: VALID — sealed by 9f3c1a2b4d5e6f70… (ed25519)
# edit a single entity label, then re-check:
$ python3 laplaspack_seal.py verify mind.laplaspack
mind.laplaspack: INVALID — content does not match the seal (key 9f3c1a2b4d5e6f70…)
Verification needs no secret and no network. Anyone holding the pack can run it. That is the whole trust story: the reader shows what a pack contains, and the seal proves it hasn't changed since its author signed it — both offline, both auditable, neither trusting us.
What this is, and what it isn't yet
These are reference tools published in the open under MIT, authored by one person. The format is a v3 draft — a public contract we're proposing, not an industry standard, not adopted anywhere, and not the product of any standards body. There are no external users. The reader, writer, and merge tools are stdlib-only; the seal is the sole exception and requires cryptography.
Several parts of the spec are not in these reference tools: redaction and partial views (§3.8) and the laplas:// Hub registry are draft or live only in our desktop client, and the class-3 semantic merge — reconciling entities that were never declared identical — remains an open question. Our engine, Manifesto, and AX systems exist in the repository, but they are pre-launch; we make no claim about production operation or scale. A separate preprint reports that on one relational-query corpus, vector RAG and our own ranked retrieval both scored find@1 of 0.00 while structured match reached F1 of 1.00 — a self-reported result on a single corpus, not peer-reviewed, not yet posted to arXiv, and with external baselines like GraphRAG and SQL-RAG listed as unrun limitations. The trust layer is narrower and more finished than any of that: two small files that let you open a pack and check its seal yourself.