Core concept

Strict Write Discipline

SWD is the verification protocol at the core of Rezos. It ensures that every file operation an AI agent claims to perform is validated against the actual filesystem using SHA-256 cryptographic hashes.

The problem

Large language models operate on a trust-based model: they generate text describing actions, and the surrounding tooling executes those actions. This creates an invisible gap between what the model claims to have done and what actually happened on disk.

This gap manifests in two ways:

Phantom edits: The model claims to have updated a file but the write never happened, or happened incorrectly. The conversation history looks complete; the filesystem doesn't agree.
Silent drift: The model correctly wrote a file in one turn, but subsequent operations — by the same or a different agent — modified it without updating the memory log.

How SWD works

// Simplified SWD execution flow

User prompt

↓

[Claude Opus 4.7] with adaptive thinking

↓

Parse FILE_ACTION blocks from output

↓

Snapshot referenced files (SHA-256)

↓

Execute operation on filesystem

↓

Compare pre/post hashes

├─ ✓ Match → Log to MEMORY.md → Seal receipt

└─ ✗ Mismatch → Correction turn (max 2)

└─ Still failing → Yield to human

Parse FILE_ACTIONs

Rezos parses the model output for structured FILE_ACTION blocks. These blocks describe the operation (CREATE, UPDATE, DELETE), the target path, and optionally the line range and reason. No action executes without a valid block.

Pre-snapshot

Before any write occurs, Rezos computes a SHA-256 hash of every file referenced in the FILE_ACTION. For new files, the hash is the empty string sentinel. These hashes form the trusted baseline.

Execute

The operation executes. Rezos writes the content the model provided, respecting .rezosignore exclusions and blocking writes to secrets paths unless --allow-risky is set.

Post-snapshot & verify

A second round of SHA-256 hashes is computed. The deltas are compared against what the model claimed. If the file content matches the model's assertion, verification passes.

Seal receipt or correct

On success, a tamper-evident receipt is written to .rezos/receipts/ and MEMORY.md is updated. On failure, the model receives a correction turn with the hash mismatch details. After 2 failed corrections, control returns to the human.

SWD Receipts

Every verified session produces a receipt — a JSON file in .rezos/receipts/ that records:

// .rezos/receipts/4831.json

{

"session": "#4831",

"provider": "anthropic/claude-opus-4-7",

"verified": true,

"drift": 0,

"cost_usd": 0.06,

"files": [

{

"path": "src/auth/middleware.ts",

"op": "UPDATE",

"pre_hash": "sha256:a3f9c2...",

"post_hash": "sha256:b7e4d1...",

"verified": true

}

"sealed_at": "2026-05-25T18:42:00Z"

}

External agent support

Rezos doesn't have to be the agent. Any agent that outputs FILE_ACTION blocks — or JSON — can be routed through SWD via rezos swd apply --stdin. This lets you bring verification to Claude Code, Cursor, or your own agent framework without changing your workflow.

$ claude-code run “refactor auth.ts” | rezos swd apply --stdin --json