TimeLayer Engineering Notes Second Brain
Engineering Knowledge Base Open Source ~12 min read

Second Brain: a knowledge base that runs on receipts

An open-source LLM knowledge base where every claim is anchored to its source, and the status "verified" is not a checkbox — it's a receipt over the hash of the current text. Edit one word and the status falls off by itself. Written so anyone keeping notes with an AI can see why this matters and how to run it.

1. What it is — and what it is not

The Second Brain is an open-source knowledge base, kept by an AI agent, with a notarial correctness layer built on TimeLayer receipts. It follows Andrej Karpathy's LLM Knowledge Base pattern — immutable sources in raw/, AI-written pages in wiki/, a cycle of Ingest / Query / Lint — and adds one thing on top: a page is only marked trusted when a check has run over its exact words and the network has signed a receipt over the result.

The receipt binds together the page body, the sources it cites, and the verdict. Change any of them and the binding no longer matches — the trusted status falls off automatically. "Verified" stops being a label someone typed and becomes a property the machine recomputes.

What it is NOT

It is not a guarantee that the content is true — a receipt proves a check ran over these words, not that the world agrees with them. It is not a search engine or a vector store — the receipt carries no content and does no semantic recall. It is not a place to dump raw chat logs — it is a curated, source-anchored wiki an agent maintains for you.

2. The problem it solves

An AI that keeps notes for you has two failure modes that never fully go away: it can quietly state something its source never said, and a page can be edited later so it no longer matches the source it cites — with the old "checked" mark still sitting there. You end up trusting a green checkmark that nobody can re-derive.

A plain AI notebook

"Verified" is a flag someone set once. Edit the page afterwards and the flag stays — it no longer means anything.

A claim may or may not trace back to a real source; you take the model's word.

Nothing outside your machine can confirm a given page was ever checked against its source.

Second Brain

trusted is a receipt over the current bytes. Edit one word and the receipt no longer matches — the status is gone.

Every claim carries a pointer to a source fragment and the hash of that source's version. Numbers and quotes are checked literally.

The receipt is signed by a quorum of independent operators and verifies offline — a third party can re-check it without trusting you or us.

3. The honest model: what a receipt proves

Read this before anything else

A receipt proves that a check ran over exactly these words, who is accountable for it, and that the text was not changed afterwards. It does not prove the content is true. A notarized error is still an error — only now it is visible who checked what, and when. Correctness comes from the checker (mechanics, a model, or a human); the receipt only makes that check tamper-evident.

This is the whole discipline of the tool. We never tell you a fact is true. We make it impossible to quietly change a "checked" page without the check falling away — so a green status you see today is a status that still holds for the exact text in front of you.

4. The cycle: Ingest, Verify, Audit

Ingest source → receipt
Write anchored pages
Verify → trusted
Audit → strip on edit
  • Ingest. You drop a source into raw/. The tool hashes it and takes a receipt for that exact version. The agent then writes wiki pages, every factual claim carrying a pointer to a specific source fragment and the hash of its version.
  • Verify. The tool checks each claim against its source — numbers and quotes mechanically, meaning via a judge model — and for the claims that pass it takes a receipt from the network, bound to the hash of body + sources + verdict. Full trusted needs both guarantees: the verifier cryptographically binds the receipt to that hash (the --expect flag, v2.0.0+) and every claim was checked by a judge. Missing either — no binding-capable verifier, or no judge configured — the page lands in the honest weaker tier trusted-mechanical: valid and consistent, but not proven to the end.
  • Audit. Any later edit changes the hash, so audit instantly strips trusted from anything that no longer matches its receipt. Nothing wears a "checked" badge it hasn't earned for its current text.

5. Anchoring discipline

The correctness layer rests on one rule: every factual claim in the wiki must carry a pointer to a specific fragment of a specific source, with the hash of that source's version. No source, no claim — it gets marked "needs a source" instead. Numbers, dates and quotes are written verbatim, because the mechanical check compares them exactly.

Growth slowed in Q2. ^[[raw/papers/2026-04-06-report.md#L40-L48|src:report@9f2a…c1]]

The pointer names the source file, the line range of the fragment, and the full sha256 of the source version. That is what lets the tool — and anyone after you — re-check the claim against the precise bytes it was drawn from.

6. The trusted gate: why "verified" is computed, not a flag

In an ordinary notebook, "verified" is a word someone typed. Here it is a derived property: a page is trusted if and only if there is a valid receipt over the current hash of its body, its sources, and its verdict. The agent that maintains the wiki is never allowed to write trusted itself — only the verification script assigns it, and only after a receipt is issued.

EDIT THE TEXT → THE RECEIPT NO LONGER MATCHES → TRUSTED IS GONE

This is the same fail-closed spirit as the rest of TimeLayer: if a page cannot be backed by a valid receipt over its current bytes, it does not get to claim it was checked. Better "not verified" than "verified for nothing."

7. The judge: semantic claims, fail-closed

Numbers and quotes are checked mechanically and work out of the box — no model needed. Claims about meaning ("the report argues X") are checked by a judge model you plug in. Without a judge there are two outcomes: a purely semantic claim (no number or quote to match) is marked unverified rather than waved through, and a page resting only on mechanical matches caps at trusted-mechanical — the number matched, but its meaning was never checked ("demand fell 30%" passes against a source that says 30 about growth). Full trusted arrives once a judge confirms the meaning, or you confirm it by hand.

Decorrelate the errors

Use a different model family for the judge than the one that wrote the wiki. If the same model both writes and grades, it tends to bless its own mistakes. Two independent models rarely make the same error in the same place — that gap is where the check earns its keep.

8. Quick start: buy receipts, run it

Receipts are the fuel of verification — each notarization spends one. The flow is the same on Linux, macOS and Windows; you need only Python 3.8+ and one library.

Step 1 — Buy receipts and issue a token

Create an account and buy a pack at timelayer-os.com, then issue an api_token in your cabinet.

Step 2 — Download the offline verifier

Grab the binary for your OS from the verifier releases page. It checks receipts offline, with no connection back to us.

Step 3 — Get the tool and run the example

# clone the open-source tool (Apache-2.0)
git clone https://github.com/TimeLayer-OS/timelayer-second-brain
cd timelayer-second-brain
pip install -r requirements.txt        # just pyyaml; everything else is the standard library

export TIMELAYER_TOKEN=<your token>
export TL_VERIFIER=/path/to/timelayer-verifier

python notary.py init my-vault                                   # scaffold a vault, no shell needed
python notary.py ingest-source example/raw/articles/2026-06-29-sample.md
python notary.py verify example/wiki/sample-page.md              # → PASS → trusted
python notary.py audit  example/wiki/sample-page.md              # → trusted holds
# edit a number in the page, run audit again → trusted is stripped

That is the whole loop: buy receipts on the platform, download the tool, run it on your own machine. The source is open — read it, build it, depend on no binary you did not compile.

9. Honest framing: what it does not do

  • It does not make things true. A trusted page means "a named checker confirmed it matches its source," not "this is true about the world." If the source is wrong, the error passes through.
  • It is not recall. Receipts store no content and do no semantic search. This is provenance for your notes, not a memory you query.
  • The judge is only as good as the model behind it. Mechanical checks (numbers, quotes) are exact; semantic checks inherit the judge's limits. That is why the default is fail-closed.
  • Issuing a receipt needs a moment of connectivity. Verifying existing receipts is fully offline; getting the network's signature on a new one needs the quorum reachable.

The one-line summary

The Second Brain gives your notes a "verified" status that cannot survive a silent edit — a receipt over the exact text, signed by the network, checkable offline. It does not decide what is true; it makes "this was checked" impossible to fake.