# InfraFabric Dossier — Submission Edition (Clean) v1.0
**Subject:** Safety-first agent runtime with verifiable provenance (microlab)
**Protocol:** IF.TTT.dossier.submission
**Status:** SUBMISSION EDITION (CLEAN)
**Date:** 2025-12-22
**Citation:** `if://doc/INFRAFABRIC_DOSSIER_SUBMISSION/v1.0`
**Author:** Danny Stocker (`ds@infrafabric.io`)
**Web:** https://infrafabric.io
> The model’s answer is ephemeral. The trace is the product. If you can’t prove what happened, you are not running an AI system — you are running a scripted reality show.
**Canonical (static mirror):** `https://infrafabric.io/static/hosted/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md`
**Repo source:** `https://git.infrafabric.io/danny/hosted/src/branch/main/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md`
**SHA256 (sidecar):** `https://infrafabric.io/static/hosted/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md.sha256`
**Verify:** `curl -fsSLO 'https://infrafabric.io/static/hosted/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md' -fsSLO 'https://infrafabric.io/static/hosted/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md.sha256' && sha256sum -c DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md.sha256`
**Read this if you have 15 minutes:** start at “Independent Verification (One Trace)”, run the commands, then skim “Boundaries & Limitations”.
**Read this if you have 60 minutes:** add “Architecture” + “Threat Model”.
**For full lab notes / uncut corpus:** see `DANNY_STOCKER_INFRAFABRIC_DOSSIER.md` (≈1.5MB).
---
## 1) Technical Disclosure (AI-Native Implementation)
This project follows an Operator-as-Architect workflow: I define constraints, interfaces, and verification hooks; LLMs generate implementation code under supervision. The system is therefore evaluated as:
- **Architecture + specifications:** authored by me (the claims in this submission reference verification paths).
- **Code implementation:** LLM-assisted and treated as *untrusted until audited*; the trace protocol is designed to make that audit possible.
---
## 2) What This Is (And What It Is Not)
**This is:** a working microlab proving that agentic systems can ship **portable, third‑party verifiable evidence bundles** for disputed behaviors (request → retrieval → decision → output).
**This is not:** a claim that outputs are “true”, a claim of clinical efficacy, or a claim of production scale.
---
## 3) Core Claims, Proofs, Boundaries
| Core claim | Proof (artifact) | Boundary / limitation |
|---|---|---|
| **A) Traceability is a safety primitive.** High‑stakes agent actions require verifiable provenance. | IF.emotion trace protocol + evidence bundle + verifier (see §5). | **Microlab / single shard.** Guarantees begin at the backend witness boundary; edge completeness is future work. |
| **B) Governance needs structured dissent.** One-model “judge” patterns are brittle. | IF.BIAS (risk preflight) + IF.GUARD (council with required dissent seat) traced via IF.TTT. | **Cost/latency.** Multi-seat governance is reserved for higher-stakes decisions; low-stakes paths stay fast. |
| **C) Context is a security control.** Static filters fail; provenance + coherence checks reduce unsafe drift. | IF.ARMOUR (coherence/detective layer) + IF.YOLOGUARD (secret/relationship screening) integrated into the pipeline. | **Domain calibration.** Strongest for concrete surfaces (secrets/PII/prompt injection); general harmful-intent is open research. |
---
## 4) Prior Art (Where This Fits)
InfraFabric is not “inventing audit logs”. It adapts known integrity patterns to a different object:
- **SLSA / SBOM / in-toto / Sigstore**: provenance for *software artifacts* → InfraFabric applies provenance discipline to *semantic decisions*, retrieval lineage, and agent actions.
- **Certificate Transparency (CT)**: append-only Merkle logging → InfraFabric borrows “inclusion proof” thinking for bounded completeness (`REQ_SEEN`).
- **Event sourcing / OpenTelemetry**: observability → InfraFabric adds a **verifier-oriented evidence bundle** that can be audited without trusting the operator.
- **W3C PROV (conceptually)**: provenance graphs → InfraFabric focuses on portable, hash-addressed artifacts with explicit boundaries and replay hooks.
The key differentiator is not “we log more”. It is: **we ship a dispute bundle that a hostile reviewer can verify.**
---
## 5) Independent Verification (One Trace, End-to-End)
This is the minimal “receipt” test: download one evidence bundle, verify transport integrity, then verify the internal chain-of-custody.
### 5.1 Public artifacts (preferred links)
Static mirror (preferred for reviewers): `https://infrafabric.io/static/hosted/`
Source repo (canonical): `https://git.infrafabric.io/danny/hosted`
Reference proof bundle:
- Bundle (static): `https://infrafabric.io/static/hosted/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz`
- Bundle SHA256 (static): `https://infrafabric.io/static/hosted/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz.sha256`
- Bundle (repo): `https://git.infrafabric.io/danny/hosted/raw/branch/main/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz`
Verifier:
- `iftrace.py` (static): `https://infrafabric.io/static/hosted/iftrace.py`
- `iftrace.py` (repo): `https://git.infrafabric.io/danny/hosted/raw/branch/main/iftrace.py`
### 5.2 Verify transport integrity (hash)
```bash
curl -fsSLO 'https://infrafabric.io/static/hosted/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz' \
-fsSLO 'https://infrafabric.io/static/hosted/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz.sha256'
sha256sum -c 'emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz.sha256'
```
### 5.3 Verify internal chain-of-custody
```bash
curl -fsSLO 'https://infrafabric.io/static/hosted/iftrace.py'
python3 iftrace.py verify 'emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz'
```
The verifier checks:
- `trace_events.jsonl` forms a hash chain (`prev_hash` → `event_hash`)
- `req_seen_inclusion_proof.json` verifies against the signed Merkle head (bounded completeness for that hour)
- `ttt_signed_record.json` binds output hash + chain head and verifies signature
- the bundle manifest hashes match the extracted artifacts
### 5.4 What you should see
You should be able to verify, from raw artifacts inside the tarball, at minimum:
- `request_received` (auth/provider/model intent)
- `retrieval_done` (retrieval ids + `rag_ms`)
- `prompt_built` (prompt hash)
- `model_done` (`llm_ms`, model/provider)
- `trace_finalizing` (chain head)
- `response.json` (the actual assistant output bytes whose hash is bound in the signed summary)
If any element is missing or fails verification, the system is explicitly “not proven”.
---
## 6) Architecture (Where Guarantees Begin)
This diagram shows the system boundary that the protocol currently guarantees.
```mermaid
flowchart TB
U[User] -->|HTTPS| E[Edge]
E --> B[Backend Witness Boundary]
B --> R[Retrieval]
B --> P[Prompt]
B --> M[Model]
B --> X[Postprocess]
B --> T1["REQ_SEEN ledger
(hourly JSONL)"]
B --> T2["Trace events
(hash chain JSONL)"]
B --> T3["Signed summary
(output hash + head attestation)"]
T1 --> H["Signed Merkle head
(per hour)"]
T2 --> S["Trace head
(event_hash)"]
H --> BUNDLE["Evidence bundle
(tar.gz + manifest)"]
S --> BUNDLE
T3 --> BUNDLE
BUNDLE --> MIRROR["Static mirror
(public download)"]
BUNDLE --> REG["Registry anchor
(PQ-hybrid, when enabled)"]
```
Interpretation: integrity begins at the backend witness boundary; completeness is meaningful at and after that boundary until edge witnessing exists.
---
## 7) Threat Model (Why Standard Logs Fail)
The trace protocol is built for an explicit adversary: **the dispute**.
Primary failure modes it is designed to prevent:
- “The logs say one thing, the user screenshot says another.” (repudiation)
- “A retrieval set was poisoned, then the retrieval event was deleted.” (selective deletion)
- “A decision was claimed to be reviewed, but there is no lineage.” (audit theater)
Failure mode analysis (separate artifact):
- `https://infrafabric.io/static/hosted/IF_TTT_FAILURE_MODE_ANALYSIS_v1.md`
---
## 8) Validation Status (Honest)
- **External human testing:** anecdotal pre-testing only; not clinical validation.
- **Scale:** unproven beyond microlab; numbers are not presented as global claims.
- **Key management / attestations:** not audit-grade yet (explicit roadmap below).
---
## 9) Boundaries & Roadmap (What Must Be Built Next)
This is the “reviewer red‑flags” list, answered directly.
### 9.1 Key management (blocker for certification)
Current: file-based Ed25519 keys sufficient for microlab evidence binding.
Required: key generation ceremony + rotation + compromise response; HSM/TPM-backed signing for high-stakes deployments.
### 9.2 Completeness boundary (edge witnessing)
Current: bounded completeness begins at backend witness boundary.
Required: edge-level request witnessing (or independent transparency log) to reduce “selective trace” risk.
### 9.3 Code identity / execution integrity
Current: bundle binds outputs and retrieval lineage.
Required: signed deploy attestations; reproducible build digest binding; optional remote attestation in higher-assurance environments.
### 9.4 Clock integrity
Current: timestamps are informative, not cryptographically trusted.
Required: monotonic counters + periodic anchoring; external timestamping strategy for forensic-grade timelines.
---
## 10) Where to Go Deeper
- Full dossier (uncut): `DANNY_STOCKER_INFRAFABRIC_DOSSIER.md`
- IF.emotion trace protocol (detailed): `https://infrafabric.io/static/hosted/IF_EMOTION_DEBUGGING_TRACE_WHITEPAPER_v3.3_STYLED.md`
- Evidence bundles directory: `https://infrafabric.io/static/hosted/`