InfraFabric Dossier — Submission Edition (Clean) v1.0
Subject: Safety-first agent runtime with verifiable provenance (microlab)
Protocol: IF.TTT.dossier.submission
Status: SUBMISSION EDITION (CLEAN)
Date: 2025-12-22
Citation: if://doc/INFRAFABRIC_DOSSIER_SUBMISSION/v1.0
Author: Danny Stocker (ds@infrafabric.io)
Web: https://infrafabric.io
The model’s answer is ephemeral. The trace is the product. If you can’t prove what happened, you are not running an AI system — you are running a scripted reality show.
Canonical (static mirror): https://infrafabric.io/static/hosted/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md
Repo source: https://git.infrafabric.io/danny/hosted/src/branch/main/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md
SHA256 (sidecar): https://infrafabric.io/static/hosted/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md.sha256
Verify: curl -fsSLO 'https://infrafabric.io/static/hosted/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md' -fsSLO 'https://infrafabric.io/static/hosted/DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md.sha256' && sha256sum -c DANNY_STOCKER_INFRAFABRIC_DOSSIER_SUBMISSION_EDITION.md.sha256
Read this if you have 15 minutes: start at “Independent Verification (One Trace)”, run the commands, then skim “Boundaries & Limitations”.
Read this if you have 60 minutes: add “Architecture” + “Threat Model”.
For full lab notes / uncut corpus: see DANNY_STOCKER_INFRAFABRIC_DOSSIER.md (≈1.5MB).
1) Technical Disclosure (AI-Native Implementation)
This project follows an Operator-as-Architect workflow: I define constraints, interfaces, and verification hooks; LLMs generate implementation code under supervision. The system is therefore evaluated as:
- Architecture + specifications: authored by me (the claims in this submission reference verification paths).
- Code implementation: LLM-assisted and treated as untrusted until audited; the trace protocol is designed to make that audit possible.
2) What This Is (And What It Is Not)
This is: a working microlab proving that agentic systems can ship portable, third‑party verifiable evidence bundles for disputed behaviors (request → retrieval → decision → output).
This is not: a claim that outputs are “true”, a claim of clinical efficacy, or a claim of production scale.
3) Core Claims, Proofs, Boundaries
| Core claim | Proof (artifact) | Boundary / limitation |
|---|---|---|
| A) Traceability is a safety primitive. High‑stakes agent actions require verifiable provenance. | IF.emotion trace protocol + evidence bundle + verifier (see §5). | Microlab / single shard. Guarantees begin at the backend witness boundary; edge completeness is future work. |
| B) Governance needs structured dissent. One-model “judge” patterns are brittle. | IF.BIAS (risk preflight) + IF.GUARD (council with required dissent seat) traced via IF.TTT. | Cost/latency. Multi-seat governance is reserved for higher-stakes decisions; low-stakes paths stay fast. |
| C) Context is a security control. Static filters fail; provenance + coherence checks reduce unsafe drift. | IF.ARMOUR (coherence/detective layer) + IF.YOLOGUARD (secret/relationship screening) integrated into the pipeline. | Domain calibration. Strongest for concrete surfaces (secrets/PII/prompt injection); general harmful-intent is open research. |
4) Prior Art (Where This Fits)
InfraFabric is not “inventing audit logs”. It adapts known integrity patterns to a different object:
- SLSA / SBOM / in-toto / Sigstore: provenance for software artifacts → InfraFabric applies provenance discipline to semantic decisions, retrieval lineage, and agent actions.
- Certificate Transparency (CT): append-only Merkle logging → InfraFabric borrows “inclusion proof” thinking for bounded completeness (REQ_SEEN).
- Event sourcing / OpenTelemetry: observability → InfraFabric adds a verifier-oriented evidence bundle that can be audited without trusting the operator.
- W3C PROV (conceptually): provenance graphs → InfraFabric focuses on portable, hash-addressed artifacts with explicit boundaries and replay hooks.
The key differentiator is not “we log more”. It is: we ship a dispute bundle that a hostile reviewer can verify.
5) Independent Verification (One Trace, End-to-End)
This is the minimal “receipt” test: download one evidence bundle, verify transport integrity, then verify the internal chain-of-custody.
5.1 Public artifacts (preferred links)
Static mirror (preferred for reviewers): https://infrafabric.io/static/hosted/
Source repo (canonical): https://git.infrafabric.io/danny/hosted
Reference proof bundle:
- Bundle (static): https://infrafabric.io/static/hosted/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz
- Bundle SHA256 (static): https://infrafabric.io/static/hosted/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz.sha256
- Bundle (repo): https://git.infrafabric.io/danny/hosted/raw/branch/main/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz
Verifier:
- iftrace.py (static): https://infrafabric.io/static/hosted/iftrace.py
- iftrace.py (repo): https://git.infrafabric.io/danny/hosted/raw/branch/main/iftrace.py
5.2 Verify transport integrity (hash)
curl -fsSLO 'https://infrafabric.io/static/hosted/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz' \
-fsSLO 'https://infrafabric.io/static/hosted/emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz.sha256'
sha256sum -c 'emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz.sha256'
5.3 Verify internal chain-of-custody
curl -fsSLO 'https://infrafabric.io/static/hosted/iftrace.py'
python3 iftrace.py verify 'emo_trace_payload_016cca78-6f9d-4ffe-aec0-99792d383ca1.tar.gz'
The verifier checks:
- trace_events.jsonl forms a hash chain (prev_hash → event_hash)
- req_seen_inclusion_proof.json verifies against the signed Merkle head (bounded completeness for that hour)
- ttt_signed_record.json binds output hash + chain head and verifies signature
- the bundle manifest hashes match the extracted artifacts
5.4 What you should see
You should be able to verify, from raw artifacts inside the tarball, at minimum:
- request_received (auth/provider/model intent)
- retrieval_done (retrieval ids + rag_ms)
- prompt_built (prompt hash)
- model_done (llm_ms, model/provider)
- trace_finalizing (chain head)
- response.json (the actual assistant output bytes whose hash is bound in the signed summary)
If any element is missing or fails verification, the system is explicitly “not proven”.
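The hash-chain check from 5.3 and the "not proven" rule from 5.4, as an added example that is not iftrace.py or any InfraFabric code. Only prev_hash, event_hash and the event names come from this page; the "type" field, the all-zero genesis value, the canonical-JSON hashing and the sample events are assumptions, and the signed head is passed in as already signature-verified.

```python
import hashlib, json

GENESIS = "0" * 64  # assumption: prev_hash carried by the first event
REQUIRED = ["request_received", "retrieval_done", "prompt_built",
            "model_done", "trace_finalizing"]

def event_hash(ev):
    """SHA-256 over the event minus its own hash (canonical JSON is assumed)."""
    body = {k: v for k, v in ev.items() if k != "event_hash"}
    blob = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(blob.encode()).hexdigest()

def build_trace(events):
    """Writer side: link each event to its predecessor, return (lines, head)."""
    prev, lines = GENESIS, []
    for ev in events:
        ev = dict(ev, prev_hash=prev)
        ev["event_hash"] = prev = event_hash(ev)
        lines.append(json.dumps(ev))
    return lines, prev

def verify_trace(lines, signed_head):
    """Reviewer side: returns 'proven' or a 'not proven: ...' reason."""
    prev, seen = GENESIS, set()
    for n, line in enumerate(lines):
        ev = json.loads(line)
        if ev.get("prev_hash") != prev:          # deleted or reordered event
            return f"not proven: broken link at event {n}"
        if ev.get("event_hash") != event_hash(ev):  # edited in place
            return f"not proven: content mismatch at event {n}"
        prev = ev["event_hash"]
        seen.add(ev.get("type"))
    if prev != signed_head:                      # tail truncated after signing
        return "not proven: chain head differs from signed head"
    missing = [t for t in REQUIRED if t not in seen]
    return "not proven: missing " + ",".join(missing) if missing else "proven"

# Constructed trace; field values are illustrative only.
TRACE, HEAD = build_trace([
    {"type": "request_received", "model": "example-model"},
    {"type": "retrieval_done", "retrieval_ids": ["doc-1", "doc-2"], "rag_ms": 41},
    {"type": "prompt_built", "prompt_sha256": "placeholder"},
    {"type": "model_done", "llm_ms": 900},
    {"type": "trace_finalizing"},
])
```

Link checks alone do not catch a truncated tail; that case is caught only because the head is compared against the separately signed value.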
6) Architecture (Where Guarantees Begin)
This diagram shows the system boundary that the protocol currently guarantees.
flowchart TB
U[User] -->|HTTPS| E[Edge]
E --> B[Backend Witness Boundary]
B --> R[Retrieval]
B --> P[Prompt]
B --> M[Model]
B --> X[Postprocess]
B --> T1["REQ_SEEN ledger<br/>(hourly JSONL)"]
B --> T2["Trace events<br/>(hash chain JSONL)"]
B --> T3["Signed summary<br/>(output hash + head attestation)"]
T1 --> H["Signed Merkle head<br/>(per hour)"]
T2 --> S["Trace head<br/>(event_hash)"]
H --> BUNDLE["Evidence bundle<br/>(tar.gz + manifest)"]
S --> BUNDLE
T3 --> BUNDLE
BUNDLE --> MIRROR["Static mirror<br/>(public download)"]
BUNDLE --> REG["Registry anchor<br/>(PQ-hybrid, when enabled)"]
Interpretation: integrity begins at the backend witness boundary; completeness is meaningful at and after that boundary until edge witnessing exists.
7) Threat Model (Why Standard Logs Fail)
The trace protocol is built for an explicit adversary: the dispute.
Primary failure modes it is designed to prevent:
- “The logs say one thing, the user screenshot says another.” (repudiation)
- “A retrieval set was poisoned, then the retrieval event was deleted.” (selective deletion)
- “A decision was claimed to be reviewed, but there is no lineage.” (audit theater)
Failure mode analysis (separate artifact):
https://infrafabric.io/static/hosted/IF_TTT_FAILURE_MODE_ANALYSIS_v1.md
8) Validation Status (Honest)
- External human testing: anecdotal pre-testing only; not clinical validation.
- Scale: unproven beyond microlab; numbers are not presented as global claims.
- Key management / attestations: not audit-grade yet (explicit roadmap below).
9) Boundaries & Roadmap (What Must Be Built Next)
This is the “reviewer red‑flags” list, answered directly.
9.1 Key management (blocker for certification)
Current: file-based Ed25519 keys sufficient for microlab evidence binding.
Required: key generation ceremony + rotation + compromise response; HSM/TPM-backed signing for high-stakes deployments.
9.2 Completeness boundary (edge witnessing)
Current: bounded completeness begins at backend witness boundary.
Required: edge-level request witnessing (or independent transparency log) to reduce “selective trace” risk.
9.3 Code identity / execution integrity
Current: bundle binds outputs and retrieval lineage.
Required: signed deploy attestations; reproducible build digest binding; optional remote attestation in higher-assurance environments.
9.4 Clock integrity
Current: timestamps are informative, not cryptographically trusted.
Required: monotonic counters + periodic anchoring; external timestamping strategy for forensic-grade timelines.
10) Where to Go Deeper
- Full dossier (uncut): DANNY_STOCKER_INFRAFABRIC_DOSSIER.md
- IF.emotion trace protocol (detailed): https://infrafabric.io/static/hosted/IF_EMOTION_DEBUGGING_TRACE_WHITEPAPER_v3.3_STYLED.md
- Evidence bundles directory: https://infrafabric.io/static/hosted/