Phase J – Third Trust Cycle

Versions: v0.38.0 – v0.48.1 Question: How does the trust pipeline defend against adversarial behavior at the voting, execution, reasoning, and data layers — and can those defenses be formally machine-checked?

What Changed

Cascade-resilient consensus (v0.38.0): Context Divergence Score and Temporal Clustering Score detect correlated validators before proof assembly. A single adversary seeding a shared narrative cannot satisfy a K-of-N threshold by appearing independent.

Codebase modularity (v0.38.1): The layer rule was enforced in code — models/ holds signed entities, trust/ holds protocol logic, cli/ holds only Click parsing, workflows/ holds orchestration. No behavior change; complete audit path.

Vertical material removal (v0.38.2): Commercial vertical artifacts and branded sovereign name placeholders removed. Public protocol boundary sharpened.

Adversarial seed isolation (v0.39.0): assess_seed_isolation() scores three orthogonal adversarial patterns over the full RiskSignalUpdate history: Credit Farming, Volatility Discontinuity, and Streak Fragility. seed_probability is flagged when it exceeds a configurable threshold.

Verifiable logic attestation (v0.40.0): An agent signs a short-lived ModelAttestation binding model, system prompt hash, and tool manifest hash before each capability invocation. LogicAttestationGate validates it at the gate layer. Closes the hidden-instruction exploit.

Context-injection defense (v0.41.0): A signed ContextIntegrityRecord commits to the base context hash and declared ContextAppendSegments before execution. ContextInjectionGate blocks any undeclared, oversized, or tampered content. Complements logic attestation: v0.40 covers the container, v0.41 covers the contents.

Ephemeral identity purge (v0.42.0): NullificationReceipt proves an expired EphemeralExecutionIdentity was destroyed without retaining sensitive fields. Receipts are batched into a signed Merkle NullificationRegistryRoot. Cheating on deletion is auditable.

Communication privacy (v0.43.0): Timestamp bucketing, payload block-padding, and header stripping normalize the metadata that leaks over an encrypted channel. A signed MetadataEnvelope records what was changed.

Sovereign overlay discovery (v0.44.0): Signed OverlayDiscoveryRecords propagate hop-by-hop over existing Noise XX connections. DNS is no longer required for peer bootstrapping.

Process-level execution mediation (v0.45.0): GenesisGuard validates BoundaryDecision and IBCT before spawning any subprocess, strips the environment to allowed variables only, and issues a signed MediatedExecutionReceipt. Enforcement is below the agent process but above the OS.

Trust path performance + atlas pruning (v0.46.0): Signed TTL-bound TrustPathCache brings repeat path lookups to O(1). GraphPruningPolicy removes three categories of stale edges with a per-edge audit trail.

Data usage attestation (v0.47.0): DataLicensePolicy defines source allowlists, access types, prohibited classification tags, and volume caps. DataAccessIntent (pre-execution) and DataAccessRecord (post-execution) are both independently verifiable. Seven violation reasons. Payment and settlement are explicitly out of scope.

Formal PeerRiskSignal verification (v0.48.0): Tamarin Prover models for the PeerRiskSignal state machine. Three machine-checked lemmas: signal_bounded, anomaly_detection_responsive, no_single_source_cascade. Property-based tests exercise the same boundary conditions without Tamarin.

Enterprise-grade example suite (v0.48.1): 25 animated GIF demos covering every protocol feature across all three phases. Shared terminal_render.py and _bootstrap.py helpers; all 25 feature example pages embed GIF references.

Value Added

  • Cascade detection guards K-of-N consensus against correlated validators.

  • Adversarial credit-farming patterns are detected from the full history, not only the most recent delta.

  • Hidden model instructions cannot be used to authorize actions that contradict the declared attestation.

  • Injected runtime content is blocked if it was not declared in the signed integrity record.

  • Expired ephemeral identities can be verifiably destroyed; the destruction itself is auditable.

  • Communication metadata does not leak agent identity over an encrypted channel.

  • Peer discovery does not depend on DNS.

  • Authorization is enforced below the agent process boundary.

  • Data access is attested before and after execution; seven violation reasons are independently verifiable.

  • Eight security lemmas are machine-checked across the full trust pipeline and the PeerRiskSignal state machine.

  • 1,041 tests pass; the layer rule and public boundary rule are enforced in code and documented in AGENT.md.

What Became Possible

With the trust pipeline adversarially hardened and machine-verified, the project enters the maturity phase: documentation restructure, maintainer quality, public API stability, a protocol conformance suite, TypeScript/Go/C# SDKs, a Go protocol verifier, and cross-language interoperability proof (v0.49–v0.56).

Key Releases

Version

Milestone

v0.38.0

Cascade-resilient consensus: CDS + TCS independence scores

v0.38.1

Codebase modularity: layer rule enforced, consensus/context split

v0.38.2

Vertical material removal; public boundary sharpened

v0.39.0

Adversarial seed isolation: credit-farming + volatility + streak fragility

v0.40.0

Verifiable logic attestation: ModelAttestation, LogicAttestationGate

v0.41.0

Context-injection defense: ContextIntegrityRecord, ContextInjectionGate

v0.42.0

Ephemeral identity purge: NullificationReceipt, signed Merkle registry

v0.43.0

Communication privacy: timestamp bucketing, block-padding, header stripping

v0.44.0

Sovereign overlay discovery: signed gossip, DNS-free bootstrapping

v0.45.0

Process-level mediation: GenesisGuard, MediatedExecutionReceipt

v0.46.0

Trust path performance + atlas pruning: TrustPathCache, GraphPruningPolicy

v0.47.0

Data usage attestation: DataLicensePolicy, DataAccessIntent, DataAccessRecord

v0.48.0

Formal PeerRiskSignal verification: 3 Tamarin lemmas, property-based tests

v0.48.1

Enterprise-grade example suite: 25 animated GIF demos, shared helpers