Skip to main content

Glass Box Ledger

Every AI decision, cryptographically chained. Every receipt, externally verifiable. Every block, bit-exactly replayable.

Standard chat logs are pilot notes — mutable, subjective, interpretable. The Glass Box Ledger is the flight data recorder — objective, hardened, and binding. When a governance decision is challenged, you don't stitch together logs from five systems. You look up a block. You verify its signature against a published public key. You replay its input through the same Guardian build and get the same verdict, bit-for-bit. That's evidence.

The Merkle Chain

BLOCK n-2timestamp · input_hashpolicy_hash · outcomecorrections · actor_idH₍ₙ₋₂₎Hash(prev ‖ state)BLOCK n-1timestamp · input_hashpolicy_hash · outcomecorrections · actor_idH₍ₙ₋₁₎Hash(prev ‖ state)BLOCK ntimestamp · input_hashpolicy_hash · outcomecorrections · actor_idHₙAlter any byte in any past block → current hash fails validation

Every block captures a canonical tuple — (timestamp, input_hash, policy_hash, adapter_hash, outcome, corrections, actor_id) — and anchors to the previous block:

H_n = sha256(H_{n-1} || state_n)

Alter a single byte of any past block and the current block's hash fails validation. The chain enforces integrity without any central coordinator — each block is a cryptographic commitment to the entire history preceding it.

The Receipt Envelope

Canonical Receipt Envelope

SIGNED ENVELOPEreceipt_idrcp_01JW…timestamp2026-05-01T00:10:42Zsurfacemcp_gatewaytoolstripe.create_refundnhi_idnhi_01JW…policy_hashsha256:3f2a1b…model_digestsha256:8e1c7d…adapter_hashsha256:b7e4c2…seed2026050201input_digestsha256:a01f…output_digestsha256:c92b…lipschitz_bound0.34verdictblockedreason_codepolicy:refund_capblock_hashsha256:9f2d1e…prev_hashsha256:6a8c0b…signatureEd25519 · kid=org-q2Every field feeds the block hash. Any byte changed → signature fails → tamper detected.

Every surface writes the same envelope structure. A chat verdict, a tool call, a CLI command, a training promotion, a policy finalization — they all produce receipts that share this shape. Three consequences:

  1. One schema across the platform. SIEM queries written against the verdict field hit every surface. No per-surface rewrites.
  2. Determinism fields are mandatory. model_digest, adapter_hash, seed, policy_hash — every receipt carries enough to reproduce.
  3. Signature covers the whole envelope. Change any field, the signature fails.

The envelope is what makes Trinitite receipts legally binding artifacts: not "our internal log shows," but "the verifiable signed commitment from this public key, at this trusted timestamp, says."

External Trust Anchors

Public Verifier Topology — Third-Party Trust Anchors

TRINITITEsigns every receipt1. hash block2. sign with org key3. anchor externallyJWKSpublic key bundle/.well-known/jwks.jsonRFC 3161 TSAtrusted timestampDigiCert / GlobalSignSigstore Rekortransparency logrekor.sigstore.devVERIFIERauditor / regulator / browserfetch JWKS + receiptre-compute block hashverify signature offlineThree independent trust anchors. Even Trinitite cannot backdate an artifact — the TSA and Rekor logs are external witnesses.

Trinitite signatures are not the only witness. Every receipt's root hash is anchored to three independent external systems:

  • Public JWKS — the public half of the signing key is published at /.well-known/jwks.json. Anybody can fetch it and verify signatures offline.
  • RFC 3161 TSA — a trusted timestamp authority (DigiCert, GlobalSign) witnesses that the hash existed at the claimed time. Even Trinitite cannot backdate an artifact.
  • Sigstore Rekor — a transparency log that makes every anchored hash publicly auditable. Insertion is tamper-evident.

The practical upshot: a regulator, a Big-4 partner, or a disputing counterparty can verify a Trinitite receipt without ever calling a Trinitite endpoint. The signature, the timestamp, and the inclusion proof are all witnessable from independent third parties. This collapses the adverse-inference attack surface — "well, they could have changed the log" — to zero.

Bit-Exact Replay

Rewind · Adjust · Prove — Replay Over the Ledger

0123456789101112131415161718192021REWIND → BLOCK 11ORIGINALReplay with all fieldsunchanged. Assert hash chainvalidates.COUNTERFACTUALTweak one parameter (e.g.amount → $49.99). Observe newverdict.PATCH VALIDATIONUse the new Guardian adapter.Assert the previously-blockedinput is now correctlyhandled.

Every block is replayable. Given a block ID:

  1. Look up the receipt — model_digest, adapter_hash, seed, policy_hash.
  2. Load an identical inference stack — same base model, same adapter, batch-invariant kernel with the same fixed tile size.
  3. Re-run the input. Verify the input_digest matches; verify the output_digest matches.

The verdict is bit-for-bit identical to the original. This is what the batch-invariant kernel buys you: determinism that survives across batch sizes, GPU utilization, and months of production operation.

Counterfactual replay is just as easy. Pick a block, change one input field, re-run. Observe how the verdict shifts. Prove a patch works by re-running a previously-blocked input through the new Guardian and confirming the new verdict. This is the flight simulator for AI decisions — not a theoretical promise, a shipped capability.

Append-Only Backends

The ledger is pluggable. Every deployment picks the backend that matches its regulatory posture:

TierBackendProperties
StandardS3 Object Lock / WORMCommercial durability, adverse-inference defense
ManagedCloud KMS / HSM-anchored PostgresRegulatory separation of duties
SovereignHardware TEE (Nvidia Confidential Computing)Nation-state non-repudiation
EdgeSQLiteAir-gapped / on-premise deployments
SIEM mirrorSplunk / Datadog / CloudWatch pipelineLive forwarding alongside durable write

Swap the backend via env var. Receipts are portable; verification works identically against each.

What Gets Anchored

Every governance-relevant surface writes:

SurfaceReceipt kindContent
LLM Proxychat_verdictInput digest, output digest, provider, governance outcome
MCP Gatewaytool_verdictTool, arguments (hashed), result (hashed), verdict
CLI Firewallcli_execCommand, args, exit code, stdout/stderr hashes, redaction flag
Skill Vaultskill_sign / skill_revokeContent hash, scan record, signature envelope
Trainingadapter_promotionAdapter hash, parent hash, Lipschitz bound, test pass rate
Testingsimulation_reportSuite, adapter, per-scenario verdicts, aggregate pass rate
Policypolicy_finalizePolicy hash, approver, graph snapshot
Attestationsnapshot / exportPoint-in-time evidence bundle, OSCAL export

Every entry carries the same envelope. Every entry is verifiable by the same public key. Every entry is anchored to the same external trust chain.

Public Verification Path

GET /v1/public/verify/:receipt_id
(no auth required)

→ 200 OK
{
  "receipt":             { … },
  "signature_envelope":  "base64:…",
  "jwks_url":            "https://trinitite…/.well-known/jwks.json",
  "tsa_token":           "base64:…",
  "rekor_entry":         "https://rekor.sigstore.dev/api/v1/log/entries/…",
  "verification_bundle": { … }
}

An auditor's workflow: fetch the receipt, fetch the JWKS, fetch the Rekor entry, compute the hash locally, verify the signature locally, verify the Rekor inclusion proof locally, compare timestamps. No Trinitite credentials. No "take our word for it." Just math.

What You Get

CapabilityStandard logGlass Box Ledger
Tamper evidenceNoneMerkle chain breaks on byte change
ReplayBest-effort reconstructionBit-exact via batch-invariant kernel
SignatureNot signedSigned by HSM-backed org key
External witnessesNoneJWKS + RFC 3161 + Sigstore Rekor
Backdating defenseTrust usExternal TSA cryptographically blocks
Third-party verificationAccess our portalVerify from any browser / script
Uniform schemaPer-serviceOne envelope across every surface

Replay Verdict Taxonomy

A replay is not a binary "matched / didn't" — the platform classifies every replayed event into one of four explicit verdicts:

BIT_EXACT
Replay produces a byte-identical output to the original. Same Guardian, same policy hash, same tile size, same seed.
USE Default for any replay run on the same node version with the original adapter still loaded.
SEMANTIC_ONLY
Replay produces a semantically equivalent output (same outcome, same JSON Patch class) but bytes differ — typically because a downstream tokenizer or model build changed.
USE Surfaces when re-running an old block on a newer build; the verdict still validates.
DIVERGENT
Replay produces a different verdict than the original. Either the active policy changed or the adapter shifted in a way that breaks the prior block.
USE Drives a forensic regression alert. Do not silently accept.
ORIGINAL_MISSING
The original adapter or upstream artifact is no longer available, so a faithful replay is impossible. The Merkle receipt is still verifiable.
USE Common after long retention windows. Mark explicitly rather than silently downgrading to semantic_only.

This is the difference between a deterministic system that pretends to be reproducible and a deterministic system that owns its honesty. When a replay is divergent, that's a forensic alert — not a quietly downgraded result.

Next Steps

Compliance Architecture — how ledger anchors become framework-specific attestations.

Testing & Simulation — the replay-over-the-ledger machinery in practice.

Architecture — where batch-invariant determinism is introduced.

Observability — the streams that surface every receipt at the operational level.

Last updated on