Skip to content

Trust and Provenance

treedinteractive edited this page Jun 28, 2026 · 15 revisions

SERAPH ships cryptographic trust as a substrate-level capability rather than an aftermarket addition. This holds in the current 0.2.0 release, built on the v3 (calibration-free) substrate: the trust layer sits above the store's quantization format and is unaffected by it, so the guarantees below are identical regardless of how a frame's embedding is encoded on disk. Every store carries an attestation of its creator from genesis. When the application supplies a writer identity — the standard configuration for Commercial and Enterprise deployments — every committed record additionally carries a signature over its content, attributing it to that writer's key. Two independent facts are recorded and separately verifiable: the license under which the store was created (attested by SERAPH's licensor) and the writer who signed each record (a key the customer holds and SERAPH never sees). Internal tamper-evidence is thereby extended from "the chain is internally consistent" to "every record is provably attributable to the writer who created it, and that attribution cannot be silently transferred or forged — not even by the licensor."

SERAPH is distributed in three license tiers. The tier determines the security posture available to the operator:

Tier Secure mode Writer attribution Sealing Full DSG substrate
Free Non-secure stores only No No Yes
Commercial Available — application supplies the writer key Per-record Ed25519 signatures (app-held key) Yes Yes
Enterprise Available — application/PKI writer identity Per-record Ed25519 / RSA-3072 / ECDSA-P384 (app/PKI key) + Gov mode Yes Yes

The tier distinction is enforced structurally, not by a configuration flag the operator can flip. The license token carries customer_uuid + tier + validity, signed by SERAPH's licensor and verified against a public key compiled into the engine binary; tier gating reads the signed tier flag. The license is secret-free — it contains no signing key of any kind. Writer identity is supplied separately by the application through the engine's identity interface (an in-process Ed25519 key for Commercial, or an X.509 / PKCS#11 provider for Gov/Enterprise); SERAPH only ever calls the provider to sign and records its public key in the store — it never sources, ships, or holds the writer's private key. A store becomes secure when the license tier permits it and the application supplies a writer identity: supplying one engages per-record signing, omitting one yields a non-secure (still tamper-evident) store. The arrangement is deliberate — because the writer key lives only in the customer's deployment, authorship is evidence-grade: provable even against the licensor, who cannot fabricate it.

All three tiers receive the full DSG substrate — emergent similarity, declared relationships, eigenframe promotion, traversal, consolidation, contradiction detection, and watermark-chain integrity. A Free-tier store is a fully functional SERAPH store; it simply lacks writer attribution and the cryptographic features that depend on it. Free-tier installations can also read and verify any .sfg file, including sealed secure stores — verification requires only the writer's public key, which is recorded in the store's genesis attestation; no signing key and no contact with the licensor are needed.

For deployments requiring compartmented access control and per-operator accountability, the Enterprise tier extends this trust model further

Genesis Attestation

When a store is created, its genesis record encodes the precise circumstances of its origin: the wall-clock time of creation, the embedding model in use, a hash of the configuration that governs the substrate's geometry, an optional external time anchor, the licensor-signed license attestation of the party who created it (customer UUID, tier, validity), and — when a writer identity is supplied — the writer's public key and signing algorithm, which become the anchor against which every per-record signature is later verified. These are canonically serialized and folded into the genesis watermark, becoming the cryptographic anchor from which the rest of the chain extends. Any subsequent attempt to claim a different creator, configuration, writer key, or moment of origin invalidates the chain at its root.

Per-Record Writer Attribution

In a secure store — a Commercial or Enterprise deployment that supplies a writer identity — every committed record carries an Ed25519 signature over the record's content commitment, verified against the writer public key anchored in the genesis attestation. Because that anchor is folded into the genesis watermark, writer identity is load-bearing rather than metadata adjacent to the chain: a store cannot be re-attributed to a different writer without breaking the chain at its root. A verifier replaying the chain produces a complete writer histogram: who contributed which records, in what order, and whether any record was written by a party other than the store's original creator. Cross-author activity is visible immediately. The cost of this attribution is small — under twenty microseconds of signature work per record, dwarfed by the embedding cost that already dominates the write path, and roughly three percent of typical per-record storage.

Sealing

A store may be sealed when its content is final. Sealing appends a signed sentinel record and one-way refuses all further writes from the engine. The seal travels with the store as part of the chain itself, not as a sidecar file, so recipients of a sealed store can confirm at a glance that it was distributed as a finished artifact rather than handed off mid-edit. Records committed after a seal are visible as such in audit, and the substrate's secure mode refuses to produce them in the first place.

External Time Anchoring

The chain's lower bound, the moment its content was first committed, can be cryptographically tied to a trusted external time source. SERAPH ships with two anchor backends: OpenTimestamps, which produces free Bitcoin-anchored proofs suitable for academic, research, and open-source use, and RFC 3161, which uses contracted Time Stamping Authorities and is the prevailing standard for enterprise, legal, and regulatory contexts. Periodic anchors of the chain tip, committed as records in the chain itself, provide upper bounds at the customer's chosen cadence. Combined, the result is a temporal lattice in which every record's existence time is cryptographically bounded from both directions — without external sidecar files, and without trust in the operator's local clock.

Distribution and Audit

A single call returns a structured audit of any store: chain integrity, genesis reconstruction, operator identity signature, anchor validity, sealed status, writer histogram, cross-author write counts, and the signature validity of every individual record. Verifiers extract the writer's public key directly from the genesis attestation and validate every per-record signature without any out-of-band lookup. (The licensor's signature in genesis attests the license — customer UUID, tier, validity — not the writer key; the two are independent facts, which is precisely what makes authorship provable even against the licensor.) A third party receiving a sealed store can verify everything it claims using only the file and a standalone verification utility — no network connectivity, no contractual relationship, no acquisition of a license required.

Boundaries of the Cryptographic Guarantee

Any party in possession of a SERAPH store, including legitimate licensees other than the store's creator, leaves a cryptographic fingerprint on every record they commit. Adversarial appends to a received store, accidental cross-author writes, post-distribution tampering with content or declared relationships, and silent substitution of a creator's identity are all detected at verification time. None of these are theoretical: each is a real failure mode in distributed knowledge systems, and SERAPH addresses each at the substrate level.

What secure mode does not claim to prevent is the use of a forked engine that bypasses license validation entirely. Such a system can write any bytes it likes to a file, but the resulting artifact carries no valid signature against the licensor's trusted keys and is cryptographically distinguishable from a store produced by an authorized installation. This is the appropriate division of responsibility: cryptographic provenance defends against forgery, and contractual licensing defends against unauthorized use of the software itself.

The result is a knowledge base that answers, with cryptographic rigor, the question every serious knowledge system eventually faces:

What did we record, what did we claim about it, when did we record it, who recorded it, and can all of that be proven?

In prior versions this guarantee was specified and held in reserve, activated only by deployments that required it. As of the 0.2.0 release, the Commercial and Enterprise tiers unlock the full trust model: internal integrity and genesis attestation apply to every store automatically, and — once the application supplies a writer identity — per-record writer signatures, external time anchoring, and one-way sealing operate from the moment of store creation. The license gates the tier; the application supplies the writer key. Free-tier stores retain the watermark chain and genesis attestation — the append-only integrity guarantee — but do not carry per-record writer signatures or support sealing. For deployments in which a knowledge artifact must travel between organizations, the Commercial tier transforms verification from a matter of institutional trust to a matter of arithmetic.

Clone this wiki locally