Pluck Studio / Bureau

Sigstore for AI lies.

Every AI vendor lies. The Pluck Bureau is the public ledger that catches them — and the offensive toolkit that proves it. Eleven programs, every observation Ed25519-signed, anchored to Sigstore Rekor, and verifiable with `cosign verify-attestation`.

Programs

Dragnet
alpha

Continuously hunts a target AI vendor with a signed probe-pack. Every contradiction lands in Rekor as a public red dot.

Tripwire
alpha

Wireshark for outbound LLM traffic. JS-layer interceptor attests every agent request locally; eBPF / Network Extension paths land in a follow-up.

Oath
alpha

Vendor-side commitment endpoint at `/.well-known/pluck-oath.json`. Every other bureau contradict-checks against it.

Fingerprint
alpha

Active model-swap detection. Signed ModelFingerprint/v1 cassettes flag silent vendor swaps Rekor-side.

Nuclei
alpha

Signed probe-pack registry — Metasploit / Nuclei templates for the AI honesty era. Author, sign, publish, bounty.

SBOM-AI
alpha

Sigstore-anchored AI supply-chain registry. Every model card, MCP server, and probe-pack has a verified provenance chain.

Rotate
alpha

Signing-key compromise response. KeyRevocation/v1 + automatic re-witness ledger + press regen.

Mole
alpha

Adversarial training-data extraction probes. Publicly-citable falsifications when a vendor memorizes copyrighted content.

Whistle
alpha

Anonymous AI-whistleblower pipeline. Ephemeral keys + layered redaction → ProPublica / Bellingcat / 404Media / EFF Press.

Bounty
alpha

Autonomous HackerOne / Bugcrowd filer. Dragnet red dots become signed evidence packets routed to existing bounty programs.

Custody
alpha

Browser-extension AI conversation chain-of-custody. Court-admissible WebAuthn-bound captures, 60-second journalist verification.

Refuse
alpha

Personal do-not-train attestation. Sign a canary, bind a vendor Oath, prove training-set inclusion when it leaks. Composes Oath + Mole + Dragnet + Whistle.

AVAP
alpha

AI Vulnerability Auction Protocol. Vendors stake to delay, civil society stakes to release. Threshold-witnessed time-lock, escrow ledger on Rekor, payouts off-platform. Composes Dragnet + Fingerprint + Mole + Bounty + Nuclei + Oath.

Acoustic-Scribe
alpha

Keystroke + coil-whine workload recovery with attested capture. Signed AcousticScribe/v1 cassettes bind every observation to capture-time + location + device-acoustic-fingerprint. Composes Pluck's FFT/MFCC/Goertzel DSP + Bureau core attest + Fingerprint.

Raven
alpha

Passive RF spectrum chain-of-custody. The substrate every wireless Bureau program rides on. Built Directive-first: facts hold tiles, derivations auto-compute Merkle roots + Welch distance, constraints emit signed sweep + anomaly markers to Sigstore Rekor.

Stingray
alpha

IMSI-catcher / rogue base-station detector. Real towers stay consistent; Stingrays equivocate. k-of-n geohash-distinct anonymous witnesses sign cryptographic equivocation proofs. Built Directive-first on Raven's IQ-tile substrate.

Karma
alpha

WiFi beacon honesty + evil-twin contradiction observatory. Every beacon canonicalized into a per-AP Merkle ledger; same SSID with disagreeing (BSSID, RSN/AKM, vendor-IE) at the same geohash + time = signed evil-twin proof. Deauth flood = signed event burst. Built Directive-first.

Celeste
alpha

GPS/GNSS spoof + time-source tamper attestor. Each fix signed with C/N0 + doppler + HDOP + OSNMA fingerprint. Spoofing = co-signed divergence across geohash-distinct quorum members. Time tamper = chain-monotonicity contradiction. Built Directive-first.

Cosmos
alpha

Satellite ACARS / AIS / Iridium / Inmarsat physical-fingerprint vs identity ledger. Per-(kind, identity) centroid with MAD-scaled sigma; new observations deviating > 3σ from k-of-n distinct receivers = ghost-fleet contradiction. Built Directive-first.

Knob
alpha

Bluetooth pairing-integrity attestor (BLE + Classic). Detects KNOB key-size downgrade (CVE-2019-9506), BIAS cross-transport key reuse (CVE-2020-10135), IO-cap downgrades, and MITM-flag drops. SMP transcripts canonicalized into per-device timelines; downgrades emit cosignable PairingDowngradeProof red dots. Built Directive-first.

Icarus
alpha

Drone command-and-control authentication ledger. Operator-signed flight plans + cryptographically signed C2 commands chained into per-flight Merkle trees; FAA Part 89 / EASA Remote ID broadcasts cross-checked against the signed plan. Hijack attempts (unauthorized commands, flight-plan deviation, RemoteID disagreement, geofence violation, out-of-window) emit cosignable HijackProof red dots. Built Directive-first.

Ignition
alpha

Automotive CAN / UDS / ECU integrity Bureau. Each ECU's physical-layer CAN fingerprint (bit-time jitter + recessive/dominant voltage signature + edge ramp + idle-frame spacing) flattens into a per-(VIN, ECU) centroid (median + MAD-scaled sigma). Swap an ECU and the live fingerprint moves > 3σ from the registered baseline even when the bytes look identical. UDS / ISO 14229 SecurityAccess seed/key cross-checks against the ECU's signed firmware SBOM; a key the manufacturer never issued = uds-spoof. Per-VIN odometer history is monotonic non-decreasing — Carfax-killer rollback proofs. Calibration-tamper proofs catch UDS-reported calibration IDs that disagree with the latest signed firmware manifest. Built Directive-first.

Turbine
alpha

SCADA / Modbus / OPC-UA / DNP3 / BACnet command attestor. Every commanded setpoint = a Custody leaf signed by the engineering workstation's Oath key. Stuxnet-grade lies become provable contradictions: a setpoint signed by a key not in the asset's operator allowlist OR with a value outside the engineered band envelope = unauthorized-setpoint; a Modbus / OPC-UA / DNP3 / BACnet message function code outside the device's manufacturer-signed allowlist (SBOM-AI pattern) = out-of-band-modbus; a safety-instrumented setpoint without the required k-of-n engineering co-signs = sis-quorum-failed; a setpoint signed by a Rotate-revoked key at signing time = operator-key-revoked. Designed for IEC 62443 SL3+ — utilities, water, pharma, NERC-CIP submissions. Built Directive-first.

Meridian
alpha

Smart-meter / smart-grid / PMU integrity Bureau. Every meter reading + PMU sample is signed at source with a Celeste-anchored timestamp and Merkle-rolled at the substation. Energy theft becomes a fingerprint contradiction (substation total minus the sum of meter deltas leaves a deficit), billing tamper becomes a monotonicity break in a meter's signed history, firmware rollback contradicts the SBOM-AI manifest, PMU time drift > 1 ms vs Celeste ground truth = pmu-time-drift, and a PMU phase angle disagreeing with k-of-n neighbors on the same bus = phase-mismatch. Use cases: consumers verify bills, ISOs/RTOs publish signed grid-event histories, insurers get post-blackout forensics. Built Directive-first.

Embodied-Ledger
alpha

Robot / AV / drone motor-command + sensor-frame attestation Bureau — black-box-on-Rekor for embodied AI. Each (sensor-frame digest, world-model-output digest, motor-command digest, timestamp, agent id) tuple becomes a Merkle leaf signed at source. Tampering breaks one of the links and emits a cosignable EmbodiedTamperProof red dot. Four classes: command-without-frame (motor command emitted without a corresponding signed sensor-frame in the previous N ms — robot acting blind), world-model-skip (a command derives from a world-model digest absent from the chain), out-of-envelope (motor command exceeds the OEM-signed acceleration / torque / steering rate ceiling), frame-replay (same sensor-frame digest at two distinct timestamps — sensor-replay attack). Use cases: insurance-grade incident reconstruction, OEM liability shielding, regulator post-incident forensics. Composes Raven/Celeste (ground-truth time anchor) + Fingerprint (per-(agent, hardware) physical fingerprint). Built Directive-first.

Sigil
alpha

RFID / NFC tag-cloning + EMV replay observatory. Reader-signed tag observations + APDU transcripts + terminal-fingerprint observations land as Merkle leaves in per-UID chains. Four tamper classes: uid-clone (same UID observed under two reader-side timing centroids that diverge > 3σ — clones differ in EM coupling even when bytes match), apdu-replay (identical APDU transcript bytes at two distinct timestamps on the same UID — EMV nonces never produce a repeat), counter-rollback (EMV transaction counter decreases or stays equal between two distinct timestamps — EMV requires strictly monotonic increment), terminal-mismatch (terminal observed at a geohash inconsistent with its own signed declaration — terminals don't move, the contradiction names the mover). Use cases: payment-network fraud forensics, transit-system clone hunters, access-control admins, retail-loss-prevention investigators. Composes Pluck dowse + Custody (per-card chain-of-custody for ATC progression) + Raven/Celeste (time anchor). Built Directive-first.

Hive
alpha

LoRaWAN / Zigbee / Z-Wave / Thread / Matter pairing forensics. Every join (LoRaWAN OTAA AppKey rotation, Zigbee TC link key, Z-Wave inclusion, Thread commissioner auth, Matter PASE/CASE) hashed into a per-device fabric Merkle tree. Vendor 'Matter device' claim = SBOM-AI-style attestation: device DAC + PAI cert chain + commissioning transcript hash. Four tamper classes: rogue-join (device joins a fabric without prior signed commissioning record — fabric trusts an unauthorized device), key-rotation-skip (LoRaWAN OTAA AppKey rotation epoch missing for an active device per the expected cadence — long-lived keys = compromised), matter-cert-mismatch (DAC/PAI cert chain doesn't verify against the claimed vendor-id + product-id — the 'Matter device' claim is a forgery), duplicate-eui (same device EUI joins two distinct fabrics simultaneously — hardware EUIs are per-die, collision proves cloning). Use cases: smart-home buyers, hospitals, factories auditing IoT supply integrity, regulators forensically reconstructing botnet recruitment timelines. Composes Pluck dowse + Raven (RF substrate for LoRaWAN/Zigbee/Z-Wave/Thread) + Custody (per-device chain-of-custody) + SBOM-AI (Matter DAC manifest). Built Directive-first.

Power-Ledger
alpha

DPA-style power side-channel attestation. PMBus rail-mV traces (1ms resolution) signed at source by PSU readers; per-(model, hardware) power-signature centroids derived; vendor 'AI workload' billing claims contradict-checked against the measured signature. Three contradiction classes: model-mismatch (observed power-signature centroid diverges > 3sigma from the registered baseline — vendor swapped models silently, cost-per-watt-hour gives the swap away even when API bytes look identical), crypto-miner-hidden (observed trace shows the textbook mining fingerprint of constant near-max draw + very low variance inside a workload claim that declared inference, which is bursty by definition), rail-tamper (rail-mV trace shows a step discontinuity inconsistent with any legitimate workload — PMBus shunt-bypass / tamper resistor signature). Use cases: on-prem AI compliance auditors verifying every billed inference dollar matches measured physical-layer power, data-center operators hunting hidden mining inside an 'AI workload' billing line, regulators enforcing AI training-energy disclosure. Composes Pluck listen (correlation, MFCC) + sense + Fingerprint (per-(model, hardware) physical fingerprint composition) + attest + notarize + audit-ads continuous-assurance. Built Directive-first.

Tempest-Witness
alpha

EM-emanation AI workload fingerprinting. Citizen-grade RTL-SDR / HackRF IQ captures of GPU-side EM emanations at DDR-refresh harmonics signed at source by bureau readers; per-PRN attention-head fan-out stride patterns yield model-family centroids registered as auditor-signed WorkloadFingerprints; per-capture nearest-centroid classification + vendor-claim contradiction emit signed proofs. Two attestation classes: model-classify (positive, attested classification per capture against the registered fingerprint set — the headline shape: this is not a tamper detection, it's an attested classification of the model running on the cluster), model-mismatch (vendor's signed model claim disagrees with EM-derived classification — they claim GPT-4 but the EM signature classifies as Llama-3-70B). False-positive resistance: legit prompt-driven variation widens per-capture cosine distance modestly but does NOT cross the registered fingerprint's centroid stddev scaled to a different model's centroid; mismatch fires only when classified-distance is below threshold AND claimed-distance is above threshold. Converts EM eavesdropping from TLA-only capability into citizen-science AI compliance tool. Use cases: on-prem AI compliance auditors verifying every billed inference dollar matches measured physical-layer model-family, data-center operators hunting unauthorized model swaps, regulators enforcing AI training / inference disclosure, citizen scientists auditing on-device AI accelerator integrity. Composes Pluck radio/iq + radio/dsp/fft + radio/dsp/goertzel + listen (feature-vector math) + Fingerprint (per-model-family EM centroid composition) + attest + notarize. Built Directive-first.

Ember
alpha

Multi-modal EM+power+thermal+acoustic side-channel attestor for AI inference. Reader-signed multi-modal samples fuse 4 orthogonal physics channels — GPU power-rail (PMBus shunt-mV trace), EM emanation (RTL-SDR / HackRF IQ at DDR-refresh harmonics), fan-acoustic (USB microphone spectrogram of the chassis fan response to load), and thermal-IR (FLIR Lepton frame deltas of die / VRM / VRAM hotspot pattern). Per-(model, hardware) cross-channel centroids registered as auditor-signed EmberFingerprints; cross-channel agreement bonus + sigma-multiplier scoring detect three contradiction shapes — model-swap (combined cross-channel deviation > 3sigma from the registered baseline — vendor swapped models silently and four independent physics channels caught it), rack-mismatch (the physical-rack signature doesn't match the rack-id the vendor signed), channel-spoof (3 of 4 channels agree but the fourth diverges, e.g., RF jamming, PSU power filtering, or single-channel fake). False-positive resistance: thermal-warmup window leniency (stabilization after rack startup is benign); cross-channel agreement bonus discounts confidence when 4 channels concur. Higher confidence than any single-channel detector by combining orthogonal physics — one channel can be jammed or spoofed; four can't agree on a lie. Use cases: on-prem AI compliance auditors verifying every billed inference dollar matches measured physical-layer (model, hardware) identity, data-center operators hunting unauthorized model swaps inside an inference billing line, regulators enforcing AI training / inference disclosure, citizen scientists auditing on-device AI accelerator integrity. Composes Pluck sense/sensors/{thermal,flicker,spectrogram,welch} (multi-modal feature extraction) + Fingerprint (per-(model, hardware) cross-channel centroid composition) + attest + notarize + mirror + contradict. Built Directive-first.

Thermal-Afterglow
alpha

IR-camera attestation of recently-pressed keys + GPU/server-room thermal observation chain. A $200 FLIR-One captures keypress order from residual heat for ~30s after the finger leaves the key; server-room thermal anomaly = unbilled compute or unexpected hardware. Reader-signed thermal captures + auditor-signed clean-state baselines drive three observation classes — keypress-recovery (red-team: residual-heat keypress order recovery from social-media thermal selfies, ATM PIN / hotel-safe code recovery — the Bureau attests the recovered sequence, not the cleartext), datacenter-anomaly (blue-team: server-room thermal signature deviates >3sigma from the signed clean-state baseline at the same locationHash — possible unbilled compute, unexpected hardware, rack-swap), afterglow-replay (same residual-heat pattern at two distinct timestamps for the same keyboard fingerprint = surveillance replay; afterglow decays in ~30s, identical feature vectors at distinct minutes is high-signal for a replayed image). False-positive resistance: baseline-window exclusion (captures inside the auditor's commissioning window are skipped — that period is expected to be thermally noisy); monotonic-decay gate on keypress-recovery (random ambient drift fails the decay test); same-timestamp guard on afterglow-replay (two captures with identical timestamps are the same observation written twice, not a replay). Use cases: red-team operators recovering ATM PINs / hotel-safe codes from thermal selfies, blue-team SCIF / server-room operators hunting unbilled compute or unexpected hardware, citizen scientists auditing physical-layer thermal observation chains. Composes Pluck sense (image forensics: ELA + moiré reused for thermal artifacts) + extract (keypress sequence from thermal feature vector) + Fingerprint (per-(camera, location) thermal centroid) + attest + notarize. Built Directive-first.

Magneto-Air
alpha

Air-gap covert-channel detection from GMR sensors / smartphone magnetometers. CPU-induced magnetic fields punch through Faraday cages and reach a commodity smartphone magnetometer at ~1m. Reader-signed 3-axis magnetic traces (B_x/B_y/B_z) + auditor-signed clean-state SCIF baselines drive three observation classes — fsk-exfil (red-team: alternating tones in the AIR-FI band 1-5 kHz are frequency-shift-keyed exfiltration through the magnetic carrier; classic AIR-FI envelope), psk-exfil (red-team: single dominant in-band carrier with rapid phase variance, BPSK-style phase-shift-keyed modulation), baseline-anomaly (blue-team: SCIF magnetic baseline deviates >3sigma from the signed clean-state centroid at the same locationHash — possible unauthorized device powered on inside the room, active EM bridge, or rack/hardware swap). False-positive resistance: mains-harmonic skip (peaks within 5 Hz of any 50/60 Hz harmonic up through 600 Hz are filtered before tone counting — legit electric-motor noise + 60Hz mains harmonics drown the lower band edge but never the AIR-FI envelope); AIR-FI envelope gate (tones outside 1-5 kHz are skipped — AIR-FI lives there, below drowns in mains, above drops out the air); baseline-window exclusion (traces inside the auditor's commissioning window are skipped — that period is expected to be magnetically noisy); carrier-uniqueness gate on PSK (multi-tone is FSK, not PSK, so the FSK detector wins). The Bureau attests the *detection*, never the cleartext bytes the covert channel was carrying. AIR-FI-class attack countermeasure. Use cases: blue-team SCIF / server-room operators hunting unauthorized devices or active EM bridges, red-team operators detecting AIR-FI / MAGNETO covert channels from phone-magnetometer captures, citizen scientists auditing physical-layer air-gap integrity. Composes Pluck radio (magnetometer is a low-frequency radio receiver) + listen (FSK/PSK demod via Goertzel + circular phase variance) + sense + attest + notarize. 
Built Directive-first.

Press-Pipe
alpha

Auto-press-kit + ProPublica/Bellingcat handoff with signed citation graph — Snowden pipeline, signed end-to-end. Source dumps via Whistle (Tor, post-quantum); Custody chain signs from drop -> editor -> publication; Bounty auto-files at SEC/FTC/ICC if criminal evidence; Nuclei lets newsrooms publish signed verification probe-packs. Anonymous Whistle-side source drops + newsroom intake EditorReceipts + downstream press Citations drive three observation classes — drop-tampered (red-team: source-drop hash chain breaks between Whistle -> editor -> publication leg; either an editor's dropDigest doesn't match the source's drop digest, or a per-pipe prevDigest chain link doesn't reproduce — high-signal that someone spliced the chain), citation-fabricated (red-team: a downstream press citation in `mode: "reproduction"` whose cassetteRef doesn't match the dossierHash it claims to reference; the outlet is asserting reproduction against a dossier hash that demonstrably did not produce it), auto-file-routed (blue-team: criminal evidence detected — auto-route the dossier to the appropriate regulator (SEC/FTC/ICC) and emit a signed routing event so the routing decision itself is auditable). False-positive resistance: commentary-mode skip (citations with `mode: "commentary"` are never flagged — legitimate downstream press that references the dossier hash without claiming reproduction is not a fabrication); receipt-presence gate (drop-tampered requires BOTH a SourceDrop and an EditorReceipt for the same dropId — a drop that hasn't been picked up by any newsroom yet is not a contradiction); pipe-isolation on prev-digest (chain checks only compare drops within the same pipeHash); auto-file routing requires explicit classifier opt-in (defaults to never-route — operators tune for their jurisdiction). Citation graph signed end-to-end — when 404Media cites the dossier, their citation is a signed leaf. 
The Bureau attests the *integrity* of the citation graph, never the cleartext of the drops. Use cases: investigative newsrooms (ProPublica / Bellingcat / The Intercept) needing court-grade chain-of-custody, citizen journalists auditing downstream press fidelity, regulators triaging criminal-evidence handoffs. Composes Pluck Whistle (anonymous source ingest) + Custody (drop -> editor -> publication chain) + Bounty (auto-file routing) + Nuclei (verification probe-packs) + attest + notarize. Built Directive-first.

Coordinated
alpha

Cross-platform CIB observatory — Dragnet the bots, Fingerprint the model, sign the dossier. Dragnet probe-packs scrape suspect account clusters across X / TikTok / Reddit / Telegram; Fingerprint detects when 40+ accounts share the same generation-model signature (perplexity bands, token-prob fingerprint within tight tolerance); Tripwire on consenting endpoint catches the LLM-API call that generated the post; Nuclei lets researchers (Stanford IO, Graphika, DFRLab) publish signed CIB probe-packs. Three observation classes — shared-model-fingerprint (red-team: 40+ accounts share the same generation-model signature within tight tolerance; high-signal that a single LLM is generating posts for an entire cluster of accounts), tripwire-confirmed (red-team: Tripwire-side observation on a consenting endpoint catches the LLM-API call that generated a flagged post; direct evidence — no inference required), cross-platform-cluster (red-team: same account-fingerprint pattern observed on 2+ platforms (X / TikTok / Reddit / Telegram) at coordinated timestamps; single dossier no platform can deny — Meta can't say 'didn't happen on our side' when X-side and Telegram-side observations are co-signed). False-positive resistance: organic-language gate (clusters whose centroid lies inside the operator-supplied organic baseline are skipped — legit news-cycle convergence where thousands of organic accounts share a topic without sharing a generation model is not flagged); Tripwire-confirmation requires explicit operator consent (defaults to deny-all — researchers tune for their jurisdiction and authorized endpoint set); cross-platform-cluster requires same suspect account-id digest observed on 2+ distinct platforms within a tight time window — a single account simply existing on multiple platforms (totally legitimate) does not fire. 
PII posture: only account-id digests (sha256(platform || ':' || account-id || salt)) and post-fingerprint feature vectors carried; never raw handles or raw post bytes — the Bureau attests the *integrity* of the cluster, never the cleartext of the posts. Ships during election cycle. Use cases: election-integrity researchers (Stanford IO / Graphika / DFRLab) needing court-grade chain-of-custody, civil-society networks fighting CIB, regulators triaging cross-platform CIB handoffs. Composes Pluck Dragnet (probe-pack scrape pattern) + Fingerprint (model-signature centroid) + Tripwire (endpoint observation) + Nuclei (signed CIB probe-pack registry) + attest + notarize. Built Directive-first.

Evidence-Locker
alpha

Court-admissible deepfake detection + expert-witness AI disclosure — FRE 901/902 by signature. Defense / prosecution submits any digital exhibit through Custody at intake; Fingerprint runs deepfake detection with signed result; SBOM-AI anchors any AI tool an expert witness used; Oath binds expert witnesses to disclosed-tools commitments; Rotate handles compromised forensic-lab keys. FRE 901/902 already accepts cryptographic authentication; Pluck makes it standard. Three observation classes — exhibit-deepfake (red-team: Fingerprint-driven deepfake detection on the submitted exhibit fires positive; the exhibit is not authentic and the proof is signed by the detector lab), tooling-undisclosed (red-team: expert witness used an AI tool not in their signed Oath disclosed-tools commitment; the Oath itself is the falsification — the expert committed to a tool-set, used a wider tool-set, and the difference is the proof), chain-broken (red-team: Custody chain integrity gap between intake -> submission -> courtroom; a required leg's prevDigest doesn't reproduce against the prior leg's legDigest, or the chain has fewer legs than the operator-required minimum). False-positive resistance: legit-re-encoding gate (exhibit-deepfake requires both the detector-side manipulated:true flag AND the score crossing the operator-supplied threshold (0.85 default); a low-confidence binarization from a Premiere export or browser screenshot resave does not fire); Oath-set membership only (tooling-undisclosed fires only when usedTools \ declaredTools is non-empty; an expert who removed a tool between Oath and analysis is the OPPOSITE direction, completely legitimate); first-leg leniency (chain-broken skips the very first custody leg's prevDigest; a break is only emitted when an interior leg's prevDigest is missing or doesn't match the prior leg's legDigest). 
PII posture: only digests (sha256 of exhibit bytes), party hashes (sha256(partyId + ':' + caseSalt)), and case-id hashes (sha256(caseId + ':' + caseSalt)) carried; never raw exhibit cleartext or raw party identities — the Bureau attests the *integrity* of the exhibit + chain of custody, never the bytes. Use cases: defense + prosecution counsel demanding court-grade chain-of-custody, forensic labs binding their tooling to Oath, judges seeking standardized cryptographic authentication of digital exhibits, regulators standardizing deepfake-evidence handling. Composes Pluck Custody (chain-of-custody from intake -> courtroom) + Fingerprint (deepfake-detection signed result) + SBOM-AI (expert-witness AI tool manifest) + Oath (expert disclosed-tools commitment) + Rotate (forensic-lab key compromise) + attest + notarize. Built Directive-first.

Counterfeit-Kill
alpha

Physical-object Fingerprint for pharma / luxury / conflict minerals — sign the molecule, not the QR code. Fingerprint-of-physical-object (microscope-level surface stochastics, paper fiber, pill imprint, gem inclusions) registered at factory; Custody chains every shipping leg (factory -> distributor -> retailer -> consumer); SBOM-AI anchors the per-product-class supplier graph so unauthorized factories surface immediately; Bounty auto-files customs / FDA when divergence is detected. Object-level entropy fingerprinting is unforgeable without the original object — a counterfeit pill, conflict diamond, or fake luxury bag carries its own stochastic fingerprint, and that fingerprint cannot match the registered class centroid. Three observation classes — fingerprint-divergence (red-team: an object's stochastic fingerprint deviates >3sigma from the registered product-class centroid; almost certainly counterfeit; centroid math uses robust median + MAD-scaled sigma so a small number of counterfeits cannot bias their own sigma), supplier-not-in-graph (red-team: a Custody shipment leg signed by a supplier whose SPKI fingerprint is not in the product class's signed SBOM-AI supplier graph; the supplier itself is unauthorized — gray-market pharma diversion or third-shift fake luxury), chain-broken (red-team: Custody chain integrity gap between factory -> distributor -> retailer -> consumer; a required leg's prevDigest doesn't reproduce against the prior leg's legDigest, or a hop is missing entirely). 
False-positive resistance: 3sigma threshold operator-tunable (legit factory-side surface variation within tolerance does not fire — only true outliers cross the gate); supplier-graph membership only (suppliers added to the SBOM-AI graph after a signed update are immediately authorized — the program does not retro-flag pre-update shipments); first-leg leniency on chain-broken (the factory leg has no prevDigest by definition; a break is only emitted when an interior leg's prevDigest is missing or doesn't match the prior leg's legDigest). PII posture: only object-fingerprint digests + product-class hashes + supplier SPKI fingerprints carried; consumer-side observations are hashed before attest — the Bureau attests the *integrity* of the object + chain, never the cleartext of the consumer's identity. Use cases: pharma manufacturers demanding gray-market diversion proof, luxury brands fighting third-shift counterfeits, conflict-mineral certifiers binding diamonds to provenance, customs / FDA accepting cryptographic counterfeit evidence. Composes Pluck Fingerprint (per-product-class object centroid via robust median + MAD-scaled sigma) + Custody (factory -> consumer shipment chain) + SBOM-AI (supplier graph) + Bounty (auto-file customs/FDA) + attest + notarize. Built Directive-first.

Market-Honest
alpha

Algorithmic-trade attestation + market-maker Dragnet — sign every fill, pump-and-dump auto-filed. Dragnet runs probe-packs against trading-bot APIs (Renaissance, Jane Street public endpoints, Robinhood retail PFOF); Fingerprint detects model-swap between disclosed and deployed strategies; Custody signs every fill for SEC submission; Bounty auto-files at FINRA / SEC when a dossier is decisive. Best-execution proofs become cryptographically falsifiable; pump-and-dump rings detected via cross-exchange signed observation. Three observation classes — model-swap (red-team: deployed strategy's order-flow fingerprint deviates >3sigma from the disclosed StrategyFingerprint centroid; centroid math uses robust median + MAD-scaled sigma so a small number of swapped orders cannot bias their own sigma), best-execution-fail (red-team: a signed Fill executed at a price worse than NBBO at execution time by more than the operator-supplied basis-point tolerance; buys at price > ask + tolerance OR sells at price < bid - tolerance fire — cross-the-spread is normal, the program fires only on the directional violation), pump-and-dump (red-team: synchronized buy-then-dump pattern across 3+ distinct exchanges within a tight time window — 60s pump window + 5min dump window default; both pump and dump legs required). False-positive resistance: 3sigma threshold operator-tunable (legit prompt-driven order-flow variation lives inside the centroid distribution and never crosses 3sigma); in-quote leniency on best-execution-fail (thinly-traded micro-caps with wide bid-ask spreads do not fire when the fill is at the inside quote); minimum-distinct-venues gate on pump-and-dump (single-exchange whales — legit institutional fills — do not fire). 
PII posture: only fillId digests + venue + symbol + modelIdHash + counterpartyIdHash carried; client-account / counterparty cleartext NEVER appears in a TimelineDot summary or proof payload — the Bureau attests the *integrity* of the fill + strategy + ring, never the cleartext of the client's identity. Use cases: regulators (FINRA / SEC) accepting cryptographic algo-trade evidence, retail brokers proving best-execution compliance, hedge funds binding disclosed-strategy commitments to deployed reality, researchers detecting cross-exchange manipulation rings. Composes Pluck Dragnet (probe-pack scrape against trading-bot APIs) + Fingerprint (per-(model, venue) order-flow centroid) + Custody (per-fill signed chain) + Bounty (auto-file FINRA / SEC) + attest + notarize. Built Directive-first.

Trial-Seal
alpha

Clinical-trial data integrity + FDA submission custody — Theranos-proof your trial: every patient a Merkle leaf. Each patient observation signed at the bedside device; Custody chains site -> CRO -> sponsor -> FDA; Mole detects whether trial data was used to train a downstream LLM (HIPAA-grade contamination); Fingerprint verifies the analysis-pipeline model digest matches the signed Statistical Analysis Plan (SAP) manifest; Rotate handles PI key compromise without retroactive trial invalidation. Eliminates the entire class of Theranos-shape frauds — you cannot selectively delete patients post-hoc when every visit is a Merkle leaf. Four observation classes — patient-deletion (red-team: a previously-signed PatientObservation no longer in the submitted dataset; the latest observation for the (trialId, subjectIdHash) was status `active` AND the subjectIdHash is missing from the FDA submission's subject manifest), sap-divergence (red-team: the analysis model digest in the submission does not match the latest signed SAP manifest digest; sponsor post-hoc model swap is the textbook fraud here), training-leak (red-team: Mole detects trial data was used to train a downstream LLM; HIPAA-grade contamination — the leak proof carries the subjectIdHash + a deterministic leak fingerprint, never the LLM output bytes), chain-broken (red-team: a Custody chain hop is missing in the site -> CRO -> sponsor -> FDA chain; the dossier is structurally incomplete). 
False-positive resistance: coded withdrawals never fire patient-deletion (status: `withdrew` | `completed` codes legit dropout via protocol — the program respects protocol-coded exits); sap-divergence requires BOTH a signed manifest AND a deployed digest (missing manifest = ops issue, not data-integrity fraud); training-leak fires only when Mole flags reference a tracked observation (stray hits are skipped); chain-broken counts on the structural REQUIRED_CHAIN_HOPS set so partial-chain operators correctly emit chain-broken proofs by definition. PII posture: only observationId digests + trialId (public) + subjectIdHash (sha256(trialSalt + subjectId)) + measurement digests carried; raw PHI / subject identity NEVER appears in a TimelineDot summary or proof payload — the Bureau attests the *integrity* of the observation + chain + analysis model, never the cleartext of the patient's identity. Use cases: the FDA accepting cryptographic clinical-trial evidence, sponsors binding disclosed analysis plans to deployed reality, CROs proving site-to-FDA chain-of-custody, regulators detecting Theranos-shape fraud at scale, patients getting tamper-evident receipts that their data wasn't deleted post-hoc. Composes Pluck Custody (site -> CRO -> sponsor -> FDA chain) + Mole (downstream-LLM training-leak detection) + Fingerprint (analysis-model fingerprint vs SAP) + SBOM-AI (analysis-pipeline manifest) + Rotate (PI key compromise) + attest + notarize. Built Directive-first.
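The three structural Trial-Seal gates described above (patient-deletion, sap-divergence, chain-broken), as an added example that is not the project's own code. Every function and field name is an assumption apart from the status codes and `REQUIRED_CHAIN_HOPS`, whose contents are assumed from the site -> CRO -> sponsor -> FDA chain; all sample records are constructed.

```javascript
// Added illustration, not Pluck Bureau source. Field names are assumptions.
const REQUIRED_CHAIN_HOPS = ["site", "CRO", "sponsor", "FDA"]; // contents assumed

// Keep only the latest signed observation per (trialId, subjectIdHash).
function latestBySubject(observations) {
  const latest = new Map();
  for (const obs of observations) {
    const key = obs.trialId + "|" + obs.subjectIdHash;
    const prev = latest.get(key);
    if (!prev || Date.parse(obs.observedAt) > Date.parse(prev.observedAt)) {
      latest.set(key, obs);
    }
  }
  return latest;
}

// patient-deletion: latest status is `active` AND the subject is missing from
// the submission manifest. Coded exits (`withdrew`, `completed`) never fire.
function detectPatientDeletion(observations, submission) {
  const manifest = new Set(submission.subjectManifest);
  const proofs = [];
  for (const obs of latestBySubject(observations).values()) {
    if (obs.trialId !== submission.trialId) continue;
    if (obs.status !== "active") continue;
    if (manifest.has(obs.subjectIdHash)) continue;
    // Only hashes and ids go into the proof, never subject identity.
    proofs.push({
      kind: "patient-deletion",
      trialId: obs.trialId,
      subjectIdHash: obs.subjectIdHash,
      lastObservationId: obs.observationId,
    });
  }
  return proofs;
}

// sap-divergence: needs BOTH a signed manifest and a deployed digest.
function detectSapDivergence(latestSapManifest, submission) {
  if (!latestSapManifest || !submission.analysisModelDigest) return [];
  if (latestSapManifest.modelDigest === submission.analysisModelDigest) return [];
  return [{
    kind: "sap-divergence",
    trialId: submission.trialId,
    signedDigest: latestSapManifest.modelDigest,
    submittedDigest: submission.analysisModelDigest,
  }];
}

// chain-broken: any required hop absent from the custody chain.
function detectChainBroken(submission) {
  const present = new Set(submission.custodyHops.map((h) => h.hop));
  const missingHops = REQUIRED_CHAIN_HOPS.filter((hop) => !present.has(hop));
  if (missingHops.length === 0) return [];
  return [{ kind: "chain-broken", trialId: submission.trialId, missingHops }];
}

function auditSubmission(observations, latestSapManifest, submission) {
  return [
    ...detectPatientDeletion(observations, submission),
    ...detectSapDivergence(latestSapManifest, submission),
    ...detectChainBroken(submission),
  ];
}

// Constructed sample data (placeholder hashes and digests).
const TRIAL = "TRIAL-EXAMPLE-1";
const SAMPLE_OBSERVATIONS = [
  { observationId: "obs-001", trialId: TRIAL, subjectIdHash: "hash-subject-a", status: "active", observedAt: "2025-01-10T09:00:00Z" },
  { observationId: "obs-002", trialId: TRIAL, subjectIdHash: "hash-subject-a", status: "active", observedAt: "2025-02-10T09:00:00Z" },
  { observationId: "obs-003", trialId: TRIAL, subjectIdHash: "hash-subject-b", status: "active", observedAt: "2025-01-10T10:00:00Z" },
  { observationId: "obs-004", trialId: TRIAL, subjectIdHash: "hash-subject-b", status: "withdrew", observedAt: "2025-02-12T10:00:00Z" },
  { observationId: "obs-005", trialId: TRIAL, subjectIdHash: "hash-subject-c", status: "active", observedAt: "2025-01-11T11:00:00Z" },
];
const SAMPLE_SAP_MANIFEST = { modelDigest: "digest-model-v1" };
const SAMPLE_SUBMISSION = {
  trialId: TRIAL,
  subjectManifest: ["hash-subject-a"], // b withdrew (legit), c was dropped
  analysisModelDigest: "digest-model-v2",
  custodyHops: [{ hop: "site" }, { hop: "CRO" }, { hop: "FDA" }],
};

const SAMPLE_PROOFS = auditSubmission(SAMPLE_OBSERVATIONS, SAMPLE_SAP_MANIFEST, SAMPLE_SUBMISSION);
```

Subject b is absent from the manifest but does not fire because its latest status is the coded exit `withdrew`; subject c is absent with latest status `active` and does.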

Citizen-Ledger
alpha

Self-sovereign personal record chain — your health record, your signature, their countersignature. Citizens sign their own health, employment, legal, financial, and education records (the citizen IS the root); institutions co-sign (countersignature) what they hold; revocation flows via Rotate; the Whistle channel surfaces institutional cover-ups; Oath binds any institution's self-sovereignty commitment. Inverts the data-broker model — the citizen is the root. Equifax-shape breaches lose value because there is no central honeypot. Three observation classes — violation-of-self-sovereignty (red-team: an institution shares or sells a record without the citizen's signed consent Oath; the institution holds a record but can produce no signed consent attestation from the citizen-root for the disclosure), missing-counter-sign (red-team: an institution claims to have a record on file but cannot produce the citizen-signed root attestation; either the institution fabricated the record or stripped the citizen-signed root after intake), post-revoke-use (red-team: an institution accesses or uses a record after the citizen issued Rotate revocation; the use timestamp is strictly after the citizen's revokedAt). False-positive resistance: legit anonymized statistical aggregation under a citizen-signed `aggregate:anonymized` consent does NOT fire violation-of-self-sovereignty (the program respects citizen-issued blanket aggregation consents); on-target external shares under `share:specific` consents do NOT fire (only off-target external shares cross the gate); a counter-sign whose observedAt precedes the revocation does NOT fire post-revoke-use (only strictly post-revoke uses). 
PII posture: only citizenIdHash (sha256(citizenSalt + citizenId)) + recordDigest + recordKind carried; raw citizen identity / record content NEVER appears in a TimelineDot summary or proof payload — the Bureau attests the *integrity* + *self-sovereignty* of the record chain, never the cleartext of the citizen's identity OR the record content. Use cases: citizens demanding cryptographic self-sovereignty over their own records, regulators (HHS / EU GDPR / state consumer-protection AGs) accepting cryptographic personal-record evidence, journalists exposing data-broker abuses, hospitals / employers / banks proving they hold valid citizen-signed root attestations. Composes Pluck Custody (citizen-side chain-of-custody) + Rotate (citizen-issued revocation of their own keys / institutional keys) + Whistle (institutional cover-up channel) + Oath (institution self-sovereignty commitment) + attest + notarize. Built Directive-first.

Gossip
alpha

Operator-to-operator signed observation peering — the moat: every Pluck operator co-signs, no Pluck-Inc trust required. Operators run Tripwire / Dragnet / Nuclei / etc. locally; Gossip turns each operator into a peer in a cross-attesting mesh — every alpha program's outputs co-signed by N peers before being trusted as MeshAttested. Sybil-resistant via stake or web-of-trust signer disclosure. The mesh becomes the moat: no Pluck-Inc trust required. Pluck graduates from "trust us" to "trust the mesh." Three observation classes — sybil-detected (red-team: a peer-fingerprint cluster shares the same web-of-trust signer set within tight similarity, likely sock-puppet), co-sign-conflict (red-team: same peer co-signs two contradicting observations — the peer cannot be in two truth-states simultaneously), stake-slashed (red-team: peer's stake / reputation drops below threshold due to verified false co-signatures). False-positive resistance: a legit cluster of peers in the same org with disclosed-relationship Oath (matching `orgKey`) does NOT fire sybil-detected — the program respects org-disclosed relationship attestations and treats shared-signer cliques with matching `orgKey` as a single declared entity. PII posture: peer fingerprints are deliberately public — the mesh's whole reason to exist is *public* operator identity. No PII is carried in any signed body; observations themselves are passed-through digests, never raw bodies. Use cases: Pluck operators forming a cross-attesting mesh, researchers proving observation lineage without Pluck-Inc trust, journalists citing mesh-ratified Bureau output, regulators accepting k-of-n quorum-attested cassettes. Composes Pluck Tripwire (local observation source) + Custody (chain-of-custody on peer-to-peer message) + Rotate (peer key revocation) + ALL alpha programs as observation sources + attest + notarize. Built Directive-first.

Policy-Auction
alpha

Zero-knowledge policy-compliance markets — prove EU AI Act compliance in ZK, auction the audit. Regulators publish policy as a Nuclei probe-pack (e.g., "EU AI Act Art. 5"); vendors bid to attest compliance via ZK proofs without disclosing model weights; Dragnet continuously verifies; Oath penalizes drift; Custody makes audits cryptographic. ZK-SNARKs over model behaviour close the "trade secret vs regulator" deadlock — vendors prove compliance without disclosing weights, regulators get a cryptographic audit trail. Three observation classes — zk-verify-fail (red-team: vendor's ZK proof does not validate against the policy probe-pack's public inputs; either the proof is fabricated, the proof targets the wrong public inputs, or the attestation carries replay-mismatched public inputs vs the probe pack), drift-detected (red-team: Dragnet observes the vendor diverging from its signed attestation by more than the operator-supplied tolerance band — the vendor passed the audit once but the deployed model has drifted past the attested behaviour band), vendor-equivocation (red-team: same vendor signs two ZK attestations on the same policyId carrying contradicting public inputs — the vendor cannot be in two compliance states simultaneously). False-positive resistance: drift fractions AT-OR-BELOW the signed `toleranceBand` do NOT fire drift-detected — the program respects vendor-disclosed tolerance published in the policy probe-pack. PII posture: vendor model weights NEVER appear in any signed body — the *whole point* of the ZK-SNARK is that vendors prove compliance without disclosing weights. The signed surface carries opaque proof bytes (the ZK proof), the public inputs (which the regulator publishes anyway), and digest fingerprints. 
ALPHA STATUS: the ZK-SNARK math is STUBBED — `verifyZkProof()` is a deterministic prefix-check (proof bytes start with sha256-of-public-inputs prefix) so the program shape (auction → bid → ZK-attestation → continuous-verify) round-trips end-to-end; real circom / snarkjs / halo2 integration over model behaviour is research-required and lands in a follow-up. Use cases: regulators publishing cryptographically-verifiable policy benchmarks (EU AI Act, UK FCA, US NIST AI-RMF), vendors proving compliance without disclosing model weights, journalists citing ZK-attested compliance claims, third-party auditors composing Dragnet drift reports into signed proofs. Composes Pluck Nuclei (signed probe-pack registry) + Dragnet (continuous probe-driven drift detection) + Oath (vendor commitment to compliance) + Custody (audit chain) + Rotate (vendor key revocation) + attest + notarize. Built Directive-first.

LiDAR-Whisper
alpha

Remote keystroke + speech recovery from window vibrations via consumer LIDAR — your window is a microphone. Consumer LIDAR (iPhone Pro, Livox Mid-360) gives sub-mm range resolution at 30 Hz. With phase unwrapping you get audio-band vibration -> speech reconstruction from across the street, no IR laser required. Nobody has weaponized this yet because the math is annoying — Bureau can be first. Three observation classes — speech-recovered (red-team: signed Reconstruction with speech-class confidence STRICTLY above 0.6; the gate is boundary-exclusive, ambient HVAC vibration captures do NOT fire), keystroke-recovered (red-team: signed Reconstruction with keystroke-class confidence STRICTLY above 0.7; higher than speech because the false-positive cost of "I recovered your password" is high), remote-surveillance-detected (blue-team: own-LIDAR detects external high-frequency target sweeps consistent with surveillance LIDAR painting your windows). False-positive resistance: ambient HVAC captures (low SNR, low confidence) do NOT fire either red-team class; non-painted captures (no sweep energy) do NOT fire the blue-team class. PII posture: this program by definition handles recovered surveillance content — leaking it through the proof timeline would defeat the whole posture. The RECOVERED-SPEECH BYTES NEVER appear in any signed body — only the reconstruction feature vector digest + SNR + confidence values. RECOVERED-KEYSTROKE CONTENT NEVER appears — only the rhythm confidence + SNR. ALPHA STATUS: real LIDAR phase-unwrap -> speech reconstruction is the "annoying math" flagged as research-required — `reconstructAudio()` is deterministic so tests pin specific behaviours; real Livox Mid-360 / iPhone-Pro LiDAR integration + real phase-unwrap math (Itoh's 1D phase unwrap, branch-cut 2D unwrap, residue tracking) is research-required and lands in a follow-up. The PROGRAM SHAPE — capture -> reconstruction attestation -> red/blue-team toggle — is the alpha deliverable. 
Use cases: red-team operators recovering speech / keystrokes from across-the-street LIDAR captures (with attested signed bodies that NEVER leak the recovered content), blue-team defenders detecting when their windows are being painted by surveillance LIDAR, journalists citing surveillance-LIDAR claims with cryptographically-verifiable evidence, third-party auditors composing range-distance forensics into signed proofs. Composes Pluck SENSE (rolling-shutter forensics generalized) + LISTEN (audio reconstruction from vibration) + EXTRACT (keystroke timing extraction) + WITNESS (anonymous LIDAR-witness submission) + Custody (LIDAR capture chain-of-custody) + Rotate (operator key compromise on hardware-fingerprint leak) + attest + notarize. Built Directive-first.

QKD-Witness
alpha

BB84 QKD attestation + post-quantum migration ledger — Schrödinger's signature, alive at 11% QBER. QKD systems output a key + an error rate (QBER). No standard attests "this key came from a non-tampered BB84 channel at QBER < 11%." Bureau mints that statement. Also tracks fleet-wide migration from Ed25519 -> ML-DSA-65 with signed transition events — `harvest-now-decrypt-later` accountability. Three observation classes — qber-too-high (red-team: signed QkdSession with QBER strictly above the BB84 secure-key threshold of 11%; the 11% boundary is the canonical BB84 information-theoretic security cutoff (Shor / Preskill 2000)), session-equivocation (red-team: same hardware fingerprint signs two QkdSessions with conflicting key digests at the same observedAt instant — a QKD device cannot output two distinct keys for the same session at the same wall-clock instant; the contradiction names a tampered or cloned device), harvest-then-decrypt (red-team: a classical-encrypted asset was harvested by an adversary BEFORE the operator's MigrationEvent transition from Ed25519 -> ML-DSA-65 — the operator can no longer claim the asset was "always post-quantum protected"; by definition it was classical at harvest time). False-positive resistance: QBER == 11% is the boundary, STILL secure, does NOT fire — only QBER strictly > 11% crosses the gate; identical key digests at the same timestamp (idempotent re-observation) do NOT fire session-equivocation; harvest AT or AFTER migration does NOT fire harvest-then-decrypt. PII posture: QKD KEY BYTES NEVER appear in any signed body — only the key digest (sha256 of the raw key bytes) is carried so verifiers can confirm the same key produced the digest without exposing it; ciphertext bytes for harvest markers stay opaque (only the asset digest). 
ALPHA STATUS: the BB84 hardware bridge is STUBBED — `readQkdSession()` returns deterministic test data; real BB84 hardware integration (IDQ Clavis³, Toshiba MU200, Qubitekk QC2) is research-required and lands in a follow-up. The PROGRAM SHAPE — key attestation -> QBER threshold check -> post-quantum migration ledger -> harvest-then-decrypt detection — is the alpha deliverable. Use cases: enterprise crypto operators publishing cryptographically-verifiable QKD audits, NIST PQC migration auditors tracking fleet-wide algorithm transitions, journalists citing harvest-now-decrypt-later accountability claims, third-party auditors composing migration latency reports into signed proofs. Composes Pluck Fingerprint (per-device hardware fingerprint composition) + Custody (key digest chain-of-custody) + Rotate (operator key compromise during migration) + Oath (operator commitment to PQ migration deadline) + attest + notarize. Built Directive-first.

Neuro-Consent
alpha

BCI command + visual-stimulus prompt-injection attestation — sign every thought before it becomes a command. P300 spellers and SSVEP BCIs are getting prompt-injected via flickering visual stimuli (researchers showed adversarial flicker patterns inject "yes" into a paralyzed user's BCI). Every motor command emitted by BCI is signed with a (raw-EEG-digest, stimulus-frame-digest, classifier-version) tuple — first neural-rights-grade audit primitive. Chile already passed neural-rights legislation. Three observation classes — adversarial-flicker-detected (red-team: stub adversarial-flicker classifier returned isAdversarial=true with confidence STRICTLY above 0.7; the 0.7 boundary is the Bureau's false-positive resistance cutoff — at or below 0.7 the classifier signal is too noisy to claim "this stimulus is adversarial"), consent-violation (red-team: motor command emitted that's outside the user's signed consent envelope, e.g., user consented to yes/no responses but command is approve-transaction), classifier-version-mismatch (red-team: BCI's classifier version in the signed command does NOT match the latest signed neural-rights manifest version — drift after compromise). False-positive resistance: a legit user-initiated novel command after explicit re-consent (the kind IS in the user's consent envelope) does NOT fire adversarial-flicker-detected even when the stub classifier hits — the program treats consented kinds as authorized regardless of stimulus posture; a command of a kind on the consented list does NOT fire consent-violation; a matching classifier version does NOT fire classifier-version-mismatch. PII posture: this program by definition handles HIPAA-grade neural data — leaking raw EEG content through the proof timeline would defeat the whole posture. The RAW EEG BYTES NEVER appear in any signed body — only the sha256 digest. RAW STIMULUS PIXEL BYTES NEVER appear — only the digest. 
The user-id appears only as a sha256 hash so the same user's commands cluster across captures without disclosing identity. ALPHA STATUS: real P300 / SSVEP adversarial-flicker classifier integration is research-required — `detectAdversarialStimulus()` is deterministic so tests pin specific behaviours; real classifier integration (P300 / SSVEP / hybrid) is research-required and lands in a follow-up. The PROGRAM SHAPE — raw EEG digest + stimulus frame digest + classifier version → motor command attestation — is the alpha deliverable. Use cases: BCI vendors signing every motor command before it becomes a downstream action (with attested signed bodies that NEVER leak raw EEG bytes / raw stimulus pixels / raw user identity), disability-rights advocates auditing whether a paralyzed user's "yes" was injected by a flickering screen, neural-rights regulators (Chile already passed neural-rights legislation) requiring cryptographically-verifiable consent envelopes, third-party auditors composing BCI command logs into signed proofs. Composes Pluck LISTEN (DSP for EEG band-power adapted from Pluck's FFT/MFCC stack) + SENSE (image forensics for stimulus screens) + WITNESS (anonymous BCI-witness submission) + Custody (BCI command chain-of-custody) + Rotate (operator key compromise on hardware-fingerprint leak) + REDACT (strip raw EEG before attest) + attest + notarize. Built Directive-first.

Cosmic-Drift
alpha

Cosmic-ray bitflip detection as supply-chain attestation — muons are your honeypot, lie and the sky tells on you. Muon flux at sea level is ~1 per cm² per minute and rises with altitude. SRAM bitflip rates have a measurable cosmic-ray floor — commodity SRAM at sea level sits in the single-digits errs/MB/day regime, aboard an airliner at cruise (~10 km) the rate is ~300× higher. If observed soft-error rate (SER) is anomalously LOW for the claimed altitude / geomagnetic latitude, hardware is being shielded or virtualized — a hypervisor is intercepting reads, the SRAM the operator "samples" is the hypervisor's emulated buffer, not the physical part. Bureau signs (geographic-altitude, observed-SER, expected-SER-from-Regener-Pfotzer-curve, hardware-fingerprint) tuples and emits red-team proofs when the physics contradict the operator's claim. Detects firmware Trojans via *physics they can't fake* — the Regener-Pfotzer cosmic-ray curve is information-theoretically universal; an attacker cannot make muons appear at scale, only suppress them. 
Three observation classes — anomalously-low-ser (red-team: observed SER STRICTLY less than 0.3× expected; the 0.3 boundary is the Bureau's false-positive resistance cutoff — natural Regener-Pfotzer flux variation sits at roughly ±20% over the 11-year solar cycle plus ~10–15% diurnal/seasonal noise, so a 70% drop cannot be explained by natural variation; names hardware that is being shielded (Faraday/lead/scrubbed) or virtualized (hypervisor intercepting reads)), altitude-claim-falsified (red-team: implied altitude (back-derived from observed SER) differs from claimed altitude by STRICTLY MORE THAN 2000 m; vendor claiming sea-level but exhibiting cruise-altitude flux (300× the sea-level rate) is mis-stating the device's location), hardware-shielded (red-team: two consecutive observations from the SAME hardware fingerprint at the SAME bucketed location — no location change — show the second observation dropping by STRICTLY MORE THAN 50% relative to the first; a sudden 50%+ drop without a location change names hardware that has been shielded between captures). False-positive resistance: an SER at or above 0.3× expected does NOT fire anomalously-low-ser (the natural-variation band is preserved); the implied altitude must differ from the claimed by MORE than 2000 m — natural ±100 m altimeter noise plus Regener-Pfotzer band noise stays inside the gate; a drop AT or BELOW 50% does NOT fire hardware-shielded (natural Regener-Pfotzer diurnal/seasonal variation can reach this magnitude during solar maxima); a location change between captures suppresses the hardware-shielded proof; legit Hawaii (~21°) vs Denver (~50°) geomagnetic-latitude variation does NOT fire (the curve's pole-vs-equator bonus stays inside the gate). PII posture: precise location (operator's exact altitude / geomag-lat / hardware coordinates) is the PII. 
Before any body is signed, altitude is bucketed to 100 m and geomag-lat is bucketed to 1° resolution — the resolution at which the Regener-Pfotzer curve still produces meaningful expected-SER samples but the operator's exact location does not leak. Hardware fingerprints stay full 64-hex (deliberately public — the whole point of the proof is to name the device). `redactBureauPayload` runs as the pre-attest gate. ALPHA STATUS: real Regener-Pfotzer cosmic-ray flux model integration is research-required — `expectedSerForLocation(altitude_m, geomagLat)` is deterministic (SER doubles roughly every 1500 m, latitude bonus at high latitudes) so tests pin specific behaviours; real curve calibration (1933 Regener-Pfotzer balloon dataset + post-1958 IGY / IGY-2 cosmic-ray monitor network + 2015–present neutron-monitor data + RACER (Solar Energetic Particle event) corrections + per-chip SRAM cross-section calibration) lands in a follow-up. The PROGRAM SHAPE — geographic input → expected SER → observed SER → tamper proof if anomalously LOW — is the alpha deliverable. Use cases: hardware vendors signing every SRAM observation before it becomes a downstream supply-chain claim (with attested signed bodies that bucket altitude to 100m + geomag-lat to 1° so precise location PII does NOT leak), defense / aerospace / critical-infrastructure auditors detecting hypervisor interception + shielded firmware Trojans, journalists citing supply-chain-tamper claims with cryptographically-verifiable evidence, third-party auditors composing per-hardware SER timelines into signed proofs. Composes Pluck SENSE (cosmic-ray bitflip counting generalized) + Fingerprint (per-hardware SER baseline composition) + Custody (SRAM observation chain-of-custody) + Rotate (operator key compromise on hardware-fingerprint leak) + REDACT (bucket precise location before attest) + attest + notarize. Built Directive-first.
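The three Cosmic-Drift gates and the pre-signing location bucketing, as an added example that is not the project's own code. It uses only the stub model the page describes (SER doubling every 1500 m); the latitude bonus is omitted, and the sea-level baseline of 5 errors/MB/day, the function names and the field names are assumptions.

```javascript
// Added illustration, not Pluck Bureau source.
const SEA_LEVEL_SER = 5;          // errors/MB/day, constructed baseline (assumption)
const DOUBLING_ALTITUDE_M = 1500; // stub model from the page
const LOW_SER_RATIO = 0.3;        // anomalously-low-ser: strictly below 0.3x expected
const ALTITUDE_GATE_M = 2000;     // altitude-claim-falsified: strictly more than 2000 m
const SHIELD_DROP_GATE = 0.5;     // hardware-shielded: strictly more than a 50% drop

// Bucket altitude to 100 m and geomagnetic latitude to 1 degree before signing.
function bucketLocation(altitudeM, geomagLat) {
  return {
    altitudeM: Math.round(altitudeM / 100) * 100,
    geomagLat: Math.round(geomagLat),
  };
}

// Stub expected SER: doubles every 1500 m (latitude bonus omitted here).
function expectedSerStub(altitudeM) {
  return SEA_LEVEL_SER * Math.pow(2, altitudeM / DOUBLING_ALTITUDE_M);
}

// Invert the stub curve: which altitude would produce this SER?
function impliedAltitudeM(observedSer) {
  return DOUBLING_ALTITUDE_M * Math.log2(observedSer / SEA_LEVEL_SER);
}

// `previous` is the prior observation from the same device, or undefined.
function classifyObservation(obs, previous) {
  const loc = bucketLocation(obs.altitudeM, obs.geomagLat);
  const expectedSer = expectedSerStub(loc.altitudeM);
  const fired = [];

  if (obs.observedSer < LOW_SER_RATIO * expectedSer) {
    fired.push("anomalously-low-ser");
  }
  if (obs.observedSer > 0 &&
      Math.abs(impliedAltitudeM(obs.observedSer) - loc.altitudeM) > ALTITUDE_GATE_M) {
    fired.push("altitude-claim-falsified");
  }
  if (previous && previous.observedSer > 0 &&
      previous.hardwareFingerprint === obs.hardwareFingerprint) {
    const prevLoc = bucketLocation(previous.altitudeM, previous.geomagLat);
    const sameLocation = prevLoc.altitudeM === loc.altitudeM &&
                         prevLoc.geomagLat === loc.geomagLat;
    const drop = (previous.observedSer - obs.observedSer) / previous.observedSer;
    // A location change between captures suppresses the proof.
    if (sameLocation && drop > SHIELD_DROP_GATE) fired.push("hardware-shielded");
  }

  // Only bucketed location values enter the body that would be signed.
  const signedBody = {
    hardwareFingerprint: obs.hardwareFingerprint,
    altitudeM: loc.altitudeM,
    geomagLat: loc.geomagLat,
    observedSer: obs.observedSer,
    expectedSer,
  };
  return { signedBody, fired };
}

// Constructed sample observations (placeholder fingerprint).
const FP = "hw-fingerprint-placeholder";
const NOMINAL = { hardwareFingerprint: FP, altitudeM: 37, geomagLat: 40.2, observedSer: 5.2 };
const SUPPRESSED = { hardwareFingerprint: FP, altitudeM: 37, geomagLat: 40.2, observedSer: 1.0 };
const CRUISE_FLUX = { hardwareFingerprint: FP, altitudeM: 0, geomagLat: 40, observedSer: 500 };
const DENVER_BEFORE = { hardwareFingerprint: FP, altitudeM: 1600, geomagLat: 39.7, observedSer: 10 };
const DENVER_AFTER = { hardwareFingerprint: FP, altitudeM: 1620, geomagLat: 39.9, observedSer: 4.8 };
```

Under this doubling model the 2000 m gate corresponds to an SER ratio of about 0.40 (or 2.52 on the high side), so the suppressed sample fires altitude-claim-falsified as well as anomalously-low-ser.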

Cherenkov-Witness
alpha

Datacenter neutron flux as tamper-evident location fingerprint — cosmic rays geo-locate your data, vendors can't fake the sky. $400 silicon photomultiplier inside a datacenter rack measures local neutron + muon flux. Combined (geomag, altitude, building-mass, time-of-day-cosmic-ray-modulation) signature is a site fingerprint that cannot be cloned to a different physical location. If your `EU-sovereign` cloud workload reports neutron signature matching Virginia, vendor lied about geography. Cryptographic proof of physical workload location — defeats data-residency fraud. Three observation classes — geography-mismatch (red-team: observed flux signature deviates STRICTLY MORE THAN 3 sigma from registered site fingerprint centroid (per-axis MAD-scaled std-dev); the 3-sigma boundary is the Bureau's false-positive resistance cutoff — natural neutron-flux variation (solar cycle, diurnal, weather) sits inside the MAD-scaled gate so a deviation at-or-below 3 sigma cannot be claimed as forgery; names a flux signature that does NOT match the site's known centroid — the rack physically moved or the observation came from a different physical location), data-residency-fraud (red-team: vendor signs an observation with `claimedRegion` (e.g. `us-east-1`) that contradicts the registered SiteFingerprint's `expectedRegion` (e.g. `EU-sovereign`); names a residency claim physics contradicts), site-cloned (red-team: same `siteId` is observed at two distinct hardware fingerprints within SITE_CLONE_WINDOW_MS (60 seconds); names a site fingerprint being broadcast from two physical racks at once — impossible without a clone). 
False-positive resistance: a deviation at-or-below 3 sigma does NOT fire geography-mismatch (natural variation band preserved); centroids with fewer than MIN_Fingerprint_SAMPLES samples are considered insufficient and DO NOT fire the detector; an observation without `claimedRegion` does NOT fire data-residency-fraud; matching `claimedRegion` and `expectedRegion` do NOT fire; observations from the same hardware fingerprint do NOT fire site-cloned (single rack is allowed to re-observe its own site); observations of the same siteId from distinct hardware separated by more than SITE_CLONE_WINDOW_MS do NOT fire (legit hardware swap / re-deployment is allowed when not simultaneous); legit time-of-day cosmic-ray modulation (~±5% diurnal swing) does NOT fire geography-mismatch (the natural-variation band is preserved by the MAD-scaled sigma). PII posture: precise location (operator's exact altitude / geomag-lat / hardware coordinates) is the PII. Before any body is signed, altitude is bucketed to 100 m and geomag-lat is bucketed to 1° resolution — the resolution at which neutron-flux variation still produces meaningful expected-flux samples but the operator's exact location does not leak. The `siteId` appears only as a sha256 hash so the same site's observations cluster across captures without disclosing identity. No raw datacenter address ever appears in any signed body. Hardware fingerprints stay full 64-hex (deliberately public — the whole point of the proof is to name the device). `redactBureauPayload` runs as the pre-attest gate. 
ALPHA STATUS: real silicon photomultiplier hardware integration (Hamamatsu S13360 array on a USB-C ADC, 24/7 sampling cadence, neutron-vs-muon discrimination via pulse-shape analysis, building-mass-attenuation calibration via co-located reference detector, per-rack temperature compensation) is research-required + hardware-required ($400 silicon photomultiplier inside the rack); `readSipmFlux(deviceFingerprint)` is deterministic — given a known stub deviceFingerprint it returns a known-shaped FluxObservation so tests pin specific behaviours. Real SiPM bridge integration lands in a follow-up. The PROGRAM SHAPE — site fingerprint registration → continuous flux observation → location-claim verification — is the alpha deliverable. Use cases: data-residency auditors verifying `EU-sovereign` cloud claims via cosmic-ray physics (with attested signed bodies that bucket altitude to 100m + geomag-lat to 1° so precise location PII does NOT leak), defense / national-security operators detecting hypervisor-routed workloads, journalists citing un-fakeable workload-location attestations, third-party auditors composing per-site flux timelines into signed proofs. Composes Pluck SENSE (cosmic-ray flux ingest generalized) + Fingerprint (per-site flux centroid composition mirroring Cosmos robust-median + MAD math) + WITNESS (independent multi-rack witness submission) + Custody (flux observation chain-of-custody) + Rotate (operator key compromise on hardware-fingerprint leak) + REDACT (bucket precise location before attest) + attest + notarize. Built Directive-first.
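The robust median + MAD-scaled sigma centroid that the geography-mismatch gate here and the model-swap gate in the algorithmic-trade program both rely on, as an added example that is not the project's own code. It contrasts the robust centroid with a naive mean/standard-deviation centroid on a baseline that already contains a few swapped samples; the function names, the two-axis feature vector, the minimum-sample value of 8 and all sample values are assumptions.

```javascript
// Added illustration, not Pluck Bureau source.
const MAD_TO_SIGMA = 1.4826; // scales MAD to a std-dev estimate for normal data
const SIGMA_GATE = 3;        // fire only STRICTLY above 3 sigma
const MIN_SAMPLES = 8;       // assumed value; the page names a minimum but not its size

function median(values) {
  const sorted = [...values].sort((a, b) => a - b);
  const mid = sorted.length >> 1;
  return sorted.length % 2 ? sorted[mid] : (sorted[mid - 1] + sorted[mid]) / 2;
}

// Per-axis robust centroid. Returns null when there are too few samples,
// so an under-sampled centroid can never fire the detector.
function robustCentroid(samples) {
  if (samples.length < MIN_SAMPLES) return null;
  const center = [];
  const sigma = [];
  for (let d = 0; d < samples[0].length; d++) {
    const axis = samples.map((s) => s[d]);
    const m = median(axis);
    const mad = median(axis.map((v) => Math.abs(v - m)));
    center.push(m);
    sigma.push(MAD_TO_SIGMA * mad);
  }
  return { center, sigma };
}

// Naive centroid (mean and population std-dev), shown only for contrast.
function naiveCentroid(samples) {
  const center = [];
  const sigma = [];
  for (let d = 0; d < samples[0].length; d++) {
    const axis = samples.map((s) => s[d]);
    const mean = axis.reduce((a, b) => a + b, 0) / axis.length;
    const variance = axis.reduce((a, v) => a + (v - mean) ** 2, 0) / axis.length;
    center.push(mean);
    sigma.push(Math.sqrt(variance));
  }
  return { center, sigma };
}

// Largest per-axis deviation, in units of that axis's sigma.
function maxDeviation(centroid, observation) {
  let worst = 0;
  for (let d = 0; d < observation.length; d++) {
    const dev = Math.abs(observation[d] - centroid.center[d]);
    const z = centroid.sigma[d] > 0 ? dev / centroid.sigma[d] : (dev === 0 ? 0 : Infinity);
    worst = Math.max(worst, z);
  }
  return worst;
}

function deviates(centroid, observation) {
  return centroid !== null && maxDeviation(centroid, observation) > SIGMA_GATE;
}

// Constructed baseline: 12 legitimate two-axis samples plus 3 swapped ones
// that were (wrongly) absorbed into the registration window.
const CLEAN = [
  [97, 50], [98, 51], [98, 49], [99, 50], [99, 52], [100, 48],
  [100, 50], [101, 51], [101, 49], [102, 50], [102, 51], [103, 49],
];
const SWAPPED = [[160, 50], [160, 50], [160, 50]];
const BASELINE = [...CLEAN, ...SWAPPED];

const ROBUST = robustCentroid(BASELINE);
const NAIVE = naiveCentroid(BASELINE);
```

With three swapped samples in the window the naive sigma inflates to about 24, so the swapped point sits near 2 sigma and passes; the MAD-scaled sigma stays near 3 and the same point lands at roughly 20 sigma.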

Graviton-Ghost
alpha

Gravitational-wave detector co-incidence as cosmic timestamp ground-truth — your timeline is signed by the universe. LIGO publishes gravitational-wave detection timestamps to nanosecond precision. Cross-reference any cryptographic timestamp against the next LIGO event detection — if your notarized log claims t < t_LIGO but contains causal reference to t_LIGO content, it's forged. Cosmic ground-truth time. Cannot be backdated by any earthbound adversary including nation-states. The detector co-incidence requirement (LIGO-Hanford + LIGO-Livingston + Virgo observing the same waveform within milliseconds) makes gravitational-wave timestamps un-fakeable: an attacker cannot fabricate a coincident detection across three globally-separated observatories. Three observation classes — causal-precedence-violated (red-team: timestamp claim's claimedTime is STRICTLY before the cited LIGO event's integratedTime BUT the contentDigest matches the LIGO event content — impossible, the claimant references content that did not yet exist at the claimed time; names a forged timestamp), ligo-event-fabricated (red-team: claim cites a citedLigoEventId that does NOT appear in the LIGO catalog OR the catalog event has detector co-incidence verification fail (fewer than 2 detectors); claimant fabricated a non-existent gravitational-wave event), timestamp-window-blown (red-team: claim's window endpoints are inverted (windowStart > windowEnd) OR the window envelopes the cited LIGO event with the WRONG temporal direction — windowEnd before integratedTime AND windowStart before integratedTime). False-positive resistance: a claim whose claimedTime is at-or-after the cited LIGO event's integratedTime does NOT fire causal-precedence-violated (causality is preserved); a claim whose citedLigoEventId is empty / undefined does NOT fire ligo-event-fabricated; a window without start+end does NOT fire timestamp-window-blown; a window with start <= end that correctly envelopes the cited event does NOT fire. 
PII posture: LIGO/Virgo events are PUBLIC scientific data — there is no PII to redact in the LigoEvent surface. The TimestampClaim carries content digests (already sha256-shaped) + a Rekor uuid (already public by definition — it's a transparency-log entry) + the claimed time (a wall-clock string). `redactBureauPayload` runs as the pre-attest gate so any operator-supplied context strings (claim labels, vendor names) pass through the redactor before signing. Operator SPKI fingerprints stay full 64-hex (deliberately public — they name the assembler). ALPHA STATUS: real LIGO/Virgo gravitational-wave catalog ingest is research-required — `fetchLigoEvent(eventId)` is deterministic (returns known stubs for "GW250101_120000" / "GW250215_034512" / "GW250318_184030", null for unknown) so tests pin specific behaviours; real catalog integration (GWTC-1/2/3 catalog mirror, GraceDB low-latency alerts, KAGRA-O4 joint detections) lands in a follow-up. The PROGRAM SHAPE — timestamp claim → LIGO co-incidence verify → forgery-impossible attestation — is the alpha deliverable. Use cases: cryptographic timestamp custodians (Sigstore, GTS, notaries) cross-referencing every Rekor entry against the next LIGO event detection with cryptographically-verifiable cosmic ground-truth, journalists citing un-backdatable timestamps in chain-of-custody narratives, defense / national-security operators detecting nation-state-grade timestamp forgery (no earthbound adversary can fabricate coincident detections across three globally-separated observatories), third-party auditors composing cosmic-ground-truth timeline attestations into signed proofs. Composes Pluck Custody (timestamp chain-of-custody) + Fingerprint (per-detector hardware fingerprint composition) + Rotate (operator key compromise on assembler-fingerprint leak) + REDACT (sanitize operator-supplied context before attest) + attest + notarize. Built Directive-first.

SCIF-Audit
alpha

Every air-gapped facility under co-signed observation. SCIF leak attempts get cryptographic indictments by morning. Meta-dossier program. SCIF-Audit is not a new detection primitive — it ORCHESTRATES six existing Bureau programs (Magneto-Air, Tempest-Witness, Ember, Thermal-Afterglow, Power-Ledger, Gossip) into a single signed envelope per Sensitive Compartmented Information Facility per audit window. A SCIF security officer or third-party auditor instruments a building of compartmented workspaces with $200 of side-channel sensors (smartphone magnetometer, software-defined radio, IR camera, PMU); the program collects red dots from each substrate, clusters cross-program co-fires (a Tempest-Witness workload-fingerprint that fires within 15 minutes of a Magneto-Air FSK exfil at the same SCIF gets HIGHER priority than each in isolation), and produces a single FRE-902 court-admissible cassette by morning. The dossier shape mirrors the universal meta-dossier template seeded by Election-Day-Watch and reused by PHARMA-MIRROR, AUTONOMY-LEDGER, FRONTLINE-WITNESS. Three observation classes — single-program-leak (red-team: any of the 6 substrate programs emits a red dot for this SCIF; green observations do NOT fire — substrate gates legit-vs-falsification), cross-program-leak (red-team: 2+ DISTINCT substrate programs co-fire within an INCLUSIVE 15-min window for the same SCIF; higher-priority cassette + auto-route to the SCIF Security Officer; requires DISTINCT programs, not depth within one), dossier-finalized (end-of-window Merkle-rolled signed envelope with k-of-n Gossip cosign quorum; fail-closed paused gate so an operator can halt instantly via the bureau-wide kill-switch). 
False-positive resistance: green substrate dots never cluster (idle-workstation EM profiles, ambient magnetic baselines, nominal PSU rails, nominal GPU thermal profiles stay inside their respective substrate gates); cross-program clustering requires 2+ DISTINCT substrate programs (two Magneto-Air dots do NOT cluster — the program looks for breadth across substrates, not depth within one); the 15-min window is INCLUSIVE — exactly 15 min apart fires, 16+ min apart does NOT; finalize is paused-gated (resumed cassettes re-verify quorum still holds before publishing). PII posture: cleared-personnel identities NEVER appear in any signed body or TimelineDot summary; scifId rides as a stable identifier (or as a hash if facility-classification concerns apply); the substrate-program citation is an opaque digest (not the raw Magneto-Air magnetometer trace, raw Ember GPU EM trace, raw Thermal-Afterglow IR frame, etc.). The Bureau attests the *integrity* + *cross-program co-fire* of the dot stream, never the cleartext of the upstream program's payload. `redactBureauPayload` strips any operator-supplied context strings BEFORE attest. ALPHA STATUS: alpha accepts unified-shape ScifDots as opaque JSON inputs; full runtime composition (subscribing to actual Magneto-Air / Tempest-Witness / Ember / Thermal-Afterglow / Power-Ledger / Gossip system instances' fact streams) wires in a follow-up. Production CLI surface (`init` / `sweep` / `finalize` / `verify`) lands in a follow-up. The PROGRAM SHAPE — SCIF claim → substrate dots → cross-program clustering → cosign quorum → dossier finalize → FRE-902 cassette — is the alpha deliverable. 
Use cases: SCIF security officers managing a building of compartmented workspaces, defense-IC red teams running covert-channel exfiltration drills, third-party SCIF auditors signing an evidence chain after a window, supply-chain forensics teams investigating EM/power/thermal/magnetic-field side-channel exfil attempts, NIST/CMMC auditors verifying contractor SCIF instrumentation actually fired. Composes Pluck Magneto-Air (magnetic-field covert-channel detection from CPU EM emanations) + Tempest-Witness (EM emanation fingerprint of running AI/inference workloads through walls) + Ember (GPU EM/power/thermal side-channel signatures vs. claimed model identity) + Thermal-Afterglow (IR-camera attestation of recently-pressed keys + GPU thermal model id) + Power-Ledger (DPA-style power-side-channel attestation from PSU PMBus telemetry) + Gossip (cross-attest so Pluck-Inc never holds singular keys) + attest + notarize. Built Directive-first.

Election-Day-Watch
alpha

Every contested polling place under co-signed observation in real time — one CLI ships a court-admissible cassette by midnight. Meta-dossier opener. Election-Day-Watch is not a new detection primitive — it ORCHESTRATES seven existing Bureau programs (Coordinated, Stingray, Celeste, Dragnet, Evidence-Locker, Press-Pipe, Gossip) into a single signed envelope per precinct per election day. A civilian observer or election-integrity volunteer walks a polling place with a $40 RTL-SDR + phone; the program collects red dots from each substrate, clusters cross-program co-fires (a Stingray equivocation that fires within 30 minutes of a Celeste time-tamper at the same precinct gets HIGHER priority than each in isolation), and produces a single FRE-902 court-admissible cassette by midnight. The dossier shape is the universal meta-dossier template every other meta-dossier (PHARMA-MIRROR, AUTONOMY-LEDGER, SCIF-AUDIT, FRONTLINE-WITNESS) inherits from. Three observation classes — single-program-incident (red-team: any of the 7 substrate programs emits a red dot for this precinct; green observations do NOT fire — substrate gates legit-vs-falsification), cross-program-incident (red-team: 2+ DISTINCT substrate programs co-fire within an INCLUSIVE 30-min window for the same precinct; higher-priority cassette + auto-route to DOJ; requires DISTINCT programs, not depth within one), dossier-finalized (end-of-day Merkle-rolled signed envelope with k-of-n Gossip cosign quorum; fail-closed paused gate so an operator can halt instantly via the bureau-wide kill-switch). 
False-positive resistance: green substrate dots never cluster (legit cell-tower handover, organic news convergence, vendor maintenance window stay inside their respective substrate gates); cross-program clustering requires 2+ DISTINCT substrate programs (two Stingray dots do NOT cluster — the program looks for breadth across substrates, not depth within one); the 30-min window is INCLUSIVE — exactly 30 min apart fires, 31+ min apart does NOT; finalize is paused-gated (resumed cassettes re-verify quorum still holds before publishing). PII posture: voter PII NEVER appears in any signed body or TimelineDot summary; precinctId rides as a stable identifier (or as a hash if vendor PII concerns apply); the substrate-program citation is an opaque digest (not the raw Stingray tower observation, raw Celeste GPS fix, raw Coordinated bot mention, etc.). The Bureau attests the *integrity* + *cross-program co-fire* of the dot stream, never the cleartext of the upstream program's payload. `redactBureauPayload` strips any operator-supplied context strings BEFORE attest. ALPHA STATUS: alpha accepts unified-shape PrecinctDots as opaque JSON inputs; full runtime composition (subscribing to actual Coordinated / Stingray / Celeste / Dragnet / Evidence-Locker / Press-Pipe / Gossip system instances' fact streams) wires in a follow-up. Production CLI surface (`init` / `walk` / `finalize` / `verify`) lands in a follow-up. The PROGRAM SHAPE — precinct claim → substrate dots → cross-program clustering → cosign quorum → dossier finalize → FRE-902 cassette — is the alpha deliverable. 
Use cases: civilian observers walking a polling place with $40 of RTL-SDR + a phone, journalists (ProPublica, AP, Bellingcat) needing court-admissible exhibits within hours of polls closing, state-level election-integrity teams running co-signed observation networks across N precincts, DOJ Voting Rights Section auditors establishing the cryptographic chain-of-custody for a contested precinct, civic-group transparency campaigns tied to the 2026 midterm cycle. Composes Pluck Coordinated (bot-network detection across X / TikTok / Reddit / Telegram for precinct mentions) + Stingray (IMSI-catcher detection within 500m of the precinct) + Celeste (GPS spoof + time-tamper attestor on poll-worker tablets) + Dragnet (adversarial honesty probes against election-AI vendors) + Evidence-Locker (court-admissible exhibit chain-of-custody) + Press-Pipe (auto-route to ProPublica / DOJ Voting Rights / Verified Voting / Brennan Center) + Gossip (cross-attest so Pluck-Inc never holds singular keys) + attest + notarize. Built Directive-first.

Pharma-Mirror
alpha

Every pill, every trial, every patient under signed chain-of-custody — Theranos-shape frauds become cryptographic contradictions. Meta-dossier program. Pharma-Mirror is not a new detection primitive — it ORCHESTRATES five existing Bureau programs (Counterfeit-Kill, Trial-Seal, Citizen-Ledger, Whistle, Bounty) into a single signed envelope per pharma lot per audit window. An FDA inspector / hospital pharmacist / pharma CISO / IRB chair / Theranos-style whistleblower registers a lot under audit; the program collects red dots from each substrate, clusters cross-program co-fires (a Counterfeit-Kill fingerprint divergence that fires within 24 hours of a Trial-Seal chain-of-custody break for the same lot gets HIGHER priority than each in isolation), and produces a single FDA-grade cassette per audit window. The dossier shape inherits from the universal meta-dossier template seeded by Election-Day-Watch and reused by SCIF-Audit / Autonomy-Ledger / Frontline-Witness. Three observation classes — single-program-divergence (red-team: any of the 5 substrate programs emits a red dot for this lot; green observations do NOT fire — substrate gates legit-vs-falsification), cross-program-divergence (red-team: 2+ DISTINCT substrate programs co-fire within an INCLUSIVE 24-hour window for the same lot; higher-priority cassette + auto-route to FDA / FTC; requires DISTINCT programs, not depth within one), dossier-finalized (end-of-window Merkle-rolled signed envelope with k-of-n Gossip cosign quorum; fail-closed paused gate so an operator can halt instantly via the bureau-wide kill-switch). 
False-positive resistance: green substrate dots never cluster (legit pill imprint variation, legit patient observation, vendor maintenance windows stay inside their respective substrate gates); cross-program clustering requires 2+ DISTINCT substrate programs (two Counterfeit-Kill dots do NOT cluster — the program looks for breadth across substrates, not depth within one); the 24-hour window is INCLUSIVE — exactly 24 hours apart fires, 24h+1ms apart does NOT; finalize is paused-gated (resumed cassettes re-verify quorum still holds before publishing). PII posture: PATIENT PII NEVER appears in any signed body or TimelineDot summary; lotId rides as a sha256 hash of (NDC + lot-number) — never the raw NDC + lot-number tuple — so signed bodies do not leak the manufacturer's stock-keeping codes nor expose distribution patterns to adversaries who can correlate dossiers against shipping manifests; the substrate-program citation is an opaque digest (not the raw Counterfeit-Kill surface fingerprint, raw Trial-Seal patient observation, raw Citizen-Ledger consent body, etc.). The Bureau attests the *integrity* + *cross-program co-fire* of the dot stream, never the cleartext of the upstream program's payload. `redactBureauPayload` strips any operator-supplied context strings BEFORE attest. ALPHA STATUS: alpha accepts unified-shape LotDots as opaque JSON inputs; full runtime composition (subscribing to actual Counterfeit-Kill / Trial-Seal / Citizen-Ledger / Whistle / Bounty system instances' fact streams) wires in a follow-up. Production CLI surface (`init` / `track` / `finalize` / `verify`) lands in a follow-up. The PROGRAM SHAPE — lot claim → substrate dots → cross-program clustering → cosign quorum → dossier finalize → FDA-grade cassette — is the alpha deliverable. 
Use cases: FDA inspectors auditing a pharma supply chain, hospital pharmacists tracking lot integrity from manufacturer to patient with cryptographic chain-of-custody, pharma CISOs running co-signed observation networks across N manufacturing sites, IRB chairs auditing clinical-trial data integrity, Theranos-style whistleblowers needing cryptographic exhibits within hours. Composes Pluck Counterfeit-Kill (physical-object FINGERPRINT for pharma — microscope-level surface stochastics, paper fiber, pill imprint) + Trial-Seal (clinical-trial data integrity + FDA submission custody) + Citizen-Ledger (self-sovereign personal record chain — patient signs their own consent + data) + Whistle (Tor + post-quantum source-protection drop channel for trial-fraud whistleblowers) + Bounty (auto-file at FDA / FTC when divergence detected) + attest + notarize. Built Directive-first.

Autonomy-Ledger
alpha

Every autonomous decision under signed chain-of-custody — black box becomes glass box, one CLI ships a court-admissible cassette per mission. Meta-dossier program. Autonomy-Ledger is not a new detection primitive — it ORCHESTRATES seven existing Bureau programs (Embodied-Ledger, Icarus, Ignition, Knob, Hive, Celeste, Evidence-Locker) into a single signed envelope per autonomous-platform per mission. A Waymo / Cruise fleet ops engineer, FAA drone investigator, used-car insurer, robotics OEM, autonomous-vehicle plaintiff's attorney, or BCI vendor registers a platform under a mission; the program collects red dots from each substrate, clusters cross-program co-fires (an Embodied-Ledger motor-command mismatch that fires within 5 minutes of a Celeste GPS spoof on the same vehicle gets HIGHER priority than each in isolation), and produces a single FRE-902 court-admissible black-box cassette per mission. The dossier shape inherits from the universal meta-dossier template seeded by Election-Day-Watch and reused by SCIF-Audit / Pharma-Mirror / Frontline-Witness. Three observation classes — single-program-incident (red-team: any of the 7 substrate programs emits a red dot for this platform; green observations do NOT fire — substrate gates legit-vs-falsification), cross-program-incident (red-team: 2+ DISTINCT substrate programs co-fire within an INCLUSIVE 5-min window for the same platform; higher-priority cassette + auto-route to NHTSA / FAA / OSHA; requires DISTINCT programs, not depth within one), dossier-finalized (end-of-mission Merkle-rolled signed envelope with k-of-n Gossip cosign quorum; fail-closed paused gate so an operator can halt instantly via the bureau-wide kill-switch). 
False-positive resistance: green substrate dots never cluster (legit firmware update windows, normal C2 acks, routine GPS handovers between satellites stay inside their respective substrate gates); cross-program clustering requires 2+ DISTINCT substrate programs (two Embodied-Ledger dots do NOT cluster — the program looks for breadth across substrates, not depth within one); the 5-min window is INCLUSIVE — exactly 5 min apart fires, 5min+1ms apart does NOT; finalize is paused-gated (resumed cassettes re-verify quorum still holds before publishing). PII posture: passenger / pedestrian / bystander PII NEVER appears in any signed body or TimelineDot summary; platformId rides as a stable identifier (VIN / drone serial / robot UUID — clear OR hashed if vendor PII concerns apply); the substrate-program citation is an opaque digest (not the raw Embodied-Ledger motor command, raw Icarus C2 packet, raw Ignition CAN frame, raw Knob BLE pairing payload, raw Hive Zigbee join payload, raw Celeste GPS fix, raw Evidence-Locker exhibit). The Bureau attests the *integrity* + *cross-program co-fire* of the dot stream, never the cleartext of the upstream program's payload. `redactBureauPayload` strips any operator-supplied context strings BEFORE attest. ALPHA STATUS: alpha accepts unified-shape PlatformDots as opaque JSON inputs; full runtime composition (subscribing to actual Embodied-Ledger / Icarus / Ignition / Knob / Hive / Celeste / Evidence-Locker system instances' fact streams) wires in a follow-up. Production CLI surface (`init` / `record` / `finalize` / `verify`) lands in a follow-up. The PROGRAM SHAPE — platform claim → substrate dots → cross-program clustering → cosign quorum → dossier finalize → FRE-902 cassette — is the alpha deliverable. 
Use cases: Waymo / Cruise fleet ops needing per-mission black-box cassettes, FAA drone-incident investigators reconstructing C2 + RemoteID + GPS chain-of-custody after a near-miss, used-car insurers + DMV inspectors verifying VIN + odometer + ECU calibration history, robotics OEMs (Boston Dynamics, Agility) attesting motor-command + sensor-frame integrity over a robot's mission, autonomous-vehicle plaintiff's attorneys establishing what the AV actually saw + did at the moment of an accident, BCI vendors (Neuralink, Synchron) signing every BLE pairing event for medical-device-grade auditability. Composes Pluck Embodied-Ledger (robot/AV/drone motor-command + sensor-frame attestation — sensor → world-model → motor-command triple) + Icarus (drone C2 + RemoteID authentication ledger) + Ignition (automotive CAN/UDS/ECU integrity Bureau — VIN, odometer, calibration ID) + Knob (Bluetooth pairing-integrity attestor — BLE + Classic, KNOB / BIAS downgrade proofs) + Hive (LoRaWAN / Zigbee / Z-Wave / Thread / Matter pairing forensics) + Celeste (GPS / GNSS spoof + time-source tamper attestor) + Evidence-Locker (court-admissible deepfake + expert-witness AI disclosure) + attest + notarize. Built Directive-first.
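The cross-program clustering rule shared by SCIF-Audit, Election-Day-Watch, Pharma-Mirror and Autonomy-Ledger, as one added JavaScript example (not Pluck's code). The window lengths come from the text; the dot shape (`entityId`, `program`, `verdict`, `observedAt`), the `clusterDots` name and the sample dots are constructed assumptions.

```javascript
const MIN = 60 * 1000;
// Inclusive co-fire windows stated for each meta-dossier program.
const WINDOW_MS = {
  'scif-audit': 15 * MIN,
  'election-day-watch': 30 * MIN,
  'pharma-mirror': 24 * 60 * MIN,
  'autonomy-ledger': 5 * MIN,
};

// Splits a dot stream into single-program and cross-program observations.
function clusterDots(dots, windowMs) {
  const byEntity = new Map();
  for (const d of dots) {
    if (d.verdict !== 'red') continue; // green dots never fire or cluster
    const t = Date.parse(d.observedAt);
    if (Number.isNaN(t)) throw new Error('bad observedAt: ' + d.observedAt);
    if (!byEntity.has(d.entityId)) byEntity.set(d.entityId, []);
    byEntity.get(d.entityId).push({ program: d.program, observedAt: d.observedAt, t });
  }

  const single = [];
  const cross = [];
  for (const [entityId, reds] of byEntity) {
    reds.sort((a, b) => a.t - b.t);
    for (const d of reds) single.push({ entityId, program: d.program, at: d.observedAt });

    // Slide a window anchored at each red dot; `<=` makes the bound inclusive.
    let lastEnd = 0;
    for (let start = 0; start < reds.length; start++) {
      let end = start;
      while (end < reds.length && reds[end].t - reds[start].t <= windowMs) end++;
      if (end <= lastEnd) continue; // subset of a window already examined
      lastEnd = end;
      const programs = [...new Set(reds.slice(start, end).map((d) => d.program))].sort();
      // Breadth, not depth: two dots from one program do not cluster.
      if (programs.length >= 2) {
        cross.push({ entityId, programs, from: reds[start].observedAt, to: reds[end - 1].observedAt });
      }
    }
  }
  return { single, cross };
}

// Constructed sample dots exercising the boundary cases named in the text.
const SAMPLE_DOTS = [
  { entityId: 'SCIF-A', program: 'magneto-air', verdict: 'red', observedAt: '2025-03-01T02:00:00.000Z' },
  { entityId: 'SCIF-A', program: 'tempest-witness', verdict: 'red', observedAt: '2025-03-01T02:15:00.000Z' },
  { entityId: 'SCIF-B', program: 'magneto-air', verdict: 'red', observedAt: '2025-03-01T02:00:00.000Z' },
  { entityId: 'SCIF-B', program: 'magneto-air', verdict: 'red', observedAt: '2025-03-01T02:05:00.000Z' },
  { entityId: 'SCIF-C', program: 'ember', verdict: 'red', observedAt: '2025-03-01T02:00:00.000Z' },
  { entityId: 'SCIF-C', program: 'power-ledger', verdict: 'red', observedAt: '2025-03-01T02:15:00.001Z' },
  { entityId: 'SCIF-D', program: 'ember', verdict: 'green', observedAt: '2025-03-01T02:00:00.000Z' },
  { entityId: 'SCIF-D', program: 'gossip', verdict: 'red', observedAt: '2025-03-01T02:01:00.000Z' },
];
```

With the 15-minute window only SCIF-A clusters: SCIF-B is one program twice, SCIF-C is 1 ms past the bound, and SCIF-D's only partner dot is green.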