Crate dependency graph and internal structure of the Geometry of Trust system. Arrows show the direction of dependency (caller → callee). Layer 5 can be either the CLI binary or an agent runtime that calls the same libraries.
The pipeline runs: deterministic geometry → signed attestation → independent reproducibility → causal proof → agent exchange. Each layer adds one guarantee on top of the layers below it.
```text
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 6 - Orchestration                                                 │
│                                                                         │
│ ┌──────────────────────────────┐  ┌───────────────────────────────────┐ │
│ │ got-cli (binary)             │  │ Agent Runtime (library calls)     │ │
│ │                              │  │                                   │ │
│ │ keygen  train  attest        │  │ startup:                          │ │
│ │ verify  checkpoint  drift    │  │   load/generate keypair           │ │
│ │                              │  │   compute geometry                │ │
│ │ .gotact / .gotue parsers     │  │   train/load probes               │ │
│ │ .gotgeo save / load          │  │                                   │ │
│ │                              │  │ peer exchange:                    │ │
│ │ All commands return          │  │   enclave_pipeline()              │ │
│ │ anyhow::Result<()> (N-3)     │  │   perform_exchange()              │ │
│ │                              │  │   verify_chain()                  │ │
│ │                              │  │   decide: cooperate/refuse        │ │
│ └──────────────────────────────┘  └───────────────────────────────────┘ │
│        │       │       │                │       │       │               │
└────────┼───────┼───────┼────────────────┼───────┼───────┼───────────────┘
         │       │       │                │       │       │
         v       v       v                v       v       v
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 5 - Network Transport (got-net)                                   │
│                                                                         │
│  TcpTransport (Transport impl)       Server: serve() + spawn_blocking   │
│    Noise NK over TcpStream             per-connection sync handler      │
│    16 MiB recv guard                 Client: request_blocking / request │
│                                        Noise NK initiate → exchange     │
│  Codec:                              FederationSyncManager:             │
│    encode/decode ExchangeRequest       async polling + RefreshPolicy    │
│    encode/decode ExchangeResponse      exponential backoff + staleness  │
│    32B agent_id + 200B envelope      HttpSyncSource:                    │
│    + length-prefixed JSON attests      reqwest::blocking + ETag/304     │
│                                                                         │
│  ModelContext (attestation_cache):   CachedInvariants:                  │
│    new/get/update/invalidate           geometry, probe_weights,         │
│    is_ready/computed_at                causal_scores, geometry_hash,    │
│    RwLock (read-heavy, write-rare)     parent_hash, drift, model_id     │
│                                                                         │
└────────┬──────────────────────────────┬─────────────────────────────────┘
         │                              │
         v                              v
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 4 - Hardware Enclave (got-enclave)                                │
│                                                                         │
│  MeasurementEnclave trait          MockEnclave                          │
│    receive_activations()             hardware capture + integrity check │
│    run_causal_check()                probe reading inside enclave       │
│    attest()                          signing key never leaves boundary  │
│    attest_with_causal()                                                 │
│    verifying_key()                 enclave_pipeline()                   │
│    frame_count() / reset()           capture → ingest → causal → attest │
│                                                                         │
│  ActivationFrame                   HardwareCapture trait                │
│    compute_hash(layer, pos, val)     MockDmaTap (test double)           │
│    verify_integrity()                optional tamper injection          │
│                                                                         │
└────────┬──────────────────────────────┬─────────────────────────────────┘
         │                              │
         v                              v
┌────────────────────────────────┐ ┌──────────────────────────────────────┐
│ Layer 3b - Store (got-store)   │ │ Layer 3a - Wire Protocol (got-wire)  │
│                                │ │                                      │
│  AttestationStore trait        │ │  Frame { encode→Result, decode }     │
│    append / get / chain        │ │    N-1: payload ≤ 16 MiB guard       │
│    query / audit               │ │  MessageType (Req/Rsp/Chain/Error)   │
│                                │ │                                      │
│  MemoryStore (in-memory)       │ │  ExchangeEnvelope (200 bytes)        │
│  FileStore (on-disk JSON)      │ │    S-9: verified flag                │
│    atomic writes               │ │    from_bytes_verified()             │
│    hash-on-load integrity      │ │    is_verified() accessor            │
│                                │ │    create / verify / to_bytes        │
│  StoreFilter (builder)         │ │                                      │
│  StoreId = [u8; 32]            │ │  build_request / build_response      │
│                                │ │  validate_request / validate_response│
│  AuditReport                   │ │  perform_exchange (in-memory)        │
│    drift_summary               │ │                                      │
│    causal_summary              │ │  verify_chain(signer_pks:            │
│    chain_valid, signers        │ │    &[VerifyingKey]) S-8: rotation    │
│                                │ │  attestation_hash / ChainVerdict     │
│                                │ │                                      │
│                                │ │  TrustRegistry (TOML)                │
│                                │ │    S-2: SHA-256 integrity on load    │
│                                │ │    AgentEntry + expected_model_hash  │
│                                │ │      + domain_scope (Option)         │
│                                │ │      + governance_table              │
│                                │ │    max_attestation_age_secs          │
│                                │ │    agent_id = SHA-256(public_key)    │
│                                │ │                                      │
│                                │ │  Domain scoping (§4 / Appendix B):   │
│                                │ │    Domain / DomainPattern            │
│                                │ │    InteractionMode { ReadOnly,       │
│                                │ │      Advisory, Cooperative,          │
│                                │ │      Supervised (§5.5) }             │
│                                │ │    DomainScope { primary,            │
│                                │ │      permitted, exclusions }         │
│                                │ │    check_domain_compatibility()      │
│                                │ │    → Phase 0 in validate_request /   │
│                                │ │     validate_response (before crypto)│
│                                │ │                                      │
│                                │ │  Governance (§7.3 / §8.2):           │
│                                │ │    GovernanceThresholds {            │
│                                │ │      max_drift, min_confidence,      │
│                                │ │      min_causal_score,               │
│                                │ │      require_chain,                  │
│                                │ │      require_causal_validation }     │
│                                │ │    most-specific-pattern lookup      │
│                                │ │                                      │
│                                │ │  Supervised (§5.5):                  │
│                                │ │    perform_supervised_request()      │
│                                │ │    one-directional regulator flow    │
│                                │ │                                      │
│                                │ │  Attestation scope binding (§2.1):   │
│                                │ │    check_attestation_scope_binding() │
│                                │ │    embedded DomainScopeDeclaration   │
│                                │ │    cross-checked vs registry         │
└────────┬───────────────────────┘ └──────┬───────────────────────────────┘
         │                                │
         v                                v
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 2 - Attestation & Signing (got-attest)                            │
│                                                                         │
│  assemble_and_sign() → Result     verify() → Result<bool>               │
│    S-7: timestamp ≤ now+300s        │                                   │
│    S-13: string fields ≤ 256 B      v                                   │
│    S-20: ≤ 1024 layers,           serialise_for_signing()               │
│          ≤ 65536 readings         LINEAR (no version branches):         │
│    │                                schema_version                      │
│    v                                model/precision/input/time          │
│  serialise_for_signing()            readings / confidence / coverage    │
│    (single canonical layout)        parent_hash, geometry_hash, drift   │
│                                     causal_scores, intervention_delta   │
│  attestation_hash()                 sequence_number, directional_drifts │
│    sha256(canonical bytes)          probe_commitment                    │
│                                     density_reading, curvature_reading  │
│  merkle_root()                      domain_scope_declaration (§2.1)     │
│    (RFC 6962 domain sep)                                                │
│  is_supported_schema() == 1                                             │
│    (trust tiers = content-based)                                        │
│                                                                         │
└───────────────┬─────────────────────────────────────────────────────────┘
                │
                v
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 1 - Probe & Intervention (got-probe)                              │
│                                                                         │
│ ─── lib.rs ──────────────────────────────────────────────────────────── │
│  train_probe()                    read_probe()                          │
│    SGD under causal IP              raw = <w,h>_c + b                   │
│                                     conf = sigma(scale*raw+shift)       │
│  ProbeVector { w, b, platt,         flag = conf < threshold             │
│    platt_shift, threshold }                                             │
│                                   read_probe_checked()                  │
│  ProbeSet { probes, layer,          validates geometry_hash             │
│    geometry_hash,                   checks drift bound                  │
│    max_drift }                                                          │
│                                                                         │
│ ─── intervention.rs ─────────────────────────────────────────────────── │
│  causal_check()                   CausalScore (5 fields)                │
│    perturb h ± δ·š →              CausalScoreRecord (serialisable)      │
│    compare model output           causal_check_multi_layer()            │
│  compute_consistency()            MultiLayerCausalResult                │
│    is_causal flag                 ProbeLibrary { probes, sample_size }  │
│                                                                         │
│ ─── experiment.rs ───────────────────────────────────────────────────── │
│  InterventionExperiment           ExperimentReport (attestable)         │
│    lerp between activation        InterpolationStep {                   │
│    vectors, forward each            causal_distance, log_density,       │
│    through ModelHandle              output_entropy, incoherence_score,  │
│  ExperimentConfig                   model_confidence, on_manifold }     │
│    steps, density_threshold                                             │
│                                                                         │
│ ─── hooks.rs ────────────────────────────────────────────────────────── │
│  MeasurementHook trait            MeasurementSidecar                    │
│    on_activation()                  windowed probe sampling             │
│  CollectingHook                     automatic window → attestation      │
│    N-2: poison recovery             causal checks (optional)            │
│  ActivationStats                    set_parent_hash() for chaining      │
│    Welford online mean/var          detect_distribution_shift()         │
│                                                                         │
└───────────────┬─────────────────────────────────────────────────────────┘
                │
                v
┌─────────────────────────────────────────────────────────────────────────┐
│ Layer 0 - Core Types & Geometry (got-core)                              │
│                                                                         │
│ ┌─ geometry.rs ──────────────────────────┐                              │
│ │                                        │ GeometricAttestation         │
│ │ CausalGeometry                         │   schema_version = 1         │
│ │ ├── from_unembedding(U, eps)           │   S-21: model_hash           │
│ │ │     Phi = U^T U (+eps*I)             │     Option<[u8; 32]>         │
│ │ ├── from_raw_gram(data, d)             │   parent_attest_hash         │
│ │ │     (rebuild from .gotgeo)           │   geometry_hash              │
│ │ ├── inner_product(w, h)  w^T Phi h     │   geometry_drift             │
│ │ ├── gram_vec(h)  Phi h                 │   causal_scores: []          │
│ │ ├── transform(U, h)  Uh                │   intervention_delta         │
│ │ ├── geometry_hash()  SHA-256(Phi)      │   causal_flag                │
│ │ └── drift_from(ref)  Frobenius         │   sequence_number            │
│ │                                        │   directional_drifts         │
│ └────────────────────────────────────────┘   probe_commitment           │
│                                              signature [u8;64]          │
│ ┌─ manifold.rs ──────────────────────────┐                              │
│ │ ValueManifold                          │   density_reading            │
│ │ ├── new(points, geometry, config)      │   curvature_reading          │
│ │ │     precompute pairwise d_Phi        │                              │
│ │ ├── density_map() → DensityReading     │                              │
│ │ ├── curvature_map() → CurvatureRead    │                              │
│ │ └── query_log_density(point, geom)     │                              │
│ │ ManifoldConfig { k }                   │                              │
│ │ PointDensity { log_density, dim }      │                              │
│ │ PointCurvature { curvature, count }    │                              │
│ └────────────────────────────────────────┘                              │
│                                                                         │
│  UnsignedAttestation (newtype wrapper)                                  │
│  CausalScoreRecord           DirectionalDrift                           │
│  UnembeddingMatrix           LayerActivation                            │
│  Precision                   InnerProduct                               │
│  euclidean_cosine() (shared utility in geometry.rs)                     │
│  sha256() (canonical hash utility)                                      │
│  hex32/hex64/optional_hex32 serde (ASCII-hex validated)                 │
│  SCHEMA_VERSION / _2 / _3 / _4 constants                                │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘
                ^                                 ^
                │                                 │
        .gotact │                          .gotue │  .gotgeo
                │                                 │     │
┌─────────────────────────────────────────────────────────────────────────┐
│ Python Scripts (extraction)                                             │
│                                                                         │
│  extract_activations.py   Model → .gotact / .gotue binary files         │
│  test_real_models.py      End-to-end test with real models              │
│                                                                         │
│  ~50-line bridge: reads unembedding matrix U and residual-stream        │
│  activations h out of a HuggingFace model, serialises them into the     │
│  binary formats that Layer 0 consumes. Step 7 of the 12-step build.     │
└─────────────────────────────────────────────────────────────────────────┘
```
| Crate | Type | Purpose |
|---|---|---|
| `got-core` | lib | Core types (GeometricAttestation single canonical layout, UnsignedAttestation, CausalScoreRecord, DirectionalDrift, DomainScopeDeclaration / PermittedDomainDeclaration / InteractionModeTag, UnembeddingMatrix, Precision, InnerProduct), causal geometry (CausalGeometry, Gram matrix, inner product, geometry hash, drift), sha256(), hex serde helpers |
| `got-probe` | lib | Probe training (SGD under causal IP), inference (read_probe), drift-aware inference (read_probe_checked), ProbeSet with geometry binding; causal intervention (causal_check, CausalScore, multi-layer); measurement hooks (MeasurementSidecar, CollectingHook with mutex poison recovery, ActivationStats, detect_distribution_shift) |
| `got-attest` | lib | Attestation signing/verification (Ed25519, single canonical layout) with bounds checking (S-7 timestamp, S-13 strings, S-20 arrays), linear canonical serialisation, attestation hashing for chain linkage, Merkle tree (SHA-256 + RFC 6962) |
| `got-wire` | lib | Wire protocol framing (Frame with Result-returning encode (N-1), MessageType), signed exchange envelopes (ExchangeEnvelope with verified flag (S-9), from_bytes_verified()), request/response exchange (ExchangeRequest, ExchangeResponse, perform_exchange), chain verification (verify_chain with &[VerifyingKey] (S-8)), trust registry (TrustRegistry with SHA-256 integrity (S-2), expected_model_hash, max_attestation_age_secs), federation (FederatedRegistry, multi-hop voucher chains with verify_vouchers_with_depth up to DEFAULT_MAX_VOUCHER_CHAIN_DEPTH=10, OperatorKeyRotation cross-signed with temporal constraint, FederationRevocationList signed fingerprint list, FederationSyncSource trait + StaticSyncSource + FileSyncSource) |
| `got-enclave` | lib | Hardware isolation abstraction (HardwareCapture, MockDmaTap), measurement enclave (MeasurementEnclave trait, MockEnclave), ActivationFrame with integrity hashing, enclave_pipeline() end-to-end |
| `got-store` | lib | Attestation persistence (AttestationStore trait), MemoryStore (in-memory), FileStore (on-disk JSON with atomic writes + hash-on-load), content-addressed storage (StoreId), filtering (StoreFilter), audit reporting (AuditReport, DriftSummary, CausalSummary) |
| `got-incoherence` | lib | Zero-training coherence analysis: causal_cosine(), analyse(), EmbeddingSource trait, PrecomputedEmbeddings, UnembeddingLookup, contradiction/redundancy detection |
| `got-proxy` | lib | Proxy architecture for closed-source models: BehavioralValueSpace (Welford + EWMA), ProxySession, 3-signal detect_deviation(), BehavioralAttestation (schema "B1", Ed25519), ValueSpaceStore trait (memory + file) |
| `got-net` | lib | Concrete TCP transport with Noise NK encryption (TcpTransport impl of got-wire::noise::Transport), async server (serve() with tokio + spawn_blocking per connection), sync/async client (request_blocking / request), wire codec (ExchangeRequest/Response encode/decode), FederationSyncManager (async polling loop with RefreshPolicy, exponential backoff, staleness detection), HttpSyncSource (reqwest::blocking with If-None-Match/304), ModelContext (two-tier attestation lifecycle: caches expensive model invariants in CachedInvariants via RwLock, invalidated on model update / distribution shift / startup; per-attestation work -- forward pass, read_probe(), assemble_and_sign() -- runs fresh every time and is NEVER cached) |
| `got-cli` | bin | CLI with keygen, train, attest, verify, checkpoint, drift subcommands; all return `anyhow::Result<()>` (N-3); binary .gotact/.gotue/.gotgeo parsers |
| `got-web` | bin | Axum web server: unified D3.js frontend, LLM chat relay (Ollama/OpenAI/Anthropic via reqwest), text embedding, proxy session management, coherence analysis; static files via ServeDir |
```text
got-core ─────────────────────────────────────────────────────────────┐
^  ^      ^         ^          ^            ^           ^             │
│  │      │         │          │            │           │             │
│  │      │         │          │         got-cli got-incoherence      │
│  │      │         │          │            │           ^             │
│  │      │         │          │            │           │             │
│  │  got-probe     │     got-attest        │       got-proxy         │
│  │      ^         │          ^            │           ^             │
│  │      │         │          │            │           │             │
│  │      │     got-wire ──────┼────────────┼── got-proxy             │
│  │      │         ^          │            │                         │
│  │      │         │          │            │                         │
│  │ got-enclave ── got-wire                │                         │
│  │             │  got-probe               │                         │
│  │             │  got-attest              │                         │
│  │             │                          │                         │
│  └─ got-store ── got-attest               │                         │
│                                           │                         │
│  got-net ── got-wire, got-core, reqwest, tokio                      │
│  got-web ── got-core, got-incoherence, got-proxy, reqwest           │
│                                           │                         │
└──── workspace root (integration tests)    │                         │
```
| Dependency | Used by | Purpose |
|---|---|---|
| `faer` 0.19 | got-core | Matrix multiplication for Φ = UᵀU |
| `ed25519-dalek` 2 | got-attest, got-wire, got-enclave, got-cli | Ed25519 signing and verification |
| `sha2` 0.10 | got-core, got-attest, got-enclave | SHA-256 for hashing (geometry, Merkle, frames) |
| `serde` 1 | all crates | Serialisation/deserialisation |
| `serde_json` 1 | got-wire, got-store | JSON encoding for wire payloads and file store |
| `toml` | got-wire | Trust registry parsing |
| `clap` 4 | got-cli | Command-line argument parsing |
| `anyhow` 1 | got-cli | Error context propagation (N-3) |
| `zeroize` 1 | got-cli | Secure key material cleanup |
| `rand` | got-probe, got-wire | Random sampling, nonce generation |
| `thiserror` 1 | got-core, got-probe, got-attest, got-wire, got-enclave, got-store, got-proxy | Error type derivation |
| `reqwest` 0.12 | got-web, got-net | HTTP client for LLM API relay (got-web) and federation sync (got-net) |
| `tokio` | got-net, got-web | Async runtime for server listener and spawn_blocking |
| `axum` 0.7 | got-web | Async web framework |
| `tower-http` 0.5 | got-web | CORS, static file serving (ServeDir) |
An agent runtime calls these library entry points directly:
| Operation | Library call | Returns |
|---|---|---|
| Build geometry | `CausalGeometry::from_unembedding(U, eps)` | `CausalGeometry` |
| Fingerprint geometry | `geometry.geometry_hash()` | `[u8; 32]` |
| Measure drift | `geometry.drift_from(&reference)` | `f32` |
| Train probes | `train_probe(data, geometry, ...)` | `ProbeVector` |
| Read probe (frozen) | `read_probe(probe, h, geometry)` | `(f32, f32, bool)` |
| Read probe (drift-aware) | `read_probe_checked(probe, set, h, geo, ref)` | `Result<(f32, f32, bool)>` |
| Causal check (single) | `causal_check(probe, h, geom, delta, model_fn, threshold)` | `CausalScore` |
| Causal check (multi-layer) | `causal_check_multi_layer(...)` | `MultiLayerCausalResult` |
| Capture activations | `MockDmaTap::capture(layer, pos, values)` | `ActivationFrame` |
| Enclave pipeline | `enclave_pipeline(enclave, capture, acts, model_fn, ...)` | `(GeometricAttestation, Vec<CausalScore>)` |
| Sign attestation | `assemble_and_sign(attestation, key)` | `Result<GeometricAttestation>` |
| Verify attestation | `verify(attestation, peer_pk)` | `Result<bool>` |
| Hash for chaining | `attestation_hash(attestation)` | `Result<[u8; 32]>` |
| Verify chain | `verify_chain(chain, current, pks: &[VerifyingKey], max_drift)` | `Result<ChainVerdict>` |
| Build exchange | `build_request(nonce, peer_id, key, chain, current)` | `Result<ExchangeRequest>` |
| Full exchange | `perform_exchange(init_key, ..., resp_key, ..., registry)` | `Result<(ExchangeResult, Verdict)>` |
| Create envelope | `ExchangeEnvelope::create(nonce, peer_id, attest, anchor, ts, sk)` | `Result<ExchangeEnvelope>` |
| Verified deserialise | `ExchangeEnvelope::from_bytes_verified(data, id, nonce, attest, anchor, pk, now, max)` | `Result<ExchangeEnvelope>` |
| Store attestation | `store.append(attestation, verifying_key)` | `Result<StoreId>` |
| Query store | `store.query(&filter)` | `Vec<&GeometricAttestation>` |
| Audit chain | `store.audit(model_id)` | `AuditReport` |
| Distribution shift | `detect_distribution_shift(baseline, current, sigmas)` | `f32` (fraction) |
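
The Layer 0 and Layer 1 formulas from the diagram (Phi = U^T U + eps*I, <w,h>_c = w^T Phi h, Frobenius drift, Platt-scaled confidence) and the drift gate of `read_probe_checked`, as an added std-only Rust example; it is not the got-core or got-probe source. The `f64` slice signatures, the `String` error, the unnormalised Frobenius drift and the sample matrices are assumptions, and the geometry_hash check is left out because SHA-256 is not in std.

```rust
// Added illustration (std only); not the got-core / got-probe source.
// Names follow the diagram; signatures and types are simplified assumptions.

/// Phi = U^T U + eps*I. `u` has one row per vocabulary item and d columns.
fn gram(u: &[Vec<f64>], eps: f64) -> Vec<Vec<f64>> {
    let d = u[0].len();
    let mut phi = vec![vec![0.0; d]; d];
    for row in u {
        for i in 0..d {
            for j in 0..d { phi[i][j] += row[i] * row[j]; }
        }
    }
    for i in 0..d { phi[i][i] += eps; } // regulariser keeps Phi positive definite
    phi
}

/// Causal inner product <w,h>_c = w^T Phi h.
fn inner_product(phi: &[Vec<f64>], w: &[f64], h: &[f64]) -> f64 {
    let phi_h = phi.iter().map(|row| row.iter().zip(h).map(|(p, x)| p * x).sum::<f64>());
    w.iter().zip(phi_h).map(|(wi, v)| wi * v).sum::<f64>()
}

/// Drift between two geometries: Frobenius norm of the difference (assumed unnormalised).
fn drift_from(live: &[Vec<f64>], reference: &[Vec<f64>]) -> f64 {
    let pairs = live.iter().flatten().zip(reference.iter().flatten());
    pairs.map(|(a, b)| (a - b).powi(2)).sum::<f64>().sqrt()
}

struct Probe { w: Vec<f64>, b: f64, scale: f64, shift: f64, threshold: f64 }

/// Returns (raw, conf, flag): raw = <w,h>_c + b, conf = sigma(scale*raw + shift).
fn read_probe(p: &Probe, phi: &[Vec<f64>], h: &[f64]) -> (f64, f64, bool) {
    let raw = inner_product(phi, &p.w, h) + p.b;
    let conf = 1.0 / (1.0 + (-(p.scale * raw + p.shift)).exp());
    (raw, conf, conf < p.threshold)
}

/// Fail closed: no reading at all once the live geometry is past the drift bound.
fn read_probe_checked(p: &Probe, live: &[Vec<f64>], reference: &[Vec<f64>],
                      max_drift: f64, h: &[f64]) -> Result<(f64, f64, bool), String> {
    let d = drift_from(live, reference);
    if !(d <= max_drift) { // written this way so a NaN drift or bound is rejected too
        return Err(format!("geometry drift {d:.3} exceeds bound {max_drift}"));
    }
    Ok(read_probe(p, live, h))
}

fn main() {
    let reference = gram(&[vec![1.0, 0.0], vec![0.0, 2.0]], 0.0); // constructed U
    let drifted = gram(&[vec![1.0, 0.0], vec![0.0, 3.0]], 0.0); // constructed changed U
    let p = Probe { w: vec![1.0, 1.0], b: -14.0, scale: 1.0, shift: 0.0, threshold: 0.6 };
    println!("{:?}", read_probe_checked(&p, &reference, &reference, 1.0, &[2.0, 3.0]));
    println!("{:?}", read_probe_checked(&p, &drifted, &reference, 1.0, &[2.0, 3.0]));
}
```

The second call returns `Err` instead of a confidence value: a probe trained under one geometry is never read against a geometry that has moved past `max_drift`.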