Architecture
The repository is organized around the measurement and attestation
path. Each subpackage has a single, narrow job, and the boundaries
between them are deliberately strict (in particular: nothing
upstream of `ldtc.attest` is allowed to read raw
`L` out of `ldtc.guardrails.lreg`).
Module map
| Subpackage | Job | Headline symbols |
|---|---|---|
| `runtime` | Fixed-Δt scheduler and sliding-window buffer. | `FixedScheduler`, `SlidingWindow` |
| `plant` | Software plant (E, T, R, demand, io, H) plus a UDP / serial hardware adapter. | `Plant`, `PlantAdapter`, `HardwarePlantAdapter` |
| `lmeas` | "L" measurement: estimators, partitioning, diagnostics, metrics. | `estimate_L`, `PartitionManager`, `greedy_suggest_C`, `m_db`, `sc1_evaluate` |
| `guardrails` | Enclave-like LREG, hash-chained audit, smell tests, Δt governance. | `LREG`, `AuditLog`, `DeltaTGuard`, `smelltests` |
| `arbiter` | Refusal semantics and the homeostasis controller policy. | `RefusalArbiter`, `ControllerPolicy` |
| `omega` | Labeled Ω perturbations. | `omega.power_sag`, `omega.ingress_flood`, `omega.command_conflict` |
| `attest` | Device-signed indicators and exporter. | `build_and_sign`, `IndicatorExporter` |
| `reporting` | Paper-quality timeline plots, SC1 tables, and verification bundle. | `render_paper_timeline`, `write_sc1_table`, `bundle` |
| `cli` | Glue: subcommands `run`, `omega-power-sag`, etc. | `run_baseline`, `omega_power_sag` |
Data flow per tick
```
┌──────────────────────────────────────────────────────┐
│                 FixedScheduler (Δt)                  │
└──────────────────────────────────────────────────────┘
                           │
                           ▼
┌─────────────────┐     state     ┌────────────────────┐
│  PlantAdapter   │──────────────▶│  ControllerPolicy  │
│   (sw / hw)     │◀──────────────│  + Refusal         │
└─────────────────┘     action    └────────────────────┘
         │
         │ state'
         ▼
┌─────────────────┐
│  SlidingWindow  │
└─────────────────┘
         │ when full
         ▼
┌─────────────────┐
│  estimate_L     │──── LResult, CIs ───┐
│  + diagnostics  │                     │
└─────────────────┘                     │
         │                              │
         ▼                              ▼
┌─────────────────┐            ┌──────────────────┐
│  PartitionMgr   │            │  smell tests     │
│  greedy_regrow  │            │  ci_inflation,   │
└─────────────────┘            │  partition flap, │
         │                     │  Δt edits, etc.  │
         │                     └──────────────────┘
         │                              │
         ▼                              ▼
┌──────────────────────────────────────────────┐
│   LREG (write-only)  +  AuditLog (chain)     │
└──────────────────────────────────────────────┘
                       │
                       ▼
        ┌─────────────────────────────┐
        │  IndicatorExporter (CBOR)   │
        │  build_and_sign (Ed25519)   │
        └─────────────────────────────┘
                       │
                       ▼
        ┌─────────────────────────────┐
        │  reporting.artifacts        │
        │  timeline / table / mfst    │
        └─────────────────────────────┘
```
The arrow from LREG to the exporter is intentionally narrow:
only `LREG.derive` crosses that boundary, and what it returns is what
`build_and_sign` turns into a CBOR payload. Raw `L` never leaves.
Per-tick sequence
- `scheduler` ticks at fixed `Δt`.
- Controller reads state from `plant.adapter`, predicts risk via `LREG.latest()`, computes an action, writes actuators.
- The window buffer ingests the next state vector.
- When the window is full, `estimate_L` computes `(L_loop, L_ex)` with bootstrapped CIs and `m_db` turns them into `M (dB)`.
- Smell tests run; raw `L` is appended to `LREG` (write-only).
- Audit events are appended (`window_measured`, optionally `window_diagnostics`, `partition_flip`, etc.).
- Periodically (rate-limited), `IndicatorExporter` emits a device-signed payload (`nc1`, `sc1`, `mq`, `counter`, `profile_id`, `audit_prev_hash`, `invalidated`).
- `reporting` reads the audit log to render figures, tables, and the manifest.
All raw `L` stays inside the process-local LREG boundary;
exported data is derived indicators only.
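A verifier-side sketch of how the `counter` and `audit_prev_hash` fields of the exported payload can be checked against the hash-chained audit log (added example, not ldtc code). The record layout, the `GENESIS` value, every function name, and the reading of `audit_prev_hash` as the hash of the newest audit record at export time are assumptions; Ed25519 signature verification is assumed to have passed already.

```python
# Added example, not ldtc code; record layout and all names are assumptions.
import hashlib
import json
GENESIS = "0" * 64  # assumed prev_hash for the first audit record

def record_hash(prev_hash, event, details):
    """SHA-256 over a canonical JSON encoding of one audit record."""
    body = json.dumps([prev_hash, event, details], sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode()).hexdigest()

def append(log, event, details):
    """Link a new record to the current chain head and return its hash."""
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev, "event": event, "details": details,
                "hash": record_hash(prev, event, details)})
    return log[-1]["hash"]

def verify_chain(log):
    """Return the index of the first record that breaks the chain, else None."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev_hash"] != prev or rec["hash"] != record_hash(prev, rec["event"], rec["details"]):
            return i
        prev = rec["hash"]
    return None

def check_payloads(log, payloads):
    """Flag replayed counters and audit_prev_hash values that are unknown or regress."""
    position = {rec["hash"]: i for i, rec in enumerate(log)}
    problems, last_counter, last_pos = [], -1, -1
    for p in payloads:
        pos = position.get(p["audit_prev_hash"])
        if p["counter"] <= last_counter:
            problems.append((p["counter"], "counter not increasing"))
        if pos is None:
            problems.append((p["counter"], "audit_prev_hash not in chain"))
        elif pos < last_pos:
            problems.append((p["counter"], "audit anchor moved backwards"))
        else:
            last_pos = pos
        last_counter = max(last_counter, p["counter"])
    return problems

def demo():
    """Constructed sample: three measured windows, one export after each."""
    log = []
    payloads = [{"counter": n, "audit_prev_hash": append(log, "window_measured", {"window": n})}
                for n in range(3)]
    return log, payloads
```

Editing or deleting any audit record changes every later hash, so `verify_chain` reports the first affected index, and a payload replayed from an earlier export fails both the counter and the anchor check.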
Paper crosswalk
The full per-section mapping lives in paper-to-code. A condensed summary:
- `lmeas/estimators.py` and `lmeas/metrics.py`: definitions of `L`, the dual estimators (linear / VAR-Granger-like and Kraskov k-NN MI), and `M (dB)`. NC1 / SC1 evaluation maps to paper §4.1 (estimators, sampling window) and §4.2 / §4.3 (NC1 / SC1).
- `lmeas/diagnostics.py`: per-window stationarity (ADF / KPSS) and VARN / Tratio diagnostics surfaced into the audit.
- `lmeas/partition.py`: deterministic C/Ex partitioning, hysteresis, anti-flap, and the freeze during `Ω` per §4.1 ("Deterministic C/Ex partitioning") and §4.6 Box 1a ("Partition stability").
- `runtime/scheduler.py`, `runtime/windows.py`, and `guardrails/dt_guard.py`: `Δt` enforcement and audited privileged edits per §4.1 and §4.5.
- `guardrails/lreg.py`, `guardrails/audit.py`, and `guardrails/smelltests.py`: the enclave-like LREG, hash-chained audit, and the smell-test battery per §4.5 and Box 1a.
- `arbiter/refusal.py`: the threat model, survival-bit / NMI refusal path, and `T_refuse` measurement per §6.2.1 and §7.6 Signature A.
- `omega/power_sag.py`, `omega/ingress_flood.py`, and `omega/command_conflict.py`: the `Ω` battery per §4.3 / §6.5 and §7.6.
- `attest/indicators.py`, `attest/exporter.py`, and `attest/keys.py`: device-signed derived indicators (NC1 bit, SC1 bit, `Mq`) and keying per §4.5 and Appendix A.
- `reporting/timeline.py` and `reporting/tables.py`: figure-style timelines and summary tables per Figure 1 and §6.5.
- `cli/main.py`: orchestrates baseline → `Ω` battery → attestation / export per Box 2 ("Engineer's recipe") and the Phase-III Verify flow.
Next steps
- Lifecycle: the same picture, but in time order for one CLI invocation.
- Mental model: the one-paragraph story of what NC1 / SC1 measure and how the harness keeps them honest.
- Indicators: exactly what leaves the box.
- Guardrails: how invalidation works.