Skip to content

agent_contracts: verifiable inference settlement — model-gated contracts#32

Merged
grapheneaffiliate merged 2 commits into
mainfrom
claude/wizardly-dirac-kxomac
Jun 19, 2026
Merged

agent_contracts: verifiable inference settlement — model-gated contracts#32
grapheneaffiliate merged 2 commits into
mainfrom
claude/wizardly-dirac-kxomac

Conversation

@grapheneaffiliate

@grapheneaffiliate grapheneaffiliate commented Jun 18, 2026

Copy link
Copy Markdown
Owner

Add the first contract that uses the ternary VM as a decision model rather than an adding machine. Every v0.1.0 contract reaches its decision by reading a trusted flag from the witness (conditional_payment fires on input[56]==1, multisig counts flag bytes, time_locked compares a supplied clock); the VM is used only for carry/borrow arithmetic. risk_gated_transfer instead computes the gate as a neural-network forward pass on the verifier path, so a machine-learning inference becomes a bit-exact, re-executable artifact that both releases money and resolves disputes — no oracle, no human underwriter.

This works only because TernaryNetwork::forward is bit-exact on every conformant integer host (ARCHITECTURE.md s0.8): a model's output is a deterministic function of (weights_hash, features), so any participant can re-derive the verdict. Floating-point inference cannot do this.

  • risk_gated_transfer (agent_contracts/src/inference.rs): transfer gated by credit_risk_model_v1, a 4-layer integer-only ternary MLP computing APPROVE = (income + collateral - debt >= 500) AND (risk_flags <= 10). The AND is a real ReLU(b1+b2-1) non-linearity. program_hash commits to the model's weights_hash, so the model is part of the contract identity.
  • inference_agent example: happy path (model APPROVEs, loan settles) + dispute path (model DENIEs a high-risk applicant, malicious executor claims it disbursed, judge re-executes the model -> SlashExecutor).
  • 10 new tests (264 workspace total), incl. a feature-grid sweep proving the network is bit-exact vs a plain-Rust ground truth on both decision boundaries. Strict clippy + rustfmt clean.
  • docs/use-cases/verifiable-inference-settlement.md: the capability, the build, honest limits, and a portfolio of further model-gated use cases (parametric insurance, verifiable inference markets, oracle-free KYC, deterministic auctions, per-inference model licensing, confidential model-gated payments). INDEX + CHANGELOG updated in the same commit.

Claude-Session: https://claude.ai/code/session_017mNfJDn9fro84YvM3WnCks

What & why

CI gates (all must pass)

  • cargo build --workspace --release
  • cargo test --workspace --release
  • cargo fmt --all -- --check
  • cargo clippy --workspace --exclude psl-rust-runner --all-targets -- -D warnings
  • ruff check . (if Python touched)
  • tools/ci/check_legacy_isolation.sh

Repo invariants

  • No new unwrap()/expect() on production paths outside the audited categories (docs/UNWRAP_AUDIT.md updated if added)
  • No floating point on the verifier path (fp in tooling/diagnostics is flagged explicitly below)
  • No new Lean sorrys in load-bearing theorems
  • docs/INDEX.md updated in this PR if any Markdown doc was added, moved, or removed
  • Frozen code untouched (legacy/ per ADR-0001, trace-hash v1 per ADR-0008) — or the PR explains why

Tests

claude added 2 commits June 18, 2026 21:19
@claude
agent_contracts: verifiable inference settlement — model-gated contracts
ca6f1a9 
Add the first contract that uses the ternary VM as a *decision model*
rather than an adding machine. Every v0.1.0 contract reaches its decision
by reading a trusted flag from the witness (conditional_payment fires on
input[56]==1, multisig counts flag bytes, time_locked compares a supplied
clock); the VM is used only for carry/borrow arithmetic. risk_gated_transfer
instead computes the gate as a neural-network forward pass on the verifier
path, so a machine-learning inference becomes a bit-exact, re-executable
artifact that both releases money and resolves disputes — no oracle, no
human underwriter.

This works only because TernaryNetwork::forward is bit-exact on every
conformant integer host (ARCHITECTURE.md s0.8): a model's output is a
deterministic function of (weights_hash, features), so any participant can
re-derive the verdict. Floating-point inference cannot do this.

- risk_gated_transfer (agent_contracts/src/inference.rs): transfer gated by
  credit_risk_model_v1, a 4-layer integer-only ternary MLP computing
  APPROVE = (income + collateral - debt >= 500) AND (risk_flags <= 10).
  The AND is a real ReLU(b1+b2-1) non-linearity. program_hash commits to
  the model's weights_hash, so the model is part of the contract identity.
- inference_agent example: happy path (model APPROVEs, loan settles) +
  dispute path (model DENIEs a high-risk applicant, malicious executor
  claims it disbursed, judge re-executes the model -> SlashExecutor).
- 10 new tests (264 workspace total), incl. a feature-grid sweep proving
  the network is bit-exact vs a plain-Rust ground truth on both decision
  boundaries. Strict clippy + rustfmt clean.
- docs/use-cases/verifiable-inference-settlement.md: the capability, the
  build, honest limits, and a portfolio of further model-gated use cases
  (parametric insurance, verifiable inference markets, oracle-free KYC,
  deterministic auctions, per-inference model licensing, confidential
  model-gated payments). INDEX + CHANGELOG updated in the same commit.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017mNfJDn9fro84YvM3WnCks
@claude
security: ignore pqcrypto-* unmaintained advisories (PQClean archival)
f89d9cb 
RustSec flagged the entire pqcrypto-* family unmaintained on 2026-06-04
(RUSTSEC-2026-0161/-0162/-0163/-0166) because upstream PQClean is being
archived (~July 2026). These crates enter via psl-crypto-agility as the
ML-DSA (FIPS 204) and ML-KEM (FIPS 203) bindings.

The advisory class is `unmaintained`, NOT `vulnerability`: the wrapped
FIPS implementations are NIST-standardized and unchanged, and the
advisories state no safe upgrade exists within the pqcrypto-* ecosystem.
The forward path is the pure-Rust ml-dsa / ml-kem crates (both
determinism-compatible) — a cryptographer-review-gated change tracked
under ADR-0006 / gate 19. Ignore in the interim, matching the existing
documented-ignore pattern (the family was already partly acknowledged
via RUSTSEC-2024-0436 / paste).

Updated all three sources that must agree:
- deny.toml [advisories].ignore (with rationale)
- .github/workflows/security.yml cargo-audit --ignore flags
  (cargo-audit does not read deny.toml)
- docs/LICENSE_REVIEW.md (ignored-advisories table + pqcrypto note)

If any advisory is reclassified unmaintained -> vulnerability, the
ignore must be removed and the ml-dsa/ml-kem migration prioritized.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_017mNfJDn9fro84YvM3WnCks
@grapheneaffiliate grapheneaffiliate merged commit 8bbbb18 into main Jun 19, 2026
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@grapheneaffiliate @claude