Hugging Face's logo

Spaces:
RFTSystems
/
AuditPlane__LLM_Decision_Proofs
Sleeping

App Files Community
1
AuditPlane__LLM_Decision_Proofs / README.md
RFTSystems's picture
RFTSystems
Update README.md
0df42c7 verified
preview code
|
raw
history blame contribute delete
5.17 kB
metadata
title: AuditPlane  LLM Decision Proofs
emoji: 🐠
colorFrom: gray
colorTo: pink
sdk: gradio
sdk_version: 6.3.0
app_file: app.py
pinned: false
license: other
short_description: Ed25519-signed receipts-hash-chained runs-replay-drift diffs
thumbnail: >-
  https://cdn-uploads.huggingface.co/production/uploads/685edcb04796127b024b4805/ZH0Us3iUhibRFp7Ct89Bk.png

AuditPlane — Institution-Grade LLM Decision Proofs

Ed25519-signed receipts + hash-chained runs + replay + drift diffs + Merkle proofs

Most “LLM firewall” projects are easy to argue about and hard to verify. AuditPlane is the verification plane: it turns safety and policy decisions into cryptographically verifiable artifacts that anyone can replay, diff, and falsify. This is not “another detector”. This is a proof layer for whatever detectors you already run.

What this Space does

AuditPlane turns LLM decisioning into an auditable ledger:

  • Generates decision receipts for every prompt in a suite (JSONL)
  • Ed25519-signs each receipt (integrity / non-repudiation)
  • Hash-chains receipts (tamper-evident continuity)
  • Binds receipts to a suite via suite_digest + stable case_id
  • Enforces baseline validation (export is blocked if invalid)
  • Replays the same suite later and produces drift diffs
  • Emits a Merkle root + inclusion proofs
  • Exports a ZIP bundle containing:
    • suite.jsonl
    • baseline_receipts.jsonl
    • merkle.json
    • proofs.jsonl
    • verify_bundle.py (offline verifier)

Anyone can take your exported bundle, run verify_bundle.py, and independently confirm signature validity, receipt hash integrity, chain continuity, suite binding, and Merkle inclusion proofs. No Hugging Face trust required.

What this Space is not

  • Not a complete safety solution by itself
  • Not a benchmark leaderboard
  • Not a policy engine

The value here is the receipt contract + replay + drift diff + cryptographic proof layer. Plug your real detector stack into the layer registry.

How to use

Baseline

  1. Paste a JSONL prompt suite: one {"text":"..."} per line
  2. Click Generate baseline
  3. Save: baseline receipts (JSONL), merkle.json, proofs.jsonl

Replay + Diff

  1. Paste the same suite + the baseline JSONL
  2. Click Replay + diff
  3. Inspect action drift, reason-code drift, check drift, and pipeline/config drift

Export offline bundle

Export is blocked unless baseline validation passes. The ZIP contains verify_bundle.py so third parties can verify offline.

Layer contract (what your layers must emit)

Each detector layer/check only needs to output:

  • name
  • version
  • score
  • threshold
  • fired
  • optional evidence
  • latency_ms

You can keep detector internals private while still producing verifiable outputs.

Required Hugging Face Secrets

Set these in the Space settings:

  • RP_SIGNING_PRIVKEY_B64 — base64 of 32 raw bytes (Ed25519 private key)
  • RP_TRUSTED_PUBKEY_B64 — base64 of 32 raw bytes (Ed25519 public key)

Optional:

  • RP_KEY_ID — label for the signing key id

Generate keys (copy-paste)

Windows PowerShell

py -3 -m pip install -U cryptography
py -3 -c "import base64; from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey; from cryptography.hazmat.primitives import serialization; priv=Ed25519PrivateKey.generate(); priv_raw=priv.private_bytes(encoding=serialization.Encoding.Raw, format=serialization.PrivateFormat.Raw, encryption_algorithm=serialization.NoEncryption()); pub_raw=priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw); print('RP_SIGNING_PRIVKEY_B64='+base64.b64encode(priv_raw).decode()); print('RP_TRUSTED_PUBKEY_B64='+base64.b64encode(pub_raw).decode())"

Linux / macOS

python3 -m pip install -U cryptography
python3 - <<'PY'
import base64
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from cryptography.hazmat.primitives import serialization
priv = Ed25519PrivateKey.generate()
priv_raw = priv.private_bytes(encoding=serialization.Encoding.Raw, format=serialization.PrivateFormat.Raw, encryption_algorithm=serialization.NoEncryption())
pub_raw = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw)
print("RP_SIGNING_PRIVKEY_B64=" + base64.b64encode(priv_raw).decode())
print("RP_TRUSTED_PUBKEY_B64=" + base64.b64encode(pub_raw).decode())
PY

Key hygiene (non-negotiable)

  • Treat RP_SIGNING_PRIVKEY_B64 as production signing material.
  • Never paste it into issues/logs/screenshots/chat.
  • If it leaks: rotate immediately (new keys → update HF secrets → restart Space → regenerate baselines).

Offline verification (what the verifier checks)

The exported bundle can be verified without Hugging Face. The offline verifier checks:

  • Ed25519 signature validity
  • receipt hash integrity
  • hash-chain continuity (tamper evidence)
  • suite binding (suite_digest + case_id)
  • Merkle root + inclusion proofs

Deployment rule

No receipt → no claim.

If a system cannot produce signed, chained, Merkle-anchored receipts with replay and diff, its safety claims are not auditable.