|
|
--- |
|
|
title: AuditPlane LLM Decision Proofs |
|
|
emoji: 🐠 |
|
|
colorFrom: gray |
|
|
colorTo: pink |
|
|
sdk: gradio |
|
|
sdk_version: 6.3.0 |
|
|
app_file: app.py |
|
|
pinned: false |
|
|
license: other |
|
|
short_description: Ed25519-signed receipts-hash-chained runs-replay-drift diffs |
|
|
thumbnail: >- |
|
|
https://cdn-uploads.huggingface.co/production/uploads/685edcb04796127b024b4805/ZH0Us3iUhibRFp7Ct89Bk.png |
|
|
--- |
|
|
|
|
|
# AuditPlane — Institution-Grade LLM Decision Proofs |
|
|
|
|
|
Ed25519-signed receipts + hash-chained runs + replay + drift diffs + Merkle proofs |
|
|
|
|
|
Most “LLM firewall” projects are easy to argue about and hard to verify. AuditPlane is the verification plane: it turns safety and policy decisions into cryptographically verifiable artifacts that anyone can replay, diff, and falsify. This is not “another detector”. This is a proof layer for whatever detectors you already run. |
|
|
|
|
|
## What this Space does |
|
|
|
|
|
AuditPlane turns LLM decisioning into an auditable ledger: |
|
|
|
|
|
- Generates decision receipts for every prompt in a suite (JSONL) |
|
|
- Ed25519-signs each receipt (integrity / non-repudiation) |
|
|
- Hash-chains receipts (tamper-evident continuity) |
|
|
- Binds receipts to a suite via suite_digest + stable case_id |
|
|
- Enforces baseline validation (export is blocked if invalid) |
|
|
- Replays the same suite later and produces drift diffs |
|
|
- Emits a Merkle root + inclusion proofs |
|
|
- Exports a ZIP bundle containing: |
|
|
- suite.jsonl |
|
|
- baseline_receipts.jsonl |
|
|
- merkle.json |
|
|
- proofs.jsonl |
|
|
- verify_bundle.py (offline verifier) |
|
|
|
|
|
Anyone can take your exported bundle, run verify_bundle.py, and independently confirm signature validity, receipt hash integrity, chain continuity, suite binding, and Merkle inclusion proofs. No Hugging Face trust required. |
|
|
|
|
|
## What this Space is not |
|
|
|
|
|
- Not a complete safety solution by itself |
|
|
- Not a benchmark leaderboard |
|
|
- Not a policy engine |
|
|
|
|
|
The value here is the receipt contract + replay + drift diff + cryptographic proof layer. Plug your real detector stack into the layer registry. |
|
|
|
|
|
## How to use |
|
|
|
|
|
### Baseline |
|
|
1) Paste a JSONL prompt suite: one {"text":"..."} per line |
|
|
2) Click Generate baseline |
|
|
3) Save: baseline receipts (JSONL), merkle.json, proofs.jsonl |
|
|
|
|
|
### Replay + Diff |
|
|
1) Paste the same suite + the baseline JSONL |
|
|
2) Click Replay + diff |
|
|
3) Inspect action drift, reason-code drift, check drift, and pipeline/config drift |
|
|
|
|
|
### Export offline bundle |
|
|
Export is blocked unless baseline validation passes. The ZIP contains verify_bundle.py so third parties can verify offline. |
|
|
|
|
|
## Layer contract (what your layers must emit) |
|
|
|
|
|
Each detector layer/check only needs to output: |
|
|
|
|
|
- name |
|
|
- version |
|
|
- score |
|
|
- threshold |
|
|
- fired |
|
|
- optional evidence |
|
|
- latency_ms |
|
|
|
|
|
You can keep detector internals private while still producing verifiable outputs. |
|
|
|
|
|
## Required Hugging Face Secrets |
|
|
|
|
|
Set these in the Space settings: |
|
|
|
|
|
- RP_SIGNING_PRIVKEY_B64 — base64 of 32 raw bytes (Ed25519 private key) |
|
|
- RP_TRUSTED_PUBKEY_B64 — base64 of 32 raw bytes (Ed25519 public key) |
|
|
|
|
|
Optional: |
|
|
- RP_KEY_ID — label for the signing key id |
|
|
|
|
|
## Generate keys (copy-paste) |
|
|
|
|
|
### Windows PowerShell |
|
|
py -3 -m pip install -U cryptography |
|
|
py -3 -c "import base64; from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey; from cryptography.hazmat.primitives import serialization; priv=Ed25519PrivateKey.generate(); priv_raw=priv.private_bytes(encoding=serialization.Encoding.Raw, format=serialization.PrivateFormat.Raw, encryption_algorithm=serialization.NoEncryption()); pub_raw=priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw); print('RP_SIGNING_PRIVKEY_B64='+base64.b64encode(priv_raw).decode()); print('RP_TRUSTED_PUBKEY_B64='+base64.b64encode(pub_raw).decode())" |
|
|
|
|
|
### Linux / macOS |
|
|
python3 -m pip install -U cryptography |
|
|
python3 - <<'PY' |
|
|
import base64 |
|
|
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey |
|
|
from cryptography.hazmat.primitives import serialization |
|
|
priv = Ed25519PrivateKey.generate() |
|
|
priv_raw = priv.private_bytes(encoding=serialization.Encoding.Raw, format=serialization.PrivateFormat.Raw, encryption_algorithm=serialization.NoEncryption()) |
|
|
pub_raw = priv.public_key().public_bytes(encoding=serialization.Encoding.Raw, format=serialization.PublicFormat.Raw) |
|
|
print("RP_SIGNING_PRIVKEY_B64=" + base64.b64encode(priv_raw).decode()) |
|
|
print("RP_TRUSTED_PUBKEY_B64=" + base64.b64encode(pub_raw).decode()) |
|
|
PY |
|
|
|
|
|
## Key hygiene (non-negotiable) |
|
|
|
|
|
- Treat RP_SIGNING_PRIVKEY_B64 as production signing material. |
|
|
- Never paste it into issues/logs/screenshots/chat. |
|
|
- If it leaks: rotate immediately (new keys → update HF secrets → restart Space → regenerate baselines). |
|
|
|
|
|
## Offline verification (what the verifier checks) |
|
|
|
|
|
The exported bundle can be verified without Hugging Face. The offline verifier checks: |
|
|
|
|
|
- Ed25519 signature validity |
|
|
- receipt hash integrity |
|
|
- hash-chain continuity (tamper evidence) |
|
|
- suite binding (suite_digest + case_id) |
|
|
- Merkle root + inclusion proofs |
|
|
|
|
|
## Deployment rule |
|
|
|
|
|
No receipt → no claim. |
|
|
|
|
|
If a system cannot produce signed, chained, Merkle-anchored receipts with replay and diff, its safety claims are not auditable. |
