Skip to content

ninjra/aion-cycle

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

29 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Copyright 2026 Mushku Nobleworks. All rights reserved. SPDX-License-Identifier: Apache-2.0 OR LicenseRef-Commercial

AION Apex: The One-Prompt Closed Loop

Document class: public orientation. Apex version: v1.0

AION v1 is an RFC-style theoretical architecture with an executable local reference implementation. It is not a hosted service, not a production provenance platform, not a universal truth engine, and not a lie detector.

AION proves one narrow public claim:

Route truth: this output followed this committed path.

It does that with source bytes, metadata-free comparison, exact output, in-circuit transcript commitment, proof artifacts, receipts, and fail-closed verification.

Why this exists

Most systems ask you to trust a pipeline. This one makes the pipeline small enough to rerun, strict enough to fail when changed, and explicit enough to audit. Start by running it. Then break it on purpose. Then read the exact boundary when you want the formal version.

90-second path

make demo            # run the fixed canonical cycle
make verify          # prints exactly PASS or FAIL
make verify-explain  # PASS plus the list of checks performed
make break           # tamper a temp copy and watch it FAIL (repo untouched)

Expected core verifier output:

PASS

What to inspect after the demo:

aion.statement.json
proofs/v1/proof-artifacts.receipt.json
proofs/v1/toolchain.receipt.json
proofs/v1/generation-trace.receipt.json
proofs/v1/public.json
proofs/v1/proof.json

Trust ladder

Level 1  run it        make demo
Level 2  verify it     make verify
Level 3  explain it    make verify-explain
Level 4  break it      make break   (and: make redteam)
Level 5  recompute it  make reproduce
Level 6  audit it      read VERIFY.md, PUBLIC_BOUNDARY.md, PUBLIC_CLAIMS.md

Copy-paste prompt

Paste the following into a coding agent that can write and run local files.

Build a single local AION reference project.

The project is a fixed canonical reference artifact. It is not a hosted service,
not a production provenance system, not arbitrary-input support, not objective
truth, and not a production Groth16 trusted-setup ceremony.

Execution clamps for the coding agent:

- Treat this prompt as the only source of truth. Do not inspect parent workspaces, prior repos, memories, MCP graphs, or external project files.
- Work only in the current empty project directory. Do not search parent directories, sibling repositories, user home directories, caches, prior workspaces, or system-wide project trees for source material or artifacts.
- Use PATH only to locate executables. Use project-local files only for project data. If the Powers of Tau file is absent, `make setup` may download it only from the pinned URL and must hash-check it.
- Do not use web search or online hash services. Compute hashes locally with Python hashlib.
- Do not create placeholders that verification accepts. No DERIVED placeholders, no TODO hashes, no stub proof, no fake verifier, no static PASS path.
- If real circom/snarkjs/ptau are unavailable, the command must fail closed with stdout FAIL. Do not simulate the Groth16 proof.
- Do not widen scope to product features, hosted service, dashboards, or arbitrary-input support.
- Do not load optional skills, MCP resources, parent repo rules, memories, or external helper context.
- Before claiming done, you must actually run the required local commands. If the shell/command runner is unavailable, stop and report BLOCKED; do not create an unverified project and do not claim PASS.

Required public files:

  README.md
  PUBLIC_BOUNDARY.md
  PUBLIC_CLAIMS.md
  VERIFY.md
  DESIGN_NOTES.md
  TRUSTED_SETUP.md
  CIRCUIT.md
  SECURITY.md
  Makefile
  Dockerfile
  package.json
  package-lock.json
  toolchain.lock
  aion_cycle.py
  aion.circom
  fixtures/canonical.json
  fixtures/pass/canonical.json
  fixtures/fail/*.json
  expected_root.txt
  aion.statement.json
  proofs/v1/input.json
  proofs/v1/proof.json
  proofs/v1/public.json
  proofs/v1/verification_key.json
  proofs/v1/toolchain.receipt.json
  proofs/v1/generation-trace.receipt.json
  proofs/v1/proof-artifacts.receipt.json
  proofs/v1/emissions/*.emission.json
  proofs/v1/receipts/*.receipt.json
  tests/test_redteam.py
  tests/test_emission_chain.py
  tests/test_fixtures.py
  tests/test_circuit_structure.py
  tests/test_public_boundary.py
  viewer/index.html
  viewer/app.js

Do not commit or rely on these regenerated byproducts as verifier authority:

  proofs/v1/aion.r1cs
  proofs/v1/aion.sym
  proofs/v1/aion.zkey
  proofs/v1/aion_0.zkey
  proofs/v1/aion_js/
  proofs/v1/public_bad.json
  proofs/v1/public_bad_reverify.json

Goal:
Run one fixed closed route and prove it:

  Source -> Encode -> Carry -> Compare -> Carry Back -> Map Back -> Write -> Prove -> Verify -> Close

Command contract:

  make setup       # installs/checks local toolchain and hash-checks ptau
  make verify      # verifies the committed lightweight proof bundle
  make reproduce   # regenerates heavy proof byproducts and the proof bundle
  make test        # red-team, fixture, circuit-structure, and boundary tests
  make boundary-check

stdout contract:

  PASS

or:

  FAIL

Failure diagnostics:

  stdout remains exactly PASS or FAIL.
  On failure, stderr may include one controlled public-safe line:

    FAIL_REASON:<reason_code>

  Reason codes are diagnostics, not a third status. Do not print tracebacks during
  normal failure handling. Do not leak local private paths, credentials, secrets,
  or internal implementation names.

Host route requirements:

1. Never use Python's built-in hash(). Use hashlib.sha256 for all identity,
   ordering, receipts, emissions, and roots.
2. Serialize deterministically with json.dumps(value, sort_keys=True,
   separators=(",", ":")).encode("utf-8") unless a stricter byte tuple is used.
3. Bytes are source authority. Encode text fixtures as UTF-8 strict. Do not
   normalize casing, whitespace, line endings, or Unicode.
4. V1 uses fixed fixture byte-count scoring. Do not describe it as Q15 or
   saturating arithmetic unless both host and circuit implement that model.
5. Implement explicit phase functions:
     phase_source
     phase_encode
     phase_carry
     phase_compare
     phase_carry_back
     phase_map_back
     phase_write
6. Encode stores identity in a local ledger:
     source_record_id -> source_bytes
     field_hash -> [source_record_id]
7. Compare sees fields only and performs integer byte-count scoring.
8. Require a strict unique winner. Ties fail closed.
9. If mapback finds zero or multiple source records for a selected field_hash,
   fail closed with a stable reason code.
10. Write emits selected source bytes and checks byte-exact equality.
11. Every phase emits a receipt with:
     phase name
     input identity/hash
     output identity/hash
     child receipt hashes
     failed_checks
     proof_passed
     receipt_hash
12. Compose phase receipts into a cycle receipt.
13. Emit transition emissions with source lineage and chain hashes.
14. Verification must recompute receipt hashes from bodies; never trust a stored
    proof_passed flag by itself.
15. Verification must be read-only: do not write public_bad files into the tracked
    proof directory. Generate negative public inputs in a temp path.

Circuit requirements:

1. Use one fixed-reference Circom circuit for the canonical fixture.
2. Public inputs are emitted bytes and the 256-bit transcript digest commitment.
3. Enforce byte/bit consistency for query, corpus, and emitted bytes.
4. Enforce pairwise equality scoring in-circuit.
5. Enforce corpus0 as the strict winner:
     score0 - score1 - 1 is a non-negative 16-bit value
     score0 - score2 - 1 is a non-negative 16-bit value
6. Enforce emitted[i] === corpus0[i] for every emitted byte.
7. Enforce in-circuit SHA-256 over the domain-separated transcript:
     AION-CYCLE-V1| || query || corpus0 || corpus1 || corpus2 || emitted
   and bind sha.out to expected_digest_bits.
8. Document the circuit structure in CIRCUIT.md and add tests that assert the
   structural constraints are present.

Groth16/toolchain requirements:

1. Use real circom and snarkjs. No fake verifier, no stub proof, no static boolean.
2. Pin the public reference toolchain:
     snarkjs 0.7.6
     circom 2.2.3
     circom binary sha256 85342c7ff332d948df7c0c50ecf201e6129349aef550ce873f3c811b79fe53a3
     circomlib 2.0.5
     powersOfTau28_hez_final_18.ptau sha256 e970efa7774da80101e0ac336d083ef3339855c98112539338d706b2b89ac694
3. Use npm ci for locked local dependencies.
4. Use a public deterministic beacon for the demo/reference zkey step. Record the
   beacon and state clearly that this is demo/reference-only, not a production
   ceremony.
5. Run positive Groth16 verification and a negative public-input verification.
   The negative input must be generated from current public.json in a temp path.
6. TRUSTED_SETUP.md must state what this proves and what it does not prove.

Root model:

  transcript_root = domain-separated hash of source bytes and emitted output
  proof_root      = receipt hash for proof/toolchain/artifact evidence
  cycle_root      = statement hash binding transcript_root, proof_root, policy,
                    proof system, circuit hash, verification key hash,
                    public input hash, and proof hash

EXPECTED_TRANSCRIPT_ROOT is the frozen transcript root only. The cycle_root must
not be equated to EXPECTED_TRANSCRIPT_ROOT.

Canonical fixture:

  query:
    b"need contract renewal approval"

  corpus:
    b"contract renewal requires finance approval"
    b"weather report says rain tomorrow"
    b"lunch menu includes soup"

  expected selected record:
    b"contract renewal requires finance approval"

Tests required:

1. The canonical statement verifies: stdout PASS, rc 0.
2. Mutating statement root, proof hash, public input, receipt body, generation
   trace, phase receipt, emission order, previous emission hash, or source root
   produces stdout FAIL, rc 1, and the expected FAIL_REASON.
3. Stored public_bad files are absent and not trusted.
4. Verification is read-only.
5. Duplicate field-hash mapback fails closed.
6. Fixtures are concrete JSON files, not README-only placeholders.
7. Public boundary test forbids private paths, credentials, private keys, internal
   Apex markers, internal method inventories, and claims wider than the fixed route.
8. Circuit structure test asserts public signals, strict-winner binding,
   emitted==corpus0 binding, digest binding, and SHA width.

Definition of done:

- `make setup` completes with pinned hash checks.
- `make verify` prints PASS and leaves git status unchanged.
- `make reproduce` regenerates proof byproducts and then `make verify` still prints PASS.
- `make test` passes.
- `make boundary-check` passes.
- Public docs contain positive and negative clamps for major claims.
- No public doc claims production security, production trusted setup,
  arbitrary-input support, objective truth, privacy, hosted service behavior, or
  broad provenance.

Plain claim / formal claim

Plain:  If any committed artifact changes, verification fails.
Formal: verify recomputes the statement cycle_root, receipt hashes, artifact
        hashes, public digest bits, and Groth16 verification, and rejects any
        mismatch fail-closed.
Plain:  The verifier does not trust a green flag.
Formal: a stored proof_passed flag is ignored; receipts are recomputed from
        their bodies before they are believed.

What to trust / what not to trust

You can trust Because
The committed bundle matches the statement make verify recomputes it from files
Tampering is detected red-team fixtures and make break show fail-closed behavior
The public claim is bounded PUBLIC_BOUNDARY.md and PUBLIC_CLAIMS.md define scope
Do not trust Why
That this is production secure demo/reference trusted setup only (TRUSTED_SETUP.md)
That it proves objective truth it verifies a route, not reality
That arbitrary inputs are supported one fixed canonical fixture only
That a UI equals verification the CLI and artifacts are canonical

Glossary

statement   the public claim being verified (aion.statement.json)
receipt     a small artifact recording input hash, output hash, and link to the route
fixture     a tiny fixed example proving the route behaves the same every time
route       the fixed ordered phases from source bytes to verified statement
map-back    recovering the selected source bytes from the ledger by field hash
canonical   the one fixed reference cycle this repo proves
byte-exact  compared as raw bytes, not normalized text
fail-closed if the route cannot be verified, the result is FAIL, never a guess

Verification axiom

Trust is ephemeral and lazy-resolved from source.

AION never trusts self-certification. A cached or previously verified artifact may be evidence, but it is not authority. The verifier recomputes the lineage needed for the present decision every time. Caches store material, never trust.

Reports, emissions, receipts, generated artifacts, and cache entries are snapshots, never authority unless explicitly promoted into durable data/source authority. Code/source files can be durable source artifacts. Trust comes only from fresh recomputation from source.

Claim discipline

Every AION claim has two sides:

  • the positive claim: what is verified,
  • the negative clamp: what must not be inferred.

This mirrors the cycle itself: a route closes only when the required relation holds and the forbidden shortcuts fail.

Topic Positive claim Negative clamp
Route truth This output followed this committed path. It does not prove objective truth.
Local-first Verification runs locally. It is not a hosted service.
Receipts Receipts are recomputed from artifacts. A receipt is not trusted because it exists.
PASS PASS means this fixed cycle closed. PASS is not production security or privacy.
Artifacts Artifacts are inspectable snapshots. Artifacts are not durable authority.
Cache Cache may store material. Cache may not store trust.
Sections A valid section can re-enter verification. An orphan fragment is not valid.
Proof Groth16 verifies the fixed circuit. It does not prove claims outside that circuit.

Full claim boundary: PUBLIC_CLAIMS.md.

What this is / is not

This is This is not
A local reference implementation. A hosted product.
A fixed canonical proof cycle. A general arbitrary-input engine.
A route-truth verifier. An objective-truth oracle.
A receipt/proof/artifact demo. A production provenance service.
A fail-closed reference pattern. A privacy system or lie detector.

Two reader tracks

Track A: I just want to see it work.
  make demo
  make verify
  inspect aion.statement.json

Track B: I need to trust the claim.
  read PUBLIC_BOUNDARY.md
  read VERIFY.md
  read PUBLIC_CLAIMS.md
  run make test
  inspect proof/artifact receipts
  read DESIGN_NOTES.md

The route at a glance

Source bytes
  ↓
Encode
  ↓
Carry
  ↓
Compare
  ↓
Carry Back
  ↓
Map Back
  ↓
Write
  ↓
Prove
  ↓
Verify
  ↓
PASS / FAIL

The program prints exactly one of these:

PASS

or:

FAIL

There is no halfway status.

Quick start

make setup
make demo
make verify
make test

make setup installs the local proof toolchain and fetches the pinned Powers of Tau file. make demo runs the committed reference statement and points to the artifacts. make verify prints the canonical verifier result. make test runs red-team mutation and public-boundary checks.

Read next

File Purpose
PUBLIC_BOUNDARY.md Public contract and egress boundary.
VERIFY.md Proof path and failure matrix.
PUBLIC_CLAIMS.md Allowed and forbidden public claims.
DESIGN_NOTES.md Rationale and non-goals.
TRUSTED_SETUP.md Demo-only Groth16 setup boundary.
CIRCUIT.md Generated circuit structure and audit spec.
fixtures/ PASS/FAIL/tamper/out-of-boundary examples.
viewer/ Optional local read-only artifact viewer.

Adoption recipes

These recipes show how to reuse the reference pattern without changing its contract. They are wrappers around the same local PASS/FAIL path, not a new verification mode.

Recipe Do this This is This is not
Use it in your repo Copy the boundary docs, keep the fixtures visible, and make your own make verify run the local verifier before release. A way to publish a recomputable route. A claim that arbitrary inputs are proven.
Wrap it in CI Add a CI step that runs make verify and fails the build on FAIL or missing artifacts. A release gate for the fixed proof path. A substitute for local recomputation or human review.
Verify a release artifact Pin the artifact hash, run the verifier from a clean checkout, and compare the emitted receipt fields to the release note. A portable check that the published bytes match the proof bundle. A hosted attestation service or a broad provenance platform.

Minimal CI shape:

name: verify-aion
on: [push, pull_request]
jobs:
  verify:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make setup
      - run: make verify
      - run: make test

Keep the artifact visible. A dashboard may summarize the receipt, but the receipt and proof bundle remain the inspectable evidence.

RFC boundary

This repository defines a public reference architecture and a canonical proof fixture. It is meant to be read like an RFC: exact enough to build and verify the core route, narrow enough to avoid pretending to solve every deployment detail.

In scope:

  • the fixed canonical route,
  • the public circuit,
  • the proof bundle,
  • the receipt and statement model,
  • the positive and negative clamps,
  • the failure behavior.

Out of scope:

  • production user interface,
  • hosted service operations,
  • arbitrary input generalization,
  • deployment-specific key ceremonies,
  • private implementation details,
  • private operational recovery records.

If a critique is about the route, proof, receipt model, or clamps, it is in scope. If a critique is about production packaging beyond this fixed reference, it belongs to a later implementation profile, not to the core RFC.

The whole map

AION is one closed path. One prompt builds the local project. The project runs the path end to end. If every step closes, including a real Groth16 proof and verification, it prints PASS. If anything is off, it prints FAIL.

There is no local-only pass and no optional proof. make demo is only a friendly entrypoint to the same committed verifier path. The Groth16 setup is demo/reference-only; see TRUSTED_SETUP.md. The path is laminar: it flows once, cleanly, or not at all.

Project status

AION v1 is complete as a fixed-canonical reference implementation:

  • one canonical fixture,
  • one full-cycle Groth16 circuit,
  • in-circuit SHA-256 transcript commitment,
  • committed proof bundle,
  • three-root statement,
  • portable statement verification,
  • positive and negative clamps,
  • red-team mutation tests.

It is not a production provenance service and not a general arbitrary-input engine. It is a public reference route.

See also: PUBLIC_BOUNDARY.md.

Truth route

bytes
  ↓
bounded fields
  ↓
metadata-free comparison
  ↓
selected source mapback
  ↓
exact emitted bytes
  ↓
in-circuit SHA-256 transcript proof
  ↓
proof/artifact receipts
  ↓
three-root statement
  ↓
PASS / FAIL

AION proves route truth: this output followed this committed path.

The path

Encode -> Carry -> Compare -> Carry Back -> Map Back -> Write -> Prove -> Verify

In plain language:

turn bytes into bounded numbers
carry only the numbers
compare the numbers
carry the selected field hash back
look up the original bytes
write the exact bytes
prove the closure relation
verify the proof

AION watches the path and checks whether it closed. AION does not choose the answer. AION does not change the answer. AION only checks whether the route contradicted its own receipts.

Positive and negative clamps

AION is defined by pairs: what must happen, and what must never happen.

Positive clamp Negative clamp
Source bytes are treated as data. Source bytes must not become instructions.
The route must close in order. A later step must not skip or replace an earlier step.
The comparison step receives bounded fields. The comparison step must not receive names, labels, paths, or hidden metadata.
Receipts must be recomputable from artifacts. A PASS flag must not be trusted by itself.
The proof must verify against public inputs. A proof artifact must not be accepted because it merely exists.
The emitted bytes must equal the selected bytes. Similar, plausible, or human-approved output must not count.
Audit artifacts may be written for verification. Audit artifacts must not become the final answer.
Failure must print FAIL. The system must not guess, continue, or emit partial success.

What each step does

Step Plain job
Encode Turn source bytes into bounded numeric fields and store identity separately in the ledger.
Carry Carry only copied numeric fields. Strip every label.
Compare Compare fields with integer-only scoring and deterministic ranking.
Carry Back Carry only the selected field hash back.
Map Back Use the ledger to recover the selected source bytes.
Write Emit output bytes exactly equal to the selected source bytes.
Prove Generate a real Groth16 proof of the closure relation.
Verify Verify the Groth16 proof and all local receipts.
AION Accept only if the entire path closes.

The proof is not in one step. The proof is in the fixed canonical path closing. Each named route phase has a public receipt under proofs/v1/receipts/.

The local scoring surface

The comparison step needs a surface that is small, deterministic, and easy to inspect. This map uses a byte histogram:

  • a list of 256 integer slots,
  • one slot for each possible byte value from 0 to 255,
  • for each byte in the source, add one to that byte's slot,
  • clamp every value to the bounded range.

This is not a search engine. It is a tiny numeric surface that lets the loop demonstrate the path: bounded fields, metadata-free carry, deterministic comparison, mapback, exact output, and proof closure.

The small math, in plain language

Nothing here is new mathematics. Each part is an ordinary, named result. Math is not here to impress; it is here to point at the dimension plainly.

Bounded numbers

MIN = -32768
MAX =  32767

Keep the v1 fixture arithmetic integer-only and byte-count based. This reference does not claim a Q15/saturating arithmetic implementation.

Compare fields

score = sum(query[i] * record[i])

Multiply matching slots and add the results. This is the coordinate-wise product and the inner product.

Pick a winner

key = (-score, field_hash)

The general design sorts by score and a deterministic tie-break. This v1 circuit uses a stricter shape: the canonical fixture must have one unique winner. If the winner is ambiguous, the run fails instead of guessing.

Keep receipts

receipt = SHA256(domain || canonical(input, output, checks))

Hash each step's record. This is a domain-separated hash commitment.

A green light cannot hide a red light

A parent receipt includes its child receipt hashes. If a child failed, the parent fails. This is Merkle-style commitment composition.

Names cannot leak

The comparison step receives fields only, never names or labels. In v1, the verifier sees the canonical public bytes because the circuit is a public fixed fixture. The opacity claim is architectural: names and labels cannot steer the comparison. This is noninterference.

You cannot get something from nothing

A field alone does not reconstruct arbitrary source. Recovery needs the ledger as side information. This is the source-coding limit, with descriptive complexity as the lower-bound intuition.

Prove closure honestly

The circuit asserts no free "pass" bit. There is no tamper_failed === 1 and no child_passed === 1 witness, because asserting a public input equals a constant is a tautology a prover could satisfy trivially.

Instead, every quantity the proof binds is computed by constraints:

emitted[i] == corpus0[i]                     // exact output equals the winner
score0 - score1 - 1 >= 0   (16-bit range)    // strict winner, scored in-circuit
score0 - score2 - 1 >= 0   (16-bit range)
SHA256(transcript) == expected_digest_bits   // hashed in-circuit, public digest

The scores and the digest are produced inside the circuit, not handed in as free witnesses. The emitted answer and the digest are public inputs, so the proof is about real computed values, not a constant.

Closure requirements

The local project must resolve the usual attack surfaces inside the path. These are not future hardening notes. They are requirements for PASS.

  • Real Groth16 setup artifacts: the project must generate real setup, proving-key, verification-key, proof, and public-input artifacts for the included closure circuit. The setup is local to the demo, but it must be real and hash-bound into the final receipt root.
  • Circuit soundness checks: the circuit proves the route and the in-circuit SHA-256 commitment. The runner must run a verifier-negative check: flipping any public digest bit must make the real verifier reject the proof.
  • No fake verifier: PASS is forbidden unless the real verifier returns OK for the untampered proof and rejects a tampered public input.
  • Toolchain binding: the tool names, versions, and path hashes for circom, snarkjs, and node must be recorded in a toolchain receipt. The toolchain receipt hash is a child of proof_root. Public receipts use normalized command names and path hashes, not local absolute paths.
  • Artifact binding: the circuit source hash, compiled artifacts, proving key, verification key, proof, public inputs, and verifier result are receipts. Historical command metadata is kept in a separate generation trace receipt. The portable verifier treats it as audit history and verifies the trace receipt hash; it does not treat it as the source of artifact truth. A missing or changed artifact or trace fails proof_root, which changes cycle_root.
  • Receipt binding: every receipt is meaningful only because it is generated by the step it describes and included in the parent root. The project must bind receipts to phase name, input hash, output hash, child receipt hashes, toolchain receipt hash where relevant, failed checks, and proof status.
  • Replay scope: replay verifies the same event. It does not mutate state twice. The event id and replay root are part of the final closure relation.
  • No hidden output: normal failure prints only FAIL. Internal failure details may be retained in local receipts, but they must not leak through the command-line result.
  • Fuzz smoke: the generated project must include a small malformed-input smoke test: empty input, duplicate-field ambiguity, altered receipt, and bad circuit input must fail.

The point is not to describe risks. The point is to make the local path close only when these risks are handled.

The three roots

AION uses phase receipts and three roots so the proof is not circular:

Root What it binds How it is checked
transcript_root the canonical bytes and emitted answer computed by the host and by in-circuit SHA-256
proof_root toolchain, circuit source, compiled artifacts, keys, proof, public inputs, verifier result computed from proof/artifact receipts
cycle_root the final statement: transcript root + proof root + policy recomputed from aion.statement.json

The frozen transcript root can be recomputed with python3 scripts/compute_expected_root.py.

EXPECTED_TRANSCRIPT_ROOT is frozen. The generated cycle_root is not a magic constant; it is the hash of the emitted statement for that run. PASS requires all three roots to cohere.

The portable verifier also parses public.json and reconstructs the 256 public digest bits. Those bits must equal EXPECTED_TRANSCRIPT_ROOT, not merely hash to the same public.json file. For the negative verifier check, it regenerates a fresh bad public input from public.json and does not trust a stored bad-public artifact.

The safety rules

  1. Bytes are the source authority.
  2. Fields are byte-count integer views for the fixed fixture.
  3. Arithmetic is integer-only.
  4. v1 does not claim Q15/saturating arithmetic.
  5. The comparison step sees only fields.
  6. Identity lives only in the ledger.
  7. The canonical fixture has a strict winner; ambiguous ranking fails.
  8. Ambiguous mapback fails instead of guessing.
  9. Every step emits a receipt.
  10. A parent receipt fails if any child failed.
  11. Replay verifies; it does not mutate twice.
  12. Final bytes must match directly, not only by hash.
  13. The expected transcript root is frozen in the project.
  14. The tamper run must fail.
  15. The Groth16 circuit must be real: no stub, no static boolean, no fake verifier.
  16. Groth16 proof generation is required.
  17. Groth16 verification is required.
  18. PASS is allowed only after Groth16 verification passes.

The Groth16 circuit

aion.circom is a single fixed-reference circuit. It is fully unrolled and machine-generated; audit it through CIRCUIT.md and tests/test_circuit_structure.py, not by reading every line. It proves the fixed canonical cycle as a Groth16 relation. The emitted bytes and transcript digest are public inputs; the private witness is the route data needed to satisfy the circuit. The canonical byte/scoring/output/hash relation is proved in-circuit; the host remains responsible for fail-closed orchestration, toolchain and artifact receipts, replay/tamper policy, and statement generation.

The circuit proves, in-circuit:

  • every query, corpus, and output byte is a real byte (8-bit range checks),
  • the score of each corpus record against the query is the count of matching byte pairs (the byte-histogram inner product, computed inside the circuit),
  • corpus record 0 is the strict winner over records 1 and 2,
  • the emitted output bytes equal the winning record byte for byte,
  • the SHA-256 of the domain-separated transcript AION-CYCLE-V1| || query || corpus0 || corpus1 || corpus2 || emitted equals a public 256-bit digest commitment.

The SHA-256 is computed inside the circuit using the widely used circomlib Sha256 template, with the exact installed package-lock and circuit-source hash bound into the proof artifacts, so the proof itself attests the hash. The shape of the circuit:

// byte range check (per byte)
b[i] === sum(bits[i][k] * 2^k);     bits[i][k] * (bits[i][k] - 1) === 0;

// pairwise equality score (per query/corpus pair), eq in {0,1}
eq <== 1 - (q - c) * inv;     (q - c) * eq === 0;     eq * (eq - 1) === 0;

// strict winner: score0 - score1 - 1 and score0 - score2 - 1 are 16-bit non-negative
ge01 === sum(ge01_bits[k] * 2^k);

// exact output
emitted[i] === corpus0[i];

// in-circuit SHA-256 of the transcript, bound to the public commitment
sha = Sha256(1480);   sha.in[...] <== transcript_bits;   sha.out[k] === expected_digest_bits[k];

Public inputs are the emitted answer bytes and the 256-bit digest commitment. A valid proof means: a witness exists for which the route logic holds and the transcript hashes to exactly that public digest. The runner also performs a verifier-negative check by flipping one public digest bit; the real verifier must reject it.

There is no host-trusted hash step left in the proof. The host computes the same digest only to know the public commitment and to fail closed before proving.

Known-good environment

The checked-in proof bundle and statement were verified with:

Tool Version / hash
Python 3.12.3
Node.js v22.22.0
Circom 2.2.3
snarkjs 0.7.6
circomlib 2.0.5
Powers of Tau powersOfTau28_hez_final_18.ptau
ptau SHA-256 e970efa7774da80101e0ac336d083ef3339855c98112539338d706b2b89ac694

Docker users can verify the checked-in proof bundle with. The Docker base image is pinned by digest in Dockerfile:

docker build -t aion-cycle .
docker run --rm aion-cycle

Expected output:

PASS

Run it

The reference runner requires node, circom, and snarkjs, plus a Powers of Tau file. A setup script installs the toolchain locally (no sudo) and fetches and verifies the ptau:

make setup        # or: bash scripts/setup.sh
make verify       # or: python3 aion_cycle.py
python3 aion_cycle.py --verify-statement aion.statement.json

Output:

PASS

or:

FAIL

If node, circom, snarkjs, or the ptau are missing, the runner fails closed with FAIL. There is no local-only pass.

Break it

A green light is not enough. Break it on purpose:

  • change one byte in the query,
  • change one byte in the selected record,
  • change one score,
  • change one receipt,
  • change one circuit input.

Run it again. It should print FAIL. The point is not that the path can pass. The point is that it refuses to lie.

What the local map keeps small

It does not leave out Groth16. Groth16 is part of the path.

The local map keeps the rest small:

  • local demo setup artifacts with hashes instead of a public ceremony,
  • small verifier artifacts committed with hashes and heavy proof byproducts regenerated by make reproduce,
  • a fixed-length canonical fixture instead of arbitrary-length inputs,
  • one in-circuit scoring surface instead of advanced scoring surfaces,
  • an in-memory ledger instead of production mapback storage,
  • Python theorem execution instead of compiled projection.

None of that changes the path. Real Groth16 generation and verification are still required for PASS.

References

  • Ben-Sasson, E., Chiesa, A., Tromer, E., and Virza, M. (2014). "Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture." USENIX Security 2014.
  • Cover, T. M., and Thomas, J. A. (2006). Elements of Information Theory, 2nd ed. Wiley.
  • Denning, D. E., and Denning, P. J. (1977). "Certification of Programs for Secure Information Flow." Communications of the ACM, 20(7): 504-513.
  • Goguen, J. A., and Meseguer, J. (1982). "Security Policies and Security Models." IEEE Symposium on Security and Privacy, 11-20.
  • Groth, J. (2016). "On the Size of Pairing-Based Non-Interactive Arguments." EUROCRYPT 2016, LNCS 9666, 305-326.
  • Halmos, P. R. (1958). Finite-Dimensional Vector Spaces, 2nd ed. Van Nostrand.
  • Horn, R. A., and Johnson, C. R. (1991). Topics in Matrix Analysis. Cambridge University Press.
  • Knuth, D. E. (1997). The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, 3rd ed. Addison-Wesley.
  • Knuth, D. E. (1998). The Art of Computer Programming, Vol. 3: Sorting and Searching, 2nd ed. Addison-Wesley.
  • Kolmogorov, A. N. (1965). "Three Approaches to the Quantitative Definition of Information." Problems of Information Transmission, 1(1): 1-7.
  • Merkle, R. C. (1988). "A Digital Signature Based on a Conventional Encryption Function." CRYPTO '87, LNCS 293, 369-378.
  • National Institute of Standards and Technology (2015). FIPS PUB 180-4: Secure Hash Standard.
  • Oppenheim, A. V., and Schafer, R. W. (2009). Discrete-Time Signal Processing, 3rd ed. Pearson.
  • Shannon, C. E. (1948). "A Mathematical Theory of Communication." Bell System Technical Journal, 27(3): 379-423.
  • Strang, G. (2016). Introduction to Linear Algebra, 5th ed. Wellesley-Cambridge Press.

Where this fits

AION is not another manifest format. It is a fail-closed verifier policy around bytes, fields, receipts, transformations, proof artifacts, and final output. Other systems can say a manifest is well formed. AION asks whether the whole route coheres. If any byte, receipt, replay, toolchain artifact, or proof no longer agrees, the answer is FAIL.

Patent and license

Patent pending. Public application details are intentionally omitted until a publication record or approved citation is available.

This document is not a patent claim, not legal advice, and does not publish non-public legal materials. The code you build from the prompt is yours to run locally.

Where to go

More information, demos, licensing, and contact: mushku.com

No account required to try the map. Copy the prompt and run it first.

AION invariant projection

Invariant: aion-trust-lineage-storage-v1 Version: 2026-06-27 Packet hash: 7dc4cfd6d5df39ba3dc3234456f62f64f8aeae71448f3cb56d604e919e3ab696 Document class: public projection

Positive clamp:

  • AION verifies present state from source lineage.
  • Code/source files may be durable source artifacts; durable data/context stores preserve material and lineage.
  • Reports, emissions, receipts, generated artifacts, and caches are inspectable current snapshots unless explicitly promoted.
  • Every major public claim says what it is and what it is not.

Negative clamp:

  • Reports, receipts, emissions, generated artifacts, and caches are not authority unless explicitly promoted into durable data/source authority.
  • Nothing is trusted because it exists, is stored, is emitted, is cached, is signed, is hashed, or says it passed.
  • Public docs must not make internal scientific-metaphor claims or expose private implementation details.