Climate-Food Chain-Of-Custody — Federated Provenance Seal¶

GFTCL-LION-CLIMATE-FOOD-001 — the seventh internal-audit domain to land ALIVE, and the first to ship its full federated outward shell in the same commit as the internal close. Other peer cells, audit partners, lab co-witnesses can subscribe, recompute, and verify the cell's witnesses without privileged access to its substrate.

The native claim¶

A climate / food provenance chain is an ordered sequence of handoffs. Each handoff has an actor (the party that touches the payload) and a claimed output payload-hash. The chain is coherent iff every step's claimed output matches the deterministic order-sensitive combine of the running payload + the step's actor.

The Wittgenstein-honest move: SEAL THE CHAIN AT PROVENANCE TIME so no upstream party can retro-fit an earlier handoff without invalidating every downstream claimed hash.

What this seal IS¶

A pure-function dignity property. Given the public inputs (p₀, a₁, a₂, a₃, F), any federation peer recomputes (p₁, p₂, p₃) and the coherence + finalization verdicts bit-for-bit. Two parties given the same inputs land on the same verdict.

combine(p, actor) = 7·p + actor — pure Nat, kernel-reducible by decide, order-sensitive (catches handoff reorder).

What this seal IS NOT¶

A claim that upstream handoff actors are trustworthy. Coherence proves handoffs match the announced chain; it does not prove the payload reflects the real-world thing.
A real cryptographic hash. The order-sensitive combine is for the algebraic-coherence property. For cryptographic-strength signing, the cell's signature_quintet (5 facets) layers on top, and any peer re-derives each facet from the canonical witness.
A closure on the sensor layer. Real-world climate anomaly witnessing stays NAMED OPEN on summit.climate.heat_anomaly_witness.
A closure on LVC drift. The pre-registered-prediction-vs-reported- observation drift stays NAMED OPEN on summit.food.lvc_drift_witness.

The three worked instances (decide-closed in Lean)¶

Instance	Chain	Verdict
A clean	p₀=10, actors [1, 2, 3], F=3496	COHERENT FINALIZES (p₃=3496)
B broken-link	s₂ claims 999, truth is 499	INCOHERENT
C tampered-reorder	actors [3, 2, 1] (same multiset, different order)	COHERENT but DIFF_FINAL (p₃=3592 ≠ 3496)

Order-sensitive combine catches the reorder — same multiset of actors produces a different terminal hash.

Federation pipeline¶

Stage	What happens
Seal	Operator walks the chain; `ClimateFoodEngine.sealValidation` recomputes `(p₁, p₂, p₃)` and writes `climate_food_validations` with verdict + canonical witness + SHA-256
Sign	`SignatureQuintet.selfSigned(...)` produces 5 facets (`cell_id`, `domain_id`, `lean_artifact_path`, `payload_sha256`, `tau_block`); writes JSON array to `signature_quintet`
Gate	Substrate trigger `trig_cf_nats_requires_quintet` refuses to set `nats_broadcast_at_iso` non-NULL while `signature_quintet = '[]'`. An unsigned receipt cannot roar
Broadcast	NATS subject `gaiaftcl.climate_food.chain.sealed` carries the witness payload
Alert	`ClimateFoodAlertableEvents` projects fields → seeded rules fire → `alert_queue` row → Apple Alert + RSS item
Re-verify	Peer cell with NO substrate access parses canonical, recomputes `(p₁, p₂, p₃)` + 5 facets, confirms bit-for-bit

Falsifier — `M8FederationReVerifySmokeTest`¶

Six assertions any peer cell can run:

Substrate seed chain chain-demo-cf-001 is present.
ClimateFoodEngine.recompute bit-matches FirstRoars/ChainOfCustodyHash.lean instance A: p=[71, 499, 3496].
sealValidation produces verdict_kind = 'coherent_finalizes'.
signature_quintet is non-empty (5-facet self-sign); nats_broadcast_at_iso is non-NULL.
Peer re-verify: a simulated peer cell with no substrate access recomputes from public inputs alone and lands on the same witness SHA-256.
Tamper test: attempting to mark broadcast on an unsigned row is ABORTED by trig_cf_nats_requires_quintet. The federation gate holds.

Run:

cd cells/xcode
swift run M8FederationReVerifySmokeTest

Expected output ends with result: ALL PASS.

Substrate¶

climate_food_chains — pre-registration anchor. SQL trigger trig_cf_chains_anchor_immutable refuses any UPDATE touching chain_id, initial_payload_nat, actor_1, actor_2, actor_3, announced_final_nat, registered_at_iso, registration_sha256.
climate_food_validations — append-only outcome rows. UPDATE trigger refuses every column edit except nats_broadcast_at_iso, which is gated by the signing trigger.

What stays NAMED OPEN¶

summit.climate.heat_anomaly_witness — real-time sensor ingress and per-region pre-registered heat-anomaly prediction.
summit.food.provenance_chain — extension beyond length-3 chains; variable-length chain support over List Nat.
summit.food.lvc_drift_witness — LVC-style drift between the pre-registered prediction and the reported observation (the LVC v2 collapse gate work).

Files¶

Lean seal: proof/lean/FirstRoars/ChainOfCustodyHash.lean
Substrate: cells/xcode/Sources/GaiaFTCLCore/NarratorSchemaV128.swift
Engine: cells/xcode/Sources/ClimateFoodUI/ClimateFoodEngine.swift
Panel: cells/xcode/Sources/ClimateFoodUI/ClimateFoodDomainPanel.swift
AlertableEvents: cells/xcode/Sources/ClimateFoodAlertableEvents/ClimateFoodAlertableEvents.swift
Signing primitive: cells/xcode/Sources/GaiaFTCLCore/SignatureQuintet.swift
Federation smoke test: cells/xcode/Sources/M8FederationReVerifySmokeTest/main.swift
Rosetta registration: cells/xcode/Sources/M8FrequencySweep/Rosetta/LeanArtifactRegistry.swift

Federation-cosigned

This page's source is sealed in the GaiaFTCL federation manifest — page SHA-256 6fa1dccf35dd7ff9…, manifest witness a090592e0609adc8…, signed 2026-06-02T18:58:22Z by cell gaiaftcl-mac-cell. Verify with gaiaftcl wiki sign --all and compare wiki-all-signatures.json.