Climate-Food Chain-Of-Custody — Federated Provenance Seal
GFTCL-LION-CLIMATE-FOOD-001 — the seventh internal-audit domain to land
ALIVE, and the first to ship its full federated outward shell in
the same commit as the internal close. Other peer cells, audit
partners, lab co-witnesses can subscribe, recompute, and verify the
cell's witnesses without privileged access to its substrate.
The native claim
A climate / food provenance chain is an ordered sequence of handoffs.
Each handoff has an actor (the party that touches the payload) and a
claimed output payload-hash. The chain is coherent iff every
step's claimed output matches the deterministic order-sensitive
combine of the running payload + the step's actor.
The Wittgenstein-honest move: SEAL THE CHAIN AT PROVENANCE TIME so
no upstream party can retro-fit an earlier handoff without
invalidating every downstream claimed hash.
What this seal IS
A pure-function dignity property. Given the public inputs `(p₀, a₁,
a₂, a₃, F), any federation peer recomputes (p₁, p₂, p₃)` and the
coherence + finalization verdicts bit-for-bit. Two parties given the
same inputs land on the same verdict.
combine(p, actor) = 7·p + actor — pure Nat, kernel-reducible by
decide, order-sensitive (catches handoff reorder).
What this seal IS NOT
- A claim that upstream handoff actors are trustworthy. Coherence
proves handoffs *match the announced chain*; it does not prove the
payload reflects the real-world thing.
- A real cryptographic hash. The order-sensitive combine is for the
algebraic-coherence property. For cryptographic-strength signing,
the cell's signature_quintet (5 facets) layers on top, and any
peer re-derives each facet from the canonical witness.
- A closure on the sensor layer. Real-world climate anomaly
witnessing stays NAMED OPEN on summit.climate.heat_anomaly_witness.
- A closure on LVC drift. The pre-registered-prediction-vs-reported-
observation drift stays NAMED OPEN on summit.food.lvc_drift_witness.
The three worked instances (decide-closed in Lean)
| Instance | Chain | Verdict |
|---|---|---|
| A clean | p₀=10, actors [1, 2, 3], F=3496 | COHERENT FINALIZES (p₃=3496) |
| B broken-link | s₂ claims 999, truth is 499 | INCOHERENT |
| C tampered-reorder | actors [3, 2, 1] (same multiset, different order) | COHERENT but DIFF_FINAL (p₃=3592 ≠ 3496) |
Order-sensitive combine catches the reorder — same multiset of actors
produces a different terminal hash.
Federation pipeline
| Stage | What happens |
|---|---|
| Seal | Operator walks the chain; ClimateFoodEngine.sealValidation recomputes (p₁, p₂, p₃) and writes climate_food_validations with verdict + canonical witness + SHA-256 |
| Sign | SignatureQuintet.selfSigned(...) produces 5 facets (cell_id, domain_id, lean_artifact_path, payload_sha256, tau_block); writes JSON array to signature_quintet |
| Gate | Substrate trigger trig_cf_nats_requires_quintet refuses to set nats_broadcast_at_iso non-NULL while signature_quintet = '[]'. An unsigned receipt cannot roar |
| Broadcast | NATS subject gaiaftcl.climate_food.chain.sealed carries the witness payload |
| Alert | ClimateFoodAlertableEvents projects fields → seeded rules fire → alert_queue row → Apple Alert + RSS item |
| Re-verify | Peer cell with NO substrate access parses canonical, recomputes (p₁, p₂, p₃) + 5 facets, confirms bit-for-bit |
Falsifier — M8FederationReVerifySmokeTest
Six assertions any peer cell can run:
1. Substrate seed chain chain-demo-cf-001 is present.
2. ClimateFoodEngine.recompute bit-matches FirstRoars/ChainOfCustodyHash.lean instance A: p=[71, 499, 3496].
3. sealValidation produces verdict_kind = 'coherent_finalizes'.
4. signature_quintet is non-empty (5-facet self-sign); nats_broadcast_at_iso is non-NULL.
5. Peer re-verify: a simulated peer cell with no substrate access recomputes from public inputs alone and lands on the same witness SHA-256.
6. Tamper test: attempting to mark broadcast on an unsigned row is ABORTED by trig_cf_nats_requires_quintet. The federation gate holds.
Run:
cd cells/xcode
swift run M8FederationReVerifySmokeTestExpected output ends with result: ALL PASS.
Substrate
climate_food_chains— pre-registration anchor. SQL trigger
trig_cf_chains_anchor_immutable refuses any UPDATE touching
chain_id, initial_payload_nat, actor_1, actor_2, actor_3,
announced_final_nat, registered_at_iso, registration_sha256.
climate_food_validations— append-only outcome rows. UPDATE
trigger refuses every column edit except nats_broadcast_at_iso,
which is gated by the signing trigger.
What stays NAMED OPEN
summit.climate.heat_anomaly_witness— real-time sensor ingress
and per-region pre-registered heat-anomaly prediction.
summit.food.provenance_chain— extension beyond length-3 chains;
variable-length chain support over List Nat.
summit.food.lvc_drift_witness— LVC-style drift between the
pre-registered prediction and the reported observation (the LVC v2
collapse gate work).
Files
- Lean seal:
proof/lean/FirstRoars/ChainOfCustodyHash.lean - Substrate:
cells/xcode/Sources/GaiaFTCLCore/NarratorSchemaV128.swift - Engine:
cells/xcode/Sources/ClimateFoodUI/ClimateFoodEngine.swift - Panel:
cells/xcode/Sources/ClimateFoodUI/ClimateFoodDomainPanel.swift - AlertableEvents:
cells/xcode/Sources/ClimateFoodAlertableEvents/ClimateFoodAlertableEvents.swift - Signing primitive:
cells/xcode/Sources/GaiaFTCLCore/SignatureQuintet.swift - Federation smoke test:
cells/xcode/Sources/M8FederationReVerifySmokeTest/main.swift - Rosetta registration:
cells/xcode/Sources/M8FrequencySweep/Rosetta/LeanArtifactRegistry.swift
719b677acdfe702c4245c1aef568a998453eb9a8d645660fad9aff74d73fe6a8.
This page serves with a substrate-honest pending-signature notice until the operator's Franklin signer cosigns it.