Copyright 2026 Mushku Nobleworks. All rights reserved. SPDX-License-Identifier: Apache-2.0 OR LicenseRef-Commercial
Document class: public orientation. Apex version: v1.0
AION v1 is an RFC-style theoretical architecture with an executable local reference implementation. It is not a hosted service, not a production provenance platform, not a universal truth engine, and not a lie detector.
AION proves one narrow public claim:
Route truth: this output followed this committed path.
It does that with source bytes, metadata-free comparison, exact output, in-circuit transcript commitment, proof artifacts, receipts, and fail-closed verification.
Most systems ask you to trust a pipeline. This one makes the pipeline small enough to rerun, strict enough to fail when changed, and explicit enough to audit. Start by running it. Then break it on purpose. Then read the exact boundary when you want the formal version.
make demo # run the fixed canonical cycle
make verify # prints exactly PASS or FAIL
make verify-explain # PASS plus the list of checks performed
make break # tamper a temp copy and watch it FAIL (repo untouched)Expected core verifier output:
PASS
What to inspect after the demo:
aion.statement.json
proofs/v1/proof-artifacts.receipt.json
proofs/v1/toolchain.receipt.json
proofs/v1/generation-trace.receipt.json
proofs/v1/public.json
proofs/v1/proof.json
Level 1 run it make demo
Level 2 verify it make verify
Level 3 explain it make verify-explain
Level 4 break it make break (and: make redteam)
Level 5 recompute it make reproduce
Level 6 audit it read VERIFY.md, PUBLIC_BOUNDARY.md, PUBLIC_CLAIMS.md
Paste the following into a coding agent that can write and run local files.
Build a single local AION reference project.
The project is a fixed canonical reference artifact. It is not a hosted service,
not a production provenance system, not arbitrary-input support, not objective
truth, and not a production Groth16 trusted-setup ceremony.
Execution clamps for the coding agent:
- Treat this prompt as the only source of truth. Do not inspect parent workspaces, prior repos, memories, MCP graphs, or external project files.
- Work only in the current empty project directory. Do not search parent directories, sibling repositories, user home directories, caches, prior workspaces, or system-wide project trees for source material or artifacts.
- Use PATH only to locate executables. Use project-local files only for project data. If the Powers of Tau file is absent, `make setup` may download it only from the pinned URL and must hash-check it.
- Do not use web search or online hash services. Compute hashes locally with Python hashlib.
- Do not create placeholders that verification accepts. No DERIVED placeholders, no TODO hashes, no stub proof, no fake verifier, no static PASS path.
- If real circom/snarkjs/ptau are unavailable, the command must fail closed with stdout FAIL. Do not simulate the Groth16 proof.
- Do not widen scope to product features, hosted service, dashboards, or arbitrary-input support.
- Do not load optional skills, MCP resources, parent repo rules, memories, or external helper context.
- Before claiming done, you must actually run the required local commands. If the shell/command runner is unavailable, stop and report BLOCKED; do not create an unverified project and do not claim PASS.
Required public files:
README.md
PUBLIC_BOUNDARY.md
PUBLIC_CLAIMS.md
VERIFY.md
DESIGN_NOTES.md
TRUSTED_SETUP.md
CIRCUIT.md
SECURITY.md
Makefile
Dockerfile
package.json
package-lock.json
toolchain.lock
aion_cycle.py
aion.circom
fixtures/canonical.json
fixtures/pass/canonical.json
fixtures/fail/*.json
expected_root.txt
aion.statement.json
proofs/v1/input.json
proofs/v1/proof.json
proofs/v1/public.json
proofs/v1/verification_key.json
proofs/v1/toolchain.receipt.json
proofs/v1/generation-trace.receipt.json
proofs/v1/proof-artifacts.receipt.json
proofs/v1/emissions/*.emission.json
proofs/v1/receipts/*.receipt.json
tests/test_redteam.py
tests/test_emission_chain.py
tests/test_fixtures.py
tests/test_circuit_structure.py
tests/test_public_boundary.py
viewer/index.html
viewer/app.js
Do not commit or rely on these regenerated byproducts as verifier authority:
proofs/v1/aion.r1cs
proofs/v1/aion.sym
proofs/v1/aion.zkey
proofs/v1/aion_0.zkey
proofs/v1/aion_js/
proofs/v1/public_bad.json
proofs/v1/public_bad_reverify.json
Goal:
Run one fixed closed route and prove it:
Source -> Encode -> Carry -> Compare -> Carry Back -> Map Back -> Write -> Prove -> Verify -> Close
Command contract:
make setup # installs/checks local toolchain and hash-checks ptau
make verify # verifies the committed lightweight proof bundle
make reproduce # regenerates heavy proof byproducts and the proof bundle
make test # red-team, fixture, circuit-structure, and boundary tests
make boundary-check
stdout contract:
PASS
or:
FAIL
Failure diagnostics:
stdout remains exactly PASS or FAIL.
On failure, stderr may include one controlled public-safe line:
FAIL_REASON:<reason_code>
Reason codes are diagnostics, not a third status. Do not print tracebacks during
normal failure handling. Do not leak local private paths, credentials, secrets,
or internal implementation names.
Host route requirements:
1. Never use Python's built-in hash(). Use hashlib.sha256 for all identity,
ordering, receipts, emissions, and roots.
2. Serialize deterministically with json.dumps(value, sort_keys=True,
separators=(",", ":")).encode("utf-8") unless a stricter byte tuple is used.
3. Bytes are source authority. Encode text fixtures as UTF-8 strict. Do not
normalize casing, whitespace, line endings, or Unicode.
4. V1 uses fixed fixture byte-count scoring. Do not describe it as Q15 or
saturating arithmetic unless both host and circuit implement that model.
5. Implement explicit phase functions:
phase_source
phase_encode
phase_carry
phase_compare
phase_carry_back
phase_map_back
phase_write
6. Encode stores identity in a local ledger:
source_record_id -> source_bytes
field_hash -> [source_record_id]
7. Compare sees fields only and performs integer byte-count scoring.
8. Require a strict unique winner. Ties fail closed.
9. If mapback finds zero or multiple source records for a selected field_hash,
fail closed with a stable reason code.
10. Write emits selected source bytes and checks byte-exact equality.
11. Every phase emits a receipt with:
phase name
input identity/hash
output identity/hash
child receipt hashes
failed_checks
proof_passed
receipt_hash
12. Compose phase receipts into a cycle receipt.
13. Emit transition emissions with source lineage and chain hashes.
14. Verification must recompute receipt hashes from bodies; never trust a stored
proof_passed flag by itself.
15. Verification must be read-only: do not write public_bad files into the tracked
proof directory. Generate negative public inputs in a temp path.
Circuit requirements:
1. Use one fixed-reference Circom circuit for the canonical fixture.
2. Public inputs are emitted bytes and the 256-bit transcript digest commitment.
3. Enforce byte/bit consistency for query, corpus, and emitted bytes.
4. Enforce pairwise equality scoring in-circuit.
5. Enforce corpus0 as the strict winner:
score0 - score1 - 1 is a non-negative 16-bit value
score0 - score2 - 1 is a non-negative 16-bit value
6. Enforce emitted[i] === corpus0[i] for every emitted byte.
7. Enforce in-circuit SHA-256 over the domain-separated transcript:
AION-CYCLE-V1| || query || corpus0 || corpus1 || corpus2 || emitted
and bind sha.out to expected_digest_bits.
8. Document the circuit structure in CIRCUIT.md and add tests that assert the
structural constraints are present.
Groth16/toolchain requirements:
1. Use real circom and snarkjs. No fake verifier, no stub proof, no static boolean.
2. Pin the public reference toolchain:
snarkjs 0.7.6
circom 2.2.3
circom binary sha256 85342c7ff332d948df7c0c50ecf201e6129349aef550ce873f3c811b79fe53a3
circomlib 2.0.5
powersOfTau28_hez_final_18.ptau sha256 e970efa7774da80101e0ac336d083ef3339855c98112539338d706b2b89ac694
3. Use npm ci for locked local dependencies.
4. Use a public deterministic beacon for the demo/reference zkey step. Record the
beacon and state clearly that this is demo/reference-only, not a production
ceremony.
5. Run positive Groth16 verification and a negative public-input verification.
The negative input must be generated from current public.json in a temp path.
6. TRUSTED_SETUP.md must state what this proves and what it does not prove.
Root model:
transcript_root = domain-separated hash of source bytes and emitted output
proof_root = receipt hash for proof/toolchain/artifact evidence
cycle_root = statement hash binding transcript_root, proof_root, policy,
proof system, circuit hash, verification key hash,
public input hash, and proof hash
EXPECTED_TRANSCRIPT_ROOT is the frozen transcript root only. The cycle_root must
not be equated to EXPECTED_TRANSCRIPT_ROOT.
Canonical fixture:
query:
b"need contract renewal approval"
corpus:
b"contract renewal requires finance approval"
b"weather report says rain tomorrow"
b"lunch menu includes soup"
expected selected record:
b"contract renewal requires finance approval"
Tests required:
1. The canonical statement verifies: stdout PASS, rc 0.
2. Mutating statement root, proof hash, public input, receipt body, generation
trace, phase receipt, emission order, previous emission hash, or source root
produces stdout FAIL, rc 1, and the expected FAIL_REASON.
3. Stored public_bad files are absent and not trusted.
4. Verification is read-only.
5. Duplicate field-hash mapback fails closed.
6. Fixtures are concrete JSON files, not README-only placeholders.
7. Public boundary test forbids private paths, credentials, private keys, internal
Apex markers, internal method inventories, and claims wider than the fixed route.
8. Circuit structure test asserts public signals, strict-winner binding,
emitted==corpus0 binding, digest binding, and SHA width.
Definition of done:
- `make setup` completes with pinned hash checks.
- `make verify` prints PASS and leaves git status unchanged.
- `make reproduce` regenerates proof byproducts and then `make verify` still prints PASS.
- `make test` passes.
- `make boundary-check` passes.
- Public docs contain positive and negative clamps for major claims.
- No public doc claims production security, production trusted setup,
arbitrary-input support, objective truth, privacy, hosted service behavior, or
broad provenance.
Plain: If any committed artifact changes, verification fails.
Formal: verify recomputes the statement cycle_root, receipt hashes, artifact
hashes, public digest bits, and Groth16 verification, and rejects any
mismatch fail-closed.
Plain: The verifier does not trust a green flag.
Formal: a stored proof_passed flag is ignored; receipts are recomputed from
their bodies before they are believed.
| You can trust | Because |
|---|---|
| The committed bundle matches the statement | make verify recomputes it from files |
| Tampering is detected | red-team fixtures and make break show fail-closed behavior |
| The public claim is bounded | PUBLIC_BOUNDARY.md and PUBLIC_CLAIMS.md define scope |
| Do not trust | Why |
|---|---|
| That this is production secure | demo/reference trusted setup only (TRUSTED_SETUP.md) |
| That it proves objective truth | it verifies a route, not reality |
| That arbitrary inputs are supported | one fixed canonical fixture only |
| That a UI equals verification | the CLI and artifacts are canonical |
statement the public claim being verified (aion.statement.json)
receipt a small artifact recording input hash, output hash, and link to the route
fixture a tiny fixed example proving the route behaves the same every time
route the fixed ordered phases from source bytes to verified statement
map-back recovering the selected source bytes from the ledger by field hash
canonical the one fixed reference cycle this repo proves
byte-exact compared as raw bytes, not normalized text
fail-closed if the route cannot be verified, the result is FAIL, never a guess
Trust is ephemeral and lazy-resolved from source.
AION never trusts self-certification. A cached or previously verified artifact may be evidence, but it is not authority. The verifier recomputes the lineage needed for the present decision every time. Caches store material, never trust.
Reports, emissions, receipts, generated artifacts, and cache entries are snapshots, never authority unless explicitly promoted into durable data/source authority. Code/source files can be durable source artifacts. Trust comes only from fresh recomputation from source.
Every AION claim has two sides:
- the positive claim: what is verified,
- the negative clamp: what must not be inferred.
This mirrors the cycle itself: a route closes only when the required relation holds and the forbidden shortcuts fail.
| Topic | Positive claim | Negative clamp |
|---|---|---|
| Route truth | This output followed this committed path. | It does not prove objective truth. |
| Local-first | Verification runs locally. | It is not a hosted service. |
| Receipts | Receipts are recomputed from artifacts. | A receipt is not trusted because it exists. |
| PASS | PASS means this fixed cycle closed. | PASS is not production security or privacy. |
| Artifacts | Artifacts are inspectable snapshots. | Artifacts are not durable authority. |
| Cache | Cache may store material. | Cache may not store trust. |
| Sections | A valid section can re-enter verification. | An orphan fragment is not valid. |
| Proof | Groth16 verifies the fixed circuit. | It does not prove claims outside that circuit. |
Full claim boundary: PUBLIC_CLAIMS.md.
| This is | This is not |
|---|---|
| A local reference implementation. | A hosted product. |
| A fixed canonical proof cycle. | A general arbitrary-input engine. |
| A route-truth verifier. | An objective-truth oracle. |
| A receipt/proof/artifact demo. | A production provenance service. |
| A fail-closed reference pattern. | A privacy system or lie detector. |
Track A: I just want to see it work.
make demo
make verify
inspect aion.statement.json
Track B: I need to trust the claim.
read PUBLIC_BOUNDARY.md
read VERIFY.md
read PUBLIC_CLAIMS.md
run make test
inspect proof/artifact receipts
read DESIGN_NOTES.md
Source bytes
↓
Encode
↓
Carry
↓
Compare
↓
Carry Back
↓
Map Back
↓
Write
↓
Prove
↓
Verify
↓
PASS / FAIL
The program prints exactly one of these:
PASS
or:
FAIL
There is no halfway status.
make setup
make demo
make verify
make testmake setup installs the local proof toolchain and fetches the pinned Powers of
Tau file. make demo runs the committed reference statement and points to the
artifacts. make verify prints the canonical verifier result. make test runs
red-team mutation and public-boundary checks.
| File | Purpose |
|---|---|
PUBLIC_BOUNDARY.md |
Public contract and egress boundary. |
VERIFY.md |
Proof path and failure matrix. |
PUBLIC_CLAIMS.md |
Allowed and forbidden public claims. |
DESIGN_NOTES.md |
Rationale and non-goals. |
TRUSTED_SETUP.md |
Demo-only Groth16 setup boundary. |
CIRCUIT.md |
Generated circuit structure and audit spec. |
fixtures/ |
PASS/FAIL/tamper/out-of-boundary examples. |
viewer/ |
Optional local read-only artifact viewer. |
These recipes show how to reuse the reference pattern without changing its contract. They are wrappers around the same local PASS/FAIL path, not a new verification mode.
| Recipe | Do this | This is | This is not |
|---|---|---|---|
| Use it in your repo | Copy the boundary docs, keep the fixtures visible, and make your own make verify run the local verifier before release. |
A way to publish a recomputable route. | A claim that arbitrary inputs are proven. |
| Wrap it in CI | Add a CI step that runs make verify and fails the build on FAIL or missing artifacts. |
A release gate for the fixed proof path. | A substitute for local recomputation or human review. |
| Verify a release artifact | Pin the artifact hash, run the verifier from a clean checkout, and compare the emitted receipt fields to the release note. | A portable check that the published bytes match the proof bundle. | A hosted attestation service or a broad provenance platform. |
Minimal CI shape:
name: verify-aion
on: [push, pull_request]
jobs:
verify:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- run: make setup
- run: make verify
- run: make testKeep the artifact visible. A dashboard may summarize the receipt, but the receipt and proof bundle remain the inspectable evidence.
This repository defines a public reference architecture and a canonical proof fixture. It is meant to be read like an RFC: exact enough to build and verify the core route, narrow enough to avoid pretending to solve every deployment detail.
In scope:
- the fixed canonical route,
- the public circuit,
- the proof bundle,
- the receipt and statement model,
- the positive and negative clamps,
- the failure behavior.
Out of scope:
- production user interface,
- hosted service operations,
- arbitrary input generalization,
- deployment-specific key ceremonies,
- private implementation details,
- private operational recovery records.
If a critique is about the route, proof, receipt model, or clamps, it is in scope. If a critique is about production packaging beyond this fixed reference, it belongs to a later implementation profile, not to the core RFC.
AION is one closed path. One prompt builds the local project. The project runs
the path end to end. If every step closes, including a real Groth16 proof and
verification, it prints PASS. If anything is off, it prints FAIL.
There is no local-only pass and no optional proof. make demo is only a friendly entrypoint to the same committed verifier path. The Groth16 setup is demo/reference-only; see TRUSTED_SETUP.md.
The path is laminar: it flows once, cleanly, or not at all.
AION v1 is complete as a fixed-canonical reference implementation:
- one canonical fixture,
- one full-cycle Groth16 circuit,
- in-circuit SHA-256 transcript commitment,
- committed proof bundle,
- three-root statement,
- portable statement verification,
- positive and negative clamps,
- red-team mutation tests.
It is not a production provenance service and not a general arbitrary-input engine. It is a public reference route.
See also: PUBLIC_BOUNDARY.md.
bytes
↓
bounded fields
↓
metadata-free comparison
↓
selected source mapback
↓
exact emitted bytes
↓
in-circuit SHA-256 transcript proof
↓
proof/artifact receipts
↓
three-root statement
↓
PASS / FAIL
AION proves route truth: this output followed this committed path.
Encode -> Carry -> Compare -> Carry Back -> Map Back -> Write -> Prove -> Verify
In plain language:
turn bytes into bounded numbers
carry only the numbers
compare the numbers
carry the selected field hash back
look up the original bytes
write the exact bytes
prove the closure relation
verify the proof
AION watches the path and checks whether it closed. AION does not choose the answer. AION does not change the answer. AION only checks whether the route contradicted its own receipts.
AION is defined by pairs: what must happen, and what must never happen.
| Positive clamp | Negative clamp |
|---|---|
| Source bytes are treated as data. | Source bytes must not become instructions. |
| The route must close in order. | A later step must not skip or replace an earlier step. |
| The comparison step receives bounded fields. | The comparison step must not receive names, labels, paths, or hidden metadata. |
| Receipts must be recomputable from artifacts. | A PASS flag must not be trusted by itself. |
| The proof must verify against public inputs. | A proof artifact must not be accepted because it merely exists. |
| The emitted bytes must equal the selected bytes. | Similar, plausible, or human-approved output must not count. |
| Audit artifacts may be written for verification. | Audit artifacts must not become the final answer. |
Failure must print FAIL. |
The system must not guess, continue, or emit partial success. |
| Step | Plain job |
|---|---|
| Encode | Turn source bytes into bounded numeric fields and store identity separately in the ledger. |
| Carry | Carry only copied numeric fields. Strip every label. |
| Compare | Compare fields with integer-only scoring and deterministic ranking. |
| Carry Back | Carry only the selected field hash back. |
| Map Back | Use the ledger to recover the selected source bytes. |
| Write | Emit output bytes exactly equal to the selected source bytes. |
| Prove | Generate a real Groth16 proof of the closure relation. |
| Verify | Verify the Groth16 proof and all local receipts. |
| AION | Accept only if the entire path closes. |
The proof is not in one step. The proof is in the fixed canonical path closing. Each named route phase has a public receipt under proofs/v1/receipts/.
The comparison step needs a surface that is small, deterministic, and easy to inspect. This map uses a byte histogram:
- a list of 256 integer slots,
- one slot for each possible byte value from 0 to 255,
- for each byte in the source, add one to that byte's slot,
- clamp every value to the bounded range.
This is not a search engine. It is a tiny numeric surface that lets the loop demonstrate the path: bounded fields, metadata-free carry, deterministic comparison, mapback, exact output, and proof closure.
Nothing here is new mathematics. Each part is an ordinary, named result. Math is not here to impress; it is here to point at the dimension plainly.
MIN = -32768
MAX = 32767
Keep the v1 fixture arithmetic integer-only and byte-count based. This reference does not claim a Q15/saturating arithmetic implementation.
score = sum(query[i] * record[i])
Multiply matching slots and add the results. This is the coordinate-wise product and the inner product.
key = (-score, field_hash)
The general design sorts by score and a deterministic tie-break. This v1 circuit uses a stricter shape: the canonical fixture must have one unique winner. If the winner is ambiguous, the run fails instead of guessing.
receipt = SHA256(domain || canonical(input, output, checks))
Hash each step's record. This is a domain-separated hash commitment.
A parent receipt includes its child receipt hashes. If a child failed, the parent fails. This is Merkle-style commitment composition.
The comparison step receives fields only, never names or labels. In v1, the verifier sees the canonical public bytes because the circuit is a public fixed fixture. The opacity claim is architectural: names and labels cannot steer the comparison. This is noninterference.
A field alone does not reconstruct arbitrary source. Recovery needs the ledger as side information. This is the source-coding limit, with descriptive complexity as the lower-bound intuition.
The circuit asserts no free "pass" bit. There is no tamper_failed === 1 and no
child_passed === 1 witness, because asserting a public input equals a constant
is a tautology a prover could satisfy trivially.
Instead, every quantity the proof binds is computed by constraints:
emitted[i] == corpus0[i] // exact output equals the winner
score0 - score1 - 1 >= 0 (16-bit range) // strict winner, scored in-circuit
score0 - score2 - 1 >= 0 (16-bit range)
SHA256(transcript) == expected_digest_bits // hashed in-circuit, public digest
The scores and the digest are produced inside the circuit, not handed in as free witnesses. The emitted answer and the digest are public inputs, so the proof is about real computed values, not a constant.
The local project must resolve the usual attack surfaces inside the path. These
are not future hardening notes. They are requirements for PASS.
- Real Groth16 setup artifacts: the project must generate real setup, proving-key, verification-key, proof, and public-input artifacts for the included closure circuit. The setup is local to the demo, but it must be real and hash-bound into the final receipt root.
- Circuit soundness checks: the circuit proves the route and the in-circuit SHA-256 commitment. The runner must run a verifier-negative check: flipping any public digest bit must make the real verifier reject the proof.
- No fake verifier:
PASSis forbidden unless the real verifier returns OK for the untampered proof and rejects a tampered public input. - Toolchain binding: the tool names, versions, and path hashes for
circom,snarkjs, andnodemust be recorded in a toolchain receipt. The toolchain receipt hash is a child ofproof_root. Public receipts use normalized command names and path hashes, not local absolute paths. - Artifact binding: the circuit source hash, compiled artifacts, proving key,
verification key, proof, public inputs, and verifier result are receipts.
Historical command metadata is kept in a separate generation trace receipt. The portable verifier treats it as audit history and verifies the trace receipt hash; it does not treat it as the source of artifact truth.
A missing or changed artifact or trace fails
proof_root, which changescycle_root. - Receipt binding: every receipt is meaningful only because it is generated by the step it describes and included in the parent root. The project must bind receipts to phase name, input hash, output hash, child receipt hashes, toolchain receipt hash where relevant, failed checks, and proof status.
- Replay scope: replay verifies the same event. It does not mutate state twice. The event id and replay root are part of the final closure relation.
- No hidden output: normal failure prints only
FAIL. Internal failure details may be retained in local receipts, but they must not leak through the command-line result. - Fuzz smoke: the generated project must include a small malformed-input smoke test: empty input, duplicate-field ambiguity, altered receipt, and bad circuit input must fail.
The point is not to describe risks. The point is to make the local path close only when these risks are handled.
AION uses phase receipts and three roots so the proof is not circular:
| Root | What it binds | How it is checked |
|---|---|---|
transcript_root |
the canonical bytes and emitted answer | computed by the host and by in-circuit SHA-256 |
proof_root |
toolchain, circuit source, compiled artifacts, keys, proof, public inputs, verifier result | computed from proof/artifact receipts |
cycle_root |
the final statement: transcript root + proof root + policy | recomputed from aion.statement.json |
The frozen transcript root can be recomputed with python3 scripts/compute_expected_root.py.
EXPECTED_TRANSCRIPT_ROOT is frozen. The generated cycle_root is not a magic
constant; it is the hash of the emitted statement for that run. PASS requires
all three roots to cohere.
The portable verifier also parses public.json and reconstructs the 256 public
digest bits. Those bits must equal EXPECTED_TRANSCRIPT_ROOT, not merely hash to
the same public.json file. For the negative verifier check, it regenerates a
fresh bad public input from public.json and does not trust a stored bad-public artifact.
- Bytes are the source authority.
- Fields are byte-count integer views for the fixed fixture.
- Arithmetic is integer-only.
- v1 does not claim Q15/saturating arithmetic.
- The comparison step sees only fields.
- Identity lives only in the ledger.
- The canonical fixture has a strict winner; ambiguous ranking fails.
- Ambiguous mapback fails instead of guessing.
- Every step emits a receipt.
- A parent receipt fails if any child failed.
- Replay verifies; it does not mutate twice.
- Final bytes must match directly, not only by hash.
- The expected transcript root is frozen in the project.
- The tamper run must fail.
- The Groth16 circuit must be real: no stub, no static boolean, no fake verifier.
- Groth16 proof generation is required.
- Groth16 verification is required.
PASSis allowed only after Groth16 verification passes.
aion.circom is a single fixed-reference circuit. It is fully unrolled and
machine-generated; audit it through CIRCUIT.md and
tests/test_circuit_structure.py, not by reading every line. It proves the
fixed canonical cycle as a Groth16 relation. The emitted bytes and transcript digest are public inputs;
the private witness is the route data needed to satisfy the circuit. The canonical byte/scoring/output/hash relation is proved
in-circuit; the host remains responsible for fail-closed orchestration,
toolchain and artifact receipts, replay/tamper policy, and statement generation.
The circuit proves, in-circuit:
- every query, corpus, and output byte is a real byte (8-bit range checks),
- the score of each corpus record against the query is the count of matching byte pairs (the byte-histogram inner product, computed inside the circuit),
- corpus record 0 is the strict winner over records 1 and 2,
- the emitted output bytes equal the winning record byte for byte,
- the SHA-256 of the domain-separated transcript
AION-CYCLE-V1| || query || corpus0 || corpus1 || corpus2 || emittedequals a public 256-bit digest commitment.
The SHA-256 is computed inside the circuit using the widely used circomlib
Sha256 template, with the exact installed package-lock and circuit-source hash
bound into the proof artifacts, so the proof itself attests the hash. The shape of the circuit:
// byte range check (per byte)
b[i] === sum(bits[i][k] * 2^k); bits[i][k] * (bits[i][k] - 1) === 0;
// pairwise equality score (per query/corpus pair), eq in {0,1}
eq <== 1 - (q - c) * inv; (q - c) * eq === 0; eq * (eq - 1) === 0;
// strict winner: score0 - score1 - 1 and score0 - score2 - 1 are 16-bit non-negative
ge01 === sum(ge01_bits[k] * 2^k);
// exact output
emitted[i] === corpus0[i];
// in-circuit SHA-256 of the transcript, bound to the public commitment
sha = Sha256(1480); sha.in[...] <== transcript_bits; sha.out[k] === expected_digest_bits[k];Public inputs are the emitted answer bytes and the 256-bit digest commitment. A valid proof means: a witness exists for which the route logic holds and the transcript hashes to exactly that public digest. The runner also performs a verifier-negative check by flipping one public digest bit; the real verifier must reject it.
There is no host-trusted hash step left in the proof. The host computes the same digest only to know the public commitment and to fail closed before proving.
The checked-in proof bundle and statement were verified with:
| Tool | Version / hash |
|---|---|
| Python | 3.12.3 |
| Node.js | v22.22.0 |
| Circom | 2.2.3 |
| snarkjs | 0.7.6 |
| circomlib | 2.0.5 |
| Powers of Tau | powersOfTau28_hez_final_18.ptau |
| ptau SHA-256 | e970efa7774da80101e0ac336d083ef3339855c98112539338d706b2b89ac694 |
Docker users can verify the checked-in proof bundle with. The Docker base image is pinned by digest in Dockerfile:
docker build -t aion-cycle .
docker run --rm aion-cycleExpected output:
PASS
The reference runner requires node, circom, and snarkjs, plus a Powers of
Tau file. A setup script installs the toolchain locally (no sudo) and fetches
and verifies the ptau:
make setup # or: bash scripts/setup.sh
make verify # or: python3 aion_cycle.py
python3 aion_cycle.py --verify-statement aion.statement.jsonOutput:
PASS
or:
FAIL
If node, circom, snarkjs, or the ptau are missing, the runner fails closed
with FAIL. There is no local-only pass.
A green light is not enough. Break it on purpose:
- change one byte in the query,
- change one byte in the selected record,
- change one score,
- change one receipt,
- change one circuit input.
Run it again. It should print FAIL. The point is not that the path can pass.
The point is that it refuses to lie.
It does not leave out Groth16. Groth16 is part of the path.
The local map keeps the rest small:
- local demo setup artifacts with hashes instead of a public ceremony,
- small verifier artifacts committed with hashes and heavy proof byproducts regenerated by
make reproduce, - a fixed-length canonical fixture instead of arbitrary-length inputs,
- one in-circuit scoring surface instead of advanced scoring surfaces,
- an in-memory ledger instead of production mapback storage,
- Python theorem execution instead of compiled projection.
None of that changes the path. Real Groth16 generation and verification are
still required for PASS.
- Ben-Sasson, E., Chiesa, A., Tromer, E., and Virza, M. (2014). "Succinct Non-Interactive Zero Knowledge for a von Neumann Architecture." USENIX Security 2014.
- Cover, T. M., and Thomas, J. A. (2006). Elements of Information Theory, 2nd ed. Wiley.
- Denning, D. E., and Denning, P. J. (1977). "Certification of Programs for Secure Information Flow." Communications of the ACM, 20(7): 504-513.
- Goguen, J. A., and Meseguer, J. (1982). "Security Policies and Security Models." IEEE Symposium on Security and Privacy, 11-20.
- Groth, J. (2016). "On the Size of Pairing-Based Non-Interactive Arguments." EUROCRYPT 2016, LNCS 9666, 305-326.
- Halmos, P. R. (1958). Finite-Dimensional Vector Spaces, 2nd ed. Van Nostrand.
- Horn, R. A., and Johnson, C. R. (1991). Topics in Matrix Analysis. Cambridge University Press.
- Knuth, D. E. (1997). The Art of Computer Programming, Vol. 2: Seminumerical Algorithms, 3rd ed. Addison-Wesley.
- Knuth, D. E. (1998). The Art of Computer Programming, Vol. 3: Sorting and Searching, 2nd ed. Addison-Wesley.
- Kolmogorov, A. N. (1965). "Three Approaches to the Quantitative Definition of Information." Problems of Information Transmission, 1(1): 1-7.
- Merkle, R. C. (1988). "A Digital Signature Based on a Conventional Encryption Function." CRYPTO '87, LNCS 293, 369-378.
- National Institute of Standards and Technology (2015). FIPS PUB 180-4: Secure Hash Standard.
- Oppenheim, A. V., and Schafer, R. W. (2009). Discrete-Time Signal Processing, 3rd ed. Pearson.
- Shannon, C. E. (1948). "A Mathematical Theory of Communication." Bell System Technical Journal, 27(3): 379-423.
- Strang, G. (2016). Introduction to Linear Algebra, 5th ed. Wellesley-Cambridge Press.
AION is not another manifest format. It is a fail-closed verifier policy around
bytes, fields, receipts, transformations, proof artifacts, and final output.
Other systems can say a manifest is well formed. AION asks whether the whole
route coheres. If any byte, receipt, replay, toolchain artifact, or proof no
longer agrees, the answer is FAIL.
Patent pending. Public application details are intentionally omitted until a publication record or approved citation is available.
This document is not a patent claim, not legal advice, and does not publish non-public legal materials. The code you build from the prompt is yours to run locally.
More information, demos, licensing, and contact: mushku.com
No account required to try the map. Copy the prompt and run it first.
Invariant: aion-trust-lineage-storage-v1
Version: 2026-06-27
Packet hash: 7dc4cfd6d5df39ba3dc3234456f62f64f8aeae71448f3cb56d604e919e3ab696
Document class: public projection
Positive clamp:
- AION verifies present state from source lineage.
- Code/source files may be durable source artifacts; durable data/context stores preserve material and lineage.
- Reports, emissions, receipts, generated artifacts, and caches are inspectable current snapshots unless explicitly promoted.
- Every major public claim says what it is and what it is not.
Negative clamp:
- Reports, receipts, emissions, generated artifacts, and caches are not authority unless explicitly promoted into durable data/source authority.
- Nothing is trusted because it exists, is stored, is emitted, is cached, is signed, is hashed, or says it passed.
- Public docs must not make internal scientific-metaphor claims or expose private implementation details.