Hugging Face's logo

SZLHOLDINGS
/
szl-govsign

Kernels
kernel
Model card Files
xet
 Community

szl-govsign — signed governance provenance

The signed-attestation lane the Kernel Hub leaders leave open. No major kernel publisher signs or attests its build artifacts or its governance verdict. szl-govsign produces an in-toto / DSSE signed governance attestation that binds an artifact digest (a szl-kernels UnifiedReceiptChain head, or a build manifest) to a custom governance predicate — Λ advisory verdict, MEASURED energy, honest-BLOCKED status, allow/block decision — signed with ECDSA P-256.

Part of the szl-kernels governed-kernel series. Where the suite gives you cross-kernel provenance, szl-govsign makes that provenance independently verifiable by a third party — sign it, ship it, verify it offline.

What it proves — and what it does NOT

  • ✅ The signature proves authorship + integrity of the attestation (DSSE PAE + ECDSA P-256, spec-exact).
  • ❌ It does NOT prove Λ uniqueness — that remains Conjecture 1 (OPEN). The predicate's proven_trust field is structurally locked False: there is no code path that sets it True.
  • ❌ It does NOT upgrade an advisory verdict to "proven trust."
  • Energy is MEASURED-only — the energy label is structurally constrained to MEASURED; modeled/estimated/fabricated values are rejected at construction.
  • honest-BLOCKED — a BLOCKED verdict is signed as BLOCKED; the builder refuses to sign a flipped verdict.

Quickstart 

import torch
from kernels import get_kernel

gs = get_kernel("SZLHOLDINGS/szl-govsign", revision="main", trust_remote_code=True)

print(gs.selfcheck())   # sign OK, verify OK, tamper-detected, honest-BLOCKED signed as BLOCKED

priv = gs.generate_ephemeral_keypair()        # production: Sigstore keyless / cosign key out-of-band
pred = gs.build_governance_predicate(
    lambda_verdict=gs.LambdaVerdict(score=0.92, notes="advisory only"),
    energy=gs.EnergyLabel(value=12.5, unit="joules"),       # MEASURED-only
    decision=gs.GovernanceDecision(status="ALLOWED", reason="passed gates"),
    honest_blocked=False,
)
subjects = [gs.Subject(name="szl_kernels/UnifiedReceiptChain", digest={"sha256": "..."})]
envelope = gs.attest(subjects, pred, priv)    # DSSE envelope (in-toto Statement)
assert gs.verify(envelope, priv.public_key()) # third-party-verifiable; tamper => False

API

Symbol What it does
build_governance_predicate(...) Assemble the https://szl.holdings/governance/v1 predicate (doctrine-enforced).
LambdaVerdict / EnergyLabel / GovernanceDecision Typed predicate parts; proven_trust locked False, energy MEASURED-only, decision ∈ {ALLOWED, BLOCKED}.
Subject, build_statement(...) in-toto v1 Statement (subjects + predicate).
attest(subjects, predicate, private_key) Build + sign → DSSE envelope (ECDSA P-256, PAE per DSSE spec).
verify(envelope, public_key) Verify; fails closed (tamper/malformed → False).
generate_ephemeral_keypair(), public_key_pem(...) Demo keypair; no key material written to disk.
selfcheck() Signs, verifies, tampers, confirms verify FAILS, + honest-BLOCKED demo.

Production signing

The demo uses an ephemeral in-process keypair. In production, signing is keyless via Sigstore (Fulcio short-lived cert + Rekor transparency log) or a real cosign key managed out-of-band — see the project spec. The envelope shape is unchanged.

Honesty & prior art

  • Imports: Python stdlib + cryptography only. Python 3.9+.
  • Prior art attributed: the in-toto attestation framework, DSSE, and Sigstore model-transparency. The https://szl.holdings/governance/v1 predicate is SZL's own.
  • Λ advisory (Conjecture 1, OPEN). Energy MEASURED-only. honest-BLOCKED beats fake green.

The governed-kernel series

Kernel Lane Live hologram
szl-kernels unified suite — cross-kernel UnifiedReceiptChain szl-kernels-live
szl-governed-norm RMSNorm/LayerNorm + receipts governed-norm-holo
szl-lambda-gate advisory Λ gate (Conjecture 1, OPEN) lambda-gate-holo
governed-inference-meter MEASURED-joule energy accounting energy-attest-holo
szl-govsign signed governance attestation (DSSE / in-toto) szl-govsign-live
szl-blocked honest-BLOCKED first-class state + EU AI Act Annex IV szl-blocked-live

See it live

  • 🔮 szl-govsign-live — sign a governance verdict, verify it, tamper it, watch a BLOCKED verdict get signed honestly as BLOCKED.
  • 🔮 szl-kernels-live — the cross-kernel provenance graph this layer signs.
  • 🔮 szl-substrate — the governed-compute substrate hub.

License

Apache-2.0. Copyright 2026 SZL Holdings.

SZL Holdings · signed governance provenance · in-toto/DSSE · Λ advisory (Conjecture 1) · energy MEASURED-only · a11oy.net · github.com/szl-holdings · huggingface.co/SZLHOLDINGS

Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support

Spaces using SZLHOLDINGS/szl-govsign 3