Hugging Face's logo

SZLHOLDINGS
/
szl-provctl

Kernels
kernel
Model card Files
xet
 Community

szl-provctl — provenance-DAG control + supply-chain interop

The lane the supply-chain leaders leave open. Sigstore, SLSA and in-toto define the formats; CodeCarbon measures joules; NeMo Guardrails / Llama Guard block. But as of 2026, no tool (a) emits a governed run as a spec-exact in-toto v1 Statement + SLSA provenance, (b) walks an ML provenance DAG and verifies every edge, or (c) measures energy per kernel call bound to a signable provenance chain. szl-provctl does all three — turning a szl-kernels UnifiedReceiptChain into the exact shapes the rest of the ecosystem already verifies.

Part of the szl-kernels governed-kernel series. Where szl-govsign signs a verdict and szl-blocked records a refusal, szl-provctl makes a governed run interoperable — a standard attestation the whole supply-chain world can read, and a DAG anyone can re-verify.

Three frontiers it owns

  1. Interop bridge → the standard world. statement_from_chain(...) emits a spec-exact in-toto v1 Statement (https://in-toto.io/Statement/v1) whose subject digest is the chain head and whose predicateType is the governance predicate — the exact payload a DSSE envelope / Sigstore Bundle wraps (cosign v2.6 --statement). slsa_statement(...) emits a SLSA v1.0 provenance predicate (https://slsa.dev/provenance/v1) so a governed run is a first-class build-provenance event.
  2. Provenance-DAG traversal — the open frontier. SLSA/in-toto define resolvedDependencies but ship no tool that recursively verifies an ML provenance DAG. ProvenanceDAG.verify_dag() topologically resolves the graph, verifies each chain's internal hash-chain and each edge's asserted dependency head, and returns the first break. honest-BLOCKED nodes are surfaced, never dropped.
  3. Per-kernel MEASURED energy. measure_kernel_energy(...) reads the real NVML cumulative-energy counter delta around a single kernel call and writes a receipt naming the exact kernel/op measured — energy bound to kernel identity. No GPU/NVML → joules=None, UNAVAILABLE_NO_NVML. Never fabricated.

What it proves — and what it does NOT

  • ✅ The in-toto/SLSA output is field-name spec-exact (verified against the in-toto v1 Statement spec and slsa.dev/spec/v1.0/provenance) — a real signer/verifier can consume it.
  • ❌ It does NOT prove Λ uniqueness — proven_trust is structurally locked False (no code path sets it True). Λ = Conjecture 1 (OPEN), advisory only.
  • ❌ It does NOT fabricate energy — a non-MEASURED joule value is rejected at build time.
  • The hash-chain digest is an integrity fingerprint, not a signature; signing is szl-govsign's job (DSSE / Sigstore, out of band).

Quickstart 

from kernels import get_kernel

pc = get_kernel("SZLHOLDINGS/szl-provctl", revision="main", trust_remote_code=True)

print(pc.selfcheck()["ok"])   # True — 23 checks: interop shapes, DAG verify/tamper, MEASURED energy

# A governed run
chain = pc.UnifiedReceiptChain()
chain.emit("governed_norm", "rms_norm", {"in_shape": [4, 64], "eps": 1e-6})

# 1) Interop — the exact payload the ecosystem verifies
stmt = pc.statement_from_chain(chain, lambda_score=0.9, decision="ALLOWED")
assert stmt["_type"] == "https://in-toto.io/Statement/v1"
assert stmt["subject"][0]["digest"]["sha3_256"] == chain.head()   # bound to the chain head

slsa = pc.slsa_statement(
    chain=chain,
    resolved_dependencies=[
        pc.resource_descriptor("SZLHOLDINGS/szl-governed-norm", pc.tensor_digest("gn-build")),
    ],
    invocation_id="run-1", started_on="2026-06-24T00:00:00Z", finished_on="2026-06-24T00:00:01Z",
)
assert slsa["predicateType"] == "https://slsa.dev/provenance/v1"

# 2) Provenance DAG — verify a multi-run ML graph, edge by edge
dag = pc.ProvenanceDAG()
dag.add_run("pretrain", chain)
ft = pc.UnifiedReceiptChain(); ft.emit("governed_norm", "rms_norm", {"phase": "finetune"})
dag.add_run("finetune", ft, deps=["pretrain"])
res = pc.verify_dag(dag)
print(res["ok"], res["order"], res["blocked_nodes"])   # True ['pretrain','finetune'] []

# 3) Per-kernel MEASURED energy (real NVML delta; None on CPU — never fabricated)
r = pc.measure_kernel_energy(chain, lambda x: x * 2, kernel="governed_norm", op="rms_norm", args=(21,))
print(r["receipt"]["attrs"]["label"], r["receipt"]["attrs"]["joules"])

API

Symbol What it does
statement_from_chain(chain, ...) chain → governance predicate → in-toto v1 Statement (subject digest = chain head).
slsa_statement(chain=, resolved_dependencies=, ...) governed run → SLSA v1.0 provenance Statement (buildType, resolvedDependencies, runDetails).
build_governance_predicate(...) the https://szl.holdings/governance/v1 predicate; proven_trust locked False; energy MEASURED-only enforced.
resource_descriptor(name, digest_hex, ...) an in-toto v1 / SLSA ResourceDescriptor (digest required).
ProvenanceDAG, ProvenanceNode, verify_dag(dag) build + recursively verify an ML provenance DAG; surfaces BLOCKED nodes; returns first break (chain_integrity / edge_mismatch / missing_dependency / cycle).
measure_kernel_energy(chain, fn, kernel=, op=, ...) run fn once, MEASURE NVML energy delta around it, emit a kernel-named energy receipt.
UnifiedReceiptChain, tensor_digest, GENESIS the suite chain (byte-identical digests when szl_kernels is installed).
selfcheck() 23-check CPU-only health probe (interop shapes, DAG verify+tamper, MEASURED-only enforcement).

The governed-kernel series

Kernel Lane Live hologram
szl-kernels unified suite — cross-kernel UnifiedReceiptChain szl-kernels-live
szl-governed-norm RMSNorm/LayerNorm + receipts governed-norm-holo
szl-lambda-gate advisory Λ gate (Conjecture 1, OPEN) lambda-gate-holo
governed-inference-meter MEASURED-joule energy accounting energy-attest-holo
szl-govsign signed governance attestation (DSSE / in-toto) szl-govsign-live
szl-blocked honest-BLOCKED first-class state + EU AI Act Annex IV szl-blocked-live
szl-provctl provenance-DAG verify + in-toto/SLSA interop + per-kernel MEASURED energy szl-provctl-live

Honesty & prior art

  • Imports: Python stdlib only (NVML via optional pynvml; absent → honest UNAVAILABLE_NO_NVML). Python 3.9+.
  • Prior art attributed: in-toto attestation framework, SLSA, DSSE, OpenSSF model-signing, CodeCarbon. The https://szl.holdings/governance/v1 predicate and governed-run/v1 buildType are SZL's own.
  • Λ advisory (Conjecture 1, OPEN). Energy MEASURED-only. honest-BLOCKED surfaced, never dropped.

License & provenance

Apache-2.0 · © 2026 SZL Holdings · Stephen P. Lutar · ORCID 0009-0001-0110-4173

Downloads last month
-
Inference Providers NEW
This model isn't deployed by any Inference Provider. 🙋 Ask for provider support

Space using SZLHOLDINGS/szl-provctl 1