Glossary

Every Verdifax-specific term used in these docs, in alphabetical order. External terms (SHA-256, TPM, etc.) are linked out where introduced.

AllowToken

Sealed artifact issued by PEPG when pre-execution policy admits a request. Carries the firing rule, the standardized decision_reason_code, the active policy_hash, the evaluation_hash binding envelope + policy + rule + outcome, and the evaluator_version. Per the §0 detached-attestation corollary, signatures are excluded from the seal, so re-signing never invalidates an AllowToken.

AER, Attestation Execution Record

The single tamper-evident record produced at Stage 4 of the pipeline. AER consolidates the six DKEC kernel outputs (DSE, TOK, DSC, NREP, AIVP, DCAE) into one signed object. Its hash, aer_hash, is the input to the cryptographic sealing pipeline (Stage 5).

AIVP, Artificial Intelligence Verification Protocol

DKEC kernel that governs AI behavior under policy. Performs contradiction detection, policy enforcement, and reasoning validation; emits the Proof Integrity Artifact (PIA hash). Answers: "Did the AI behave correctly under governance rules?"

Attestation

In Verdifax usage, the act of sending a payload through the nine-stage pipeline and receiving back a sealed manifest hash. "Attesting" a model output means making that output verifiable.

CCV, Continuous Constraint Verification

The runtime budget monitor that runs continuously during pipeline execution after PEPG admits the request. Tracks per-run consumption against a configured budget (token_budget, time_budget, or cost_budget) and emits a sealed CCVHaltReceipt when a limit is breached. The halt is mid-flight: the partial execution up to the halt point is itself sealed via partial_execution_hash.

CCVHaltReceipt

Sealed artifact issued by CCV when a per-run runtime budget is breached. Carries the original allow_token_hash (so the causal chain is preserved), the budget_hash of the active configuration, the breached budget_limit, the measured consumed_at_halt, the partial_execution_hash of work completed before the halt, and the constraint_type identifier (e.g., token_budget, humanized as "token" in audit PDFs).

DCAE, Deterministic Compute Attestation Engine

DKEC kernel that proves the run executed on trusted hardware. Cooperates with the Hardware Root Engine (HRE) to bind execution to a specific physical machine. Answers: "Was this executed on trusted hardware?"

DKEC, Deterministic Kernel Execution Controller

Stage 3 of the pipeline. Dispatches the six kernels in lockstep and emits the EPA / EFA hashes plus six execution IDs.

DLA, Deterministic Ledger Anchoring

Stage 9. Produces the final .VFA artifact and runs the independent third-party verifier. The output is final_vfa_hash plus an independent_verified boolean that must be true for the manifest to seal.

DOG, Deterministic Oracle Gateway

Stage 1 of the pipeline. The pipeline's front door: it admits the payload, derives the envelope, and computes envelope_id and envelope_hash.

DSC, Deterministic State Continuity

DKEC kernel that validates state transitions. Answers: "Was this state transition valid?"

DSE, Deterministic State Engine

DKEC kernel that captures the exact system state at execution time. Answers: "What is the exact system state?"

DTL, Deterministic Transport Layer

Stage 2. Sequences and binds envelopes into a totally-ordered log; emits sequence_id and transport_hash.

DenyReceipt

Sealed artifact issued by PEPG when pre-execution policy rejects a request. Carries the firing rule (or the literal default when the policy's default effect was deny), the standardized decision_reason_code (e.g. RULE_DENIED, CLASSIFICATION_EXCEEDED, MFA_REQUIRED_NOT_SATISFIED, MCD_SIGNATURE_MATCH), the policy_hash, and the evaluation_hash. When the deny was driven by an MCD signature match, the receipt carries a populated mcd_finding_hash binding the matching threat signature, and the decision_reason_code will be MCD_SIGNATURE_MATCH. MCD-driven denies are NOT a separate outcome state; they are pepg_deny with mcd_finding_hash populated.

EFA, Execution Flow Artifact

A DKEC output. The hash sealing the per-kernel execution chain (DSE, TOK, DSC, NREP, AIVP, DCAE in canonical order). Distinct from epa_hash, which captures the higher-level execution proof.

Envelope

The canonical wrapper for a payload that's been admitted into the pipeline. An envelope is identified by envelope_id (string) and sealed by envelope_hash (64-char hex).

EPA, Execution Proof Artifact

A DKEC output. The hash produced by Stage 3 summarizing successful kernel execution; it captures the work the six kernels actually performed and is bound into the manifest.

Formal Verifier Status

A field in the sealed manifest carrying the formal-verifier success token. Anything other than the success token aborts the manifest. Today this field is scaffold-flagged: see scaffold-gaps.

Hardware Attestation Hash

The output of Stage 5 (ZKSP, hardware attestation). A SHA-256 of either a TPM2 quote or an AMD SEV-SNP report, anchoring the run to a specific physical machine.

Leakage Bundle Hash

Stage 5 (ZKSP, leakage bound) output. An upper bound on information that escaped the secure enclave during the run, sealed and included in the manifest.

Manifest Hash

The headline artifact of every Verdifax run. A 64-character lowercase SHA-256 hex digest computed from every other field in the ExecutionManifest. The single value an external verifier checks.

MACC, Multi-Agent Coordination Constraint

A stateful cumulative budget enforcer that runs after CCV passes. MACC tracks consumption across all runs sharing a tenant_id against a per-window cumulative budget (e.g. cumulative_token_budget per day). When the cumulative limit is breached, MACC emits a sealed MACCHaltReceipt and refuses further runs for the bound tenant until the window rolls over.

MACCHaltReceipt

Sealed artifact issued by MACC. Carries the bound tenant_id, the active window_start, the cumulative budget_limit, the measured cumulative_at_halt, the contributing run's per_run_consumption, the budget_hash, the constraint_type identifier (e.g., cumulative_token_budget, humanized as "token" in audit PDFs), and the original allow_token_hash of the run that tipped the cumulative consumption past the limit.
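The CCV and MACC entries above describe two budget enforcers that differ in scope: CCV halts a single run mid-flight when a per-run limit is exceeded, while MACC keeps cumulative state per tenant_id across a window and refuses further runs once the window budget is spent. The following is an added example, not Verdifax's own code: it models both enforcers with the receipt fields named in the glossary (allow_token_hash, budget_hash, budget_limit, consumed_at_halt, partial_execution_hash, constraint_type, tenant_id, window_start, cumulative_at_halt, per_run_consumption). The seal function (SHA-256 over canonical JSON), the `resource_of` humanization rule, the strict "greater than limit" halt condition, and the choice to return the original halt receipt on refused in-window runs are all assumptions; the sample budgets and consumption figures are constructed.

```python
import hashlib
import json
from typing import Optional

def seal(obj: dict) -> str:
    """Hypothetical seal: SHA-256 over canonical JSON (sorted keys, no whitespace).
    Verdifax's actual serialization rules are not stated in the glossary."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def resource_of(constraint_type: str) -> str:
    """'token_budget' and 'cumulative_token_budget' both map to the humanized 'token'."""
    name = constraint_type
    if name.startswith("cumulative_"):
        name = name[len("cumulative_"):]
    if name.endswith("_budget"):
        name = name[:-len("_budget")]
    return name

def ccv_check(allow_token_hash: str, budget: dict, consumed: dict,
              partial_execution: dict) -> Optional[dict]:
    """Per-run CCV check: None while within budget, otherwise a sealed CCVHaltReceipt
    that keeps the causal chain (allow_token_hash) and seals the partial work."""
    for constraint_type, limit in budget.items():
        used = consumed.get(resource_of(constraint_type), 0)
        if used > limit:
            receipt = {
                "allow_token_hash": allow_token_hash,
                "budget_hash": seal(budget),
                "budget_limit": limit,
                "consumed_at_halt": used,
                "partial_execution_hash": seal(partial_execution),
                "constraint_type": constraint_type,
            }
            receipt["receipt_hash"] = seal(receipt)  # seal over the fields above only
            return receipt
    return None

class MACC:
    """Stateful cumulative per-tenant budget over a fixed window; runs after CCV passes."""

    def __init__(self, budget: dict, window_seconds: int):
        self.budget = budget
        self.window_seconds = window_seconds
        self._tenants: dict = {}

    def admit(self, tenant_id: str, allow_token_hash: str,
              per_run_consumption: dict, now: int):
        """Returns (admitted, receipt). Once a tenant is halted, every further run in the
        same window is refused (here: with the same receipt) until the window rolls over."""
        st = self._tenants.get(tenant_id)
        if st is None or now - st["window_start"] >= self.window_seconds:
            st = {"window_start": now, "cumulative": {}, "halt_receipt": None}
            self._tenants[tenant_id] = st
        if st["halt_receipt"] is not None:
            return False, st["halt_receipt"]
        for resource, amount in per_run_consumption.items():
            st["cumulative"][resource] = st["cumulative"].get(resource, 0) + amount
        for constraint_type, limit in self.budget.items():
            total = st["cumulative"].get(resource_of(constraint_type), 0)
            if total > limit:
                receipt = {
                    "tenant_id": tenant_id,
                    "window_start": st["window_start"],
                    "budget_limit": limit,
                    "cumulative_at_halt": total,
                    "per_run_consumption": per_run_consumption,
                    "budget_hash": seal(self.budget),
                    "constraint_type": constraint_type,
                    "allow_token_hash": allow_token_hash,  # the run that tipped the total
                }
                receipt["receipt_hash"] = seal(receipt)
                st["halt_receipt"] = receipt
                return False, receipt
        return True, None

def demo():
    """Constructed sample: 500 tokens per run, 1000 tokens per tenant per day."""
    ccv_budget = {"token_budget": 500}
    ok_run = ccv_check("a" * 64, ccv_budget, {"token": 420}, {"steps": 3})
    halted = ccv_check("b" * 64, ccv_budget, {"token": 620}, {"steps": 2})
    macc = MACC({"cumulative_token_budget": 1000}, window_seconds=86_400)
    r1 = macc.admit("tenant-1", "c" * 64, {"token": 420}, now=0)
    r2 = macc.admit("tenant-1", "d" * 64, {"token": 420}, now=3600)
    r3 = macc.admit("tenant-1", "e" * 64, {"token": 420}, now=7200)   # tips past 1000
    r4 = macc.admit("tenant-1", "f" * 64, {"token": 1}, now=7300)     # refused in-window
    r5 = macc.admit("tenant-1", "g" * 64, {"token": 1}, now=90_000)   # window rolled over
    return ok_run, halted, [r1, r2, r3, r4, r5]
```

The receipt hash is computed before it is added to the receipt, so a verifier can recompute it from the remaining fields; the partial_execution_hash is what lets an auditor confirm exactly how far the halted run got.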

outcome_kind

A string field on every run summary (GET /runs and GET /runs/search) indicating which sealed artifact endpoint to fetch. One of: ok, pepg_deny, ccv_halt, macc_halt, stage_error. The dashboard and audit PDF use this field to auto-select the correct endpoint and rendering.

MCD, Malicious-Content Detector

A curated library of threat signatures (MCD_SIGNATURE_LIBRARY_V0.yaml and successors) plus a static analyzer that PEPG consults during evaluation. When a request matches a signature, MCD emits an MCDFinding which is bound into the resulting DenyReceipt via mcd_finding_hash. Provenance verification ensures the active library is signed by a trusted maintainer.

NREP, Non-Repudiation Engine Protocol

DKEC kernel that binds execution to the actor that initiated it via an Ed25519 signature over the AER record. Answers: "Who performed this action?" The public key is registered against the API key at first use; signatures are verifiable offline.

PEPG, Pre-Execution Policy Gate

The gate that runs before the nine-stage pipeline. PEPG evaluates a Policy Specification Language (PSL) policy against the incoming request and either issues a sealed AllowToken (admit) or a sealed DenyReceipt (reject). PEPG also consults the MCD library to detect known malicious-content patterns. PEPG can be turned off entirely; when off, every request goes straight into the original nine-stage attestation pipeline.

PIA, Proof Integrity Artifact

The hash produced by the AIVP kernel binding the AI behavior verification result. Included in the AER record as part of the kernel-level seal for any run involving an AI component.

PoTE, Proof of Temporal Execution

Stage 7 output. A Merkle inclusion proof in a transparency log, binding the run to an immutable public record.

PSL, Policy Specification Language

The structured rule language PEPG evaluates. Defined in PEPG_PSL_SPEC v0.2. A PSL policy is a list of rules with predicates over the envelope plus a default effect (allow or deny). Policies can be Ed25519-signed with threshold rules (any / all / n_of_m / required) and bound to a TrustAnchorSet for revocation.
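The AllowToken, DenyReceipt, PEPG and PSL entries together describe one mechanism: a list of rules with predicates over the envelope plus a default effect, evaluated before execution, producing a sealed artifact whose evaluation_hash binds envelope + policy + rule + outcome, and whose seal excludes signatures. The following is an added example, not Verdifax's code and not the real PSL: it assumes a minimal rule shape (field/op/value conditions, first firing rule wins), a SHA-256-over-canonical-JSON seal, an HMAC stand-in for the Ed25519 signature so it runs with the standard library alone, an MCD check consulted before the rules (the page does not fix the order), and placeholder allow-side and default reason codes, since the glossary lists only deny-side codes. The policy, envelopes and the MCD "library" entry are constructed; the MCD marker is a harmless placeholder string, not a threat pattern.

```python
import hashlib
import hmac
import json
from typing import Optional

def seal(obj: dict) -> str:
    """Hypothetical seal: SHA-256 over canonical JSON. Not Verdifax's real serialization."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def artifact_seal(artifact: dict) -> str:
    """The §0 corollary: signatures are excluded from the seal, so re-signing cannot change it."""
    return seal({k: v for k, v in artifact.items() if k != "signature"})

def sign(artifact: dict, key: bytes) -> dict:
    """Stand-in for the Ed25519 signature (HMAC-SHA256 so the example needs no extra library)."""
    sig = hmac.new(key, artifact_seal(artifact).encode(), hashlib.sha256).hexdigest()
    return {**artifact, "signature": sig}

def resign_keeps_seal(artifact: dict) -> bool:
    """Two different signers produce different signatures but the same seal."""
    one, two = sign(artifact, b"key-one"), sign(artifact, b"key-two")
    return one["signature"] != two["signature"] and artifact_seal(one) == artifact_seal(two)

OPS = {"eq": lambda a, b: a == b, "in": lambda a, b: a in b,
       "lte": lambda a, b: a <= b, "gte": lambda a, b: a >= b}

def predicate_holds(conditions: list, envelope: dict) -> bool:
    """Assumed PSL shape: a rule fires when every condition on an envelope field holds."""
    for cond in conditions:
        value = envelope.get(cond["field"])
        if value is None or not OPS[cond["op"]](value, cond["value"]):
            return False
    return True

# Constructed stand-in for the MCD signature library: a placeholder marker, not a threat pattern.
MCD_LIBRARY = [{"id": "EXAMPLE-0001", "marker": "EXAMPLE-THREAT-MARKER"}]

def mcd_scan(envelope: dict) -> Optional[dict]:
    for sig in MCD_LIBRARY:
        if sig["marker"] in str(envelope.get("payload", "")):
            return {"signature_id": sig["id"], "envelope_hash": seal(envelope)}
    return None

def pepg_evaluate(envelope: dict, policy: dict, evaluator_version: str = "example-0.1") -> dict:
    """Returns an unsigned, sealed AllowToken or DenyReceipt. An MCD match is a plain
    pepg_deny with mcd_finding_hash populated, not a separate outcome."""
    policy_hash = seal(policy)
    rule, effect, reason = "default", policy["default"], None
    finding = mcd_scan(envelope)  # assumption: MCD consulted before the rules
    if finding is not None:
        rule, effect, reason = "mcd", "deny", "MCD_SIGNATURE_MATCH"
    else:
        for r in policy["rules"]:
            if predicate_holds(r["when"], envelope):
                rule, effect, reason = r["name"], r["effect"], r.get("reason_code")
                break
    if reason is None:  # placeholder codes; the glossary lists only deny-side codes
        reason = "RULE_DENIED" if effect == "deny" else "RULE_ALLOWED"
    evaluation_hash = seal({"envelope": envelope, "policy_hash": policy_hash,
                            "rule": rule, "outcome": effect})
    artifact = {"kind": "AllowToken" if effect == "allow" else "DenyReceipt",
                "rule": rule, "decision_reason_code": reason, "policy_hash": policy_hash,
                "evaluation_hash": evaluation_hash, "evaluator_version": evaluator_version}
    if artifact["kind"] == "DenyReceipt":
        artifact["mcd_finding_hash"] = seal(finding) if finding else None
    return artifact

# Constructed default-deny policy and sample envelopes.
POLICY = {"default": "deny", "rules": [
    {"name": "block-secret", "effect": "deny", "reason_code": "CLASSIFICATION_EXCEEDED",
     "when": [{"field": "classification", "op": "in", "value": ["secret", "top_secret"]}]},
    {"name": "mfa-for-prod", "effect": "deny", "reason_code": "MFA_REQUIRED_NOT_SATISFIED",
     "when": [{"field": "route_id", "op": "eq", "value": "prod"},
              {"field": "mfa", "op": "eq", "value": False}]},
    {"name": "internal-ok", "effect": "allow",
     "when": [{"field": "classification", "op": "in", "value": ["public", "internal"]}]},
]}
ENVELOPES = {
    "ok":      {"classification": "internal", "route_id": "prod", "mfa": True, "payload": "hi"},
    "secret":  {"classification": "secret", "route_id": "dev", "mfa": True, "payload": "hi"},
    "no_mfa":  {"classification": "internal", "route_id": "prod", "mfa": False, "payload": "hi"},
    "mcd":     {"classification": "public", "route_id": "dev", "mfa": True,
                "payload": "contains EXAMPLE-THREAT-MARKER"},
    "default": {"classification": "confidential", "route_id": "dev", "mfa": True, "payload": "hi"},
}

def demo() -> dict:
    return {name: pepg_evaluate(env, POLICY) for name, env in ENVELOPES.items()}
```

Because the evaluation_hash covers the envelope, the policy hash, the firing rule and the outcome, a verifier holding the artifact can detect any later substitution of policy or request; because the seal skips the signature field, the same artifact can be counter-signed or re-keyed without invalidating it, which is the property the §0 corollary states.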

Program ID

A 64-character lowercase hex identifier registered with the program registry. Specifies which program is being executed; runs of different programs always produce different manifest hashes.

Registry Record Hash

The §0 hash of the registry record authorizing this program. Required as input to every attest() call. If the registry record changes (e.g., the program is updated), the hash changes, which is intentional.

Replay Fingerprint

Stage 6 output. A deterministic identifier any honest re-execution must reproduce.

Route ID

A free-form deterministic route identifier. Runs of the same program on different routes produce different manifest hashes.

VFA, Verdifax Final Artifact

The signed .vfa file produced at Stage 9 containing the full execution record, the manifest hash, and the independent verifier signature.

ZKSP, Zero-Knowledge State Prover

Stage 5. The cryptographic core: ZK transcript, hardware attestation, leakage bound, formal verifier. Together, they bind the run to a verifiable cryptographic proof.

ZK Proof

In Verdifax, the ZKSP step's output: a zero-knowledge proof that the run satisfies the formal-verifier predicate without revealing the witness (the inputs, the model, or the runtime state).

ENFORCEMENT NOT OBSERVATION

An architectural claim: Verdifax enforces execution, it does not observe it. If a request violates policy or constraints, it is halted before execution, and a sealed denial artifact is produced instead. Non-execution is as verifiable as execution.

Pipeline Execution State

A section of the audit PDF that appears for non-OK runs, replacing the "Sealed Manifest Fields" table. Describes which pipeline phases ran before the halt and which artifacts do not exist for this run.

at-execution tenant state

For OK runs, a sealed record of the tenant's cumulative consumption as measured at execution time, bound into the manifest. Added in a recent orchestrator release; runs created before that release do not include this field, and cumulative values for those runs must be reconstructed from coordinator records.

Pipeline Duration

A field in the audit PDF's Run Metadata table, showing wall-clock runtime in milliseconds with sub-millisecond precision via the duration_micros field. Sample values: "0.413 ms (sub-millisecond, gate evaluation only; Verdifax does not invoke AI models)" or "< 1 ms (sub-millisecond, gate evaluation only)" for legacy runs.