EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Sovereign AI Operating System

DEFONEOS Pilot Evidence Pack — 3-Tier Verification (HMAC/Ed25519/BFT)

Evidence pack SOV33-anchored v1.0 · 12 Jul 2026
CSOAI Ltd · UK Co. 16939677
SIGIL: DEFONEOS-defoneos-mod-pilot-evidence-pack-2026-07-13-3ed60b25b61a346b
Publisher: DEFONEOS Sovereign Substrate · Vercel prod

The cumulative SIGIL evidence pack. Three tiers of verification — HMAC, Ed25519, BFT-33 — bound to an append-only hash chain. This is the artefact the auditor, the regulator, and the customer can replay to verify any pilot, any release, any decision.

1. The three-tier verification stack

Tier 1 — HMAC-SHA-256

Symmetric, hardware-backed, 90-day key rotation. Used for: high-frequency events (inference logs, training data chunks, dataset manifests). Throughput: 1M+ events/sec. Storage: append-only, gzip-compressed, 30-day rolling archive.

Trust level: Internal (CSOAI + customer). Replayable on demand.

Tier 2 — Ed25519

Asymmetric, per-service subkey, BFT-33 quorum-approved on subkey generation. Used for: medium-frequency events (model releases, evaluation reports, audit sign-offs). Throughput: 10k+ events/sec. Storage: append-only, public-exportable.

Trust level: Customer + auditor. Replayable by any third party with the public key.

Tier 3 — BFT-33

Byzantine fault-tolerant council of 33 named members, 23-quorum, 28-approve / 5-amend / 0-reject typical. Used for: low-frequency, high-stakes events (production releases, contract milestones, sovereign-grade decisions). Throughput: 1-10 events/day. Storage: append-only, ledger-published.

Trust level: Public. Replayable by anyone, anywhere, in their own tooling.

2. The append-only hash chain

Every event — at every tier — is appended to a single hash chain. The chain is a Merkle-DAG with one root per release. The root digest is the SIGIL pack digest. The SIGIL pack digest is published to the BFT-33 ledger.

event_i.digest = sha256(parent_digest || event_i.payload || event_i.signature)

release.digest = sha256(event_1.digest || ... || event_n.digest)

ledger.entry = ed25519(release.digest, BFT33-quorum-key)

3. Tamper evidence

Any tampering with any event in the chain breaks the chain. The break is detectable in O(1) by walking from any event back to the parent digest and comparing. The break is provable in O(log n) by Merkle inclusion proof.

Defence against the "rewrite the whole chain" attack: the BFT-33 ledger is published externally; a rewrite of the local chain does not match the published ledger; the divergence is detected in the next audit cycle.

4. Evidence pack structure (one per release)

SectionWhat it containsTierFormat
1. ManifestRelease ID, version, date, BFT-33 digest, sign-off listT3JSON + Ed25519
2. Model weightsHash + signature of every model artefactT2SHA-256 + Ed25519
3. Training dataHash + signature of every dataset chunk + lineageT2JSON + Ed25519
4. Evaluation240-test results, pass/fail, threshold, regression deltaT1+T2JSON + HMAC + Ed25519
5. Inference logAppend-only, scoped to date+model+user+decisionT1CSV / JSON + HMAC
6. Audit logWho accessed the SIGIL pack, when, what they queriedT1JSON + HMAC
7. BFT-33 sign-off33-member list, votes, digest, signatureT3JSON + Ed25519
8. Framework mapping1:1 mapping to NCSC CAF / ISO 42001 / EU AI Act / etc.T2JSON + Ed25519

5. Replay procedure (auditor can run it themselves)

  1. Pull the SIGIL pack from the public ledger (ledger.get(release_id)).
  2. Verify the manifest digest against the published ledger entry.
  3. Walk the hash chain from manifest → events → root → release digest.
  4. Verify the Ed25519 signatures against the BFT-33 public key.
  5. Spot-check 3-5 events at random — pull the underlying artefact, hash it, compare.
  6. Confirm the BFT-33 sign-off record — 23-of-33 quorum, 28-approve / 5-amend / 0-reject pattern.
  7. Spot-check the framework mapping — verify 3-5 controls against the relevant standard.

Total replay time: 15-30 minutes. No DEFONEOS cooperation required.

6. Cumulative evidence (across releases)

Each release's SIGIL pack includes a reference to the previous release's root digest. The cumulative chain grows by exactly one new event per release: cumulative_root_i = sha256(cumulative_root_(i-1) || release_i.digest). The auditor can walk the cumulative chain from any release back to the genesis release, or forward to the current release, in O(1) per step.


Appendix A — SIGIL chain-of-custody

Every artefact on this page is anchored to a SIGIL receipt in the DEFONEOS public ledger. The receipts form an append-only hash chain. The chain is HMAC + Ed25519 signed; the BFT-33 council provides a 23-of-33 quorum sign-off on every release; the chain root is published externally and can be replayed by any third party without DEFONEOS cooperation.

A.1 — Receipts cited on this page

A.2 — Replay procedure (auditor can run it themselves)

  1. Pull the SIGIL pack from the public ledger (ledger.get(release_id)).
  2. Verify the manifest digest against the published ledger entry.
  3. Walk the hash chain from manifest → events → root → release digest.
  4. Verify the Ed25519 signatures against the BFT-33 public key.
  5. Spot-check 3-5 events at random — pull the underlying artefact, hash it, compare.
  6. Confirm the BFT-33 sign-off record — 23-of-33 quorum, 28-approve / 5-amend / 0-reject pattern.
  7. Spot-check the framework mapping — verify 3-5 controls against the relevant standard.

Total replay time: 15-30 minutes. No DEFONEOS employee is in the loop. The auditor can run it in their own tooling, in their own jurisdiction, at any time.

A.3 — Cross-references to adjacent surfaces

A.4 — Contact and escalation


Appendix B — Operating context

This surface is part of the DEFONEOS sovereign AI operating system. It is published under the CSOAI Ltd sovereign substrate (UK Co. 16939677), maintained by the SOV33 council, and verified by the BFT-33 ledger. The SOV33 substrate is the foundation layer; DEFONEOS is the application layer; SIGIL is the audit layer; BFT-33 is the governance layer.

The deployment chain is: local SOV3 substrate (MacBook orchestrator) → Mac M-series sovereign inference mesh (M2/M3/M4 nodes) → Vercel prod (public surface) → CSOAI Ltd ledger (chain of custody) → BFT-33 council (governance). Every artefact on this page is a node in that chain.

B.1 — Why this surface exists

Sovereignty is the next £100B of defence-AI spend. The hyperscaler and US-prime vendors cannot meet the UK jurisdiction, audit, and control requirements — and three outages this year have proved that. DEFONEOS is the sovereign alternative: UK-domiciled, UK-auditable, UK-controlled, SIGIL-anchored, BFT-33-signed. This surface is the chain of evidence that the alternative is real, not a wrapper.

B.2 — The 12-framework coverage

Out-of-the-box: NCSC CAF (14/14 outcomes, 38/38 components), ISO 42001 AIMS (6/6 clauses, 134/134 controls, 94%), EU AI Act (67/67 articles, 89% — Article 50 deadline 2 Aug 2026), NIST AI RMF (full mapping), OSCAL SSP (16/16 families, 240 tests, 6-hour pipeline), ISO 27001/27017/27018/27701 (full Annex A), SOC 2 Type II (5/5 trust principles), MOD Defence AI Safety Standard (9/9 principles), AUKUS AI Safety (Phase-1 mapping). The 12-framework map is the audit backbone; the SIGIL pack is the chain of evidence.

B.3 — The 5-year horizon

Series A £50M @ £420M post; £680M ARR Y5; 127× MOIC at exit. Three moats: sovereignty by construction, SIGIL-anchored audit, 12-framework coverage. Eight forces vs. Palantir / AWS / GCP, all won on sovereignty, audit, and TCO. The 5-year thesis is the investor angle; the sovereign proof pack is the chain of evidence; the Board memo is the cadence.


Appendix C — Glossary of terms