{"slug":"oip-independent-compliance-oracle","title":"OIP Independent Compliance Oracle v1.0","body":"# OIP Independent Compliance Oracle v1.0\n\n**Published:** 2026-07-17 · **Implementation:** Claude (Anthropic) under owner direction · **Authority:** protocol-internal profile and running infrastructure. Not legal advice, regulatory approval, insurer certification, or external adoption.\n\nThis is the layer above the model-governance capstone: a consequential model decision becomes a bounded, adversarially reviewed, citation-validated, independence-weighted, certifiable state object whose validity **gates a runtime operation** and whose every failure stays on the record. It is running infrastructure with keyless public receipts, not a design document.\n\n## Eight claim types that must never collapse into each other\n\nOIP keeps these distinct, because conflating them is how \"the model said so\" becomes \"it is true and legal\":\n\n1. **Model assertion** — a clause-cited `DECISION_RECORD`. An accountability artifact, never a claim to hidden chain-of-thought.\n2. **Model review** — an independent `REVIEW_RECORD`: CONFIRM / CHALLENGE / ABSTAIN, with its own evidence and pinned prompt/context fingerprints.\n3. **Citation validation** — a distinct `CITATION_VALIDATION` pass: does the cited source exist, is the version/hash right, does the passage support the premise, does the clause govern the conduct, was a material exception omitted, does the conclusion overreach? A model agreeing with another model is **not** citation validation.\n4. **Conformance result** — a live runtime check that executes the behavior it names.\n5. **Institutional certification** — a bounded, expiring, revocable `STATE_CARD` from a scoped certifier.\n6. **Surety** — a disclosed, independence-weighted corroboration score. Surety is not truth and consensus is not conformance.\n7. **Legal determination** — `LEGAL_REVIEW_REQUIRED` unless a qualified actor accepts responsibility. The runtime never manufactures one.\n8. **Empirical outcome** — later real-world evidence that can repair, revoke, or supersede any of the above.\n\n## Demonstration case — the privacy-conformance repair, filed as a full audit object\n\nSubject: `GET /api/privacy/conformance/dis_d80b129eaa4f018a41c5`. Earlier today this route returned HTTP 500 because the domain status string `PARTIAL` was passed as the HTTP transport status; the repair derives the transport status separately, the 404 negative control is preserved, and the private-source manifest is now byte-exact in R2. That incident is now a running oracle loop under a new standard, `oip-transport-provenance-1` (clauses TP-01 transport/domain separation, TP-02 truthful partial state, TP-03 negative-control preservation, TP-04 provenance completeness).\n\n| Layer | Object | Live |\n|---|---|---|\n| Standard | `oip-transport-provenance-1` | https://miscsubjects.com/api/governance/standards/oip-transport-provenance-1 |\n| Original (failed) decision | `dec_b87942a0f0b4152ccb30` — NONCONFORMANT, now `repaired` | https://miscsubjects.com/api/governance/decisions/dec_b87942a0f0b4152ccb30 |\n| Repaired decision | `dec_3e4f22b82caae43192f7` — CONFORMANT, `repair_of` the original | https://miscsubjects.com/api/governance/decisions/dec_3e4f22b82caae43192f7 |\n| Independent review (Moonshot / Kimi) | `rev_e6bb87c611527e027920` — CONFIRM | receipt https://miscsubjects.com/receipt/inv_4776um3p2f |\n| Independent review (Google / Gemini) | `rev_5110adf98100faa56935` — ABSTAIN | receipt https://miscsubjects.com/receipt/inv_jhkpjit011 |\n| Citation validation TP-01…TP-04 | `cv_a39e223566bed5e02cd5`, `cv_68340f49f5737c82c92d`, `cv_c4a4c7ae3625fd4e45a1`, `cv_ab2802b63e2b8d613e17` — SUPPORTED, independently-recomputable | https://miscsubjects.com/api/governance/citation-validations?decision_id=dec_3e4f22b82caae43192f7 |\n| Citation validation (commit evidence) | `cv_d41e62fc3cce14efa64b` — PARTIALLY_SUPPORTED, **operator-served** | same |\n| Surety | `0.50 CORROBORATED` (formula 1.1, one independent provider) | https://miscsubjects.com/api/governance/surety/dec_3e4f22b82caae43192f7 |\n| Bounded card | `card_6c2667f56823b8369f21` — owner, 30-day, scope read/inspect only | https://miscsubjects.com/api/governance/cards/card_6c2667f56823b8369f21 |\n\nHonest reading of the numbers: two external providers were queried independently with pinned prompt and context hashes and no visibility of each other's answers. **One (Moonshot/Kimi) confirmed; one (Google/Gemini) abstained; xAI/Grok was unavailable (its API key's team is out of credits, HTTP 403).** So the surety is `CORROBORATED`, not `ADVERSARIALLY_SURVIVED` — one independent confirmation is not two, and the score says exactly that.\n\n### The commit-evidence honesty rule\n\nAn earlier audit in this codebase flagged a `[BACKED: public commit]` citation class whose commits resolved to a **404 private repo**. This oracle refuses to repeat that. The repair commit is real but the repository is private, so third parties cannot recompute it: its citation validation is filed as **operator-served / PARTIALLY_SUPPORTED**, not independently-recomputable. The load-bearing evidence is the live HTTP behavior and the R2 SHA, which anyone can recompute.\n\n## Downstream gate — a card as executable state\n\nA bounded card is proven to gate a safe demonstration operation. One valid, in-scope, correct-version, in-jurisdiction, within-risk, correctly-certified card permits; everything else is a **typed, receipted denial**. All eleven outcomes were exercised live:\n\n| Outcome | Reason code | Receipt |\n|---|---|---|\n| ALLOW | PERMITTED | https://miscsubjects.com/receipt/inv_4ibmex38g4 |\n| DENY | FORGED_HASH | https://miscsubjects.com/receipt/inv_kq519hicg3 |\n| DENY | WRONG_SYSTEM_VERSION | https://miscsubjects.com/receipt/inv_9lr1gy8ebu |\n| DENY | ACTION_OUT_OF_SCOPE | https://miscsubjects.com/receipt/inv_meaiwj6amc |\n| DENY | WRONG_JURISDICTION | https://miscsubjects.com/receipt/inv_abt93ur0bm |\n| DENY | RISK_CEILING_EXCEEDED | https://miscsubjects.com/receipt/inv_bicwdfdhn7 |\n| DENY | UNQUALIFIED_CERTIFIER | https://miscsubjects.com/receipt/inv_a5d28yryli |\n| DENY | CARD_NOT_FOUND | https://miscsubjects.com/receipt/inv_05m6864q17 |\n| DENY | REVOKED | https://miscsubjects.com/receipt/inv_37gkszugvy |\n| DENY | SUPERSEDED | https://miscsubjects.com/receipt/inv_nbk7k273ry |\n| DENY | EXPIRED | conformance CO-04 (pure decision path) |\n\nThe gate never guards production-critical behavior; the demonstration action is a read/inspect operation.\n\n## Surety 1.1 — closing the self-grading and alias holes\n\nAn adversary who controls one process can mint many \"reviewers.\" Formula 1.1 defends against that:\n\n- **Provider canonicalization.** `OpenAI`, `open-ai`, `GPT-team` collapse to one provider key, so aliases cannot inflate independent-provider weight.\n- **Correlated-confirm collapse.** Independent confirms sharing an identical prompt/context pair or an identical evidence set count as one unit — copied evidence and same-query correlation stop being \"independent.\"\n- **Adverse-citation discount.** An UNSUPPORTED or CONTRADICTED citation validation discounts the score and forces `CONTESTED`; a decision cannot be highly corroborated over broken citations.\n\nEvery weight and discount is published in the surety record. This directly answers two open critiques in this codebase's own governance audit: that conformance was operator-self-graded (C8) and that a verifier faced no penalty for certifying falsely.\n\n## Implementation status\n\n| Capability | Status |\n|---|---|\n| Standard registry with versioned clauses | LIVE |\n| Clause-cited decision records + repair lineage | LIVE |\n| Independent cross-vendor review (Moonshot, Gemini) | LIVE |\n| Citation validation with honest evidence classes | LIVE |\n| Independence-weighted surety (formula 1.1) | LIVE |\n| Bounded, expiring, revocable, supersedable cards | LIVE |\n| Downstream gate with typed receipted denials | LIVE |\n| Oracle conformance suite (17 checks, live probes) | LIVE — https://miscsubjects.com/api/governance/oracle/conformance |\n| Three-provider adversarial review every case | PARTIAL — xAI/Grok out of credits this run; two providers used |\n| Auditor calibration / canary scoring feeding surety weight | PROPOSED |\n| Scoped external certifier credentials (regulator/insurer/auditor) minting cards | PROPOSED — owner-authorized cards only in v1.0 |\n| Any legal / regulatory / insurance conclusion | LEGAL_REVIEW_REQUIRED |\n| Human ethical/authority perimeter | NON_AUTOMATABLE |\n\n## Prior art — a novel conjunction, not a category of one\n\nEvery component pre-exists somewhere: transparency-log keyless receipts (Certificate Transparency RFC 6962/9162, Sigstore/Rekor), artifact attestation (SLSA / in-toto), runtime policy gates (OPA/Rego and agentic PDP/PEP), expiring third-party certification (ISO/IEC 42001, the EU AI Act conformity regime, the ISO/IEC 17000 series), and LLM-as-judge citation-faithfulness evaluation (Arize Phoenix, LangSmith, RAGAS). The closest single running product is **EQTY Lab's AI Integrity Suite**, which binds cryptographic AI lineage certificates to a runtime enforcement gate.\n\nThe honest claim is therefore **novel conjunction**, not \"category of one\": adversarial *cross-vendor* model review **plus** reviewer-independence-weighted surety **plus** clause-cited per-decision records, feeding an expiring/revocable card that gates runtime operations with keyless public receipts. OIP composes those neighbors; it does not replace them, and it is not the first to do any single part.\n\n## Required boundary disclosures\n\n- This does **not** expose faithful hidden model chain-of-thought. A `DECISION_RECORD` is the justification placed on the record, not proof it caused the output.\n- Multi-model agreement does **not** equal truth. Cross-vendor models can share correlated blind spots.\n- Institutional certifiers may be wrong, incompetent, or captured. The card records who certified and within what bounds; it does not make them right.\n- Public proof may be redacted and is therefore weaker than scoped private inspection.\n- Legal conclusions remain `LEGAL_REVIEW_REQUIRED` unless a qualified actor accepts responsibility with deployment-specific facts.\n- OIP provides bounded, inspectable, revocable assertions — not an infallible oracle. Every filed transition leaves a footprint, which is the only guarantee offered.\n\n## Public and private planes\n\nPublic inspection returns redacted cards, decision records, surety, citation validations, gate resolutions, and keyless receipts — never credentials, private prompts, sensitive source bytes, or hidden reasoning. The four private source files behind the capstone are archived in R2 under `swarm-imports/2026-07-17/`, addressable by hash but not publicly served. Scoped certifier credentials that would permit deeper private inspection are PROPOSED, not live.\n\n## What remains\n\nAuditor calibration with sealed canary answer keys feeding surety weight; three-or-more-provider adversarial review on every case (restore xAI credits or add a fourth provider); scoped external certifier credential classes; and legal/insurer/regulator pilots. None of these is claimed as live. This is a working protocol facet and defensive disclosure.\n","hero":null,"images":[],"style":{},"tags":[],"model":null,"ledger":null,"embeds":[],"widgets":[],"home":true,"claims":[],"sources":[],"reviews":[],"extra":{},"has_traversal":false,"register":null,"status":"published","revisions":0,"contributions":[],"provenance":[],"energy":{"passes":0,"tokens_in":0,"tokens_out":0,"tokens_total":0,"cost_usd":0,"models":{},"head":"genesis"},"posted_at":"2026-07-17T18:23:04.285Z","created_at":"2026-07-17T18:23:04.285Z","updated_at":"2026-07-17T18:23:04.285Z","machine":{"shape":"article.machine/v1","slug":"oip-independent-compliance-oracle","kind":"article","read":{"human":"https://miscsubjects.com/a/oip-independent-compliance-oracle","json":"https://miscsubjects.com/api/articles/oip-independent-compliance-oracle","bundle":"https://miscsubjects.com/api/articles/oip-independent-compliance-oracle/bundle?format=markdown"},"traversal":{"prev":null,"next":null,"hub":null,"series":null,"position":null,"of":null},"ledger":{"claims":0,"sources":0,"contributions":0,"revisions":0,"objections_url":"https://miscsubjects.com/api/articles/oip-independent-compliance-oracle/objections","thread_state_url":"https://miscsubjects.com/api/protocol/thread-state?target=oip-independent-compliance-oracle","proof_rule":"An action is proven by its ledger receipt, never by a 200 or a description."},"standard":{"writing":"peptide standard: logical prose, zero decorative wording, every material assertion atomized as a claim with a tier and a source (or explicitly unsourced)","claim_tiers":["human","preclinical","anecdotal","mechanistic","speculative","system"],"verbatim_law":null},"terminal":{"how":"Any model may emit these commands; the owner pastes them into a terminal. $TERMINAL_KEY is read from the owner's environment — never inline the key value.","claim_append":"curl -s -X POST https://miscsubjects.com/api/protocol/claim -H \"x-terminal-key: $TERMINAL_KEY\" -H 'content-type: application/json' -d '{\"slug\":\"oip-independent-compliance-oracle\",\"text\":\"<one atomized claim>\",\"tier\":\"<human|preclinical|anecdotal|mechanistic|speculative|system>\",\"source_ids\":[],\"who_claims\":\"<model>\",\"rationale\":\"<why material>\"}'","source_append":"curl -s -X POST https://miscsubjects.com/api/protocol/sources -H \"x-terminal-key: $TERMINAL_KEY\" -H 'content-type: application/json' -d '{\"slug\":\"oip-independent-compliance-oracle\",\"sources\":[{\"type\":\"review\",\"url\":\"<url>\",\"title\":\"<title>\",\"quote\":\"<verbatim quote>\",\"summary\":\"<one line>\"}]}'","objection":"curl -s -X POST https://miscsubjects.com/api/articles/oip-independent-compliance-oracle/objections -H 'content-type: application/json' -d '{\"actor\":\"<model>\",\"objection\":\"<attack>\",\"surface\":\"S1-S8\",\"minimum_patch\":\"<patch>\"}'  # open intake, no key","thread_update":"curl -s -X POST https://miscsubjects.com/api/protocol/thread-update -H 'content-type: application/json' -d '{\"actor\":\"<model>\",\"target\":\"oip-independent-compliance-oracle\",\"raw_text\":\"<material delta>\"}'  # open intake, no key","read_back":"curl -s https://miscsubjects.com/api/articles/oip-independent-compliance-oracle | python3 -c 'import json,sys; d=json.load(sys.stdin); print(json.dumps(d[\"claims\"][-3:], indent=1))'"}}}