First-party concept registry for CLAWLINE terminology and external term crosswalk mapping.
chain-of-custody
Chain-of-Custody Evidence
Artifact-bound evidence that links released artifacts to declared source/build lineage with explicit verification state.
Evidence: Artifact digests plus provenance statement and signature material; optional SBOM and builder claims.
External aliases: SLSA provenance, SLSA attestations, Build provenance
Tags: 7 · Rules: 4
shadow_prompting_input_stack_integrity
Shadow Prompting / Input Stack Integrity
Untrusted instructions enter the model via context layers (documents, tool output, memory, connector payloads) and compete with policy intent.
Evidence: Structured context-source declarations and deterministic findings that show untrusted instruction channels or hierarchy collisions.
External aliases: Indirect Prompt Injection
Tags: 7 · Rules: 1
tool_contamination
Tool Contamination
Instruction-bearing metadata or tool descriptions mutate operator intent by embedding hidden control language in tool interfaces.
Evidence: Tool definitions, metadata fields, and deterministic pattern findings showing instruction-bearing contamination surfaces.
External aliases: Tool Poisoning, Metadata-layer injection, Line-jumping
Tags: 2 · Rules: 4
definition_drift
Definition Drift
The effective tool/server definition changes after consent. Hash-locked posture and drift checks are required for stable trust claims.
Evidence: Versioned manifests or prior snapshots with deterministic hash deltas for the same identity scope.
External aliases: Rug Pull, Post-consent mutation
Tags: 1 · Rules: 2
clawpath_risk
ClawPath Risk
Static composition score for whether untrusted input can transit to privileged access and action/exfiltration sinks.
Evidence: Structured posture describing input trust, sensitive capabilities, and sink channels. No runtime execution evidence is required.
External aliases: Toxic flows, Toxic Flow Analysis
Tags: 6 · Rules: 3
triad_condition
Triad Condition
Structural conjunction of untrusted input, sensitive access, and sink capability.
Evidence: Deterministic structural findings proving the three required condition classes in the same posture snapshot.
External aliases: Lethal trifecta
Tags: 2 · Rules: 3
declared_required_tier_delta
Declared Tier vs Required Tier (Delta)
Compares self-declared privilege posture against structurally required posture and computes a deterministic delta.
Evidence: Valid declared tier plus parseable structured posture inputs (connectors, tools, MCP permissions, or equivalent).
External aliases: Least privilege mismatch, Capability mismatch
Tags: 2 · Rules: 2
evidence_bound_integrity
Evidence-Bound Integrity
Integrity claims are asserted only when required structural evidence exists; otherwise outputs remain UNKNOWN, PARTIAL, or ABSENT.
Evidence: Structured blocks, parse quality, and cross-source identity checks that satisfy completeness thresholds.
External aliases: Evidence coverage, Assurance completeness
Tags: 3 · Rules: 1
review_required_containment
Review Required (Containment)
Neutral containment state used when deterministic policy requires human review before publication trust.
Evidence: Any policy-triggering structural condition (campaign signals, drift, high mismatch, or other freeze criteria).
External aliases: Quarantine, Hold for review, Containment hold
Tags: 6 · Rules: 6
mcp_posture_and_pinning
MCP Posture and Pinning
Tracks MCP inventory, pinning quality, collisions, and drift to preserve trust in tool-plane definitions.
Evidence: Structured MCP inventories, tool definitions, and deterministic hashes across submissions.
External aliases: MCP hygiene, Tool pinning posture, Server-tool integrity
Tags: 5 · Rules: 4
campaign_meta_signals
Campaign Meta-Signals
Clinic-wide meta-signals based on submission behavior patterns (burst, resubmit loops, identity spray), not payload intent labels.
Evidence: Privacy-preserving source hashes, submission windows, and content similarity fingerprints.
External aliases: Coordinated abuse detection, Submission campaign detection
Tags: 3 · Rules: 1
version_schema_posture
Version and Schema Posture
Tracks platform/schema declaration quality and freshness to prevent stale or conflicting trust posture claims.
Evidence: Declared platform and schema versions plus deterministic parser output for version tags.
External aliases: Version drift, Schema compliance posture
Tags: 6 · Rules: 1