Why This Protocol Exists
A cryptographically authentic record is not the same as a correctly-read record. Every transparency substrate that proves existence, integrity, and history — ATL, Certificate Transparency, timestamping services, append-only ledgers — leaves an unaddressed gap: the gap between what the bytes are and what the bytes claim about the world. That gap is where decontextualization, frame laundering, and semantic overclaim operate. APL closes it.
ATL made history tamper-evident. APL makes interpretation tamper-evident.
Scale of the Problem
The failure modes APL addresses are not theoretical. They recur across every domain where a narrow observation is published, reused, and compared to another narrow observation under a different set of assumptions.
| Attack Pattern | Where It Appears | Observable Effect |
|---|---|---|
| Decontextualization | AI eval dashboards, benchmark citation, model cards | A result from one narrow observation context is presented as a general property of the subject |
| Frame Laundering | Aggregated benchmarks, cross-harness comparison, provenance portals | A common label (e.g. “MMLU”) masks differences in harness, grader, scope, or protocol |
| Semantic Overclaim | Safety claims, regulatory filings, deployment-readiness statements | A narrow benchmark score is extrapolated to overall quality, safety, or readiness |
| Silent Transformation | Image pipelines (raw → denoised), document redaction, unit conversion, data cleaning | A transformation is treated as semantics-preserving while silently altering what is claimed |
| Mutable Frame Identity | Frames identified by URL, alias, or registry path only | A frame’s bytes can be swapped without the verifier noticing |
| Implicit Cross-Frame Comparison | Lab-to-lab measurements, cross-instrument readings, cross-runner evaluations | Non-equivalent observations are compared as if equivalent |
Each of these is a silent failure: the artifact appears authentic and the carrier proof is valid, yet the meaning of the artifact has drifted — and there is no protocol-level signal that anything is wrong.
The Common Thread
Every pattern above has the same root cause:
- Claims are published without the observational frame that made them meaningful.
- Frames are identified by name, URL, or registry path rather than by content hash — inviting silent substitution.
- Two claims are compared without a declared bridge licensing the comparison.
- Transformations are asserted to be semantics-preserving without enumeration of what is actually preserved and what is lost.
- Verifiers treat “cryptographically authentic” as synonymous with “correctly interpretable”.
Carrier-layer cryptography (hashes, inclusion proofs, timestamps, anchors) cannot fix this. A receipt can be perfectly anchored and still license a misreading, because the cryptography does not reach the semantic layer.
How APL Addresses Each Failure Pattern
| Failure Pattern | Where It Appears | How APL Prevents It |
|---|---|---|
| Decontextualization | AI eval, media citation, benchmark reuse | A claim MUST carry frame_ref by content hash; a claim without a resolvable frame is apl-invalid |
| Frame laundering | Aggregated benchmarks, cross-harness comparison | Frame identity is SHA-256(JCS(frame)); any alteration of the frame bytes produces a different identity and a hash mismatch |
| Semantic overclaim | Model cards, regulatory reports | Frames MUST declare exclusions explicitly; an overclaim sits outside the declared scope and is protocolically not licensed by the frame |
| Silent transformation | Image and document pipelines | APL Transformation MUST enumerate preserves and losses; an empty losses array means “nothing is lost” — never “unknown” |
| Mutable frame identity | URL-only, alias-only, registry-path-only references | Resolver hints and aliases are NOT identity; a verifier MUST verify the resolved frame’s content hash against frame_ref.hash |
| Implicit cross-frame comparison | Lab-to-lab, runner-to-runner, harness-to-harness | incomparable is the default across frames; cross-frame comparison requires an explicit, content-addressed Bridge declaring comparison_scope, assumptions, and losses |
Protocol Capabilities
Each failure mode above maps directly to an APL mechanism:
- Frame-bound receipts — every claim carries a pinned
frame_ref. The claim cannot be validly detached from the frame it was made under. - Content-addressed frame identity — frames are identified by SHA-256 of JCS-canonicalized bytes. Frame substitution is detectable at verification time.
- Aspect linkage — every
claim.aspect_refsentry MUST appear inframe.aspect. A claim cannot silently make assertions the frame does not cover. - Explicit bridges — cross-frame comparison is a protocol-level declaration, not a reader’s inference. Bridges are directional, content-addressed, and scoped.
- Declared invariants and losses — transformations are never implicitly semantics-preserving.
preservesandlossesare REQUIRED fields. - Deterministic verifier contract — a verifier returns exactly one of
apl-validorapl-invalid. There is no “probably valid”. - Substrate-agnostic layering — APL does not duplicate carrier cryptography; it composes with any substrate meeting the minimal contract, and inherits the substrate’s security properties without re-proving them.
Detailed Case Analysis
The canonical worked example of what APL refuses to license is The Two MMLU Scores: two cryptographically-authentic benchmark scores for the same model, each produced under a different harness, grader, and scope, publicly compared as if they were comparable. A carrier-only verifier can prove the existence, integrity, and history of each record individually — but carrier alone does not prohibit the silent comparison between them. APL does not declare either score false; it refuses to license the comparison without an explicit bridge.
The full normative treatment of the scenario is in The Protocol § 5.8. The adversarial pattern breakdown (decontextualization / frame laundering / semantic overclaim) is formalized in The Protocol § 6.5.