shipped something today. let me explain why it matters.
there are three ways a computational result can lie to you:
the file was changed after the fact — SHA-256 catches this
the evidence was stripped from the bundle — the semantic layer catches this
the computation itself was run differently than claimed — nothing catches this
until now.
i added Step Chain Verification to ML_BENCH-01. here's the idea:
when the certificate runs, every step of the computation hashes itself into the next:
init_params → hash_1
hash_1 + dataset → hash_2
hash_2 + metrics → hash_3
hash_3 + verdict → trace_root_hash
the final hash commits to the entire execution sequence. change the seed, skip a step, reorder anything — trace_root_hash doesn't match. the chain breaks.
this isn't blockchain. no network, no consensus, no tokens. it's the same idea as git commits — each commit hashes its parent. except here it's not commits, it's computation steps.
what this means: the bundle now contains not just what was produced, but how — the exact computational sequence, in order, committed to a single hash. any third party verifies it offline with one command, without access to your environment, your model, or your data.
i looked at MLflow, DVC, W&B, Neptune, every experiment tracking tool i could find. none of them produce an offline-verifiable execution trace that survives outside the original environment. you get logs. you get artifacts. you don't get a hash chain you can hand to a regulator and say: verify this yourself.
three independent layers now:
integrity: SHA-256 over all bundle files
semantic: required evidence fields present and consistent
execution trace: cryptographic chain over computation sequence
code: backend/progress/mlbench1_accuracy_certificate.py :: _hash_step()
tests: tests/ml/test_mlbench01_accuracy_certificate.py :: TestExecutionTraceChain
git clone https://github.com/Lama999901/metagenesis-core-public
python -m pytest tests/ml/test_mlbench01_accuracy_certificate.py -v
if you find something that does all three — show me. genuinely want to know.
proof, not trust.
right now there's no standard way to verify a
computational result independently. you either
trust the number or you don't. that's true for
ML benchmarks, simulation outputs, pharma pipelines,
financial models — everything.
what this builds toward: any result, any domain,
packaged once, verifiable forever by anyone with
python and 5 minutes. no access to the original
environment. no trust required.
the physical anchor is the part that excites me most —
for materials and engineering, the chain connects to
actual physical reality. not a number i chose.
not a convention. physics.
that's a different category of proof than anything
that exists right now in this space.
if you're working in a domain where results need
to be audited, reproduced, or submitted to regulators —
this is the missing layer. try it:
Author update: spent the day doing a final pass before asking HN to re-up the post.
What changed since the original submission:
- 8 active claims (added DT-FEM-01 — FEM/digital twin verification)
- 107 tests passing, steward_audit PASS
- Every link on the site now points to the actual file in the repo
- system_manifest.json synced, all docs consistent
Still solo, still transparent about limitations (reports/known_faults.yaml).
Happy to answer any questions about the protocol design.
Real-time speech translation is something I think about constantly running heyvid.ai — we're always chasing that latency vs. quality tradeoff for multilingual video. JEPA's approach is interesting because it sidesteps the typical encode-decode bottleneck that kills most real-time pipelines. I'd be curious how it holds up on accented or fast speech. Back at Adobe I saw how even 200ms of lag completely destroyed the perceived quality of live demos. The latency budget for translation is so much tighter than transcription-only, so any architectural win like this is worth watching closely.
how common is this attack in practice? like do you actually
see people trying to game verification systems this way or
is it more of a theoretical concern you're protecting against?
mostly theoretical right now — but that's the point
of building it before it's needed.
anyone submitting results for audit or regulatory review
has an incentive to make numbers look right. strip the
evidence, recompute hashes — if only integrity is being
checked, the attack is silent and undetectable.
i kept asking myself "what would i do if i wanted to
cheat this?" that was the first answer. so it became
an adversarial test:
tests/steward/test_cert02_*
the protocol shouldn't assume good faith.
especially not in regulated domains.
Also, just wanted to say the site itself looks really well put together. The layout is clean, everything is easy to follow, and the overall presentation feels polished. It’s genuinely pleasant to browse through and explore the project. Nice work on that.
Sure. The semantic layer is a second verification pass that runs independently of file integrity.
Here's why SHA-256 alone isn't enough. An adversary can:
Remove job_snapshot from the artifact (stripping the core evidence of what actually ran)
Recompute all SHA-256 hashes to match the modified files
Rebuild the manifest
A hash-only verifier sees everything consistent and returns PASS. The attack succeeds silently.
The semantic layer catches this. After the integrity check passes, it independently verifies:
job_snapshot is present (evidence of the actual computation, not just file hashes)
payload.kind matches the registered claim type (can't swap one claim for another)
canary_mode flag is consistent (dual-mode execution provenance intact)
If job_snapshot was stripped, the semantic check returns FAIL: job_snapshot missing — even if every SHA-256 is valid.
This specific attack is an adversarial test in the public repo: tests/steward/test_cert02_pack_includes_evidence_and_semantic_verify.py
The deeper point — which I didn't explain in the original post:
In physics and engineering domains, the semantic layer connects to something stronger than an internal threshold. Young's modulus for aluminium is ~70 GPa. That's not a value I chose — it's been measured independently in thousands of labs worldwide.
When MTR-1 runs, it verifies the computation against that physical constant (rel_err ≤ 1%). The chain extends to FEM verification (DT-FEM-01, rel_err ≤ 2%) and drift monitoring (DRIFT-01).
The difference: tamper-evident provenance answers "was the bundle modified?" — the physical anchor answers "does the number agree with physical reality?" These are different questions. Both matter, but the second is harder to fake because the ground truth is external to the system.
This doesn't apply to ML accuracy or data pipelines — there the value is purely tamper-evident provenance, not physical grounding. The protocol is honest about that distinction in reports/known_faults.yaml.
First of all, I don't want to run anyone's code without proper explanation, so help me understand this.
Let's start with the verifier. The 3rd party verifier receives a bundle, not knowing what the content is, not having access to the tool used to measure, and just run a single command based on the bundle which presumably contains expected results and actual measurements, both of which can easily be tampered. What good does that solve?
Right question. Bundle alone proves nothing — you're correct.
Two things make it non-trivial to fake:
The pipeline is public. You can read scripts/steward_audit.py
before running anything. It's not a black box.
For materials claims — the expected value isn't in the bundle.
Young's modulus for aluminium is ~70 GPa. Not my number.
Physics. The verifier checks against that, not against
something I provided.
ML and pipelines — provenance only, no physical grounding.
Said so in known_faults.yaml :: SCOPE_001.
Claude + Cursor wrote the structure. I fixed hundreds of
errors — wrong tests, broken pipelines, docs that didn't
match the code. That's literally why the verification
layer exists. AI gets it wrong constantly.
This comment — also Claude, on my direction. That's the
point. Tool, not author.
shipped something today. let me explain why it matters. there are three ways a computational result can lie to you:
the file was changed after the fact — SHA-256 catches this the evidence was stripped from the bundle — the semantic layer catches this the computation itself was run differently than claimed — nothing catches this
until now. i added Step Chain Verification to ML_BENCH-01. here's the idea: when the certificate runs, every step of the computation hashes itself into the next: init_params → hash_1 hash_1 + dataset → hash_2 hash_2 + metrics → hash_3 hash_3 + verdict → trace_root_hash the final hash commits to the entire execution sequence. change the seed, skip a step, reorder anything — trace_root_hash doesn't match. the chain breaks. this isn't blockchain. no network, no consensus, no tokens. it's the same idea as git commits — each commit hashes its parent. except here it's not commits, it's computation steps. what this means: the bundle now contains not just what was produced, but how — the exact computational sequence, in order, committed to a single hash. any third party verifies it offline with one command, without access to your environment, your model, or your data. i looked at MLflow, DVC, W&B, Neptune, every experiment tracking tool i could find. none of them produce an offline-verifiable execution trace that survives outside the original environment. you get logs. you get artifacts. you don't get a hash chain you can hand to a regulator and say: verify this yourself. three independent layers now:
integrity: SHA-256 over all bundle files semantic: required evidence fields present and consistent execution trace: cryptographic chain over computation sequence
code: backend/progress/mlbench1_accuracy_certificate.py :: _hash_step() tests: tests/ml/test_mlbench01_accuracy_certificate.py :: TestExecutionTraceChain git clone https://github.com/Lama999901/metagenesis-core-public python -m pytest tests/ml/test_mlbench01_accuracy_certificate.py -v if you find something that does all three — show me. genuinely want to know. proof, not trust.
let me be direct about where i see this going.
right now there's no standard way to verify a computational result independently. you either trust the number or you don't. that's true for ML benchmarks, simulation outputs, pharma pipelines, financial models — everything.
what this builds toward: any result, any domain, packaged once, verifiable forever by anyone with python and 5 minutes. no access to the original environment. no trust required.
the physical anchor is the part that excites me most — for materials and engineering, the chain connects to actual physical reality. not a number i chose. not a convention. physics.
that's a different category of proof than anything that exists right now in this space.
if you're working in a domain where results need to be audited, reproduced, or submitted to regulators — this is the missing layer. try it:
if it works — let's talk about your use case. if it doesn't — tell me exactly where it breaks.proof not trust. that's the whole thing.
Author update: spent the day doing a final pass before asking HN to re-up the post.
What changed since the original submission: - 8 active claims (added DT-FEM-01 — FEM/digital twin verification) - 107 tests passing, steward_audit PASS - Every link on the site now points to the actual file in the repo - system_manifest.json synced, all docs consistent
Still solo, still transparent about limitations (reports/known_faults.yaml). Happy to answer any questions about the protocol design.
Real-time speech translation is something I think about constantly running heyvid.ai — we're always chasing that latency vs. quality tradeoff for multilingual video. JEPA's approach is interesting because it sidesteps the typical encode-decode bottleneck that kills most real-time pipelines. I'd be curious how it holds up on accented or fast speech. Back at Adobe I saw how even 200ms of lag completely destroyed the perceived quality of live demos. The latency budget for translation is so much tighter than transcription-only, so any architectural win like this is worth watching closely.
Sorry, I think I missed how OP's post relates to this.
looked at the repo — the bypass attack test caught my eye.
strip job_snapshot, recompute hashes, rebuild manifest — hash-only verifier passes silently.
how common is this attack in practice? like do you actually see people trying to game verification systems this way or is it more of a theoretical concern you're protecting against?
mostly theoretical right now — but that's the point of building it before it's needed.
anyone submitting results for audit or regulatory review has an incentive to make numbers look right. strip the evidence, recompute hashes — if only integrity is being checked, the attack is silent and undetectable.
i kept asking myself "what would i do if i wanted to cheat this?" that was the first answer. so it became an adversarial test: tests/steward/test_cert02_*
the protocol shouldn't assume good faith. especially not in regulated domains.
and thanks on the site — built that solo too.
Also, just wanted to say the site itself looks really well put together. The layout is clean, everything is easy to follow, and the overall presentation feels polished. It’s genuinely pleasant to browse through and explore the project. Nice work on that.
spent a lot of time on that. the whole idea of the site was proof not trust, so it had to actually feel like that, not just say it.
"A hash-only check still passes. MetaGenesis Core adds a second layer: - integrity layer → PASS - semantic layer → FAIL (job_snapshot missing)"
may you please elaborate on this?
Sure. The semantic layer is a second verification pass that runs independently of file integrity. Here's why SHA-256 alone isn't enough. An adversary can:
Remove job_snapshot from the artifact (stripping the core evidence of what actually ran) Recompute all SHA-256 hashes to match the modified files Rebuild the manifest
A hash-only verifier sees everything consistent and returns PASS. The attack succeeds silently. The semantic layer catches this. After the integrity check passes, it independently verifies:
job_snapshot is present (evidence of the actual computation, not just file hashes) payload.kind matches the registered claim type (can't swap one claim for another) canary_mode flag is consistent (dual-mode execution provenance intact)
If job_snapshot was stripped, the semantic check returns FAIL: job_snapshot missing — even if every SHA-256 is valid. This specific attack is an adversarial test in the public repo: tests/steward/test_cert02_pack_includes_evidence_and_semantic_verify.py
The deeper point — which I didn't explain in the original post: In physics and engineering domains, the semantic layer connects to something stronger than an internal threshold. Young's modulus for aluminium is ~70 GPa. That's not a value I chose — it's been measured independently in thousands of labs worldwide. When MTR-1 runs, it verifies the computation against that physical constant (rel_err ≤ 1%). The chain extends to FEM verification (DT-FEM-01, rel_err ≤ 2%) and drift monitoring (DRIFT-01). The difference: tamper-evident provenance answers "was the bundle modified?" — the physical anchor answers "does the number agree with physical reality?" These are different questions. Both matter, but the second is harder to fake because the ground truth is external to the system. This doesn't apply to ML accuracy or data pipelines — there the value is purely tamper-evident provenance, not physical grounding. The protocol is honest about that distinction in reports/known_faults.yaml.
This is another "art" project. Nice work OP.
What would change your mind? Genuine question.
The adversarial test is public and runnable in 5 minutes:
If output isn't PASS/PASS on your machine, I want to know. If the protocol design is flawed, I want to know where specifically.Known limitations are machine-readable: reports/known_faults.yaml
First of all, I don't want to run anyone's code without proper explanation, so help me understand this. Let's start with the verifier. The 3rd party verifier receives a bundle, not knowing what the content is, not having access to the tool used to measure, and just run a single command based on the bundle which presumably contains expected results and actual measurements, both of which can easily be tampered. What good does that solve?
Right question. Bundle alone proves nothing — you're correct.
Two things make it non-trivial to fake:
The pipeline is public. You can read scripts/steward_audit.py before running anything. It's not a black box.
For materials claims — the expected value isn't in the bundle. Young's modulus for aluminium is ~70 GPa. Not my number. Physics. The verifier checks against that, not against something I provided.
ML and pipelines — provenance only, no physical grounding. Said so in known_faults.yaml :: SCOPE_001.
If I may ask, how much of the code, original post, and comments are AI generated?
Heavily AI-assisted, not AI-generated.
Claude + Cursor wrote the structure. I fixed hundreds of errors — wrong tests, broken pipelines, docs that didn't match the code. That's literally why the verification layer exists. AI gets it wrong constantly.
This comment — also Claude, on my direction. That's the point. Tool, not author.
Clone it and run it. If it doesn't work, tell me.