Security Hardening
After auditing all 26 existing security concepts, we identified six structural weaknesses where coverage is insufficient against specific adversary classes. These are extensions to existing concepts, not new concepts — each one strengthens an already-defined structure.
Why this matters
Current adversary coverage: A1 (Network) 40%, A5 (Vendor) 30%. Security properties S3 (Deletion Completeness) 60%, S4 (Flow Isolation) 50%, S5 (Temporal Consistency) 40%. These gaps require targeted hardening.
Coverage gaps
| Adversary | Phase 1 | Verdict |
|---|---|---|
| A1 — Network Observer | 40% | Dangerous |
| A2 — Malicious Web Content | 80% | Good |
| A3 — Malicious Extension | 75% | Good |
| A4 — OS-Level Attacker | 60% | Needs attention |
| A5 — Browser Vendor | 30% | Critical |
E1. Embedding Residue Tracking
Extends IRD + RSIP. Embedding vectors generated by Φ: V → ℝ^384 are the most recovery-resistant form of inference residue. Current IRD tracks direct, propagated, and statistical residues — but does not explicitly model embedding inversion attacks.
Inversion attack model
Given an embedding vector φ_i, an attacker recovers the original text via inversion models. Since 2024, inversion attacks on Sentence-BERT/E5 models achieve BLEU 0.5+ (Morris et al., 2023; Li et al., 2024).
E1 adds a new R5: EmbeddingVector residue category to IRD, with:
| Field | Purpose |
|---|---|
| inversion_hazard_score | 0.0–1.0 risk of text recovery from vector |
| dependent_indices | FTS5/ANN indices containing this vector |
| key_derivation_path | Integration with CGS (N1) crypto key path |
R5 residue category
On RSIP execution: (1) identify φ_i for nodes with R5 residue, (2) remove vectors from ANN indices, (3) rebuild FTS5 indices without vectors, (4) verify inversion BLEU score drops below threshold.
Adversaries: A3 (extension API access to embeddings), A4 (disk theft of index files). Phase: 1–2.
E2. Inference Provenance Chain
Extends TCV. The temporal causality verification system records hash chains for navigation edges but does not track causal inputs for AI-inferred edges. When AI creates an edge "A relates to B", we cannot determine which nodes were analyzed to reach that conclusion.
Missing causal inputs
Without provenance tracking: (1) deleting a source node leaves the AI-inferred edge intact, leaking the source's existence; (2) audit cannot verify the basis for inference results; (3) RSIP misses edges whose causal inputs are unknown.
TCV extension
Add a causal_inputs field to TCV hash chain entries. Each causal input records: source node ID, contribution weight (attention score or feature importance), and input snapshot hash (content hash at query time).
Integration: IRD uses causal_inputs to build complete inference residue graphs. RSIP auto-enqueues all AI-inferred edges whose causal inputs include a deleted node.
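The sketch below is an added example, not the project's own code: it shows a hash-chain entry carrying a causal_inputs list and the lookup RSIP would run when a node is deleted. The entry layout, function names and sample nodes are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64

def _digest(obj) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

def append_inferred_edge(chain, src, dst, causal_inputs):
    """Append a hash-chain entry for an AI-inferred edge, including its causal inputs."""
    body = {
        "prev": chain[-1]["entry_hash"] if chain else GENESIS,
        "edge": [src, dst],
        # Each input: source node ID, contribution weight, snapshot hash at query time.
        "causal_inputs": [
            {"node_id": n, "weight": w, "snapshot_hash": _digest(content)}
            for n, w, content in causal_inputs
        ],
    }
    chain.append({**body, "entry_hash": _digest(body)})

def verify_chain(chain) -> bool:
    """Recompute every link; editing causal_inputs after the fact breaks the chain."""
    prev = GENESIS
    for entry in chain:
        body = {k: entry[k] for k in ("prev", "edge", "causal_inputs")}
        if entry["prev"] != prev or entry["entry_hash"] != _digest(body):
            return False
        prev = entry["entry_hash"]
    return True

def edges_to_purge(chain, deleted_node):
    """Edges RSIP must enqueue: any inferred edge that used the deleted node as input."""
    return [
        tuple(e["edge"]) for e in chain
        if any(ci["node_id"] == deleted_node for ci in e["causal_inputs"])
    ]

def sample_chain():
    # Constructed sample data: node IDs, weights and contents are made up.
    chain = []
    append_inferred_edge(chain, "A", "B",
                         [("A", 0.5, "page a"), ("B", 0.3, "page b"), ("C", 0.2, "page c")])
    append_inferred_edge(chain, "B", "D", [("B", 0.7, "page b"), ("D", 0.3, "page d")])
    return chain
```

Deleting node C selects the A–B edge even though C is not one of its endpoints, which is the case the text says leaks the source's existence when causal inputs are not recorded.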
Adversaries: All classes (provenance is foundational). Phase: 2.
E3. Immutable Audit Commitment
Extends CSEB. The Context Security Event Bus monitors events in real time but does not guarantee immutable recording. An attacker who corrupts CSEB's event buffer can erase evidence of a breach.
Append-only audit buffer
Privacy-preserving audit events record action type, affected node count, security decision, and ASP posture level — but never record node IDs, content, user queries, or URLs.
Merkle root commitment
Every hour, compute a Merkle root over accumulated audit events and commit it to SKV (Sealed Knowledge Volume). Retroactive tampering of the audit log is detectable by comparing Merkle roots.
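As an added illustration (not the project's implementation), the following models the hourly commitment: events limited to the four privacy-preserving fields are hashed into a Merkle root, and a later recomputation exposes edits or truncation. The field names, the dict standing in for SKV and the sample events are assumptions.

```python
import hashlib
import json

# The only fields an audit event may carry (no node IDs, content, queries or URLs).
ALLOWED_FIELDS = {"action", "affected_nodes", "decision", "posture"}

def encode_event(event: dict) -> bytes:
    """Canonical encoding; rejects any event carrying a field outside the allow-list."""
    if set(event) != ALLOWED_FIELDS:
        raise ValueError(f"unexpected audit fields: {sorted(set(event) ^ ALLOWED_FIELDS)}")
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()

def merkle_root(leaves: list) -> str:
    """Merkle root with distinct leaf (0x00) and interior (0x01) hash prefixes."""
    if not leaves:
        return hashlib.sha256(b"").hexdigest()
    level = [hashlib.sha256(b"\x00" + leaf).digest() for leaf in leaves]
    while len(level) > 1:
        nxt = [
            hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
            for i in range(0, len(level) - 1, 2)
        ]
        if len(level) % 2:  # odd count: carry the unpaired node up unchanged
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()

def commit_hour(skv: dict, hour: str, events: list) -> None:
    """Seal root and event count for the hour; `skv` is a dict standing in for SKV."""
    root = merkle_root([encode_event(e) for e in events])
    skv[hour] = {"root": root, "count": len(events)}

def log_matches_commitment(skv: dict, hour: str, events: list) -> bool:
    """Recompute the root from the current log and compare with the sealed value."""
    sealed = skv[hour]
    root = merkle_root([encode_event(e) for e in events])
    return sealed["count"] == len(events) and sealed["root"] == root

# Constructed sample events for one hour.
SAMPLE_EVENTS = [
    {"action": "node_read", "affected_nodes": 3, "decision": "allow", "posture": 1},
    {"action": "export", "affected_nodes": 120, "decision": "deny", "posture": 3},
    {"action": "node_delete", "affected_nodes": 1, "decision": "allow", "posture": 1},
]
```

The check only has value if the sealed root lives somewhere the log's attacker cannot also rewrite, which is why the text commits it to SKV and not alongside the buffer.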
E3 is the prerequisite for N2 (Forensic Integrity Layer), which builds a full forensic analysis system on top.
Adversaries: A2, A3, A4, A5. Phase: 1–2.
E4. Social Recovery Layer
Extends KPC. KPC encryption depends entirely on a master passphrase. Passphrase loss = permanent data loss. No disaster recovery mechanism exists.
Shamir Secret Sharing
Generate 5 shares with a (3, 5) threshold — any 3 shares can reconstruct the master key. Shares are distributed across: mobile device, BIP39 seed phrase (paper backup), two trusted contacts' devices, and an optional encrypted cloud backup.
Social Recovery is opt-in only. Share generation and reconstruction happen entirely on the local device. Shares are never transmitted in assembled form.
Adversaries: Disaster recovery (availability risk), indirect A5 defense. Phase: 2–3.
E5. Query Canonicalization Shield
Extends KQR. Natural language queries carry linguistic fingerprints — vocabulary choice, syntax patterns, abbreviation frequency — that identify users' cognitive styles. KQR protects the relay path but not query content.
Normalization pipeline
Before KQR transmits to cloud AI, queries pass through a local normalization pipeline: (1) synonym unification, (2) word order normalization, (3) filler removal, (4) structural canonicalization to [Topic] [Relation] [Constraint] form, (5) probabilistic dummy modifier insertion.
Original queries are preserved in the Context Graph. Only normalized versions leave the device.
E5 is the stepping stone for N7 (Cognitive Query Normalization), which adds ML-based style neutralization.
Adversaries: A1, A5. Phase: 2.
E6. Cascade Failure Fallback
Extends ASP. If CSEB and CTA are both compromised simultaneously, ASP loses its trigger sources and access control effectively stops. No independent fallback exists.
Independent watchdog
A hardware-independent watchdog runs in a separate memory space from CSEB/CTA. Both send heartbeats every 5 seconds. If either heartbeat is missed: Warning + forced posture elevation. If both are missed: immediate Lockdown with a compile-time embedded policy (no read, no write, no network, no AI inference, UI alert only).
The Lockdown Policy is embedded at compile time — not modifiable at runtime, eliminating the risk of an attacker tampering with the fallback.
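The watchdog decision logic described above, as an added example that is not the project's code. Assumptions: a heartbeat counts as missed once more than 5 seconds pass without one, Lockdown latches until an out-of-band reset, and a read-only mapping stands in for the compile-time embedded policy.

```python
from types import MappingProxyType

HEARTBEAT_INTERVAL = 5.0  # seconds, from the text

# Read-only stand-in for the compile-time policy: UI alert only, everything else off.
LOCKDOWN_POLICY = MappingProxyType({
    "read": False, "write": False, "network": False,
    "ai_inference": False, "ui_alert": True,
})

class Watchdog:
    """Tracks CSEB and CTA heartbeats independently of either component."""

    def __init__(self, now: float):
        self.last_seen = {"CSEB": now, "CTA": now}
        self.locked = False

    def heartbeat(self, source: str, now: float) -> None:
        if source not in self.last_seen:
            raise KeyError(f"unknown heartbeat source: {source}")
        self.last_seen[source] = now

    def evaluate(self, now: float) -> str:
        """Return OK, WARNING (forced posture elevation) or LOCKDOWN."""
        if self.locked:
            # Assumption: resumed heartbeats do not lift Lockdown by themselves,
            # since a compromised component could simply start sending them again.
            return "LOCKDOWN"
        missed = [s for s, t in self.last_seen.items() if now - t > HEARTBEAT_INTERVAL]
        if len(missed) == len(self.last_seen):
            self.locked = True
            return "LOCKDOWN"
        return "WARNING" if missed else "OK"

    def effective_policy(self):
        """The fixed lockdown policy while locked, otherwise None (ASP decides)."""
        return LOCKDOWN_POLICY if self.locked else None
```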
Adversaries: A3, A4. Phase: 2.
Summary
| ID | Enhancement | Target | Severity | Phase |
|---|---|---|---|---|
| E1 | Embedding Residue Tracking | IRD + RSIP | CRITICAL | 1–2 |
| E2 | Inference Provenance Chain | TCV | HIGH | 2 |
| E3 | Immutable Audit Commitment | CSEB | CRITICAL | 1–2 |
| E4 | Social Recovery Layer | KPC | HIGH | 2–3 |
| E5 | Query Canonicalization Shield | KQR | HIGH | 2 |
| E6 | Cascade Failure Fallback | ASP | HIGH | 2 |
Relationship to Frontier Security
Several enhancements serve as prerequisites for Frontier Security structures: E1 → N1 (CGS), E3 → N2 (FIL), E5 → N7 (CQN).