Security

Don't trust.
Verify.

Proofs — not promises. Local-first.

Run full Ghost demo Capabilities

AES-256 · Ed25519
Evidence log
Deterministic replay

Security Architecture — Seven Layers

Proof Layer

AI Evidence Log, Device-Signed Records, Hash Chain, Deterministic Replay, Fleet Attestation

Safety Layer

Input/Output Classification, PII Redaction, Injection Defense

Policy Layer

Policy-as-Code, RBAC, Cloud Escalation Rules, Retention Policies

Runtime Plane

ExecuTorch + Core ML + llama.cpp, Speculative Decoding, Dynamic Precision

Memory Plane

Encrypted SQLite + Vector Embeddings + Graph Links, FTS5

Routing Plane

5-State Degradation Ladder, Thermal/Battery/RAM-Aware Selection

Observability Layer

Ring Buffer Telemetry, Per-Inference Metrics, Crash Recovery

Foundation Security

Zero Network Architecture

All AI inference runs on-device using local models — zero API calls to external servers
Memory storage, retrieval, and search are entirely local (encrypted SQLite + FTS5 + vector embeddings)

+3 more technical details

Voice processing: Whisper STT and TTS run on-device — no cloud speech APIs
Routing, intent classification, and complexity scoring are local computations
The only network use: optional model downloads (CDN) and explicit cloud escalation (opt-in)

Encryption at Rest

All stored data encrypted with AES-256 (optional SQLCipher for full database encryption)
Encryption keys stored in iOS Secure Enclave / Android Keystore — hardware-backed, never exported

+3 more technical details

Key derivation uses platform-native secure random number generation
Database snapshots for model upgrade rollback are also encrypted
Wipe All performs cryptographic erasure — not just file deletion, but key destruction

Sync Encryption Layer

Multi-device sync uses X25519 key agreement for forward-secret session keys
Payloads encrypted with AES-256-GCM; relay server stores only ciphertext

+2 more technical details

Key material never leaves devices; we do not hold decryption keys
Optional key backup via user-controlled recovery mechanism

Model Integrity Verification

Every model bundle is signed with Ed25519 (keys in keys/model_signing.pub)
Signature verification runs before any model is loaded into memory

+3 more technical details

SHA-256 hash verification on individual model files within each bundle
Key rotation support: configurable signing policy with staged rollout
Atomic model activation with crash-safe VERIFIED sentinel — prevents partial loads

Input Security

Prompt injection defense via Gate classifier pre-filter (270M model, <50ms)
Input scanning with configurable safety thresholds and blocked categories

+3 more technical details

Content filters for harmful, illegal, and dangerous content
Automatic refusal templates for blocked requests
Emergency cached responses for critical safety scenarios

Proof Layer Security Architecture

AI Evidence Log — Cryptographic Trust Root

Every meaningful AI action generates a signed proof record in a tamper-evident, append-only evidence log
Device-level signing keypair generated in Secure Enclave / Android Keystore at first boot — private key never leaves hardware

+4 more technical details

Each record contains: model provenance, context fingerprint (SHA-256), memory references, policy constraints, locality flag, quality events, timing, device attestation
SHA-256 hash chain links each record to its predecessor — any modification breaks the chain and is detectable
Every record is digitally signed with the device's private key — independently verifiable by anyone with the public key
Exported proof bundles are self-contained evidence packages: chain integrity + digital signatures + record contents

Context Fingerprinting and Memory Boundary Proof

Context fingerprint: SHA-256 hash of the full context window sent to the model, proving exactly what was used without exposing raw content
Memory references: hashed identifiers of every memory object referenced during context construction

+3 more technical details

Three transparency modes: Simple (human-readable summaries), Advanced (full hashes and metadata), Paranoid (raw context + crypto data)
Policy constraints applied per response: cloud escalation rules, language enforcement, token budgets, role-based access — all logged by identifier and version
Transparency mode changes are themselves logged — creating a record of visibility level at any point in time

Deterministic Replay Verification

Proof records store: input, model version + quantization, system prompt hash, context hash, random seed, execution provider, output token ID hash
Replay loads the original model version from immutable archive, reconstructs context (hash-verified), runs inference with stored seed on same execution provider

+4 more technical details

Output verification hashes token ID sequence (integers) before detokenization — deterministic and robust against cosmetic string differences
Model archive: append-only, configurable retention (3-7+ years for regulated industries), SHA-256 hash registry verification before replay
Context retention with zstd compression (3-5x ratios) for long-term replay feasibility, encrypted at rest with device key
Mismatch on replay is flagged as a critical diagnostic event — indicating potential model corruption or hardware degradation

Fleet Attestation and Drift Detection

Each organization device periodically generates a signed fleet attestation heartbeat
Heartbeat contains: model hash inventory (verified against registry), policy version hash, proof chain head hash

+4 more technical details

If any device's heartbeat shows a mismatch — model drift, policy drift, or chain drift — the device is quarantined
Quarantined devices: no policy updates, no knowledge sync, restricted AI capabilities until resolution
Drift detection runs on every heartbeat — continuous compliance, not periodic audits
Organization admin panel verifies proof bundles from any device using the fleet's registered public keys

Sovereign AI Attestation Framework

On-demand signed compliance snapshots: model fleet, active policies, knowledge graph hash, cloud escalation history, violation log
Model registry attestation: every model on every device verified against approved registry — unapproved models flagged immediately

+3 more technical details

Cloud escalation proof: zero-cloud attestation for air-gapped deployments, or per-escalation documentation (reason, encrypted payload, provider, transit method)
Memory encryption key proof: key generation and usage logged by operation type, key export events would be logged if they ever occurred
Data residency attestation: enrollment policy + device attestation prove processing jurisdiction without location tracking

Policy-as-Code Engine

Declarative policy definitions enforced at runtime with cryptographic proof of enforcement for every policy, every time
Policies express: cloud restrictions, language enforcement, model restrictions, token budgets, content domain rules, memory access scopes, voice restrictions, retention windows

+4 more technical details

Enforcement: policies loaded at enrollment, synced on updates; orchestration layer checks before every AI action
Violations blocked and logged: which policy, what was attempted, what was blocked, what alternative was offered
Policy compliance reporting: enforcement events, exception requests, policy coverage, drift detection status
User-facing: clear explanations ('This conversation is subject to your organization's no-cloud policy. Here's what I can offer locally.')

Role-Based Access Control (RBAC)

Team and Organization tiers support configurable roles (admin, member, viewer)
Permissions govern memory visibility, sync settings, and policy changes
Least-privilege defaults; admins can scope access per group or project
Role changes and permission modifications logged in the AI Evidence Log with hash chain integrity

Privacy Guard

Automatic PII detection in all memory write operations
Configurable redaction: names, emails, phone numbers, addresses, financial data
Memory items can be individually viewed, edited, or deleted by the user
Full memory wipe with cryptographic erasure — key destruction, not just file deletion
No usage analytics, behavioral tracking, or telemetry transmitted externally

Cryptographic Trust Root

Device-level Ed25519 signing keypair for proof record signing and attestation
Keys held in Secure Enclave (iOS) / Android Keystore — hardware-backed, never exported
Hardware-backed signing: private key never leaves the secure element
Exportable public key for independent verification of proof bundles
Fleet key registration and revocation for enterprise: org admins register device public keys, revoke compromised or decommissioned devices

Recovery and Resilience

Per-tier crash quarantine: models that crash are isolated and excluded from future loads
Database health check on startup with automatic repair
Interrupted inference recovery — generates safe fallback if model crashes mid-response
Database snapshot/restore for safe rollback after model upgrades
42 unit tests covering security-critical paths including 25-cycle leak tests

Cloud Escalation — Honest and Transparent

TLS 1.3 in transit · non-retention by contract · fully logged · opt-in only

Escalation context

When cloud escalation occurs (opt-in only), Ghost provides radical transparency about what happened. No hand-waving. No misleading claims. Here is exactly what Ghost guarantees:

The cloud provider's endpoint terminates TLS, meaning the provider does see plaintext during inference. This is a contractual guarantee (non-retention), not a cryptographic one. We state this honestly because enterprises deserve precision, not hand-waving.

Encrypted in transit

TLS 1.3 for all cloud communication. Provider endpoint terminates TLS for inference processing.

Non-retained by contract

Cloud provider contractually agrees to not retain context or output. Processing is ephemeral.

Fully logged

Every escalation logged in the AI Evidence Log: reason, encrypted payload size, provider, transit method, timestamps.

User-controlled

Cloud escalation never happens without explicit user or organizational policy authorization. Visible in Proof Drawer.

Future: Confidential Computing

Roadmap detail

When Ghost adds confidential computing support, cloud inference will run inside hardware-attested Trusted Execution Environments (Intel SGX, AMD SEV, ARM CCA). Context processed in encrypted enclaves, never visible to the cloud provider in plaintext. TEE integrity attestation logged in the AI Evidence Log. This is a future phase — we don't claim it now.

Compliance and Attestation

Ghost generates signed compliance snapshots on demand: model fleet, active policies, knowledge graph hash, cloud escalation history, policy violation log. Exportable for auditors, regulators, or courts.

GDPR

On-device processing, cryptographic erasure, full user control, proof of locality

CCPA

No data collection or sale, user deletion with verification, zero third-party sharing

HIPAA

PHI locality proof, encryption key attestation, replayable clinical queries, audit export

SOC 2

Signed compliance snapshots, policy enforcement logs, deterministic replay, fleet attestation

FINRA

Deterministic replay of financial analysis, policy enforcement proof, audit-grade evidence records

FedRAMP

Zero-cloud attestation, fleet quarantine on drift, model registry verification, sovereign processing proof

ITAR

Data residency attestation, zero cloud contact certification, hardware-backed device attestation

Security Vulnerability Reporting

Found a security vulnerability? We take security seriously and respond within 48 hours.

security@ghostfied.com

Security Architecture — Seven Layers

Proof Layer

AI Evidence Log, Device-Signed Records, Hash Chain, Deterministic Replay, Fleet Attestation

Safety Layer

Input/Output Classification, PII Redaction, Injection Defense

Policy Layer

Policy-as-Code, RBAC, Cloud Escalation Rules, Retention Policies

Runtime Plane

ExecuTorch + Core ML + llama.cpp, Speculative Decoding, Dynamic Precision

Memory Plane

Encrypted SQLite + Vector Embeddings + Graph Links, FTS5

Routing Plane

5-State Degradation Ladder, Thermal/Battery/RAM-Aware Selection

Observability Layer

Ring Buffer Telemetry, Per-Inference Metrics, Crash Recovery

Foundation Security

Zero Network Architecture

All AI inference runs on-device using local models — zero API calls to external servers
Memory storage, retrieval, and search are entirely local (encrypted SQLite + FTS5 + vector embeddings)

+3 more technical details

Voice processing: Whisper STT and TTS run on-device — no cloud speech APIs
Routing, intent classification, and complexity scoring are local computations
The only network use: optional model downloads (CDN) and explicit cloud escalation (opt-in)

Encryption at Rest

All stored data encrypted with AES-256 (optional SQLCipher for full database encryption)
Encryption keys stored in iOS Secure Enclave / Android Keystore — hardware-backed, never exported

+3 more technical details

Key derivation uses platform-native secure random number generation
Database snapshots for model upgrade rollback are also encrypted
Wipe All performs cryptographic erasure — not just file deletion, but key destruction

Sync Encryption Layer

Multi-device sync uses X25519 key agreement for forward-secret session keys
Payloads encrypted with AES-256-GCM; relay server stores only ciphertext

+2 more technical details

Key material never leaves devices; we do not hold decryption keys
Optional key backup via user-controlled recovery mechanism

Model Integrity Verification

Every model bundle is signed with Ed25519 (keys in keys/model_signing.pub)
Signature verification runs before any model is loaded into memory

+3 more technical details

SHA-256 hash verification on individual model files within each bundle
Key rotation support: configurable signing policy with staged rollout
Atomic model activation with crash-safe VERIFIED sentinel — prevents partial loads

Input Security

Prompt injection defense via Gate classifier pre-filter (270M model, <50ms)
Input scanning with configurable safety thresholds and blocked categories

+3 more technical details

Content filters for harmful, illegal, and dangerous content
Automatic refusal templates for blocked requests
Emergency cached responses for critical safety scenarios

Proof Layer Security Architecture

AI Evidence Log — Cryptographic Trust Root

Every meaningful AI action generates a signed proof record in a tamper-evident, append-only evidence log
Device-level signing keypair generated in Secure Enclave / Android Keystore at first boot — private key never leaves hardware

+4 more technical details

Each record contains: model provenance, context fingerprint (SHA-256), memory references, policy constraints, locality flag, quality events, timing, device attestation
SHA-256 hash chain links each record to its predecessor — any modification breaks the chain and is detectable
Every record is digitally signed with the device's private key — independently verifiable by anyone with the public key
Exported proof bundles are self-contained evidence packages: chain integrity + digital signatures + record contents

Context Fingerprinting and Memory Boundary Proof

Context fingerprint: SHA-256 hash of the full context window sent to the model, proving exactly what was used without exposing raw content
Memory references: hashed identifiers of every memory object referenced during context construction

+3 more technical details

Three transparency modes: Simple (human-readable summaries), Advanced (full hashes and metadata), Paranoid (raw context + crypto data)
Policy constraints applied per response: cloud escalation rules, language enforcement, token budgets, role-based access — all logged by identifier and version
Transparency mode changes are themselves logged — creating a record of visibility level at any point in time

Deterministic Replay Verification

Proof records store: input, model version + quantization, system prompt hash, context hash, random seed, execution provider, output token ID hash
Replay loads the original model version from immutable archive, reconstructs context (hash-verified), runs inference with stored seed on same execution provider

+4 more technical details

Output verification hashes token ID sequence (integers) before detokenization — deterministic and robust against cosmetic string differences
Model archive: append-only, configurable retention (3-7+ years for regulated industries), SHA-256 hash registry verification before replay
Context retention with zstd compression (3-5x ratios) for long-term replay feasibility, encrypted at rest with device key
Mismatch on replay is flagged as a critical diagnostic event — indicating potential model corruption or hardware degradation

Fleet Attestation and Drift Detection

Each organization device periodically generates a signed fleet attestation heartbeat
Heartbeat contains: model hash inventory (verified against registry), policy version hash, proof chain head hash

+4 more technical details

If any device's heartbeat shows a mismatch — model drift, policy drift, or chain drift — the device is quarantined
Quarantined devices: no policy updates, no knowledge sync, restricted AI capabilities until resolution
Drift detection runs on every heartbeat — continuous compliance, not periodic audits
Organization admin panel verifies proof bundles from any device using the fleet's registered public keys

Sovereign AI Attestation Framework

On-demand signed compliance snapshots: model fleet, active policies, knowledge graph hash, cloud escalation history, violation log
Model registry attestation: every model on every device verified against approved registry — unapproved models flagged immediately

+3 more technical details

Cloud escalation proof: zero-cloud attestation for air-gapped deployments, or per-escalation documentation (reason, encrypted payload, provider, transit method)
Memory encryption key proof: key generation and usage logged by operation type, key export events would be logged if they ever occurred
Data residency attestation: enrollment policy + device attestation prove processing jurisdiction without location tracking

Policy-as-Code Engine

Declarative policy definitions enforced at runtime with cryptographic proof of enforcement for every policy, every time
Policies express: cloud restrictions, language enforcement, model restrictions, token budgets, content domain rules, memory access scopes, voice restrictions, retention windows

+4 more technical details

Enforcement: policies loaded at enrollment, synced on updates; orchestration layer checks before every AI action
Violations blocked and logged: which policy, what was attempted, what was blocked, what alternative was offered
Policy compliance reporting: enforcement events, exception requests, policy coverage, drift detection status
User-facing: clear explanations ('This conversation is subject to your organization's no-cloud policy. Here's what I can offer locally.')

Cloud Escalation — Honest and Transparent

TLS 1.3 in transit · non-retention by contract · fully logged · opt-in only

Escalation context

When cloud escalation occurs (opt-in only), Ghost provides radical transparency about what happened. No hand-waving. No misleading claims. Here is exactly what Ghost guarantees:

Encrypted in transit

TLS 1.3 for all cloud communication. Provider endpoint terminates TLS for inference processing.

Non-retained by contract

Cloud provider contractually agrees to not retain context or output. Processing is ephemeral.

Fully logged

Every escalation logged in the AI Evidence Log: reason, encrypted payload size, provider, transit method, timestamps.

User-controlled

Cloud escalation never happens without explicit user or organizational policy authorization. Visible in Proof Drawer.

Future: Confidential Computing

Roadmap detail

Compliance and Attestation

GDPR

On-device processing, cryptographic erasure, full user control, proof of locality

CCPA

No data collection or sale, user deletion with verification, zero third-party sharing

HIPAA

PHI locality proof, encryption key attestation, replayable clinical queries, audit export

SOC 2

Signed compliance snapshots, policy enforcement logs, deterministic replay, fleet attestation

FINRA

Deterministic replay of financial analysis, policy enforcement proof, audit-grade evidence records

FedRAMP

Zero-cloud attestation, fleet quarantine on drift, model registry verification, sovereign processing proof

ITAR

Data residency attestation, zero cloud contact certification, hardware-backed device attestation

Don't trust.Verify.

Security Architecture — Seven Layers

Foundation Security

Zero Network Architecture

Encryption at Rest

Sync Encryption Layer

Model Integrity Verification

Input Security

Proof Layer Security Architecture

AI Evidence Log — Cryptographic Trust Root

Context Fingerprinting and Memory Boundary Proof

Deterministic Replay Verification

Fleet Attestation and Drift Detection

Sovereign AI Attestation Framework

Policy-as-Code Engine

Role-Based Access Control (RBAC)

Privacy Guard

Cryptographic Trust Root

Recovery and Resilience

Cloud Escalation — Honest and Transparent

Future: Confidential Computing

Compliance and Attestation

Security Vulnerability Reporting

Don't trust.Verify.

Security Architecture — Seven Layers

Foundation Security

Zero Network Architecture

Encryption at Rest

Sync Encryption Layer

Model Integrity Verification

Input Security

Proof Layer Security Architecture

AI Evidence Log — Cryptographic Trust Root

Context Fingerprinting and Memory Boundary Proof

Deterministic Replay Verification

Fleet Attestation and Drift Detection

Sovereign AI Attestation Framework

Policy-as-Code Engine

Role-Based Access Control (RBAC)

Privacy Guard

Cryptographic Trust Root

Recovery and Resilience

Cloud Escalation — Honest and Transparent

Future: Confidential Computing

Compliance and Attestation

Security Vulnerability Reporting

Don't trust.
Verify.

Don't trust.
Verify.