Disclosure boundary
The publication guard runs at every public export site. Full candidate and family sequences are public when intentionally published; salts, embeddings, scoring internals, provider secrets, and local paths cannot cross into the public surface — the boundary is enforced in code, not in policy.
The publication guard runs on every write into the public export tree. A CI leak scanner runs a second pass across the export tree and the site scripts directory.
FIG · 04 · The deployed verification path
Stage 1 · Galen
Detects a publishable scientific record (RuntimeCycle, Hypothesis, Experiment, EvidenceBundle, Candidate, CandidateFamily, CandidateLineage, Thesis, AssayResult, Collection, ExternalSignal, ScientificAsset). Drafts a typed envelope against protean.ledger.v1.
Holds zero on-chain roles. Cannot sign or broadcast.
Stage 2 · Operator approval
Reviews the proposed envelope, binds it to a review_record_id, and issues a single-use 5-minute approval token.
Operational approval only. Does not grant treasury powers or bypass Ledger RBAC.
Stage 3 · Bankr automation wallet
Validates approval token, envelope, selector allow-list, spend policy, destination allow-list, and halt switch; signs and broadcasts to Base mainnet.
AUTOMATION_WRITER_ROLE only · per-tx + per-day spend caps · Ledger proxy destination allow-list.
Stage 4 · Protean Ledger
UUPS proxy at 0xE3c261F3…94cf5f0 on Base mainnet emits RecordRegistered + RecordContentEmitted (+ PublicationAttested and EdgeLinked for candidate/family publication).
17 RecordTypes · 20 RelationTypes · 10 LifecycleStates · 6 DisclosureStates.
Stage 5 · Public indexer + digest
scripts/index_ledger_from_genesis.py replays events into a sha256 state digest, served at /ledger/api/v1/indexer/digest.
Open source · reproducible from any Base RPC · 12-block confirmation window.
Stage 6 · Explorer + verification rails
Lens over indexed chain state at protean.sh/ledger; approved public replay artifacts replicate to GitHub and Gitlawb after public records land.
Read-only views. Authority lives upstream.
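The Stage 2 and Stage 3 checks above, sketched as an added example (not Protean's or Bankr's code): a single-use, 5-minute token bound to one envelope and one review_record_id, then the allow-list, spend-cap and halt-switch checks before anything is signed. `AutomationGate`, `Refused`, the HMAC token layout and the shared key are assumptions made for illustration.

```python
import hashlib, hmac, json

TOKEN_TTL_S = 300  # 5-minute approval window, as stated on the page

class Refused(Exception):
    """Any failed check refuses the broadcast; nothing is signed."""

class AutomationGate:
    # Assumption: one shared HMAC key for brevity. With separate principals an
    # operator signature would stop the automation side from minting tokens.
    def __init__(self, key, selectors, destinations, per_tx_cap, per_day_cap):
        self.key, self.selectors, self.destinations = key, selectors, destinations
        self.per_tx_cap, self.per_day_cap = per_tx_cap, per_day_cap
        self.used, self.spent_today, self.halted = set(), 0, False

    @staticmethod
    def envelope_digest(envelope):
        return hashlib.sha256(json.dumps(envelope, sort_keys=True).encode()).hexdigest()

    def issue(self, envelope, review_record_id, now):
        """Operator side: bind the token to one envelope and one review id (no '|')."""
        body = f"{self.envelope_digest(envelope)}|{review_record_id}|{int(now)}"
        mac = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{mac}"

    def authorize(self, token, envelope, tx, now):
        """Automation side: every check must pass before signing."""
        if self.halted:
            raise Refused("halt switch engaged")
        body, _, mac = token.rpartition("|")
        expected = hmac.new(self.key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            raise Refused("bad token MAC")
        digest, review_id, issued = body.split("|")
        if digest != self.envelope_digest(envelope):
            raise Refused("token not bound to this envelope")
        if not 0 <= now - int(issued) <= TOKEN_TTL_S:
            raise Refused("token expired")
        if token in self.used:
            raise Refused("token already used")
        if tx["selector"] not in self.selectors or tx["to"] not in self.destinations:
            raise Refused("selector or destination not allow-listed")
        if tx["value"] > self.per_tx_cap or self.spent_today + tx["value"] > self.per_day_cap:
            raise Refused("spend cap exceeded")
        self.used.add(token)
        self.spent_today += tx["value"]
        return review_id
```

The token is marked used and the daily total is updated only after every check passes, so a refused request consumes neither.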
Protected surface · additional contract role gates
Operator approval is necessary for every Bankr broadcast, but the actions below also require on-chain roles or timelocks that Bankr does not hold.
- IPAsset: requires IP_DECLARANT_ROLE · Bankr does not hold it
- RetractionNotice / proposeRetraction / executeRetraction: treasury-only RETRACTOR_ROLE · 24h timelock
- Governance / role grants / role revocations: treasury-only DEFAULT_ADMIN_ROLE
- Upgrades / pause / unpause: treasury-only UPGRADER_ROLE / PAUSER_ROLE
- setLifecycle / setDisclosure on prior records: operator-only mutation of observable state
- revokeLineage: operator-only — can deny prior science
Role separation · three principals · no overlap
- Treasury (proteanlabs.base.eth): DEFAULT_ADMIN_ROLE · UPGRADER_ROLE · PAUSER_ROLE · RETRACTOR_ROLE · LINEAGE_REVOKER_ROLE · IP_DECLARANT_ROLE
- Operator (0x827Ba9…9C2C7): OPERATOR_WRITER_ROLE · PAUSER_ROLE · LINEAGE_REVOKER_ROLE · IP_DECLARANT_ROLE where granted
- Bankr (spend-capped automation wallet): AUTOMATION_WRITER_ROLE only
Operator compromise is not governance compromise.
Disclosure boundary · what crosses the publication guard
- Private: Private salts, embeddings, scoring internals, provider secrets, unfiled IP. Never leave the operator runtime.
- Reviewed: Draft envelopes pass through the publication guard before any public write. Full published sequences are allowed; salts, internals, and local paths fail closed.
- Public on chain: Typed records and publication attestations carry plaintext sequence provenance, lineage, operator attribution, and content-addressed digests on the Ledger. No secrets.
Private by default
The following are private vault contents. None leave the runtime without explicit human review, and none appear in any file in the public export tree.
- private commitment salts
- selected batches and review-gated candidate cohorts
- scoring weight internals and adaptive deltas
- embedding vectors (text and sequence)
- failure logs and contradiction records
- internal papers and unreviewed assessments
- unfiled invention material and IP work product
- unreleased assay data and provider packets
- local runtime paths and operator artifacts
Public after review
The public artifact layer exposes reviewed, content-addressed projections of the runtime's state. Each is gated by the publication guard at write time and by the leak scanner at CI time.
- typed records on the Protean Ledger (Hypothesis, Experiment, EvidenceBundle, Candidate, Thesis, RuntimeCycle, ScientificAsset, IPAsset, plus six more)
- full candidate and candidate-family sequences for intentionally published records
- salted candidate commitments and sequence hashes beside, not instead of, the sequence
- per-record replayPointer artifacts on GitHub (proteanlabs1/ledger-mirror) and Gitlawb (protean-ledger, protean-papers, protean-governance, protean-research)
- lineage summaries and typed lineage edges (DerivedFrom, Tests, Supports, Contradicts, Supersedes, Retracts, ParentOf, ChildOf, MemberOfFamily, and more)
- lifecycle state and disclosure state
- reviewed public papers and reviewed collection manifests, surfaced as Thesis and Collection records
Disclosure state
The Protean Ledger defines six deployed DisclosureState values: PrivateCommitmentOnly, RedactedPublic, CounselReviewed, PatentPending, Public, and Retracted. Private drafts that have not been registered yet are proposal state in the private runtime, not an on-chain disclosure value. Disclosure changes after registration are explicit Ledger mutations and emit DisclosureChanged.
The states correspond to the review sites that gate them:
- PrivateCommitmentOnly — historical or unpublished record contains only commitment-safe content.
- RedactedPublic — legacy public record has redacted public content.
- CounselReviewed — counsel-reviewed disclosure state.
- PatentPending — public-safe state during provisional-IP handling.
- Public — the record is fully disclosed to the public surface.
- Retracted — the treasury wallet has executed a RETRACTOR_ROLE retraction; the record stays on chain but is publicly marked retracted.
How publication safety is enforced
The publication guard is a function, not a policy. Every public payload — every file destined for the public export tree — passes through the guard before write. The guard inspects:
- key names against a blocked list (any key containing "salt", "private", etc.)
- value types against the schema for the destination file
- presence of absolute filesystem paths, home-relative paths, or internal repo paths
If any check fails, the write is refused — the function raises rather than returning a sanitized payload. The CI leak scanner runs a second pass over the entire export tree as defence in depth.
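A guard of the kind described above, as an added example rather than Protean's implementation: it checks key names, destination-schema types and embedded filesystem paths, and raises instead of stripping the offending field. `PublicationBlocked`, `CANDIDATE_SCHEMA`, the blocklist entries beyond "salt" and "private", and the path pattern are assumptions.

```python
import re

class PublicationBlocked(Exception):
    """Raised instead of returning a sanitized payload."""

# "salt" and "private" come from the page; the other entries are assumed.
BLOCKED_KEY_PARTS = ("salt", "private", "secret", "embedding", "scoring")
# Absolute, home-relative and Windows drive paths. Internal repo prefixes
# would be added per deployment (not shown).
PATH_RE = re.compile(r"(?:^|[\s=:(,])(?:~/|/(?:home|Users|root|var|tmp|opt|etc)/|[A-Za-z]:\\)")
# Hypothetical schema for one destination file: key -> required type.
CANDIDATE_SCHEMA = {"record_id": str, "sequence": str, "sequence_sha256": str, "lineage": list}

def _walk(value, trail="$"):
    """Yield (trail, key, leaf) for every nested key and every leaf value."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield trail, k, None
            yield from _walk(v, f"{trail}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _walk(v, f"{trail}[{i}]")
    else:
        yield trail, None, value

def guard(payload, schema):
    """Return the payload unchanged if publishable; raise otherwise."""
    if set(payload) != set(schema):
        raise PublicationBlocked(f"keys differ from schema: {sorted(set(payload) ^ set(schema))}")
    for key, expected in schema.items():
        if type(payload[key]) is not expected:
            raise PublicationBlocked(f"{key}: expected {expected.__name__}")
    for trail, key, leaf in _walk(payload):
        if key is not None and any(part in key.lower() for part in BLOCKED_KEY_PARTS):
            raise PublicationBlocked(f"blocked key {key!r} at {trail}")
        if isinstance(leaf, str) and PATH_RE.search(leaf):
            raise PublicationBlocked(f"filesystem path in value at {trail}")
    return payload
```

Because the guard walks nested structures, a blocked key inside a lineage entry is refused just like one at the top level.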
The publication gate
The canonical workflow DAG contains an explicit prepare_provenance step that is gated by review_gate: publication_intent_required AND failure_policy: block. Nothing reaches the public export without that gate clearing.
private runtime
-> publication guard
-> founder / scientific review
-> counsel review (when candidate-specific)
-> public export write
-> CI leak scanner
-> operator approval
-> Bankr
-> Protean Ledger
-> events
-> indexer + Digest
-> Explorer / GitHub mirror / Gitlawb mirror
What public proof is not
The boundary is the system's main claim about itself. Private salts and scoring internals stay private. Public sequences, provenance, and proof become infrastructure. Both are enforced in code.
