Technical Reference

Complete specification — invariants, schemas, APIs, stage types, and gap taxonomy.

System Invariants

No content transit. Raw inputs/outputs, model weights, PII never leave the customer environment. Only commitment hashes transit to api.primust.com. For Bounded Inference: only merkle_root transits — per-operator outputs stay in customer environment.
Fail open, fail honest. Primust failures do not block customer pipelines. All failures become gaps.
Weakest-link proof level. proof_level_floor = minimum across all records. DERIVED — never set manually.
Gaps recorded honestly. detectable_from_surface: false means "unknown" not "ungoverned."
Domain-neutral core. No agent_id, tool_name, trace, pipeline_id in core schema.
Promotion gates in code. P1 → SHAREABLE impossible without override + watermark.
Manifest hash per record. Every CheckExecutionRecord stores manifest_hash at time of execution.
Customer private key never leaves customer environment. BYOK signing: Primust calls customer signing endpoint with payload.
upstream_vpec_verify proof ceiling is Mathematical. Ed25519 verification is deterministic. Never downgrade.
Bounded Inference profiles are Primust-signed. Profile signature verifiable offline against Primust public key. Tampered profile is detectable.

Proof Levels

Level	Enum	Mechanism	Trust required	Examples
Mathematical	`mathematical`	Noir, UltraHonk, Modal CPU	None — pure math	Regex, allowlist, threshold, OPA local, Cedar, Drools, ODM, decision path (XGBoost/RF/logistic), Ed25519 verify
Verifiable Inference	`verifiable_inference`	ONNX-to-circuit (EZKL), Modal GPU	Trust model weights	MLP classification heads <263K params only. Full transformers fail EZKL.
Bounded Inference	`operator_bound`	Per-operator Merkle + signed drift profile	Trust the measurement	HuggingFace transformers (any size), DistilBERT, BERT, RoBERTa, DeBERTa
Execution	`execution`	Model-hash-binding circuit	Trust the model (public, auditable)	Named ML model, pinned LLM API, custom code (hash-bound)
Witnessed	`witnessed`	Two RFC 3161 + Ed25519 sig	Trust reviewer identity	Human review (human_approval stage), lightweight approval (acknowledged stage)
Attestation	`attestation`	Invocation-binding circuit	Trust process owner's word	Opaque process, OTEL records, hosted ML APIs (AWS Comprehend etc.)

Stage Types

Stage type	Proof ceiling	Notes
`deterministic_rule`	Mathematical	Regex, allowlist, threshold, formula
`policy_engine`	Mathematical (local) / Attestation (remote)	OPA, Cedar, Drools, IBM ODM. Local eval = Mathematical. Remote = Attestation.
`statistical_test`	Mathematical (deterministic) / Execution	OLS, GARCH: Mathematical. Sampling/bootstrapping: Execution.
`decision_path_model`	Mathematical	XGBoost, RandomForest, logistic regression, linear SVM. Decision path committed as arithmetic constraints. Auto-inferred by SDK from sklearn/xgboost object types.
`zkml_model`	Verifiable Inference	MLP heads <263K params. EZKL circuit. Tier 2 — demand-gated.
`bound_committed_inference`	Bounded Inference (`operator_bound`)	HuggingFace transformers with Primust profile. Auto-inferred from transformers.Pipeline objects. Includes auto boundary_rule decomposition.
`open_source_ml`	Execution	Shallow neural nets, open weight LLMs, any ML model without a profile.
`llm_api`	Execution (pinned) / Attestation	Closed LLM APIs, self-hosted APIs. Pinned = Execution. Unpinned or hosted API = Attestation.
`boundary_rule`	Wraps another stage type	Adds Mathematical pre/post conditions around any stage type. Auto-applied by SDK for bound_committed_inference and llm_api.
`human_approval`	Witnessed	Full: Ed25519 keypair, display_hash, dual RFC 3161, min_review_seconds.
`acknowledged`	Witnessed	Lightweight: OAuth identity hash, challenge hash, single RFC 3161. 30-min setup. Same proof_level enum as human_approval.
`upstream_vpec_verify`	Mathematical	Ed25519 verification is deterministic. Proof ceiling never downgraded.
`custom_code`	Execution (hash-bound) / Attestation	Customer code. Hash-bound = Execution. No hash = Attestation.

Data Flow — What Transits Primust

{
  "run_id": "...",
  "workflow_id": "...",
  "policy_snapshot_hash": "sha256:...",
  "manifest_hashes": ["sha256:...", "sha256:..."],
  "check_execution_records": [
    {
      "manifest_id": "sha256:...",
      "input_commitment_hash": "poseidon2:...",
      "output_commitment_hash": "poseidon2:...",
      "check_result": "pass",
      "proof_level_achieved": "operator_bound",
      "merkle_root": "sha256:...",       ← Bounded Inference only
      "profile_id": "primust/distilbert-class/v1.2.0",  ← Bounded Inference only
      "gpu_class": "a10g",               ← Bounded Inference only
      "actor_id": "user_uuid | null",
      "explanation_commitment": "poseidon2:hex | null",
      "bias_audit": { ... } | null
    }
  ],
  "activity_chain": {
    "record_count": 47,
    "chain_root": "sha256:...",
    "governance_decision_summary": {"allowed": 45, "blocked": 2, "modified": 0}
  },
  "gaps": []
}

Never transits Primust: raw inputs/outputs, model weights, individual AgentActivityRecords, reviewer display content or rationale text, matched PII/secret values, per-operator ML outputs (only merkle_root for Bounded Inference), explanation text (only poseidon2 commitment hash), actual bias audit disparity values (only commitment hash).

API Endpoints

Base URL: https://api.primust.com. SDK endpoints use Authorization: Bearer pk_sb_xxx (sandbox) or pk_live_xxx (production). Dashboard endpoints use JWT.

Run Lifecycle

Method	Endpoint	Description
`POST`	`/api/v1/runs`	Start a run. Body: `workflow_id`, `policy_pack_id`. Returns `run_id`, `policy_snapshot_hash`.
`GET`	`/api/v1/runs/:id`	Get run status and summary.
`POST`	`/api/v1/runs/:id/records`	Commit a check execution record. Returns `record_id`, `chain_hash`.
`POST`	`/api/v1/runs/:id/close`	Seal the run — triggers VPEC issuance. Returns the VPEC.

VPECs & Evidence Packs

Method	Endpoint	Description
`GET`	`/api/v1/vpecs/:id`	Retrieve a VPEC by ID.
`POST`	`/api/v1/packs`	Assemble Evidence Pack from VPEC IDs.
`POST`	`/api/v1/evidence-packs/:id/report`	Generate signed PDF audit report. P1 packs watermarked.

Model Profile Registry

Method	Endpoint	Description
`GET`	`/api/v1/registry/profiles`	List all available profiles. Optional `?model_hash=` filter — includes operator thresholds when filtered.
`GET`	`/api/v1/registry/lookup?hash={onnx_model_hash}`	Lookup profile by model hash. Returns profile_id or 404.
`POST`	`/api/v1/registry/calibration-requests`	Submit a model for calibration. Returns `request_id`. SLA: 7d standard, 48h Enterprise.

Analytics

Method	Endpoint	Description
`GET`	`/api/v1/analytics/check-summary`	Per check_id aggregates. Includes `upgrade_available` signal, `inferred_ceiling`, six-level proof distribution.
`GET`	`/api/v1/analytics/enforcement-summary`	Governance decision aggregates from VPEC `governance_decision_summary` fields — not activity stores.
`GET`	`/api/v1/analytics/proof-trend`	Per-day provable_surface_breakdown. Period: 30\|90\|365 days. Includes drift_events count.

Incident Packages

Method	Endpoint	Description
`POST`	`/api/v1/incident-packages`	Assemble signed incident package for a run_id. Returns `package_id`, `download_url`. Package signed by Ed25519 + RFC 3161.
`GET`	`/api/v1/incident-packages`	List incident packages for org. Optional `?workflow_id=` filter.

Policy & Manifests

Method	Endpoint	Description
`GET`	`/api/v1/policy/bundles`	List all policy bundles (7 built-in + org custom).
`POST`	`/api/v1/manifests`	Register manifest. Content-addressed — `manifest_id = sha256(canonical(manifest_json))`.
`GET`	`/api/v1/manifests/:id`	Get manifest. No auth required.

BYOK & Auth

Method	Endpoint	Description
`POST`	`/api/v1/org/signing-keys`	Register Ed25519 BYOK public key.
`POST`	`/api/v1/org/signing-keys/:id/verify`	Challenge-response key activation.
`GET`	`/.well-known/primust-pubkey.pem`	Serve public key by key ID. Used by primust-verify for online key resolution.
`GET`	`/api/v1/health`	Returns `{"status":"ok","db":"ok","kms":{"us":"ok","eu":"ok"}}`

VPEC Schema (v6.0.0)

{
  "vpec_id": "vpec_a1b2c3...",
  "schema_version": "6.0.0",
  "org_id": "org_x9y8z7",
  "run_id": "run_8f3a2b...",
  "workflow_id": "loan-underwriting-v3",
  "policy_snapshot_hash": "sha256:...",
  "environment": "production",          // "sandbox" | "production" — NOT test_mode
  "partial": false,
  "state": "signed",
  "proof_level_floor": "operator_bound",  // weakest-link, DERIVED — never set manually
  "provable_surface": 0.87,              // hero metric — NOT coverage_verified_pct
  "provable_surface_breakdown": {
    "mathematical": 0.52,
    "verifiable_inference": 0.00,
    "bounded_inference": 0.18,           // NEW in v6 — Bounded Inference share
    "execution": 0.12,
    "witnessed": 0.05,
    "attestation": 0.00
  },
  "provable_surface_pending": 0.00,      // verifiable_inference proofs in-flight
  "provable_surface_ungoverned": 0.05,   // manifest checks with no record this run
  "provable_surface_basis": "executed_records",  // | "manifest_checks"
  "provable_surface_suppressed": false,
  "gaps": [],                            // NOT governance_gaps — that name is banned
  "merkle_root": "sha256:...",           // present on bound_committed_inference VPECs only
  "profile_id": "primust/distilbert-class/v1.2.0",  // same
  "issuer": { "issuer_id": "primust.com", "issuer_type": "platform" },
  "signature": {
    "algorithm": "Ed25519",
    "public_key_id": "key_m3n4o5",
    "trust_anchor_url": "https://primust.com/.well-known/primust-pubkey.pem",
    "value": "base64..."
  },
  "timestamp_anchor": { "method": "rfc3161", "value": "base64..." },
  "issued_at": "2026-03-17T14:23:01Z"
}

Banned field names

proof_level (single field) → use proof_level_floor
governance_gaps → use gaps
coverage_verified_pct → use provable_surface
proof_distribution / proof_level_breakdown → use provable_surface_breakdown
test_mode → use environment: "sandbox"
pk_test_xxx → use pk_sb_xxx

Check Execution Record

{
  "record_id": "rec_f1g2h3...",
  "run_id": "run_8f3a2b...",
  "manifest_id": "sha256:...",
  "manifest_hash": "sha256:...",
  "input_commitment_hash": "poseidon2:...",
  "output_commitment_hash": "poseidon2:...",
  "commitment_algorithm": "poseidon2",
  "check_result": "pass",
  "proof_level_achieved": "operator_bound",
  "merkle_root": "sha256:...",           // bound_committed_inference only
  "profile_id": "primust/distilbert-class/v1.2.0",  // same
  "gpu_class": "a10g",                   // same
  "operator_count": 48,                  // same
  "actor_id": "user_550e8400 | null",
  "explanation_commitment": "poseidon2:hex | null",
  "bias_audit": { ... } | null,
  "chain_hash": "sha256:...",
  "check_open_tst": "2026-03-17T14:22:18.003Z",
  "check_close_tst": "2026-03-17T14:22:18.145Z",
  "idempotency_key": "idem_a1b2c3..."
}

check_result values
`pass`	Check passed
`fail`	Check failed — gap recorded
`error`	Check threw an exception
`skipped`	Check explicitly skipped with rationale
`degraded`	Check ran in reduced mode

Model Profile Schema

{
  "profile_id": "primust/distilbert-class/v1.2.0",
  "model_class": "distilbert",
  "architecture": "DistilBertForSequenceClassification",
  "calibrated_gpu_classes": ["cpu", "a10g", "a100", "h100"],
  "calibration_passes": 1000,
  "calibration_date": "2026-03-17",
  "safety_margin": 2.0,
  "operators": {
    "Linear":    { "p99": 2.86e-4, "p99_9": 5.49e-4, "p99_99": 7.93e-4 },
    "LayerNorm": { "p99": 3.19e-5, "p99_9": 3.91e-5, "p99_99": 4.23e-5 },
    "Softmax":   { "p99": 4.59e-6, "p99_9": 5.78e-6, "p99_99": 7.55e-6 },
    "GELU":      { "p99": 3.43e-5, "p99_9": 4.20e-5, "p99_99": 4.96e-5 },
    "Dropout":   { "p99": 4.88e-4, "p99_9": 7.32e-4, "p99_99": 9.52e-4 }
  },
  "profile_signature": "Ed25519:...",
  "signed_by": "primust.com/.well-known/primust-pubkey.pem"
}

Gap Taxonomy — 49 Types

Core (22)

gap_type	Severity	Description
`check_not_executed`	High	A declared check was not executed during the run
`enforcement_override`	Critical	Check enforcement was overridden
`engine_error`	High	Governance engine encountered an error
`check_degraded`	Medium	Check ran in degraded mode
`external_boundary_traversal`	High	Data crossed an external boundary without governance instrumentation
`lineage_token_missing`	High	Delegation handoff missing lineage token
`admission_gate_override`	Critical	Admission gate bypassed or overridden
`check_timing_suspect`	Medium	Review duration below minimum threshold — possible rubber-stamping
`reviewer_credential_invalid`	Critical	Reviewer credential failed validation (expired, revoked, or malformed)
`witnessed_display_missing`	High	Witnessed record lacks display_hash proving what reviewer saw
`witnessed_rationale_missing`	High	Witnessed record lacks rationale_hash
`witnessed_timestamp_invalid`	High	Witnessed record has invalid or tampered timestamp
`deterministic_consistency_violation`	Critical	Same input produced different check results across runs
`skip_rationale_missing`	High	Check skipped without skip_rationale_hash
`policy_config_drift`	Medium	Policy configuration changed between manifest snapshot and execution
`proof_level_floor_breach`	Critical	Record proof level below policy bundle's declared minimum floor
`zkml_proof_pending_timeout`	Medium	EZKL proof generation timed out
`zkml_proof_failed`	High	EZKL proof generation failed
`system_error`	High	Unrecoverable system error during governance processing
`sla_breach`	Medium	Governance SLA target not met
`explanation_missing`	Medium	AI decision lacks explanation commitment (required when compliance_requirements set)
`bias_audit_missing`	High	Decision on protected categories lacks bias audit record

System Availability (1)

gap_type	Severity	Description
`system_unavailable`	High	Primust API unreachable — SDK queued locally, queue lost or TTL expired. Distinct from system_error.

Unstructured Check (1)

gap_type	Severity	Notes
`archetype_unmapped`	Medium	custom_check VPEC exists but compliance officer has not mapped it. Auto-resolves on officer mapping.

Cross-Org Verification (7)

gap_type	Severity
`upstream_vpec_invalid_signature`	Critical
`upstream_vpec_sandbox`	High
`upstream_vpec_key_revoked`	High
`upstream_vpec_insufficient_proof_level`	High
`upstream_vpec_missing_claim`	Medium
`upstream_vpec_issuer_mismatch`	Critical
`upstream_vpec_missing`	High

Profile Registry (1 — new in v15)

gap_type	Severity	Description
`model_profile_missing`	Medium	`bound_committed_inference` stage type declared or inferred but no Primust-signed profile exists for `onnx_model_hash`. Check falls back to Execution. Auto-resolves when Primust publishes a profile or customer submits for calibration. SDK advisory: "upgrade to Bounded Inference at app.primust.com/policy/registry."

Connector-Specific (16)

Pattern: {platform}_api_error (High) = vendor API unreachable or 5xx. {platform}_auth_failure (Critical) = vendor API 401/403.

Platforms: complyadvantage, actimize, blaze, odm, falcon, pega, wolters_kluwer, guidewire — each with _api_error and _auth_failure variants.

Not gaps

check_candidate findings from primust scan are scan advisories — NOT gap types. They do not appear in the VPEC gaps array and do not affect provable_surface.

Package Inventory

SDKs

Package	Language	Registry	Status
`primust`	Python	PyPI	Live 1.0.0
`primust-ai`	Python	PyPI	Live 1.0.0 — autoinstrument(), autoinstrument-level model detection
`@primust/sdk`	TypeScript	npm	Live 1.0.0
`com.primust:primust-sdk`	Java	Maven Central	Published 1.0.0

Open Source

Package	Language	License	Description
`primust-verify`	Python	Apache-2.0	Offline VPEC verifier CLI. Free forever. No account required.
`primust-checks`	Python	Apache-2.0	Open-source check harness. Run checks locally, prove they ran with Primust. 8 built-in checks, 7 bundles.

AI Framework Adapters

Package	Target	Tests	Status
`primust-langgraph`	LangGraph	14	Live 1.0.0
`primust-openai-agents`	OpenAI Agents SDK	14	Live 1.0.0
`primust-google-adk`	Google ADK	14	Live 1.0.0
`primust-otel`	OpenTelemetry	14	Live 1.0.0
`@primust/otel`	OpenTelemetry (TS)	—	Live 1.0.0

Rule Engine Adapters (Mathematical ceiling)

Package	Target	Proof ceiling	Status
`primust-cedar`	AWS Cedar	Mathematical (eval())	Maven Central 1.0.1. GREEN.
`primust-drools`	Red Hat Drools	Mathematical (eval() + Map facts)	Maven Central 1.0.1. GREEN.
`primust-odm`	IBM ODM	Mathematical (eval() via IlrSessionFactory)	Maven Central 1.1.0. GREEN. Real ODM runtime verified.
`primust-opa`	OPA v1.4.2	Mathematical (local) / Attestation (remote)	pkg.go.dev v1.0.1. GREEN. Gap-aware.

Regulated Connectors

primust-connectors (Apache-2.0) — 7 Python REST connectors, 321 tests. All Attestation ceiling (REST wrappers). Mathematical ceiling requires Java in-process SDK with vendor SDK licenses.

Connector	Tests
Guidewire ClaimCenter	38
ComplyAdvantage	48
NICE Actimize	51
FICO Blaze + IBM ODM	41
FICO Falcon	45
Pega CDH	46
Wolters Kluwer UpToDate	46

Infrastructure

Component	Provider
API hosting	Fly.io — always-on, dual-region
Database	Neon Postgres — US (aws-us-east-1) + EU (aws-eu-central-1)
Signing	GCP KMS Ed25519 — HSM-backed, dual-region
ZK proving	Modal — CPU (Noir/nargo) + GPU (EZKL, Tier 2)
Artifact storage	Cloudflare R2 — US + EU buckets
Frontend	Vercel — app.primust.com, verify.primust.com, primust.com
Docs	Mintlify — docs.primust.com