YinkoShield

knowledge center / theme 05

evidence architecture

The positive technical proposition — what we sign, and how.

How execution evidence is built, end-to-end. The append-only ledger that holds each event. The forward chain that lets a verifier detect drop, edit, replay without coordinating with the device's clock. The TEE-resident keypair that signs every record. The custody boundary between device, operator, and regulator. And the cut between signal and verdict that keeps decision authority with the operator. Six articles across four primitives.

6 articles · technical reference · cite as published

four primitives · capture · record · sign · cross

The evidence path runs top-to-bottom across four layers. Each layer expands into one or two articles below.

[ evidence architecture · capture → record → sign → cross ]

event capture · Trusted Runtime Primitive
interposes on the security-relevant call paths · emits typed signals at each significant event
overlay · debugger · hook · boot · binding · network · code

append-only ledger · forward-chained
prev_hash · seq · boot_id · payload — local mutation breaks the chain at verification
on-device replay corpus · queryable per tctx

signing · TEE / Secure Enclave keypair
ES256 (RFC 6979 deterministic) · priv_key non-exportable · pub_key registered once at bootstrap
priv_key never crosses the device boundary

operator boundary · signal vs verdict
Evidence Token crosses (signed) · operator decides verdicts (policy) · one stream, many regimes
composes into existing auth, fraud, AML, dispute pipelines

Four primitives, top-to-bottom: capture (TRP) → record (append-only ledger) → sign (TEE keypair) → cross (signed token, private key never). Theme 5 expands each band into one article.
six primitives · layer · primitive · entry

Each row maps an article to the layer of the evidence path it expands and the primitive it covers.

articles in this theme

type · depth · audience
  1. 01 · 2026·03
    explainer intermediate architect developer

    Append-only hash-linked ledgers — structure and storage semantics

    Append-only and hash-linked is the data-structure choice that makes any local mutation break a global invariant the verifier checks without trusting the device.


  2. 02 · 2026·03
    explainer intermediate architect developer

    Forward chaining — three independent invariants for drop, edit, replay

    Three independent invariants — prev_hash, monotonic seq, single boot_id — surface drop, edit, reorder, and replay locally; no clock, no cross-device coordination.


  3. 03 · 2026·03
    explainer intermediate security architect

    Self-signing devices — TEE-resident keypair semantics

    Each device generates an ES256 keypair inside the TEE; the private key is non-exportable; signing is what makes the record portable across operator and regulator.


  4. 04 · 2026·03
    explainer intermediate security regulatory

    Local key custody — what the device retains, what the operator never holds

    Three concentric custody regions: device holds the private key, operator holds the public-key registry plus verifier, YinkoShield holds none of it.


  5. 05 · 2026·03
    explainer intermediate architect developer

    Host-side correlation — composing signed evidence with operator pipelines

    EEI does not replace authentication, fraud, AML, or dispute. It gives each of those four pipelines a signed device-side column they did not have before.


  6. 06 · 2026·04
    explainer entry architect regulatory

    Signal / verdict separation — the substrate observes, the operator decides

    The substrate signs signals; the operator decides verdicts. One signal stream feeds many policy regimes — re-policed and replayed without re-signing.
