DTPE in one sentence:
A deterministic runtime that produces cryptographic evidence proving an automated decision followed policy.
Example workflow:
request → policy snapshot → authority snapshot → decision → receipt → ledger → offline verification
Run the demo:
python -m tools.run_demoExpected output:
PASS: verified 1 ledger record(s)
DTPE demonstrates that automated decisions can produce cryptographic evidence showing they complied with governing policy.
The runtime produces:
- deterministic execution decisions
- canonical receipts
- signed authority records
- append-only ledger evidence
- independent offline verification
The included demo executes a request through the runtime, produces a governance receipt, appends a ledger record, and verifies the evidence independently.
If verification succeeds, the system prints:
PASS: verified ledger record(s)
This confirms that the decision evidence can be reproduced and validated without trusting the runtime that generated it.
DTPE / IAL / SPECTRE defines a deterministic governance architecture for automated systems.
DTPE
Delegated Task Provenance Engine
IAL
Identity Accountability Layer
SPECTRE
Systemic Policy Enforcement, Containment, and Traceability Runtime Engine
Reference implementation:
DTPE / IAL / SPECTRE-001
The architecture separates three responsibilities:
Identity and task provenance (DTPE)
Accountability binding and intent verification (IAL)
Policy enforcement and cryptographic traceability (SPECTRE)
Conceptual flow:
Identity
→ Delegated Task Provenance (DTPE)
→ Identity Accountability Binding (IAL)
→ Policy Enforcement Runtime (SPECTRE)
→ Canonical Receipt
→ Ledger Evidence
→ Independent Verification
DTPE is a deterministic governance runtime that produces cryptographic evidence that automated decisions follow policy.
The system enforces policy during execution and produces verifiable artifacts that allow an independent party to confirm that the decision process complied with the governing policy.
Unlike traditional logging systems, DTPE generates canonical receipts and ledger evidence that can be verified offline without trusting the system that produced them.
DTPE provides:
- deterministic execution decisions
- policy snapshot binding
- authority snapshot binding
- cryptographic signatures
- canonical receipt generation
- append-only ledger evidence
- offline verification of decisions
Every decision executed through the runtime produces evidence that can be independently verified.
Current governance approaches for automated systems rely on:
- logging
- internal controls
- policy documents
- trust in system operators
These methods make it difficult to prove that a decision actually followed policy.
DTPE addresses this problem by producing deterministic, cryptographically verifiable governance artifacts.
This allows auditors, regulators, and independent systems to confirm that decisions were executed according to policy.
flowchart TD
A[Request] --> B[Policy Snapshot]
B --> C[Authority Snapshot]
C --> D[Execution Decision]
D --> E[Canonical Receipt]
E --> F[Ledger Append]
F --> G[Offline Verification]
G --> H[Independent Trust]
This pipeline produces deterministic governance artifacts that can be verified independently from the runtime that generated them.
The runtime enforces governance through a deterministic pipeline.
Execution flow:
Request
→ Policy snapshot
→ Authority snapshot
→ Execution decision
→ Canonical receipt
→ Ledger entry
→ Offline verification
Each step produces deterministic artifacts that can be reproduced and validated independently.
DTPE uses policy-defined cryptographic profiles.
Policy determines:
- which cryptographic profile is active
- which profiles are permitted
- when migrations between profiles are allowed
This allows cryptographic migration and algorithm agility without modifying runtime logic.
Example profiles:
- ed25519+sha256+canonical_json_v1
- ml_dsa_65+sha384+canonical_json_v1
The system is designed to support post-quantum cryptography migration.
Runtime implementation for:
- execution pipeline
- policy snapshot construction
- authority snapshot construction
- receipt generation
- cryptographic verification
Utilities including:
- deterministic ledger verification
- runtime tests
Example runtime data including:
- identity registry
- policy definitions
Architecture documentation and system specifications.
The repository includes a minimal demonstration.
Step 1: Execute a request through the runtime.
Step 2: Verify the resulting ledger.
The verification tool recomputes hashes and cryptographic signatures to confirm the ledger evidence.
Expected result:
PASS: verified 1 ledger record(s)
The verification tool validates:
- receipt canonicalization
- receipt hashes
- authority signatures
- policy snapshot hashes
- ledger hash chain integrity
Verification can be performed independently without trusting the runtime that produced the artifacts.
DTPE is built around several invariants:
- deterministic execution
- canonical serialization
- cryptographic authority binding
- verifiable ledger evidence
- independent offline verification
If any invariant fails, execution is refused as non-binding.
Current runtime capabilities include:
- deterministic execution pipeline
- policy-governed cryptographic profiles
- authority signature generation
- receipt generation
- append-only ledger evidence
- offline verification
Future work includes expanded identity models and additional cryptographic profile support.