Capabilities
What TCD Proof checks, records, and verifies around each AI action.
A TCD receipt is backed by checks before, during, and after an AI-assisted action:
request limits, identity, policy version, risk state, route decision, signature,
evidence references, verification results, replay behavior, and runtime changes.
Reviewers can see what was checked, what was recorded, and what can be verified
without exposing raw prompts, answers, cookies, auth headers, or customer payloads.
Request intake checks
TCD checks each HTTP or gRPC request before downstream systems trust it: body size,
header size, vector size, chain length, authentication context, rate-limit zone,
idempotency key, and stable event identity. If the request is malformed, oversized,
overloaded, or unsafe to process, the failure path is explicit.
Identity and policy binding
Each selected action can be tied to the request identity, event identity, tenant,
subject, route, policy reference, policy digest, receipt settings, config fingerprint,
and runtime build identity. This lets a reviewer ask: “Which rule set was active for this action?”
AlwaysValid risk budget
TCD converts risk signals into controller state, including e-process and alpha-wealth values.
The receipt can record the controller mode, guarantee scope, selected source, and risk-budget
state separately from the final business decision, so reviewers can see both the outcome and
the statistical guardrail behind it.
Safety detection and calibration
Detector outputs are deterministic for the same request and configuration. Calibration state
is recorded through stable digests, evidence is sanitized and bounded, and timeout or error
paths can fail closed instead of silently passing through.
Route decision and Terminal Contract
TCD combines policy match, authentication result, rate-limit result, detector evidence,
route choice, and security signals into one Terminal Contract. Downstream systems receive
a concrete instruction — allow, degrade, or block — with enforcement mode, route plan,
decision identity, and reason code.
Receipt signing and key evidence
TCD builds a canonical receipt body, records the receipt head, signing-key identity,
key policy, signature status, and rotation or revocation readiness. Where available,
deployments can add hardware-root or HSM/KMS-backed signing evidence and return a report
that can be checked outside the app.
Durable evidence records
TCD can persist receipt references, audit references, ledger heads, commit references,
storage references, outbox state, and evidence identity. The evidence record avoids raw
prompts, completions, cookies, auth headers, and customer payloads; it keeps references,
hashes, and bounded metadata instead.
Verification reports
TCD can produce a verification result for the receipt body, receipt head, signature,
policy binding, expected config/build/image fingerprints, chain window, and evidence
references. A reviewer can check the receipt without relying only on your product UI.
Restart and replay checks
TCD keeps receipt lookup, idempotent writes, prepare/commit evidence flow, restart-safe
access, replay-safe lookup, chain traversal, and explicit failure states. A receipt should
still be checkable after restart, retry, or recovery.
Audited runtime changes
When policies, configs, keys, calibration settings, patch gates, trust settings, or
evidence-delivery retries change, TCD records the change as an audited action. The system
can track rollback or compensation paths and keeps the business result separate from the
evidence result.
Operational telemetry
TCD can export bounded metrics, structured logs, runtime diagnostics, health and readiness
checks, hardware/runtime evidence, and privacy-aware telemetry. The goal is to make operations
reviewable without turning logs into a place where customer content or secrets leak.