AFIR · attested fragment inference routing

From sleepy inference to chain of custody.

Every prompt, tool call, cache hit, and agent hop — signed with ML-DSA-65, rooted in a Merkle tree, anchored on Base.

[Diagram: Prompt → Model → Response. No receipt · no proof.]

[Diagram: Prompt → AFIR node → Response, with Receipt: signed ✓ ML-DSA-65 · 384 bytes.]

[Diagram: Orchestrator → Web search (✓ in/out signed), Database (✓ in/out signed), API call (✓ in/out signed) → Merkle root: one signature · whole pipeline.]

P1

Signed tool calls

Before/after receipts on every tool an agent touches.

P2

Receipt trees

Every agent hop under one Merkle root per session.

P3

KV cache signing

Caches signed at write time — provenance across turns.

P4

Model manifest

Prove which model signed. No TEE required.

P5

Crypto-agile

Flip a switch when NIST moves.
ML-DSA-65