Documentation

Never-false-confirm

The four gates, the verdict tiers, and why confirmed is unreachable with the demo key and the metadata-only fingerprint database.

The never-false-confirm invariant#

logflip is engineered never to emit a false confirmation, and that property is verified by its test suite rather than asserted. The guarantee holds across hundreds of candidates: without a real signed database and a real key file, confirmed is unreachable.

The shipped fingerprint families are metadata-only. Capture analysis found no sound tool-specific $LogFile byte pattern, so every pattern_hex is empty and an empty-pattern matcher guard makes a spurious byte match structurally impossible. This is an honest encoding of no validated signature exists yet, not a placeholder pending one.

The four gates#

A confirmed verdict is the boolean AND of four independent gates. If any one fails, the result is not a confirmation.

Inversion complete: the strict reverse-replay walk fully completed. Any incompleteness yields INCONCLUSIVE, not a guess.
Exact fingerprint match: a tool-family byte-pattern hit in the signed database. This is the gate the demo and stub database can never satisfy.
Confidence threshold: the match confidence is at least 0.85. That value is a provisional placeholder chosen to make the gate testable before real false-positive rates exist; it is not a calibrated or final value.
Failure-mode independence: the evidence spans at least two distinct failure-mode classes, and any record that cannot be classified forces this gate to fail.

By design

A fifth barrier sits outside the four gates: even if all four passed, a confirmed leaf signed with the synthetic demo key is refused. A confirmation must be signed with a per-engagement production key.

Verdict tiers#

The pipeline derives exactly one of four verdicts in a strict cascade. The color is never the only signal: each tier carries its name and its precondition.

cleanReverse replay found no byte disagreement on the target record.

provisionalA disagreement and an SI-vs-FN delta were surfaced, but no tool family was confirmed. This is the ceiling with the stub database or a demo key.

confirmedEvery corroboration gate passed against a signed database paired with a non-demo key. The stub database and the demo key can never produce this verdict, by design.

anomalySingle-source signal only (an SI-vs-FN delta with no $LogFile coverage). Surfaced as an investigative lead, never as proof.

Why confirmed is unreachable on the demo#

Two independent, simultaneous locks make confirmed unreachable on the shipped configuration. Both a real signed database and a non-demo key are required to lift them, and even then a real validated byte pattern must exist.

The database lock: every shipped family has an empty pattern_hex, so the empty-pattern guard skips them all and the match gate can never report a hit.
The key lock: the synthetic demo key cannot sign a confirmed leaf. Even if every gate passed, signing is refused.

So the pipeline ceiling on real input today is provisional: reverse replay and the SI-vs-FN delta can surface a finding, but byte-pattern attribution is unavailable, so a confirmation is never reached. That is the correct never-false-confirm behavior.

The anomaly tier is a lead, not a finding#

An anomaly is a single-source SI-vs-FN signal with no $LogFile coverage. It is an investigative lead that requires independent corroboration. Anomalies never set the finding exit code, never emit signed artifacts, and can never reach provisional or a confirmation. On a realistically populated live volume the benign SI-vs-FN anomaly rate approaches every file, which is exactly why the tier is capped this way.