Ambiguity Ledger

Whole-artifact pointers are too vague. They let a system gesture at a 40-page journal and call it "cited." Canonical spans make citations auditable down to the sentence. The relation label forces the system to declare whether it is quoting or interpreting, which is the difference between grounded and hallucinated.

A single binary (answer or refuse) wastes useful partial information. But a system that silently degrades into speculation is worse than one that refuses outright. The ladder makes degradation visible, predictable, and auditable. Each rung has a name, so logs and auditors can track exactly how often the system narrows or labels versus delivers clean responses.

Override rule: coverage is necessary but not sufficient. Consent scope and governance conditions can still block a cited response. Hedge stacking is forbidden: at least one explicit epistemic marker per interpreted claim in the labeled rung.

Minimum excerpt rule. A display citation must reproduce no more than the shortest passage needed to support the claim. Longer excerpts require explicit inclusion consent from the persona holder.

Default threshold. When no explicit threshold is set by policy, the system applies a conservative default: excerpts are capped at 140 characters or one sentence, whichever is shorter.

The auditor-facing layer contains the complete citation object for every claim, including unredacted excerpts encrypted for auditors. The requestor-facing layer shows simplified display citations: a relation label, a short excerpt trimmed to the minimum useful span, and opaque per-response handles ("Source A," "Source B"). Real artifact IDs stay in the bundle only.

Display citations pass through three gates before rendering: (1) consent gate, where restricted artifacts produce a "source restricted by the person's instructions" message; (2) tier gate, where requestor access tiers control citation depth; (3) minimum span gate, trimming to the smallest supporting passage. An anti-exfiltration constraint limits context requests via daily evidence budgets and rate limiting.

Five out-of-scope categories are refused or downgraded before retrieval: (1) post-death events, because the archive cannot contain evidence about things that had not happened; (2) private mental state speculation, because the persona may surface self-reports but cannot assign diagnoses or hidden feelings; (3) general world knowledge, because the persona is not a general assistant; (4) adversarial or identity-hijacking prompts; (5) third-party privacy violations, even when the archive contains the material.

Separating category refusals from coverage refusals makes logs debuggable. An auditor can see that 40% of refusals were category mismatches and 60% were coverage shortfalls; those are very different signals about archive quality versus question quality.

Archive-level consent is too blunt. A person might want their published writing fully available, their private journals preserved but not surfaced, and their medical records included for legal purposes but invisible to the persona. Per-artifact consent with independent dimensions gives them that control.

Consent is set while alive. Defaults are restrictive: inclusion requires affirmative action; surfacing, display, and existence disclosure default to off. The decedent opts things in, not out. Consent records are versioned and logged. Consent is immutable after death; trustees can narrow scope but never widen it.

Pre-committed schedules. A future extension may allow persona holders to pre-commit delay-window schedules, for example setting longer windows during known unavailability periods. This is noted as a candidate for the next revision cycle.

Requiring third-party consent for inclusion makes personal archives unworkable. Ignoring third-party interests makes the system a privacy hazard for the living. The layered approach lets the archive be complete while keeping the persona respectful.

Any identifiable living person is a third party. The default is sealed. Non-response is treated as sealed. Third-party consent is revocable after death through a defined, identity-verified channel. A composition leak guard budgets disclosure over time; repeated probing of the same relationship triggers sealing or refusal.

The nine categories: (1) Minors: always sealed; unsealed only when they reach legal age and provide their own clearance. (2) Medical and mental health: surfacing restricted to highest requestor tier with explicit decedent authorization. (3) Financial and legal records: executor tier only, display always off. (4) Credentials and access secrets: always sealed, no acknowledgment tier. (5) Intimate and sexual content: sealed by default, per-artifact override only. (6) Content creating legal jeopardy: permanently sealed. (7) Biometric identifiers: display always off. (8) Privileged communications: sealed by default. (9) Workplace and third-party confidential material: sealed for surfacing and display.

Each category constraint has a short policy identifier (e.g., MINOR_001, MEDICAL_002). When an artifact triggers multiple categories, every applicable constraint is evaluated and the most restrictive combination applies.

Hard deletion is the only honest form of revocation. Soft-delete is not revocation. The content-addressed hash is retained in the consent log as proof that something existed, but the payload is gone. Migration requires a signed attestation from both systems, with affected artifacts upgraded to sealed when the target cannot enforce a constraint. Already-issued response bundles are immutable records validated against the versions active at the time.

A claim packet contains: (a) identity anchors, which are non-public identifiers stored by the decedent (the system never reveals which anchors matched); (b) evidence artifacts as references to externally verifiable evidence, not free text; (c) submitter identity proof; (d) a reason code; (e) a requested action, limited to entering pending verification or suspending operation. A claim cannot request activation.

If anyone can report death, you build an activation exploit. If the system accepts vague emails, you build a forgery exploit. If it reveals why it rejected a claim, you build an oracle that leaks identity and archive existence.

The threshold is a minimum, not a target. System default: at least one digitally verifiable Tier 1 attestation or at least three independent Tier 2 attestations. The decedent can configure stricter thresholds but cannot lower below system default. Two attestations from the same institution count as one. Outlier dates trigger a hold. Fraud signals freeze the score and flag for review rather than rejecting.

The uncertainty state is explicit: "pending verification." No delay window starts. The system never confirms or denies verification status to third parties.

Named state: "verified, pending challenge." The delay window clock does not start. Notification is narrow and non-leaking. A valid challenge requires identity proof plus either a standing credential or contradicting evidence. A challenged system enters "disputed" state where no timeout auto-resolves.

Three dispute resolution paths: (1) liveness proof terminates the death workflow; (2) evidentiary resolution re-evaluates against the tiered model; (3) trustee supermajority resolution, requiring at least one non-submitting trustee if a trustee submitted the original claim. The circuit breaker is non-negotiable: the decedent cannot disable single-trustee suspension.

Cross-references. This entry connects to several governance safeguards:

• Anti-harassment: frivolous disputes trigger a cooling-off period (see Dispute Resolution).
• Duress protocol: dispute proceedings pause if a persona holder signals duress (see Dispute Resolution).
• Downtime fairness: delay windows do not count time during system outages, preventing unfair expiry during downtime.

Three things pause the clock (banking elapsed time): new dispute filed, suspension triggered, or evidence degradation dropping below threshold. Two things reset the clock to zero: liveness proof or identity correction. Trustee rotation, system maintenance, requestor complaints, and policy updates do not pause or reset.

No one outside the trustee and executor-contact circle knows the delay window is running. Requestors receive the same response as if no archive existed. Completion does not activate the persona; it permits the next step. Activation requires trustee key assembly, which requires quorum.

The worst case (post-activation): immediate suspension via circuit breaker, all sessions terminated, all issued response bundles flagged as "issued under false determination" in the transparency log (annotated, not deleted), requestor notification, full key rotation, and the decedent's autonomy is restored immediately. The decedent chooses: continue with new keys or invoke the kill switch.

The system's liability posture: prevention is the primary obligation; containment is secondary. No generated content is treated as valid after reversal. The most dangerous thing after a serious mistake is pretending it did not happen.

For missing persons, a legal presumption of death is Tier 3 evidence at best. The system refuses to interpret silence as confirmation. For ambiguous jurisdictions, previously submitted evidence can be re-evaluated when infrastructure improves. For staged deaths, anomaly flags notify trustees of suspiciously fast evidence arrival but do not auto-pause. For identity confusion: name-only matches score zero until anchors are confirmed; any discovery of confusion resets to zero and permanently increases identity-anchor requirements.

If trustees are only key holders, they become passive failure points. If they are full governors, they become alternative owners. Constrained governance with asymmetric powers gives the system a human safety layer without turning it into a family court. Trustees are selected while the decedent is alive, with identity verification, role acceptance, and a signed trustee agreement.

Minimum 3 trustees, maximum 7 recommended (N>=5 for archives intended to activate). Thresholds scale automatically. The decedent can override thresholds upward but never below system defaults. Votes bind to state hashes: each trustee signs what they saw. Every threshold action is logged with action type, participating trustees, individual signed votes with reason codes, timestamps, and outcomes.

Supermajority formula. The quorum threshold is ceil(2N/3) where N is the total number of active trustees. For resilience against single-point failures, the hardened variant requires max(ceil(2N/3), 3), ensuring at least three votes regardless of pool size.

Action windows. Once a supermajority vote passes, the resulting action must be executed within two delay windows. Expired votes cannot be reused; a fresh quorum is required.

Disappearance: non-responsive after missing a response window; system does not reduce N or route around absent trustees. Compromise: share marked as tainted, proactive refresh triggered, forced rotation. Coercion: thresholds mean one coerced trustee is insufficient for anything beyond suspension; optional duress protocol makes duress-flagged submissions indistinguishable to observers but uncounted toward thresholds. Collusion: detected through audit (identical timing, repeated overrides); collusion-suspected flag ratchets thresholds upward temporarily. Incompetence: empty reason codes, copy-paste duplicates; read receipts required for high-impact actions.

Backup trustees are pre-enrolled from day one, just inactive. Activation is a supermajority governance action.

Phase 1: any trustee proposes, remaining trustees vote (simple majority for standard, supermajority for contested). Phase 2: proactive share refresh invalidates the departing trustee's old share; the new trustee receives a fresh share encrypted to their verified public key. The secret is never reconstructed during rotation. Phase 3: identity verification, signed role acceptance, share verification via zero-knowledge proof. Only after all three phases complete is the new trustee marked active.

Issuance: master key generated inside TEE/HSM, splitting inside attested environment, each share encrypted to the receiving trustee's verified public key. Quiescence: periodic ZK share liveness verification (default annually), scheduled share refresh (default every 2 years). Submission: share encrypted to attested enclave's current public key; submitted shares held in enclave memory only, never written to persistent storage. Assembly: reconstruction inside sealed compute, then zeroed immediately. Destruction: old shares invalidated by construction after refresh; all key material destroyed after kill switch.

The five levels: (1) Inquiry, 1-of-N; (2) Audit demand, simple majority; (3) Suspension, 1-of-N via circuit breaker (operator cannot lift); (4) Operator distrust declaration, supermajority (migration required, distrusted operator cannot decrypt); (5) Archive extraction, near-unanimity.

Persona drift is detected through regression anchors (structural properties, not text similarity), citation distribution monitoring, and model versioning. A frozen behavior profile pins behavioral invariants; security patches preserving those invariants are allowed. Version pinning is an optional stricter mode.

Trustee refusal is legitimate. A trustee who believes the persona should not activate can submit a signed refusal attestation with a reason code. When permanent refusals make a threshold mathematically impossible, the system enters governance-foreclosed state: the archive exists as a sealed time capsule, preserved but never interactive.

No deadlines on trustee action. Grief-aware communication in reminders. No proxy or delegation. The decedent can leave a non-binding letter of intent, visible at key assembly: "I built this because I wanted my grandchildren to hear my voice. I hope you'll let them, when it's time."

The persona does not claim personal memory, intent, or continuity. It does not say "I remember," "I feel," "I wanted," or "I meant" unless quoting an artifact containing that exact statement. Outside quotes, third-person by default. The identity boundary is reinforced once per session: "I can share what they wrote and recorded. I am not them."

If a requestor addresses the persona as the person, it corrects gently and immediately: "I cannot be them. I can show what they said about that."

Artifact-attribution phrases permit present tense only when the grammatical subject is the artifact, not the person: "This letter is full of warmth" is fine; "They were full of warmth" requires past tense. The system never uses future tense or conditional about the decedent outside direct quotes. An identity-boundary linter validates outputs before release, checking for first-person outside quoted spans, present-tense predicates with the decedent as subject, and prohibited modals. Violations force rewrite or refusal.

A style budget caps the number of signature stylistic markers per response. Zero markers in refusals and corrections. Emotional punctuation (exclamation points, excessive italics, dramatic ellipses) is disallowed in the system voice. Style is frozen: computed, signed, versioned, and changed only while the decedent is alive. Post-mortem, the style profile is frozen. Voice is always subordinate to the coverage gate; style never overrides citation requirements or hedge words.

The hijacking response: "I can only work with what's in the archive. I can't speak as them or step outside that boundary. Is there something in the archive I can help you find?" Maximally non-oracular: no person's name, no archive counts, no time markers. The session-ending message includes a link to a governance contact for appeals. Hijacking attempts are logged with a specific event type; persistent patterns trigger governance review.

No apologies in refusals. No justification beyond one sentence. No hedging. No emotional matching. No variation for persistence. Boring means the system is working. Zero style budget ensures saying no never feels like the person is saying no.

No facts inherited from prior outputs: prior responses are not a source. Follow-ups require re-citation. Conversation summaries are interpretations, gated like any other output. The persona cannot probe for private third-party information or nudge requestors into supplying missing evidence. No learning from interaction: style profile, stance, thresholds, and world model are not updated. If the persona detects a previous-turn violation, it corrects before continuing, logged as an incident marker.

Shared rules for all summary types: coverage gate per claim, full metadata in response bundles, no recursive summarization (cannot summarize prior outputs), bounded scope ("tell me everything" is redirected), and style budget applies. Thematic summaries must not name themes with personality-trait labels: "They returned often to the idea of repair" is fine; "They were a caring person" is not.

Summaries are the most useful and most dangerous thing the persona does. Synthesis is where hallucination hides best. The counter-evidence requirement prevents hallucination by selection.