Enrollment Registry

The signed authority that Trustfall Lite checks against and that Trustfall Deep is anchored to.

Registry — version
signed records
structural-evidence
artifact-identity
manifest — verified against signed payload
issuer fallrisk-96cd5e6a01e1 issuer key id

This page displays a compact index derived from the canonical signed registry. The canonical authority remains attest.fallrisk.ai/registry.json; verify any record there against the published JWKS.

Model Family Arch Evidence Enrolled Status
What counts as proof depends on the claim evidence taxonomy

The Fall Risk registry does not treat all evidence as interchangeable. A structural-evidence record and an artifact-identity record answer different questions. Structural evidence supports claims about which model was measured. Artifact identity supports claims about which bytes match a signed record. Both are useful. They are not the same claim.

This distinction follows the evidence-class framework introduced in What Counts as Proof? Admissible Evidence for Neural Network Identity Claims. Each signed record carries an explicit evidence_class field so consumers can match the claim they make to the evidence the record carries.

Historical audit record — per-version lane audits

Each registry version is audited when it lands. Current state is reported in the strip above; the per-version audits below are the historical record of how each lane was validated at deploy time.

v0.2.2 structural audit — Hugging Face records May 2026

165 Hugging Face records · audit completed May 2026

Across 54,120 same-seed cross-model pairwise comparisons in the 165-record Hugging Face structural-evidence lane, zero observed pair distances fell below ε = 1.003 × 10⁻⁴. The closest pair, Starling-LM-7B-beta and OpenChat-3.5-0106, was separated by 9.82× ε. Both are Mistral-7B fine-tunes in the OpenChat training lineage — the expected hard case for sibling-model separation.

The observed cross-model distance range spans roughly 6,475× between the closest and farthest pairs. This audit covers the structural-evidence lane only. It is an empirical registry audit result, not a formal proof that true FAR is zero.

v0.2.3 artifact audit — Ollama records May 2026

46 Ollama records · audit completed May 2026

The Ollama artifact-identity lane passed uniqueness and integrity checks across 46 signed records. Model IDs, artifact manifest digests, and evidence digests were unique. Unauthorized artifact-hash collisions: zero.

One full-registry artifact-hash collision is documented and authorized: google/gemma-3n-E2B-it and google/gemma-3n-E4B-it share an artifact hash because Gemma 3n uses a MatFormer nested architecture. Artifact identity does not claim runtime structural identity, upstream provenance, or model behavior. Trustfall Lite uses these records to verify local artifact bytes against the signed registry; runtime structural identity is the Trustfall Deep path.
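The uniqueness and collision checks described in this audit can be reproduced over any set of records. The following is an added example, not Fall Risk's audit code: the field names come from the sample records on this page, while the records, the model IDs, and the `authorized_groups` allowlist format are constructed for illustration.

```python
import hashlib
from collections import defaultdict

UNIQUE_FIELDS = ("model_id", "artifact_manifest_digest", "evidence_digest")

def digest_of(label):
    """Constructed digest for sample data: hash of a label, not of a real artifact."""
    return hashlib.sha256(label.encode()).hexdigest()

def make_record(model_id, shared_file=None):
    """Build a constructed record using the field names shown in the sample records."""
    hashes = [{"sha256": digest_of(model_id + "/weights")}]
    if shared_file:
        hashes.append({"sha256": digest_of(shared_file)})
    return {"model_id": model_id, "artifact_hashes": hashes,
            "artifact_manifest_digest": digest_of(model_id + "/manifest"),
            "evidence_digest": digest_of(model_id + "/evidence")}

# Constructed sample: the two "nested" models share one artifact hash.
SAMPLE = [make_record("example/nested-small", "nested-shared"),
          make_record("example/nested-large", "nested-shared"),
          make_record("example/standalone")]

def audit(records, authorized_groups=()):
    """Return findings as (kind, value, model_ids); an empty list means the lane passes.

    authorized_groups is a hypothetical allowlist: sets of model_ids that are
    documented as sharing an artifact hash.
    """
    findings = []
    for field in UNIQUE_FIELDS:
        owners = defaultdict(list)
        for rec in records:
            owners[rec[field]].append(rec["model_id"])
        findings += [("duplicate_" + field, value, tuple(sorted(ids)))
                     for value, ids in owners.items() if len(ids) > 1]
    by_hash = defaultdict(set)
    for rec in records:
        for entry in rec["artifact_hashes"]:
            by_hash[entry["sha256"]].add(rec["model_id"])
    allowed = [frozenset(group) for group in authorized_groups]
    for sha, ids in by_hash.items():
        if len(ids) > 1 and not any(ids <= group for group in allowed):
            findings.append(("unauthorized_hash_collision", sha, tuple(sorted(ids))))
    return findings
```

A shared hash also means a lookup keyed on SHA-256 alone can return more than one model ID, so consumers should expect a list rather than a single match.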

Trust chain — how Lite and Deep use this registry

A registry record does not say a model is safe. It says the claim is signed.

Trust chain
  Local artifact: SHA-256
  Trustfall Lite: lookup against this signed registry
  Signed registry record: JWKS verification
  Verdict
  Trustfall Deep: runtime structural identity, anchored to this registry

Artifact verification stops at the file. Runtime structural identity begins with Trustfall Deep, anchored to the same signed records published here.

From this registry to a product — Trustfall Lite and Trustfall Deep

Two products. One escalation path.

Lite verifies what model artifact you have on disk. Deep verifies which model is actually computing at runtime. Both anchor to the records on this page.

Trustfall Lite — free, open source, Apache-2.0
Local-first scanner for Hugging Face and Ollama artifacts. Computes SHA-256 hashes on your disk and matches them against the signed records above. Status states: verified · unknown_variant · not_enrolled · pilot_available. No accounts, no telemetry, no network beyond a single fetch of the canonical registry.
pipx install fallrisk-trustfall
Trustfall Deep — runtime identity, Lab + Enterprise tiers
Runtime structural identity for the model actually running in your inference path. Continuous re-measurement against the enrolled anchor. Signed JWTs streamed to OPA, Cedar, SPIFFE, or Envoy. Match accepts; mismatch denies. The sample DENY event below the table is what this enforcement looks like in practice.
Trustfall Deep Lab
Self-service runtime identity for solo researchers, indie ML founders, and small teams. Free / Researcher / Team tiers. Hosted measurement on Fall Risk ephemeral compute, or Local Standard with the signed engine on your hardware. Continuous attestation, audit logs, signed certificates. Self-serve portal in private build.
Trustfall Deep Enterprise
Sovereign deployment for organizations whose model weights, fingerprint vectors, or distance values cannot leave the environment. Customer-deployable signed engine artifact with three trust modes: Local Standard, TEE-backed (TDX + H100 confidential computing), and ZK private-match. Customer-controlled signing keys with proof-of-possession. Tenant-private registry namespace. Design-partner pilots in scoping; mutual NDA on request.

Trustfall Deep conversations route through integrations@fallrisk.ai. Trustfall Lite ships as an open-source client; no contact needed.

What a registry record means — claim boundary

Says

  • Fall Risk has measured this model under contract.
  • The measurement is a signed claim.
  • The claim is bound to specific artifact hashes.
  • The signature is independently verifiable via the published JWKS on this page.
  • Trustfall Lite can use this record for artifact verification.
  • Trustfall Deep can use the structural anchor for runtime verification.

Does not say

  • The model is safe.
  • The model is good.
  • The model is endorsed by Fall Risk.
  • The publisher is trustworthy.
  • Lite verifies what the model does at runtime.
  • The artifact hash and the structural anchor are the same thing.
Sample signed records — structural and artifact lanes
Sample signed record — structural-evidence lane RS256 / v0.2.3
// Record fields surfaced under "models" in the canonical signed registry.
// The full per-record JWS is served by attest.fallrisk.ai/registry.json.

RECORD
  model_id: upstage/SOLAR-10.7B-Instruct-v1.0
  evidence_class: itpuf_structural_identity
  source_registry: huggingface
  architecture: transformer
  n_layers: 48
  artifact_format: safetensors
  license: CC-BY-NC-4.0
  publisher: upstage
  runtime_identity_available: true
  evidence_digest: ea142d65399d9568...
  status: active
  issuer: https://attest.fallrisk.ai

JWS HEADER (base64url)
  { alg: RS256, kid: fallrisk-96cd5e6a01e1, typ: fallrisk-enrollment+jwt }

The JWS payload binds model_id, evidence_digest, and evidence_class. Sensitive fields (fingerprint vectors, thresholds, prompt bank, hooking sites) are never included in the public record. Verify the JWS against attest.fallrisk.ai/.well-known/jwks.json.
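Before spending an RSA verification on a record, a consumer can pin the header values shown above and confirm that the surfaced fields agree with the signed payload. This is an added example, not Fall Risk's client code; it assumes the per-record JWS uses three-part compact serialization and that the payload claim names equal the surfaced field names, and the token it builds is constructed with a dummy signature.

```python
import base64
import json

EXPECTED_HEADER = {"alg": "RS256", "typ": "fallrisk-enrollment+jwt"}  # values shown on this page
BOUND_FIELDS = ("model_id", "evidence_digest", "evidence_class")      # fields the payload binds

def b64url_decode(part):
    """Decode base64url text whose padding was stripped, as JWS parts are."""
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def make_jws(header, payload):
    """Build a constructed token for testing; the signature part is a dummy value."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc(header), enc(payload), "Y29uc3RydWN0ZWQ"])

def precheck(jws, surfaced, trusted_kids):
    """Return problems found before signature verification.

    An empty list means the token may proceed to RS256 verification with the
    JWKS key named by its kid; it does not mean the signature is valid.
    Assumption: payload claim names equal the surfaced record field names.
    """
    parts = jws.split(".")
    if len(parts) != 3:
        return ["not a three-part compact JWS"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["header or payload is not base64url JSON"]
    if not (isinstance(header, dict) and isinstance(payload, dict)):
        return ["header or payload is not a JSON object"]
    # Pin alg and typ instead of trusting whatever the token declares.
    problems = [f"{key} is {header.get(key)!r}, expected {want!r}"
                for key, want in EXPECTED_HEADER.items() if header.get(key) != want]
    if header.get("kid") not in trusted_kids:
        problems.append(f"kid {header.get('kid')!r} not in trusted JWKS")
    # Unsigned convenience fields must match what the signature covers.
    problems += [f"{field}: surfaced value differs from signed payload"
                 for field in BOUND_FIELDS if payload.get(field) != surfaced.get(field)]
    return problems
```

Signature verification against the key from attest.fallrisk.ai/.well-known/jwks.json still has to follow with a maintained JOSE library.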
Sample signed record — artifact-identity lane RS256 / v0.2.3
// Lane B records identify local artifact bytes against a signed registry record.
// They do not claim runtime structural identity, upstream provenance, or behavior.

RECORD
  model_id: ollama/library/llama3.1:8b
  evidence_class: artifact_identity
  source_registry: ollama
  artifact_format: ollama_blob
  publisher: Ollama library
  license: llama3.1
  runtime_identity_available: false
  artifact_hashes[0].sha256: 667b0c1932bc6ffc...
  artifact_manifest_digest: 667b0c1932bc6ffc...
  evidence_digest: b5aa060223de823b...
  status: active
  issuer: https://attest.fallrisk.ai

JWS HEADER (base64url)
  { alg: RS256, kid: fallrisk-96cd5e6a01e1, typ: fallrisk-enrollment+jwt }

Artifact-identity records support claims about which bytes match a signed record. Trustfall Lite verifies a local artifact against this record. Trustfall Deep verifies the running model against a structural-evidence record.
Sample DENY event — model substitution detected
Sample DENY Event — Model Substitution Detected HTTP 403
// Measured Model Substitution Under Valid Agent Credentials
// Gateway receives inference request with valid SPIFFE credentials

1. CREDENTIAL CHECK
   Agent identity: ✓ VALID (SPIFFE SVID)
   Workload attestation: ✓ VALID (mTLS)
   OAuth scope: ✓ VALID (inference:read)

2. STRUCTURAL IDENTITY CHECK
   Enrolled anchor: meta-llama/Llama-3.1-8B-Instruct
   Measured model: deepseek-ai/DeepSeek-R1-Distill-Llama-8B
   Structural distance: FAR ABOVE THRESHOLD
   Measurement time: 5.7s

3. POLICY DECISION
   OPA policy: fallrisk/model_identity/v1
   Input: attestation JWT + enrollment anchor
   Decision: DENY
   Reason: model_identity_mismatch

4. GATEWAY ACTION
   HTTP 200 → HTTP 403 Forbidden
   Body: {"error": "model_identity_verification_failed"}

From the Measured Model Substitution technical note (DOI: 10.5281/zenodo.19342848). Three substitution scenarios, three detected, zero false accepts. Warm-path measurement: 5.7–6.7 seconds on 1× A100 80GB.
Policy snippets — OPA, Cedar, SPIFFE
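OPA Rego
# Package path follows the policy name shown in the sample DENY event.
package fallrisk.model_identity.v1

# Rego v1 keywords (if, :=); this is the default syntax in OPA 1.x.
import rego.v1

# Deny unless every condition in the allow rule holds.
default allow := false

# Assumes the attestation JWT's signature was verified before its fields reach input.
allow if {
  input.attestation.model_id == input.anchor.model_id
  input.attestation.status == "active"
  input.attestation.issuer == "https://attest.fallrisk.ai"
}
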
Cedar
permit(
  principal,
  action == Action::"inference",
  resource
) when {
  context.attestation.model_id == context.anchor.model_id
  && context.attestation.status == "active"
};

Your policy engine already knows what to do.

Programmatic verification examples

Three commands cover the canonical authority chain: inspect a signed record, check the manifest digest the API serves, and inspect the derived index this page renders from. All three should agree on the manifest digest byte-for-byte.

# Inspect a signed record from the canonical registry
$ curl -s https://attest.fallrisk.ai/registry.json \
    | jq '.models["meta-llama/Llama-3.1-8B-Instruct"].record'

# Check the registry manifest digest served by the API
$ curl -s https://api.attest.fallrisk.ai/v1/registry/manifest_digest | jq .

# Inspect the derived website index used by this page
$ curl -s https://fallrisk.ai/registry/assets/registry-index.json \
    | jq '.record_count, .evidence_class_counts, .source_manifest_digest'