YinkoShield

Local Evidence Ledger & Commander

Every signed event is appended to a hash-linked ledger that lives on the device. Tampering at any link breaks the chain visibly. The ledger does not leave the device — but the operator can reach into it through a sovereign forensic channel.

[ diagram: local evidence ledger · commander channel ] Device side: on-device, append-only storage holding signed records (·01 sign, hash: 0xa3…; ·02 sign, prev: 0xa3…; ·03 …); the Commander module decrypts signed-and-encrypted commands and replies with signed forensic responses, with no infrastructure in the loop (PGP-analogous device key and operator key). Operator side: the sovereign operator sends an encrypted command and receives a signed, attributable forensic response. Device-resident, hash-linked, sovereign: no third party in the forensic path.
The ledger is on the device. The Commander gives operators a signed channel to it without putting any third party in the path.

The ledger

The Local Evidence Ledger is the device-resident record of everything the runtime has signed. It is append-only. Each event embeds the hash of its predecessor, so any contiguous run of events can be checked against a record the verifier already holds, and a full walk from the first event re-derives every link. Modifying, reordering or removing an event breaks the link that follows it, and the break is visible at verification time at that exact position.

This matters operationally. Reconciliation is not a matter of “trust the backend log against the cardholder’s claim” — it is a deterministic verification of a signed sequence. Disputes that used to be a credibility judgment become a verifier output.
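The mechanism above, as an added example in Go written for this page (it is not YinkoShield's runtime code, and the YEI-001 record format is not public here): each record is signed with an ed25519 device key and carries the SHA-256 hash of its predecessor, Append is the only write path, and Verify walks the chain from the first record and returns the index of the first link that fails together with the reason. The record fields, the empty-prev genesis convention, and the choice of ed25519 and SHA-256 are this example's assumptions. It also covers the one edit a chain walk cannot see by itself, a tail cut off cleanly, and the check that exposes it: comparing the current tip with a head the verifier recorded earlier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Event is one ledger record. The field set is this example's own; the real
// YEI-001 record format is not on the page.
type Event struct {
	Seq     uint64 `json:"seq"`
	Kind    string `json:"kind"`
	Payload string `json:"payload"`
	Prev    string `json:"prev"` // hex SHA-256 of the predecessor's full record, "" for genesis
	Sig     string `json:"sig"`  // hex ed25519 signature by the device key over the fields above
}

// Ledger is the device-resident, append-only chain plus the device signing key.
type Ledger struct {
	priv   ed25519.PrivateKey
	Pub    ed25519.PublicKey
	Events []Event
}

func NewLedger() *Ledger {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return &Ledger{priv: priv, Pub: pub}
}

// signedBytes is the canonical encoding the signature covers: every field but Sig.
// A struct with fixed fields marshals deterministically, so it is a safe input.
func signedBytes(e Event) []byte {
	e.Sig = ""
	b, _ := json.Marshal(e)
	return b
}

// sign produces the hex device signature over a record.
func (l *Ledger) sign(e Event) string { return hex.EncodeToString(ed25519.Sign(l.priv, signedBytes(e))) }

// Hash is the link value a successor commits to. It covers the signature too, so
// re-signing an altered record still changes what the next record points at.
func Hash(e Event) string {
	b, _ := json.Marshal(e)
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Head is the chain tip. An operator who keeps the last head it retrieved can
// detect a ledger whose tail was cut off, which Verify on its own cannot.
func Head(events []Event) string {
	if len(events) == 0 { return "" }
	return Hash(events[len(events)-1])
}

// Append is the only write path: it never touches an existing record.
func (l *Ledger) Append(kind, payload string) Event {
	e := Event{Seq: uint64(len(l.Events)), Kind: kind, Payload: payload, Prev: Head(l.Events)}
	e.Sig = l.sign(e)
	l.Events = append(l.Events, e)
	return e
}

// Verify walks the chain from genesis and returns the index of the first record
// that fails and why, or -1 and "ok". Each record must carry a valid device
// signature, the expected sequence number, and a Prev equal to the hash of the
// record before it; a modified, re-signed, dropped or reordered record fails here.
func Verify(pub ed25519.PublicKey, events []Event) (int, string) {
	prev := ""
	for i, e := range events {
		sig, err := hex.DecodeString(e.Sig)
		if err != nil || !ed25519.Verify(pub, signedBytes(e), sig) { return i, "bad signature" }
		if e.Seq != uint64(i) { return i, "sequence break" }
		if e.Prev != prev { return i, "prev hash mismatch" }
		prev = Hash(e)
	}
	return -1, "ok"
}

func main() {
	l := NewLedger()
	for _, p := range []string{"txn-0", "txn-1", "txn-2", "txn-3", "txn-4"} { // constructed events
		l.Append("auth", p)
	}
	anchor := Head(l.Events) // the tip an operator recorded at its last query
	altered := append([]Event(nil), l.Events...)
	altered[2].Payload = "txn-2-altered"
	truncated := l.Events[:3] // tail cut off cleanly: internally still consistent
	fmt.Println(Verify(l.Pub, l.Events))   // -1 ok
	fmt.Println(Verify(l.Pub, altered))    // 2 bad signature
	fmt.Println(Verify(l.Pub, truncated))  // -1 ok: a chain walk alone cannot see the cut ...
	fmt.Println(Head(truncated) == anchor) // false: ... but the recorded head can
}
```

Run with `go run` on Go 1.20 or later. The truncated copy passes Verify; only the comparison against the recorded head fails, which is why an investigator should retain the tip returned by each query as the anchor for the next one.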

outcomes

What this lets you do today that you couldn't before

  • Reconstruct disputed transactions deterministically

    The full execution record is on the device — sequence, ordering, runtime state, trust basis. A dispute investigator queries the ledger and gets the answer; no narrative.

  • Operate evidence under partition

    A device on a 2G/3G network, in a cellular dead zone, or offline by design still produces coherent evidence: events keep being signed and chained locally, and the record becomes reachable through the Commander channel once connectivity returns.

  • Run sovereign forensics

    No third party — including us — sits in the path between the operator and the device-side record. Investigators reach into the ledger directly via the Commander channel.

  • Move investigation off the auth path

    Authorization-time decisions read the inline token; deeper questions are answered asynchronously against the ledger. You don't pay forensic latency in the auth window.

  • Detect tampering specifically, not generically

    Verification reports the first link that fails and where it sits in the sequence, so an investigator learns which record was altered, not merely that the chain is invalid.

Why it stays on the device

Streaming every signed event off the device to a central store would create three problems: a new attack surface (a transit channel adversaries could intercept, replay, or re-order), a new operational dependency (a backend that has to be available for the substrate to function), and a new privacy posture (the operator no longer holds the data lifecycle end-to-end). The substrate is designed not to take any of those costs.

The Commander module

The Commander is the operator-controlled forensic channel into the ledger. It is PGP-analogous: the operator key authors signed, encrypted commands; the device key receives them, decrypts, executes the requested ledger query, and replies with a signed response. No third party — including us — is in the loop.

The Commander is how a fraud investigator retrieves the full evidence record around a disputed transaction. How a regulator audits a citizen-facing workflow. How an issuer reconstructs the device-side execution path of an outlier event. All of it happens between the operator and the device, on a channel the operator owns.
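The exchange described above, as an added example written for this page in Go using only the standard library (it is not the Commander protocol itself, which is specified in YEI-001): each party holds an ed25519 signing key and a P-256 key-agreement key; the operator signs a range query and then encrypts it under an AES-256-GCM key derived from static ECDH with the device key; the device decrypts, verifies the operator signature, refuses replayed or out-of-range commands, answers from its ledger and signs the reply the same way; the operator verifies the device signature and that the reply answers the command it sent. The command and response fields, the counter-based replay guard, deriving the key by hashing the raw shared secret (a stand-in for HKDF), and the constructed ledger digests are all this example's assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Command asks for ledger entries From..To; Counter must strictly increase so the device can refuse replays (this example's assumption).
type Command struct {
	Counter uint64 `json:"counter"`
	From    uint64 `json:"from"`
	To      uint64 `json:"to"`
}
type Response struct { // the device's signed answer
	Counter uint64   `json:"counter"`
	Events  []string `json:"events"`
	Head    string   `json:"head"` // chain tip, kept by the operator as the anchor for its next integrity check
}
// Party is one end of the channel: ed25519 signing key plus P-256 agreement key (public halves provisioned out of band, as with PGP); only the device fills Ledger and lastCounter.
type Party struct {
	signPriv    ed25519.PrivateKey
	SignPub     ed25519.PublicKey
	ecdhPriv    *ecdh.PrivateKey
	ECDHPub     *ecdh.PublicKey
	Ledger      []string // constructed digests standing in for signed ledger records
	lastCounter uint64
}
func NewParty(ledger []string) *Party {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	ep, err2 := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil || err2 != nil { panic("key generation failed") }
	return &Party{signPriv: priv, SignPub: pub, ecdhPriv: ep, ECDHPub: ep.PublicKey(), Ledger: ledger}
}
// aead derives the AES-256-GCM key shared with peer from static ECDH (SHA-256 of the raw secret stands in for HKDF).
func (p *Party) aead(peer *ecdh.PublicKey) (cipher.AEAD, error) {
	secret, err := p.ecdhPriv.ECDH(peer)
	if err != nil { return nil, err }
	key := sha256.Sum256(secret)
	block, err := aes.NewCipher(key[:])
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}
// signAndEncrypt signs the JSON body with our key, then seals sig||body for peer.
func (p *Party) signAndEncrypt(msg any, peer *ecdh.PublicKey) ([]byte, error) {
	body, err := json.Marshal(msg)
	if err != nil { return nil, err }
	gcm, err := p.aead(peer)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	plain := append(ed25519.Sign(p.signPriv, body), body...)
	return gcm.Seal(nonce, nonce, plain, nil), nil // nonce || ciphertext || tag
}
// decryptAndVerify opens the blob, then checks the peer's signature before any field of it is trusted.
func (p *Party) decryptAndVerify(blob []byte, peerECDH *ecdh.PublicKey, peerSign ed25519.PublicKey, out any) error {
	gcm, err := p.aead(peerECDH)
	if err != nil { return err }
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead()+ed25519.SignatureSize { return fmt.Errorf("short message") }
	plain, err := gcm.Open(nil, blob[:ns], blob[ns:], nil) // wrong key or altered bytes fail here
	if err != nil { return err }
	sig, body := plain[:ed25519.SignatureSize], plain[ed25519.SignatureSize:]
	if !ed25519.Verify(peerSign, body, sig) { return fmt.Errorf("bad signature") }
	return json.Unmarshal(body, out)
}
// Handle is the device side: decrypt, verify the operator, refuse replays and bad ranges, run the query, sign the reply.
func (d *Party) Handle(blob []byte, op *Party) ([]byte, error) {
	var cmd Command
	if err := d.decryptAndVerify(blob, op.ECDHPub, op.SignPub, &cmd); err != nil { return nil, err }
	if cmd.Counter <= d.lastCounter { return nil, fmt.Errorf("replayed command") }
	if cmd.From > cmd.To || cmd.To >= uint64(len(d.Ledger)) { return nil, fmt.Errorf("range outside ledger") }
	d.lastCounter = cmd.Counter
	resp := Response{Counter: cmd.Counter, Events: d.Ledger[cmd.From : cmd.To+1], Head: d.Ledger[len(d.Ledger)-1]}
	return d.signAndEncrypt(resp, op.ECDHPub)
}
// Query is the operator side: author one command, then confirm the reply is from the device key and answers this command.
func Query(op, dev *Party, counter, from, to uint64) (Response, error) {
	blob, err := op.signAndEncrypt(Command{Counter: counter, From: from, To: to}, dev.ECDHPub)
	if err != nil { return Response{}, err }
	reply, err := dev.Handle(blob, op) // in practice this hop crosses the network; nothing else does
	if err != nil { return Response{}, err }
	var resp Response
	if err := op.decryptAndVerify(reply, dev.ECDHPub, dev.SignPub, &resp); err != nil { return Response{}, err }
	if resp.Counter != counter { return Response{}, fmt.Errorf("reply does not match command") }
	return resp, nil
}
func main() {
	op, dev := NewParty(nil), NewParty([]string{"h0", "h1", "h2", "h3"}) // constructed ledger digests
	resp, err := Query(op, dev, 1, 1, 2)
	fmt.Println(resp.Events, resp.Head, err) // [h1 h2] h3 <nil>
}
```

Nothing in the exchange needs a server: `Handle` and `Query` are local functions and the single hop between them is all a transport has to carry. A second `Query` with the same counter is refused; a command sealed by anyone other than the operator either fails to decrypt (wrong agreement key) or fails signature verification (wrong signing key) before the device reads a single field of it.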

properties

What you get when you wire the Commander in

  • ·01 Append-only

    Events can be added; none can be modified, reordered or removed from inside the chain without breaking it. The one edit a chain walk cannot see on its own is a tail cut off cleanly, so a verifier should also compare the current tip against the latest head it has already recorded.

  • ·02 Hash-linked

    Every event references the hash of its predecessor. Any contiguous run of events can be checked against a hash the verifier already trusts, without replaying the chain from its first event.

  • ·03 Device-resident

    The ledger does not stream to a central store. No new transit channel, no new attack surface, no new operational dependency.

  • ·04 Operator-controlled lifecycle

    Retention policy, deletion policy, query policy — all owned by the operator, not by us.

  • ·05 PGP-analogous Commander channel

    Operator key authors encrypted, signed commands. Device key receives, executes, signs the response. No third party in the loop.

  • ·06 Asynchronous by design

    Investigation cadence (seconds to hours), not authorization cadence (sub-millisecond). Latency budget is the operator's, not the runtime's.

  • ·07 Privacy-preserving

    No customer PII in the ledger. Device identifiers are pseudonymous. The ledger never leaves the device without an explicit operator-initiated request.

Where to read more

The full ledger format and Commander protocol live in YEI-001 §6.6, shared with regulators and qualifying partners under NDA.

Request the YEI-001 specification →