kolm  /  spec  /  RS-1

RS-1: A Reproducible Signed-artifact format for ML inference.

Specification, threat model, and the K-score reproducibility criterion.

kolm engineering . hello@kolm.ai

v1.0 . 2026-05-15 . citeable as kolm.ai/spec/rs-1

1. Motivation

Three open problems in deployed machine learning motivate this work.

Auditability. A regulator asking "what did the model see and what did it return on this date" cannot be answered by current frontier APIs. The token bill is reproducible; the inference is not.

Portability. A signed artifact is the canonical handle for ML deployment in adversarial environments: air-gap networks, regulated zones, edge devices, multi-tenant clouds. There is no industry-wide format for such an artifact.

Quality contract. "The model is good enough" is the most common production deployment criterion. It is not a contract. A blocking, formula-defined quality gate is.

2. The artifact layout

An RS-1 artifact is a deterministic ZIP file with the extension .kolm. The contents are:

artifact.kolm/
  manifest.json       # canonical-JSON manifest, root of trust
  weights/            # quantized weight tensors (INT4 / INT8 / NVFP4)
  tokenizer.json
  graph/              # computation graph in ONNX / FlatBuffer
  recipe.json         # how this artifact was compiled
  eval.json           # K-score breakdown + eval pack results
  credential.json     # signing identity (X.509 or sigstore)
  receipt.json        # inference receipt template (optional)

The ZIP is built with deterministic mtimes (epoch 0) and store/deflate compression so byte-identical inputs produce byte-identical artifacts.

2.1 Manifest

The manifest binds every entry to a SHA-256 hash. The manifest itself has a CID computed as cidv1:sha256: followed by hex(SHA-256(canonical-JSON(manifest))).

{
  "schema": "rs-1",
  "name": "phi-redactor",
  "base": "qwen2.5-7b-instruct",
  "hashes": {
    "weights/q4_0.bin":   "sha256:1bcf2323...",
    "tokenizer.json":     "sha256:a91e02...",
    "graph/decoder.onnx": "sha256:9c8e44..."
  },
  "k_score": 0.982,
  "compiled_at": "2026-05-14T17:32:01Z"
}

2.2 Canonical JSON

Canonical JSON is the byte-identical serialization used for hashing. Rules: sorted keys recursively, no insignificant whitespace, UTF-8, integers as integers. The reference TypeScript verifier implements this in 14 lines (see packages/sdk-ts).

3. Receipt chain

Every inference produces a receipt:

{
  "manifest_cid": "cidv1:sha256:1bcf2323...",
  "input_sha":    "sha256:f3a9...",
  "output_sha":   "sha256:b2d0...",
  "ts":           "2026-05-15T09:14:22.413Z",
  "seed":         42,
  "k_score":      0.982,
  "hmac":         "hex(HMAC-SHA256(secret, canonical_json(body)))"
}

The HMAC is computed over the canonical-JSON of the body (everything except the hmac field). The reference verifier checks the hash with constant-time comparison (crypto.timingSafeEqual).

3.1 RAG receipt extension

For retrieval-augmented inference, the receipt body includes a retrievals array:

"retrievals": [
  {
    "source_uri":   "s3://corpus/policy-v3.pdf#page=4",
    "content_sha":  "sha256:c1f0...",
    "retrieved_at": "2026-05-15T09:14:22.001Z",
    "score":        0.81
  }, ...
]

This is the load-bearing primitive: replay months later proves the model saw exactly that bundle, in that state.

4. The K-score

The K-score is a five-axis reproducibility criterion. Each axis maps to a measurable property of the artifact under a declared evaluation pack. The composite is:

Where:

• A . Accuracy (0–1) - task-specific score on the evaluation pack. For PHI redaction, F1 over span detection. For classification, balanced accuracy.
• S . Sampling determinism (0–1) - 1 if seeded inference produces byte-identical output across n runs; geometric decay otherwise.
• L . Latency stability (0–1) - 1 if p99 latency ≤ 1.5·p50 over a 1k-sample bench; linear decay above.
• C . Calibration (0–1) - 1 − expected calibration error binned at 10 confidence buckets.
• V . Verifier coverage (0–1) - fraction of receipt fields the reference verifier checks (currently 8/8 = 1.0 for RS-1.0).

The compile-time K-score is recorded in manifest.json and in every inference receipt. A compile is gated by the recipe-declared min_k; the compile fails if K < min_k.

5. Threat model

RS-1 defends against three attacker classes.

T1. Tampered artifact. Mitigated by manifest CID verification on load: the verifier recomputes the CID over canonical-JSON(hashes) and rejects on mismatch. Combined with per-entry SHA-256 verification, the artifact is hash-locked.

T2. Forged receipt. Mitigated by HMAC-SHA256 with constant-time comparison. The secret never leaves the compile environment in the standard deployment; in air-gap mode the secret is provisioned by the operator.

T3. Drift attacker. A retrieval source whose contents change after the receipt is issued. Mitigated by content_sha in retrieval receipts: replay verifies the source content matched at retrieval time. An attacker who can modify a source after the fact still cannot forge a receipt that reproduces.

Out of scope: side-channel timing on the inference engine; weight extraction attacks against the underlying model; rubber-hose attacks against the operator. The format does not solve adversarial robustness of the underlying ML.

6. Reference implementations

Three reference verifiers exist, each pure-stdlib and free of network dependency:

• TypeScript - packages/sdk-ts, 262 LOC, 12 public exports, uses node:crypto, node:fs/promises, node:zlib. No jszip dependency.
• Python - packages/sdk-python/kolm, mirror surface, uses stdlib hashlib, hmac, zipfile.
• Rust - packages/sdk-rust, the read-side library bundled with the CLI.

All three produce byte-identical canonical-JSON serializations, byte-identical CIDs, and byte-identical receipt verification results. This is enforced by an interop test suite (packages/interop).

7. Adoption path

RS-1 is intended for industry-wide adoption. A working implementation, an open spec, and a reference verifier are the minimum bar. The next step is submission to a standards body. We are scoping IETF (CBOR receipt encoding) and W3C Verifiable Credentials WG (the credential.json envelope) as candidate venues in 2026.

8. Related work

The artifact-with-receipt pattern draws on sigstore for code signing, SLSA for build provenance, and the SPIFFE identity model. The reproducibility criterion is closer to the MLPerf evaluation philosophy than to ad-hoc accuracy reporting. The receipt chain mirrors certificate transparency log semantics applied to inference. Distillation is implemented after Hinton et al. (2015) and Gu et al. (MiniLLM, 2023); GRPO follows Shao et al. (DeepSeek-MATH, 2024); HMAC over canonical body follows Bellare et al. (1996).

9. Conclusion

An ML artifact you can hash, sign, and replay is the audit primitive the regulated AI economy is missing. RS-1 is one proposal for that primitive. The spec is public. The verifier is open source. The K-score formula is fixed and citeable. The cost of independent re-implementation in any language with stdlib hashing and ZIP handling is under one engineer-week.

10. Citations

[1] Hinton, Vinyals, Dean. Distilling the Knowledge in a Neural Network. arXiv:1503.02531 (2015).
[2] Bellare, Canetti, Krawczyk. Keying Hash Functions for Message Authentication. CRYPTO (1996).
[3] Shao et al. DeepSeekMath: Pushing the Limits of Mathematical Reasoning. arXiv:2402.03300 (2024).
[4] Gu et al. MiniLLM: Knowledge Distillation of Large Language Models. arXiv:2306.08543 (2023).
[5] Linux Foundation. SLSA: Supply-chain Levels for Software Artifacts. slsa.dev.
[6] sigstore project. sigstore: Software signing for the rest of us. sigstore.dev.
[7] NIST AI 100-1. AI Risk Management Framework v1.0. NIST (2023).