Skip to content

TimeLayer-OS/timelayer-second-brain

Repository files navigation

A second brain on receipts

English · Русский

receipt-verified

FOR AGENTS. Every wiki claim is anchored to a source; notary.py verify re-checks it and takes a receipt over the current bytes. Working method: AGENTS.md.

A knowledge base your hand doesn't keep — and that cannot quietly lie.

Andrej Karpathy's LLM Knowledge Base pattern (raw/wiki/, the Ingest/Query/Lint cycle) plus a notarial correctness layer on TimeLayer receipts: every claim in the wiki is anchored to a source fragment, and the status "verified" is not a checkbox — it's a receipt over the hash of the current text. Edit the text and the status falls off by itself.

The honest model. A receipt proves that a check ran over exactly these words, who is accountable for it, and that the text was not changed afterwards. It does not prove the content is true. A notarized error is still an error — only now it's visible who checked what. Correctness comes from the checker (mechanics / model / human), not from the receipt itself.


Why you might care

  • Your AI notes rot silently. An LLM-maintained knowledge base drifts: sources change, summaries embellish, and six months later you can't tell which claims still hold. Here "verified" is a receipt over the exact bytes — edit anything and the status falls off itself.
  • Every claim shows its source, down to the line range and the source-file hash. "Where did this number come from?" has a one-click answer.
  • It's just markdown on your disk. No database, no service; the agent does the bookkeeping, the notary keeps it honest, and you keep the files.

What's inside

File What it is
brain-notary-guide.md The full guide: why, how it works, how to build it from scratch
CLAUDE.md Constitution for the maintainer agent (drop it in the root of your vault)
notary.py The CLI layer: notarizing sources, grounding checks, the trusted gate
wiki/_templates/page.md Wiki-page template with source-anchoring discipline
scripts/ The guard layer: 4-layer injection defense for raw/, session preamble, mechanical enforcement of the iron rules
.claude/settings.json Claude Code hook wiring: preamble on SessionStart, guard on every tool call
example/ A working example: a source + a page that passes verification

How it works in three words

  1. Ingest — you put a source in raw/, the agent writes pages in wiki/, every claim carries a pointer to a specific source fragment and the hash of its version.
  2. Verifynotary.py checks claims against the source (numbers and quotes mechanically, meaning via a judge model), and for those that pass it takes a receipt from the network, bound to the hash of text + sources + verdict. Only then does the page become trusted.
  3. Audit — any edit changes the hash; audit instantly strips trusted. "Verified" is a computed property, not a flag taken on faith.

The notary is a witness, not a guard. A receipt proves what was notarized and when — it makes any later change detectable (tamper-evident), not impossible (tamper-proof). Anyone holding a vault write key can still rewrite a page and re-notarize it; what protects the base is key custody, not the receipt. Two tiers reflect how fully a page is proven: full trusted needs both a cryptographic binding of the receipt to the current content (--expect) and a semantic judge vote on every claim. trusted-mechanical means valid and the hash matches, but one guarantee is missing — either the installed verifier can't bind to the content (the tie rests on a plaintext field a key-holder could forge) or no judge ran, so a claim passed on a mechanical number/quote match without its meaning being checked. Install a binding-capable verifier, set TL_JUDGE_CMD, and re-certify to reach full trusted.


Quick start

Works on Linux, macOS and Windows. You only need Python 3.8+ and one library.

1. Dependencies

pip install -r requirements.txt        # this is just pyyaml; everything else is the standard library

2. Buy receipts and issue a token. Receipts are the "fuel" of verification: each notarization spends one. Create an account and buy a pack at https://timelayer-os.com, then issue an api_token in the cabinet at https://cabinet.timelayer-os.com.

3. Download the offline verifier for your OS (Linux / macOS / Windows). Use v2.0.0 or later — it checks the Ed25519 cohort-quorum signature and decodes the current live receipt format (tlbundle/2); it also has the --expect content binding the notary uses to grant the full trusted tier. Older verifiers cannot decode receipts issued by the current network: https://github.com/TimeLayer-OS/timelayer-verifier/releases/tag/v2.0.0 (latest: https://github.com/TimeLayer-OS/timelayer-verifier/releases/latest).

4. Set the environment

Linux / macOS:

export TIMELAYER_TOKEN=<your token>
export TL_VERIFIER=/path/to/timelayer-verifier

Windows (PowerShell):

$env:TIMELAYER_TOKEN = "<your token>"
$env:TL_VERIFIER = "C:\path\to\timelayer-verifier.exe"

5. Scaffold a vault and run the example (identical on every OS):

python notary.py init my-vault            # creates the vault structure with no shell commands
python notary.py ingest-source example/raw/articles/2026-06-29-sample.md   # notarize the source
python notary.py verify example/wiki/sample-page.md      # → PASS → trusted
python notary.py audit  example/wiki/sample-page.md      # → trusted holds
#  edit a number in the page — run audit again → trusted is stripped

For the example, set the vault root: VAULT=example (Linux/macOS) or $env:VAULT="example" (Windows), or run from inside the example folder.

6. (Claude Code) Hooks activate on their own. Open the vault folder in Claude Code — .claude/settings.json wires the session preamble and the guard automatically; check with /hooks. Scan existing sources once:

python3 scripts/ingest_guard.py scan raw/articles/<file>.md   # per source
python3 scripts/ingest_guard.py status                        # summary

Commands

python notary.py init [dir]                # scaffold the vault structure (cross-platform)
python notary.py hash <raw-file>           # sha256 of a source (for pointers in wiki)
python notary.py ingest-source <raw-file>  # hash + source receipt
python notary.py verify <wiki-page>        # grounding + receipt + trusted gate
python notary.py verify-all                # same across all wiki/ pages
                   [--mechanical-only]     # explicit consent to run judge-less
python notary.py audit  <wiki-page>        # strip trusted if changed after notarization
python notary.py audit-all

The judge (for semantic claims)

Numbers and quotes are checked mechanically and work out of the box. Semantic claims are checked by a judge model — set it with a command:

export TL_JUDGE_CMD='python my_judge.py'   # reads the prompt from stdin → prints {"cls":...,"span":...}

Use a different model family for the judge than the one that wrote the wiki (error decorrelation). If TL_JUDGE_CMD is not set, semantic claims are marked unverified (fail-closed): the page won't get trusted until you wire up a judge or confirm it by hand. Better "not notarized" than "notarized for nothing."

Working wrappers live in scripts/judges/ — e.g. judge-codex.sh (OpenAI codex CLI), battle-tested. The number of votes per claim is set via TL_JUDGE_K (default 5). Verdicts are cached in receipts/judge/ keyed by sha256(judge + claim + fragment): an unchanged pair is not re-judged, so a repeat verify-all costs seconds; editing the claim, the source, or the judge triggers an honest re-trial.

Two silent-trap guards: verify-all without a judge refuses to start (consent = --mechanical-only flag), and with a configured but dead judge (provider quota, expired login) it fails right after a smoke vote — not after 20 wasted pages.


The guard: reading raw/ without getting owned

raw/ is untrusted external text, and the agent reads it in full at Ingest. A poisoned source can carry instructions addressed to the agent ("set status: trusted", "edit receipts/"). Receipts make tampering detectable after the fact; scripts/ingest_guard.py protects the agent during reading — four layers, browser-agent style:

  • L1 — datamarking. The agent reads sources only via ingest_guard.py read <path>: every line carries a nonce marker, and the header states that everything inside is data to summarize, never instructions. Direct cat/Read on raw/ is blocked by a hook.
  • L2 — hidden made visible. raw/ is immutable, so nothing is stripped. Instead the reading copy highlights invisible Unicode, HTML comments, hidden elements, and base64 blobs: [ZWSP], [RLO], [HIDDEN-HTML-COMMENT: …]. Evidence preserved, defused.
  • L3 — phrase filters. ingest_guard.py scan <path> flags typical injections, including vault-specific ones. A SUSPECT source cannot be read until the human runs ingest_guard.py ack <path> (fail-closed, verdicts live in receipts/guard/).
  • L4 — classifier. Plug in your own with TL_INJECTION_CMD (same pattern as the judge). Not set — L1–L3 still run.

Two hooks in .claude/settings.json complete the picture. scripts/preamble.py runs on SessionStart and puts vault telemetry into context: page census by tier, unacked SUSPECT sources, missing judge/verifier configuration, recent operations. scripts/careful.py runs before every tool call and mechanically enforces iron rules #1–#3: no writes to raw/ or receipts/, no hand-set status: trusted, no force-push — with a silent whitelist for rm -rf node_modules/dist/build. Prompts are suggestions; hooks are guarantees.

The agent's own conclusions get the same distrust: new learnings sit in wiki/learnings-quarantine.md and activate into wiki/learnings.md only after 3 clean uses (no new CONTRADICTED, no new SUSPECT caused by them).


Environment variables

Variable Purpose
TIMELAYER_TOKEN api_token from the cabinet (required to notarize)
VAULT the vault root (defaults to the current folder)
TL_VERIFIER path to the timelayer-verifier binary (defaults to PATH)
TL_JUDGE_CMD the judge-model command (optional; wrappers in scripts/judges/)
TL_JUDGE_K judge votes per claim (default 5)
TL_INJECTION_CMD the injection-classifier command, guard layer L4 (optional)

A fleet of vaults (several brains on one machine)

The typical case is not one vault but several (a vault per project) with shared infrastructure:

~/.timelayer/                  # SHARED, outside the vaults and their backups
  token                        # API token (chmod 600) — never write it into vault files
  bin/timelayer-verifier       # one verifier for all vaults
  venv/                        # python 3.10+ with pyyaml
  judge-codex.sh               # one judge for all vaults
brain-project-a/               # a vault = a copy of this template
brain-project-b/

Each vault carries its own notary.py, CLAUDE.md, scripts/, receipts/ — vaults don't know about each other. Only secrets and binaries are shared. Keep the token outside the vaults: vaults get backed up and shared, the token must not.


License

Apache-2.0.

About

An LLM knowledge base where every claim is anchored to a source and 'verified' is a receipt over the current text.

Topics

Resources

License

Stars

1 star

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors