No Log = No Action

Traditional computing and control architectures treat logging as a telemetry concern, decoupled from execution by asynchronous buffering, deferred writes, and best-effort delivery semantics. In such systems, the execution path and the persistence path are independent: an action completes on the main processor pipeline while a log entry is enqueued in a memory buffer, forwarded through a network stack, and eventually written to a storage backend. This architectural separation introduces non-determinism between execution and persistence, because the temporal ordering of action completion and log commitment is not enforced by any structural constraint.

Actions routinely complete while their corresponding log entries remain in volatile buffers, transit queues, or write-back caches, any of which may be lost to power interruption, process termination, memory pressure eviction, or network partition. The result is that the observability layer provides a probabilistic, best-effort record of system behavior rather than a deterministic, complete, and tamper-evident proof of every externally visible effect.

Post-hoc reconstruction, the standard forensic technique applied when logs are incomplete, is fundamentally unreliable under these conditions. Reconstruction depends on correlating timestamps across distributed components, but clock skew, NTP drift, and deliberate clock manipulation introduce timing inconsistencies that make causal ordering ambiguous. Under adversarial conditions, an attacker with sufficient privilege can selectively delete, modify, or forge log entries, rendering post-hoc analysis not merely incomplete but actively misleading.

Two classes of execution path are particularly dangerous because they reach physical interfaces without traversing any software logging stack. Emergency shutdown sequences in industrial control systems bypass normal software layers entirely, driving actuators through dedicated hardware circuits. Direct Memory Access and memory-mapped I/O paths allow DMA-capable peripherals to read and write physical memory without CPU intervention or software mediation, triggering externally observable effects with no logging whatsoever. Even IOMMU protections are insufficient: documented vulnerabilities include early boot gaps, deferred DMA attacks exploiting stale mappings, and message-signaled interrupt forgery. Telemetry provides observability but not enforcement; any architecture that permits action without structurally guaranteed prior log commitment cannot provide the evidentiary integrity that Ternary Logic demands.

This specification defines the No Log = No Action invariant as a structural execution constraint requiring that no state transition, transaction, API call, or physical actuation may be released unless a corresponding log entry has been fully committed to a local hardware-backed non-volatile accumulator. The invariant is not a policy, a configuration parameter, or a software check; it is an architectural coupling enforced through the physical topology of the execution path.

The invariant is defined over a transition system TS = (S, Act, T, I, AP, L). Two atomic propositions are distinguished: log(a), which holds when a log entry for action a has been fully committed with integrity verified, and exec(a), which holds when action a has produced an externally observable effect.

Log completeness is defined as the conjunction of four conditions: (1) canonical serialization through a deterministic form such as JCS (RFC 8785) or deterministic CBOR; (2) cryptographic hashing with collision-resistant output included in the Merkle accumulator and linked via hash chain; (3) physical persistence to a hardware-backed non-volatile storage element that retains data across power loss; and (4) read-back confirmation with integrity check verifying that the stored hash matches the recomputed hash.

The No Log = No Action invariant transforms logging into a protocol-level gate embedded directly in the execution path, enforcing a strict write-before-release model. The core mechanism is a Merkle accumulator whose root hash serves as the current execution capability token, stored in a hardware-protected register accessible only to the logging subsystem and the actuator interlock, and not writable by any other component regardless of privilege level.

Any attempt to execute an action without presenting a valid capability token that matches the current Merkle root triggers an immediate fault condition, halting the action and initiating a safe harbor transition. Actuator release requires the simultaneous satisfaction of three independent cryptographic requirements:

This specification states explicitly that no administrative privilege, software override, hypervisor code, or System Management Mode firmware can bypass execution gating. The actuator interlock operates at a layer below all software privilege levels: the electrical path from the decision logic to the external actuator physically traverses the interlock hardware, and there is no alternate routing that circumvents it. Transactional semantics enforce atomic commit or full abort: the sequence Idle → Proposed → Logging → Committed → Executing → Complete admits no partial states.

The invariant depends on a hardware root of trust anchoring the entire enforcement chain in tamper-resistant physical components. The trust chain extends from immutable boot ROM through measured firmware stages to the execution gate hardware, with each link cryptographically verified before control passes to the next.

The insufficiency of software-only enforcement is demonstrated through four attack vectors: kernel compromise (full physical memory access enables log suppression); hypervisor escape (documented exploits grant host memory modification); SMM subversion (SMM operates above hypervisor privilege, SMM callout vulnerabilities enable OS-level code to run at SMM privilege); and supply chain substitution (compromised UEFI modules or device firmware subvert the entire software stack before OS load). Hardware enforcement is the only sufficient countermeasure.

The Ternary Logic framework defines a triadic decision space T = {+1, 0, −1} governing every decision cycle. Every decision cycle must produce a committed log entry recording which state was reached, the complete decision vector, confidence metrics, raw input data, and the specific trigger condition — before the result is released to any downstream consumer.

Epistemic Hold is a mandatory state triggered by any of four conditions: confidence below a calibrated per-domain threshold; conflicting inputs providing contradictory evidence; incomplete data with missing, corrupted, or stale-beyond-freshness-bound fields; and out-of-distribution inputs falling outside the convex hull or statistical boundary of the training distribution, as detected by distance metrics, anomaly scores, or distribution shift detectors.

Forced continuation prevention is enforced through three mechanisms: cryptographic time-lock functions (Wesolowski VDF — sequential squaring in a group of unknown order, not parallelizable) that require proof of elapsed time before exit from Epistemic Hold; external pressure detection through timing analysis flagging anomalous latency acceleration; and a complete audit trail of every override attempt with origin attribution, itself requiring log commitment before evaluation.

Every action committed under the invariant must satisfy verifiable prior log requirements establishing an unbroken chain of cryptographic proof from system initialization through the current state. This chain begins at the boot measurement sequence (TPM PCR values) and extends through every logged decision and action via the Merkle accumulator's append-only structure.

For any action a executed at time t, a Merkle inclusion proof of O(log n) hash values demonstrates that the log entry for a is a leaf in the accumulator whose root was the active capability token at time t. A Merkle consistency proof of O(log n) hash values demonstrates that the accumulator state at any earlier time t' is a prefix of the accumulator state at t, confirming no entries were deleted, modified, or reordered.

No component of the identity-integrity-logging triad can be satisfied without the other two: an unsigned entry lacks identity attribution; a signed entry outside the Merkle accumulator lacks integrity verification; and an executed action without a prior committed entry violates the fundamental invariant. The committed log serves as behavioral proof enabling complete trace reconstruction with third-party verification independent of continued operator cooperation.

Canonicalization is the first defense against ambiguity-based attacks. Every log entry is serialized through a deterministic canonical form — conforming to RFC 8785 (JSON Canonicalization Scheme) or deterministic CBOR (dCBOR) — before hashing. The canonical form defines exact field ordering (lexicographic by key for JSON), exact numeric representation (IEEE 754 double-precision), and prohibits duplicate keys, optional whitespace, or alternative representations.

Silent action prevention leverages observable energy consumption correlation: power consumption during periods logged as idle that exceeds the baseline profile indicates unlogged computation. Known operation types produce characteristic signatures matchable against a reference library. This provides a physical-layer tamper detection capability independent of all software-layer mechanisms.

Post-commit immutability is enforced through hardware WORM storage ensuring committed log segments cannot be overwritten. Software-layer enforcement through systems such as SealFS (Linux kernel module with HMAC ratchet chains) ensures that even root-level modifications to committed data are cryptographically detectable. The combination ensures the committed log is immutable in both the physical and logical senses.

This specification requires fail-closed behavior across all critical failure modes: any failure in logging, hashing, storage, key management, or communication subsystems results in immediate cessation of action execution. Failure classification is biased toward conservative interpretation — when the nature of a failure is ambiguous, the system defaults to full halt rather than degraded operation.

Manual override procedures require physical presence verified through local authentication (physical key, biometric sensor, or hardware token on chassis); multi-party authorization (M ≥ 2 of N organizationally independent authorities); and complete logging — all override actions must be committed to a secondary battery-backed recording device if the primary logging subsystem is inoperative, with records integrated into the primary log upon restoration.

The dual-lane architecture resolves the tension between sub-millisecond latency requirements and global auditability by separating log commitment into two concurrent, independent lanes with distinct latency characteristics, durability guarantees, and failure domains.

Circuit breaker behaviors govern the interaction: when the slow lane anchoring queue depth exceeds a high-water threshold, backpressure propagates to monitoring but does not affect fast lane throughput. When the queue exceeds a critical threshold, the circuit breaker opens, suspending new anchoring attempts. Exponential backoff prevents resource exhaustion during outages. The gap between fast lane commitment and slow lane anchoring is bounded by safety-critical time constants specified per deployment domain, with rate limiting enforced when the gap approaches the tolerance bound.