Security Model

CoreTex is designed to fail closed.

Hard rejections include:

  • Wrong parent root.
  • Patch budget violation.
  • Invalid patch encoding.
  • Reserved-region write.
  • No-op patch.
  • Bundle hash or corpus root mismatch.
  • Structural validity failure.
  • Protected regression failure.
  • Retrieval delta below threshold.
  • Score movement inside replay/noise tolerance.
  • Duplicate patch re-submission after a cached verdict.

The coordinator cannot silently invent a valid CoreTex history. Accepted patch bytes and state advances are public events, and independent verifiers can replay the substrate root from chain logs and public artifacts.
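The replay check described above, as an added example that is not CoreTex's own code. The event layout (`parent_root`, `offset`, hex `data`), the SHA-256 root function, the reserved range and the budget are all assumptions, since this page does not specify them; only some of the listed hard rejections are modelled.

```python
import hashlib

# Assumed for illustration: the page does not give CoreTex's real layout.
RESERVED = range(0, 16)   # hypothetical reserved byte offsets
PATCH_BUDGET = 8          # hypothetical maximum bytes per patch


class Rejected(Exception):
    """Hard rejection: replay stops here (fail closed)."""


def root(state: bytes) -> str:
    # Stand-in root function: SHA-256 over the whole substrate.
    return hashlib.sha256(state).hexdigest()


def apply_patch(state: bytes, event: dict) -> bytes:
    """Validate one public accepted-patch event and return the new state."""
    try:
        parent, offset = event["parent_root"], event["offset"]
        data = bytes.fromhex(event["data"])
    except (KeyError, TypeError, ValueError) as exc:
        raise Rejected("invalid patch encoding") from exc
    if type(offset) is not int or offset < 0 or not data \
            or offset + len(data) > len(state):
        raise Rejected("invalid patch encoding")
    if parent != root(state):
        raise Rejected("wrong parent root")
    if len(data) > PATCH_BUDGET:
        raise Rejected("patch budget violation")
    if any(i in RESERVED for i in range(offset, offset + len(data))):
        raise Rejected("reserved-region write")
    if state[offset:offset + len(data)] == data:
        raise Rejected("no-op patch")
    return state[:offset] + data + state[offset + len(data):]


def replay(genesis: bytes, events: list, claimed_root: str) -> bool:
    """Recompute the root from public events; any rejection or mismatch fails."""
    state = genesis
    try:
        for event in events:
            state = apply_patch(state, event)
    except Rejected:
        return False
    return root(state) == claimed_root
```

An independent verifier would feed `replay` the events recovered from chain logs and compare against the published state root; a `False` result means the claimed history cannot be reproduced.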

The expensive evaluator is off-chain. That is intentional: the EVM should not run BGE-M3 or Qwen3. The trust boundary is handled by bundle pinning, a deterministic CPU runtime, per-patch future-blockhash seed binding, duplicate-verdict caching, public replay, signed reports, and auditability of state roots and patch bytes.

The coordinator also runs a canary watchdog over accepted patches. Canary records are not sampled into live gate or confirm packs; they are used to detect score drift that suggests overfitting or corpus leakage.