Automated release from CI pipeline
Changes:
adr-107: cross-installation federation with secure aggregation — privacy chain closes (#725)
Closes the cross-installation federation work explicitly deferred from
ADR-105 + ADR-106. Direct extension of both.
Five-layer defence (extends ADR-106's three):
1-3 (ADR-106): Primitive isolation + grad clipping + DP noise
4 NEW: Secure Aggregation (Bonawitz 2016) -- aggregator sees only sum
5 NEW: Per-installation embedding-space rotation key -- cross-install re-ID prevented
Counter-intuitive privacy win: cross-installation amplification IMPROVES
privacy. With N=10 installations each at sigma_local=1.0:
- Per-installation epsilon (50 rounds): 2.5
- Cross-installation effective sigma = sqrt(N) * sigma_local = 3.16
- Cross-installation epsilon (50 rounds): ~1.5 <-- STRONGER
Cross-installation federation actually improves privacy through the
amplification effect, as long as the crypto protocol is implemented
correctly.
Bandwidth: ~2 MB/install/round, monthly ~70-200 MB/install
(within+cross). <0.1% of typical home broadband.
Implementation budget:
- ADR-105 baseline: 500 LOC
- ADR-106 layers: +300 LOC
- ADR-107 SA layer: +530 LOC
- TOTAL ruview-fed: ~1,330 LOC, ~6 weeks
The privacy chain closes:
- R6/R6.1 physics forward model
- R3 embedding-space re-ID
- R14 ethical opt-in / on-device / override
- R15 biometric primitive catalogue
- ADR-105 within-installation federation
- ADR-106 DP-SGD + primitive isolation
- ADR-107 cross-installation + secure aggregation
Every layer has a formal guarantee, implementation path, and honest
scope. No remaining unspecified privacy gap. Cross-installation
training can ship without violating any constraint surfaced by the
research loop.
Threat model: 8 threats, every row has a mitigation layer.
- Compromised aggregator views deltas -> Layer 4 SA
- Cross-installation re-ID -> Layer 5 rotation
- Sybil -> Layer 4 dropout + Krum + N >= 5
- Quantum-resistant: out-of-scope ADR-108 (Kyber substitution)
Honest scope:
- Cross-org PKI = operational, not architectural
- Krum+SA composition proof is non-trivial; reference implementations
needed before production
- sqrt(N) amplification assumes installation independence
- Drop-out reconstruction has known attack surfaces (Bonawitz §4.3)
- Per-cog suitability varies (cog-wildlife yes, cog-maritime-watch no)
Composes:
- R3+R15 enforcement now technical, not just policy
- R7 mincut extends to cross-installation adversarial detection
- R12 PABS works at any installation in local rotated embedding space
- R10/R11 cogs benefit asymmetrically
Coordination: ticks/tick-22.md, no PROGRESS.md edit.
Docker Image:
ghcr.io/ruvnet/RuView:9b5e317f99fabc63b78dcca9852f325f82301e22
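
Added example (not part of the release notes and not code from ruview-fed): a sketch of the pairwise-mask idea behind Layer 4, where each installation's masked delta looks random to the aggregator while the masks cancel in the sum. All names, the 2^32 modulus, the fixed-point scale, the sample updates and the pairwise seeds are constructed assumptions; key agreement and the dropout recovery of Bonawitz et al. are omitted.

```python
import hashlib
import itertools
import struct

MOD = 2 ** 32    # masks and encoded updates live in Z_{2^32} (assumed modulus)
SCALE = 2 ** 16  # fixed-point scale for float -> integer encoding (assumed)

def prg(seed: bytes, length: int) -> list[int]:
    """Expand a pairwise seed into `length` mask words (SHA-256 in counter mode)."""
    out, counter = [], 0
    while len(out) < length:
        block = hashlib.sha256(seed + struct.pack(">I", counter)).digest()
        out.extend(struct.unpack(">8I", block))
        counter += 1
    return out[:length]

def encode(update: list[float]) -> list[int]:
    """Fixed-point encode an already clipped and noised update into Z_{2^32}."""
    return [round(x * SCALE) % MOD for x in update]

def decode_sum(words: list[int]) -> list[float]:
    """Map the aggregate back to signed fixed point, then to float."""
    return [((w + MOD // 2) % MOD - MOD // 2) / SCALE for w in words]

def mask(i: int, encoded: list[int], seeds: dict) -> list[int]:
    """Installation i adds the mask of pair (i, j) when i < j, subtracts when i > j."""
    masked = list(encoded)
    for (a, b), seed in seeds.items():
        if i not in (a, b):
            continue
        sign = 1 if i == a else -1
        for k, m in enumerate(prg(seed, len(encoded))):
            masked[k] = (masked[k] + sign * m) % MOD
    return masked

def aggregate(masked_updates: list[list[int]]) -> list[int]:
    """The aggregator's only operation: a coordinate-wise sum mod 2^32."""
    return [sum(col) % MOD for col in zip(*masked_updates)]

# Constructed sample: N = 5 installations, 4-dimensional updates.
N = 5
UPDATES = [[0.25 * (i + 1), -0.5, 0.125 * i, 1.0 - i] for i in range(N)]
# Constructed pairwise seeds; a real deployment derives them via key agreement.
SEEDS = {(a, b): f"constructed-seed-{a}-{b}".encode()
         for a, b in itertools.combinations(range(N), 2)}
MASKED = [mask(i, encode(u), SEEDS) for i, u in enumerate(UPDATES)]
```

If one installation's masked vector is missing, its pairwise masks no longer cancel and the sum decodes to noise, which is the case the dropout-recovery step of the full protocol exists to handle.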