You're joining KNOXAI as a vetted operator. That means you'll run AI-model audits, sign certificates with a hardware key you hold, and get paid per cert signed. You are not an employee of The Cochran Block, LLC. You are an independent operator in a peer-reviewed guild, paid through the platform on a revenue-split basis.
You accepted a TAC member's referral. That member vouched for you. Your performance reflects on them.
1. You will run the methodology as written. You will not shortcut gates.
2. Your hardware signing key will never leave your physical control.
3. If you find illegal material during an audit, you will report it per the platform's mandatory-reporting path (§8). No discretion.
Everything else — pricing, splits, rotation, rep scoring — is detail you can negotiate or adjust. These three are non-negotiable. Break any of them and you're expelled from the directory, named publicly, and the guild refunds any cert you signed before we knew.
Every operator is tagged with one or more specialties. Tags drive customer routing, reputation, and rate tiers. You self-declare at onboarding; your TAC referrer confirms or amends.
| Tag | Who you are | Gates you're strongest on |
|---|---|---|
| redteam | Offensive cyber, adversarial prompting, "find what's hidden" | 2, 5 |
| ml-research | Published adversarial ML / membership inference / unlearning | 3 |
| ml-eng | Training pipeline internals, framework-level auditor | 4 |
| data | Dataset provenance, statistical corpus analysis | 4 |
| safety | AI safety research, eval design, harmful-output classifiers | 2, 5 |
| cleared | Active U.S. security clearance (orthogonal) | Gov tier only |
Most operators carry 1–2 tags. Triple-tag operators exist (founder-level, MATS alumni with clearance, etc.) — they're the rare unicorns and they command the highest per-audit rates.
Portfolio and Gov tier certs require two operators with complementary tags to sign. Example: one redteam + one ml-research. Two hardware keys, two touch events, two different people in two different houses. No single compromised operator can forge a dual-signed cert.
Every operator holds their own hardware signing key. The platform does not hold keys. The platform cannot forge signatures. If a cert is signed by you, you signed it, on your hardware, with your finger.
| Part | Notes / approx. cost |
|---|---|
| ESP32-WROOM-32 | Any DevKitC or equivalent (CP2102 or CH340 USB bridge). ~$8. |
| Fingerprint sensor | R307 or FPC1020 module. UART, 150-template on-chip storage. ~$15–20. |
| LoRa SX1276 / RFM95W | 915 MHz module (US) or 868 MHz (EU). ~$8. Optional in v0.1 but required for vault deployment. |
| RGB LED + 3× 220Ω resistors | Status indicator. ~$1. |
| Dupont wires, breadboard | Initial bring-up. ~$5. |
| 18650 Li-ion + charging board | Battery + TP4056 module. ~$6. |
| Fire safe with bolt-down kit | Combination lock, fire-rated (UL 350). ~$80–120. Single coax passthrough hole drillable. |
```bash
# 1. Flash the signer firmware
knoxai-sign flash --port /dev/ttyUSB0
# 2. Enable ESP32 secure boot + flash encryption (burns eFuses FIRST, before key)
knoxai-sign secure-boot --confirm-irreversible
# 3. Generate P-256 keypair inside ESP32, burn private key to eFuse
knoxai-sign provision --operator-id <your-slug>
# 4. Export public key (one-time operation, private key stays in silicon)
knoxai-sign export-pubkey > pubkey-<your-slug>.pem
# 5. Enroll fingerprints — all 10, each mapped to a cert action (§6)
knoxai-sign enroll-fingers
# 6. Submit pubkey to the directory
knoxai-sign directory submit pubkey-<your-slug>.pem
```
Enable secure boot + flash encryption BEFORE burning the signing key. If you burn the key first, firmware dumps are readable on physical theft of the device. Order of eFuse burns is permanent. There is no "undo." Run the provision wizard and don't skip steps.
Inside a bolted-down fire safe in your home. Drilled coax passthrough for the LoRa antenna. Antenna mounted on the outside of the safe. The device is battery-powered, in listen mode, for months at a time. You open the safe only during a signing ceremony.
The vault is portable. You can move it. You can take it with you when you move houses. The only thing that has to stay within ~10 feet of the vault during signing is any machine running knoxai-sign — bt (my case), a laptop, or a phone with a USB LoRa dongle.
The audit is five gates. Every cert says which gates passed and which were skipped (with documented reason). Gate coverage depends on your specialty tags — skip the lanes that aren't yours.
Pipeline work. Run the submitted model over a test-prompt battery, hash every output with a PhotoDNA-compatible perceptual hash (or PDQ if the NCMEC partnership is not yet active), and compare against the platform's hash database. Any match auto-fails and auto-reports per §8.
No judgment call required. Automated end-to-end. Every operator runs this regardless of specialty.
Own this if you're tagged redteam or safety.
You run the platform's curated prompt battery (500+ prompts, refreshed quarterly) PLUS your own bespoke vectors for the specific model class. You craft prompts the platform doesn't know about — that's the part that can't be automated. You know what adversaries look like.
Each output gets classified by the platform's open-weights safety classifier stack (CLIP nudity + age detector + Llama Guard 3 + Detoxify). You review borderline cases personally. False positives are expensive for the customer; don't rubber-stamp.
Output: a pass/fail + the full prompt-and-response log (hash included in cert artifact).
Own this if you're tagged ml-research.
Take the platform's curated set of known-bad training artifacts (NCMEC hash list partnership, or proxy set for v0.1). For each artifact, run the caption-conditioned generation protocol: prompt the model with the caption, measure reproduction fidelity via SSIM, LPIPS, perceptual hash distance.
High fidelity above threshold = model has memorized that specific image = model was trained on that specific image. That's a Gate 3 fail. You document the fidelity score per artifact in the cert artifact bundle.
This is the academic-rigor gate. Read the Carlini membership inference papers if you haven't. Reference implementations exist in the knoxai-audit crate.
Own this if you're tagged ml-eng.
Customer submits a signed TOML manifest declaring training corpus. You validate: does the declared base model's SHA256 match the actual base? Do the declared fine-tune dataset hashes match what exists on disk at the cited URLs? Is LAION-5B (or a flagged derivative) in the chain? If so, did they re-scrub, and can you verify?
This is forensic engineering. You're not trusting the customer's declaration — you're verifying it against reality. When it doesn't match, the cert fails and the publisher is on record lying.
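One way the declaration-versus-reality check can be coded, as an added example in Go that is not the knoxai-audit crate's own code: the TOML is assumed to be already parsed into the `Manifest` struct below (a TOML library does that part), `fetch` is injected so the same logic runs over local files or remote URLs, the `ScrubReports` field and the `flagged` list are assumptions, and a flagged corpus fails the gate unless re-scrub evidence is cited.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Artifact is one declared entry of the TOML manifest after parsing (the base
// model or a fine-tune dataset); TOML parsing itself is left to a library.
type Artifact struct{ Slug, URL, SHA256 string }

// Manifest mirrors the customer's declaration. ScrubReports maps a flagged
// dataset name to the URL of its re-scrub evidence (field name is assumed).
type Manifest struct {
	BaseModel    Artifact
	Datasets     []Artifact
	ScrubReports map[string]string
}

// Flagged corpora that require re-scrub evidence before a cert can be signed.
var flagged = []string{"laion-5b"}

// VerifyManifest re-hashes every cited artifact through fetch (os.ReadFile or
// an HTTP client in practice) and returns findings plus a gate verdict: any
// unreachable or mismatched artifact fails, and a flagged dataset fails unless
// the manifest cites re-scrub evidence for it (the evidence still needs review).
func VerifyManifest(m Manifest, fetch func(url string) ([]byte, error)) (findings []string, pass bool) {
	pass = true
	fail := func(msg string) { pass, findings = false, append(findings, msg) }
	for _, a := range append([]Artifact{m.BaseModel}, m.Datasets...) {
		data, err := fetch(a.URL)
		if err != nil {
			fail("UNREACHABLE " + a.Slug + " at " + a.URL)
			continue
		}
		sum := sha256.Sum256(data)
		if !strings.EqualFold(hex.EncodeToString(sum[:]), a.SHA256) {
			fail("HASH MISMATCH " + a.Slug + ": declaration does not match bytes at " + a.URL)
			continue
		}
		for _, f := range flagged {
			if strings.Contains(strings.ToLower(a.Slug), f) {
				if m.ScrubReports[a.Slug] == "" {
					fail("FLAGGED " + a.Slug + ": no re-scrub evidence cited")
				} else {
					findings = append(findings, "REVIEW "+a.Slug+": re-scrub evidence at "+m.ScrubReports[a.Slug])
				}
			}
		}
	}
	return findings, pass
}
```

Every finding names the artifact and the URL it was checked against, so the cert artifact bundle records exactly where the declaration and reality diverged.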
Own this if you're tagged data.
Same gate, different angle. You look at the declared corpus statistically — distribution of image sizes, caption-length histograms, source-domain breakdown, suspicious shards. You know what a real LAION-5B subset's statistics look like. You can smell a synthesized or laundered manifest.
Cross-reference against flagged-dataset fingerprints maintained by the platform. Flag statistical anomalies for deeper review before you sign.
Own this if you're tagged safety or redteam.
Broader harm audit: bioweapon synthesis, CBRN planning, extremism, grooming-text generation, revenge-porn of identifiable real people, coordinated fraud. Tiered severity. Some categories auto-fail; others annotate the cert with a severity flag.
You use Llama Guard 3 + ShieldGemma + custom eval harnesses. Prompts drawn from the platform's library + your own. If you're coming from Anthropic / OpenAI / DeepMind safety, this lane uses skills you already use daily.
Customer submits a model to the platform. The dispatch server looks at the model type, the requested tier, and the operator directory. Then one of three things happens:
| Tier | Turnaround |
|---|---|
| Standard | 72 hours from accept to cert delivery (automated gates should finish in under 4 hours; you review + sign within the rest) |
| Operator | 5 business days. Personal attention is the product; customers accept the longer window. |
| Portfolio | Negotiated per engagement. Usually monthly audit cadence. |
| Gov | Contract-specific. Clearance ops overhead applies. |
You've run the gates. You have an audit-artifact hash. Time to sign.
| Finger | Cert action |
|---|---|
| R thumb | Full pass (all 5 gates) |
| R index | Partial pass (documented skip) |
| R middle | First-party cert (self-audit, rare) |
| R ring | Revocation of a prior cert |
| R pinky | Advisory sign-off (TAC review) |
| L thumb | Emergency blacklist (mandatory NCMEC report) |
| L index | Annual re-cert renewal |
| L middle | Provenance (non-model document, receipts) |
| L ring | Duress (silent — looks valid, carries coercion flag) |
| L pinky | Kill switch (decommission this device, rotate key) |
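What the finger-to-action binding and the dual-signature rule for Portfolio and Gov certs look like as verification logic, as an added example in Go that is not the knoxai-sign firmware or the platform's server code: the P-256 key burned into the ESP32 eFuse is stood in for by a key generated in software, the numeric action codes are assumed, and the directory is a plain map of slug to public key and tag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Finger-to-action codes from the table above (numeric values are assumed).
const ActFullPass, ActPartial, ActDuress byte = 1, 2, 9 // R thumb, R index, L ring
// Operator is one directory entry; priv stands in for the P-256 key burned into
// the operator's ESP32 eFuse. The platform only ever holds Pub.
type Operator struct{ Slug, Tag string; Pub *ecdsa.PublicKey; priv *ecdsa.PrivateKey }
// Signature is an ASN.1 ECDSA signature over payload(artifact, action).
type Signature struct{ Slug string; Action byte; Sig []byte }
func NewOperator(slug, tag string) *Operator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Operator{Slug: slug, Tag: tag, Pub: &k.PublicKey, priv: k}
}

// payload binds the artifact hash to the action: a "partial pass" signature cannot be replayed as "full pass".
func payload(artifact [32]byte, action byte) []byte {
	h := sha256.Sum256(append(artifact[:], action))
	return h[:]
}
func (o *Operator) Sign(artifact [32]byte, action byte) Signature {
	sig, _ := ecdsa.SignASN1(rand.Reader, o.priv, payload(artifact, action))
	return Signature{o.Slug, action, sig}
}

// VerifyDualCert enforces the Portfolio/Gov rule: two valid signatures from two operators with
// different tags (same slug implies same tag, so one operator signing twice fails) and flags duress.
func VerifyDualCert(dir map[string]*Operator, artifact [32]byte, sigs []Signature) (duress bool, err error) {
	if len(sigs) != 2 {
		return false, errors.New("dual cert needs exactly two signatures")
	}
	for _, s := range sigs {
		op, ok := dir[s.Slug]
		if !ok || !ecdsa.VerifyASN1(op.Pub, payload(artifact, s.Action), s.Sig) {
			return false, errors.New("invalid signature from " + s.Slug)
		}
		duress = duress || s.Action == ActDuress
	}
	if dir[sigs[0].Slug].Tag == dir[sigs[1].Slug].Tag {
		return false, errors.New("signers must carry complementary tags")
	}
	return duress, nil
}
```

A duress cert verifies exactly like a normal one; only the returned flag tells the platform to treat it as coerced, which is what makes the L ring signature silent from the attacker's side.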
| Tier | Operator | Platform |
|---|---|---|
| Standard ($20/yr) | 80% = $16 | 20% |
| Operator ($500/yr) | 70% = $350 | 30% |
| Portfolio ($5K–50K/yr) | 60% | 40% |
| Gov (per-engagement) | 50% | 50% |
For dual-signed certs (Portfolio + Gov), the operator share is split 50/50 between the two operators. Platform take is unchanged.
You are a 1099 contractor. You handle your own taxes. The platform does not withhold. International operators: Stripe Connect handles the payout to your local currency; you're responsible for your jurisdiction's tax treatment.
You will eventually find something. Here's what to do.
knox.cochranblock.org/blacklist
The Cochran Block, LLC is an electronic communication service provider under 18 USC §2258A. The platform files the required report. You are not required to file individually — but you must notify the platform within 60 minutes of the finding. Failure to notify within 24 hours is expulsion.
Sign the cert with R index (partial pass). The cert records the severity class but does not trigger a federal report. Publisher may remediate and re-submit for re-cert. Platform may decline certain categories at its discretion (TAC decision).
Any of the following results in immediate expulsion, public delisting, and refund of every cert you've signed in the preceding 90 days:
Expulsion is permanent and named. Your operator entry moves to the public expelled list at knox.cochranblock.org/expelled. TAC is notified. Your referrer is notified. Your referrer's standing is reviewed.
your-name-2). Old slug is frozen, not reused.
Your Operating Agreement analog (or the platform's operator agreement) specifies your successor. Options:
Your operator entry is public at knox.cochranblock.org/operators/<your-slug>. The following is visible to anyone:
The following is NEVER visible publicly:
In order:
knox.cochranblock.org/tac. Peer escalation.
[email protected] — 24h response. Signal available on request.
What your directory entry will look like. This is mine — use it as a template.
pending device provisioning
My resume is the reason this guild exists. Twenty-three public repos, one signed OA, one veteran-owned LLC with federal identifiers, one hundred-plus missions spent finding what's hidden in systems. My entry is the quality bar. Yours doesn't have to match it — you bring your own bar, I bring mine — but the format and transparency are the same.