|
| 1 | +# Wedge Portfolio |
| 2 | + |
| 3 | +Trust Graphs |
| 4 | + |
| 5 | +Multiplayer Utility - the layer 5 software-system. |
| 6 | + |
| 7 | +> The Artifact is Everything: The core gap in the market is not another |
| 8 | +> dashboard or security agent. The gap is the lack of signed, time-anchored, |
| 9 | +> portable, and settlement-grade receipts. Your competitors are building USB |
| 10 | +> agents, but they are still thinking in terms of "logs," not "evidence." This |
| 11 | +> is your key differentiator. The Wedge is Real and It's Top-Down: Your initial |
| 12 | +> intuition was right, but your time at SEMICON and analyzing the OT landscape |
| 13 | +> has confirmed a critical detail: the adoption of "Receipt Rails" in high-value |
| 14 | +> industrial sectors will be driven top-down by compliance and standards, not |
| 15 | +> bottom-up by individual developers. The key is to align with emerging |
| 16 | +> standards like ISA/IEC 62443 and SEMI E187/E188 and sell to the Tier-1 fabs, |
| 17 | +> OSATs, and utilities who are forced to comply. The "singleplayer utility" is |
| 18 | +> selling them a tool that makes this compliance auditable and less painful. |
| 19 | +
|
| 20 | +- Blockchain Wallet Reputation |
| 21 | +- Email Sender Reputation |
| 22 | +- Sayari Supply Chain Trust |
| 23 | +- DevOps Authority Tracing |
| 24 | + |
| 25 | +- Energy DR/curtailment |
| 26 | + - Verifier: utility/auditor/insurer |
| 27 | + - Value: kW×Δt “receipts” → faster payouts, lower disputes |
| 28 | + - T1R: 4–8 weeks (site + meter/EMS hookup) |
| 29 | +- Fisheries/cold-chain |
| 30 | + - Verifier: export compliance, buyer’s QA, insurer |
| 31 | + - Value: catch + temperature receipts → export finance, fewer chargebacks |
| 32 | + - T1R: 6–10 weeks (boat + sensor pack + buyer) |
| 33 | +- Disaster logistics corridors (UAV/USV + mesh) |
| 34 | + - Verifier: NGO/agency auditors |
| 35 | + - Value: movement/hand-off receipts → audit time −50% |
| 36 | + - T1R: 4–8 weeks (pilot corridor + NGO) |
| 37 | +- Informal delivery fleets (motorbike) |
| 38 | + - Verifier: micro-insurer/financier |
| 39 | + - Value: delivery/outcome receipts → eligibility for insurance/credit |
| 40 | + - T1R: 4–6 weeks (fleet partner + phone app) |
| 41 | +- Reverse logistics (RMA) |
| 42 | + - Verifier: finance/audit/ERP; sustainability reporting |
| 43 | + - Value: RMA state-machine “receipts rail” → refunds/chargebacks clarity, |
| 44 | + refurb analytics |
| 45 | + - T1R: 4–8 weeks (one brand + 3PL) |
| 46 | +- Internal HR compliance (Fair Work–style dispute trail) |
| 47 | + - Verifier: regulator/tribunal; corporate audit |
| 48 | + - Value: standardized settlement-grade artifacts for legal discovery → faster |
| 49 | + resolution -> prevents "lack of documentation" - because process is |
| 50 | + admin-heavy |
| 51 | + - T1R: 4–6 weeks (one HR/legal team) |
| 52 | + |
| 53 | +--- |
| 54 | + |
| 55 | +DevOps authority tracking - this is like SSO (and that user onramp/offramp) |
| 56 | +extended to the entire devops enterprise resources |
| 57 | + |
| 58 | +I need a way to "write down" or audit log a change to authority. |
| 59 | + |
| 60 | +I just changed my GitHub CI/CD NIXPKGS_PRIVATE_PAT to a new one. |
| 61 | + |
| 62 | +Why? |
| 63 | + |
| 64 | +Because after offboarding an employee, it turns out that while she was |
| 65 | +responsible for setting up infrastructure, she had injected her own PAT there. |
| 66 | +And it worke while her account was active. |
| 67 | + |
| 68 | +After offboarding her accounts, the CI/CD failed. It failed (late) rather than |
| 69 | +(early) because we don't early warning that a particular token that is used |
| 70 | +somewhere is now invalid because of a state change somewhere else (this the |
| 71 | +action at a distance problem, or cache-coherency/state-sync/foreign-key |
| 72 | +integrity problem applied to configuration/and secrets). |
| 73 | + |
| 74 | +To fix this, I generated a new token - but I had to: |
| 75 | + |
| 76 | +1. Figure why it was failing? |
| 77 | +2. Trace to the root cause that was due to an invalid token. |
| 78 | +3. Backtrack through business-tacit-knowledge realising that she was responsible |
| 79 | + for this technology domain, and therefore maybe it was her token. |
| 80 | +4. Figure out how to "recreate" this token - because it's not 100% clear what |
| 81 | + exactly this token was capable of. |
| 82 | +5. Inferring from the name, it's a token designed to access only a single |
| 83 | + repository with read-only permissions of the contents. |
| 84 | +6. Therefore, replacing it with a token that has that exact authority - but |
| 85 | + under a new more durable principal rather than any single user's account. |
| 86 | +7. But now we have a repeat problem. The point problem is fixed, but a long term |
| 87 | + problem remains. There is no audit log, and this problem can happen again. |
| 88 | + The token will expire eventually and we will have this problem again. |
| 89 | + |
| 90 | +An audit log is not enough. I could write it into a log. But it's not |
| 91 | +composable, not automated, not open. It's not "connected" the Source of |
| 92 | +Authority, the User of Authority and Target of Authority. |
0 commit comments