docs: Replace infrastructure-sovereignty.md with auditor-privacy-preserving-geolocation.md

ramkri123 · ramkri123 · commit dcddc77b0e90 · 2026-01-23T01:52:35.000+01:00
- DELETED: infrastructure-sovereignty.md (redundant with unified identity doc)
- NEW: auditor-privacy-preserving-geolocation.md
  - Section 2: PET comparison (TEE, FHE, MPC, DP vs ZKP)
  - Explains why ZKP is optimal for geolocation compliance
  - Multi-sensor fusion architecture
  - SVID geolocation claims
  - Evidence Bundle for auditors

- Updated cross-references in README.md and AI governance doc
- Builds on unified identity framework instead of duplicating
diff --git a/README.md b/README.md
@@ -137,7 +137,7 @@ AegisSovereignAI is designed to be framework-agnostic, serving as a secure execu
 ## Technical & Auditor Resources
 
 *   **[Auditor Guide](./docs/auditor.md)** - High-level overview of the attestation-linked evidence model covering the full AI lifecycle (Ingestion, Training, and Inference), verifiable geofencing (Reg-K), and identity binding. Includes the complete Evidence Bundle structure for regulatory reporting.
-*   **[Infrastructure Sovereignty (Layer 1/2)](./docs/infrastructure-sovereignty.md)** - Technical deep-dive on **Environmental Trust**: Hardware attestation (TEE/TPM), identity binding (SPIFFE/SPIRE + Keylime), privacy-preserving geofencing (Reg-K), and data ingestion provenance.
+*   **[Privacy-Preserving Geolocation (Layer 2)](./docs/auditor-privacy-preserving-geolocation.md)** - Technical deep-dive on **privacy-preserving geofencing** for Reg-K/GDPR compliance, including ZKP vs. other PETs comparison, multi-sensor fusion, and SVID geolocation claims.
 *   **[Privacy-Preserving AI Governance (Layer 3)](./docs/auditor-privacy-preserving-ai-governance.md)** - Technical walkthrough of the **Four-Track Layer 3 Governance Lifecycle** (Training, System Prompt, User Prompt, Output), Batch & Purge architecture, and modular Evidence Bundle verification.
 *   **[Threat Model: Unmanaged Device Security](./hybrid-cloud-poc/THREAT-MODEL-unmanaged-device.md)** - Analysis of **Infrastructure Blind Spots** on **BYOD/Unmanaged Devices**, detailing how AegisSovereignAI prevents location spoofing via hardware-rooted sensor fusion.
 *   **[Unified Identity Deep-Dive](./hybrid-cloud-poc/README-arch-sovereign-unified-identity.md)** - Detailed technical architecture of the SPIRE/Keylime identity fusion model.
diff --git a/docs/auditor-privacy-preserving-ai-governance.md b/docs/auditor-privacy-preserving-ai-governance.md
@@ -1,11 +1,11 @@
 # Layer 3: Privacy-Preserving AI Governance (The "Audit without Disclosure" Paradox)
 
-> **For Technical Auditors & Architects:** This document provides a deep technical walkthrough of the **Layer 3 AI Governance** model using **privacy-preserving techniques (e.g., ZKPs)** for prompt and output verification. For Layer 1/2 foundations (Hardware Trust, Identity, Location), see **[Infrastructure Sovereignty](./infrastructure-sovereignty.md)**.
+> **For Technical Auditors & Architects:** This document provides a deep technical walkthrough of the **Layer 3 AI Governance** model using **privacy-preserving techniques (e.g., ZKPs)** for prompt and output verification. For Layer 1/2 foundations (Hardware Trust, Identity, Location), see **[Privacy-Preserving Geolocation](./auditor-privacy-preserving-geolocation.md)**.
 
 This document solves the **"Audit without Disclosure"** paradox: how can enterprises prove AI compliance to regulators without exposing proprietary prompts or retaining high-liability PII?
 
 > [!IMPORTANT]  
-> **Layer 2 Prerequisites:** All Layer 3 governance assumes a verified **Sovereign Anchor** is in place. Before proceeding with content verification, auditors must confirm the workload is running on attested hardware (Layer 1) with verified identity and location (Layer 2). See **[Infrastructure Sovereignty](./infrastructure-sovereignty.md)** for Stage 1 verification.
+> **Layer 2 Prerequisites:** All Layer 3 governance assumes a verified **Sovereign Anchor** is in place. Before proceeding with content verification, auditors must confirm the workload is running on attested hardware (Layer 1) with verified identity and location (Layer 2). See **[Privacy-Preserving Geolocation](./auditor-privacy-preserving-geolocation.md)** for Stage 1 verification.
 
 ## 1. The Problem: The Prompt & Output Paradox
 
@@ -84,7 +84,7 @@ While multiple Privacy-Enhancing Technologies (PETs) exist, **ZKP** provides the
 AegisSovereignAI's Layer 3 provides **cryptographic verification** across the AI governance lifecycle: **Model Training → System Prompt → User Prompt → AI Output**.
 
 > [!NOTE]
-> **Layer 2 Content Moved:** Data Ingestion Provenance (Track A) and Geofencing verification are Layer 2 concerns. See **[Infrastructure Sovereignty](./infrastructure-sovereignty.md)** for these primitives.
+> **Layer 2 Content Moved:** Data Ingestion Provenance (Track A) and Geofencing verification are Layer 2 concerns. See **[Privacy-Preserving Geolocation](./auditor-privacy-preserving-geolocation.md)** for these primitives.
 
 ### Track A: Model Training Governance (Redaction Policy)
 
@@ -309,7 +309,7 @@ If the ZKP circuit encounters a prompt that violates an **Exclusion Rule** (e.g.
 
 > [!NOTE]
 > **Modular Verification:** The complete Evidence Bundle is verified in two stages:
-> - **Stage 1 (Layer 1/2):** "Is this a valid Aegis Sovereign Node?" See **[Infrastructure Sovereignty](./infrastructure-sovereignty.md)**
+> - **Stage 1 (Layer 1/2):** "Is this a valid Aegis Sovereign Node?" See **[Privacy-Preserving Geolocation](./auditor-privacy-preserving-geolocation.md)**
 > - **Stage 2 (This Document):** "Did this node follow the governance policy for this session?"
 
 When an auditor requests **Layer 3 compliance evidence**, they receive:
@@ -447,4 +447,4 @@ A `sovereign_factory` applies the `governance.wrap_node` decorator to the LangGr
 
 ---
 
-[Root README](../README.md) | [Auditor Guide](./auditor.md) | [Infrastructure Sovereignty (Layer 1/2)](./infrastructure-sovereignty.md) | [IETF WIMSE Draft](https://datatracker.ietf.org/doc/draft-lkspa-wimse-verifiable-geo-fence/)
+[Root README](../README.md) | [Auditor Guide](./auditor.md) | [Privacy-Preserving Geolocation (Layer 2)](./auditor-privacy-preserving-geolocation.md) | [IETF WIMSE Draft](https://datatracker.ietf.org/doc/draft-lkspa-wimse-verifiable-geo-fence/)
diff --git a/docs/auditor-privacy-preserving-geolocation.md b/docs/auditor-privacy-preserving-geolocation.md
@@ -0,0 +1,291 @@
+# Privacy-Preserving Geolocation Verification for Auditors
+
+> **For Technical Auditors & Architects:** This document provides a deep-dive on **privacy-preserving geolocation verification** for regulatory compliance (e.g., Reg-K, GDPR). For the underlying hardware and identity architecture, see **[Unified Identity & Trust Framework](../hybrid-cloud-poc/README-arch-sovereign-unified-identity.md)**. For Layer 3 AI governance, see **[Privacy-Preserving AI Governance](./auditor-privacy-preserving-ai-governance.md)**.
+
+---
+
+## 1. The Problem: The Residency vs. Privacy Deadlock
+
+Regulators require **proof of data residency** (e.g., **Regulation K**), but traditional geofencing creates a fundamental conflict:
+
+| Requirement | Traditional Approach | Liability / Risk |
+|-------------|---------------------|------------------|
+| **Prove Data Residency** | Log precise GPS coordinates | Creates massive PII liability under GDPR |
+| **Comply with GDPR** | Don't store location data | Cannot prove Reg-K compliance |
+| **Prevent Location Spoofing** | Rely on IP-based geofencing | Trivially bypassed with VPNs |
+
+**The Deadlock:** Enterprises are forced to choose between **non-compliance with residency laws** or **privacy violation under GDPR**.
+
+---
+
+## 2. Privacy-Preserving Techniques: A Technical Comparison
+
+Multiple Privacy-Enhancing Technologies (PETs) exist for protecting location data. Below is an analysis of why **Zero-Knowledge Proofs (ZKPs)** are optimal for geolocation compliance.
+
+| Technology | How It Works | Pros | Cons for Geolocation |
+|------------|--------------|------|----------------------|
+| **Trusted Execution Environments (TEEs)** | Process location inside hardware enclaves (Intel SGX, AMD SEV) | Low overhead, real-time processing | Requires external auditor to trust the enclave; no portable proof for regulators |
+| **Homomorphic Encryption (FHE)** | Compute on encrypted coordinates without decryption | Strong mathematical guarantees | **1000x+ overhead** makes real-time geofencing impractical |
+| **Secure Multi-Party Computation (MPC)** | Distribute computation across multiple parties | No single party sees full data | Network latency; operational complexity for mobile devices |
+| **Differential Privacy** | Add noise to location data | Protects individual coordinates | **Cannot prove exact boundary compliance** (noise defeats precision) |
+| **Zero-Knowledge Proofs (ZKPs)** | Prove statement about data without revealing data | Portable proof; auditor-verifiable; no data retention | Proof generation overhead (mitigated by batching) |
+
+### Why ZKP is Optimal for Geolocation Compliance
+
+1. **Portable Proof:** Unlike TEEs, ZKPs produce a proof that can be verified by any auditor without trusting specific hardware.
+2. **Exact Compliance:** Unlike Differential Privacy, ZKPs prove the coordinate is **exactly** within the boundary—no approximations.
+3. **No Retained Data:** The proof is generated device-side; raw coordinates never leave the device.
+4. **Auditor Independence:** Regulators verify the mathematical proof, not the Enterprise's attestation claims.
+5. **Batching for Performance:** While individual proof generation has overhead, session-level batching amortizes costs.
+
+> [!NOTE]
+> **AegisSovereignAI Hybrid Approach:** We combine **TEEs** (for secure real-time filtering) with **ZKPs** (for auditor-verifiable compliance proofs), achieving both performance and regulatory portability.
+
+---
+
+## 3. The AegisSovereignAI Solution: Hardware-Rooted Privacy-Preserving Geofencing
+
+AegisSovereignAI resolves this deadlock using a **"Coordinate-in-Polygon" ZKP circuit** combined with hardware-rooted sensor fusion.
+
+### The Architecture
+
+```
+┌─────────────────────────────────────────────────────────────────────────────┐
+│                     PRIVACY-PRESERVING GEOLOCATION FLOW                      │
+└─────────────────────────────────────────────────────────────────────────────┘
+
+  Device (BYOD/Managed)              Aegis Verifier              Auditor
+  ═══════════════════════            ══════════════              ════════
+
+  ┌──────────────────────┐
+  │  Hardware Sensors    │
+  │  (TPM-signed GPS +   │
+  │   CAMARA Mobile API) │
+  └──────────┬───────────┘
+             │
+             ▼
+  ┌──────────────────────┐
+  │  ZKP Circuit Engine  │
+  │  (Coordinate-in-     │
+  │   Polygon Proof)     │
+  └──────────┬───────────┘
+             │
+             │  Private: Precise GPS coordinates
+             │  Public: Compliance boundary polygon
+             │
+             ▼
+  ┌──────────────────────┐          ┌─────────────────────┐
+  │  ZKP Proof Generated │────────▶│  Verify ZKP Proof   │
+  │  (No raw GPS sent)   │          │  + Hardware Quote   │
+  └──────────────────────┘          └──────────┬──────────┘
+                                               │
+                                               ▼
+                                    ┌─────────────────────┐
+                                    │  SVID Issued with   │
+                                    │  Geolocation Claim: │
+                                    │  • status: COMPLIANT│
+                                    │  • region: US-EAST  │──────▶ Evidence
+                                    │  • proof: base64... │        Bundle
+                                    └─────────────────────┘
+
+  🔑 KEY INSIGHT: The Enterprise never sees raw GPS coordinates.
+     The auditor receives a cryptographic proof of compliance.
+```
+
+### The ZKP Circuit
+
+```rust
+// Conceptual Noir Circuit for Privacy-Preserving Geofencing
+fn main(
+    // PRIVATE INPUTS (Never disclosed)
+    gps_latitude: Field,           // User's precise latitude
+    gps_longitude: Field,          // User's precise longitude
+    sensor_signature: [u8; 64],    // TPM signature over coordinates
+    
+    // PUBLIC INPUTS (Visible to auditor)
+    compliance_polygon: [Point; N], // The "Green Zone" boundary
+    tpm_public_key: pub Field,      // For signature verification
+    proof_timestamp: pub Field      // When the proof was generated
+) {
+    // 1. Verify the coordinates came from genuine hardware
+    assert(verify_tpm_signature(
+        sensor_signature, 
+        hash(gps_latitude, gps_longitude, proof_timestamp),
+        tpm_public_key
+    ));
+    
+    // 2. Verify the point is inside the compliance polygon
+    assert(point_in_polygon(
+        gps_latitude, 
+        gps_longitude, 
+        compliance_polygon
+    ));
+    
+    // OUTPUT: Proof that "genuine hardware reported a location within the boundary"
+    // WITHOUT revealing the actual coordinates
+}
+```
+
+---
+
+## 4. Multi-Sensor Fusion: Defeating Spoofing Attacks
+
+AegisSovereignAI uses **hardware-rooted multi-sensor fusion** to prevent location spoofing. This builds on the architecture detailed in the **[Unified Identity & Trust Framework](../hybrid-cloud-poc/README-arch-sovereign-unified-identity.md)**.
+
+### Sensor Hierarchy
+
+| Sensor Type | Trust Level | Verification Method |
+|-------------|-------------|---------------------|
+| **CAMARA Mobile API** | Highest | MNO-verified SIM location via OIDC |
+| **TPM-Signed GNSS** | High | Hardware-rooted GPS signatures |
+| **App-Level GPS** | Low | Cross-validated against higher-trust sensors |
+
+### Attack Resistance
+
+| Attack Vector | Traditional Vulnerability | Aegis Defense |
+|---------------|---------------------------|---------------|
+| **VPN Spoofing** | IP-based checks fail | Hardware sensors ignore network layer |
+| **GPS Spoofing App** | App-level coordinates faked | TPM signature verification fails |
+| **Frida/API Hooking** | Runtime API interception | CAMARA API bypasses app layer entirely |
+| **Rooted/Jailbroken Device** | Full sensor control | Secure Enclave attestation detects compromise |
+
+> **Deep-Dive:** For complete attack analysis, see **[Threat Model: Unmanaged Device Security](../hybrid-cloud-poc/THREAT-MODEL-unmanaged-device.md)**.
+
+---
+
+## 5. The SVID Geolocation Claims
+
+When geolocation verification succeeds, the claims are embedded in the **SPIFFE Verifiable Identity Document (SVID)**:
+
+```json
+{
+  "svid": "spiffe://aegis.local/workload/private-wealth-advisory",
+  "claims": {
+    "grc.geolocation.status": "compliant",
+    "grc.geolocation.region_id": "US-EAST-1",
+    "grc.geolocation.proof": "base64-zkp-proof...",
+    "grc.geolocation.timestamp": "2026-01-20T14:00:00Z",
+    "grc.geolocation.sensor_type": "CAMARA_MNO",
+    "grc.tpm-attestation.tier": "tier-2-byod"
+  },
+  "attestation_quote": "base64-tpm-quote..."
+}
+```
+
+### Claim Semantics
+
+| Claim | Type | Example | Description |
+|-------|------|---------|-------------|
+| `grc.geolocation.status` | enum | `compliant` | ZKP-verified geofence result |
+| `grc.geolocation.region_id` | string | `US-EAST-1` | Broad compliance region (Reg-K) |
+| `grc.geolocation.proof` | base64 | `eyJ...` | The actual ZKP proof for auditor verification |
+| `grc.geolocation.sensor_type` | enum | `CAMARA_MNO` | Which sensor provided the location |
+
+---
+
+## 6. Enterprise Use Case: Private Wealth Gen-AI Advisory
+
+### Scenario (Use Case 1 - Enterprise Customer)
+
+A high-net-worth client uses the **Private Wealth Gen-AI Advisory** from their personal mobile device. The bank must prove to an EU regulator that the AI inference stayed within the EEA (**Reg-K** compliance), but cannot store raw GPS data (**GDPR** violation).
+
+### The Privacy-Preserving Flow
+
+1. **Client opens app** on personal iPhone/Android
+2. **CAMARA API** verifies device location via MNO (carrier-level, not app-level)
+3. **ZKP circuit** generates proof: "Device is within EEA boundary"
+4. **SVID issued** with `grc.geolocation.status: compliant` and `grc.geolocation.region_id: EEA`
+5. **AI inference executes** with verified geolocation claim
+6. **Evidence Bundle** includes ZKP proof for auditor
+
+**Result:** The bank proves Reg-K compliance without ever touching raw GPS coordinates.
+
+---
+
+## 7. The Evidence Bundle for Auditors
+
+When an auditor requests geolocation compliance evidence:
+
+```json
+{
+  "bundle_type": "GEOLOCATION_COMPLIANCE",
+  "audit_window": {
+    "start": "2026-01-20T00:00:00Z",
+    "end": "2026-01-20T23:59:59Z"
+  },
+  "compliance_boundary": {
+    "name": "EEA_REGULATION_K",
+    "polygon_hash": "sha256:abc123..."
+  },
+  "sessions": [
+    {
+      "session_id": "sess-001",
+      "svid": "spiffe://aegis.local/workload/private-wealth-advisory",
+      "geolocation_claim": {
+        "status": "compliant",
+        "region_id": "EEA",
+        "sensor_type": "CAMARA_MNO",
+        "zkp_proof": "base64-noir-proof..."
+      },
+      "timestamp": "2026-01-20T14:00:00Z"
+    }
+  ],
+  "aggregate_stats": {
+    "total_sessions": 15847,
+    "compliant_sessions": 15847,
+    "non_compliant_sessions": 0
+  },
+  "signatures": {
+    "aegis_geolocation_jws": "eyJhbGciOiJSUzI1NiIs..."
+  }
+}
+```
+
+### Auditor Verification Workflow
+
+1. **Verify Boundary Definition:** Confirm the `polygon_hash` matches the official Reg-K boundary.
+2. **Verify ZKP Proofs:** For each session (or sample), verify the ZKP proof against the boundary.
+3. **Verify Hardware Attestation:** Confirm the session was on attested hardware via SVID.
+4. **Aggregate Compliance:** Confirm all sessions in the audit window are compliant.
+
+---
+
+## 8. Regulatory Mapping
+
+| Regulatory Need | AegisSovereignAI Implementation |
+|-----------------|--------------------------------|
+| **Reg-K (Data Residency)** | ZKP proves location within boundary without storing coordinates |
+| **GDPR Art. 5 (Data Minimization)** | No raw GPS data ever leaves the device |
+| **GDPR Art. 25 (Privacy by Design)** | Hardware-rooted ZKP is privacy-first architecture |
+| **EU AI Act (Transparency)** | Auditor receives verifiable proof, not opaque assertions |
+
+---
+
+## 9. Integration with Layer 3 AI Governance
+
+Geolocation verification is a **Layer 2 prerequisite** for Layer 3 AI Governance. The modular architecture:
+
+```
+┌─────────────────────────────────────────────────────────────┐
+│  MODULAR EVIDENCE BUNDLE VERIFICATION                       │
+└─────────────────────────────────────────────────────────────┘
+
+  Stage 1: Environmental Trust (This Document)
+  ═════════════════════════════════════════════
+  ✓ Is this a genuine, untampered device?
+  ✓ Is the device within the compliance boundary?
+  ✓ Is the SVID bound to attested hardware?
+                    │
+                    ▼
+  Stage 2: Content Trust (AI Governance)
+  ═══════════════════════════════════════
+  ✓ Did the system prompt contain required guardrails?
+  ✓ Were user prompts scanned for injection attacks?
+  ✓ Were AI outputs filtered for PII leakage?
+  
+  See: [Privacy-Preserving AI Governance](./auditor-privacy-preserving-ai-governance.md)
+```
+
+---
+
+[Root README](../README.md) | [Auditor Guide](./auditor.md) | [Unified Identity Framework](../hybrid-cloud-poc/README-arch-sovereign-unified-identity.md) | [AI Governance (Layer 3)](./auditor-privacy-preserving-ai-governance.md)
diff --git a/docs/infrastructure-sovereignty.md b/docs/infrastructure-sovereignty.md
