What survives when the world breaks.
Layer 1 (AAM) records what already happened. Layer 2 (AI Production Discipline) prevents errors before deploy. Layer 3 (Continuity & Adversarial Resilience) addresses what survives when the network drops, infrastructure fails, or an adversary takes a swing. Two Bonis sub-functions — evidence generator and identity generator. One sub-function explicitly not Bonis’s lane. Honest about what is shipped, what is scoped, and what is open-source.
Layer 3 is the cryptographic spine that survives the failure modes Layer 1 and Layer 2 cannot.
- Three sub-functions, two are Bonis’s lane. Evidence generator (Knox Edge Anchor) and identity generator (HSM/TPM-bound PQC) — Bonis. Reasoning generator (local LLM fallback) — open-source models, not Bonis.
- Anchor primitives shipped. Public Knox anchor endpoint, public verify endpoint, hourly Merkle aggregation, OpenTimestamps Bitcoin anchor, multi-chain routing surface, public TLA+ specification.
- PQC stack shipped. ML-DSA-44/65/87 (FIPS 204) and SLH-DSA-128s/192s/256s (FIPS 205) deployed live on terravault-00360-gkv on 2026-04-24.
- Edge Anchor and HSM binding scoped. Knox Edge Anchor SW appliance v1 (Docker, LMDB, sync-on- reconnect) and HSM/TPM-bound signing are in active scope and explicitly not yet shipped. Status disclosed inline throughout this page.
- Defensive only. Bonis preserves evidence and identity. Bonis does not operate counter-agents, does not disable adversarial systems, does not undertake offensive action.
What stays standing when the world breaks.
A failure mode that takes down all three sub-functions simultaneously is rare; a failure mode that takes down one is routine. Layer 3 separates the three so a network drop does not collapse identity, an HSM compromise does not collapse evidence, and a hosted-model outage does not collapse the agent’s ability to keep making constrained decisions.
Evidence generator
The Knox anchor pipeline buffers, sequence-numbers, hash-links, and Merkle-aggregates events. Shipped today as the canonical chain. The Knox Edge Anchor SW appliance — Docker container, LMDB-backed local chain, sync-on-reconnect — extends the same primitive to operator-side capture during network loss. Buffered events sync to Bitcoin via OpenTimestamps when the network returns; the temporal record reflects the actual moment of capture, not the moment of sync.
Identity generator
Knox Agent #11 Layer 4 ships post-quantum signatures across six NIST parameter sets — ML-DSA-44/65/87 (FIPS 204) and SLH-DSA-128s/192s/256s (FIPS 205) — via @noble/post-quantum, deployed live on terravault-00360-gkv on 2026-04-24. The HSM/TPM binding extension keeps the operator-side signing key bound to a hardware module so that key extraction by a network-resident adversary does not produce a usable signing surface. HSM/TPM binding is scoped under the Knox Edge Anchor Tier C build queue and is explicitly not yet shipped.
Reasoning generator
A local LLM fallback when the hosted model is unreachable is the domain of open-source model families — Llama, Phi, Gemma, and the broader open-weight ecosystem. Bonis does not ship a reasoning model and does not compete in this lane. Operators who require offline reasoning compose an open-source local model alongside Layer 3 evidence and identity primitives; the three sub-functions integrate cleanly because they answer different questions.
The primitives Layer 3 packaging composes above.
Layer 3 is not a forward-looking-only promise. The cryptographic primitives that Layer 3 productization will package and operatorize are already operational on production endpoints. The links below resolve to public surfaces.
The packaging work explicitly not yet shipped.
Layer 3 productization is scoped under the Knox Edge Anchor Tier C build queue. The work below is in active engineering scope and is explicitly labeled as such. No claim is made that any of these are shipping product surfaces today.
Knox Edge Anchor SW appliance v1
Docker container, LMDB-backed local chain, sync-on-reconnect to the canonical Knox chain. Operator-side capture during network loss; events replay into the canonical chain and Merkle-aggregate to Bitcoin when the network returns.
Court-ready offline verifier kit
Bitcoin SPV-only verifier with no Bonis dependency. Verifies any Knox anchor against a local Bitcoin header archive without contacting Bonis or any operator surface.
HSM- and TPM-bound PQC signing
Operator-side ML-DSA-87 signing key bound to a hardware security module or TPM. Key extraction by a network-resident adversary cannot produce a usable signing surface.
Hostile-agent self-disable
Automatic kill-switch on Bonis-side agents that violate their own charter. Defensive-Only binding: the kill-switch operates on the Bonis-side agent itself, never on third-party agents in operator deployments.
Edge pre-anchor offline mode
Pre-anchored event capture in an air-gapped environment. Events accumulate in the Edge Anchor; cryptographic-receipt issuance to operators continues during full disconnect; Bitcoin sync occurs on reconnect.
Hardware appliance v1
Sealed-box hardware appliance with FIPS 140-3 candidate posture. Revenue-gated build per the Bonis cost-discipline doctrine; not built on speculation.
Layer 1 and Layer 2 do not survive infrastructure failure.
AAM Layer 1 records what happened. It assumes the operator can call the Knox anchor endpoint when an event occurs. During network loss that assumption breaks, and the record of events occurring during the disconnect has nowhere to land.
AI Production Discipline Layer 2 prevents the operator from shipping bad code in the first place. It assumes a CI/CD pipeline reachable for testing, gates, and hooks. During an outage of the CI surface or the testing infrastructure, the discipline is uncheckable in real time.
Layer 3 closes both gaps. Evidence keeps capturing locally during disconnect; identity keeps producing valid signatures from a hardware-bound key during compromise; agent decisions can fall back to an open-source local model outside Bonis’s scope. The three Layer-3 sub-functions run on independent failure surfaces so a single failure does not collapse all three.
Life-critical and mission-critical AI deployments.
Life-critical operators
Hospital systems running AI in the loop on patient care where evidence preservation cannot be allowed to break during network loss. The cryptographic record of agent decisions and the hardware-bound identity of the signing parties must hold across infrastructure failure conditions.
Mission-critical operators
Energy, utility, and federal continuity-of-operations programs running AI on grid telemetry, mission-system telemetry, or regulated-asset telemetry. The COOP posture requires that evidence and identity survive a wide-area outage long enough to prove what happened during the outage.
Adversarial-resilience operators
Operators facing active adversarial conditions — supply- chain compromise, lateral-movement intrusions, ransomware events, key-material extraction attempts. Layer 3 keeps the cryptographic identity bound to a hardware module and keeps the evidence chain capturing even when the operator’s primary infrastructure is hostile or unreachable.
Long-tail audit operators
Operators required by their regulators or insurers to produce externally-verifiable evidence years after the fact, where the operator’s own infrastructure may no longer exist. The Layer-3 Bitcoin anchor is the external witness that does not depend on the operator continuing to operate.
Common questions, answered.
What is AAM Layer 3?
Layer 3 of the Bonis three-layer architecture — the cryptographic spine that survives when systems fail. Layer 1 (AAM, audit-permanence) records what already happened. Layer 2 (AI Production Discipline) prevents errors before deploy. Layer 3 (Continuity & Adversarial Resilience) addresses what survives when the network drops, infrastructure fails, or an adversary takes a swing. Layer 3 has two Bonis-side sub-functions: an evidence generator that keeps capturing offline and syncs to Bitcoin when the network returns, and an identity generator that keeps cryptographic identity intact when hosted infrastructure is unreachable.
What sub-functions are in Layer 3, and which are Bonis's lane?
Three sub-functions. (1) Evidence generator — Bonis lane. The chain of records keeps capturing in an operator-side appliance during network loss; events sync to the Bitcoin chain via OpenTimestamps when the network returns. Status: primitives shipped, packaging as Knox Edge Anchor in progress. (2) Identity generator — Bonis lane. Agent cryptographic identity remains intact when hosted infrastructure is gone, via HSM- or TPM-bound post-quantum keys. Status: Knox Agent #11 Layer 4 PQC shipped in software (terravault-00360-gkv 2026-04-24); HSM/TPM binding scoped, not yet shipped. (3) Reasoning generator — NOT Bonis lane. Local LLM fallback when hosted model is unreachable is the domain of open-source models (Llama / Phi / Gemma) and is not part of the Bonis product surface.
Who is Layer 3 for?
Life-critical and mission-critical operators where evidence preservation and cryptographic identity must hold during network loss, infrastructure failure, or active adversarial conditions. Examples at the TAM altitude include hospital systems running AI in the loop on patient care, energy and utility operators running AI on grid telemetry, federal continuity-of-operations programs, and any deployment where a single network drop or vendor outage cannot be allowed to break the chain of evidence or the cryptographic identity of the agents in the deployment.
What is shipped today?
The shipping primitives that Layer 3 productization composes above are already operational: the Knox anchor pipeline (public anchor endpoint, public verify endpoint, hourly Merkle aggregation, OpenTimestamps Bitcoin anchor), the Layer-4 post-quantum signature stack (ML-DSA-44/65/87 NIST FIPS 204 plus SLH-DSA-128s/192s/256s NIST FIPS 205, deployed live on terravault-00360-gkv on 2026-04-24), the multi-chain routing surface that gives three independent attestation surfaces (OpenTimestamps + local Bitcoin-header archive + Arweave-via-Wayback mirror), and the public TLA+ specification of the anchor pipeline invariants. The Knox Edge Anchor SW appliance and HSM-bound PQC packaging are scoped (Tier C in the Bonis build queue) and explicitly labeled as such on this page.
How does Layer 3 differ from business continuity?
Business continuity addresses how the firm operating the AI keeps running — backups, succession, off-site replication, key-person risk. AAM Layer 3 addresses how the AI deployment itself keeps producing tamper-evident evidence and intact cryptographic identity during failure conditions. Both layers are required; they answer different questions. The firm-level Bonis Systems business continuity surface is published separately at bonissystems.com/bonis/continuity. AAM Layer 3 is the agent-deployment-level surface.
Is Layer 3 defensive or offensive?
Defensive only. Layer 3 preserves evidence and cryptographic identity through failure and adversarial conditions; it does not undertake offensive action against any external system, does not operate counter-agents, and does not disable adversarial agents in third-party deployments. Per the binding Defensive-Only doctrine across every Bonis surface, Layer 3 produces the audit primitive; lawful authority — courts, regulators, platform owners, the operator's own incident-response team — decides what to do with the resulting evidence.
What is the verification path during partial failure?
During network loss, the Knox Edge Anchor (when shipped) buffers anchored events locally in an LMDB-backed chain, preserving sequence-monotonicity and hash-link integrity. When the network returns, the buffered events are replayed into the canonical Knox chain and the Merkle root for that hour is published to Bitcoin via OpenTimestamps. An external verifier can cross-check the buffered chain against the Bitcoin-anchored Merkle root after sync; the temporal record reflects the actual moment of capture, not the moment of sync. Today the anchor pipeline ships the canonical chain; the Edge Anchor offline-buffer is in active scope.
What about quantum-era threats?
Layer 4 of Knox already ships post-quantum signatures across six NIST parameter sets — ML-DSA-44, ML-DSA-65, ML-DSA-87 (FIPS 204) and SLH-DSA-128s, SLH-DSA-192s, SLH-DSA-256s (FIPS 205). Operators with long-term audit-permanence requirements can opt into the highest parameter sets at signing time. The Bitcoin anchor itself is hash-based (SHA-256), and the Merkle aggregation is SHA-256 — both within current NIST-acceptable post-quantum-resilient cryptographic-hash-function guidance. The HSM/TPM binding extension keeps the operator-side signing key bound to a hardware module so that key extraction by a network-resident adversary does not produce a usable signing surface.
Is Layer 3 a competitor to existing high-availability infrastructure?
No. Layer 3 composes above any high-availability stack — load balancers, multi-region failover, COOP infrastructure, hot standbys. The HA stack ensures the operator's services remain reachable; Layer 3 ensures that the cryptographic evidence and identity surfaces survive even when the HA stack is itself unreachable or compromised. The two layers run together. Operators do not have to choose between an HA architecture and an evidence-and-identity continuity layer.