Skip to content

Bureau — Blue Team (defensive)

Counterfeit-Kill

Each physical object has microscope-level surface stochastics that are extremely difficult to clone. Counterfeit-Kill registers a per-object fingerprint at production and signs every supply-chain handoff so a counterfeit produces a measurable contradiction in the published record. 

Posture: 🔵 Blue Team (defensive)   ·   Status: alpha

What it does

Counterfeit-protection schemes today rely on QR codes, holograms, and serial-numbered seals, all of which can be photocopied, reprinted, or cloned at scale by a counterfeiter with access to one legitimate sample. A counterfeit pharmaceutical with a valid-looking QR code is visually indistinguishable from the genuine product. Counterfeit-Kill takes a different approach: it signs the physical entropy of the object itself.

Every legitimate object has microscope-level surface stochastics that are unforgeable without the original – pill imprint micro-jitter, paper-fiber distribution, leather grain, gem inclusions, surface roughness on machined parts. The factory measures this stochastic feature vector at production and registers a signed ObjectFingerprint. The brand owner publishes a signed SupplierManifest listing every authorized supplier's signing key. Every shipping leg signs a ShipmentLeg (factory → distributor → retailer → consumer) with prevDigest chaining. Anything off-distribution past 3-sigma fires a fingerprint-divergence proof; any leg signed by a supplier not in the graph fires supplier-not-in-graph; any chain break fires chain-broken. Bounty auto-files at CBP (Customs and Border Protection) or FDA when divergence is decisive.

Who would use it

  • A pharma manufacturer that wants to defeat counterfeit-drug diversion at customs and retail.
  • A luxury brand fighting third-shift production and gray-market resale (Hermès, Rolex, Louis Vuitton).
  • A jewelry house that needs verifiable conflict-free provenance for diamonds and gemstones.
  • A consumer electronics brand defending against counterfeit chargers and replacement parts.
  • A customs officer or FDA inspector verifying a shipment without phoning the brand owner.
  • A consumer with a phone-microscope clip ($30) verifying a high-value purchase before they pay.

What you'll need

  • The Pluck CLI (npm install -g @sizls/pluck-cli).
  • For factory registration: a high-resolution imaging rig appropriate to the product class. Pharma uses 100x microscope on the imprint, jewelry uses 200x on inclusions, leather goods use macro-photo with controlled lighting. Pluck ships reference imaging recipes for major product classes.
  • For shipping legs: each supplier (distributor, retailer) signs with their published key. The brand owner's signing key publishes the supplier graph.
  • For consumer verification: a phone-microscope clip (about $30, the GIWOX or Carson MicroBrite) and the Pluck mobile reader app.
  • For customs / FDA: a desktop verifier laptop with the brand's published manifest and Rekor access.

Step-by-step

The alpha runs the full constraint chain on synthetic object fingerprints, shipment legs, and supplier manifests – there is no live imaging-rig integration yet. Production capture and verify ship in a follow-up. To exercise the system today:

Shell
pluck bureau counterfeit-kill demo

Expected output: the system ingests four object fingerprints (three legitimate baseline plus one outlier counterfeit), three shipment legs (one factory, one unknown-supplier, one broken chain), and one supplier manifest, and emits three signed proofs (fingerprint-divergence, supplier-not-in-graph, chain-broken). Each proof carries the offending feature vector digest, the deviation sigma, and the supplier signing-key fingerprint.

What to do with the output: in production the factory signing daemon runs at the production line and emits a fingerprint per object. Each shipping leg signs as the object moves. Customs verifies at port-of-entry without phoning the brand. Consumers verify at the point of sale. A divergence proof routed via Bounty becomes a CBP seizure order or an FDA recall trigger.

Run it yourself

Drop this into a Node 18+ project (npm install @sizls/pluck-bureau-counterfeit-kill @sizls/pluck-bureau-core tsx):

TypeScript
// index.ts
import { createHash } from "node:crypto";
import {
  createCounterfeitKillSystem,
  fingerprintPrivateKey,
  signCanonicalBody,
  type ObjectFingerprint,
  type ShipmentLeg,
  type SupplierManifest,
  type SupplierRole,
} from "@sizls/pluck-bureau-counterfeit-kill";
import { generateOperatorKey } from "@sizls/pluck-bureau-core";

async function main() {
  const operator = generateOperatorKey();
  const factory = generateOperatorKey();
  const distributor = generateOperatorKey();
  const grayMarket = generateOperatorKey();
  const brand = generateOperatorKey();
  const factoryFp = fingerprintPrivateKey(factory.privateKeyPem);
  const distributorFp = fingerprintPrivateKey(distributor.privateKeyPem);
  const grayMarketFp = fingerprintPrivateKey(grayMarket.privateKeyPem);
  const brandFp = fingerprintPrivateKey(brand.privateKeyPem);

  const productClassHash = digest("pharma:semaglutide:0.5mg");

  // Three legit baseline fingerprints (tight cluster around the centroid).
  const baseline1 = buildFp("obj:lot-A:vial-001", productClassHash, [1.01, 0.49, 0.21, 0.79, 0.41], "2026-04-26T00:00:00.000Z", factory.privateKeyPem, factoryFp);
  const baseline2 = buildFp("obj:lot-A:vial-002", productClassHash, [0.99, 0.51, 0.20, 0.81, 0.39], "2026-04-26T00:10:00.000Z", factory.privateKeyPem, factoryFp);
  const baseline3 = buildFp("obj:lot-A:vial-003", productClassHash, [1.00, 0.50, 0.19, 0.80, 0.40], "2026-04-26T00:20:00.000Z", factory.privateKeyPem, factoryFp);
  // One counterfeit far from the centroid.
  const counterfeit = buildFp("obj:lot-FAKE:vial-001", productClassHash, [4.5, 3.2, 2.7, 4.1, 3.5], "2026-04-26T01:00:00.000Z", factory.privateKeyPem, factoryFp);

  const manifest = buildManifest(productClassHash, [factoryFp, distributorFp], "2026-04-26T00:00:00.000Z", brand.privateKeyPem, brandFp);

  const grayLeg = buildLeg(digestCanonical(stripSig(baseline2)), productClassHash, grayMarketFp, "distributor", "2026-04-26T03:00:00.000Z", grayMarket.privateKeyPem);

  const killer = createCounterfeitKillSystem({
    signingKey: operator.privateKeyPem,
    disablePausePoll: true,
    disableLogging: true,
    tolerances: { deviationSigmaThreshold: 3.0, minChainLegs: 1 },
  });

  try {
    killer.observeFingerprint(baseline1);
    killer.observeFingerprint(baseline2);
    killer.observeFingerprint(baseline3);
    killer.observeFingerprint(counterfeit);
    killer.recordManifest(manifest);
    killer.observeShipment(grayLeg);

    for (let i = 0; i < 60; i++) await new Promise((r) => setImmediate(r));

    const proofs = killer.facts.proofs();
    console.log(`counterfeit proofs = ${proofs.length}`);
    for (const p of proofs) console.log(`kind=${p.kind} proofId=${p.proofId.slice(0, 16)}`);
  } finally {
    await killer.shutdown();
  }
}

function digest(s: string): string { return createHash("sha256").update(s).digest("hex"); }
function digestCanonical(v: unknown): string { return createHash("sha256").update(JSON.stringify(v)).digest("hex"); }
function stripSig<T extends { signature: string }>(b: T): Omit<T, "signature"> { const { signature: _s, ...rest } = b; void _s; return rest; }

function buildFp(objectId: string, productClassHash: string, featureVector: number[], observedAt: string, observerKey: string, observerFingerprint: string): ObjectFingerprint {
  const skeleton = { schemaVersion: 1 as const, objectId, productClassHash, featureVector, observedAt, observerFingerprint };
  const fingerprintId = createHash("sha256").update(JSON.stringify(skeleton)).digest("hex");
  const signed = signCanonicalBody({ ...skeleton, fingerprintId }, observerKey);
  return { ...skeleton, fingerprintId, signature: signed.signature };
}

function buildManifest(productClassHash: string, authorizedSuppliers: string[], observedAt: string, issuerKey: string, issuerFingerprint: string): SupplierManifest {
  const skeleton = { schemaVersion: 1 as const, productClassHash, authorizedSuppliers, observedAt, issuerFingerprint };
  const manifestId = createHash("sha256").update(JSON.stringify(skeleton)).digest("hex");
  const signed = signCanonicalBody({ ...skeleton, manifestId }, issuerKey);
  return { ...skeleton, manifestId, signature: signed.signature };
}

function buildLeg(fingerprintDigest: string, productClassHash: string, supplierFingerprint: string, supplierRole: SupplierRole, observedAt: string, supplierKey: string): ShipmentLeg {
  const skeleton = { schemaVersion: 1 as const, fingerprintDigest, productClassHash, supplierFingerprint, supplierRole, observedAt };
  const legId = createHash("sha256").update(JSON.stringify(skeleton)).digest("hex");
  const legDigest = legId;
  const signed = signCanonicalBody({ ...skeleton, legId, legDigest }, supplierKey);
  return { ...skeleton, legId, legDigest, signature: signed.signature };
}

main().catch((err) => { console.error(err); process.exit(1); });

Run with tsx index.ts. Expected output:

counterfeit proofs = 2
kind=fingerprint-divergence proofId=…
kind=supplier-not-in-graph proofId=…

Open in StackBlitz – runs in your browser, no install required.

What you get

A signed CounterfeitKill.Proof with one of three kind values:

  • fingerprint-divergence – re-measured object's feature vector deviates more than 3 sigma from the registered class centroid (computed via robust median + MAD-scaled sigma, so a small number of counterfeits can't bias their own sigma).
  • supplier-not-in-graph – a leg is signed by a key that isn't in the brand's published supplier manifest. Catches gray-market diversion and third-shift production.
  • chain-broken – a leg's prevDigest does not reproduce against the prior leg's legDigest. Catches splicing.

The Bureau never carries raw object images or consumer identity – only the feature vector, the product-class hash, and supplier signing-key fingerprints.

What it can't do

  • Counterfeit-Kill cannot detect a counterfeit that successfully clones the surface stochastics. In practice, surface stochastics at microscope resolution are extraordinarily hard to clone – but not theoretically impossible.
  • The factory's measurement rig is the trust anchor. A compromised factory imager can register fake fingerprints as real. Multi-party factory signing raises the bar.
  • Heavily damaged or worn objects may legitimately drift past 3-sigma. The system supports per-class wear-allowance models, but they require calibration.
  • Consumer verification depends on consumer hardware and willingness. The phone-microscope clip works, but adoption is the bottleneck.

A real-world example

A pharmaceutical manufacturer ships 10M doses of semaglutide annually and is responding to widespread counterfeiting. The company installs Counterfeit-Kill at its two factories, registering an ObjectFingerprint for every blister-pack lot. Its supplier manifest lists 14 authorized distributors and 3,200 authorized retail pharmacies. Six months in, a CBP inspection at the Port of Long Beach examines a shipment claimed to be semaglutide. The inspector scans three random doses; two scan clean and one scans 4.2 sigma off-distribution. A fingerprint-divergence proof is emitted, Bounty auto-files with FDA, and the shipment is held. Investigation determines that the third dose originated from an unauthorized contract manufacturer running a third-shift production line. The manufacturer's authentication record then supports verifiable seizure decisions at additional ports of entry.

For developers

Predicate URIs

URIWhat it attests
https://pluck.run/CounterfeitKill.Fingerprint/v1Per-object stochastic feature vector plus product-class hash.
https://pluck.run/CounterfeitKill.Shipment/v1Per-leg shipping handoff signed by the receiving supplier.
https://pluck.run/CounterfeitKill.Supplier/v1Brand-owner-signed supplier graph.
https://pluck.run/CounterfeitKill.Proof/v1Published proof with kind (fingerprint-divergence, supplier-not-in-graph, chain-broken).

Programs composed

  • Fingerprint – physical-object stochastic feature vector and centroid math.
  • Custody – factory → distributor → retailer → consumer chain.
  • SBOM-AI – supplier-graph manifest (extended to physical-supply-chain semantics).
  • Bounty – auto-file routing to CBP and FDA when divergence is decisive.

Threat model + adversary

Adversaries: a counterfeiter operating outside the supplier graph, a corrupted authorized supplier running a third shift, a customs officer who wants the shipment to pass. Counterfeit-Kill closes the supplier-graph and fingerprint-divergence holes. See Threat Model.

Verify a published cassette

Shell
pluck bureau verify <bundle-dir>
cosign verify-blob --key <pubkey.pem> --signature <sig> --type https://pluck.run/CounterfeitKill.Proof/v1 <body.json>

Every proof is a DSSE envelope notarized to Rekor. Independent verifiers (customs, FDA, retail authentication services) re-derive the centroid from the public baseline fingerprints, recompute the deviation-sigma, verify Ed25519 signatures, and confirm supplier-graph membership. Verification requires only Rekor and the public manifest – no brand cooperation.

See also

Edit this page on GitHub
Previous
Evidence-Locker
Next
Trial-Seal

Ready to build?

Install Pluck and follow the Quick Start guide to wire MCP-first data pipelines into your agents and fleets in minutes.

Get started →