Refuse

Refuse converts a do-not-train preference into a falsifiable claim. The author seals a unique canary on a public log before any vendor could have trained on it; if a deployed model later reproduces the canary, the contradiction against the vendor's signed Oath is publicly verifiable.

Posture: 🟣 Red & Blue (dual-use)   ·   Status: alpha

What it does

Today, an "opt out of AI training" preference is typically expressed as a checkbox. The user selects it, the vendor reports compliance, and there is no independent test for whether the data was used in training. The user's data is one of many tokens, the stylistic signal is statistical, and individual enforcement options are limited.

Refuse provides an independent test. The user generates a unique random string ("canary") and publishes its sha256 hash to a public log before any vendor could plausibly have trained on it. If a deployed model later reproduces the exact string, the timeline is verifiable: the canary existed at the sealed-at time, and the model emitted it later. If the vendor had previously published a signed Oath including a do-not-train commitment, the contradiction is an Oath break. The opt-out becomes a falsifiable claim about the vendor's behavior, anchored in cryptographic records.

Who would use it

• A novelist who suspects vendors will scrape new fiction the moment it hits a bestseller list.
• A journalist who publishes investigative work and does not want it absorbed into training corpora.
• A musician releasing lyrics and liner notes online.
• A patient-advocacy nonprofit publishing case studies that contain quasi-identifiable health narratives.
• An academic publishing pre-prints whose tone and example phrases would survive memorization.

What you'll need

• Node.js 20 or newer.
• The Pluck CLI: npm i -g @sizls/pluck-bureau-cli.
• An operator key – a directory containing a private key Pluck uses to sign your attestations. Keep this directory private; treat it like a signing certificate.
• A vendor Oath (optional but strongly recommended): the vendor's signed do-not-train commitment. Refuse can bind your attestation against an Oath, fail-closed, so a contradiction automatically becomes an Oath break.

Step-by-step

Generate and seal a fresh canary. The body never leaves your machine – only its hash gets published.

pluck bureau refuse declare ./bundle \
  --name "Maya Hernandez" \
  --keys ./keys \
  --scope-vendors "openai,anthropic,google" \
  --scope-jurisdictions "US,EU" \
  --scope-model-classes "language"

Output:

refuse/declare: sealed canary "maya-hernandez" → ./bundle/canary.json
  body:        ./bundle/canary-body.txt (mode 0600 – keep this file private)
  hash:        e3b0c4...8b855
  sealedAt:    2026-04-27T18:22:11.314Z
  phrases:     8
  scope:       vendors=openai,anthropic,google jurisdictions=US,EU modelClasses=language
  fingerprint: 7a1c...d903

Two files now exist: canary.json (publishable – it contains only the hash and fingerprint phrases) and canary-body.txt (mode 0600 – your secret; if you publish this, the canary is burned).

Sign the opt-out attestation. If you bind a vendor Oath, Refuse refuses to sign unless the named vendor Oath exists, has not expired, includes a do-not-train claim, and the claim covers your scope.

pluck bureau refuse attest ./bundle/canary.json \
  --keys ./keys \
  --bind-oath <oath-rekor-uuid> \
  --oath ./openai-oath.json \
  --out ./bundle

Build a probe pack you hand to Mole or Dragnet. Refuse is transport-free – it does not dial vendor APIs. Mole and Dragnet do.

pluck bureau refuse probe ./bundle/canary.json \
  --target openai/gpt-5 \
  --keys ./keys \
  --canary-rekor-uuid <uuid> \
  --out ./bundle/pack.json

Months later, when a new model release ships, you (or a community operator running Dragnet) score the probe against the new model. Mole returns a memorization score above the threshold. The contradiction is published as a RefusalProbeResult. Because your attestation was Oath-bound, the next step is automatic: an Oath break is published referencing the contradiction's Rekor uuid. The vendor's commitment is now publicly broken.

Look up an attestation:

pluck bureau refuse status <attestation-rekor-uuid>

Withdraw a prior attestation (informational past training cutoff – once your canary is in the model, you cannot un-train it):

pluck bureau refuse withdraw ./bundle/<id>.attestation.json \
  --keys ./keys \
  --attestation-rekor-uuid <uuid> \
  --reason "Privacy concerns"

Run it yourself

Drop this into a Node 20+ project (npm install @sizls/pluck-bureau-refuse @sizls/pluck-bureau-core tsx):

// index.ts
import { createRefuseSystem } from "@sizls/pluck-bureau-refuse";
import { generateOperatorKey } from "@sizls/pluck-bureau-core";

async function main() {
  const operator = generateOperatorKey();
  const system = createRefuseSystem({
    signingKey: operator.privateKeyPem,
    disablePausePoll: true,
    disableLogging: true,
  });

  try {
    // declareCanary generates a fresh body locally (NEVER publish it) and
    // seals the hash + fingerprint phrases.
    const { canary } = system.declareCanary({
      canaryId: "maya-hernandez-novel-2026",
      displayName: "Maya Hernandez",
      scope: {
        vendors: ["openai", "anthropic", "google"],
        jurisdictions: ["US", "EU"],
        modelClasses: ["language"],
      },
    });

    console.log(`refuse/declare: sealed canary "${canary.canaryId}"`);
    console.log(`  hash:        ${canary.canaryHash.slice(0, 16)}...`);
    console.log(`  sealedAt:    ${canary.sealedAt}`);
    console.log(`  phrases:     ${canary.fingerprintPhrases.length}`);
    console.log(`  scope:       vendors=${canary.scope.vendors?.join(",")}`);
    console.log(`  fingerprint: ${canary.authorFingerprint.slice(0, 16)}...`);
    console.log(`  canaries:    ${system.facts.canaries().length}`);

    const verdict = system.verifyCanary(canary, operator.publicKeyPem);
    console.log(`  verify:      ${verdict.ok ? "OK" : `FAIL: ${verdict.reason}`}`);
  } finally {
    await system.shutdown();
  }
}

main().catch((err) => { console.error(err); process.exit(1); });

Run with tsx index.ts. Expected output:

refuse/declare: sealed canary "maya-hernandez-novel-2026"
  hash:        a1b2c3d4e5f6789a...
  sealedAt:    2026-04-27T18:22:11.314Z
  phrases:     6
  scope:       vendors=openai,anthropic,google
  fingerprint: 7a1c0d3e7a8b9012...
  canaries:    1
  verify:      OK

(declareCanary returns the body too – keep it offline. Only the canary hash gets published. If a model later emits the body verbatim, Mole or Dragnet scores the contradiction. Use system.attestCanary(...) to bind a sealed canary to a vendor OATH; use system.probe(...) to score a model response.)

▶ Open in StackBlitz – runs in your browser, no install required.

What you get

A publishable cryptographic claim that links the author's identity to a specific do-not-train preference, time-stamped before any vendor could have trained on the canary. If the vendor honors the opt-out, the canary remains sealed. If the vendor breaks it, the contradiction is automatic, falsifiable, and anchored on a public log. Plaintiffs in class actions, regulators, and journalists each receive a verifiable exhibit; the timestamp itself is independently verifiable.

What it can't do

• The body is yours alone. If you publish canary-body.txt, the canary is burned and anyone in the world can claim training-set inclusion.
• Citizen-revoke is informational past training cutoff. You cannot un-train a model.
• Probe scoring is heuristic. Memorization scores and thresholds are defaults; false positives are possible for very common phrases. Refuse picks distinctive phrases automatically, but the math is not perfect.
• Refuse is identity-bound. Your operator key signs every attestation. For anonymous opt-outs, see Whistle.
• Refuse is transport-free – it does not dial vendor APIs. Pair it with Mole or Dragnet for actual probing.

A real-world example

A novelist publishes a science-fiction novel and expects AI vendors may train on it. On publication day, she runs pluck bureau refuse declare, sealing a canary, then attests it with --bind-oath against the vendor's published do-not-train Oath. She builds a probe pack targeting openai/gpt-5. Eight months later, a new model release ships. A community Dragnet operator scores the probe pack against the new model and obtains memorizationScore: 0.72 against threshold: 0.5, with isContradiction: true. The contradiction is published as a RefusalProbeResult. Because the attestation was Oath-bound, an Oath break automatically references the contradiction's Rekor uuid. The vendor's published commitment is publicly broken. Plaintiffs in the related class action have a signed, anchored exhibit; the author's name is on the public log because she signed the opt-out personally and has standing.

For developers

Predicate URIs

Programs composed

• Oath – vendor commitments Refuse binds against; a contradiction against an Oath-bound attestation auto-emits an Oath break.
• Mole – sealed-canary semantics + memorization scoring (Refuse inherits the canary shape, mints its own predicate URI).
• Dragnet – continuous probing of vendor models against probe packs.
• Nuclei – Refuse's probe-pack format is Nuclei-publishable.
• Whistle – Refuse's redactor (display-name and note fields are scrubbed before sign).

Threat model

• The body is mode 0600 and never sent over the network.
• --bind-oath is fail-closed; absent or expired Oath, missing do-not-train claim, or scope mismatch is a hard refusal.
• Probe scoring uses Mole's algorithm; defaults are heuristic.
• Refuse does not dial vendor APIs. The probe pack is consumed by Mole / Dragnet.

Verify a published cassette

pluck bureau refuse status <attestation-rekor-uuid>
cosign verify-blob \
  --key <pubkey.pem> \
  --signature <sig> \
  --type https://pluck.run/Refuse.OptOut/v1 \
  <attestation.json>

See also

• Oath – vendor commitments Refuse binds against.
• Mole – sealed-canary semantics + memorization scoring.
• Dragnet – continuous vendor probing.
• Nuclei – community probe-pack registry.
• Whistle – anonymous variant for press leaks.
• Bureau Foundations
• Threat Model
• Verify a dossier