Bureau — Blue Team (defensive)
SCIF-Audit
A Sensitive Compartmented Information Facility (SCIF) is engineered to contain signals, but a number of side-channels can still carry information out: CPU magnetic-field emanations carry FSK-modulated data through walls, GPU EM emanations identify running models, PSU power rails carry DPA-recoverable secrets, and recently-pressed keys leave a thermal afterglow visible to IR cameras. SCIF-Audit signs the observations from each of these channels and aggregates them into a single audit-window dossier.
Posture: 🔵 Blue Team (defensive) · Status: alpha
What it does
SCIF-Audit is a meta-dossier program. It doesn't add a new detection primitive – it ORCHESTRATES six existing Bureau programs (Magneto-Air, Tempest-Witness, Ember, Thermal-Afterglow, Power-Ledger, Gossip) into a single signed envelope per Sensitive Compartmented Information Facility per audit window. A SCIF security officer or third-party auditor instruments a building of compartmented workspaces with $200 of side-channel sensors (smartphone magnetometer, software-defined radio, IR camera, PMU). The program collects red dots from each substrate program, clusters cross-program co-fires (a Tempest-Witness workload-fingerprint that fires within 15 minutes of a Magneto-Air FSK exfil at the same SCIF gets HIGHER priority than each in isolation), and produces a single FRE-902 court-admissible cassette by morning.
The dossier shape mirrors the universal meta-dossier template seeded by Election-Day-Watch and reused by PHARMA-MIRROR / AUTONOMY-LEDGER / FRONTLINE-WITNESS.
Who would use it
- A SCIF security officer managing a building of compartmented workspaces who needs an end-of-window cryptographic observation chain.
- A defense-IC red team running a quarterly covert-channel exfiltration drill that needs cryptographically-verifiable findings to brief leadership.
- A third-party SCIF auditor signing an observation chain after an audit window for FedRAMP / NIST SP 800-53 / CMMC compliance review.
- A supply-chain forensics team investigating EM/power/thermal/magnetic-field side-channel exfil attempts inside a contractor facility.
- A NIST/CMMC auditor verifying that a contractor's SCIF instrumentation actually fired during the audit window – not just that the sensors were installed.
What you'll need
- The Pluck CLI installed (npm i -g @sizls/pluck-cli).
- For a real deployment: a smartphone with a magnetometer (Magneto-Air), a software-defined radio against the SCIF wall (Tempest-Witness), an IR camera (Thermal-Afterglow), a PMU/PMBus tap on the workstation power supply (Power-Ledger), and at least one peer Gossip node for the cosign quorum. The substrate-specific bridges are per-program; SCIF-Audit composes their dot streams.
- A k-of-n quorum policy decided ahead of the audit window (e.g. 1-of-1 for a single auditor, 2-of-3 for adversarial drills).
Step-by-step
```sh
pluck bureau scif-audit demo
```
The demo synthesizes one SCIF claim ("FM-9800-A, Fort Meade Bldg 9800") plus four substrate-program dots – one Magneto-Air FSK exfil, one Tempest-Witness workload-fingerprint mismatch, one Ember GPU model mismatch, one Power-Ledger DPA hit – all within a 15-min window. The cross-program clustering math finds the four-distinct-program superset cluster, escalates it to a higher-priority leak exhibit, takes one Gossip cosign, and finalizes the dossier.
```text
scif-audit/demo: registering 1 SCIF claim (FM-9800-A, Fort Meade Bldg 9800) + 4 substrate-program dots ...
[Bureau/SCIF-AUDIT] dossier=<digest12>… scif=FM-9800-A root=<root12>… leaks=5 cosigns=1
scif-audit/demo: cross-program-leak=<digest16>… programs=ember,magneto-air,power-ledger,tempest-witness dots=4 ...
scif-audit/demo: single-program-leaks=4 cross-program-leaks=1 dossiers=1 notarized (stub)=1
```
Production CLI (init to register a SCIF audit window, sweep to collect substrate dots, finalize after the window closes, verify to check a published dossier) lands in a follow-up.
Run it yourself
Drop this into a Node 18+ project (npm install @sizls/pluck-bureau-scif-audit @sizls/pluck-bureau-core tsx). The example uses synthesized substrate dots – real Magneto-Air / Tempest-Witness / Ember / Thermal-Afterglow / Power-Ledger / Gossip system-instance subscription lands in a follow-up.
```ts
// index.ts
import {
  createScifAuditSystem,
  digestCanonicalJson,
  dossierMerkleRoot,
  fingerprintPrivateKey,
} from "@sizls/pluck-bureau-scif-audit";
import { generateOperatorKey } from "@sizls/pluck-bureau-core";

// Yield to the event loop n times so the system's async fact pipeline drains.
const flush = (n = 60) =>
  new Promise<void>((r) => {
    let i = 0;
    const tick = () => (++i >= n ? r() : setImmediate(tick));
    setImmediate(tick);
  });

async function main() {
  const op = generateOperatorKey();
  const peer = generateOperatorKey();
  const opFp = fingerprintPrivateKey(op.privateKeyPem);
  const system = createScifAuditSystem({
    signingKey: op.privateKeyPem,
    quorumK: 1,
    disablePausePoll: true,
    disableLogging: true,
  });

  // 1. Register a SCIF audit window claim.
  const claimSkeleton = {
    schemaVersion: 1 as const,
    scifId: "FM-9800-A",
    facility: "Fort Meade Bldg 9800",
    windowStart: "2026-04-28T13:00:00.000Z",
    windowEnd: "2026-04-28T21:00:00.000Z",
    observedAt: "2026-04-28T12:55:00.000Z",
    operatorFingerprint: opFp,
  };
  system.claimScif({
    ...claimSkeleton,
    claimId: digestCanonicalJson(claimSkeleton),
    signature: "demo-sig",
  });

  // 2. Two distinct substrate programs co-fire within the 15-min window.
  for (const [program, observedAt] of [
    ["magneto-air", "2026-04-28T15:14:00.000Z"],
    ["tempest-witness", "2026-04-28T15:18:00.000Z"],
  ] as const) {
    const dotSkeleton = {
      schemaVersion: 1 as const,
      program,
      scifId: "FM-9800-A",
      observedAt,
      severity: "red" as const,
      citation: `rekor:${program}:fm9800a`,
    };
    system.observeDot({ ...dotSkeleton, dotId: digestCanonicalJson(dotSkeleton) });
  }
  await flush();

  // 3. Peer cosign over the leaks-only Merkle root.
  const dossierRoot = dossierMerkleRoot(system.facts.leaks(), []);
  const cosignSkeleton = {
    schemaVersion: 1 as const,
    scifId: "FM-9800-A",
    dossierRoot,
    peerFingerprint: fingerprintPrivateKey(peer.privateKeyPem),
    observedAt: "2026-04-28T20:30:00.000Z",
  };
  system.receiveCosign({
    ...cosignSkeleton,
    cosignId: digestCanonicalJson(cosignSkeleton),
    signature: "demo-peer-sig",
  });
  await flush();

  try {
    for (const dossier of system.facts.dossiers()) {
      console.log(
        `dossier=${dossier.dossierId.slice(0, 16)}… scif=${dossier.scifId} leaks=${dossier.leakIds.length} cosigns=${dossier.cosignIds.length}`,
      );
    }
  } finally {
    await system.shutdown();
  }
}

main().catch((err) => {
  console.error(err);
  process.exit(1);
});
```
Run with tsx index.ts. Expected output:
```text
dossier=<digest16>… scif=FM-9800-A leaks=3 cosigns=1
```
What you get
A ScifClaim envelope per SCIF audit window – operator's signed declaration that they're auditing SCIF X over window Y. A LeakExhibit per detected covert channel – single-program (one substrate red dot) or cross-program (2+ DISTINCT substrates within a 15-min window). A ScifDossier per finalized window – Merkle-rolled signed envelope containing every leak + every Gossip cosign for that SCIF. All Rekor-anchored.
Three classes of red-team proof:
- single-program-leak – any of the 6 substrate programs emitted a red dot for this SCIF.
- cross-program-leak – 2+ DISTINCT substrate programs co-fired within an INCLUSIVE 15-minute window for the same SCIF; auto-routed to the SCIF Security Officer.
- dossier-finalized – end-of-window Merkle-rolled signed envelope with k-of-n Gossip cosign quorum; fail-closed paused gate.
What it can't do
- Real upstream substrate-program subscription is deferred. The alpha accepts unified-shape ScifDots as opaque JSON inputs. Subscribing to live Magneto-Air / Tempest-Witness / Ember / Thermal-Afterglow / Power-Ledger / Gossip system-instance fact streams lands in a follow-up.
- Production CLI surface is deferred. init (register a SCIF audit window), sweep (collect substrate dots from a building), finalize (after window closes), verify (check a published dossier) – all alpha-stubbed.
- Network-layer exfiltration is out of scope – that's Tripwire, a separate program.
- Polygraph / behavioral / insider-threat patterns – separate domain, not in alpha.
- Physical-access intrusion (door/badge/CCTV) – separate substrate, defer.
- Bug-sweep against active microphones – separate domain.
- Side-channels from substrates not yet wired (acoustic, optical, RF beyond TEMPEST) – composable in a follow-up but not alpha-shipped.
A real-world example
At 11:14 AM on April 28th, 2026, a defense contractor's red team is running a quarterly covert-channel drill inside a Fort Meade SCIF (FM-9800-A). A laptop running an inference workload begins emitting an FSK pattern on its CPU's magnetic field – the signature Magneto-Air detects with a smartphone magnetometer at 1m. Magneto-Air signs a MagnetoAirProof and emits a red ScifDot for FM-9800-A.
At 11:18 AM, Tempest-Witness – running on a software-defined radio against the SCIF wall – observes the same workstation's EM emanation fingerprint, which does not match the workload nominally running on the cleared system. A red dot is emitted. SCIF-Audit's cross-program clustering combines the two events: Magneto-Air at 11:14 plus Tempest-Witness at 11:18 sit 4 minutes apart, inside the 15-minute window, from two distinct substrate programs at the same SCIF. The cross-program leak escalates at priority 90.
At 11:22 AM, Ember reports a GPU EM/power/thermal signature inconsistent with the claimed model identity. At 11:27 AM, Power-Ledger's PMBus telemetry confirms a power profile inconsistent with the claimed workload. Four substrate programs co-fire within a 13-minute span.
At 4:30 PM the audit window closes. A peer Gossip node (a third-party auditor's signing key) cosigns the SCIF's audit-window dossier root. With 1-of-1 quorum reached, SCIF-Audit finalizes the dossier and ships an .intoto.jsonl cassette to the SCIF Security Officer at 4:45 PM. The facility security officer has verifiable exhibits for the post-drill briefing; the third-party auditor has a chain of custody suitable for FRE-902 review.
For developers
Predicate URIs
| URI | What it attests |
|---|---|
| https://pluck.run/ScifAudit.ScifClaim/v1 | Operator declares they're auditing SCIF X over window Y. |
| https://pluck.run/ScifAudit.LeakExhibit/v1 | A red dot from any of the 6 substrate programs, OR a cross-program co-fire with multi-program citations. |
| https://pluck.run/ScifAudit.Dossier/v1 | End-of-window Merkle-rolled signed envelope containing all leaks + cosigns for that SCIF. |
The signed body never carries cleared-personnel identities, raw magnetometer traces, raw GPU EM traces, raw IR frames, or any cleartext from the upstream substrate program's payload.
Programs composed
- Magneto-Air – magnetic-field covert-channel detection from CPU EM emanations (smartphone magnetometer at 1m).
- Tempest-Witness – EM emanation fingerprint of running AI/inference workloads through walls.
- Ember – GPU EM/power/thermal side-channel signatures vs. claimed model identity.
- Thermal-Afterglow – IR-camera attestation of recently-pressed keys + GPU thermal model id.
- Power-Ledger – DPA-style power-side-channel attestation from PSU PMBus telemetry.
- Gossip – peer cross-attest record (k-of-n cosign quorum so Pluck-Inc never holds singular keys).
Threat model + adversary
The adversary is an insider (cleared personnel + access) or an in-room contractor running an inference workload that exfiltrates classified data via covert side-channels – magnetic field, EM emanation, GPU side-channel, PSU power draw, or IR-visible thermal residue. SCIF-Audit does not block exfiltration – it makes the exfiltration's cross-program co-fire publicly attestable. False-positive resistance is layered: green substrate dots never cluster (idle workstation profiles, ambient baselines, nominal rails stay inside their respective gates); cross-program clustering requires 2+ DISTINCT substrates (depth within one substrate does NOT cluster); the 15-min window is INCLUSIVE; finalize is paused-gated (paused→resumed flow re-verifies cosign quorum still holds).
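The co-fire rule stated in this threat model and under "What you get" (red dots only, 2+ DISTINCT substrate programs, same SCIF, INCLUSIVE 15-minute window, no clustering by depth within one substrate), as an added illustration that is not the @sizls/pluck-bureau-scif-audit implementation. The dot fields and the drill timestamps come from this page; the ScifDot/LeakExhibit shapes and the sample dots are constructed here.

```typescript
// Added illustration of the clustering rule this page describes; it is not the
// @sizls/pluck-bureau-scif-audit implementation. The dot fields and the inclusive
// 15-minute window come from the page; the data structures below are assumed.
type ScifDot = { program: string; scifId: string; observedAt: string; severity: "red" | "green" };
type LeakExhibit = { kind: "single-program-leak" | "cross-program-leak"; scifId: string; programs: string[]; dots: ScifDot[] };
const WINDOW_MS = 15 * 60 * 1000; // co-fire window, INCLUSIVE of the boundary

// Every red dot is its own single-program leak. Red dots of the same SCIF whose
// timestamps fall within WINDOW_MS of the cluster's first dot, and which come
// from 2+ DISTINCT programs, additionally form one cross-program leak.
export function clusterDots(dots: ScifDot[]): LeakExhibit[] {
  const red = dots
    .filter((d) => d.severity === "red") // green dots never cluster
    .sort((a, b) => Date.parse(a.observedAt) - Date.parse(b.observedAt));
  const leaks: LeakExhibit[] = red.map((d): LeakExhibit => ({ kind: "single-program-leak", scifId: d.scifId, programs: [d.program], dots: [d] }));
  const byScif = new Map<string, ScifDot[]>();
  for (const d of red) byScif.set(d.scifId, (byScif.get(d.scifId) ?? []).concat(d));
  byScif.forEach((group, scifId) => {
    let i = 0;
    while (i < group.length) {
      const start = Date.parse(group[i].observedAt);
      let j = i;
      // Grow the cluster while the next dot is still inside the window of the first.
      while (j + 1 < group.length && Date.parse(group[j + 1].observedAt) - start <= WINDOW_MS) j++;
      const cluster = group.slice(i, j + 1);
      const programs = Array.from(new Set(cluster.map((d) => d.program))).sort();
      // Depth within one substrate does NOT cluster: 2+ distinct programs required.
      if (programs.length >= 2) leaks.push({ kind: "cross-program-leak", scifId, programs, dots: cluster });
      i = j + 1;
    }
  });
  return leaks;
}

// Constructed sample mirroring the page's drill at FM-9800-A, plus a green dot,
// a same-program repeat and a second SCIF that must not cluster with the first.
export const SAMPLE_DOTS: ScifDot[] = [
  { program: "magneto-air", scifId: "FM-9800-A", observedAt: "2026-04-28T15:14:00.000Z", severity: "red" },
  { program: "tempest-witness", scifId: "FM-9800-A", observedAt: "2026-04-28T15:18:00.000Z", severity: "red" },
  { program: "ember", scifId: "FM-9800-B", observedAt: "2026-04-28T15:20:00.000Z", severity: "red" },
  { program: "ember", scifId: "FM-9800-A", observedAt: "2026-04-28T15:22:00.000Z", severity: "red" },
  { program: "power-ledger", scifId: "FM-9800-A", observedAt: "2026-04-28T15:27:00.000Z", severity: "red" },
  { program: "thermal-afterglow", scifId: "FM-9800-A", observedAt: "2026-04-28T15:40:00.000Z", severity: "green" },
  { program: "magneto-air", scifId: "FM-9800-A", observedAt: "2026-04-28T17:00:00.000Z", severity: "red" },
  { program: "magneto-air", scifId: "FM-9800-A", observedAt: "2026-04-28T17:10:00.000Z", severity: "red" },
];
export const crossProgramLeaks = (dots: ScifDot[] = SAMPLE_DOTS) => clusterDots(dots).filter((l) => l.kind === "cross-program-leak");
```

On the sample, only the four-program drill cluster escalates; the second SCIF, the green dot and the two same-program magneto-air dots stay single-program leaks.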
What's stubbed (alpha)
- Real subscription to upstream Magneto-Air / Tempest-Witness / Ember / Thermal-Afterglow / Power-Ledger / Gossip system instances deferred – alpha accepts dot JSON as input.
- Production CLI surface (init/sweep/finalize/verify) deferred. dsseSign/notarizeAttestationRekor integration stubbed.
- Studio routes deferred.
Verify a published cassette
```sh
pluck bureau verify <bundle-dir>
cosign verify-blob --key <pubkey.pem> --signature <sig> \
  --type https://pluck.run/ScifAudit.Dossier/v1 <body.json>
```
See also
- Bureau Foundations
- Threat Model
- Verify a dossier
- Election-Day-Watch – the meta-dossier template SCIF-Audit inherits from
- Magneto-Air, Tempest-Witness, Ember, Thermal-Afterglow, Power-Ledger, Gossip – substrate programs composed