Certainty Engineering for Crisis Data — Sovereignty-Hardened
CERTUS is the core scoring engine that powers VERITAS. It computes a Damage Confidence Index (DCI) for every report, along with an Uncertainty Mass (UM) that tells responders how much to trust the score itself.
Author: Sheldon K. Salmon & ALBEDO · AionSystem · May 2026
You don't need the formula to understand this. Start here.
Picture a dispatch desk in a crisis operations center. The phones are ringing. Reports are coming in from across a city that just took a direct hit — hundreds of them, then thousands. Each one is a person with a phone, standing somewhere, telling you what they see.
Some of them are right. Some of them are wrong. Some are standing in front of a building that looked fine an hour ago and has since half-collapsed. Some are describing rubble from two blocks away, not the building in the photo. Some are submitting the same location twice because they weren't sure the first one went through. And some — a small number — are submitting deliberately false reports to redirect response resources.
The operator at the dispatch desk has one job: before a truck moves, before a team deploys, before a resource gets committed — figure out which reports to trust.
That operator is CERTUS.
Every report that arrives on the desk gets a number. Not a guess. A number built from four separate lines of evidence — the photo, the neighbourhood consensus, the timestamp, and an internal logic check. CERTUS weighs all four, combines them, and writes a single score on the top of the report: a number between 0.0 and 1.0.
But that's not all. CERTUS also calculates an Uncertainty Mass (UM) — a measure of how much uncertainty is baked into that score. A high‑confidence score with low uncertainty is actionable. A high‑confidence score with high uncertainty? That's a warning sign. The UM tells you:
| UM | Status | Meaning |
|---|---|---|
| < 0.35 | VALID | Score is reliable — act on it |
| 0.35–0.60 | DEGRADED | Score useful but uncertain — verify locally |
| > 0.60 | SUSPENDED | Do not rely — must field-verify first |
Then it stamps the report with a colour and routes it.
🟢 Green — the score is 0.70 or above AND UM < 0.35. CERTUS is confident. This report goes to the front of the stack. Responders can act on it.
🟡 Amber — the score is between 0.40 and 0.69 OR UM is 0.35–0.60. Something is uncertain — maybe only one person reported it, maybe the photo was blurry, maybe the report is 30 hours old. Watch it. Don't ignore it. Don't act on it alone.
🔴 Red — the score is below 0.40 OR UM > 0.60. CERTUS is raising its hand. A human needs to look at this before anything moves. Not because the reporter is lying — they probably aren't — but because the evidence isn't strong enough yet to stake a deployment decision on it.
There is one additional rule at the dispatch desk. It fires even before the score is calculated.
If two reports arrive from the same address and they contradict each other — one says "Completely damaged," one says "Minor damage" — CERTUS flags the location as a conflict. The whole location goes red immediately, regardless of what the individual scores would have been. Contradicting reports at the same address don't average out. They signal that something is genuinely unknown, and unknown is not a safe basis for action.
A human resolves the conflict. Then the location is re‑evaluated.
One more thing the operator notices. When a cluster of reports arrives from the same GPS cluster, at the same time, with photos that look similar — CERTUS raises a flag before routing any of them. Evidence from people who were all in the same place at the same time, comparing notes, is not five independent confirmations. It may be one shared perception submitted five times. CERTUS knows the difference.
This is the entire purpose of the engine. Not to replace the reporter. Not to replace the responder. To sit between them and do the one thing both of them need: translate raw human signals into a number that honestly represents how much those signals should be trusted, and tell you how sure it is about that number.
The trucks move on green. The humans watch amber. The red pins wait for eyes.
DCI = (0.35 × PES_eff) + (0.30 × COR) + (0.20 × TFR) + (0.15 × CCI)
| Component | Description | Range |
|---|---|---|
| PES_eff | Photo Evidence Score — AI analysis via OpenRouter, gated at model confidence ≥0.60, scaled by graduated model trust | 0.0 – 1.0 |
| COR | Corroboration Score — agreement with independent reports within density‑adjusted radius (20m–200m), weighted by reporter reputation | 0.0 – 1.0 |
| TFR | Temporal Freshness — event‑aware decay (earthquake, flood, cyclone), with reconciliation gate for fresh evidence | 0.0 – 1.0 |
| CCI | Classification Consistency — cross‑category logic check, expanded suspicious combinations, multilingual penalty | 0.0 – 1.0 |
Epistemic Ceiling: No DCI score can exceed 0.95. Field conditions always carry residual uncertainty. This constraint is architectural and not configurable. The ceiling is now cumulative across all appeals — sequential appeals cannot bypass it.
CERTUS can now empirically calibrate its own dimension weights using ground truth data.
const calibration = CERTUS.calibrateWeights(20);
if (calibration.calibrated) {
// calibration.fcl_entries_analyzed = number of ground‑truth entries
// calibration.recommended_weights = { PES: 0.38, COR: 0.29, ... }
// After human review:
CERTUS.W = calibration.updated_weights_dampened;
}The engine never auto‑updates its weights. Human review is required. This keeps the DCI formula transparent while allowing continuous improvement as field validation accumulates.
Graduated Photo Model Trust
CERTUS does not assume any AI model is trustworthy without a declaration. Instead, it uses a graduated model trust score [0.0–1.0] derived from calibration evidence, which directly and continuously reduces the PES uncertainty penalty as ground truth accumulates.
Trust Score Calibration Status PES UM Penalty Measurement Class 0.0 UNCALIBRATED (no ground truth) 0.20 INFERENTIAL 0.01–0.59 PARTIAL (1–249 validated reports) 0.08–0.20 EVALUATIVE_PARTIAL 0.60–0.85 PARTIAL (250–499 validated reports) 0.03–0.08 EVALUATIVE_PARTIAL 1.0 VERIFIED (formally calibrated) 0.00 EVALUATIVE_CERTIFIED
The trust score is declared at initialization and logged immutably to the audit trail. No code changes are required as calibration evidence accumulates — the engine reduces its own penalty continuously via updateModelCalibration().
Photo API Security (v3.2.1): All requests to the photo analysis endpoint are signed with an HMAC‑SHA‑256 timestamp and signature header (X-CERTUS-Timestamp, X-CERTUS-Signature). Production deployments must set PRODUCTION.photoApiHmacSecret. The API call also includes exponential backoff retries (max 3 attempts) and a circuit breaker.
Current deployment: openrouter/gpt-4o-mini+claude-3.5-sonnet registered as UNCALIBRATED. Full UM penalty applies. Every scored report declares this explicitly.
Framework Calibration Log (FCL)
CERTUS records scoring outcomes against ground truth through FCL entries. Every scored report where ground truth is available produces an entry recording the predicted DCI, predicted tier, actual outcome, and per‑dimension scores.
// Access calibration data
const entries = CERTUS.getFCLEntries();
const count = CERTUS.getFCLCount();
console.log(`FCL entries: ${count} — calibration ${count >= 20 ? 'active' : 'pending'}`);FCL entries are stored in memory (capped at 500) and persisted to storage (IndexedDB, memory, or Supabase). The calibrateWeights() method uses these entries to recommend updated weights.
Integrity Seals & Canonical Serialisation (v3.2.1)
Every scored output carries a cryptographic integrity seal generated via _sealResult(). The seal uses SHA‑256 (Web Crypto API when available) over the report UUID, DCI score, tier, timestamp, engine version, and tenant ID. The report input is also hashed via _hashReportInput() so downstream consumers can verify the report was not modified between submission and scoring.
Canonical serialisation (v3.2.1): The seal uses _canonicalSerialize() to sort object keys alphabetically, ensuring identical seals across different JavaScript engines (Node.js vs browser). This fixes the cross‑environment tamper‑evidence chain that previously broke seals when moving between runtime environments.
Abstraction Bargain
Every computational model discards physical properties to enable formal reasoning. Each discarded property generates a class of failure modes invisible to the model. CERTUS declares its abstraction bargain explicitly via the MODEL_LIMITATIONS block — a permanent, auditable declaration of what the DCI model cannot see.
Discarded Property Failure Class Sensor reliability Damaged camera lenses, low‑light noise, sensor artifacts Atmospheric interference Smoke, dust, fog, rain degrading photo quality Cultural differences in damage reporting Non‑English descriptions receiving systematically lower CCI scores (now flagged) Language translation fidelity Semantic drift during automated translation (+0.10 UM penalty) Independence of nearby reports Correlated community reports inflating corroboration Geographic homogeneity Uniform COR radius – now dynamically adjusted via OSM building density Event‑specific decay Hand‑tuned curves for earthquake, flood, cyclone
Specification primacy ordering: When behaviour contradicts expectation, verify whether the specification permits the behaviour before diagnosing an implementation error.
Thresholds & Actions
DCI Range Tier UM Threshold Pin Color Action ≥ 0.70 High Confidence < 0.35 🟢 Green Trusted, ready for triage 0.40 – 0.69 Watch < 0.60 🟡 Amber Monitor; verify locally < 0.40 Review Required any 🔴 Red Human verification required any any 0.60 🔴 Red Do not act — field verification required
Sub-Component Details
- Photo Evidence Score (PES_eff)
VERITAS uses OpenRouter to access AI models for damage assessment:
Priority Model Purpose Primary GPT-4o-mini (OpenAI via OpenRouter) Fast, cost‑efficient damage assessment Fallback Claude 3.5 Sonnet (Anthropic via OpenRouter) Higher‑accuracy fallback
How it works:
- User captures photo — Canvas API strips EXIF metadata
- Image sent to OpenRouter with structured prompt
- AI returns: damage level, confidence score, description
- CERTUS derives a model trust score from registered calibration data
- If confidence < 0.60 → PES_eff applies trust‑scaled gate
- If confidence ≥ 0.60 → PES_eff used directly; UM penalty scaled by trust
- If API unavailable → falls back to TensorFlow.js offline model (xBD dataset)
Resilient API calls (v3.2.1): The photo analysis endpoint is configurable (PRODUCTION.photoApiEndpoint). The engine retries failed requests up to 3 times with exponential backoff (500ms, 1000ms, 2000ms) and a circuit breaker that opens after 3 consecutive failures.
The isRealModel flag is deprecated. All deployments must register a model via CERTUS.registerPhotoModel(config) at initialization.
- Corroboration Score (COR) — Density‑Adjusted & Reputation‑Weighted
Scenario Score Uncertainty Contribution No nearby reports Not evaluable (excluded) +0.35 UM One nearby report, agrees 0.55 +0.05 UM One nearby report, disagrees 0.40 +0.05 UM Multiple independent reports, strong agreement 0.70 0 UM Multiple reports, contradiction < 0.40 +0.08 UM
Dynamic COR radius (v3.2.1): Queries OpenStreetMap for building density in a 500m bounding box. Adjusts radius from 20m (extreme density) to 200m (rural). Eliminates geographic bias.
Reputation weighting (v3.2.1): When reputationFn is provided, nearby reports from banned reporters are excluded, and the agreement weight is scaled by each reporter’s reputation score (0.5 + score/2). Good reporters matter more.
Evidence Independence Detection. CERTUS detects when multiple reports are likely correlated — same submitter cluster, same time window, same GPS cluster, similar photos. Correlated evidence is down‑weighted before entering the COR calculation.
- Temporal Freshness (TFR) — Event‑Aware & Reconciliation Gate
TFR = profile.fn(hours_elapsed)
Event Type Decay Curve 6h 12h 24h 48h Earthquake Rescue window: high first 6h, then gradual 1.00 0.78 0.52 0.27 Flood Stays relevant longer – 120h half‑life 0.95 0.90 0.80 0.60 Cyclone Moderate decay, 96h half‑life 0.94 0.88 0.75 0.50 Default Linear 48h half‑life 0.88 0.75 0.50 0.00
Use report.eventType = 'earthquake' | 'flood' | 'cyclone' | 'default' in the report object.
Reconciliation Gate (v3.2.1): If the report is stale (TFR EXPIRED) but fresh evidence (e.g., satellite photo) is submitted within 6h, TFR recovers to AGING_RECOVERED (≥0.45). The recovery is noted in dci_decay_reconciliation.
- Classification Consistency (CCI) — Expanded & Multilingual
Combination CCI Uncertainty Reason Any + any (consistent) 1.0 0 Consistent "Completely damaged" + "Road" 0.70 +0.08 Roads rarely achieve total collapse "Completely damaged" + "Utility" 0.75 +0.08 Utility infrastructure rarely total collapse "Completely damaged" + "Bridge" 0.80 +0.08 Bridge collapse plausible but verify "Minimal/No damage" + "Bridge" 0.75 +0.08 Bridges rarely sustain only cosmetic damage "Completely damaged" + "Medical" 0.85 +0.08 High consequence — verify urgently "Completely damaged" + "Government Building" 0.80 +0.08 Coordination facility — escalate "Minimal/No damage" + "Residential" 0.95 +0.08 Common and plausible
Multilingual handling (v3.2.1): When witnessText is present and the report language is not English, a +0.10 UM penalty is added and the note [NLP‑A01] is attached. The language_mismatch flag is set in dci_flags. Full multilingual keyword dictionaries are planned for v3.3.
Signal Intelligence Layer
NLP Witness Statement Analysis. Text fields are analysed to extract damage‑level signals and infer infrastructure type directly from descriptions. Non‑English reports receive a transparency penalty rather than silent failure.
Source Credibility Scoring. Evidence sources are assigned credibility weights before entering the COR calculation:
Source Type Credibility Weight First‑hand witness 0.9 Community‑verified reporter Bonus applied at COR Unverified secondhand Reduced weight
Cross‑Validation. Photo evidence, text description, and GPS location are cross‑checked for consistency. Inconsistencies are named explicitly in the scored output.
Adversarial Resistance & Enterprise Hardening
Spatial cluster detection (v3.2.1): detectSpatialCluster() scans reports within a 2km radius over a 20‑minute window. When 5+ reports are found, it returns cluster_detected: true with severity MASS_CASUALTY_RISK if ≥60% are “Completely damaged”. The cluster centroid and recommendation are provided for immediate aggregate dispatch.
Certificate expiry enforcement (v3.2.1): Verification certificates expire after 48 hours. validateCertificate() checks the expiry before sharing; expired certificates return shareable: false with action RE_SCORE_REPORT.
Adversarial Pattern Detection. Multi‑signal detection runs on every batch: duplicate photo detection via perceptual hashing (dHash in browser, FNV‑1a in Node), temporal clustering analysis, submission rate monitoring, coordinate proximity clustering.
Reporter Reputation System. Every reporter carries a reputation score updated after field verification:
Event Reputation Change Field‑verified accurate report +10 Confirmed false report −20 Ban threshold −100
Community Verification Badges. Reporters with consistently verified submissions earn community verification status, applying a source credibility bonus.
Reporter Accountability & GDPR (v3.2.1)
Appeal Workflow. Every reporter may appeal a SUSPENDED or DEGRADED score up to 3 times per report, with new evidence required per appeal. The epistemic ceiling (0.95) is cumulative across all appeals.
GDPR Article 20 – Data Portability. Any reporter can request all their data in machine‑readable format via exportReporterData(reporterId). The export includes reputation record, FCL entries, appeals history, and data recipients.
GDPR Article 17 – Right to Erasure. deleteReporterData(reporterId, verificationToken) redacts personal data while preserving aggregate signal. A verification token (e.g., hashed email or previous session ID) is required to prevent unauthorised deletion.
Whistleblower Channel (planned). Endpoint: /api/whistleblower. Status: planned for v3.3.
Uncertainty Mass (UM) — How It Works
UM Components (v3.2.1 additions marked)
Source Base Contribution Condition No photo +0.25 PES excluded UNCALIBRATED model +0.20 trust_score = 0.0 PARTIAL calibration +0.03–0.20 trust_score 0.01–0.85 VERIFIED model +0.00 trust_score = 1.0 AI confidence gated Scaled by trust Model confidence < 60% No corroboration +0.35 COR excluded Weak corroboration +0.05 Only one nearby report Contradiction +0.08 Multiple reports disagree Correlated evidence Down‑weighted Sources not independent Aging report +0.05–0.15 Based on hours elapsed Classification flagged +0.08 Suspicious combination Language mismatch +0.10 Non‑English report (v3.2.1) Correlated failures +0.20–0.60 Multiple missing dimensions
UM Calculation
UM = 1 − ∏(1 − p_i)
UM Thresholds
UM Range Validity Status Meaning < 0.35 VALID Score is reliable 0.35–0.60 DEGRADED Score useful but uncertain 0.60 SUSPENDED Do not rely on this score
Constitutional Governance Layer
Every scored output includes a constitutional_status block — a governance instrument declared on every report.
Prohibited Uses (v3.2.1 now enforced at engine level). The engine checks context.stated_purpose against a keyword list. If a blocked use is detected (e.g., “weaponization”, “surveillance”), the score is refused with a constitutional error. Insurance denial is flagged but not blocked.
Prohibited Use Keywords Action Surveillance track individual, monitor person, identify individual, locate specific person Block (Law 4) Weaponization target strike, fire solution, weapons coordinates, strike package Block (Law 6) Insurance denial deny claim, reject insurance, coverage denial Flag only
Consent Gate. The engine provides getConsentForm() but does not block scoring if consent has not been collected. Consent enforcement is the caller's obligation.
Indigenous Data Sovereignty. CERTUS applies the UNDRIP Article 31 FPIC standard:
Governance Layer Implementation Consent Standard UNDRIP Article 31 — FPIC Consent Proof Digital signature of community council Consent Validity One year, revocable at any time Data Ownership Community Traditional Knowledge Protected
Conflict & Cluster Detection
Conflict Detection. When two reports within 50 meters disagree on damage tier, they are flagged as a conflict in the responder dashboard. The whole location goes red immediately.
Cluster Detection (v3.2.1). detectSpatialCluster() identifies mass‑casualty event signatures (≥5 reports within 2km and 20 minutes). The cluster centroid and recommendation AGGREGATE_EMERGENCY_DISPATCH are provided.
Declared Assumptions
Assumption Plain Language
COR-A01
Every assumption carries an identifier and appears in the output so downstream systems can reason about it.
Output Structure (v3.2.1)
{
dci: 0.71,
dci_raw: 0.71, // unadjusted (for calibration)
dci_priority: 0.92, // criticality‑adjusted (Medical=1.5×)
tier: "high",
usable: true,
version: "3.2.1",
// Integrity
input_hash: "sha256:7d4a2f1c...",
integrity_seal: { algorithm: "SHA-256", hash: "...", payload: "..." },
// Dimensional scores
dci_pes: 0.85,
dci_cor: 0.60,
dci_tfr: 0.75,
dci_cci: 1.0,
// Uncertainty infrastructure
dci_uncertainty_mass: 0.28,
dci_validity_status: "VALID",
dci_um_breakdown: [ "📷 Photo evidence clear — model UNCALIBRATED", "⚠️ No corroboration yet" ],
// Diagnostics
dci_strengths: [],
dci_weaknesses: [],
dci_bottleneck: { dimension: "COR", value: 0.60 },
dci_assumptions_raw: [{ id: "COR-A01", plain_language: "..." }],
// v3.2.1 additions
dci_criticality_multiplier: 1.5,
dci_criticality_reason: "Life‑critical — hospital/clinic",
dci_spatial_cluster: { cluster_detected: false },
dci_progression: { progression: "INSUFFICIENT_DATA" },
dci_decay_reconciliation: { reconciled: false },
// Flags
dci_flags: {
language_mismatch: true,
language_reported: "ar",
language_nlp_dictionary: "en"
},
// Field view (responder‑facing)
dci_field_view: {
action: "SHARE THIS REPORT",
confidence: "HIGH",
what_to_do: "Send this to response coordinators.",
share_code: "VRT-8A3F-9B2E"
},
// Constitutional status
constitutional_status: {
law_4_compliant: true,
prohibited_uses_enforcement: "CALLER_RESPONSIBILITY",
consent_gate: "CALLER_RESPONSIBILITY"
},
// Reporter accountability
dci_reporter_reputation: { score: 0, banned: false },
appeal_status: { appeals_remaining: 3 },
gdpr_export_endpoint: "/api/reporter/export"
}Initialisation (v3.2.1)
const CERTUS = new CERTUSEngine(); // or use global singleton
await CERTUS.initialize(supabaseUrl, supabaseKey, {
photoModel: {
id: 'openrouter/gpt-4o-mini+claude-3.5-sonnet',
type: 'openrouter',
calibration_status: 'UNCALIBRATED',
calibration_samples: 0,
calibration_dataset: 'Primary: openai/gpt-4o-mini · Fallback: anthropic/claude-3-5-sonnet',
registered_by: 'certus-deployment'
},
production: {
photoApiHmacSecret: process.env.CERTUS_HMAC_SECRET, // optional
eventDecayProfiles: { /* custom curves */ } // optional
}
});
// As field validation accumulates — no code changes required:
await CERTUS.updateModelCalibration(validatedSampleCount, 'PARTIAL');
// Access FCL calibration data:
const entries = CERTUS.getFCLEntries();
// Self‑calibration (v3.2.1):
const calibration = CERTUS.calibrateWeights(20);
if (calibration.calibrated && confirm('Apply new weights?')) {
CERTUS.W = calibration.updated_weights_dampened;
}Offline & Field Mode
Feature Implementation Offline scoring Full engine runs in browser Offline AI TensorFlow.js + xBD dataset — local inference, no API required AI API fallback Mock analysis (neutral scores) when OpenRouter unavailable Service worker Caches app shell for offline use IndexedDB Stores reports locally, syncs when back online Low‑literacy mode Icon‑based interface, audio guidance Progress persistence Partial reports survive connectivity interruption Family/group reporting Batch submission for multiple locations
Accessibility
Feature Status Icon‑based damage classification ✅ Active Full audio guidance (6 UN languages) ✅ Active Language fallback flag ✅ Active Large text mode ✅ Active Automatic dark mode ✅ Active Haptic feedback (confidence confirmation) ✅ Active Family/group batch reporting ✅ Active
Roadmap (v3.3+)
Feature Status Whistleblower channel (/api/whistleblower) 🔵 Planned — v3.3 Satellite imagery corroboration layer 🔵 Planned — v3.3 Multilingual NLP keyword dictionaries 🔵 Planned — v3.3 Live facility database (replaces mock data) 🔵 Planned — v3.3 VELA constitutional veil integration 🔵 Planned — v3.3 Offline voice recognition (real) 🔵 Planned — v3.3
CERTUS is an application of the AION Constitutional Stack — specifically FSVE certainty scoring, CAL code governance, ECF epistemic tagging, and validity threshold enforcement.
The engine underwent a full four‑instrument adversarial audit (PDE → EAE → ANTI‑FORGE → CAL) across versions v2.5.2 through v3.2.1. All 57 findings are resolved. The engine is horizontally scalable, multi‑tenant, GDPR‑compliant, humanitarian‑equity‑conscious, and enterprise‑ready.
Production-ready. Sovereignty-hardened.
Sheldon K. Salmon & ALBEDO · AionSystem · May 2026