LABR-071 · DAY 97 · 2026-05-11

Legal-Evidentiary Metabolism for Kubernetes

Eight Truth Classes (TC-0 through TC-7) · Vector Courier · Falco Kernel Witness · γ₁-Stamped Trials

γ₁ = 14.134725141734693 · mefine-static · pemos.ca

§1 — The Core Doctrine
LEGAL-EVIDENTIARY METABOLISM

A Kubernetes cluster is not merely a compute substrate; it is a legal jurisdiction. Every event, every gate decision, every runtime observation is a piece of evidence. The cluster metabolizes signals into truth. Truth classes define the evidentiary weight of each signal source: lower classes are admissible as evidence inside a trial, but only a γ₁-stamped trial (TC-7) enters the Helix court of record.

Vector Doctrine

Rust Courier Replacing Fat Collectors

Vector (written in Rust) replaces the Fluentd/Logstash fat collectors: zero-copy log shipping, sub-millisecond routing decisions, topology-aware pipeline transforms. The courier is lean and the evidence arrives intact, provided the pipeline is configured so that it cannot lose evidence in transit: end-to-end acknowledgements and disk buffers on the sinks, so that a courier restart or a slow Loki does not drop TC-3/TC-4 records on the floor. Evidence that never arrives has no weight at all.

Rust runtime · zero-copy · replaces Fluentd
Prometheus Gate Doctrine

Scraping Gates Directly

Prometheus doesn't just collect metrics; it scrapes gates. The OPA server and Gatekeeper both expose Prometheus metrics, so request counts, decision latency and violation totals are scraped like any other target. conftest is the exception: it runs inside the CI job and has nothing to scrape, so its PASS/FAIL results must be rendered as exposition text and pushed (Pushgateway, or the node_exporter textfile collector) before they become a metric surface. Either way the measurement system collapses into the decision system.

gate scraping · OPA metrics · admission telemetry
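The push side of the gate-scraping doctrine, as an added example (not code from this page, nor from the conftest or Prometheus projects): conftest's JSON report is summarized per file and rendered as Prometheus text exposition, so the TC-2 decision can be pushed where Prometheus will find it. The record shape (`filename`, `namespace`, `successes`, `failures`, `warnings`) follows `conftest test -o json`; the metric names `gate_checks_total` and `gate_decision`, the `gate` label and the sample report are assumptions constructed for this example.

```python
"""Render conftest JSON results as Prometheus exposition text.

Added example, not conftest or Prometheus code. Assumes the result shape
produced by `conftest test -o json`: a list of objects with `filename`,
`namespace`, `successes` (int), `failures` and `warnings` (lists of
{"msg": ...}). Metric names are assumptions; the sample report is constructed.
"""
import json
from collections import Counter

# Constructed sample: what one CI run might print from `conftest test -o json`
SAMPLE_CONFTEST_JSON = json.dumps([
    {"filename": "deploy/api.yaml", "namespace": "main", "successes": 4,
     "failures": [], "warnings": []},
    {"filename": "deploy/worker.yaml", "namespace": "main", "successes": 3,
     "failures": [{"msg": "Containers must not run as root"}],
     "warnings": [{"msg": "image tag \"latest\" is mutable"}]},
])


def parse_conftest(text: str) -> list:
    """Parse the JSON report conftest prints; rejects anything that is not a list."""
    results = json.loads(text)
    if not isinstance(results, list):
        raise ValueError("conftest -o json output must be a JSON array")
    return results


def escape_label(value: str) -> str:
    """Escape a label value per the Prometheus text exposition format."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def summarize(results: list) -> dict:
    """Count pass/fail/warn per (namespace, filename) -> {"pass": n, "fail": n, "warn": n}."""
    out = {}
    for r in results:
        counts = out.setdefault((r["namespace"], r["filename"]), Counter())
        counts["pass"] += int(r.get("successes", 0))
        counts["fail"] += len(r.get("failures", []))
        counts["warn"] += len(r.get("warnings", []))
    return {key: dict(counts) for key, counts in out.items()}


def gate_passed(results: list) -> bool:
    """TC-2 verdict for the whole run: PASS only if no file has a failure."""
    return all(counts["fail"] == 0 for counts in summarize(results).values())


def to_exposition(results: list, gate: str = "conftest") -> str:
    """One counter per (file, result) plus a 0/1 gauge that is the gate decision."""
    summary = summarize(results)
    lines = ["# HELP gate_checks_total Policy checks by result.",
             "# TYPE gate_checks_total counter"]
    for (ns, fname), counts in sorted(summary.items()):
        for result in ("pass", "fail", "warn"):
            lines.append(
                f'gate_checks_total{{gate="{gate}",namespace="{escape_label(ns)}",'
                f'filename="{escape_label(fname)}",result="{result}"}} {counts[result]}')
    lines += ["# HELP gate_decision 1 if the file passed every policy, else 0.",
              "# TYPE gate_decision gauge"]
    for (ns, fname), counts in sorted(summary.items()):
        lines.append(
            f'gate_decision{{gate="{gate}",namespace="{escape_label(ns)}",'
            f'filename="{escape_label(fname)}"}} {0 if counts["fail"] else 1}')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = parse_conftest(SAMPLE_CONFTEST_JSON)
    print(to_exposition(results), end="")
    print("gate:", "PASS" if gate_passed(results) else "FAIL")
```

Pipe the exposition text to a Pushgateway (`curl --data-binary @- http://pushgateway:9091/metrics/job/conftest`) or write it into the node_exporter textfile collector directory; either way the decision becomes a queryable series, and `gate_decision == 0` is the alert condition.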
OPA Equivalence

Gatekeeper + conftest = One Mind

OPA manifests as two bodies: Gatekeeper (in-cluster admission controller) and conftest (CI pipeline policy runner). Same policy language, same evidentiary standards, so the gate is consistent across the full delivery arc. One caveat for practice: the two bodies see different input shapes. Gatekeeper evaluates `input.review.object` inside a ConstraintTemplate's `violation` rule, while conftest evaluates the raw manifest as `input` through `deny`/`warn` rules. Keep the substantive checks in a shared Rego package that takes the object as an argument and give each entry point a thin wrapper, or the two minds drift apart.

Rego unified · CI + runtime · single truth
Falco Doctrine

Kernel Witness vs App Testimony

Falco operates at the kernel syscall layer; it is a kernel witness, not an application monitor. App logs testify. Falco witnesses. The distinction is legal: kernel evidence is harder to tamper with than application-layer logs, because a process cannot rewrite a syscall it has already made. Harder is not impossible: root on the node can stop Falco or unload its probe, so the witness only counts if its events leave the node immediately (the Vector socket in §3) and land in WORM storage (TC-6) before anyone can intervene.

kernel layer · syscall witness · tamper-resistant
§2 — Truth Class System (TC-0 through TC-7)
CLASS | NAME           | SOURCE                                                                | TOOL                              | WEIGHT | ADMISSIBILITY
TC-0  | Intent         | Developer commit, PR description, GitOps declaration                  | Git, ArgoCD                       | 0.05   | Preliminary
TC-1  | Declaration    | Kubernetes manifest, Helm values, CRD spec                            | kubectl, Helm                     | 0.10   | Filed
TC-2  | Gate           | Admission webhook decision, conftest PASS/FAIL, Kyverno policy result | OPA Gatekeeper, Kyverno, conftest | 0.20   | Admissible
TC-3  | Testimony      | Application logs, structured events, trace spans                      | Vector, Loki, Tempo               | 0.15   | Admissible
TC-4  | RuntimeWitness | Kernel syscall events, eBPF probes, Falco alerts                      | Falco, Tetragon                   | 0.35   | High Weight
TC-5  | Metric         | Prometheus time series, SLO burn rates, gate latency                  | Prometheus, Thanos                | 0.20   | Admissible
TC-6  | WORM           | Immutable audit log, Sigstore Rekor transparency log entry            | immudb, Rekor                     | 0.45   | Notarized
TC-7  | Helix          | γ₁-stamped trial record on the PEMOS helix                            | TrendalTrial CRD                  | 1.00   | Court of Record

Weights are relative evidentiary weights, not probabilities (they do not sum to 1).
§3 — Evidence Pipeline Architecture
TC-0/1 Intent & Declaration → TC-2 Gate Decision → TC-3/4 Testimony + Witness → TC-5 Metric Capture → TC-6 WORM Notarize → TC-7 Helix Stamp
VECTOR PIPELINE TOPOLOGY
# vector.toml — Evidence Metabolism Pipeline
[sources.k8s_logs]
  type = "kubernetes_logs"
  # only pods labelled as testimony (TC-3) are collected by this courier
  extra_label_selector = "evidence-class=testimony"

[sources.falco_events]
  # Falco must write newline-delimited JSON to this socket (json_output: true,
  # delivered via program_output or falcosidekick). Falco's native gRPC unix
  # socket is not line-framed and cannot be read by this source.
  type = "socket"
  mode = "unix"
  path = "/var/run/falco/falco.sock"   # unix mode takes `path`, not `address`

[transforms.classify]
  type = "remap"
  inputs = ["k8s_logs", "falco_events"]
  source = '''
    # TC-4 RuntimeWitness only for kernel events: Falco's JSON output marks
    # them with source = "syscall"; the .syscall field is kept for events
    # pre-shaped upstream. Everything else from these sources is TC-3 Testimony.
    .truth_class = if .source == "syscall" || exists(.syscall) { 4 } else { 3 }
    .gamma1 = 14.134725141734693
    # TC-3 and above is admissible inside a trial; the γ₁ stamp itself still
    # needs TC-2, TC-4, TC-5 and TC-6 together (§4), so this is not the stamp
    .trial_eligible = .truth_class >= 3
  '''

[sinks.loki]
  type = "loki"
  inputs = ["classify"]
  endpoint = "http://loki:3100"        # assumed in-cluster Loki address
  encoding.codec = "json"
  labels.truth_class = "{{ truth_class }}"
  labels.trial_eligible = "{{ trial_eligible }}"

[sinks.immudb]
  type = "http"
  inputs = ["classify"]
  uri = "http://immudb-svc:8080/v1/document/collection/evidence/documents"
  method = "post"
  encoding.codec = "json"
  # immudb's document API requires an authenticated session; supply the
  # session header under request.headers before this sink carries TC-6 evidence
§4 — γ₁-Stamped Trial Doctrine
Stamp Requirements

What Makes a Trial γ₁-Valid

A trial is γ₁-stamped only when all four are present: (1) a TC-2 gate decision recorded, (2) a TC-4 Falco witness attached, (3) TC-5 Prometheus metrics captured, (4) a TC-6 immudb/Rekor entry present. The γ₁ constant (14.134725141734693) is the imaginary part of the first non-trivial zero of the Riemann zeta function (ρ₁ = 1/2 + γ₁i); the doctrine calls it the helix floor.

γ₁=14.134... · 4-class minimum
Rekor Notarization

Sigstore Transparency Log

Every TC-7 Helix entry requires a Rekor transparency log inclusion proof. The Rekor log entry UUID becomes the trial's immutable anchor, and any third party with access to the public Rekor instance can audit it. The anchor is only as good as its verification: a client must recompute the Merkle root from the leaf hash and the proof's sibling hashes and check it against a checkpoint signed by the log, not merely store the UUID.

Rekor UUID · public audit · Sigstore
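The verification step above, as an added example that is not Sigstore, Rekor or PEMOS code: both sides of an RFC 6962 Merkle inclusion proof, the log side that builds the root and the sibling path, and the client side that recomputes the root from a leaf and the path and rejects anything that does not match. Assumptions: leaf and node hashing follow RFC 6962 (SHA-256 over a 0x00 or 0x01 prefix, as Rekor's Trillian backend does), the proof dict mirrors Rekor's `inclusionProof` fields (`logIndex`, `treeSize`, `rootHash`, `hashes`), and the log entries are constructed so the example runs offline. The immudb proof format in the next subsection differs and is not covered here.

```python
"""Verify an RFC 6962 Merkle inclusion proof the way a Rekor client does.

Added example; not Sigstore, Rekor or PEMOS code. Assumptions: leaf hash =
SHA-256(0x00 || entry), node hash = SHA-256(0x01 || left || right); the
proof dict mirrors Rekor's `inclusionProof` (logIndex, treeSize, rootHash,
hashes as hex); the log entries below are constructed, not real trials.
"""
import hashlib

LEAF_PREFIX = b"\x00"
NODE_PREFIX = b"\x01"


def leaf_hash(entry: bytes) -> bytes:
    """Hash of one log entry; Rekor derives the entry's UUID from this value."""
    return hashlib.sha256(LEAF_PREFIX + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(NODE_PREFIX + left + right).digest()


def split_point(n: int) -> int:
    """Largest power of two strictly below n (n >= 2): the RFC 6962 split."""
    return 1 << ((n - 1).bit_length() - 1)


def tree_hash(leaves: list) -> bytes:
    """MTH(D[n]) over leaf hashes: the root the log server publishes."""
    if not leaves:
        return hashlib.sha256(b"").digest()
    if len(leaves) == 1:
        return leaves[0]
    k = split_point(len(leaves))
    return node_hash(tree_hash(leaves[:k]), tree_hash(leaves[k:]))


def inclusion_path(index: int, leaves: list) -> list:
    """PATH(m, D[n]): sibling hashes from the leaf up to the root (log side)."""
    if len(leaves) == 1:
        return []
    k = split_point(len(leaves))
    if index < k:
        return inclusion_path(index, leaves[:k]) + [tree_hash(leaves[k:])]
    return inclusion_path(index - k, leaves[k:]) + [tree_hash(leaves[:k])]


def make_proof(entries: list, index: int) -> dict:
    """Build a Rekor-shaped inclusionProof for entries[index] (log side)."""
    leaves = [leaf_hash(e) for e in entries]
    return {
        "logIndex": index,
        "treeSize": len(entries),
        "rootHash": tree_hash(leaves).hex(),
        "hashes": [h.hex() for h in inclusion_path(index, leaves)],
    }


def verify_inclusion(leaf: bytes, proof: dict) -> bool:
    """Client side (RFC 9162 §2.1.3.2): recompute the root from leaf + path.

    Rejects proofs that are too long or too short, or for the wrong index.
    """
    fn, sn = proof["logIndex"], proof["treeSize"] - 1
    if fn < 0 or fn > sn:
        return False
    r = leaf
    for p in (bytes.fromhex(h) for h in proof["hashes"]):
        if sn == 0:
            return False          # more siblings than the tree has levels
        if fn & 1 or fn == sn:
            r = node_hash(p, r)   # sibling is on the left
            while fn and not fn & 1:
                fn >>= 1          # we were the unpaired last node; skip levels
                sn >>= 1
        else:
            r = node_hash(r, p)   # sibling is on the right
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == bytes.fromhex(proof["rootHash"])


# Constructed log: six trial records as they might be notarized (not real data)
TRIAL_ENTRIES = [f"trial-{i}:gamma1=14.134725141734693".encode() for i in range(6)]

if __name__ == "__main__":
    proof = make_proof(TRIAL_ENTRIES, 4)
    print("leaf hash:", leaf_hash(TRIAL_ENTRIES[4]).hex())
    print("genuine :", verify_inclusion(leaf_hash(TRIAL_ENTRIES[4]), proof))
    print("tampered:", verify_inclusion(leaf_hash(b"trial-4:altered"), proof))
```

A real client takes `rootHash` from the log's signed checkpoint rather than from the same response that carried the proof; with that substitution the loop above is the whole check.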
immudb WORM

Immutable Audit Memory

immudb provides verifiable WORM storage with cryptographic proof of inclusion. Each evidence document receives a transaction ID and a Merkle root hash. Delete is impossible through the API, and tampering is detectable, but only by a client that keeps the last verified state and checks each new proof for consistency against it; a client that accepts whatever root the server returns has WORM storage in name only.

Merkle chain · WORM storage · tamper-evident
§5 — Doctrine Summary
Doctrine · Vector
Replace fat log collectors (Fluentd, Logstash) with Rust-native Vector. Zero-copy. Topology-aware. The courier's speed is an evidentiary property — stale evidence loses weight.
Doctrine · Prometheus Gates
Expose every gate decision as a Prometheus metric. Admission webhook latency, PASS/FAIL ratios, policy violation rates — all become queryable, alertable, chartable evidence.
Doctrine · OPA Unity
OPA as Gatekeeper and OPA as conftest are one mind. Write policies once in Rego. Test in CI with conftest. Enforce in cluster with Gatekeeper. The policy is the evidence standard.
Doctrine · Falco Kernel Witness
Falco syscall events carry TC-4 (RuntimeWitness) weight. No unprivileged application can suppress a kernel-level observation of its own behaviour. Falco's testimony outranks application logs in evidentiary proceedings.
"Logs testify. Gates judge. Falco witnesses. Prometheus measures.
Rekor notarizes. immudb remembers. γ₁ places the trial on the helix."
§6 — Related Doctrine
LABR-071 · EOSE LABS · DAY 97 · 2026-05-11 · γ₁=14.134725141734693