15-EFT.WP.Methods.Falsification v1.0 | Chapter 2: Terminology, Boundaries & the Object Model

Home ／ Docs-Technical WhitePaper ／ 15-EFT.WP.Methods.Falsification v1.0

Chapter 2: Terminology, Boundaries & the Object Model

I. Scope & Objectives

1. Unify the core falsification vocabulary for this volume, establish a five-layer object model — Env / Data / Model / Runtime / Metrics — and demarcate the boundaries between observables and controllables. Standardize cross-layer interfaces and signature conventions to ensure consistent implementations and audit traceability for P51-* / S52-* / Mx-5* / I50-* throughout the book.
2. Pass criteria
   • Terms are unambiguous with zero conflict-name occurrences.
   • Cross-layer interfaces are aligned by schema_id and anchor.
   • EnvLock guarantees reproducibility.
   • Every assertion A maps to an observable and an executable decision_rule.

II. Terms & Symbols

1. Core terms
   • Hypothesis (H): a testable claim, with H0/H1 and thresholds alpha/beta/delta_equiv.
   • Assertion (A): a property assertion, functional form A(x, y_hat, meta) -> {0,1}.
   • Oracle (O): a judge, oracle(y_true, y_pred, meta) -> verdict ∈ {pass, fail, unknown}.
   • TestCase (TC): TC = <x, y_true?, A, O, rule> with optional y_true?.
   • Metamorphic Relation (MR): MR: x -> x' with expected relation R( y_hat, y_hat' ).
   • CounterExample (CE): a sample for which A(x, •) = 0 or that enters the rejection region.
   • Attack: adversarial or mutation operator, attack(x; method, eps, steps).
   • GateDecision: release gate result GateDecision ∈ {pass, hold, block}.
   • EvidencePack.sig: signed evidence bundle covering coverage, power, error control, and runtime metrics.
2. Observables vs. controllables
   • O (observables): TS.latency, TS.thrpt, TS.error, p_value, power, FDR.
   • U (controls): alpha, beta, q_star, delta_equiv, attack_budget, rng.seed.
3. Time base & consistency
   • Unified mapping ts = alpha + beta * tau_mono.
   • Offline/online consistency:
     delta_offon = ( norm( y_hat_off - y_hat_on ) / norm( y_hat_off ) ),
     R_infer = 1 - delta_offon.
4. Environment & signatures
   EnvLock, anchor, schema_id, hash(•), fingerprint, Graph.sig, ParamCard.sig, InferPipelineCard.sig.
5. Conflict names & prohibitions
   • Do not mix T_fil with T_trans; strictly distinguish n from n_eff.
   • All formulas and definitions use English textual symbols.

III. Postulates & Minimal Equations (chapter-scoped)

• P51-4 (Observable–controllable separation)
  Any decision must depend only on O and the declared U, and the acquisition of O must not alter its distribution.
• S52-5 (Assertion-to-observable mapping)
  There exists a mapping map: A -> < T(x), C_alpha > such that
  decision = [ T(x) ∈ C_alpha ]
  while meeting the error bound alpha and the power target power >= 1 - beta.
• S52-6 (Metamorphic consistency)
  For any MR, if the model satisfies the property, then R( y_hat, y_hat' ) = 1.
  For falsification,
  CE = { x | R( y_hat, y_hat' ) = 0 }.

IV. Data & Manifest Conventions

• HypothesisRegistry (minimum fields)
  id, statement, metric, alpha, beta, delta_equiv, family_id, FDR_policy, owner, expiry_ts, anchor.
• AssertionSet (minimum fields)
  A_k.name, observable, T(x), C_alpha, severity, MR_refs, gate_link, schema_id.
• MR.catalog
  MR_k.id, transform, expected_relation, domain, budget, composable ∈ {true,false}.
• AttackRecipe
  method, eps = {epsilon_linf, epsilon_l2}, steps, targeted ∈ {true,false}, budget.cpu/gpu/mem, rng.family/seed.
• Data lineage & forensics
  All samples and artifacts carry fingerprint and hash(artifact); logs include ts and the mapping parameters for tau_mono → ts.

V. Algorithms & Implementation Bindings (object-layer interfaces)

1. Env layer (execution & compliance environment)
   • Input: env.spec → Output: EnvLock → Exception: E_ENV_MISMATCH.
   • Key function: I50-Env lock_env(env.spec) -> EnvLock.
2. Data layer (data & generation)
   • Input: schema_id, MR/Attack → Output: dataset | stream → Exception: E_SCHEMA_MISMATCH.
   • Key function: I50-Data generate_cases(MR_or_Attack, budget, schema_id) -> cases.
3. Model layer (graph & parameters)
   • Input: Graph.sig, ParamCard.sig → Output: Runtime.ready → Exceptions: E_MODEL_MISMATCH, E_PRECISION_LOSS.
   • Key function: I50-Model load_model(anchor) -> Graph.
4. Runtime layer (execution path)
   • Input: Graph, cases, opts → Output: y_hat → Exceptions: E_NONDETERMINISM, E_RESOURCE_EXCEEDED.
   • Key function: I50-3 run_inference(rt, inputs, opts) -> outputs.
5. Metrics layer (measurement & decision)
   • Input: A/O/reports → Output: CoverageReport, GateDecision → Exceptions: E_ORACLE_AMBIGUOUS, E_MULTITEST_UNCONTROLLED, E_POWER_INSUFFICIENT.
   • Key functions: I50-8 compute_coverage(logs) -> CoverageReport, I50-9 gate_release(evidence, policy) -> GateDecision.

VI. Metrology Flows & Run Diagram (Mx-5 summary)

• Mx-51 Object readiness
  Create/verify EnvLock → bind schema_id → validate domains and dimensions of AssertionSet and MR.catalog (check_dim(expr)).
• Mx-52 Case generation & execution
  generate_cases → run inference to produce y_hat → apply oracle and A to adjudicate.
• Mx-53 Statistics & gating
  Compute p_value / power / FDR and coverage cov_spec, kill-rate kill_rate → gate_release emits GateDecision.
• Mx-54 Archiving & signatures
  Package EvidencePack.sig, record hash(•) and anchor, update HypothesisRegistry status.

VII. Verification & Test Matrix

• Structural correctness
  Every A_k in AssertionSet has an observable and a T(x) mapping; MR composability and domain declarations are complete.
• Boundary & exception handling
  Missing schema_id, mismatched EnvLock, and oracle returning unknown; randomized replay via rng.seed.
• Consistency & dimensions
  Time-base alignment for offline replay and online ts is enforced; check_dim(expr) pass-rate is 100%.

VIII. Cross-References & Dependencies

• Core.DataSpec (fields and schema_id), Core.Metrology (measurement & error conventions), Core.Threads (execution & concurrency), Core.Errors (exceptions & severity).
• EFT.WP.Methods.Inference Chapter 4 (data & feature interfaces), Chapter 5 (model & operators), Chapter 6 (online/offline consistency), Chapter 10 (operations & alerting).

IX. Risks, Limitations & Open Questions

• Oracle ambiguity causing inconsistent verdicts; MR domain overreach yielding spurious counterexamples; implicit cross-layer interface changes not captured by schema_id; robustness of streaming FDR control.
• Open questions: fine-grained EnvLock in multi-tenant settings; equivalence proofs for cross-domain anchor; automated synthesis of observable mappings for A.

X. Deliverables & Versioning

• Deliverables
  HypothesisRegistry.json, AssertionSet.yaml, MR.catalog.yaml, AttackRecipe.yaml, InterfaceMap.md (cross-layer interface diagram), EvidencePack.sig.tar.
• Versioning
  Semantic versioning with canary/stable/LTS. Object changes require updating schema_id and Graph.sig/ParamCard.sig. All manifests must bind anchor and hash(•) and fall under EnvLock.