Evidence Pack Abstraction Framework

• Evidence Pack Abstraction is a systematic framework that aggregates and filters evidence using hierarchical, policy-driven, or cryptographic models.
• It provides a stable interface linking granular evidence to higher-level inference, audit, and reproducible research protocols.
• The framework supports diverse applications such as clinical trials, digital workflows, and network forensics through strict governance and verifiability.

An evidence pack abstraction is a formal, structured mechanism for representing, governing, and reusing summaries of evidence across domains, research projects, provenance systems, AI workflows, and auditable processes. It is grounded in hierarchical, policy-driven, or cryptographic frameworks and serves as a stable interface between granular, often heterogeneous sources of evidence and higher-level reasoning, audit, or inference protocols. Evidence pack abstractions are foundational to reproducibility, inferential discipline, selective disclosure, verifiable audit, and cross-context reuse.

1. Formal Definitions and Core Principles

Evidence pack abstractions are formally defined frameworks for aggregating, filtering, and structuring evidence according to rigorous epistemic or mechanistic laws. Their essential property is compositionality: each pack provides a reusable interface, typically comprising a bounded set of fields, summaries, statistical mappings, or cryptographically bound records, and enforces strict constraints on admissible transformations, extensions, and interfaces.

Three distinct paradigms can be identified:

• RECAP Evidence Pack (e.g., Layer B in RECAP v1.0): An evidence pack $P$ is a reusable domain abstraction, a 4-tuple $P = (C, M, D, R)$, comprising (i) domain constructs $C$, (ii) measurement categories and rules $M$, (iii) design archetypes $D$, and (iv) inferential routes $R$. This abstraction governs evidence filtering, admissibility, and analytic protocols for all projects within a domain (Lee, 10 Dec 2025).
• Cryptographic Evidence Pack: In regulated digital workflows, an evidence pack is a fixed-length cryptographic tuple $ev = (f_0, \dots, f_{k-1})$, each $f_i \in \{0,1\}^\lambda$, encapsulating fieldwise commitments to workflow attributes and finalized as $(ev, \sigma)$, where $\sigma$ is a signature providing audit integrity, constant-size storage, and composable linkage to higher-layer audit structures (Kao, 21 Nov 2025).
• Provenance Evidence Pack: In provenance abstraction, an evidence pack is a grouped subgraph (under policy) collapsed into a single abstract node, preserving logical and temporal dependencies while concealing, aggregating, or reclassifying sensitive components, subject to correctness guarantees (e.g., type-preservation, constraint satisfaction) (Missier et al., 2014).

The definitional commonality is explicit interface boundary (construct or type schema, cryptographic binding, or node grouping), invariance under controlled operations, and compositionality horizontally (across evidence subunits) and vertically (across inference or audit layers).

2. Methodological Tiering, Governance, and Inference Rules

Evidence pack abstraction enforces stratified governance and inferential discipline by separating fundamental laws, domain abstractions, and project instantiations. The RECAP architecture exemplifies this with its three non-interchangeable layers:

Layer	Role	Characteristics
Grandparent	Methodological laws	Immutable from below, houses domain-agnostic rules
Parent ("Evidence Pack")	Domain abstraction, law translation	Defines $P = (C, M, D, R)$, versioned, contract-bound
Child	Project instance	Implements routes, analysis, logging, adheres to pack

Formal inference rules in evidence-pack tiering include:

• Tiering: Each evidence unit $u$ is classified as Core, Supplement, or Excluded via predicates:
  • $\text{Align}(u, C)$ (construct match)
  • $\text{Plaus}(u, M)$ (operationalization conformity)
  • $\text{Compat}(u, D)$ (design archetype)
  • $\text{Opacity}(u)$ (irreconcilable or missing information)
• Routing: Each project must declare a single $r \in R$; multiple inferential routes are prohibited per child.
• Contamination Control: Strict forward-only flow from Grandparent $\to$ Parent $\to$ Child. Prohibited flows are (i) upward (e.g., Child result modifying Parent law), (ii) downward (Child overriding Parent), and (iii) sideways (Child$_i$ $\to$ Child$_j$).

Pack-level governance is enforced by versioning, boundary contracts (explicit interfaces on constructs, mapping, non-reification, and contamination clauses), registry systems, and constrained upward insight process (Lee, 10 Dec 2025).

3. Algorithms and Abstraction Procedures

Evidence pack construction employs a variety of algorithmic mechanisms, depending on the context:

• Abstraction Learning (Mathematical Theory): The abstraction $a \in \mathbb{R}^k$ is learned by minimizing the "leakiness" loss:

$$\mathcal{L}_{\text{pack}} = \sum_{Q \in \mathbb{Q}} D_{\text{KL}}[Q(p(X))\,\|\,Q(\tilde p(X|A))]$$

where $Q$ are queries of inferential or decision interest. Greedy forward-selection, maximum-entropy relaxation, or gradient-based updates are employed under cardinality or parametric constraints (Millidge, 2021).

• Policy-Driven Graph Abstraction: The ProvAbs tool applies rule-based sensitivity assignment and grouping. Nodes exceeding receiver clearance $cl$ are abstracted by computing closure, type-based extension, and replacement; residual utility $RU$ quantifies preserved evidence (Missier et al., 2014).
• Evidence Filtering and Summarization (e.g., EACon): Evidence packs are constructed by extracting claim-relevant keywords, matching against evidence passages, and distilling abstracted summaries, often in prompt-based, zero-shot LLM settings. Filtering and summarization are systematically ablated for impact analysis (Gong et al., 2024).
• Cryptographic Extraction: Every workflow event $E$ is encoded into fieldwise hashes $f_i = H(\phi_i(E))$, signed to form a tuple of size $k\cdot\lambda$, with verification independent of event complexity. Packing, chaining (hash chain), and batch auditing are designed for $O(1)$ per-event computational cost (Kao, 21 Nov 2025).

4. Schema, Interface, and Integration

Evidence packs are instantiated as concrete data structures that serve as immutable or versioned boundaries between process stages, analytic units, or actors. Schema examples include:

• Structured JSON for Network Forensics: An evidence pack $EP(W) = \langle M, S, C, A \rangle$ contains:
  • $M$: window metadata (start/end, victim, dominant L4)
  • $S$: summary statistics (l4 ratios, mean entropy, protocol fields)
  • $C$: clustering/branching (e.g., UDP length clusters)
  • $A$: primary sample anchors, each recording timestamp, header fields, information-theoretic features, anchor substrings, and hexdumps
  • Deterministic budget constraints (max packets, max anchors, max hexdump lines) ensure bounded extract size and reproducibility (Chen et al., 21 Jan 2026).
• Cryptographic Tuple: $Pack = (ev, \sigma)$ is an array of hashed commitments, digitally signed, with all verification and linking operations over fixed-size structures (Kao, 21 Nov 2025).
• Parent Pack Contract in Evidence Synthesis: $P = (C, M, D, R)$, versioned, with boundary contract specifying permissible units, map rules, allowed routes, and explicit contamination-control clauses (Lee, 10 Dec 2025).

Integration into analytic or audit pipelines is explicit: evidence packs sever direct project-to-project data inheritance, standardize interface contracts, and serve as auditable, queryable, and reproducible intermediates for automated or agentic analysis.

5. Application Contexts and Empirical Results

Evidence pack abstractions have been realized across diverse domains:

• Evidence Synthesis (Clinical Trials):
  • Domain packs (e.g., "Blood-Pressure Trial Pack") enable standardized tiering of studies, inferential routing, and audit-logged decisions.
  • Empirical use in antihypertensive studies shows reproducibility and construct discipline: tiering identifies core studies (e.g., RCTs with verified measurement), supplements (e.g., proxy readings), and excludes non-conforming evidence (Lee, 10 Dec 2025).
• Regulated Digital Workflows:
  • Constant-size cryptographic packs are applied to patient randomization, pharmaceutical batch testing, and AI inference, delivering O(1) audit verification, negligible storage overhead, and seamless batch audit capabilities (Kao, 21 Nov 2025).
• Network Forensics and LLM Investigations:
  • Evidence packs support auditable DDoS attribution, with structured JSON serving as the LLM interface. Every anchor can be traced back to packet-level evidence, enabling transparent verdict explanations and error localization (Chen et al., 21 Jan 2026).
• Policy-Driven Provenance Disclosure:
  • Abstracted provenance graphs, tailored to clearance policies, support partially disclosed evidence with strict integrity guarantees (Missier et al., 2014).
• Evidence-Guided ML Fact Verification:
  • In EACon, evidence pack abstraction (keyword-guided, fuzzy-matched, abstracted snippets) yields a 3–5 point Macro-F1 improvement in multi-hop claim verification, with ablation confirming the necessity of both keyword-guidance and selection (Gong et al., 2024).

6. Security, Reproducibility, and Auditability Guarantees

Formal properties are central to evidence pack abstractions:

• Audit Integrity and Non-Equivocation: Cryptographic evidence packs guarantee that no adversary can produce ambiguous or conflicting evidence chains without breaking hash or signature primitives. Constant-size structures prevent variability attacks or side-channel leakage (Kao, 21 Nov 2025).
• Contamination Control: Layered architectures enforce strict flow direction and boundary isolation, precluding silent drift, horizontal copying, or upward law pollution (Lee, 10 Dec 2025).
• Information Preservation and Utility: Mathematical abstraction loss ("leakiness") quantifies retained inferential power in each pack relative to target queries. Empirical evidence and hypothesis-driven learning guide cardinality and summary selection (Millidge, 2021).
• Reproducibility: Hard budget caps (max events, samples, extract length), explicit schema, and log-enforced inference workflows ensure bit-for-bit reproducibility across independent extractions or analytic runs (Chen et al., 21 Jan 2026).
• Utility-Balance in Provenance Disclosure: Policy-driven grouping with residual utility measures enables optimization of abstraction strictness versus retained audit or analytic capacity (Missier et al., 2014).

7. Practical Recommendations and Prospects

Deployment of evidence pack abstractions requires:

1. Authoring or selection of pack templates compatible with domain constructs, measurement maps, and permissible inferential routes.
2. Formalized, versioned contracts and interface boundaries pre-instantiation.
3. Strict enforcement of layered routing, tiering, and contamination controls during analytic execution.
4. Archival of unit-level decisions, tier tables, and reviewer blocks for all child instances, to guarantee lineage and auditability.
5. Upward insight (from instantiation to abstraction) to be mediated only by domain-agnostic content, avoiding direct pollution of pack constructs.
6. Use of automation solely as an executor of pack/constitution rules, never as a domain synthesis source.

In sum, the evidence pack abstraction is an invariant, formally specified, and reproducibility-maximizing interface for evidence management. Its instantiations across methodologies, data types, and security domains are unified by explicit governance, tiering, query-specific leakiness constraints, and audit verifiability. This abstraction is a cornerstone of next-generation evidence synthesis, regulated AI, provenance governance, and LLM-grounded investigations (Lee, 10 Dec 2025, Kao, 21 Nov 2025, Millidge, 2021, Chen et al., 21 Jan 2026, Missier et al., 2014, Gong et al., 2024).