Four roles, calibrated trust
Debuglet assumes the people who submit measurements are untrusted and the machines that run them are only semi-honest. Safety for third parties comes from the protocol, not from good behavior.
Tagged at the source
Every probe leaves a node carrying an unforgeable origin tag bound to the program that sent it.
Verifiable after the fact
Tags can't be forged ahead of time, only confirmed once the platform releases the matching key — so attribution can't be faked retroactively.
You don't have to trust us
A target can reproduce the result from the packet alone. Attribution is independently checkable, not our claim.
Per-target budgets
Each destination has a load budget the platform never exceeds, regardless of how many measurements aim at it.
Shared across programs
That budget is split fairly between every debuglet touching the same target, by weight — not first-come-first-served.
Global, not per-node
Budgets are coordinated across vantage points, so a target isn't overwhelmed by the sum of independently well-behaved nodes.
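An added example, not Debuglet's code: the rate-limit internals are unpublished, so this sketch assumes "split fairly by weight" means weighted max-min fairness over a single global per-target budget. The program names, weights, demands and the 100 packets/s budget are constructed for illustration, and the first-come-first-served function is included only as the contrast case.

```python
from fractions import Fraction

def weighted_fair_split(budget, programs):
    """Weighted max-min split of one target's budget (assumed policy).

    programs maps name -> (weight, demand); returns name -> allocated rate.
    A program never receives more than it asks for, and whatever it leaves
    unused is redistributed to the others in proportion to their weights.
    """
    alloc = {name: Fraction(0) for name in programs}
    active = {n for n, (w, d) in programs.items() if w > 0 and d > 0}
    remaining = Fraction(budget)
    while active and remaining > 0:
        total_w = sum(Fraction(programs[n][0]) for n in active)
        share = {n: remaining * Fraction(programs[n][0]) / total_w for n in active}
        # Programs whose demand fits inside their weighted share are satisfied.
        capped = {n for n in active if Fraction(programs[n][1]) <= share[n]}
        if not capped:
            # Everyone wants more than their share: hand out the shares and stop.
            for n in active:
                alloc[n] = share[n]
            break
        for n in capped:
            alloc[n] = Fraction(programs[n][1])
            remaining -= alloc[n]
        active -= capped
    return alloc

def first_come_first_served(budget, programs):
    """Contrast case: the earliest program can starve everyone else."""
    alloc, remaining = {}, Fraction(budget)
    for name, (_, demand) in programs.items():
        alloc[name] = min(Fraction(demand), remaining)
        remaining -= alloc[name]
    return alloc

# Constructed sample: three debuglets aimed at the same target, rates in packets/s.
SAMPLE_BUDGET = 100
SAMPLE_PROGRAMS = {
    "traceroute-sweep": (1, 500),  # greedy, weight 1
    "latency-probe": (1, 10),      # light, weight 1
    "loss-monitor": (2, 200),      # weight 2
}

if __name__ == "__main__":
    for policy in (weighted_fair_split, first_come_first_served):
        result = policy(SAMPLE_BUDGET, SAMPLE_PROGRAMS)
        print(policy.__name__, {k: float(v) for k, v in result.items()})
```

Under this assumed policy the total handed out never exceeds the target's budget, however many programs are added or how large their demands are.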
Protocol details: published with the paper
The attribution construction, key-release schedule, and rate-limit internals are described in a manuscript currently under review. Full specifications and the reference implementation will be released on publication.