How it works

Four roles, calibrated trust

Debuglet assumes the people who submit measurements are untrusted and the machines that run them are only semi-honest. Safety for third parties comes from the protocol, not from good behavior.

Coordinatortrusted · keys, schedule, limitsUsersuntrusted · submit debugletsOperatorssemi-honest · vantage pointsTargetsprotected · third partiessubmittagged probes
trusted / semi-honest infrauntrusted inputprotected third party— — — accountable probe path
Provable attribution

Tagged at the source

Every probe leaves a node carrying an unforgeable origin tag bound to the program that sent it.

Verifiable after the fact

Tags can't be forged ahead of time, only confirmed once the platform releases the matching key — so attribution can't be faked retroactively.

You don't have to trust us

A target can reproduce the result from the packet alone. Attribution is independently checkable, not our claim.

Coordinated rate limiting

Per-target budgets

Each destination has a load budget the platform never exceeds, regardless of how many measurements aim at it.

Shared across programs

That budget is split fairly between every debuglet touching the same target, by weight — not first-come-first-served.

Global, not per-node

Budgets are coordinated across vantage points, so a target isn't overwhelmed by the sum of independently well-behaved nodes.

Protocol details: published with the paper

The attribution construction, key-release schedule, and rate-limit internals are described in a manuscript currently under review. Full specifications and the reference implementation will be released on publication.