Vault3D.
An AI-monitored printer attestation service built around a printer-side hardware security module and a daemon that turns every print job into a signed, archivable evidence bundle. The HSM holds the printer's private key for the life of the machine; AI checks production context for anomalies while the daemon composes the bundle (G-code, slicer build, firmware hash, sensor envelope, operator binding) and asks the HSM to sign it. Single-machine deployment is two hours; fleet deployment, two days.
AI inside the attestation path.
Vault3D does not ask AI to decide whether a print is valid. It uses AI to surface context a human or policy engine should review before a signed artifact enters the audit trail.
| AI signal | input | output |
|---|---|---|
| slicer drift | slicer build, profile, G-code features | flags unusual toolchain changes for review |
| sensor anomaly | temperature, humidity, oxygen, chamber timing | scores the build envelope against normal site behavior |
| operator context | IdP session, role, printer, shift pattern | detects unusual authorization patterns without changing access policy |
| bundle completeness | required fields and linked TwinCert draft | blocks audit export when evidence is missing |
What Vault3D actually signs.
The signed bundle is not a stamp on a file. It is a canonical-form CBOR payload covering everything you need to reconstruct what the printer was instructed to do and what context it was instructed in.
| field | content | why it matters |
|---|---|---|
gcode_sha256 | SHA-256 of canonical-form G-code | identifies the exact toolpath the printer executed |
slicer_attest | signed slicer build identifier + hash | identifies the slicer that produced the G-code, with its own attestation |
firmware_sha256 | printer firmware image hash at signing time | ties the bundle to the firmware that drove the motors |
sensor_envelope | signed envelope of build-chamber sensor readings | chamber temperature, humidity, oxygen if applicable, recorded throughout the build |
operator_binding | operator IdP session token, signed by HSM | identifies the human who authorised the print |
machine_counter | HSM-held monotonic counter | prevents bundle replay; counters never decrease |
twincert_ref | optional reference to TwinCert record | links the as-built bundle to its digital-twin certificate |
customer_id | customer root key fingerprint | identifies which customer's trust root anchors this bundle |
The HSM.
Specification.
FIPS 140-2 Level 3 certified, Common Criteria EAL5+, tamper-evident enclosure with active mesh. Vendors qualified: a small list, documented under support contract. The HSM and AI-runtime evaluation criteria are delivered in signed customer packages; public downloads only list files that actually exist on this site.
We do not market specific HSM vendors on the public site for two reasons: vendor agreements vary by region, and we have actively rejected vendors for behaviours we do not want associated with their brand without a redress conversation.
Provisioning.
Enrolment is a witnessed ceremony (RB-12). The customer's nominated custodian generates the printer-side key inside the HSM — the key never exists outside the HSM. The HSM produces a certificate-signing request; the customer root signs the printer certificate; the certificate is published to the manifest. Total operator time: approximately 90 minutes per printer.
Bring-your-own-HSM is supported for customers with existing PKI investments. We have a published integration guide for Thales and Utimaco; other vendors require a scoping conversation.
API surface.
The daemon exposes a small REST API on the local printer host. Bindings: Python, Go, Rust (feature parity).
# sign a bundle (slicer hands the daemon the canonical CBOR + context) POST /v3/bundles body: { gcode_sha256, slicer_attest, firmware_sha256, ... } resp: { bundle_id, signature, signed_at, machine_counter } # fetch an archived bundle (audit / dispute / regulator request) GET /v3/bundles/{bundle_id} resp: full CBOR bundle + signature + verifier hints # verify a bundle (anyone with manifest access can call this; idempotent, no auth) POST /v3/verify body: bundle CBOR + signature resp: { ok: bool, manifest_rev, printer_id, signed_at } # printer posture (the live machine-readable record) GET /v3/posture resp: { firmware_sha256, hsm_state, manifest_rev, last_sign, mode }
Verification works offline against a hardcoded ceremony root pin. The /v3/verify endpoint will refuse to verify if the manifest is older than the configurable TTL — this is deliberate; you want the verification to fail loud rather than silently accept a stale revoked key.
Performance characteristics.
| operation | p50 | p99 | p99.9 |
|---|---|---|---|
| sign 1.2 MB G-code bundle | 92 ms | 183 ms | 318 ms |
| verify bundle against manifest | 14 ms | 22 ms | 41 ms |
| fetch archived bundle | 8 ms | 19 ms | 35 ms |
| posture query | 2 ms | 5 ms | 9 ms |
| cold-boot to first signable state | 3.4 s | 3.8 s | 4.2 s |
Numbers from production fleet measurement, rolling 28 days, n = 41 sites. The HSM signature is approximately 95 ms of the 183 ms p99 sign latency; we do not see latency reduction as a goal worth pursuing further — the HSM is intentionally the bottleneck.
Slicer integration.
Vault3D is slicer-agnostic but slicer-attested. We publish signed slicer-attestation manifests for the open-source slicers and have a published agreement with one closed-source slicer vendor.
| slicer | status | attestation profile |
|---|---|---|
| Prusa Slicer | fully attested | build-deterministic, signed slicer binary |
| Cura | fully attested | build-deterministic, signed slicer binary |
| Orca Slicer | fully attested | build-deterministic, signed slicer binary |
| Bambu Studio | fully attested | under published agreement with Bambu Lab |
| Materialise Magics | attestation in progress | scoped 2026 Q3 |
| other closed-source slicers | degraded | bundle records slicer self-identification, no third-party attestation |
When a slicer is not fully attested, the TwinCert record (if issued) carries this honestly. Customers who require a fully-attested slicer for regulatory reasons should select from the first four rows.
Archive and retention.
Signed bundles are committed to the customer's manifest — an append-only log with a signed Merkle root. The log lives in customer-controlled storage; we recommend Postgres for the index and S3-compatible object storage for the bundles themselves, but the schema is portable.
- Append-only. A bundle, once committed, is in the log forever. There is no delete operation.
- Merkle-rooted. The log's signed Merkle root is republished to the customer manifest weekly. Any modification to a past bundle would invalidate the root.
- Customer-controlled. The archive lives in your infrastructure. We do not have a copy; we have only the ceremony root that allows you to verify your archive.
- Retention. Customer policy. Aerospace customers typically retain 25 years; medical, 30 years; spare-parts OEMs, the product lifetime. The schema is forward-compatible across all version migrations we have shipped.
What a signed bundle looks like.
One real (anonymised) bundle envelope, decoded from CBOR to JSON for readability.
{
"bundle_id": "bd-2026-05-19T08:42:09Z-7a3f",
"customer_id": "cust-warwick-aero-2024",
"printer_id": "BAY-A4-PRINTER-07",
"gcode_sha256": "4b9c7a3f81e2 ... d871a07",
"slicer_attest": {
"slicer": "prusa-slicer-2.7.4",
"build_sha256": "8e21f04c9a18 ... a48c213",
"attest_key": "sl-prusa-2026-04"
},
"firmware_sha256": "2c8e1b7a04f3 ... 7f61c80",
"sensor_envelope": {
"chamber_temp_c": { "min": 38.2, "max": 41.6, "mean": 39.7 },
"humidity_pct": { "min": 14.1, "max": 16.8, "mean": 15.3 },
"o2_ppm": { "min": 90, "max": 130, "mean": 108 }
},
"operator_binding": {
"idp": "customer-okta",
"sub": "j.whitfield@warwick-aero.example",
"session_sig": "...HSM-signed..."
},
"machine_counter": 41873,
"twincert_ref": "twc-2026-05-19-aa70",
"signed_at": "2026-05-19T08:42:09.183Z",
"signature": "...Ed25519 + Dilithium-3 shadow..."
}
Related advisories.
- 3DC-2026-05-A1 · CRYSTALS-Dilithium migration plan
- Shadow signatures already cover Vault3D bundles; phase-1 hybrid co-signing scheduled 2026 Q4.
- 3DC-2025-11-A1 · Vault3D firmware update path
- Dual-control firmware update procedure (RB-25), live on all production fleet since 2025-11.