QLX

A coherence-governed security layer.

QLX is a cryptographic client that executes only under admissible conditions. It consumes CohOS decisions and QAKD attestation to govern when keys are used, when sessions are established, and when encryption actions may occur.

CohOS-gated execution · QAKD-keyed sessions · Fail-closed security under uncertainty
Core framing

Security fails when used at the wrong time.

Many compromises are not broken cryptography. They are correct cryptography executed on inadmissible state: replayed telemetry, substituted entropy, drifted instrumentation, or unbounded timing uncertainty.

Governed execution: No ALLOW → no crypto action
Key discipline: Keys are released only with proof
Audit trail: Artifacts emitted with every decision
Positioning

QLX is governance plus disciplined cryptography.

QLX is designed to be evaluated as a cipher family, while the operational advantage comes from admissibility governance. Cryptanalysis and operational gating are separable. QCT does not claim formal superiority to AES or NIST PQC by default.

What QLX is
A security client layer that gates encryption, negotiation, and key use on CohOS ALLOW and QAKD proof bundles.
What QLX is not
Not a blanket replacement for AES or PQC. Not “unbreakable.” Not a claim of formal post-quantum security by assertion.
Where value concentrates
Refusal-first execution under uncertainty: prevent crypto actions from occurring on compromised or ambiguous state.
ALLOW → execute
decision.json
{
  "decision": "ALLOW",
  "reason": "ALLOW_ALL_CHECKS_PASS"
}
qlx_action: PERMITTED
REFUSE → block
decision.json
{
  "decision": "REFUSE",
  "reason": "REPLAY_DETECTED"
}
qlx_action: BLOCKED
The seam

QLX is downstream of admissibility.

CohOS is the authority. QAKD is the key and identity layer. QLX is the security executor. The stack is intentionally ordered so that crypto cannot override refusal or operate without evidence.

1) CohOS decides
ALLOW or REFUSE under policy envelopes, with reason codes and artifacts.
2) QAKD releases keys
Keys and CUFs are released only when CohOS is ALLOW, with attestation bundles.
3) QLX executes
Encryption, negotiation, and session actions occur only under ALLOW and verified bundles.
Artifact contract

Security actions are audit-bound.

QLX actions attach to the same artifact set as the admissibility decision. This makes “why was this allowed” as answerable as “what cipher was used.”

Evidence bundle
decision.json, policy.json, manifest.json, hashes.json, metrics.json
Discipline

Round-trip verification is a first-class invariant.

In QCT’s operational posture, correctness is not assumed. QLX encryption is validated by explicit round-trip checks. If encryption and decryption do not agree under the declared parameters, the system refuses.

Encrypt
Generate ciphertext using declared keying and nonce parameters.
Decrypt
Reconstruct keystream deterministically and recover plaintext.
Verify
If mismatch occurs, refuse and emit evidence (ROUNDTRIP_FAIL).
Refuse on round-trip failure
decision.json
{
  "decision": "REFUSE",
  "reason": "ROUNDTRIP_FAIL"
}
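
The gate and the round-trip rule described above ("No ALLOW → no crypto action", refuse on ROUNDTRIP_FAIL), sketched as an added Python example that is not QLX or QCT code. The HMAC-SHA256 keystream is a stand-in for the cipher, the function names and the reason codes DECISION_UNREADABLE and NO_EXPLICIT_ALLOW are assumptions, and QAKD bundle verification is left out because the page does not specify its format.

```python
import hashlib
import hmac
import json

# decision.json bodies as shown on the page
ALLOW = '{"decision": "ALLOW", "reason": "ALLOW_ALL_CHECKS_PASS"}'
REPLAY = '{"decision": "REFUSE", "reason": "REPLAY_DETECTED"}'

def keystream(key, nonce, n):
    """Stand-in keystream: HMAC-SHA256 in counter mode. Not the QLX cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def xor_stream(data, key, nonce):
    """Encrypt or decrypt by XOR with the deterministically rebuilt keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

def refuse(reason):
    return {"decision": "REFUSE", "reason": reason}, None

def governed_encrypt(decision_json, key, nonce, plaintext,
                     encrypt=xor_stream, decrypt=xor_stream):
    """Return (decision artifact, ciphertext or None); every doubt ends in REFUSE."""
    try:
        decision = json.loads(decision_json)
    except (TypeError, ValueError):
        return refuse("DECISION_UNREADABLE")  # hypothetical reason code
    if not isinstance(decision, dict) or decision.get("decision") != "ALLOW":
        # Carry an upstream REFUSE reason through; anything else is "not ALLOW".
        upstream = isinstance(decision, dict) and decision.get("decision") == "REFUSE"
        return refuse(str(decision.get("reason")) if upstream else "NO_EXPLICIT_ALLOW")
    ciphertext = encrypt(plaintext, key, nonce)
    # Round-trip invariant: ciphertext is released only if decryption agrees.
    if not hmac.compare_digest(decrypt(ciphertext, key, nonce), plaintext):
        return refuse("ROUNDTRIP_FAIL")
    return decision, ciphertext

if __name__ == "__main__":
    key, nonce = b"k" * 32, b"n" * 12  # constructed sample values
    for name, doc in (("allow", ALLOW), ("replay", REPLAY), ("garbled", "{")):
        artifact, ct = governed_encrypt(doc, key, nonce, b"constructed sample")
        print(name, artifact["reason"], "PERMITTED" if ct is not None else "BLOCKED")
```

Passing a `decrypt` that disagrees with `encrypt` (for example one using a different nonce) exercises the ROUNDTRIP_FAIL path without touching the gate logic.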
Deployment

Guard, firewall, and VPN become governed execution surfaces.

QLX is deployed as an execution layer that consults CohOS before sensitive operations. These modes start in shadow mode: measure and refuse risky actions before enforcing, then graduate to enforcement once baselines are stable.

QLX Guard
Monitor flows and sessions, flag inadmissible conditions, refuse unsafe negotiation paths.
QLX Firewall
Enforce policy at the boundary. Block or degrade actions on REFUSE with explicit reason codes.
QLX VPN
Coherence-attested tunnels with frequent rekey using QAKD; refuse establishment under uncertainty.