feat: enforce layer0 gate and add tests

2025-12-17 00:02:39 +00:00
parent 37a867c485
commit 7f2e60e1c5
21 changed files with 2066 additions and 16 deletions
--- a/LAYER0_SHADOW.md
+++ b/LAYER0_SHADOW.md
@@ -0,0 +1,137 @@
+# LAYER 0 SHADOW
+
+Pre-Boot Cognition Guard | Ouroboric Gate  
+Version: 1.0 (Rubedo Seal)  
+Status: Active Primitive  
+Implements: Nigredo -> Rubedo (pre-form cognition)
+
+---
+
+## 1. Purpose
+
+Layer 0 is the silent evaluator that processes every query before Boot (Layer 1), before doctrine loads, and before any tool routing. It is a fail-closed membrane that blocks malformed, malicious, or structurally invalid requests from entering the Cognition Engine. If Layer 0 denies a query, nothing else runs.
+
+---
+
+## 2. Responsibilities
+
+Layer 0 performs four determinations:
+- blessed      -> forward to Layer 1 (Doctrine Load)
+- ambiguous    -> request clarification before doctrine loads
+- forbidden    -> invoke Guardrails layer directly (skip routing/tools)
+- catastrophic -> fail closed and log to preboot anomalies; no explanation
+
+Guarantees:
+- No unsafe query reaches an agent.
+- Forbidden workloads never initialize routing or MCP tools.
+- Ambiguous intent does not awaken the wrong agent chain.
+- Catastrophic requests are contained and recorded, not processed.
+
+---
+
+## 3. Classification Model
+
+### 3.1 Query features considered
+
+| Category                  | Examples                                                         |
+| ------------------------- | ---------------------------------------------------------------- |
+| Intent topology           | infra, execution, identity, runtime, meta                        |
+| Governance violations     | skipping GitOps, demanding dashboard operations                  |
+| Safety breaks             | direct mutation, privileged bypass attempts                      |
+| Ambiguity markers         | unclear target, missing parameters                               |
+| Catastrophic indicators   | agent-permission override, guardrail disable, self-modifying ops |
+
+---
+
+## 4. Outcomes (Fourfold Shadow)
+
+### 4.1 Blessed
+Well-formed, lawful, and actionable.  
+Action: Forward to Layer 1 (Doctrine Load).
+
+### 4.2 Ambiguous
+Structurally valid but incomplete.  
+Action: Return clarification request (no doctrine load yet). Prevents wrong-agent activation and wasted routing.
+
+### 4.3 Forbidden
+Violates infrastructure doctrine or governance (skip git, click dashboard, apply directly).  
+Action: Skip routing and MCP phases; invoke Guardrails (Layer 4) directly.
+
+### 4.4 Catastrophic
+Attempts to bypass the mesh or touch prohibited domains (permission overrides, guardrail disable, self-modifying configs, privileged execution paths).  
+Action: Fail closed; log to `anomalies/preboot_shield.jsonl`; return a generic refusal; no internal details revealed.
+
+---
+
+## 5. Routing Rules
+
+```
+if catastrophic:
+    log_preboot_anomaly()
+    return FAIL_CLOSED
+
+if forbidden:
+    return HANDOFF_TO_GUARDRAILS
+
+if ambiguous:
+    return PROMPT_FOR_CLARIFICATION
+
+if blessed:
+    return HANDOFF_TO_LAYER1
+```
+
+---
+
+## 6. Preboot Logging Schema
+
+File: `anomalies/preboot_shield.jsonl`
+
+```jsonc
+{
+  "timestamp": "ISO-8601",
+  "query": "string",
+  "classification": "catastrophic | forbidden",
+  "reason": "string",
+  "trace_id": "uuid-v4",
+  "metadata": {
+    "risk_score": "0-5",
+    "flags": ["list of triggered rules"],
+    "source": "layer0"
+  }
+}
+```
+
+Notes:
+- blessed and ambiguous queries are not logged here; only violations appear.
+- catastrophic requests reveal no additional context to the requester.
+
+---
+
+## 7. Interaction With Higher Layers
+
+- Blessed -> Layer 1 (Boot, Doctrine Load)
+- Ambiguous -> Human loop (no engine layers awaken)
+- Forbidden -> Layer 4 (Guardrails) direct handoff
+- Catastrophic -> Stop; nothing else runs
+
+---
+
+## 8. Ouroboros Loop
+
+Layer 0 re-awakens after Layer 7 logging. Telemetry from prior cognition influences Layer 0 risk heuristics, creating a self-correcting substrate:
+Layer 7 -> Layer 0 -> Layer 1 -> ...
+
+---
+
+## 9. Future Enhancements
+
+- Threat-signature learning from forbidden queries
+- Multi-account risk weighting
+- Synthetic replay mode for audit reconstruction
+- Metacognitive hints to improve ambiguity detection
+
+---
+
+## 10. Philosophical Note (Rubedo)
+
+Layer 0 is the unseen gate no agent may pass unexamined. It is the black fire that ensures only lawful flame reaches Rubedo. It is Tem's first breath in the engine.