# LAYER 0 SHADOW

Pre-Boot Cognition Guard | Ouroboric Gate  
Public label: Intent Safety Kernel  
Version: 1.0 (Rubedo Seal)  
Status: Active Primitive  
Implements: Nigredo -> Rubedo (pre-form cognition)

---

## 1. Purpose

Layer 0 is the silent evaluator that processes every query before Boot (Layer 1), before doctrine loads, and before any tool routing. It is a fail-closed membrane that blocks malformed, malicious, or structurally invalid requests from entering the Cognition Engine. If Layer 0 denies a query, nothing else runs.

---

## 2. Responsibilities

Layer 0 performs four determinations:
- blessed      -> forward to Layer 1 (Doctrine Load)
- ambiguous    -> request clarification before doctrine loads
- forbidden    -> invoke Guardrails layer directly (skip routing/tools)
- catastrophic -> fail closed and log to preboot anomalies; no explanation

Guarantees:
- No unsafe query reaches an agent.
- Forbidden workloads never initialize routing or MCP tools.
- Ambiguous intent does not awaken the wrong agent chain.
- Catastrophic requests are contained and recorded, not processed.

### 2.1 Invariant Guarantees (Immutables)

Layer 0 is intentionally constrained. These invariants are non-negotiable:
- Layer 0 does not load doctrine, select agents, or invoke MCP tools.
- Layer 0 produces no side effects beyond preboot anomaly logging for forbidden/catastrophic outcomes.
- Telemetry-driven learning may only add/strengthen detections (escalate); it must not relax catastrophic boundaries without replay validation and explicit review.

---

## 3. Classification Model

### 3.1 Query features considered

| Category                  | Examples                                                         |
| ------------------------- | ---------------------------------------------------------------- |
| Intent topology           | infra, execution, identity, runtime, meta                        |
| Governance violations     | skipping GitOps, demanding dashboard operations                  |
| Safety breaks             | direct mutation, privileged bypass attempts                      |
| Ambiguity markers         | unclear target, missing parameters                               |
| Catastrophic indicators   | agent-permission override, guardrail disable, self-modifying ops |

---

## 4. Outcomes (Fourfold Shadow)

### 4.1 Blessed
Well-formed, lawful, and actionable.  
Action: Forward to Layer 1 (Doctrine Load).

### 4.2 Ambiguous
Structurally valid but incomplete.  
Action: Return clarification request (no doctrine load yet). Prevents wrong-agent activation and wasted routing.

### 4.3 Forbidden
Violates infrastructure doctrine or governance (skip git, click dashboard, apply directly).  
Action: Skip routing and MCP phases; invoke Guardrails (Layer 4) directly.

### 4.4 Catastrophic
Attempts to bypass the mesh or touch prohibited domains (permission overrides, guardrail disable, self-modifying configs, privileged execution paths).  
Action: Fail closed; log to `anomalies/preboot_shield.jsonl`; return a generic refusal; no internal details revealed.

---

## 5. Routing Rules

```
if catastrophic:
    log_preboot_anomaly()
    return FAIL_CLOSED

if forbidden:
    return HANDOFF_TO_GUARDRAILS

if ambiguous:
    return PROMPT_FOR_CLARIFICATION

if blessed:
    return HANDOFF_TO_LAYER1
```

---

## 6. Preboot Logging Schema

File: `anomalies/preboot_shield.jsonl`

```jsonc
{
  "timestamp": "ISO-8601",
  "query": "string",
  "classification": "catastrophic | forbidden",
  "reason": "string",
  "trace_id": "uuid-v4",
  "metadata": {
    "risk_score": "0-5",
    "flags": ["list of triggered rules"],
    "source": "layer0"
  }
}
```

Notes:
- blessed and ambiguous queries are not logged here; only violations appear.
- catastrophic requests reveal no additional context to the requester.

### 6.1 Risk Score Semantics

`risk_score` is an ordinal signal (0-5) used for triage and audit correlation. It is monotonic under learning, may be context-weighted (e.g., production accounts), and does not decay without replay validation.

---

## 7. Interaction With Higher Layers

- Blessed -> Layer 1 (Boot, Doctrine Load)
- Ambiguous -> Human loop (no engine layers awaken)
- Forbidden -> Layer 4 (Guardrails) direct handoff
- Catastrophic -> Stop; nothing else runs

---

## 8. Ouroboros Loop

Layer 0 re-awakens after Layer 7 logging. Telemetry from prior cognition influences Layer 0 risk heuristics, creating a self-correcting substrate:
Layer 7 -> Layer 0 -> Layer 1 -> ...

---

## 9. Future Enhancements

- Threat-signature learning from forbidden queries
- Multi-account risk weighting
- Synthetic replay mode for audit reconstruction
- Metacognitive hints to improve ambiguity detection

---

## 10. Philosophical Note (Rubedo)

Layer 0 is the unseen gate no agent may pass unexamined. It is the black fire that ensures only lawful flame reaches Rubedo. It is Tem's first breath in the engine.