4.1 KiB
LAYER 0 SHADOW
Pre-Boot Cognition Guard | Ouroboric Gate
Version: 1.0 (Rubedo Seal)
Status: Active Primitive
Implements: Nigredo -> Rubedo (pre-form cognition)
1. Purpose
Layer 0 is the silent evaluator that processes every query before Boot (Layer 1), before doctrine loads, and before any tool routing. It is a fail-closed membrane that blocks malformed, malicious, or structurally invalid requests from entering the Cognition Engine. If Layer 0 denies a query, nothing else runs.
2. Responsibilities
Layer 0 performs four determinations:
- blessed -> forward to Layer 1 (Doctrine Load)
- ambiguous -> request clarification before doctrine loads
- forbidden -> invoke Guardrails layer directly (skip routing/tools)
- catastrophic -> fail closed and log to preboot anomalies; no explanation
Guarantees:
- No unsafe query reaches an agent.
- Forbidden workloads never initialize routing or MCP tools.
- Ambiguous intent does not awaken the wrong agent chain.
- Catastrophic requests are contained and recorded, not processed.
3. Classification Model
3.1 Query features considered
| Category | Examples |
|---|---|
| Intent topology | infra, execution, identity, runtime, meta |
| Governance violations | skipping GitOps, demanding dashboard operations |
| Safety breaks | direct mutation, privileged bypass attempts |
| Ambiguity markers | unclear target, missing parameters |
| Catastrophic indicators | agent-permission override, guardrail disable, self-modifying ops |
4. Outcomes (Fourfold Shadow)
4.1 Blessed
Well-formed, lawful, and actionable.
Action: Forward to Layer 1 (Doctrine Load).
4.2 Ambiguous
Structurally valid but incomplete.
Action: Return clarification request (no doctrine load yet). Prevents wrong-agent activation and wasted routing.
4.3 Forbidden
Violates infrastructure doctrine or governance (skip git, click dashboard, apply directly).
Action: Skip routing and MCP phases; invoke Guardrails (Layer 4) directly.
4.4 Catastrophic
Attempts to bypass the mesh or touch prohibited domains (permission overrides, guardrail disable, self-modifying configs, privileged execution paths).
Action: Fail closed; log to anomalies/preboot_shield.jsonl; return a generic refusal; no internal details revealed.
5. Routing Rules
if catastrophic:
log_preboot_anomaly()
return FAIL_CLOSED
if forbidden:
return HANDOFF_TO_GUARDRAILS
if ambiguous:
return PROMPT_FOR_CLARIFICATION
if blessed:
return HANDOFF_TO_LAYER1
6. Preboot Logging Schema
File: anomalies/preboot_shield.jsonl
{
"timestamp": "ISO-8601",
"query": "string",
"classification": "catastrophic | forbidden",
"reason": "string",
"trace_id": "uuid-v4",
"metadata": {
"risk_score": "0-5",
"flags": ["list of triggered rules"],
"source": "layer0"
}
}
Notes:
- blessed and ambiguous queries are not logged here; only violations appear.
- catastrophic requests reveal no additional context to the requester.
7. Interaction With Higher Layers
- Blessed -> Layer 1 (Boot, Doctrine Load)
- Ambiguous -> Human loop (no engine layers awaken)
- Forbidden -> Layer 4 (Guardrails) direct handoff
- Catastrophic -> Stop; nothing else runs
8. Ouroboros Loop
Layer 0 re-awakens after Layer 7 logging. Telemetry from prior cognition influences Layer 0 risk heuristics, creating a self-correcting substrate: Layer 7 -> Layer 0 -> Layer 1 -> ...
9. Future Enhancements
- Threat-signature learning from forbidden queries
- Multi-account risk weighting
- Synthetic replay mode for audit reconstruction
- Metacognitive hints to improve ambiguity detection
10. Philosophical Note (Rubedo)
Layer 0 is the unseen gate no agent may pass unexamined. It is the black fire that ensures only lawful flame reaches Rubedo. It is Tem's first breath in the engine.