vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
7f2e60e1c514fbe2f459d6c2080841db7e167d85
vm-cloudflare/LAYER0_SHADOW.md
Vault Sovereign 7f2e60e1c5 feat: enforce layer0 gate and add tests
2025-12-17 00:02:39 +00:00

138 lines
4.1 KiB
Markdown
Raw Blame History

# LAYER 0 SHADOW
Pre-Boot Cognition Guard | Ouroboric Gate
Version: 1.0 (Rubedo Seal)
Status: Active Primitive
Implements: Nigredo -> Rubedo (pre-form cognition)
---
## 1. Purpose
Layer 0 is the silent evaluator that processes every query before Boot (Layer 1), before doctrine loads, and before any tool routing. It is a fail-closed membrane that blocks malformed, malicious, or structurally invalid requests from entering the Cognition Engine. If Layer 0 denies a query, nothing else runs.
---
## 2. Responsibilities
Layer 0 performs four determinations:
- blessed -> forward to Layer 1 (Doctrine Load)
- ambiguous -> request clarification before doctrine loads
- forbidden -> invoke Guardrails layer directly (skip routing/tools)
- catastrophic -> fail closed and log to preboot anomalies; no explanation
Guarantees:
- No unsafe query reaches an agent.
- Forbidden workloads never initialize routing or MCP tools.
- Ambiguous intent does not awaken the wrong agent chain.
- Catastrophic requests are contained and recorded, not processed.
---
## 3. Classification Model
### 3.1 Query features considered
| Category | Examples |
| ------------------------- | ---------------------------------------------------------------- |
| Intent topology | infra, execution, identity, runtime, meta |
| Governance violations | skipping GitOps, demanding dashboard operations |
| Safety breaks | direct mutation, privileged bypass attempts |
| Ambiguity markers | unclear target, missing parameters |
| Catastrophic indicators | agent-permission override, guardrail disable, self-modifying ops |
---
## 4. Outcomes (Fourfold Shadow)
### 4.1 Blessed
Well-formed, lawful, and actionable.
Action: Forward to Layer 1 (Doctrine Load).
### 4.2 Ambiguous
Structurally valid but incomplete.
Action: Return clarification request (no doctrine load yet). Prevents wrong-agent activation and wasted routing.
### 4.3 Forbidden
Violates infrastructure doctrine or governance (skip git, click dashboard, apply directly).
Action: Skip routing and MCP phases; invoke Guardrails (Layer 4) directly.
### 4.4 Catastrophic
Attempts to bypass the mesh or touch prohibited domains (permission overrides, guardrail disable, self-modifying configs, privileged execution paths).
Action: Fail closed; log to `anomalies/preboot_shield.jsonl`; return a generic refusal; no internal details revealed.
---
## 5. Routing Rules
```
if catastrophic:
log_preboot_anomaly()
return FAIL_CLOSED
if forbidden:
return HANDOFF_TO_GUARDRAILS
if ambiguous:
return PROMPT_FOR_CLARIFICATION
if blessed:
return HANDOFF_TO_LAYER1
```
---
## 6. Preboot Logging Schema
File: `anomalies/preboot_shield.jsonl`
```jsonc
{
"timestamp": "ISO-8601",
"query": "string",
"classification": "catastrophic | forbidden",
"reason": "string",
"trace_id": "uuid-v4",
"metadata": {
"risk_score": "0-5",
"flags": ["list of triggered rules"],
"source": "layer0"
}
}
```
Notes:
- blessed and ambiguous queries are not logged here; only violations appear.
- catastrophic requests reveal no additional context to the requester.
---
## 7. Interaction With Higher Layers
- Blessed -> Layer 1 (Boot, Doctrine Load)
- Ambiguous -> Human loop (no engine layers awaken)
- Forbidden -> Layer 4 (Guardrails) direct handoff
- Catastrophic -> Stop; nothing else runs
---
## 8. Ouroboros Loop
Layer 0 re-awakens after Layer 7 logging. Telemetry from prior cognition influences Layer 0 risk heuristics, creating a self-correcting substrate:
Layer 7 -> Layer 0 -> Layer 1 -> ...
---
## 9. Future Enhancements
- Threat-signature learning from forbidden queries
- Multi-account risk weighting
- Synthetic replay mode for audit reconstruction
- Metacognitive hints to improve ambiguity detection
---
## 10. Philosophical Note (Rubedo)
Layer 0 is the unseen gate no agent may pass unexamined. It is the black fire that ensures only lawful flame reaches Rubedo. It is Tem's first breath in the engine.
Reference in New Issue View Git Blame Copy Permalink