vaultsovereign/vm-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Initialize repository snapshot

Browse Source
This commit is contained in:
Vault Sovereign
2025-12-27 00:10:32 +00:00
commit 110d644e10
281 changed files with 40331 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

217
spec/ATTACK_RESISTANCE_LEDGER.md Normal file
View File

@@ -0,0 +1,217 @@
# Attack Resistance & Control Ledger
Status: Canonical
Scope: State-Level Threat Model
Operating Mode: Single-Sovereign, Local-First
Federation: Optional Witness Augmentation
## Non-goal
VaultMesh does not guarantee liveness, availability, or global consensus under adversarial conditions. It guarantees detectability, attribution, and recoverable truth.
## Pinned Definitions
- **ShadowReceipt**: An append-only proof emitted when an action is considered but not executed, recording intent, denial reason, and (if applicable) scope narrowing without side effects.
- **Receipt scroll**: An append-only JSONL event log per domain (e.g., `receipts/treasury/treasury_events.jsonl`).
- **Merkle root**: A deterministic commitment over a scrolls hashed leaves using the VaultMesh `VmHash` + `merkle_root` algorithm.
- **Root file**: A file that stores the current Merkle root for a scroll (typically `ROOT.<scroll>.txt`).
- **Seal bundle (Ouroboros)**: A deterministic digest over a selected evidence set in the local SQLite ledger, stored as a `proof_artifacts.kind=ouroboros_seal_bundle` artifact.
- **Anchor (external, optional)**: A timestamp/immutability witness over a seal digest (RFC-3161 / blockchain / etc.), recorded as an additional proof artifact referencing the seal bundle.
- **Trace id**: A correlation id linking the evidence chain across `tool_invocations`, `mcp_calls`, `proof_artifacts`, and (where emitted) `shadow_receipts`.
- **Capability / scope**: A revocable, least-privilege right that can be narrowed without rewriting history (Mesh receipts).
## Operating Assumption
VaultMesh is designed to remain truthful, auditable, and survivable as a single sovereign system under isolation. Federation is an optional augmentation that increases resilience and reach, but is never required for correctness.
Primary adversary context: *“You are alone. No peers. No network. No court protection.”*
## Adversary Classes (State-Level)
- **Isolation**: network partition, long-term offline operation, selective connectivity denial.
- **Seizure**: physical confiscation, disk imaging, forced shutdown, forced relocation.
- **Coercion**: compelled operation, compelled credential disclosure, compelled signing.
- **Supply chain**: compromised dependencies, poisoned updates, build/release interdiction.
- **Insider drift**: sequences of individually policy-valid actions that violate long-horizon invariants.
- **Narrative warfare**: re-framing outages as “lies”, attacking legitimacy rather than mechanics.
---
## 🜔 Proof (Immutable Wealth)
### Invariants
- **Append-only evidence**: evidence is never rewritten in place; corrections are new events referencing prior ids/hashes.
- **Deterministic verification**: the same inputs yield the same roots and seal digests.
- **Detectable tamper**: any change to past events must surface as a root/seal mismatch.
### Likely Moves
- Edit/delete old receipts; roll back state to a “clean” snapshot; truncate scrolls.
- Rewrite root files to match a forged history.
- Partition the node so anchoring cannot occur.
### Controls
- Scrolls are append-only JSONL + deterministic Merkle roots (`ROOT.*.txt`).
- Seals bind SQLite evidence to a deterministic digest (local witness) that can be copied out-of-band.
- Optional anchoring adds a time witness when connectivity exists (never required for local correctness).
### Evidence Artifacts
- Scrolls: `receipts/**`
- Roots: `ROOT.*.txt` and `receipts/console/ROOT.console.txt`
- Local ledger: `.state/ledger.sqlite` (`tool_invocations`, `mcp_calls`, `proof_artifacts`, `shadow_receipts`)
- Seal bundles: `.state/seals/ouroboros_seal_*.json` + `proof_artifacts.kind=ouroboros_seal_bundle`
- Anchor receipts: `receipts/guardian/anchor_events.jsonl` (and planned `proof_artifacts.kind=external_anchor`)
### Drills
- Recompute and compare roots (no writes): `python3 cli/vm_cli.py guardian compute-roots`
- Check whether on-disk roots match computed roots: `python3 cli/vm_cli.py guardian status`
- Emit an anchor cycle (writes roots + anchor receipt): `python3 cli/vm_cli.py guardian anchor --backend local`
- Seal recent evidence (deterministic digest over ledger tables): `python3 cli/ledger.py seal --since "7 days"`
---
## 🜃 Energy (Scarce Wealth)
### Invariants
- **No action without cost**: actions require a debit/charge.
- **No cost without record**: debits/credits are receipted; state is reconstructable from receipts.
- **No silent denial**: denied/aborted high-impact actions produce a ShadowReceipt (proof of restraint), not silence.
### Likely Moves
- Spam/flood to force writes, bury signals in volume, or extract unbounded work.
- Coercive drain of budgets to force depletion or induce “just this once” shortcuts.
### Controls
- Debit-before-write for mutating operations; budgets enforce ceilings.
- Compartment budgets by purpose; require stronger capabilities for high-impact budgets.
- “Freeze” and “contain” responses narrow authority; they never grant new authority.
### Evidence Artifacts
- Treasury scroll + root: `receipts/treasury/treasury_events.jsonl`, `ROOT.treasury.txt`
- Ledger witness of debits/denials: `.state/ledger.sqlite` (`tool_invocations`, `shadow_receipts`)
- Seal bundles over the above: `.state/seals/ouroboros_seal_*.json`
### Drills
- Create a seal over a high-volume window and confirm it is stable on replay: `python3 cli/ledger.py seal --since "1 day"`
- Confirm denials are queryable (ShadowReceipts are sealed even if not rooted):
- `sqlite3 .state/ledger.sqlite "select ts,horizon_id,reason_unrealized,trace_id from shadow_receipts order by datetime(ts) desc limit 20;"`
---
## 🜍 Intelligence (Auditable Consciousness)
### Invariants
- **Bounded automation**: analysis may run, but execution requires capability + receipt trail.
- **Legible decisions**: reasoning/uncertainty is recorded as evidence, not “trust the model”.
- **Temporal defensibility**: “locally allowed” is insufficient if a long-horizon invariant is violated.
### Likely Moves
- Drift sequences: individually allowed steps that collectively break invariants.
- Poisoned telemetry: adversarial signals to induce unsafe policies or overblocking.
- “Optimize away restraint”: remove proof-of-denial records to reduce friction.
### Controls
- DriftGuard pattern: detect long-horizon invariant violations and deny execution while emitting a ShadowReceipt.
- Quarantine: treat suspicious signals as inputs to proposals (artifacts), not direct law rewrites.
- Replay + seal: decisions are reviewable through deterministic seals over evidence sets.
### Evidence Artifacts
- ShadowReceipts: `.state/ledger.sqlite` table `shadow_receipts`
- Correlated evidence chain: `.state/ledger.sqlite` tables `tool_invocations`, `mcp_calls`, `proof_artifacts`
- Automation scroll (if/when used): `receipts/automation/automation_events.jsonl`, `ROOT.automation.txt`
### Drills
- Create a ShadowReceipt for a denied path (proof of restraint), then seal the window:
- `python3 cli/ledger.py seal --since "1 day"`
- Confirm trace correlation is preserved (and treat gaps as audit failures):
- `python3 cli/ledger.py last --n 50`
---
## ☿ Trust (Circulating Authority)
### Invariants
- **No ambient trust**: rights are explicit capabilities with scopes.
- **Revocation is additive**: power can shrink without erasing history.
- **Containment > blame**: automatic responses narrow scopes; they do not expand authority.
### Likely Moves
- Key theft / replay; attempt to broaden scope “just for recovery”.
- Coercion to compel signing or privileged action.
### Controls
- Least-privilege, short-lived capabilities; explicit scopes; revocation receipts.
- For irreversible actions: time-locks and/or multi-party approval (policy-dependent).
- Record refusals as ShadowReceipts; never “black-hole” denied operations.
### Evidence Artifacts
- Mesh capability receipts + root: `receipts/mesh/mesh_events.jsonl`, `ROOT.mesh.txt`
- Identity receipts + root: `receipts/identity/identity_events.jsonl`, `ROOT.identity.txt`
- ShadowReceipts for denied/coerced paths: `.state/ledger.sqlite` `shadow_receipts`
### Drills
- Revoke and verify containment:
- (emit revoke) verify it appears in `receipts/mesh/mesh_events.jsonl`
- recompute roots: `python3 cli/vm_cli.py guardian compute-roots`
---
## 🜞 Time (Continuity Across Decades)
### Invariants
- **Portability**: proofs can be verified from artifacts alone.
- **Legibility**: tools and formats remain understandable without a priesthood.
- **Recoverability**: state can be reconstructed from receipts + seals.
### Likely Moves
- Long-term offline storage; partial artifact survival; missing dependencies; bit rot.
- Availability attacks misframed as correctness failures (narrative warfare).
### Controls
- Boring formats: JSONL + SQLite + text roots.
- Archaeology drill: restore from a cold copy and re-derive roots and seals.
- Explicitly separate **truth** from **availability** (see Non-goal).
### Evidence Artifacts
- Local ledger: `.state/ledger.sqlite`
- Scrolls + roots: `receipts/**`, `ROOT.*.txt`, `receipts/console/ROOT.console.txt`
- Constitutional mapping: `spec/BLUEPRINT_SPEC.md`, `spec/MAPPING.md`
### Drills
- Cold-restore verification: copy artifacts to a new directory and run:
- `python3 cli/vm_cli.py guardian status`
- `python3 cli/ledger.py seal --since "365 days"`
---
## Federation (Optional Witness Augmentation)
Federation is not correctness. It is redundancy and cross-witnessing.
- Peers may mirror roots/seals to increase survivability and detect targeted rollback.
- Disagreement is an incident artifact, not a correctness failure of the local node.