# Attack Resistance & Control Ledger

- Status: Canonical
- Scope: State-Level Threat Model
- Operating Mode: Single-Sovereign, Local-First
- Federation: Optional Witness Augmentation

## Non-goal

VaultMesh does not guarantee liveness, availability, or global consensus under adversarial conditions. It guarantees detectability, attribution, and recoverable truth.

## Pinned Definitions

- **ShadowReceipt**: An append-only proof emitted when an action is considered but not executed, recording intent, denial reason, and (if applicable) scope narrowing without side effects.
- **Receipt scroll**: An append-only JSONL event log per domain (e.g., `receipts/treasury/treasury_events.jsonl`).
- **Merkle root**: A deterministic commitment over a scroll’s hashed leaves using the VaultMesh `VmHash` + `merkle_root` algorithm.
- **Root file**: A file that stores the current Merkle root for a scroll (typically `ROOT..txt`).
- **Seal bundle (Ouroboros)**: A deterministic digest over a selected evidence set in the local SQLite ledger, stored as a `proof_artifacts.kind=ouroboros_seal_bundle` artifact.
- **Anchor (external, optional)**: A timestamp/immutability witness over a seal digest (RFC-3161 / blockchain / etc.), recorded as an additional proof artifact referencing the seal bundle.
- **Trace id**: A correlation id linking the evidence chain across `tool_invocations`, `mcp_calls`, `proof_artifacts`, and (where emitted) `shadow_receipts`.
- **Capability / scope**: A revocable, least-privilege right that can be narrowed without rewriting history (Mesh receipts).

## Operating Assumption

VaultMesh is designed to remain truthful, auditable, and survivable as a single sovereign system under isolation. Federation is an optional augmentation that increases resilience and reach, but is never required for correctness.

Primary adversary context: *“You are alone. No peers. No network. No court protection.”*

## Adversary Classes (State-Level)

- **Isolation**: network partition, long-term offline operation, selective connectivity denial.
- **Seizure**: physical confiscation, disk imaging, forced shutdown, forced relocation.
- **Coercion**: compelled operation, compelled credential disclosure, compelled signing.
- **Supply chain**: compromised dependencies, poisoned updates, build/release interdiction.
- **Insider drift**: sequences of individually policy-valid actions that violate long-horizon invariants.
- **Narrative warfare**: re-framing outages as “lies”, attacking legitimacy rather than mechanics.

---

## 🜔 Proof (Immutable Wealth)

### Invariants

- **Append-only evidence**: evidence is never rewritten in place; corrections are new events referencing prior ids/hashes.
- **Deterministic verification**: the same inputs yield the same roots and seal digests.
- **Detectable tamper**: any change to past events must surface as a root/seal mismatch.

### Likely Moves

- Edit/delete old receipts; roll back state to a “clean” snapshot; truncate scrolls.
- Rewrite root files to match a forged history.
- Partition the node so anchoring cannot occur.

### Controls

- Scrolls are append-only JSONL + deterministic Merkle roots (`ROOT.*.txt`).
- Seals bind SQLite evidence to a deterministic digest (local witness) that can be copied out-of-band.
- Optional anchoring adds a time witness when connectivity exists (never required for local correctness).

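The following is an added example, not VaultMesh code: it shows how a recomputed root, the root file, and a root copied out-of-band together distinguish the three tamper moves listed above. It assumes SHA-256 with leaf/node tags as a stand-in for `VmHash`, and the `check_scroll` function, its `(leaf_count, root)` witness tuple, and the sample events are hypothetical.

```python
import hashlib
import json

def _h(tag: bytes, data: bytes) -> bytes:
    # SHA-256 stand-in for VmHash (assumption); tags separate leaves from nodes.
    return hashlib.sha256(tag + data).digest()

def merkle_root(lines):
    """Deterministic root over a scroll's lines; an odd node is carried up."""
    level = [_h(b"\x00", ln.encode("utf-8")) for ln in lines]
    if not level:
        return _h(b"\x02", b"").hex()  # distinct tag for the empty scroll
    while len(level) > 1:
        pairs = [_h(b"\x01", level[i] + level[i + 1])
                 for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            pairs.append(level[-1])
        level = pairs
    return level[0].hex()

def check_scroll(lines, root_file_value, witness=None):
    """witness is (leaf_count, root) copied out-of-band at an earlier time."""
    if merkle_root(lines) != root_file_value.strip():
        return "root_mismatch"          # scroll edited, root file left alone
    if witness is not None:
        count, root = witness
        if len(lines) < count:
            return "truncated"          # rolled back to a shorter history
        if merkle_root(lines[:count]) != root:
            return "history_rewritten"  # root file forged to match the edits
    return "ok"

# Constructed sample events, not real VaultMesh receipts.
SCROLL = [json.dumps({"id": i, "type": "debit", "amount": a}, sort_keys=True)
          for i, a in enumerate([5, 7, 3], start=1)]
WITNESS = (len(SCROLL), merkle_root(SCROLL))

if __name__ == "__main__":
    forged = [SCROLL[0], SCROLL[1].replace("7", "1"), SCROLL[2]]
    # The forger also rewrote the root file, so only the witness catches it.
    print(check_scroll(forged, merkle_root(forged), WITNESS))
```

Because the witness records a leaf count, legitimate appends still verify: only the first `leaf_count` lines are compared against the out-of-band root.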
### Evidence Artifacts

- Scrolls: `receipts/**`
- Roots: `ROOT.*.txt` and `receipts/console/ROOT.console.txt`
- Local ledger: `.state/ledger.sqlite` (`tool_invocations`, `mcp_calls`, `proof_artifacts`, `shadow_receipts`)
- Seal bundles: `.state/seals/ouroboros_seal_*.json` + `proof_artifacts.kind=ouroboros_seal_bundle`
- Anchor receipts: `receipts/guardian/anchor_events.jsonl` (and planned `proof_artifacts.kind=external_anchor`)

### Drills

- Recompute and compare roots (no writes): `python3 cli/vm_cli.py guardian compute-roots`
- Check whether on-disk roots match computed roots: `python3 cli/vm_cli.py guardian status`
- Emit an anchor cycle (writes roots + anchor receipt): `python3 cli/vm_cli.py guardian anchor --backend local`
- Seal recent evidence (deterministic digest over ledger tables): `python3 cli/ledger.py seal --since "7 days"`

---

## 🜃 Energy (Scarce Wealth)

### Invariants

- **No action without cost**: actions require a debit/charge.
- **No cost without record**: debits/credits are receipted; state is reconstructable from receipts.
- **No silent denial**: denied/aborted high-impact actions produce a ShadowReceipt (proof of restraint), not silence.

### Likely Moves

- Spam/flood to force writes, bury signals in volume, or extract unbounded work.
- Coercive drain of budgets to force depletion or induce “just this once” shortcuts.

### Controls

- Debit-before-write for mutating operations; budgets enforce ceilings.
- Compartment budgets by purpose; require stronger capabilities for high-impact budgets.
- “Freeze” and “contain” responses narrow authority; they never grant new authority.

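A sketch of debit-before-write with a ShadowReceipt on denial, added here as an example and not taken from VaultMesh. It assumes an in-memory SQLite database in place of `.state/ledger.sqlite`; the `budgets` and `debits` tables, the `guarded_write` function, and the `h-demo` horizon id are hypothetical, and only the four `shadow_receipts` columns come from this page's drill query.

```python
import sqlite3
import uuid
from datetime import datetime, timezone

def open_ledger():
    # In-memory stand-in for the ledger; budgets/debits tables are assumptions.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        create table budgets(purpose text primary key, remaining integer);
        create table debits(ts text, purpose text, amount integer, trace_id text);
        create table shadow_receipts(ts text, horizon_id text,
                                     reason_unrealized text, trace_id text);
    """)
    return db

def guarded_write(db, purpose, cost, write, horizon_id="h-demo"):
    """Debit first and run `write` only if the debit succeeded.
    A denial is recorded as a ShadowReceipt and `write` is never called."""
    trace_id = uuid.uuid4().hex
    ts = datetime.now(timezone.utc).isoformat()
    with db:  # one transaction: budget change and its record commit together
        cur = db.execute(
            "update budgets set remaining = remaining - ? "
            "where purpose = ? and remaining >= ?", (cost, purpose, cost))
        if cur.rowcount != 1:
            # Ceiling hit (or unknown purpose): no side effect, but no silence.
            db.execute("insert into shadow_receipts values (?,?,?,?)",
                       (ts, horizon_id, f"budget ceiling: {purpose}", trace_id))
            return {"executed": False, "trace_id": trace_id}
        db.execute("insert into debits values (?,?,?,?)",
                   (ts, purpose, cost, trace_id))
    write()  # the cost is already recorded even if the action itself fails
    return {"executed": True, "trace_id": trace_id}

if __name__ == "__main__":
    db = open_ledger()
    db.execute("insert into budgets values ('ops', 10)")
    print(guarded_write(db, "ops", 6, lambda: None)["executed"])
    print(guarded_write(db, "ops", 6, lambda: None)["executed"])
```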
### Evidence Artifacts

- Treasury scroll + root: `receipts/treasury/treasury_events.jsonl`, `ROOT.treasury.txt`
- Ledger witness of debits/denials: `.state/ledger.sqlite` (`tool_invocations`, `shadow_receipts`)
- Seal bundles over the above: `.state/seals/ouroboros_seal_*.json`

### Drills

- Create a seal over a high-volume window and confirm it is stable on replay: `python3 cli/ledger.py seal --since "1 day"`
- Confirm denials are queryable (ShadowReceipts are sealed even if not rooted):
  - `sqlite3 .state/ledger.sqlite "select ts,horizon_id,reason_unrealized,trace_id from shadow_receipts order by datetime(ts) desc limit 20;"`

---

## 🜍 Intelligence (Auditable Consciousness)

### Invariants

- **Bounded automation**: analysis may run, but execution requires capability + receipt trail.
- **Legible decisions**: reasoning/uncertainty is recorded as evidence, not “trust the model”.
- **Temporal defensibility**: “locally allowed” is insufficient if a long-horizon invariant is violated.

### Likely Moves

- Drift sequences: individually allowed steps that collectively break invariants.
- Poisoned telemetry: adversarial signals to induce unsafe policies or overblocking.
- “Optimize away restraint”: remove proof-of-denial records to reduce friction.

### Controls

- DriftGuard pattern: detect long-horizon invariant violations and deny execution while emitting a ShadowReceipt.
- Quarantine: treat suspicious signals as inputs to proposals (artifacts), not direct law rewrites.
- Replay + seal: decisions are reviewable through deterministic seals over evidence sets.

### Evidence Artifacts

- ShadowReceipts: `.state/ledger.sqlite` table `shadow_receipts`
- Correlated evidence chain: `.state/ledger.sqlite` tables `tool_invocations`, `mcp_calls`, `proof_artifacts`
- Automation scroll (if/when used): `receipts/automation/automation_events.jsonl`, `ROOT.automation.txt`

### Drills

- Create a ShadowReceipt for a denied path (proof of restraint), then seal the window:
  - `python3 cli/ledger.py seal --since "1 day"`
- Confirm trace correlation is preserved (and treat gaps as audit failures):
  - `python3 cli/ledger.py last --n 50`

---

## ☿ Trust (Circulating Authority)

### Invariants

- **No ambient trust**: rights are explicit capabilities with scopes.
- **Revocation is additive**: power can shrink without erasing history.
- **Containment > blame**: automatic responses narrow scopes; they do not expand authority.

### Likely Moves

- Key theft / replay; attempt to broaden scope “just for recovery”.
- Coercion to compel signing or privileged action.

### Controls

- Least-privilege, short-lived capabilities; explicit scopes; revocation receipts.
- For irreversible actions: time-locks and/or multi-party approval (policy-dependent).
- Record refusals as ShadowReceipts; never “black-hole” denied operations.

### Evidence Artifacts

- Mesh capability receipts + root: `receipts/mesh/mesh_events.jsonl`, `ROOT.mesh.txt`
- Identity receipts + root: `receipts/identity/identity_events.jsonl`, `ROOT.identity.txt`
- ShadowReceipts for denied/coerced paths: `.state/ledger.sqlite` `shadow_receipts`

### Drills

- Revoke and verify containment:
  - (emit revoke) verify it appears in `receipts/mesh/mesh_events.jsonl`
  - recompute roots: `python3 cli/vm_cli.py guardian compute-roots`

---

## 🜞 Time (Continuity Across Decades)

### Invariants

- **Portability**: proofs can be verified from artifacts alone.
- **Legibility**: tools and formats remain understandable without a priesthood.
- **Recoverability**: state can be reconstructed from receipts + seals.

### Likely Moves

- Long-term offline storage; partial artifact survival; missing dependencies; bit rot.
- Availability attacks misframed as correctness failures (narrative warfare).

### Controls

- Boring formats: JSONL + SQLite + text roots.
- Archaeology drill: restore from a cold copy and re-derive roots and seals.
- Explicitly separate **truth** from **availability** (see Non-goal).

### Evidence Artifacts

- Local ledger: `.state/ledger.sqlite`
- Scrolls + roots: `receipts/**`, `ROOT.*.txt`, `receipts/console/ROOT.console.txt`
- Constitutional mapping: `spec/BLUEPRINT_SPEC.md`, `spec/MAPPING.md`

### Drills

- Cold-restore verification: copy artifacts to a new directory and run:
  - `python3 cli/vm_cli.py guardian status`
  - `python3 cli/ledger.py seal --since "365 days"`

---

## Federation (Optional Witness Augmentation)

Federation is not correctness. It is redundancy and cross-witnessing.

- Peers may mirror roots/seals to increase survivability and detect targeted rollback.
- Disagreement is an incident artifact, not a correctness failure of the local node.