vm-core/spec/ATTACK_RESISTANCE_LEDGER.md
2025-12-27 00:10:32 +00:00
# Attack Resistance & Control Ledger
Status: Canonical
Scope: State-Level Threat Model
Operating Mode: Single-Sovereign, Local-First
Federation: Optional Witness Augmentation
## Non-goal
VaultMesh does not guarantee liveness, availability, or global consensus under adversarial conditions. It guarantees detectability, attribution, and recoverable truth.
## Pinned Definitions
- **ShadowReceipt**: An append-only proof emitted when an action is considered but not executed, recording intent, denial reason, and (if applicable) scope narrowing without side effects.
- **Receipt scroll**: An append-only JSONL event log per domain (e.g., `receipts/treasury/treasury_events.jsonl`).
- **Merkle root**: A deterministic commitment over a scroll's hashed leaves using the VaultMesh `VmHash` + `merkle_root` algorithm.
- **Root file**: A file that stores the current Merkle root for a scroll (typically `ROOT.<scroll>.txt`).
- **Seal bundle (Ouroboros)**: A deterministic digest over a selected evidence set in the local SQLite ledger, stored as a `proof_artifacts.kind=ouroboros_seal_bundle` artifact.
- **Anchor (external, optional)**: A timestamp/immutability witness over a seal digest (RFC-3161 / blockchain / etc.), recorded as an additional proof artifact referencing the seal bundle.
- **Trace id**: A correlation id linking the evidence chain across `tool_invocations`, `mcp_calls`, `proof_artifacts`, and (where emitted) `shadow_receipts`.
- **Capability / scope**: A revocable, least-privilege right that can be narrowed without rewriting history (Mesh receipts).
## Operating Assumption
VaultMesh is designed to remain truthful, auditable, and survivable as a single sovereign system under isolation. Federation is an optional augmentation that increases resilience and reach, but is never required for correctness.
Primary adversary context: *“You are alone. No peers. No network. No court protection.”*
## Adversary Classes (State-Level)
- **Isolation**: network partition, long-term offline operation, selective connectivity denial.
- **Seizure**: physical confiscation, disk imaging, forced shutdown, forced relocation.
- **Coercion**: compelled operation, compelled credential disclosure, compelled signing.
- **Supply chain**: compromised dependencies, poisoned updates, build/release interdiction.
- **Insider drift**: sequences of individually policy-valid actions that violate long-horizon invariants.
- **Narrative warfare**: re-framing outages as “lies”, attacking legitimacy rather than mechanics.
---
## 🜔 Proof (Immutable Wealth)
### Invariants
- **Append-only evidence**: evidence is never rewritten in place; corrections are new events referencing prior ids/hashes.
- **Deterministic verification**: the same inputs yield the same roots and seal digests.
- **Detectable tamper**: any change to past events must surface as a root/seal mismatch.
### Likely Moves
- Edit/delete old receipts; roll back state to a “clean” snapshot; truncate scrolls.
- Rewrite root files to match a forged history.
- Partition the node so anchoring cannot occur.
### Controls
- Scrolls are append-only JSONL + deterministic Merkle roots (`ROOT.*.txt`).
- Seals bind SQLite evidence to a deterministic digest (local witness) that can be copied out-of-band.
- Optional anchoring adds a time witness when connectivity exists (never required for local correctness).
### Evidence Artifacts
- Scrolls: `receipts/**`
- Roots: `ROOT.*.txt` and `receipts/console/ROOT.console.txt`
- Local ledger: `.state/ledger.sqlite` (`tool_invocations`, `mcp_calls`, `proof_artifacts`, `shadow_receipts`)
- Seal bundles: `.state/seals/ouroboros_seal_*.json` + `proof_artifacts.kind=ouroboros_seal_bundle`
- Anchor receipts: `receipts/guardian/anchor_events.jsonl` (and planned `proof_artifacts.kind=external_anchor`)
### Drills
- Recompute and compare roots (no writes): `python3 cli/vm_cli.py guardian compute-roots`
- Check whether on-disk roots match computed roots: `python3 cli/vm_cli.py guardian status`
- Emit an anchor cycle (writes roots + anchor receipt): `python3 cli/vm_cli.py guardian anchor --backend local`
- Seal recent evidence (deterministic digest over ledger tables): `python3 cli/ledger.py seal --since "7 days"`
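As an added illustration (not VaultMesh's own code), the append-only scroll, root file and tamper check described above, in Python. The leaf hash and tree shape (SHA-256, plain binary tree with the odd node duplicated) are assumptions, since the page names `VmHash` and `merkle_root` without defining them; the file names mirror the treasury scroll.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: a leaf is SHA-256 of one raw JSONL line and the tree is a plain
# binary Merkle tree (odd node duplicated). The page names VmHash and
# merkle_root but does not define them, so these stand in for them.
def merkle_root(leaves: list) -> str:
    if not leaves:
        return hashlib.sha256(b"").hexdigest()  # commitment to an empty scroll
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2:
            level.append(level[-1])
        level = [hashlib.sha256(level[i] + level[i + 1]).digest()
                 for i in range(0, len(level), 2)]
    return level[0].hex()

def scroll_root(scroll: Path) -> str:
    lines = [l for l in scroll.read_bytes().splitlines() if l.strip()]
    return merkle_root([hashlib.sha256(l).digest() for l in lines])

def append_event(scroll: Path, event: dict) -> None:
    with scroll.open("ab") as fh:  # append-only: history is never rewritten in place
        fh.write(json.dumps(event, sort_keys=True).encode() + b"\n")

def anchor(scroll: Path, root_file: Path) -> str:  # like the 'guardian anchor' drill
    root = scroll_root(scroll)
    root_file.write_text(root + "\n")
    return root

def status(scroll: Path, root_file: Path) -> bool:  # like the 'guardian status' drill
    return root_file.read_text().strip() == scroll_root(scroll)

def demo() -> dict:
    d = Path(tempfile.mkdtemp())
    scroll, root_file = d / "treasury_events.jsonl", d / "ROOT.treasury.txt"
    append_event(scroll, {"id": 1, "op": "debit", "amount": 5})  # constructed events
    append_event(scroll, {"id": 2, "op": "debit", "amount": 7})
    anchor(scroll, root_file)
    out = {"clean": status(scroll, root_file)}
    append_event(scroll, {"id": 3, "op": "correct", "ref": 2, "amount": 2})  # append-only correction
    out["stale_root"] = status(scroll, root_file)  # mismatch until the root is re-anchored
    anchor(scroll, root_file)
    out["re_anchored"] = status(scroll, root_file)
    scroll.write_bytes(scroll.read_bytes().replace(b'"amount": 7', b'"amount": 1'))  # in-place tamper
    out["tampered"] = status(scroll, root_file)  # root file can no longer match
    return out
```

A stale root after a legitimate append and a mismatch after in-place tampering look the same to `status`; the anchor receipt trail is what distinguishes them.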
---
## 🜃 Energy (Scarce Wealth)
### Invariants
- **No action without cost**: actions require a debit/charge.
- **No cost without record**: debits/credits are receipted; state is reconstructable from receipts.
- **No silent denial**: denied/aborted high-impact actions produce a ShadowReceipt (proof of restraint), not silence.
### Likely Moves
- Spam/flood to force writes, bury signals in volume, or extract unbounded work.
- Coercive drain of budgets to force depletion or induce “just this once” shortcuts.
### Controls
- Debit-before-write for mutating operations; budgets enforce ceilings.
- Compartment budgets by purpose; require stronger capabilities for high-impact budgets.
- “Freeze” and “contain” responses narrow authority; they never grant new authority.
### Evidence Artifacts
- Treasury scroll + root: `receipts/treasury/treasury_events.jsonl`, `ROOT.treasury.txt`
- Ledger witness of debits/denials: `.state/ledger.sqlite` (`tool_invocations`, `shadow_receipts`)
- Seal bundles over the above: `.state/seals/ouroboros_seal_*.json`
### Drills
- Create a seal over a high-volume window and confirm it is stable on replay: `python3 cli/ledger.py seal --since "1 day"`
- Confirm denials are queryable (ShadowReceipts are sealed even if not rooted):
  - `sqlite3 .state/ledger.sqlite "select ts,horizon_id,reason_unrealized,trace_id from shadow_receipts order by datetime(ts) desc limit 20;"`
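An added example, not code from the project: debit-before-write that records a ShadowReceipt on denial into a `shadow_receipts` table carrying the four columns the drill above queries, plus a deterministic seal over a time window that stays stable when the ledger is rebuilt from its receipted rows. The table schema, the budget figures and the seal construction (SHA-256 over content-ordered rows) are assumptions.

```python
import hashlib
import json
import sqlite3

# Assumption: only the columns the page's drill queries (ts, horizon_id,
# reason_unrealized, trace_id) are modelled; the real ledger schema is not shown.
SCHEMA = ("create table if not exists shadow_receipts (ts text, horizon_id text, "
          "reason_unrealized text, trace_id text)")

def open_ledger(rows=()) -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    con.executemany("insert into shadow_receipts values (?,?,?,?)", rows)
    return con

def debit_or_shadow(con, budgets: dict, horizon: str, cost: int, trace_id: str, ts: str) -> bool:
    """Debit-before-write: a denied high-impact action leaves a ShadowReceipt, not silence."""
    have = budgets.get(horizon, 0)
    if have >= cost:
        budgets[horizon] = have - cost
        return True
    reason = f"budget_exhausted need={cost} have={have}"
    con.execute("insert into shadow_receipts values (?,?,?,?)", (ts, horizon, reason, trace_id))
    return False

def seal(con, since: str) -> str:
    """Deterministic digest over the denials in a window; order by content, not insertion."""
    rows = con.execute(
        "select ts,horizon_id,reason_unrealized,trace_id from shadow_receipts "
        "where datetime(ts) >= datetime(?) order by ts, trace_id, reason_unrealized",
        (since,)).fetchall()
    h = hashlib.sha256()
    for row in rows:
        h.update(json.dumps(row).encode() + b"\n")  # one canonical JSON array per row
    return h.hexdigest()

def demo() -> dict:
    con, budgets = open_ledger(), {"treasury": 10}  # constructed sample budget
    allowed = [debit_or_shadow(con, budgets, "treasury", 4, f"trace-{i}", f"2025-01-01 00:0{i}:00")
               for i in range(5)]
    digest = seal(con, "2024-12-31 00:00:00")
    # Replay: rebuild the ledger from the receipted rows in a different insertion order.
    rows = con.execute("select ts,horizon_id,reason_unrealized,trace_id from shadow_receipts").fetchall()
    replay = seal(open_ledger(reversed(rows)), "2024-12-31 00:00:00")
    narrower = seal(con, "2025-01-01 00:03:00")  # window drops the 00:02 denial
    return {"allowed": allowed, "stable": digest == replay, "window_differs": digest != narrower}
```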
---
## 🜍 Intelligence (Auditable Consciousness)
### Invariants
- **Bounded automation**: analysis may run, but execution requires capability + receipt trail.
- **Legible decisions**: reasoning/uncertainty is recorded as evidence, not “trust the model”.
- **Temporal defensibility**: “locally allowed” is insufficient if a long-horizon invariant is violated.
### Likely Moves
- Drift sequences: individually allowed steps that collectively break invariants.
- Poisoned telemetry: adversarial signals to induce unsafe policies or overblocking.
- “Optimize away restraint”: remove proof-of-denial records to reduce friction.
### Controls
- DriftGuard pattern: detect long-horizon invariant violations and deny execution while emitting a ShadowReceipt.
- Quarantine: treat suspicious signals as inputs to proposals (artifacts), not direct law rewrites.
- Replay + seal: decisions are reviewable through deterministic seals over evidence sets.
### Evidence Artifacts
- ShadowReceipts: `.state/ledger.sqlite` table `shadow_receipts`
- Correlated evidence chain: `.state/ledger.sqlite` tables `tool_invocations`, `mcp_calls`, `proof_artifacts`
- Automation scroll (if/when used): `receipts/automation/automation_events.jsonl`, `ROOT.automation.txt`
### Drills
- Create a ShadowReceipt for a denied path (proof of restraint), then seal the window:
  - `python3 cli/ledger.py seal --since "1 day"`
- Confirm trace correlation is preserved (and treat gaps as audit failures):
  - `python3 cli/ledger.py last --n 50`
---
## ☿ Trust (Circulating Authority)
### Invariants
- **No ambient trust**: rights are explicit capabilities with scopes.
- **Revocation is additive**: power can shrink without erasing history.
- **Containment > blame**: automatic responses narrow scopes; they do not expand authority.
### Likely Moves
- Key theft / replay; attempt to broaden scope “just for recovery”.
- Coercion to compel signing or privileged action.
### Controls
- Least-privilege, short-lived capabilities; explicit scopes; revocation receipts.
- For irreversible actions: time-locks and/or multi-party approval (policy-dependent).
- Record refusals as ShadowReceipts; never “black-hole” denied operations.
### Evidence Artifacts
- Mesh capability receipts + root: `receipts/mesh/mesh_events.jsonl`, `ROOT.mesh.txt`
- Identity receipts + root: `receipts/identity/identity_events.jsonl`, `ROOT.identity.txt`
- ShadowReceipts for denied/coerced paths: `.state/ledger.sqlite` `shadow_receipts`
### Drills
- Revoke and verify containment:
  - (emit revoke) verify it appears in `receipts/mesh/mesh_events.jsonl`
  - recompute roots: `python3 cli/vm_cli.py guardian compute-roots`
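Added example, not from the project: folding mesh capability receipts into an effective scope, where a narrowing receipt can only intersect the existing scope and a revocation is a new receipt rather than a deletion. The receipt shape (`op`, `cap`, `scope`) is an assumption; the page shows no mesh schema.

```python
# Assumption: a constructed mesh receipt shape {"op", "cap", "scope"} with ops
# grant | narrow | revoke; the page names mesh receipts but shows no schema.
def effective_scope(events: list) -> dict:
    """Fold an append-only mesh scroll into capability id -> allowed action set."""
    caps = {}
    for ev in events:
        cap, scope = ev["cap"], set(ev.get("scope", []))
        if ev["op"] == "grant" and cap not in caps:
            caps[cap] = scope            # a capability id is granted once
        elif ev["op"] == "narrow" and cap in caps:
            caps[cap] &= scope           # intersection only: can shrink, never grow
        elif ev["op"] == "revoke":
            caps[cap] = set()            # recorded as a new receipt, history intact
    return caps

def authorize(events: list, cap: str, action: str) -> tuple:
    """No ambient trust: only an explicit, still-live scope authorizes an action."""
    scopes = effective_scope(events)
    if action in scopes.get(cap, set()):
        return True, "allowed"
    return False, f"capability {cap} does not cover {action}"  # ShadowReceipt material

def demo() -> dict:
    scroll = [  # constructed mesh receipts, oldest first
        {"op": "grant", "cap": "cap-1", "scope": ["read", "debit"]},
        {"op": "narrow", "cap": "cap-1", "scope": ["read"]},
        {"op": "narrow", "cap": "cap-1", "scope": ["read", "debit", "sign"]},  # broadening attempt
        {"op": "revoke", "cap": "cap-1"},
    ]
    return {
        "after_grant": authorize(scroll[:1], "cap-1", "debit")[0],
        "after_narrow": authorize(scroll[:2], "cap-1", "debit")[0],
        "broaden_ignored": authorize(scroll[:3], "cap-1", "sign")[0],
        "after_revoke": authorize(scroll, "cap-1", "read")[0],
        "receipts_kept": len(scroll),
    }
```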
---
## 🜞 Time (Continuity Across Decades)
### Invariants
- **Portability**: proofs can be verified from artifacts alone.
- **Legibility**: tools and formats remain understandable without a priesthood.
- **Recoverability**: state can be reconstructed from receipts + seals.
### Likely Moves
- Long-term offline storage; partial artifact survival; missing dependencies; bit rot.
- Availability attacks misframed as correctness failures (narrative warfare).
### Controls
- Boring formats: JSONL + SQLite + text roots.
- Archaeology drill: restore from a cold copy and re-derive roots and seals.
- Explicitly separate **truth** from **availability** (see Non-goal).
### Evidence Artifacts
- Local ledger: `.state/ledger.sqlite`
- Scrolls + roots: `receipts/**`, `ROOT.*.txt`, `receipts/console/ROOT.console.txt`
- Constitutional mapping: `spec/BLUEPRINT_SPEC.md`, `spec/MAPPING.md`
### Drills
- Cold-restore verification: copy artifacts to a new directory and run:
  - `python3 cli/vm_cli.py guardian status`
  - `python3 cli/ledger.py seal --since "365 days"`
---
## Federation (Optional Witness Augmentation)
Federation is not correctness. It is redundancy and cross-witnessing.
- Peers may mirror roots/seals to increase survivability and detect targeted rollback.
- Disagreement is an incident artifact, not a correctness failure of the local node.