vaultsovereign/vm-core
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
110d644e10bd9fa1f1d7905b71b141b1323519d2
vm-core/spec/ATTACK_RESISTANCE_LEDGER.md
Vault Sovereign 110d644e10 Initialize repository snapshot
2025-12-27 00:10:32 +00:00

9.5 KiB
Raw Blame History

Attack Resistance & Control Ledger

Status: Canonical
Scope: State-Level Threat Model
Operating Mode: Single-Sovereign, Local-First
Federation: Optional Witness Augmentation

Non-goal

VaultMesh does not guarantee liveness, availability, or global consensus under adversarial conditions. It guarantees detectability, attribution, and recoverable truth.

Pinned Definitions

  • ShadowReceipt: An append-only proof emitted when an action is considered but not executed, recording intent, denial reason, and (if applicable) scope narrowing without side effects.
  • Receipt scroll: An append-only JSONL event log per domain (e.g., receipts/treasury/treasury_events.jsonl).
  • Merkle root: A deterministic commitment over a scrolls hashed leaves using the VaultMesh VmHash + merkle_root algorithm.
  • Root file: A file that stores the current Merkle root for a scroll (typically ROOT.<scroll>.txt).
  • Seal bundle (Ouroboros): A deterministic digest over a selected evidence set in the local SQLite ledger, stored as a proof_artifacts.kind=ouroboros_seal_bundle artifact.
  • Anchor (external, optional): A timestamp/immutability witness over a seal digest (RFC-3161 / blockchain / etc.), recorded as an additional proof artifact referencing the seal bundle.
  • Trace id: A correlation id linking the evidence chain across tool_invocations, mcp_calls, proof_artifacts, and (where emitted) shadow_receipts.
  • Capability / scope: A revocable, least-privilege right that can be narrowed without rewriting history (Mesh receipts).

Operating Assumption

VaultMesh is designed to remain truthful, auditable, and survivable as a single sovereign system under isolation. Federation is an optional augmentation that increases resilience and reach, but is never required for correctness.

Primary adversary context: “You are alone. No peers. No network. No court protection.”

Adversary Classes (State-Level)

  • Isolation: network partition, long-term offline operation, selective connectivity denial.
  • Seizure: physical confiscation, disk imaging, forced shutdown, forced relocation.
  • Coercion: compelled operation, compelled credential disclosure, compelled signing.
  • Supply chain: compromised dependencies, poisoned updates, build/release interdiction.
  • Insider drift: sequences of individually policy-valid actions that violate long-horizon invariants.
  • Narrative warfare: re-framing outages as “lies”, attacking legitimacy rather than mechanics.

🜔 Proof (Immutable Wealth)

Invariants

  • Append-only evidence: evidence is never rewritten in place; corrections are new events referencing prior ids/hashes.
  • Deterministic verification: the same inputs yield the same roots and seal digests.
  • Detectable tamper: any change to past events must surface as a root/seal mismatch.

Likely Moves

  • Edit/delete old receipts; roll back state to a “clean” snapshot; truncate scrolls.
  • Rewrite root files to match a forged history.
  • Partition the node so anchoring cannot occur.

Controls

  • Scrolls are append-only JSONL + deterministic Merkle roots (ROOT.*.txt).
  • Seals bind SQLite evidence to a deterministic digest (local witness) that can be copied out-of-band.
  • Optional anchoring adds a time witness when connectivity exists (never required for local correctness).

Evidence Artifacts

  • Scrolls: receipts/**
  • Roots: ROOT.*.txt and receipts/console/ROOT.console.txt
  • Local ledger: .state/ledger.sqlite (tool_invocations, mcp_calls, proof_artifacts, shadow_receipts)
  • Seal bundles: .state/seals/ouroboros_seal_*.json + proof_artifacts.kind=ouroboros_seal_bundle
  • Anchor receipts: receipts/guardian/anchor_events.jsonl (and planned proof_artifacts.kind=external_anchor)

Drills

  • Recompute and compare roots (no writes): python3 cli/vm_cli.py guardian compute-roots
  • Check whether on-disk roots match computed roots: python3 cli/vm_cli.py guardian status
  • Emit an anchor cycle (writes roots + anchor receipt): python3 cli/vm_cli.py guardian anchor --backend local
  • Seal recent evidence (deterministic digest over ledger tables): python3 cli/ledger.py seal --since "7 days"

🜃 Energy (Scarce Wealth)

Invariants

  • No action without cost: actions require a debit/charge.
  • No cost without record: debits/credits are receipted; state is reconstructable from receipts.
  • No silent denial: denied/aborted high-impact actions produce a ShadowReceipt (proof of restraint), not silence.

Likely Moves

  • Spam/flood to force writes, bury signals in volume, or extract unbounded work.
  • Coercive drain of budgets to force depletion or induce “just this once” shortcuts.

Controls

  • Debit-before-write for mutating operations; budgets enforce ceilings.
  • Compartment budgets by purpose; require stronger capabilities for high-impact budgets.
  • “Freeze” and “contain” responses narrow authority; they never grant new authority.

Evidence Artifacts

  • Treasury scroll + root: receipts/treasury/treasury_events.jsonl, ROOT.treasury.txt
  • Ledger witness of debits/denials: .state/ledger.sqlite (tool_invocations, shadow_receipts)
  • Seal bundles over the above: .state/seals/ouroboros_seal_*.json

Drills

  • Create a seal over a high-volume window and confirm it is stable on replay: python3 cli/ledger.py seal --since "1 day"
  • Confirm denials are queryable (ShadowReceipts are sealed even if not rooted):
    • sqlite3 .state/ledger.sqlite "select ts,horizon_id,reason_unrealized,trace_id from shadow_receipts order by datetime(ts) desc limit 20;"

🜍 Intelligence (Auditable Consciousness)

Invariants

  • Bounded automation: analysis may run, but execution requires capability + receipt trail.
  • Legible decisions: reasoning/uncertainty is recorded as evidence, not “trust the model”.
  • Temporal defensibility: “locally allowed” is insufficient if a long-horizon invariant is violated.

Likely Moves

  • Drift sequences: individually allowed steps that collectively break invariants.
  • Poisoned telemetry: adversarial signals to induce unsafe policies or overblocking.
  • “Optimize away restraint”: remove proof-of-denial records to reduce friction.

Controls

  • DriftGuard pattern: detect long-horizon invariant violations and deny execution while emitting a ShadowReceipt.
  • Quarantine: treat suspicious signals as inputs to proposals (artifacts), not direct law rewrites.
  • Replay + seal: decisions are reviewable through deterministic seals over evidence sets.

Evidence Artifacts

  • ShadowReceipts: .state/ledger.sqlite table shadow_receipts
  • Correlated evidence chain: .state/ledger.sqlite tables tool_invocations, mcp_calls, proof_artifacts
  • Automation scroll (if/when used): receipts/automation/automation_events.jsonl, ROOT.automation.txt

Drills

  • Create a ShadowReceipt for a denied path (proof of restraint), then seal the window:
    • python3 cli/ledger.py seal --since "1 day"
  • Confirm trace correlation is preserved (and treat gaps as audit failures):
    • python3 cli/ledger.py last --n 50

☿ Trust (Circulating Authority)

Invariants

  • No ambient trust: rights are explicit capabilities with scopes.
  • Revocation is additive: power can shrink without erasing history.
  • Containment > blame: automatic responses narrow scopes; they do not expand authority.

Likely Moves

  • Key theft / replay; attempt to broaden scope “just for recovery”.
  • Coercion to compel signing or privileged action.

Controls

  • Least-privilege, short-lived capabilities; explicit scopes; revocation receipts.
  • For irreversible actions: time-locks and/or multi-party approval (policy-dependent).
  • Record refusals as ShadowReceipts; never “black-hole” denied operations.

Evidence Artifacts

  • Mesh capability receipts + root: receipts/mesh/mesh_events.jsonl, ROOT.mesh.txt
  • Identity receipts + root: receipts/identity/identity_events.jsonl, ROOT.identity.txt
  • ShadowReceipts for denied/coerced paths: .state/ledger.sqlite shadow_receipts

Drills

  • Revoke and verify containment:
    • (emit revoke) verify it appears in receipts/mesh/mesh_events.jsonl
    • recompute roots: python3 cli/vm_cli.py guardian compute-roots

🜞 Time (Continuity Across Decades)

Invariants

  • Portability: proofs can be verified from artifacts alone.
  • Legibility: tools and formats remain understandable without a priesthood.
  • Recoverability: state can be reconstructed from receipts + seals.

Likely Moves

  • Long-term offline storage; partial artifact survival; missing dependencies; bit rot.
  • Availability attacks misframed as correctness failures (narrative warfare).

Controls

  • Boring formats: JSONL + SQLite + text roots.
  • Archaeology drill: restore from a cold copy and re-derive roots and seals.
  • Explicitly separate truth from availability (see Non-goal).

Evidence Artifacts

  • Local ledger: .state/ledger.sqlite
  • Scrolls + roots: receipts/**, ROOT.*.txt, receipts/console/ROOT.console.txt
  • Constitutional mapping: spec/BLUEPRINT_SPEC.md, spec/MAPPING.md

Drills

  • Cold-restore verification: copy artifacts to a new directory and run:
    • python3 cli/vm_cli.py guardian status
    • python3 cli/ledger.py seal --since "365 days"

Federation (Optional Witness Augmentation)

Federation is not correctness. It is redundancy and cross-witnessing.

  • Peers may mirror roots/seals to increase survivability and detect targeted rollback.
  • Disagreement is an incident artifact, not a correctness failure of the local node.
Reference in New Issue View Git Blame Copy Permalink