vm-core/docs/skill/ALCHEMICAL_PATTERNS.md

# VaultMesh Alchemical Patterns

> *Solve et Coagula — Dissolve and Coagulate*

## The Alchemical Framework

VaultMesh uses alchemical metaphors not as mysticism, but as precise operational language for system states and transformations.

## Phases (Operational States)

### Nigredo 🜁 — The Blackening

**Meaning**: Crisis, breakdown, decomposition
**Operational State**: System under stress, incident in progress

**Indicators**:
- Active security incident
- Service degradation
- Guardian anchor failures
- Constitutional violations detected

**Receipt Types During Nigredo**:
- `offsec_incident` (severity: high/critical)
- `obs_log_alert` (severity: critical)
- `gov_violation`
- `psi_phase_transition` (to_phase: nigredo)

**Actions**:
- Incident response procedures activated
- Enhanced monitoring enabled
- Emergency powers may be invoked
- Transmutation processes initiated

```json
{
  "type": "psi_phase_transition",
  "from_phase": "albedo",
  "to_phase": "nigredo",
  "trigger": {
    "event_type": "security_incident",
    "reference": "INC-2025-12-001",
    "severity": "critical"
  },
  "indicators": [
    "active_intrusion_detected",
    "guardian_alert_level_elevated"
  ]
}
```

---

### Albedo 🜄 — The Whitening

**Meaning**: Purification, recovery, stabilization
**Operational State**: Post-incident recovery, learning phase

**Indicators**:
- Incident contained
- Systems stabilizing
- Root cause analysis in progress
- Remediation being verified

**Receipt Types During Albedo**:
- `offsec_remediation`
- `psi_transmutation` (steps: extract, dissolve, purify)
- `obs_health_snapshot` (improving trends)

**Actions**:
- Post-incident review
- IOC extraction
- Rule generation
- Documentation updates

```json
{
  "type": "psi_phase_transition",
  "from_phase": "nigredo",
  "to_phase": "albedo",
  "trigger": {
    "event_type": "incident_contained",
    "reference": "INC-2025-12-001"
  },
  "indicators": [
    "threat_neutralized",
    "services_recovering",
    "rca_initiated"
  ],
  "duration_in_nigredo_hours": 4.5
}
```

---

### Citrinitas 🜆 — The Yellowing

**Meaning**: Illumination, new capability emerging
**Operational State**: Optimization, enhancement

**Indicators**:
- New defensive capabilities deployed
- Performance improvements measured
- Knowledge crystallized into procedures
- Drills showing improved outcomes

**Receipt Types During Citrinitas**:
- `psi_transmutation` (steps: coagulate)
- `psi_integration`
- `security_drill_run` (outcomes: improved)
- `auto_workflow_run` (new capabilities)

**Actions**:
- Deploy new detection rules
- Update runbooks
- Train team on new procedures
- Measure improvement metrics

```json
{
  "type": "psi_phase_transition",
  "from_phase": "albedo",
  "to_phase": "citrinitas",
  "trigger": {
    "event_type": "capability_deployed",
    "reference": "transmute-2025-12-001"
  },
  "indicators": [
    "detection_rules_active",
    "playbook_updated",
    "team_trained"
  ],
  "capabilities_gained": [
    "lateral_movement_detection_v2",
    "automated_containment_k8s"
  ]
}
```

---

### Rubedo 🜂 — The Reddening

**Meaning**: Integration, completion, maturity
**Operational State**: Stable, sovereign operation

**Indicators**:
- All systems nominal
- Capabilities integrated into BAU
- Continuous improvement active
- High resilience demonstrated

**Receipt Types During Rubedo**:
- `psi_resonance` (harmony_score: high)
- `obs_health_snapshot` (all_green)
- `mesh_topology_snapshot` (healthy)
- `treasury_reconciliation` (balanced)

**Actions**:
- Regular drills maintain readiness
- Proactive threat hunting
- Continuous compliance monitoring
- Knowledge sharing with federation

```json
{
  "type": "psi_phase_transition",
  "from_phase": "citrinitas",
  "to_phase": "rubedo",
  "trigger": {
    "event_type": "stability_achieved",
    "reference": "phase-assessment-2025-12"
  },
  "indicators": [
    "30_days_no_critical_incidents",
    "slo_targets_met",
    "drill_outcomes_excellent"
  ],
  "maturity_score": 0.92
}
```

---

## Transmutation (Tem Pattern)

Transmutation converts negative events into defensive capabilities.

### The Process

```
┌─────────────────────────────────────────────────────────────────┐
│                      PRIMA MATERIA                              │
│                (Raw Input: Incident/Vuln/Threat)                │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  STEP 1: EXTRACT                                                │
│  • Identify IOCs (IPs, domains, hashes, TTPs)                   │
│  • Document attack chain                                        │
│  • Capture forensic artifacts                                   │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  STEP 2: DISSOLVE (Solve)                                       │
│  • Break down into atomic components                            │
│  • Normalize to standard formats (STIX, Sigma)                  │
│  • Map to frameworks (MITRE ATT&CK)                             │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  STEP 3: PURIFY                                                 │
│  • Remove false positives                                       │
│  • Validate against known-good                                  │
│  • Test in isolated environment                                 │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  STEP 4: COAGULATE (Coagula)                                    │
│  • Generate detection rules (Sigma, YARA, Suricata)             │
│  • Create response playbooks                                    │
│  • Deploy to production                                         │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│  STEP 5: SEAL                                                   │
│  • Emit transmutation receipt                                   │
│  • Link prima materia to philosopher's stone                    │
│  • Anchor evidence chain                                        │
└─────────────────────────────────────────────────────────────────┘
                              │
                              ▼
┌─────────────────────────────────────────────────────────────────┐
│                    PHILOSOPHER'S STONE                          │
│              (Output: Defensive Capability)                     │
└─────────────────────────────────────────────────────────────────┘
```

### Transmutation Contract

```json
{
  "transmutation_id": "psi-transmute-2025-12-06-001",
  "title": "SSH Brute Force to Detection Capability",
  "initiated_by": "did:vm:human:sovereign",
  "initiated_at": "2025-12-06T10:00:00Z",
  "input_material": {
    "type": "security_incident",
    "reference": "INC-2025-12-001",
    "prima_materia_hash": "blake3:incident_evidence..."
  },
  "target_phase": "citrinitas",
  "transmutation_steps": [
    {
      "step_id": "step-1-extract",
      "name": "Extract Prima Materia",
      "action": "extract_iocs",
      "expected_output": "cases/psi/transmute-001/extracted_iocs.json"
    },
    {
      "step_id": "step-2-dissolve",
      "name": "Dissolve (Solve)",
      "action": "normalize_to_stix",
      "expected_output": "cases/psi/transmute-001/stix_bundle.json"
    },
    {
      "step_id": "step-3-purify",
      "name": "Purify",
      "action": "validate_iocs",
      "expected_output": "cases/psi/transmute-001/validated_iocs.json"
    },
    {
      "step_id": "step-4-coagulate",
      "name": "Coagulate",
      "action": "generate_sigma_rules",
      "expected_output": "cases/psi/transmute-001/sigma_rules/"
    },
    {
      "step_id": "step-5-seal",
      "name": "Seal",
      "action": "emit_receipt",
      "expected_output": "receipts/psi/psi_events.jsonl"
    }
  ],
  "witnesses_required": ["brick-01", "brick-02"],
  "success_criteria": {
    "rules_deployed": true,
    "detection_verified": true,
    "no_false_positives_24h": true
  }
}
```

### Transmutation Receipt

```json
{
  "type": "psi_transmutation",
  "transmutation_id": "psi-transmute-2025-12-06-001",
  "timestamp": "2025-12-06T16:00:00Z",
  "input_material": {
    "type": "security_incident",
    "reference": "INC-2025-12-001",
    "prima_materia_hash": "blake3:abc123..."
  },
  "output_capability": {
    "type": "detection_rules",
    "reference": "sigma-rule-ssh-brute-force-v2",
    "philosophers_stone_hash": "blake3:def456..."
  },
  "transformation_summary": {
    "iocs_extracted": 47,
    "rules_generated": 3,
    "playbooks_updated": 1,
    "ttps_mapped": ["T1110.001", "T1021.004"]
  },
  "alchemical_phase": "citrinitas",
  "witnesses": [
    {
      "node": "did:vm:node:brick-01",
      "witnessed_at": "2025-12-06T15:55:00Z",
      "signature": "z58D..."
    }
  ],
  "tags": ["psi", "transmutation", "ssh", "brute-force"],
  "root_hash": "blake3:transmute..."
}
```

---

## Resonance

Resonance measures cross-system synchronization and harmony.

### Resonance Factors

| Factor | Weight | Measurement |
|--------|--------|-------------|
| Anchor Health | 0.25 | Time since last anchor, failure rate |
| Receipt Consistency | 0.20 | Hash chain integrity, no gaps |
| Mesh Connectivity | 0.20 | Node health, route availability |
| Phase Alignment | 0.15 | All subsystems in compatible phases |
| Federation Sync | 0.10 | Witness success rate |
| Governance Compliance | 0.10 | No active violations |

### Harmony Score

```
harmony_score = Σ(factor_weight × factor_score) / Σ(factor_weight)
```

**Interpretation**:
- 0.90 - 1.00: **Rubedo** — Full sovereignty
- 0.70 - 0.89: **Citrinitas** — Optimizing
- 0.50 - 0.69: **Albedo** — Stabilizing
- 0.00 - 0.49: **Nigredo** — Crisis mode

### Resonance Receipt

```json
{
  "type": "psi_resonance",
  "resonance_id": "resonance-2025-12-06-12",
  "timestamp": "2025-12-06T12:00:00Z",
  "harmony_score": 0.94,
  "factors": {
    "anchor_health": 1.0,
    "receipt_consistency": 0.98,
    "mesh_connectivity": 0.95,
    "phase_alignment": 0.90,
    "federation_sync": 0.85,
    "governance_compliance": 1.0
  },
  "current_phase": "rubedo",
  "subsystem_phases": {
    "guardian": "rubedo",
    "oracle": "rubedo",
    "mesh": "citrinitas",
    "treasury": "rubedo"
  },
  "dissonance_notes": [
    "mesh slightly below harmony due to pending node upgrade"
  ],
  "tags": ["psi", "resonance", "harmony"],
  "root_hash": "blake3:resonance..."
}
```

---

## Integration

Integration crystallizes learnings into permanent capability.

### Integration Types

| Type | Description | Example |
|------|-------------|---------|
| `rule_integration` | Detection rule becomes standard | Sigma rule added to baseline |
| `playbook_integration` | Response procedure formalized | IR playbook updated |
| `capability_integration` | New system feature | Auto-containment enabled |
| `knowledge_integration` | Documentation updated | Threat model revised |
| `training_integration` | Team skill acquired | Drill proficiency achieved |

### Integration Receipt

```json
{
  "type": "psi_integration",
  "integration_id": "integration-2025-12-06-001",
  "timestamp": "2025-12-06T18:00:00Z",
  "integration_type": "rule_integration",
  "source": {
    "transmutation_id": "psi-transmute-2025-12-06-001",
    "capability_hash": "blake3:def456..."
  },
  "target": {
    "system": "detection_pipeline",
    "component": "sigma_rules",
    "version": "v2.1.0"
  },
  "integration_proof": {
    "deployed_at": "2025-12-06T17:30:00Z",
    "verified_by": ["brick-01", "brick-02"],
    "test_results": {
      "true_positives": 5,
      "false_positives": 0,
      "detection_rate": 1.0
    }
  },
  "crystallization_complete": true,
  "tags": ["psi", "integration", "detection"],
  "root_hash": "blake3:integration..."
}
```

---

## Oracle Insights

Significant findings from the Compliance Oracle that warrant receipting.

### Insight Types

| Type | Description |
|------|-------------|
| `compliance_gap` | New gap identified |
| `regulatory_change` | Regulation updated |
| `risk_elevation` | Risk level increased |
| `deadline_approaching` | Compliance deadline near |
| `cross_reference` | Connection between frameworks |

### Insight Receipt

```json
{
  "type": "psi_oracle_insight",
  "insight_id": "insight-2025-12-06-001",
  "timestamp": "2025-12-06T14:00:00Z",
  "insight_type": "compliance_gap",
  "severity": "high",
  "frameworks": ["AI_Act", "GDPR"],
  "finding": {
    "summary": "Model training data lineage documentation incomplete for Annex IV requirements",
    "affected_articles": ["AI_Act.Annex_IV.2.b", "GDPR.Art_30"],
    "current_state": "partial_documentation",
    "required_state": "complete_lineage_from_source_to_model"
  },
  "recommended_actions": [
    "Implement data provenance tracking",
    "Document all training data sources",
    "Create lineage visualization"
  ],
  "deadline": "2026-08-02T00:00:00Z",
  "confidence": 0.92,
  "oracle_query_ref": "oracle-answer-2025-12-06-4721",
  "tags": ["psi", "oracle", "insight", "ai_act", "gdpr"],
  "root_hash": "blake3:insight..."
}
```

---

## Magnum Opus Dashboard

The Magnum Opus is the great work — the continuous refinement toward sovereignty.

### Dashboard Metrics

```
┌─────────────────────────────────────────────────────────────────┐
│                     MAGNUM OPUS STATUS                          │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  Current Phase: RUBEDO 🜂                Harmony: 0.94          │
│  Time in Phase: 47 days                                         │
│                                                                 │
│  ┌─────────────────────────────────────────────────────────┐   │
│  │ Phase History (90 days)                                  │   │
│  │ ████████████░░░░████████████████████████████████████████│   │
│  │ NNNAAACCCCCNNAACCCCCCCCCCRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR│   │
│  └─────────────────────────────────────────────────────────┘   │
│                                                                 │
│  Transmutations                  Integrations                   │
│  ├─ Active: 2                    ├─ This Month: 7              │
│  ├─ Completed: 34                ├─ Total: 156                 │
│  └─ Success Rate: 94%            └─ Crystallized: 142          │
│                                                                 │
│  Resonance Factors                                              │
│  ├─ Anchor Health:      ████████████████████ 1.00              │
│  ├─ Receipt Integrity:  ███████████████████░ 0.98              │
│  ├─ Mesh Connectivity:  ███████████████████░ 0.95              │
│  ├─ Phase Alignment:    ██████████████████░░ 0.90              │
│  ├─ Federation Sync:    █████████████████░░░ 0.85              │
│  └─ Governance:         ████████████████████ 1.00              │
│                                                                 │
│  Recent Oracle Insights: 3 (1 high severity)                    │
│  Next Anchor: 47 min                                            │
│  Last Incident: 47 days ago                                     │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

### CLI Commands

```bash
# Phase status
vm-psi phase current
vm-psi phase history --days 90

# Transmutation
vm-psi transmute start --input INC-2025-12-001 --title "SSH Brute Force"
vm-psi transmute status transmute-2025-12-001
vm-psi transmute complete transmute-2025-12-001 --step coagulate

# Resonance
vm-psi resonance current
vm-psi resonance history --days 30

# Integration
vm-psi integrate --source transmute-2025-12-001 --target detection_pipeline

# Opus
vm-psi opus status
vm-psi opus report --format pdf --output opus-report.pdf
```