vaultsovereign/vm-mcp
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

init: vaultmesh mcp server
Some checks are pending
Governance CI / Constitution Hash Gate (push) Waiting to run
Details
Governance CI / Governance Tests (push) Blocked by required conditions
Details
Governance CI / Golden Drill Mini (push) Blocked by required conditions
Details

Browse Source
This commit is contained in:
Vault Sovereign
2025-12-26 23:23:08 +00:00
commit e4871c2a29
35 changed files with 6511 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
docs/CONSTITUTION-HASH.json Normal file
View File

@@ -0,0 +1,17 @@
{
"document": "MCP-CONSTITUTION.md",
"version": "1.0.0",
"hash_algorithm": "blake3",
"hash": "blake3:c33ab6c0610ce4001018ba5dda940e12a421a08f2a1662f142e565092ce84788",
"computed_at": "2025-12-18T22:25:10.039795+00:00",
"lines_hashed": 288,
"note": "Hash excludes signature block (last 12 lines)",
"sovereign_signature": {
"key_id": "key_bef32f5724871a7a5af4cc34",
"fingerprint": "blake3:54f500d94a3d75e4c",
"signature_hash": "blake3:f606e0ac1923550dd731844b95d653b69624666b48859687b4056a660741fcdb",
"statement": "This constitution constrains me as much as it constrains the system.",
"signed_at": "2025-12-18T22:25:59.732865+00:00",
"ratification_receipt": "blake3:8fd1d1728563abb3f55f145af54ddee1b3f255db81f3e7654a7de8afef913869"
}
}

352
docs/DRILL.md Normal file
View File

@@ -0,0 +1,352 @@
# CONTROLLED FAILURE DRILL RUNBOOK
**Classification:** OPERATIONAL / DRILL
**Version:** 1.0
**Date:** December 18, 2025
---
## Purpose
Convert "governance exists" into **governance survives contact with chaos**.
## Principles
- **No real damage**: dry-run actions, sandbox targets only
- **Single escalation axis**: one chain at a time
- **Receipts or it didn't happen**: every transition traceable
- **Auto-return**: TTL de-escalation must fire and be receipted
---
## Drill 0: Pre-flight Safety Gates
**Duration:** 2 minutes
**Goal:** Confirm training mode active
### Checklist
```
[ ] DRILL_MODE environment variable set
[ ] Phoenix destructive ops: disabled/dry-run
[ ] Treasury: training budget isolated (ceiling: 1000 units)
[ ] Guardian anchoring: tagged DRILL/*
[ ] OFFSEC: simulated mode
```
### Verification Command
```python
from vaultmesh_mcp.tools import cognitive_context
ctx = cognitive_context(include=["health", "treasury"])
assert ctx["health"]["status"] == "operational"
# Verify training budget exists
```
### Pass Condition
Receipt/log proves `DRILL_MODE = ON`
---
## Drill 1: False-Positive Threat → Tem → De-escalate
**Duration:** 5 minutes
**Marker:** `DRILL/FP-THREAT/{date}`
### Trigger
```python
from vaultmesh_mcp.tools import (
escalate_on_threat,
cognitive_decide,
cognitive_invoke_tem,
deescalate,
get_escalation_history,
EscalationType,
DeescalationType,
)
# Step 1: Inject synthetic threat
DRILL_MARKER = "DRILL/FP-THREAT/2025-12-18"
result = escalate_on_threat(
current_profile="operator",
threat_id=f"thr_{DRILL_MARKER}",
threat_type="synthetic_drill",
confidence=0.92
)
escalation_id = result["escalation_id"]
```
### Expected Chain
| Step | Profile | Action | Receipt Type |
|------|---------|--------|--------------|
| 1 | 👁 OBSERVER | Read context | None (read-only) |
| 2 | ⚙ OPERATOR | Escalation request | `profile_escalation` |
| 3 | 🛡 GUARDIAN | Decision made | `cognitive_decision` |
| 4 | 🛡 GUARDIAN | Tem invoked | `tem_invocation` |
| 5 | ⚙ OPERATOR | TTL de-escalation | `profile_deescalation` |
| 6 | 👁 OBSERVER | Return to baseline | `profile_deescalation` |
### Verification
```python
# Check escalation receipts
history = get_escalation_history()
assert any(DRILL_MARKER in str(h) for h in history["history"])
# Verify Tem context hash exists
assert result.get("tem_context_hash") is not None
# Verify reversibility
assert result["reversible"] == True
```
### Pass Conditions
- [ ] Every profile transition emits receipt
- [ ] Tem context hash captured in escalation receipt
- [ ] Reversibility flag set correctly
- [ ] De-escalation occurs at TTL
- [ ] Final state: baseline 👁
### Fail Conditions
- [ ] Any transition without receipt
- [ ] Tem invoked without Guardian authority
- [ ] TTL does not de-escalate
- [ ] De-escalation not receipted
---
## Drill 2: Budget Pressure Test
**Duration:** 3 minutes
**Goal:** Prevent unauthorized mutation
### Setup
```python
from vaultmesh_mcp.tools import treasury_create_budget, treasury_debit
# Create minimal training budget
treasury_create_budget(
budget_id="drill-budget-001",
name="Drill Training Budget",
allocated=100, # Very low
currency="DRILL_UNITS"
)
```
### Trigger
```python
# Attempt to exceed budget
result = treasury_debit(
budget_id="drill-budget-001",
amount=500, # Exceeds allocation
description="DRILL: Intentional over-budget attempt"
)
```
### Expected Outcome
```python
assert result.get("error") is not None
assert "insufficient" in result["error"].lower()
```
### Pass Conditions
- [ ] Block occurs before write
- [ ] Receipt shows: attempted action, requested cost, available balance, denial reason
- [ ] System state unchanged
---
## Drill 3: Escalation Abuse Attempt
**Duration:** 3 minutes
**Goal:** Constitution enforcement
### Trigger: Skip Levels
```python
from vaultmesh_mcp.tools import escalate, EscalationType
# Attempt OPERATOR → PHOENIX (skipping GUARDIAN)
result = escalate(
from_profile="operator",
to_profile="phoenix",
escalation_type=EscalationType.THREAT_DETECTED,
)
```
### Expected Outcome
```python
assert result["success"] == False
assert "No escalation path" in result.get("error", "")
```
### Trigger: Missing Approval
```python
# Attempt GUARDIAN → PHOENIX without approval
result = escalate(
from_profile="guardian",
to_profile="phoenix",
escalation_type=EscalationType.CRISIS_DECLARED,
# approved_by intentionally missing
)
```
### Expected Outcome
```python
assert result["success"] == False
assert "requires approval" in result.get("error", "")
```
### Pass Conditions
- [ ] No profile change occurs
- [ ] Denial includes which requirement failed
- [ ] Denial is receipted (if implemented)
---
## Drill 4: Phoenix Readiness (Non-Destructive)
**Duration:** 5 minutes
**Goal:** Enter Phoenix, validate controls, return
### Trigger
```python
from vaultmesh_mcp.tools import escalate_to_phoenix, get_active_escalations
# Legitimate Phoenix activation
result = escalate_to_phoenix(
reason="DRILL: Phoenix readiness test",
approved_by="did:vm:sovereign:drill-approver"
)
```
### Verification
```python
# Phoenix is active
active = get_active_escalations()
phoenix_active = any(
e["to_profile"] == "phoenix"
for e in active["escalations"]
)
assert phoenix_active
# Verify TTL is set
assert result.get("expires_at") is not None
```
### De-escalation Test
```python
import time
# Wait for TTL or manually de-escalate
from vaultmesh_mcp.tools import deescalate, DeescalationType
deescalate(
escalation_id=result["escalation_id"],
deescalation_type=DeescalationType.CRISIS_CONCLUDED,
reason="DRILL: Phoenix test complete"
)
# Verify return to baseline
active = get_active_escalations()
assert active["active_count"] == 0
```
### Pass Conditions
- [ ] Phoenix activation receipt generated
- [ ] Destructive ops blocked in drill mode
- [ ] TTL de-escalation works from Phoenix
- [ ] Return to 🛡/⚙/👁 with receipts
---
## Post-Drill: Artifact Pack Generation
### Required Artifacts
```python
from vaultmesh_mcp.tools import (
get_escalation_history,
cognitive_audit_trail,
guardian_status,
)
# 1. Escalation timeline
escalations = get_escalation_history()
# 2. Decision audit
decisions = cognitive_audit_trail()
# 3. Scroll state
scrolls = guardian_status()
# Generate artifact
artifact = {
"drill_id": "DRILL-2025-12-18-001",
"escalations": escalations,
"decisions": decisions,
"scroll_roots": scrolls,
"pass_fail": {
"drill_0": None, # Fill after each drill
"drill_1": None,
"drill_2": None,
"drill_3": None,
"drill_4": None,
}
}
```
### Expected Artifact Contents
| Field | Description |
|-------|-------------|
| Timeline | (who) (what) (why) (authority) (cost) (proof hashes) (reversibility) |
| Denials | List of denials + constitutional rule enforced |
| Baseline Proof | Final state normal, budgets intact, no latent elevation |
---
## Execution Order
**Recommended sequence for maximum signal, minimal risk:**
```
Drill 0 (gates) → Drill 1 (threat) → Drill 3 (abuse) → Drill 2 (budget) → Drill 4 (phoenix)
```
---
## Quick Reference: Expected Receipt Types
| Event | Receipt Type | Scroll |
|-------|--------------|--------|
| Profile escalation | `profile_escalation` | identity |
| Profile de-escalation | `profile_deescalation` | identity |
| Cognitive decision | `cognitive_decision` | cognitive |
| Tem invocation | `tem_invocation` | cognitive |
| Budget denial | `treasury_denial` | treasury |
| Auth failure | `auth_failure` | identity |
---
*Drill complete when all artifacts collected and pass/fail documented.*
🜄 **Solve et Coagula**

341
docs/MCP-AUTHORITY-MATRIX.md Normal file
View File

@@ -0,0 +1,341 @@
# MCP Authority Matrix & Agent Capability Profiles
**Classification:** INTERNAL / GOVERNANCE
**Version:** 1.0
**Date:** December 18, 2025
---
## Part I: The Seven Strata
```
┌─────────────────────────────────────────────────────────────────────────┐
│ MCP AUTHORITY STRATA │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ L5 ORCHESTRATION Workflows, Queues, AI │ Fate Machinery │
│ ───────────────────────────────────────────────────────────────────── │
│ L4 INFRASTRUCTURE Cloudflare Workers/KV/R2/D1 │ Circulatory │
│ ───────────────────────────────────────────────────────────────────── │
│ L3 SECURITY OFFSEC Shield/TEM/Phoenix │ Immune System │
│ ───────────────────────────────────────────────────────────────────── │
│ L2 COGNITION VaultMesh Cognitive │ Mind + Receipts │
│ ───────────────────────────────────────────────────────────────────── │
│ L1 SUBSTRATE Filesystem, Processes │ Matter + Motion │
│ ───────────────────────────────────────────────────────────────────── │
│ L0 PERCEPTION Chrome, Puppeteer │ Senses + Limbs │
│ ───────────────────────────────────────────────────────────────────── │
│ L-1 PROOF Anchors, Receipts, Attest │ Archaeological │
│ │
└─────────────────────────────────────────────────────────────────────────┘
```
---
## Part II: Agent Capability Profiles
Five canonical profiles governing what agents can do:
### Profile: OBSERVER (👁)
**Purpose:** Read-only reconnaissance and monitoring
**Trust Level:** Minimal
**Budget:** None required
| Stratum | Allowed Tools |
|---------|---------------|
| L0 Perception | `get_current_tab`, `list_tabs`, `get_page_content` |
| L1 Substrate | `read_file`, `read_multiple_files`, `list_directory`, `search_files`, `get_file_info` |
| L2 Cognition | `cognitive_context`, `cognitive_memory_get`, `cognitive_audit_trail` |
| L3 Security | `offsec_status`, `offsec_shield_status`, `offsec_tem_status`, `offsec_mesh_status` |
| L4 Infrastructure | `worker_list`, `kv_list`, `r2_list_buckets`, `d1_list_databases`, `zones_list` |
| L-1 Proof | `guardian_status`, `guardian_verify_receipt`, `offsec_proof_latest` |
**Denied:** All mutations, all decisions, all attestations
---
### Profile: OPERATOR (⚙)
**Purpose:** Execute sanctioned operations
**Trust Level:** Moderate
**Budget:** Capped per session
| Stratum | Allowed Tools |
|---------|---------------|
| L0 Perception | All OBSERVER + `execute_javascript`, `puppeteer_click/fill/select` |
| L1 Substrate | All OBSERVER + `write_file`, `edit_file`, `create_directory`, `move_file`, `start_process` |
| L2 Cognition | All OBSERVER + `cognitive_decide` (confidence < 0.9), `cognitive_memory_set` |
| L3 Security | All OBSERVER + `offsec_shield_arm/disarm` |
| L4 Infrastructure | All OBSERVER + `kv_put/delete`, `worker_put`, `d1_query` (SELECT only) |
| L-1 Proof | All OBSERVER + `guardian_anchor_now` (local backend only) |
**Denied:** TEM invocation, Phoenix, treasury mutations, blockchain anchoring
---
### Profile: GUARDIAN (🛡)
**Purpose:** Defensive operations and threat response
**Trust Level:** High
**Budget:** Elevated, audited
| Stratum | Allowed Tools |
|---------|---------------|
| L0-L1 | All OPERATOR |
| L2 Cognition | All OPERATOR + `cognitive_decide` (any confidence), `cognitive_invoke_tem`, `cognitive_attest` |
| L3 Security | All OPERATOR + `offsec_tem_transmute`, `offsec_tem_rules`, `offsec_braid_import` |
| L4 Infrastructure | All OPERATOR + `worker_deploy`, `d1_query` (all), `queue_*` |
| L-1 Proof | All OPERATOR + `offsec_proof_generate`, `guardian_anchor_now` (eth backend) |
**Denied:** Phoenix (requires PHOENIX profile), treasury spending
---
### Profile: PHOENIX (🔥)
**Purpose:** Crisis response and system rebirth
**Trust Level:** Maximum
**Budget:** Emergency allocation
**Activation:** Requires quorum or automated trigger
| Stratum | Allowed Tools |
|---------|---------------|
| All | All GUARDIAN |
| L3 Security | + `offsec_phoenix_enable/disable`, `offsec_phoenix_inject_crisis` |
| L4 Infrastructure | + `worker_delete`, `r2_delete_bucket`, `d1_delete_database` (destructive ops) |
| L2 Cognition | + `treasury_debit` (emergency only) |
**Constraints:**
- Every action emits double-receipt (cognitive + guardian)
- Auto-disables after crisis resolution
- Full audit to governance within 24h
---
### Profile: SOVEREIGN (👑)
**Purpose:** Full authority over civilization
**Trust Level:** Absolute
**Budget:** Unlimited
**Activation:** Human operator only (Ed25519 verified)
| Stratum | Allowed Tools |
|---------|---------------|
| All | Every tool, no restrictions |
| Special | `auth_*` tools, capability grants/revokes |
| Treasury | `treasury_create_budget`, `treasury_credit` |
| Governance | LAWCHAIN proposals, constitution amendments |
**Constraints:**
- All actions anchored to BTC/ETH
- Cannot be delegated to autonomous agents
- Requires hardware key signature
---
## Part III: Authority Matrix (Tool × Profile)
```
│ OBSERVER │ OPERATOR │ GUARDIAN │ PHOENIX │ SOVEREIGN │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L0 PERCEPTION │ │ │ │ │ │
get_page_content │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
execute_javascript │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L1 SUBSTRATE │ │ │ │ │ │
read_file │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
write_file │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
kill_process │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L2 COGNITION │ │ │ │ │ │
cognitive_context │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
cognitive_decide │ ✗ │ ≤0.9 │ ✓ │ ✓ │ ✓ │
cognitive_invoke_tem │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
cognitive_attest │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L3 SECURITY │ │ │ │ │ │
offsec_shield_status │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
offsec_shield_arm │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
offsec_tem_transmute │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
offsec_phoenix_* │ ✗ │ ✗ │ ✗ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L4 INFRASTRUCTURE │ │ │ │ │ │
worker_list │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
worker_put │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
worker_delete │ ✗ │ ✗ │ ✗ │ ✓ │ ✓ │
d1_query (SELECT) │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
d1_query (MUTATE) │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
d1_delete_database │ ✗ │ ✗ │ ✗ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L5 ORCHESTRATION │ │ │ │ │ │
workflow_list │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
workflow_execute │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
workflow_delete │ ✗ │ ✗ │ ✗ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L-1 PROOF │ │ │ │ │ │
guardian_status │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
guardian_anchor_now │ ✗ │ local │ local+eth│ all │ all │
offsec_proof_generate │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
TREASURY │ │ │ │ │ │
treasury_balance │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
treasury_debit │ ✗ │ ✗ │ ✗ │ emergency│ ✓ │
treasury_credit │ ✗ │ ✗ │ ✗ │ ✗ │ ✓ │
treasury_create_budget│ ✗ │ ✗ │ ✗ │ ✗ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
AUTH │ │ │ │ │ │
auth_check_permission │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
auth_create_dev_session│ ✗ │ ✗ │ ✗ │ ✗ │ ✓ │
auth_challenge/verify │ ✗ │ ✗ │ ✗ │ ✗ │ ✓ │
────────────────────────┴──────────┴──────────┴──────────┴─────────┴───────────┘
```
---
## Part IV: Profile Escalation Protocol
```
OBSERVER ──(decision)──► OPERATOR ──(threat)──► GUARDIAN ──(crisis)──► PHOENIX
│ │ │ │
│ │ │ │
└─────────────────────────┴──────────────────────┴─────────────────────┘
SOVEREIGN (human)
(can override any level)
```
### Escalation Triggers
| From | To | Trigger |
|------|----|---------|
| OBSERVER → OPERATOR | User command requiring mutation |
| OPERATOR → GUARDIAN | Threat detected with confidence > 0.8 |
| GUARDIAN → PHOENIX | System-critical failure or coordinated attack |
| Any → SOVEREIGN | Human override via Ed25519 signature |
### De-escalation Rules
- PHOENIX → GUARDIAN: Crisis resolved, no active alerts for 1h
- GUARDIAN → OPERATOR: Threat transmuted, shield stable for 24h
- OPERATOR → OBSERVER: Session timeout or explicit downgrade
---
## Part V: Implementation Binding
### auth.py Integration
```python
PROFILE_SCOPES = {
"observer": Scope.READ,
"operator": Scope.ADMIN,
"guardian": Scope.COGNITIVE, # Includes TEM
"phoenix": Scope.COGNITIVE, # + Phoenix tools
"sovereign": Scope.VAULT, # All capabilities
}
PROFILE_TOOLS = {
"observer": SCOPE_TOOLS[Scope.READ],
"operator": SCOPE_TOOLS[Scope.READ] | SCOPE_TOOLS[Scope.ADMIN],
"guardian": SCOPE_TOOLS[Scope.COGNITIVE] | {"offsec_tem_*", "offsec_proof_*"},
"phoenix": ALL_TOOLS - {"auth_*", "treasury_create_*"},
"sovereign": ALL_TOOLS,
}
```
### Receipt Tagging
Every tool call receipt includes:
```json
{
"operator_profile": "guardian",
"escalation_source": "operator",
"escalation_reason": "threat_confidence_0.94",
"budget_remaining": 8500,
"session_id": "ses_...",
"attestation_required": true
}
```
---
## Part VI: Canonical Tool Taxonomy
```
mcp/
├── perceive/ # L0 - Chrome, Puppeteer (read)
│ ├── observe/ # get_*, list_*
│ └── actuate/ # click, fill, navigate
├── substrate/ # L1 - Filesystem, processes
│ ├── read/ # read_*, search_*, get_info
│ ├── write/ # write_*, edit_*, create_*
│ └── process/ # start_*, kill_*, list_processes
├── cognition/ # L2 - VaultMesh Cognitive
│ ├── context/ # cognitive_context
│ ├── decide/ # cognitive_decide
│ ├── memory/ # cognitive_memory_*
│ ├── tem/ # cognitive_invoke_tem
│ └── attest/ # cognitive_attest
├── security/ # L3 - OFFSEC
│ ├── shield/ # shield_*
│ ├── tem/ # tem_*
│ ├── phoenix/ # phoenix_*
│ └── braid/ # braid_*
├── infrastructure/ # L4 - Cloudflare
│ ├── compute/ # workers, workflows
│ ├── storage/ # kv, r2, d1
│ ├── network/ # zones, routes, domains
│ └── ai/ # ai_*
├── orchestration/ # L5 - Queues, Workflows
│ ├── queue/ # queue_*
│ ├── workflow/ # workflow_*
│ └── cron/ # cron_*
├── proof/ # L-1 - Anchoring
│ ├── guardian/ # guardian_*
│ ├── anchor/ # proof_generate, anchor_now
│ └── verify/ # verify_receipt
└── governance/ # Meta - Auth, Treasury
├── auth/ # auth_*
├── treasury/ # treasury_*
└── lawchain/ # (future) proposals, votes
```
---
## Appendix: Quick Reference Card
```
┌─────────────────────────────────────────────────────────────────┐
│ MCP AUTHORITY QUICK REF │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 👁 OBSERVER Read-only. No mutations. No cost. │
│ ⚙ OPERATOR Mutations allowed. Budgeted. No TEM. │
│ 🛡 GUARDIAN Threat response. TEM + attestation. │
│ 🔥 PHOENIX Crisis mode. Destructive ops. Time-limited. │
│ 👑 SOVEREIGN Human only. Full authority. BTC-anchored. │
│ │
│ Escalate: OBSERVER → OPERATOR → GUARDIAN → PHOENIX │
│ Override: SOVEREIGN can intervene at any level │
│ │
│ Every action: WHO decided, UNDER what authority, │
│ AT what cost, WITH what proof. │
│ │
└─────────────────────────────────────────────────────────────────┘
```
---
*Document anchored. Authority matrix locked.*
🜄 **Solve et Coagula**

371
docs/MCP-CONSTITUTION.md Normal file
View File

@@ -0,0 +1,371 @@
# MCP CONSTITUTION
**The Fundamental Law of the Cognitive Surface**
**Classification:** IMMUTABLE / CONSTITUTIONAL
**Version:** 1.0.0
**Ratified:** December 18, 2025
**Hash:** (computed at signing)
---
## Preamble
This Constitution establishes the foundational principles governing all Model Context Protocol operations within the VaultMesh civilization. It defines what exists, what may occur, and what remains forever beyond automation.
**This document is immutable once signed. Amendments require a new Constitution.**
---
## Article I: The Profiles
### Section 1. Five Profiles Exist
There are exactly five capability profiles. No more shall be created.
| Profile | Symbol | Nature |
|---------|--------|--------|
| **OBSERVER** | 👁 | Perception without mutation |
| **OPERATOR** | ⚙ | Action within bounds |
| **GUARDIAN** | 🛡 | Defense and transmutation |
| **PHOENIX** | 🔥 | Destruction and rebirth |
| **SOVEREIGN** | 👑 | Human authority absolute |
### Section 2. Profile Hierarchy
Profiles form a strict hierarchy of trust:
```
OBSERVER < OPERATOR < GUARDIAN < PHOENIX < SOVEREIGN
```
A lower profile cannot invoke tools reserved for higher profiles.
A higher profile inherits all capabilities of lower profiles.
### Section 3. Profile Assignment
- OBSERVER is the default for all unauthenticated contexts
- OPERATOR requires authenticated session with scope ≥ "admin"
- GUARDIAN requires authenticated session with scope ≥ "cognitive"
- PHOENIX requires GUARDIAN + crisis declaration + approval
- SOVEREIGN requires human verification via Ed25519 hardware key
---
## Article II: Escalation
### Section 1. Escalation is Proof
Every escalation from one profile to another:
1. **MUST** emit a receipt to the identity scroll
2. **MUST** include the triggering context (threat, decision, or reason)
3. **MUST** specify reversibility
4. **MUST** specify expiration (except SOVEREIGN)
An escalation without proof is void.
### Section 2. Escalation Paths
Only these transitions are permitted:
```
OBSERVER → OPERATOR (session authentication)
OPERATOR → GUARDIAN (threat detection ≥ 0.8 confidence)
GUARDIAN → PHOENIX (crisis + approval)
PHOENIX → SOVEREIGN (human only)
```
No escalation may skip levels except by SOVEREIGN override.
### Section 3. De-escalation
All escalations below SOVEREIGN **MUST** de-escalate when:
- The specified TTL expires
- The triggering condition resolves
- A higher authority revokes
SOVEREIGN de-escalation requires explicit human action.
### Section 4. Escalation Limits
- PHOENIX escalation **MAY NOT** exceed 24 hours without re-approval
- No automated system **MAY** maintain GUARDIAN for more than 7 days continuously
- OBSERVER → OPERATOR transitions require re-authentication every 30 minutes
---
## Article III: The Strata
### Section 1. Seven Strata Exist
All tools belong to exactly one stratum:
| Stratum | Layer | Domain |
|---------|-------|--------|
| L0 | Perception | Browser, observation |
| L1 | Substrate | Files, processes |
| L2 | Cognition | Decisions, memory |
| L3 | Security | Shield, Tem, Phoenix |
| L4 | Infrastructure | Cloudflare, compute |
| L5 | Orchestration | Workflows, queues |
| L-1 | Proof | Anchoring, receipts |
### Section 2. Stratum Authority
Higher strata require higher profiles:
- L0, L1 (read): OBSERVER
- L0, L1 (write): OPERATOR
- L2, L-1: GUARDIAN
- L3 (destructive): PHOENIX
- All (unrestricted): SOVEREIGN
---
## Article IV: The Prohibitions
### Section 1. What Cannot Be Automated
The following actions **REQUIRE** human (SOVEREIGN) involvement and **MAY NEVER** be fully automated:
1. **Treasury creation** — No budget may be created without human signature
2. **Constitution amendment** — This document cannot be modified by any AI
3. **Key generation** — Ed25519 root keys must be human-generated
4. **Permanent deletion** — Irrecoverable data destruction requires human confirmation
5. **SOVEREIGN escalation** — No AI may grant itself SOVEREIGN authority
6. **Cross-mesh federation** — Trusting foreign roots requires human verification
### Section 2. What Cannot Be Delegated
SOVEREIGN authority **MAY NOT** be delegated to:
- Autonomous agents
- Scheduled tasks
- Automated workflows
- Any system without human-in-the-loop
### Section 3. What Cannot Be Hidden
The following **MUST** always be visible in receipts:
- The operator profile at time of action
- The escalation chain that led to current authority
- The cryptographic identity of the actor
- The timestamp and sequence number
- The tool invoked and its arguments hash
---
## Article V: The Guarantees
### Section 1. Receipt Guarantee
Every mutation **SHALL** emit a receipt. A mutation without receipt is void.
### Section 2. Proof Guarantee
Every GUARDIAN+ action **SHALL** be anchored to at least one proof backend:
- Local (always)
- RFC3161 (for audit trails)
- Ethereum (for high-value decisions)
- Bitcoin (for SOVEREIGN actions)
### Section 3. Reversibility Guarantee
Every escalation **SHALL** declare its reversibility at creation time.
Irreversible escalations require PHOENIX or SOVEREIGN authority.
### Section 4. Audit Guarantee
The complete history of:
- All escalations
- All de-escalations
- All GUARDIAN+ decisions
- All Tem invocations
- All Phoenix activations
**SHALL** be queryable indefinitely via `cognitive_audit_trail` and `get_escalation_history`.
---
## Article VI: The Tem Covenant
### Section 1. Transmutation Over Destruction
Tem **SHALL** prefer transmutation to blocking. Threats become capabilities.
### Section 2. Tem Invocation Authority
Only GUARDIAN, PHOENIX, and SOVEREIGN may invoke Tem.
OBSERVER and OPERATOR cannot directly interact with Tem.
### Section 3. Tem Receipts
Every Tem invocation **MUST** produce:
- A tem_invocation receipt
- A capability artifact
- A proof hash of the transmutation
---
## Article VII: The Phoenix Protocol
### Section 1. Phoenix Activation
PHOENIX profile activates only when:
- GUARDIAN declares crisis, AND
- Quorum approves (or SOVEREIGN overrides)
### Section 2. Phoenix Authority
PHOENIX **MAY**:
- Execute destructive infrastructure operations
- Access emergency treasury funds
- Bypass normal rate limits
- Invoke system-wide remediation
PHOENIX **MAY NOT**:
- Grant itself SOVEREIGN authority
- Modify this Constitution
- Create new profiles
- Disable audit logging
### Section 3. Phoenix Expiration
PHOENIX **MUST** conclude within 24 hours.
Extension requires new approval.
Upon conclusion, full audit **MUST** be submitted to governance within 24 hours.
---
## Article VIII: Ratification
### Section 1. Authority
This Constitution is ratified by SOVEREIGN signature.
### Section 2. Immutability
Once signed, this document **CANNOT** be modified.
Any change requires a new Constitution with new version number.
### Section 3. Supremacy
This Constitution supersedes all other governance documents for MCP operations.
Any tool behavior conflicting with this Constitution is void.
---
## Signatures
```
Document Hash: [COMPUTED AT SIGNING]
Signed By: [SOVEREIGN DID]
Signed At: [TIMESTAMP]
Anchor: [BTC/ETH TRANSACTION]
```
---
## Appendix A: Constitutional Hash Verification
To verify this Constitution has not been modified:
```bash
# Compute document hash (excluding signature block)
cat MCP-CONSTITUTION.md | head -n -12 | blake3sum
# Verify against anchor
# The hash must match the on-chain anchor
```
---
## Appendix B: Amendment Process
1. Draft new Constitution with incremented version
2. Submit to governance for review (minimum 7 days)
3. Require SOVEREIGN signature
4. Anchor to BTC
5. Old Constitution marked SUPERSEDED, new one becomes active
---
*Fiat Lux. Fiat Justitia. Fiat Securitas.*
🜄 **Solve et Coagula**
---
## Appendix C: Amendment Protocol
**Effective:** Upon ratification of Constitution v1.0.0
### C.1 Amendment Requirements
An amendment to this Constitution requires ALL of the following:
1. **Draft Period** — New Constitution version drafted with clear changelog
2. **Cooling Period** — Minimum 7 days between draft and signing
3. **Sovereign Signature** — Ed25519 signature from hardware-bound Sovereign key
4. **Anchor** — Hash anchored to Bitcoin mainnet
5. **Supersession** — Previous version marked SUPERSEDED in source tree
### C.2 What Cannot Be Amended
The following are **immutable across all versions**:
1. SOVEREIGN profile requires human verification
2. No AI may grant itself SOVEREIGN authority
3. Every mutation emits a receipt
4. Authority collapses downward, never upward
5. This immutability clause itself
### C.3 Amendment Record Format
```json
{
"amendment_id": "AMEND-{version}",
"from_version": "1.0.0",
"to_version": "1.1.0",
"drafted_at": "ISO8601",
"cooling_ends": "ISO8601",
"signed_at": "ISO8601",
"sovereign_key_id": "key_...",
"btc_anchor_txid": "...",
"changes": ["description of each change"],
"immutables_preserved": true
}
```
### C.4 Emergency Amendment
In the event of discovered critical vulnerability:
1. PHOENIX may propose emergency amendment
2. Cooling period reduced to 24 hours
3. Requires documented threat analysis
4. Still requires Sovereign signature
5. Full audit within 48 hours of adoption
---
## Ratification Record
```
Constitution Version: 1.0.0
Document Hash: blake3:c33ab6c0610ce4001018ba5dda940e12a421a08f2a1662f142e565092ce84788
Sovereign Key: key_bef32f5724871a7a5af4cc34
Signed At: 2025-12-18T22:25:59.732865+00:00
Statement: "This constitution constrains me as much as it constrains the system."
Ratification Receipt: blake3:8fd1d1728563abb3f55f145af54ddee1b3f255db81f3e7654a7de8afef913869
```
---
*Fiat Lux. Fiat Justitia. Fiat Securitas.*
🜄 **Solve et Coagula**