vaultsovereign/vm-mcp
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

init: vaultmesh mcp server
Some checks are pending
Governance CI / Constitution Hash Gate (push) Waiting to run
Details
Governance CI / Governance Tests (push) Blocked by required conditions
Details
Governance CI / Golden Drill Mini (push) Blocked by required conditions
Details

Browse Source
This commit is contained in:
Vault Sovereign
2025-12-26 23:23:08 +00:00
commit e4871c2a29
35 changed files with 6511 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

341
docs/MCP-AUTHORITY-MATRIX.md Normal file
View File

@@ -0,0 +1,341 @@
# MCP Authority Matrix & Agent Capability Profiles
**Classification:** INTERNAL / GOVERNANCE
**Version:** 1.0
**Date:** December 18, 2025
---
## Part I: The Seven Strata
```
┌─────────────────────────────────────────────────────────────────────────┐
│ MCP AUTHORITY STRATA │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ L5 ORCHESTRATION Workflows, Queues, AI │ Fate Machinery │
│ ───────────────────────────────────────────────────────────────────── │
│ L4 INFRASTRUCTURE Cloudflare Workers/KV/R2/D1 │ Circulatory │
│ ───────────────────────────────────────────────────────────────────── │
│ L3 SECURITY OFFSEC Shield/TEM/Phoenix │ Immune System │
│ ───────────────────────────────────────────────────────────────────── │
│ L2 COGNITION VaultMesh Cognitive │ Mind + Receipts │
│ ───────────────────────────────────────────────────────────────────── │
│ L1 SUBSTRATE Filesystem, Processes │ Matter + Motion │
│ ───────────────────────────────────────────────────────────────────── │
│ L0 PERCEPTION Chrome, Puppeteer │ Senses + Limbs │
│ ───────────────────────────────────────────────────────────────────── │
│ L-1 PROOF Anchors, Receipts, Attest │ Archaeological │
│ │
└─────────────────────────────────────────────────────────────────────────┘
```
---
## Part II: Agent Capability Profiles
Five canonical profiles governing what agents can do:
### Profile: OBSERVER (👁)
**Purpose:** Read-only reconnaissance and monitoring
**Trust Level:** Minimal
**Budget:** None required
| Stratum | Allowed Tools |
|---------|---------------|
| L0 Perception | `get_current_tab`, `list_tabs`, `get_page_content` |
| L1 Substrate | `read_file`, `read_multiple_files`, `list_directory`, `search_files`, `get_file_info` |
| L2 Cognition | `cognitive_context`, `cognitive_memory_get`, `cognitive_audit_trail` |
| L3 Security | `offsec_status`, `offsec_shield_status`, `offsec_tem_status`, `offsec_mesh_status` |
| L4 Infrastructure | `worker_list`, `kv_list`, `r2_list_buckets`, `d1_list_databases`, `zones_list` |
| L-1 Proof | `guardian_status`, `guardian_verify_receipt`, `offsec_proof_latest` |
**Denied:** All mutations, all decisions, all attestations
---
### Profile: OPERATOR (⚙)
**Purpose:** Execute sanctioned operations
**Trust Level:** Moderate
**Budget:** Capped per session
| Stratum | Allowed Tools |
|---------|---------------|
| L0 Perception | All OBSERVER + `execute_javascript`, `puppeteer_click/fill/select` |
| L1 Substrate | All OBSERVER + `write_file`, `edit_file`, `create_directory`, `move_file`, `start_process` |
| L2 Cognition | All OBSERVER + `cognitive_decide` (confidence < 0.9), `cognitive_memory_set` |
| L3 Security | All OBSERVER + `offsec_shield_arm/disarm` |
| L4 Infrastructure | All OBSERVER + `kv_put/delete`, `worker_put`, `d1_query` (SELECT only) |
| L-1 Proof | All OBSERVER + `guardian_anchor_now` (local backend only) |
**Denied:** TEM invocation, Phoenix, treasury mutations, blockchain anchoring
---
### Profile: GUARDIAN (🛡)
**Purpose:** Defensive operations and threat response
**Trust Level:** High
**Budget:** Elevated, audited
| Stratum | Allowed Tools |
|---------|---------------|
| L0-L1 | All OPERATOR |
| L2 Cognition | All OPERATOR + `cognitive_decide` (any confidence), `cognitive_invoke_tem`, `cognitive_attest` |
| L3 Security | All OPERATOR + `offsec_tem_transmute`, `offsec_tem_rules`, `offsec_braid_import` |
| L4 Infrastructure | All OPERATOR + `worker_deploy`, `d1_query` (all), `queue_*` |
| L-1 Proof | All OPERATOR + `offsec_proof_generate`, `guardian_anchor_now` (eth backend) |
**Denied:** Phoenix (requires PHOENIX profile), treasury spending
---
### Profile: PHOENIX (🔥)
**Purpose:** Crisis response and system rebirth
**Trust Level:** Maximum
**Budget:** Emergency allocation
**Activation:** Requires quorum or automated trigger
| Stratum | Allowed Tools |
|---------|---------------|
| All | All GUARDIAN |
| L3 Security | + `offsec_phoenix_enable/disable`, `offsec_phoenix_inject_crisis` |
| L4 Infrastructure | + `worker_delete`, `r2_delete_bucket`, `d1_delete_database` (destructive ops) |
| L2 Cognition | + `treasury_debit` (emergency only) |
**Constraints:**
- Every action emits double-receipt (cognitive + guardian)
- Auto-disables after crisis resolution
- Full audit to governance within 24h
---
### Profile: SOVEREIGN (👑)
**Purpose:** Full authority over civilization
**Trust Level:** Absolute
**Budget:** Unlimited
**Activation:** Human operator only (Ed25519 verified)
| Stratum | Allowed Tools |
|---------|---------------|
| All | Every tool, no restrictions |
| Special | `auth_*` tools, capability grants/revokes |
| Treasury | `treasury_create_budget`, `treasury_credit` |
| Governance | LAWCHAIN proposals, constitution amendments |
**Constraints:**
- All actions anchored to BTC/ETH
- Cannot be delegated to autonomous agents
- Requires hardware key signature
---
## Part III: Authority Matrix (Tool × Profile)
```
│ OBSERVER │ OPERATOR │ GUARDIAN │ PHOENIX │ SOVEREIGN │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L0 PERCEPTION │ │ │ │ │ │
get_page_content │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
execute_javascript │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L1 SUBSTRATE │ │ │ │ │ │
read_file │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
write_file │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
kill_process │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L2 COGNITION │ │ │ │ │ │
cognitive_context │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
cognitive_decide │ ✗ │ ≤0.9 │ ✓ │ ✓ │ ✓ │
cognitive_invoke_tem │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
cognitive_attest │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L3 SECURITY │ │ │ │ │ │
offsec_shield_status │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
offsec_shield_arm │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
offsec_tem_transmute │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
offsec_phoenix_* │ ✗ │ ✗ │ ✗ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L4 INFRASTRUCTURE │ │ │ │ │ │
worker_list │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
worker_put │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
worker_delete │ ✗ │ ✗ │ ✗ │ ✓ │ ✓ │
d1_query (SELECT) │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
d1_query (MUTATE) │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
d1_delete_database │ ✗ │ ✗ │ ✗ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L5 ORCHESTRATION │ │ │ │ │ │
workflow_list │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
workflow_execute │ ✗ │ ✓ │ ✓ │ ✓ │ ✓ │
workflow_delete │ ✗ │ ✗ │ ✗ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L-1 PROOF │ │ │ │ │ │
guardian_status │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
guardian_anchor_now │ ✗ │ local │ local+eth│ all │ all │
offsec_proof_generate │ ✗ │ ✗ │ ✓ │ ✓ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
TREASURY │ │ │ │ │ │
treasury_balance │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
treasury_debit │ ✗ │ ✗ │ ✗ │ emergency│ ✓ │
treasury_credit │ ✗ │ ✗ │ ✗ │ ✗ │ ✓ │
treasury_create_budget│ ✗ │ ✗ │ ✗ │ ✗ │ ✓ │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
AUTH │ │ │ │ │ │
auth_check_permission │ ✓ │ ✓ │ ✓ │ ✓ │ ✓ │
auth_create_dev_session│ ✗ │ ✗ │ ✗ │ ✗ │ ✓ │
auth_challenge/verify │ ✗ │ ✗ │ ✗ │ ✗ │ ✓ │
────────────────────────┴──────────┴──────────┴──────────┴─────────┴───────────┘
```
---
## Part IV: Profile Escalation Protocol
```
OBSERVER ──(decision)──► OPERATOR ──(threat)──► GUARDIAN ──(crisis)──► PHOENIX
│ │ │ │
│ │ │ │
└─────────────────────────┴──────────────────────┴─────────────────────┘
SOVEREIGN (human)
(can override any level)
```
### Escalation Triggers
| From | To | Trigger |
|------|----|---------|
| OBSERVER → OPERATOR | User command requiring mutation |
| OPERATOR → GUARDIAN | Threat detected with confidence > 0.8 |
| GUARDIAN → PHOENIX | System-critical failure or coordinated attack |
| Any → SOVEREIGN | Human override via Ed25519 signature |
### De-escalation Rules
- PHOENIX → GUARDIAN: Crisis resolved, no active alerts for 1h
- GUARDIAN → OPERATOR: Threat transmuted, shield stable for 24h
- OPERATOR → OBSERVER: Session timeout or explicit downgrade
---
## Part V: Implementation Binding
### auth.py Integration
```python
PROFILE_SCOPES = {
"observer": Scope.READ,
"operator": Scope.ADMIN,
"guardian": Scope.COGNITIVE, # Includes TEM
"phoenix": Scope.COGNITIVE, # + Phoenix tools
"sovereign": Scope.VAULT, # All capabilities
}
PROFILE_TOOLS = {
"observer": SCOPE_TOOLS[Scope.READ],
"operator": SCOPE_TOOLS[Scope.READ] | SCOPE_TOOLS[Scope.ADMIN],
"guardian": SCOPE_TOOLS[Scope.COGNITIVE] | {"offsec_tem_*", "offsec_proof_*"},
"phoenix": ALL_TOOLS - {"auth_*", "treasury_create_*"},
"sovereign": ALL_TOOLS,
}
```
### Receipt Tagging
Every tool call receipt includes:
```json
{
"operator_profile": "guardian",
"escalation_source": "operator",
"escalation_reason": "threat_confidence_0.94",
"budget_remaining": 8500,
"session_id": "ses_...",
"attestation_required": true
}
```
---
## Part VI: Canonical Tool Taxonomy
```
mcp/
├── perceive/ # L0 - Chrome, Puppeteer (read)
│ ├── observe/ # get_*, list_*
│ └── actuate/ # click, fill, navigate
├── substrate/ # L1 - Filesystem, processes
│ ├── read/ # read_*, search_*, get_info
│ ├── write/ # write_*, edit_*, create_*
│ └── process/ # start_*, kill_*, list_processes
├── cognition/ # L2 - VaultMesh Cognitive
│ ├── context/ # cognitive_context
│ ├── decide/ # cognitive_decide
│ ├── memory/ # cognitive_memory_*
│ ├── tem/ # cognitive_invoke_tem
│ └── attest/ # cognitive_attest
├── security/ # L3 - OFFSEC
│ ├── shield/ # shield_*
│ ├── tem/ # tem_*
│ ├── phoenix/ # phoenix_*
│ └── braid/ # braid_*
├── infrastructure/ # L4 - Cloudflare
│ ├── compute/ # workers, workflows
│ ├── storage/ # kv, r2, d1
│ ├── network/ # zones, routes, domains
│ └── ai/ # ai_*
├── orchestration/ # L5 - Queues, Workflows
│ ├── queue/ # queue_*
│ ├── workflow/ # workflow_*
│ └── cron/ # cron_*
├── proof/ # L-1 - Anchoring
│ ├── guardian/ # guardian_*
│ ├── anchor/ # proof_generate, anchor_now
│ └── verify/ # verify_receipt
└── governance/ # Meta - Auth, Treasury
├── auth/ # auth_*
├── treasury/ # treasury_*
└── lawchain/ # (future) proposals, votes
```
---
## Appendix: Quick Reference Card
```
┌─────────────────────────────────────────────────────────────────┐
│ MCP AUTHORITY QUICK REF │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 👁 OBSERVER Read-only. No mutations. No cost. │
│ ⚙ OPERATOR Mutations allowed. Budgeted. No TEM. │
│ 🛡 GUARDIAN Threat response. TEM + attestation. │
│ 🔥 PHOENIX Crisis mode. Destructive ops. Time-limited. │
│ 👑 SOVEREIGN Human only. Full authority. BTC-anchored. │
│ │
│ Escalate: OBSERVER → OPERATOR → GUARDIAN → PHOENIX │
│ Override: SOVEREIGN can intervene at any level │
│ │
│ Every action: WHO decided, UNDER what authority, │
│ AT what cost, WITH what proof. │
│ │
└─────────────────────────────────────────────────────────────────┘
```
---
*Document anchored. Authority matrix locked.*
🜄 **Solve et Coagula**