# MCP Authority Matrix & Agent Capability Profiles

**Classification:** INTERNAL / GOVERNANCE
**Version:** 1.0
**Date:** December 18, 2025

---

## Part I: The Seven Strata

```
┌─────────────────────────────────────────────────────────────────────────┐
│                          MCP AUTHORITY STRATA                           │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  L5   ORCHESTRATION   Workflows, Queues, AI           │ Fate Machinery  │
│  ─────────────────────────────────────────────────────────────────────  │
│  L4   INFRASTRUCTURE  Cloudflare Workers/KV/R2/D1     │ Circulatory     │
│  ─────────────────────────────────────────────────────────────────────  │
│  L3   SECURITY        OFFSEC Shield/TEM/Phoenix       │ Immune System   │
│  ─────────────────────────────────────────────────────────────────────  │
│  L2   COGNITION       VaultMesh Cognitive             │ Mind + Receipts │
│  ─────────────────────────────────────────────────────────────────────  │
│  L1   SUBSTRATE       Filesystem, Processes           │ Matter + Motion │
│  ─────────────────────────────────────────────────────────────────────  │
│  L0   PERCEPTION      Chrome, Puppeteer               │ Senses + Limbs  │
│  ─────────────────────────────────────────────────────────────────────  │
│  L-1  PROOF           Anchors, Receipts, Attest       │ Archaeological  │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘
```

---

## Part II: Agent Capability Profiles

Five canonical profiles governing what agents can do:

### Profile: OBSERVER (👁)

**Purpose:** Read-only reconnaissance and monitoring
**Trust Level:** Minimal
**Budget:** None required

| Stratum | Allowed Tools |
|---------|---------------|
| L0 Perception | `get_current_tab`, `list_tabs`, `get_page_content` |
| L1 Substrate | `read_file`, `read_multiple_files`, `list_directory`, `search_files`, `get_file_info` |
| L2 Cognition | `cognitive_context`, `cognitive_memory_get`, `cognitive_audit_trail` |
| L3 Security | `offsec_status`, `offsec_shield_status`, `offsec_tem_status`, `offsec_mesh_status` |
| L4 Infrastructure | `worker_list`, `kv_list`, `r2_list_buckets`, `d1_list_databases`, `zones_list` |
| L-1 Proof | `guardian_status`, `guardian_verify_receipt`, `offsec_proof_latest` |

**Denied:** All mutations, all decisions, all attestations

---

### Profile: OPERATOR (⚙)

**Purpose:** Execute sanctioned operations
**Trust Level:** Moderate
**Budget:** Capped per session

| Stratum | Allowed Tools |
|---------|---------------|
| L0 Perception | All OBSERVER + `execute_javascript`, `puppeteer_click/fill/select` |
| L1 Substrate | All OBSERVER + `write_file`, `edit_file`, `create_directory`, `move_file`, `start_process` |
| L2 Cognition | All OBSERVER + `cognitive_decide` (confidence < 0.9), `cognitive_memory_set` |
| L3 Security | All OBSERVER + `offsec_shield_arm/disarm` |
| L4 Infrastructure | All OBSERVER + `kv_put/delete`, `worker_put`, `d1_query` (SELECT only) |
| L-1 Proof | All OBSERVER + `guardian_anchor_now` (local backend only) |

**Denied:** TEM invocation, Phoenix, treasury mutations, blockchain anchoring

---

### Profile: GUARDIAN (🛡)

**Purpose:** Defensive operations and threat response
**Trust Level:** High
**Budget:** Elevated, audited

| Stratum | Allowed Tools |
|---------|---------------|
| L0-L1 | All OPERATOR |
| L2 Cognition | All OPERATOR + `cognitive_decide` (any confidence), `cognitive_invoke_tem`, `cognitive_attest` |
| L3 Security | All OPERATOR + `offsec_tem_transmute`, `offsec_tem_rules`, `offsec_braid_import` |
| L4 Infrastructure | All OPERATOR + `worker_deploy`, `d1_query` (all), `queue_*` |
| L-1 Proof | All OPERATOR + `offsec_proof_generate`, `guardian_anchor_now` (eth backend) |

**Denied:** Phoenix (requires PHOENIX profile), treasury spending

---

### Profile: PHOENIX (🔥)

**Purpose:** Crisis response and system rebirth
**Trust Level:** Maximum
**Budget:** Emergency allocation
**Activation:** Requires quorum or automated trigger

| Stratum | Allowed Tools |
|---------|---------------|
| All | All GUARDIAN |
| L3 Security | + `offsec_phoenix_enable/disable`, `offsec_phoenix_inject_crisis` |
| L4 Infrastructure | + `worker_delete`, `r2_delete_bucket`, `d1_delete_database` (destructive ops) |
| L2 Cognition | + `treasury_debit` (emergency only) |

**Constraints:**

- Every action emits double-receipt (cognitive + guardian)
- Auto-disables after crisis resolution
- Full audit to governance within 24h

---

### Profile: SOVEREIGN (👑)

**Purpose:** Full authority over civilization
**Trust Level:** Absolute
**Budget:** Unlimited
**Activation:** Human operator only (Ed25519 verified)

| Stratum | Allowed Tools |
|---------|---------------|
| All | Every tool, no restrictions |
| Special | `auth_*` tools, capability grants/revokes |
| Treasury | `treasury_create_budget`, `treasury_credit` |
| Governance | LAWCHAIN proposals, constitution amendments |

**Constraints:**

- All actions anchored to BTC/ETH
- Cannot be delegated to autonomous agents
- Requires hardware key signature

---

## Part III: Authority Matrix (Tool × Profile)

```
                        │ OBSERVER │ OPERATOR │ GUARDIAN │ PHOENIX │ SOVEREIGN │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L0 PERCEPTION           │          │          │          │         │           │
  get_page_content      │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  execute_javascript    │    ✗     │    ✓     │    ✓     │    ✓    │     ✓     │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L1 SUBSTRATE            │          │          │          │         │           │
  read_file             │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  write_file            │    ✗     │    ✓     │    ✓     │    ✓    │     ✓     │
  kill_process          │    ✗     │    ✗     │    ✓     │    ✓    │     ✓     │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L2 COGNITION            │          │          │          │         │           │
  cognitive_context     │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  cognitive_decide      │    ✗     │   ≤0.9   │    ✓     │    ✓    │     ✓     │
  cognitive_invoke_tem  │    ✗     │    ✗     │    ✓     │    ✓    │     ✓     │
  cognitive_attest      │    ✗     │    ✗     │    ✓     │    ✓    │     ✓     │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L3 SECURITY             │          │          │          │         │           │
  offsec_shield_status  │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  offsec_shield_arm     │    ✗     │    ✓     │    ✓     │    ✓    │     ✓     │
  offsec_tem_transmute  │    ✗     │    ✗     │    ✓     │    ✓    │     ✓     │
  offsec_phoenix_*      │    ✗     │    ✗     │    ✗     │    ✓    │     ✓     │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L4 INFRASTRUCTURE       │          │          │          │         │           │
  worker_list           │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  worker_put            │    ✗     │    ✓     │    ✓     │    ✓    │     ✓     │
  worker_delete         │    ✗     │    ✗     │    ✗     │    ✓    │     ✓     │
  d1_query (SELECT)     │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  d1_query (MUTATE)     │    ✗     │    ✗     │    ✓     │    ✓    │     ✓     │
  d1_delete_database    │    ✗     │    ✗     │    ✗     │    ✓    │     ✓     │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L5 ORCHESTRATION        │          │          │          │         │           │
  workflow_list         │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  workflow_execute      │    ✗     │    ✓     │    ✓     │    ✓    │     ✓     │
  workflow_delete       │    ✗     │    ✗     │    ✗     │    ✓    │     ✓     │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
L-1 PROOF               │          │          │          │         │           │
  guardian_status       │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  guardian_anchor_now   │    ✗     │  local   │ local+eth│   all   │    all    │
  offsec_proof_generate │    ✗     │    ✗     │    ✓     │    ✓    │     ✓     │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
TREASURY                │          │          │          │         │           │
  treasury_balance      │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
  treasury_debit        │    ✗     │    ✗     │    ✗     │emergency│     ✓     │
  treasury_credit       │    ✗     │    ✗     │    ✗     │    ✗    │     ✓     │
  treasury_create_budget│    ✗     │    ✗     │    ✗     │    ✗    │     ✓     │
────────────────────────┼──────────┼──────────┼──────────┼─────────┼───────────┤
AUTH                    │          │          │          │         │           │
  auth_check_permission │    ✓     │    ✓     │    ✓     │    ✓    │     ✓     │
 auth_create_dev_session│    ✗     │    ✗     │    ✗     │    ✗    │     ✓     │
  auth_challenge/verify │    ✗     │    ✗     │    ✗     │    ✗    │     ✓     │
────────────────────────┴──────────┴──────────┴──────────┴─────────┴───────────┘
```

---

## Part IV: Profile Escalation Protocol

```
OBSERVER ──(decision)──► OPERATOR ──(threat)──► GUARDIAN ──(crisis)──► PHOENIX
    │                        │                      │                     │
    │                        │                      │                     │
    └────────────────────────┴──────────────────────┴─────────────────────┘
                                       │
                                       ▼
                               SOVEREIGN (human)
                           (can override any level)
```

### Escalation Triggers

| From | To | Trigger |
|------|----|---------|
| OBSERVER | OPERATOR | User command requiring mutation |
| OPERATOR | GUARDIAN | Threat detected with confidence > 0.8 |
| GUARDIAN | PHOENIX | System-critical failure or coordinated attack |
| Any | SOVEREIGN | Human override via Ed25519 signature |

### De-escalation Rules

- PHOENIX → GUARDIAN: Crisis resolved, no active alerts for 1h
- GUARDIAN → OPERATOR: Threat transmuted, shield stable for 24h
- OPERATOR → OBSERVER: Session timeout or explicit downgrade

---

## Part V: Implementation Binding

### auth.py Integration

```python
PROFILE_SCOPES = {
    "observer": Scope.READ,
    "operator": Scope.ADMIN,
    "guardian": Scope.COGNITIVE,  # Includes TEM
    "phoenix": Scope.COGNITIVE,   # + Phoenix tools
    "sovereign": Scope.VAULT,     # All capabilities
}

PROFILE_TOOLS = {
    "observer": SCOPE_TOOLS[Scope.READ],
    "operator": SCOPE_TOOLS[Scope.READ] | SCOPE_TOOLS[Scope.ADMIN],
    "guardian": SCOPE_TOOLS[Scope.COGNITIVE] | {"offsec_tem_*", "offsec_proof_*"},
    "phoenix": ALL_TOOLS - {"auth_*", "treasury_create_*"},
    "sovereign": ALL_TOOLS,
}
```

### Receipt Tagging

Every tool call receipt includes:

```json
{
  "operator_profile": "guardian",
  "escalation_source": "operator",
  "escalation_reason": "threat_confidence_0.94",
  "budget_remaining": 8500,
  "session_id": "ses_...",
  "attestation_required": true
}
```

---

## Part VI: Canonical Tool Taxonomy

```
mcp/
├── perceive/           # L0 - Chrome, Puppeteer (read)
│   ├── observe/        # get_*, list_*
│   └── actuate/        # click, fill, navigate
│
├── substrate/          # L1 - Filesystem, processes
│   ├── read/           # read_*, search_*, get_info
│   ├── write/          # write_*, edit_*, create_*
│   └── process/        # start_*, kill_*, list_processes
│
├── cognition/          # L2 - VaultMesh Cognitive
│   ├── context/        # cognitive_context
│   ├── decide/         # cognitive_decide
│   ├── memory/         # cognitive_memory_*
│   ├── tem/            # cognitive_invoke_tem
│   └── attest/         # cognitive_attest
│
├── security/           # L3 - OFFSEC
│   ├── shield/         # shield_*
│   ├── tem/            # tem_*
│   ├── phoenix/        # phoenix_*
│   └── braid/          # braid_*
│
├── infrastructure/     # L4 - Cloudflare
│   ├── compute/        # workers, workflows
│   ├── storage/        # kv, r2, d1
│   ├── network/        # zones, routes, domains
│   └── ai/             # ai_*
│
├── orchestration/      # L5 - Queues, Workflows
│   ├── queue/          # queue_*
│   ├── workflow/       # workflow_*
│   └── cron/           # cron_*
│
├── proof/              # L-1 - Anchoring
│   ├── guardian/       # guardian_*
│   ├── anchor/         # proof_generate, anchor_now
│   └── verify/         # verify_receipt
│
└── governance/         # Meta - Auth, Treasury
    ├── auth/           # auth_*
    ├── treasury/       # treasury_*
    └── lawchain/       # (future) proposals, votes
```

---

## Appendix: Quick Reference Card

```
┌─────────────────────────────────────────────────────────────────┐
│                     MCP AUTHORITY QUICK REF                     │
├─────────────────────────────────────────────────────────────────┤
│                                                                 │
│  👁   OBSERVER   Read-only. No mutations. No cost.               │
│  ⚙   OPERATOR   Mutations allowed. Budgeted. No TEM.            │
│  🛡   GUARDIAN   Threat response. TEM + attestation.             │
│  🔥  PHOENIX    Crisis mode. Destructive ops. Time-limited.     │
│  👑  SOVEREIGN  Human only. Full authority. BTC-anchored.       │
│                                                                 │
│  Escalate: OBSERVER → OPERATOR → GUARDIAN → PHOENIX             │
│  Override: SOVEREIGN can intervene at any level                 │
│                                                                 │
│  Every action: WHO decided, UNDER what authority,               │
│                AT what cost, WITH what proof.                   │
│                                                                 │
└─────────────────────────────────────────────────────────────────┘
```

---

*Document anchored. Authority matrix locked.*

🜄 **Solve et Coagula**
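
---

For the Part V implementation binding above, an added example (not code from `auth.py`): a deny-by-default check that resolves glob entries such as `offsec_tem_*` against concrete tool names and enforces the conditional cells of the Part III matrix (`≤0.9`, `local`, `local+eth`, `emergency`). The registry subset, the `args` keys (`confidence`, `backend`, `emergency`) and every function name here are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Constructed registry: a few concrete tool names taken from the Part III matrix.
ALL_TOOLS = {
    "read_file", "write_file", "cognitive_decide", "guardian_anchor_now",
    "offsec_tem_transmute", "offsec_tem_rules", "offsec_phoenix_enable",
    "treasury_debit", "treasury_create_budget", "auth_create_dev_session",
}

def expand(patterns, registry=ALL_TOOLS):
    """Resolve glob entries such as 'offsec_tem_*' to concrete tool names."""
    return {t for t in registry if any(fnmatchcase(t, p) for p in patterns)}

def without(patterns, registry=ALL_TOOLS):
    """Pattern-aware subtraction. Plain set difference only removes literal
    strings, so `registry - {"auth_*"}` would leave every auth tool in place."""
    return registry - expand(patterns, registry)

# Escalation order; each profile inherits the grants of those before it.
# SOVEREIGN is human-only (Part II), so this agent-side check never grants it.
ORDER = ["observer", "operator", "guardian", "phoenix"]
GRANTS = {
    "observer": {"read_file"},
    "operator": {"write_file", "cognitive_decide", "guardian_anchor_now"},
    "guardian": {"offsec_tem_*"},
    "phoenix": {"offsec_phoenix_*", "treasury_debit"},
}

def profile_tools(profile):
    """Concrete tools for a profile: its own grants plus everything inherited."""
    inherited = ORDER[: ORDER.index(profile) + 1]
    return set().union(*(expand(GRANTS[p]) for p in inherited))

# Conditional matrix cells. The args keys are assumed names; a missing
# confidence defaults to 1.0 so the check fails closed.
CONDITIONS = {
    ("operator", "cognitive_decide"): lambda a: a.get("confidence", 1.0) <= 0.9,
    ("operator", "guardian_anchor_now"): lambda a: a.get("backend") == "local",
    ("guardian", "guardian_anchor_now"): lambda a: a.get("backend") in {"local", "eth"},
    ("phoenix", "treasury_debit"): lambda a: a.get("emergency") is True,
}

def authorize(profile, tool, args=None):
    """Deny by default: unknown profile, ungranted tool or failed condition."""
    if profile not in ORDER or tool not in profile_tools(profile):
        return False
    check = CONDITIONS.get((profile, tool))
    return check(args or {}) if check else True
```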