MCP Authority Matrix & Agent Capability Profiles
Classification: INTERNAL / GOVERNANCE
Version: 1.0
Date: December 18, 2025
Part I: The Seven Strata
┌─────────────────────────────────────────────────────────────────────────┐
│ MCP AUTHORITY STRATA │
├─────────────────────────────────────────────────────────────────────────┤
│ │
│ L5 ORCHESTRATION Workflows, Queues, AI │ Fate Machinery │
│ ───────────────────────────────────────────────────────────────────── │
│ L4 INFRASTRUCTURE Cloudflare Workers/KV/R2/D1 │ Circulatory │
│ ───────────────────────────────────────────────────────────────────── │
│ L3 SECURITY OFFSEC Shield/TEM/Phoenix │ Immune System │
│ ───────────────────────────────────────────────────────────────────── │
│ L2 COGNITION VaultMesh Cognitive │ Mind + Receipts │
│ ───────────────────────────────────────────────────────────────────── │
│ L1 SUBSTRATE Filesystem, Processes │ Matter + Motion │
│ ───────────────────────────────────────────────────────────────────── │
│ L0 PERCEPTION Chrome, Puppeteer │ Senses + Limbs │
│ ───────────────────────────────────────────────────────────────────── │
│ L-1 PROOF Anchors, Receipts, Attest │ Archaeological │
│ │
└─────────────────────────────────────────────────────────────────────────┘
Part II: Agent Capability Profiles
Five canonical profiles governing what agents can do:
Profile: OBSERVER (👁)
Purpose: Read-only reconnaissance and monitoring
Trust Level: Minimal
Budget: None required
| Stratum | Allowed Tools |
|---|---|
| L0 Perception | get_current_tab, list_tabs, get_page_content |
| L1 Substrate | read_file, read_multiple_files, list_directory, search_files, get_file_info |
| L2 Cognition | cognitive_context, cognitive_memory_get, cognitive_audit_trail |
| L3 Security | offsec_status, offsec_shield_status, offsec_tem_status, offsec_mesh_status |
| L4 Infrastructure | worker_list, kv_list, r2_list_buckets, d1_list_databases, zones_list |
| L-1 Proof | guardian_status, guardian_verify_receipt, offsec_proof_latest |
Denied: All mutations, all decisions, all attestations
Profile: OPERATOR (⚙)
Purpose: Execute sanctioned operations
Trust Level: Moderate
Budget: Capped per session
| Stratum | Allowed Tools |
|---|---|
| L0 Perception | All OBSERVER + execute_javascript, puppeteer_click/fill/select |
| L1 Substrate | All OBSERVER + write_file, edit_file, create_directory, move_file, start_process |
| L2 Cognition | All OBSERVER + cognitive_decide (confidence < 0.9), cognitive_memory_set |
| L3 Security | All OBSERVER + offsec_shield_arm/disarm |
| L4 Infrastructure | All OBSERVER + kv_put/delete, worker_put, d1_query (SELECT only) |
| L-1 Proof | All OBSERVER + guardian_anchor_now (local backend only) |
Denied: TEM invocation, Phoenix, treasury mutations, blockchain anchoring
Profile: GUARDIAN (🛡)
Purpose: Defensive operations and threat response
Trust Level: High
Budget: Elevated, audited
| Stratum | Allowed Tools |
|---|---|
| L0-L1 | All OPERATOR |
| L2 Cognition | All OPERATOR + cognitive_decide (any confidence), cognitive_invoke_tem, cognitive_attest |
| L3 Security | All OPERATOR + offsec_tem_transmute, offsec_tem_rules, offsec_braid_import |
| L4 Infrastructure | All OPERATOR + worker_deploy, d1_query (all), queue_* |
| L-1 Proof | All OPERATOR + offsec_proof_generate, guardian_anchor_now (eth backend) |
Denied: Phoenix (requires PHOENIX profile), treasury spending
Profile: PHOENIX (🔥)
Purpose: Crisis response and system rebirth
Trust Level: Maximum
Budget: Emergency allocation
Activation: Requires quorum or automated trigger
| Stratum | Allowed Tools |
|---|---|
| All | All GUARDIAN |
| L3 Security | + offsec_phoenix_enable/disable, offsec_phoenix_inject_crisis |
| L4 Infrastructure | + worker_delete, r2_delete_bucket, d1_delete_database (destructive ops) |
| L2 Cognition | + treasury_debit (emergency only) |
Constraints:
- Every action emits double-receipt (cognitive + guardian)
- Auto-disables after crisis resolution
- Full audit to governance within 24h
Profile: SOVEREIGN (👑)
Purpose: Full authority over civilization
Trust Level: Absolute
Budget: Unlimited
Activation: Human operator only (Ed25519 verified)
| Stratum | Allowed Tools |
|---|---|
| All | Every tool, no restrictions |
| Special | auth_* tools, capability grants/revokes |
| Treasury | treasury_create_budget, treasury_credit |
| Governance | LAWCHAIN proposals, constitution amendments |
Constraints:
- All actions anchored to BTC/ETH
- Cannot be delegated to autonomous agents
- Requires hardware key signature
Part III: Authority Matrix (Tool × Profile)
| Tool | OBSERVER | OPERATOR | GUARDIAN | PHOENIX | SOVEREIGN |
|---|---|---|---|---|---|
| L0 PERCEPTION | | | | | |
| get_page_content | ✓ | ✓ | ✓ | ✓ | ✓ |
| execute_javascript | ✗ | ✓ | ✓ | ✓ | ✓ |
| L1 SUBSTRATE | | | | | |
| read_file | ✓ | ✓ | ✓ | ✓ | ✓ |
| write_file | ✗ | ✓ | ✓ | ✓ | ✓ |
| kill_process | ✗ | ✗ | ✓ | ✓ | ✓ |
| L2 COGNITION | | | | | |
| cognitive_context | ✓ | ✓ | ✓ | ✓ | ✓ |
| cognitive_decide | ✗ | ≤0.9 | ✓ | ✓ | ✓ |
| cognitive_invoke_tem | ✗ | ✗ | ✓ | ✓ | ✓ |
| cognitive_attest | ✗ | ✗ | ✓ | ✓ | ✓ |
| L3 SECURITY | | | | | |
| offsec_shield_status | ✓ | ✓ | ✓ | ✓ | ✓ |
| offsec_shield_arm | ✗ | ✓ | ✓ | ✓ | ✓ |
| offsec_tem_transmute | ✗ | ✗ | ✓ | ✓ | ✓ |
| offsec_phoenix_* | ✗ | ✗ | ✗ | ✓ | ✓ |
| L4 INFRASTRUCTURE | | | | | |
| worker_list | ✓ | ✓ | ✓ | ✓ | ✓ |
| worker_put | ✗ | ✓ | ✓ | ✓ | ✓ |
| worker_delete | ✗ | ✗ | ✗ | ✓ | ✓ |
| d1_query (SELECT) | ✓ | ✓ | ✓ | ✓ | ✓ |
| d1_query (MUTATE) | ✗ | ✗ | ✓ | ✓ | ✓ |
| d1_delete_database | ✗ | ✗ | ✗ | ✓ | ✓ |
| L5 ORCHESTRATION | | | | | |
| workflow_list | ✓ | ✓ | ✓ | ✓ | ✓ |
| workflow_execute | ✗ | ✓ | ✓ | ✓ | ✓ |
| workflow_delete | ✗ | ✗ | ✗ | ✓ | ✓ |
| L-1 PROOF | | | | | |
| guardian_status | ✓ | ✓ | ✓ | ✓ | ✓ |
| guardian_anchor_now | ✗ | local | local+eth | all | all |
| offsec_proof_generate | ✗ | ✗ | ✓ | ✓ | ✓ |
| TREASURY | | | | | |
| treasury_balance | ✓ | ✓ | ✓ | ✓ | ✓ |
| treasury_debit | ✗ | ✗ | ✗ | emergency | ✓ |
| treasury_credit | ✗ | ✗ | ✗ | ✗ | ✓ |
| treasury_create_budget | ✗ | ✗ | ✗ | ✗ | ✓ |
| AUTH | | | | | |
| auth_check_permission | ✓ | ✓ | ✓ | ✓ | ✓ |
| auth_create_dev_session | ✗ | ✗ | ✗ | ✗ | ✓ |
| auth_challenge/verify | ✗ | ✗ | ✗ | ✗ | ✓ |
Part IV: Profile Escalation Protocol
OBSERVER ──(decision)──► OPERATOR ──(threat)──► GUARDIAN ──(crisis)──► PHOENIX
│ │ │ │
│ │ │ │
└─────────────────────────┴──────────────────────┴─────────────────────┘
│
▼
SOVEREIGN (human)
(can override any level)
Escalation Triggers
| From | To | Trigger |
|---|---|---|
| OBSERVER | OPERATOR | User command requiring mutation |
| OPERATOR | GUARDIAN | Threat detected with confidence > 0.8 |
| GUARDIAN | PHOENIX | System-critical failure or coordinated attack |
| Any | SOVEREIGN | Human override via Ed25519 signature |
De-escalation Rules
- PHOENIX → GUARDIAN: Crisis resolved, no active alerts for 1h
- GUARDIAN → OPERATOR: Threat transmuted, shield stable for 24h
- OPERATOR → OBSERVER: Session timeout or explicit downgrade
Part V: Implementation Binding
auth.py Integration
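# Scope, SCOPE_TOOLS and ALL_TOOLS are defined elsewhere in auth.py.
PROFILE_SCOPES = {
    "observer": Scope.READ,
    "operator": Scope.ADMIN,
    "guardian": Scope.COGNITIVE,  # Includes TEM
    "phoenix": Scope.COGNITIVE,   # + Phoenix tools
    "sovereign": Scope.VAULT,     # All capabilities
}
# Entries ending in "*" are glob patterns, not literal tool names.
PROFILE_TOOLS = {
    "observer": SCOPE_TOOLS[Scope.READ],
    "operator": SCOPE_TOOLS[Scope.READ] | SCOPE_TOOLS[Scope.ADMIN],
    "guardian": SCOPE_TOOLS[Scope.COGNITIVE] | {"offsec_tem_*", "offsec_proof_*"},
    # Set difference matches strings exactly: these patterns remove tools only
    # if ALL_TOOLS holds the same pattern strings or they are expanded first.
    "phoenix": ALL_TOOLS - {"auth_*", "treasury_create_*"},
    "sovereign": ALL_TOOLS,
}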
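An added example, not part of the project's auth.py: a deny-by-default check that expands glob patterns before subtracting them and enforces the matrix's conditional cells for OPERATOR. The tool subset, the `expand` and `is_allowed` helpers, and the argument names `confidence` and `backend` are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed subset of the catalogue; the real ALL_TOOLS lives in auth.py.
ALL_TOOLS = {
    "read_file", "write_file", "cognitive_decide", "guardian_anchor_now",
    "worker_delete", "offsec_phoenix_enable", "auth_check_permission",
    "auth_create_dev_session", "treasury_create_budget",
}

def expand(patterns, catalogue=ALL_TOOLS):
    """Resolve glob patterns such as "auth_*" to concrete tool names."""
    return {t for t in catalogue if any(fnmatchcase(t, p) for p in patterns)}

# Naive form: set difference compares strings exactly, so nothing is removed.
PHOENIX_NAIVE = ALL_TOOLS - {"auth_*", "treasury_create_*"}

# Expanded form. auth_check_permission is added back because the Part III
# matrix allows it for every profile.
PHOENIX = (ALL_TOOLS - expand({"auth_*", "treasury_create_*"})) | {"auth_check_permission"}

PROFILE_TOOLS = {
    "operator": {"read_file", "write_file", "cognitive_decide",
                 "guardian_anchor_now", "auth_check_permission"},
    "phoenix": PHOENIX,
}

# Conditional cells of the matrix as predicates over the call arguments.
# The argument names "confidence" and "backend" are assumptions.
CONDITIONS = {
    ("operator", "cognitive_decide"): lambda a: a.get("confidence", 1.0) <= 0.9,
    ("operator", "guardian_anchor_now"): lambda a: a.get("backend") == "local",
}

def is_allowed(profile, tool, args=None):
    """Deny by default: unknown profile, unlisted tool or failed condition."""
    if tool not in PROFILE_TOOLS.get(profile, set()):
        return False
    condition = CONDITIONS.get((profile, tool))
    return condition is None or condition(args or {})
```

The confidence bound follows the matrix cell (≤0.9); a call that omits the argument is denied rather than treated as low confidence.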
Receipt Tagging
Every tool call receipt includes:
{
  "operator_profile": "guardian",
  "escalation_source": "operator",
  "escalation_reason": "threat_confidence_0.94",
  "budget_remaining": 8500,
  "session_id": "ses_...",
  "attestation_required": true
}
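An added example, not the project's own code: an audit pass that checks each receipt's recorded transition against the Part IV escalation ladder and the OPERATOR → GUARDIAN threshold. It assumes `escalation_source` is the profile held before the current one and that threat escalations always use the `threat_confidence_<value>` reason format shown above; the function names and the second and third receipts are constructed.

```python
import re

LADDER = ["observer", "operator", "guardian", "phoenix"]

def threat_confidence(reason):
    """Parse "threat_confidence_<float>"; return None for any other reason."""
    m = re.fullmatch(r"threat_confidence_(\d+(?:\.\d+)?)", reason or "")
    return float(m.group(1)) if m else None

def audit_receipt(receipt):
    """Return findings for one receipt; an empty list means consistent with Part IV."""
    src = receipt.get("escalation_source")
    dst = receipt.get("operator_profile")
    if "sovereign" in (src, dst):
        return ["sovereign involved: confirm the Ed25519-verified human operator"]
    if src not in LADDER or dst not in LADDER:
        return [f"unknown profile in transition {src!r} -> {dst!r}"]
    findings = []
    if LADDER.index(dst) - LADDER.index(src) > 1:
        findings.append(f"skipped level: {src} -> {dst}")
    if (src, dst) == ("operator", "guardian"):
        conf = threat_confidence(receipt.get("escalation_reason"))
        if conf is None or conf <= 0.8:
            findings.append("operator -> guardian without threat confidence > 0.8")
    return findings

# Constructed receipts; the first reuses the field values shown above.
RECEIPTS = [
    {"operator_profile": "guardian", "escalation_source": "operator",
     "escalation_reason": "threat_confidence_0.94"},
    {"operator_profile": "guardian", "escalation_source": "operator",
     "escalation_reason": "threat_confidence_0.61"},
    {"operator_profile": "phoenix", "escalation_source": "observer",
     "escalation_reason": "crisis"},
]

def audit_all(receipts=RECEIPTS):
    """Map receipt index to findings, keeping only receipts with findings."""
    return {i: f for i, r in enumerate(receipts) if (f := audit_receipt(r))}
```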
Part VI: Canonical Tool Taxonomy
mcp/
├── perceive/ # L0 - Chrome, Puppeteer (read)
│ ├── observe/ # get_*, list_*
│ └── actuate/ # click, fill, navigate
│
├── substrate/ # L1 - Filesystem, processes
│ ├── read/ # read_*, search_*, get_info
│ ├── write/ # write_*, edit_*, create_*
│ └── process/ # start_*, kill_*, list_processes
│
├── cognition/ # L2 - VaultMesh Cognitive
│ ├── context/ # cognitive_context
│ ├── decide/ # cognitive_decide
│ ├── memory/ # cognitive_memory_*
│ ├── tem/ # cognitive_invoke_tem
│ └── attest/ # cognitive_attest
│
├── security/ # L3 - OFFSEC
│ ├── shield/ # shield_*
│ ├── tem/ # tem_*
│ ├── phoenix/ # phoenix_*
│ └── braid/ # braid_*
│
├── infrastructure/ # L4 - Cloudflare
│ ├── compute/ # workers, workflows
│ ├── storage/ # kv, r2, d1
│ ├── network/ # zones, routes, domains
│ └── ai/ # ai_*
│
├── orchestration/ # L5 - Queues, Workflows
│ ├── queue/ # queue_*
│ ├── workflow/ # workflow_*
│ └── cron/ # cron_*
│
├── proof/ # L-1 - Anchoring
│ ├── guardian/ # guardian_*
│ ├── anchor/ # proof_generate, anchor_now
│ └── verify/ # verify_receipt
│
└── governance/ # Meta - Auth, Treasury
├── auth/ # auth_*
├── treasury/ # treasury_*
└── lawchain/ # (future) proposals, votes
Appendix: Quick Reference Card
┌─────────────────────────────────────────────────────────────────┐
│ MCP AUTHORITY QUICK REF │
├─────────────────────────────────────────────────────────────────┤
│ │
│ 👁 OBSERVER Read-only. No mutations. No cost. │
│ ⚙ OPERATOR Mutations allowed. Budgeted. No TEM. │
│ 🛡 GUARDIAN Threat response. TEM + attestation. │
│ 🔥 PHOENIX Crisis mode. Destructive ops. Time-limited. │
│ 👑 SOVEREIGN Human only. Full authority. BTC-anchored. │
│ │
│ Escalate: OBSERVER → OPERATOR → GUARDIAN → PHOENIX │
│ Override: SOVEREIGN can intervene at any level │
│ │
│ Every action: WHO decided, UNDER what authority, │
│ AT what cost, WITH what proof. │
│ │
└─────────────────────────────────────────────────────────────────┘
Document anchored. Authority matrix locked.
🜄 Solve et Coagula