vm-mcp/docs/MCP-AUTHORITY-MATRIX.md
Vault Sovereign e4871c2a29
init: vaultmesh mcp server
2025-12-26 23:23:08 +00:00

# MCP Authority Matrix & Agent Capability Profiles
**Classification:** INTERNAL / GOVERNANCE
**Version:** 1.0
**Date:** December 18, 2025
---
## Part I: The Seven Strata
| Level | Stratum | Components | Role |
|-------|---------|------------|------|
| L5 | ORCHESTRATION | Workflows, Queues, AI | Fate Machinery |
| L4 | INFRASTRUCTURE | Cloudflare Workers/KV/R2/D1 | Circulatory |
| L3 | SECURITY | OFFSEC Shield/TEM/Phoenix | Immune System |
| L2 | COGNITION | VaultMesh Cognitive | Mind + Receipts |
| L1 | SUBSTRATE | Filesystem, Processes | Matter + Motion |
| L0 | PERCEPTION | Chrome, Puppeteer | Senses + Limbs |
| L-1 | PROOF | Anchors, Receipts, Attest | Archaeological |
---
## Part II: Agent Capability Profiles
Five canonical profiles governing what agents can do:
### Profile: OBSERVER (👁)
**Purpose:** Read-only reconnaissance and monitoring
**Trust Level:** Minimal
**Budget:** None required
| Stratum | Allowed Tools |
|---------|---------------|
| L0 Perception | `get_current_tab`, `list_tabs`, `get_page_content` |
| L1 Substrate | `read_file`, `read_multiple_files`, `list_directory`, `search_files`, `get_file_info` |
| L2 Cognition | `cognitive_context`, `cognitive_memory_get`, `cognitive_audit_trail` |
| L3 Security | `offsec_status`, `offsec_shield_status`, `offsec_tem_status`, `offsec_mesh_status` |
| L4 Infrastructure | `worker_list`, `kv_list`, `r2_list_buckets`, `d1_list_databases`, `zones_list` |
| L-1 Proof | `guardian_status`, `guardian_verify_receipt`, `offsec_proof_latest` |
**Denied:** All mutations, all decisions, all attestations
---
### Profile: OPERATOR (⚙)
**Purpose:** Execute sanctioned operations
**Trust Level:** Moderate
**Budget:** Capped per session
| Stratum | Allowed Tools |
|---------|---------------|
| L0 Perception | All OBSERVER + `execute_javascript`, `puppeteer_click/fill/select` |
| L1 Substrate | All OBSERVER + `write_file`, `edit_file`, `create_directory`, `move_file`, `start_process` |
| L2 Cognition | All OBSERVER + `cognitive_decide` (confidence < 0.9), `cognitive_memory_set` |
| L3 Security | All OBSERVER + `offsec_shield_arm/disarm` |
| L4 Infrastructure | All OBSERVER + `kv_put/delete`, `worker_put`, `d1_query` (SELECT only) |
| L-1 Proof | All OBSERVER + `guardian_anchor_now` (local backend only) |
**Denied:** TEM invocation, Phoenix, treasury mutations, blockchain anchoring
---
### Profile: GUARDIAN (🛡)
**Purpose:** Defensive operations and threat response
**Trust Level:** High
**Budget:** Elevated, audited
| Stratum | Allowed Tools |
|---------|---------------|
| L0-L1 | All OPERATOR |
| L2 Cognition | All OPERATOR + `cognitive_decide` (any confidence), `cognitive_invoke_tem`, `cognitive_attest` |
| L3 Security | All OPERATOR + `offsec_tem_transmute`, `offsec_tem_rules`, `offsec_braid_import` |
| L4 Infrastructure | All OPERATOR + `worker_deploy`, `d1_query` (all), `queue_*` |
| L-1 Proof | All OPERATOR + `offsec_proof_generate`, `guardian_anchor_now` (eth backend) |
**Denied:** Phoenix (requires PHOENIX profile), treasury spending
---
### Profile: PHOENIX (🔥)
**Purpose:** Crisis response and system rebirth
**Trust Level:** Maximum
**Budget:** Emergency allocation
**Activation:** Requires quorum or automated trigger
| Stratum | Allowed Tools |
|---------|---------------|
| All | All GUARDIAN |
| L3 Security | + `offsec_phoenix_enable/disable`, `offsec_phoenix_inject_crisis` |
| L4 Infrastructure | + `worker_delete`, `r2_delete_bucket`, `d1_delete_database` (destructive ops) |
| L2 Cognition | + `treasury_debit` (emergency only) |
**Constraints:**
- Every action emits double-receipt (cognitive + guardian)
- Auto-disables after crisis resolution
- Full audit to governance within 24h
---
### Profile: SOVEREIGN (👑)
**Purpose:** Full authority over civilization
**Trust Level:** Absolute
**Budget:** Unlimited
**Activation:** Human operator only (Ed25519 verified)
| Stratum | Allowed Tools |
|---------|---------------|
| All | Every tool, no restrictions |
| Special | `auth_*` tools, capability grants/revokes |
| Treasury | `treasury_create_budget`, `treasury_credit` |
| Governance | LAWCHAIN proposals, constitution amendments |
**Constraints:**
- All actions anchored to BTC/ETH
- Cannot be delegated to autonomous agents
- Requires hardware key signature
---
## Part III: Authority Matrix (Tool × Profile)
| Stratum | Tool | OBSERVER | OPERATOR | GUARDIAN | PHOENIX | SOVEREIGN |
|---------|------|----------|----------|----------|---------|-----------|
| L0 Perception | `get_page_content` | ✓ | ✓ | ✓ | ✓ | ✓ |
| L0 Perception | `execute_javascript` | ✗ | ✓ | ✓ | ✓ | ✓ |
| L1 Substrate | `read_file` | ✓ | ✓ | ✓ | ✓ | ✓ |
| L1 Substrate | `write_file` | ✗ | ✓ | ✓ | ✓ | ✓ |
| L1 Substrate | `kill_process` | ✗ | ✗ | ✓ | ✓ | ✓ |
| L2 Cognition | `cognitive_context` | ✓ | ✓ | ✓ | ✓ | ✓ |
| L2 Cognition | `cognitive_decide` | ✗ | ≤0.9 | ✓ | ✓ | ✓ |
| L2 Cognition | `cognitive_invoke_tem` | ✗ | ✗ | ✓ | ✓ | ✓ |
| L2 Cognition | `cognitive_attest` | ✗ | ✗ | ✓ | ✓ | ✓ |
| L3 Security | `offsec_shield_status` | ✓ | ✓ | ✓ | ✓ | ✓ |
| L3 Security | `offsec_shield_arm` | ✗ | ✓ | ✓ | ✓ | ✓ |
| L3 Security | `offsec_tem_transmute` | ✗ | ✗ | ✓ | ✓ | ✓ |
| L3 Security | `offsec_phoenix_*` | ✗ | ✗ | ✗ | ✓ | ✓ |
| L4 Infrastructure | `worker_list` | ✓ | ✓ | ✓ | ✓ | ✓ |
| L4 Infrastructure | `worker_put` | ✗ | ✓ | ✓ | ✓ | ✓ |
| L4 Infrastructure | `worker_delete` | ✗ | ✗ | ✗ | ✓ | ✓ |
| L4 Infrastructure | `d1_query` (SELECT) | ✓ | ✓ | ✓ | ✓ | ✓ |
| L4 Infrastructure | `d1_query` (MUTATE) | ✗ | ✗ | ✓ | ✓ | ✓ |
| L4 Infrastructure | `d1_delete_database` | ✗ | ✗ | ✗ | ✓ | ✓ |
| L5 Orchestration | `workflow_list` | ✓ | ✓ | ✓ | ✓ | ✓ |
| L5 Orchestration | `workflow_execute` | ✗ | ✓ | ✓ | ✓ | ✓ |
| L5 Orchestration | `workflow_delete` | ✗ | ✗ | ✗ | ✓ | ✓ |
| L-1 Proof | `guardian_status` | ✓ | ✓ | ✓ | ✓ | ✓ |
| L-1 Proof | `guardian_anchor_now` | ✗ | local | local+eth | all | all |
| L-1 Proof | `offsec_proof_generate` | ✗ | ✗ | ✓ | ✓ | ✓ |
| Treasury | `treasury_balance` | ✓ | ✓ | ✓ | ✓ | ✓ |
| Treasury | `treasury_debit` | ✗ | ✗ | ✗ | emergency | ✓ |
| Treasury | `treasury_credit` | ✗ | ✗ | ✗ | ✗ | ✓ |
| Treasury | `treasury_create_budget` | ✗ | ✗ | ✗ | ✗ | ✓ |
| Auth | `auth_check_permission` | ✓ | ✓ | ✓ | ✓ | ✓ |
| Auth | `auth_create_dev_session` | ✗ | ✗ | ✗ | ✗ | ✓ |
| Auth | `auth_challenge/verify` | ✗ | ✗ | ✗ | ✗ | ✓ |
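The matrix above is only useful if a dispatcher enforces it before every tool call. The following is an added example (not code from the vm-mcp project) of such a default-deny gate: `authorize`, `MIN_PROFILE`, `ANCHOR_BACKENDS` and the call-context keys `confidence`, `sql`, `backend` and `emergency` are names chosen here; the tool globs, profile order and conditional cells (≤0.9 confidence, SELECT-only `d1_query` below GUARDIAN, anchor backend, emergency debit) are taken from the matrix rows.

```python
from fnmatch import fnmatch

# Added example: the Part III matrix as a default-deny gate in front of a tool dispatcher.
# Not code from the vm-mcp project; the cell conditions are taken from the rows above.
PROFILES = ["observer", "operator", "guardian", "phoenix", "sovereign"]

# (tool glob, minimum profile); first match wins, so exact names precede wildcards.
MIN_PROFILE = [
    ("auth_check_permission", "observer"), ("auth_*", "sovereign"),
    ("treasury_balance", "observer"), ("treasury_debit", "phoenix"), ("treasury_*", "sovereign"),
    ("offsec_phoenix_*", "phoenix"), ("worker_delete", "phoenix"),
    ("workflow_delete", "phoenix"), ("d1_delete_database", "phoenix"),
    ("kill_process", "guardian"), ("cognitive_invoke_tem", "guardian"),
    ("cognitive_attest", "guardian"), ("offsec_tem_transmute", "guardian"),
    ("offsec_proof_generate", "guardian"),
    ("execute_javascript", "operator"), ("write_file", "operator"),
    ("cognitive_decide", "operator"), ("offsec_shield_arm", "operator"),
    ("worker_put", "operator"), ("workflow_execute", "operator"),
    ("guardian_anchor_now", "operator"),
    ("get_page_content", "observer"), ("read_file", "observer"),
    ("cognitive_context", "observer"), ("d1_query", "observer"),
    ("*_status", "observer"), ("*_list", "observer"),
]
ANCHOR_BACKENDS = {"operator": {"local"}, "guardian": {"local", "eth"}}  # others: any

def _is_read_only_sql(sql):
    # Prefix matching alone is weak ("SELECT 1; DELETE ..." would pass), so also require
    # a single statement. A production gate should parse the SQL rather than sniff it.
    body = sql.strip().rstrip(";")
    return body.upper().startswith("SELECT") and ";" not in body

def authorize(profile, tool, **ctx):
    """True if `profile` may call `tool` in context `ctx`; tools not in the matrix are denied."""
    for pattern, minimum in MIN_PROFILE:
        if fnmatch(tool, pattern):
            if PROFILES.index(profile) < PROFILES.index(minimum):
                return False
            break
    else:
        return False
    if tool == "cognitive_decide" and profile == "operator":
        return ctx.get("confidence", 1.0) <= 0.9            # no confidence given -> deny
    if tool == "d1_query" and PROFILES.index(profile) < PROFILES.index("guardian"):
        return _is_read_only_sql(ctx.get("sql", ""))        # SELECT only below GUARDIAN
    if tool == "guardian_anchor_now" and profile in ANCHOR_BACKENDS:
        return ctx.get("backend") in ANCHOR_BACKENDS[profile]
    if tool == "treasury_debit" and profile == "phoenix":
        return bool(ctx.get("emergency", False))            # emergency allocation only
    return True
```

A tool name that is absent from the matrix, or a conditional call made without its context (for example `cognitive_decide` with no confidence), is denied rather than allowed, so an omission in the table fails closed.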
---
## Part IV: Profile Escalation Protocol
```
OBSERVER ──(decision)──► OPERATOR ──(threat)──► GUARDIAN ──(crisis)──► PHOENIX
    │                        │                      │                     │
    │                        │                      │                     │
    └────────────────────────┴──────────────────────┴─────────────────────┘
                               SOVEREIGN (human)
                           (can override any level)
```
### Escalation Triggers
| From | To | Trigger |
|------|----|---------|
| OBSERVER → OPERATOR | User command requiring mutation |
| OPERATOR → GUARDIAN | Threat detected with confidence > 0.8 |
| GUARDIAN → PHOENIX | System-critical failure or coordinated attack |
| Any → SOVEREIGN | Human override via Ed25519 signature |
### De-escalation Rules
- PHOENIX → GUARDIAN: Crisis resolved, no active alerts for 1h
- GUARDIAN → OPERATOR: Threat transmuted, shield stable for 24h
- OPERATOR → OBSERVER: Session timeout or explicit downgrade
---
## Part V: Implementation Binding
### auth.py Integration
```python
# Relies on Scope, SCOPE_TOOLS and ALL_TOOLS as already defined in auth.py
# (not reproduced here). Each profile binds to one existing auth.py scope.
PROFILE_SCOPES = {
    "observer": Scope.READ,
    "operator": Scope.ADMIN,
    "guardian": Scope.COGNITIVE,  # Includes TEM
    "phoenix": Scope.COGNITIVE,   # + Phoenix tools
    "sovereign": Scope.VAULT,     # All capabilities
}

# Per-profile tool sets derived from the scope tables. Entries such as
# "offsec_tem_*" are name patterns, not literal tool names.
PROFILE_TOOLS = {
    "observer": SCOPE_TOOLS[Scope.READ],
    "operator": SCOPE_TOOLS[Scope.READ] | SCOPE_TOOLS[Scope.ADMIN],
    "guardian": SCOPE_TOOLS[Scope.COGNITIVE] | {"offsec_tem_*", "offsec_proof_*"},
    "phoenix": ALL_TOOLS - {"auth_*", "treasury_create_*"},
    "sovereign": ALL_TOOLS,
}
```
### Receipt Tagging
Every tool call receipt includes:
```json
{
  "operator_profile": "guardian",
  "escalation_source": "operator",
  "escalation_reason": "threat_confidence_0.94",
  "budget_remaining": 8500,
  "session_id": "ses_...",
  "attestation_required": true
}
```
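The escalation triggers and de-escalation rules of Part IV, together with the receipt fields above, describe a small state machine. Here is an added illustration of it (not code from the vm-mcp project): `Session`, `escalate`, `deescalate`, the event dictionaries and the `ses_example` sample values are constructed here, the injected `verify` callable stands in for the project's `auth_challenge/verify` tools, and the choice to set `attestation_required` from GUARDIAN upward is an assumption.

```python
from dataclasses import dataclass

# Added illustration of the Part IV escalation chain and Part V receipt fields;
# not code from the vm-mcp project. The Session defaults are constructed samples.
@dataclass
class Session:
    profile: str = "observer"
    session_id: str = "ses_example"
    budget_remaining: int = 8500

def _move(sess, dst, reason):
    """Change profile and emit the Part V receipt for the transition. Attestation is
    assumed to be required from GUARDIAN upward (the tiers that hold cognitive_attest)."""
    src, sess.profile = sess.profile, dst
    return {"operator_profile": dst, "escalation_source": src, "escalation_reason": reason,
            "budget_remaining": sess.budget_remaining, "session_id": sess.session_id,
            "attestation_required": dst in ("guardian", "phoenix", "sovereign")}

def escalate(sess, event):
    """Apply one Part IV trigger, one step at a time. Returns the receipt or None."""
    p = sess.profile
    if event["type"] == "sovereign_override":
        # Any -> SOVEREIGN only on a valid Ed25519 signature. The verifier is injected so an
        # agent cannot self-grant; stand-in for the project's auth_challenge/verify tools.
        if not event["verify"](event["challenge"], event["signature"]):
            return None
        return _move(sess, "sovereign", "ed25519_override")
    if p == "observer" and event["type"] == "mutation_command":
        return _move(sess, "operator", f"mutation:{event['tool']}")
    if p == "operator" and event["type"] == "threat" and event["confidence"] > 0.8:
        return _move(sess, "guardian", f"threat_confidence_{event['confidence']:.2f}")
    if p == "guardian" and event["type"] in ("critical_failure", "coordinated_attack"):
        return _move(sess, "phoenix", event["type"])
    return None

def deescalate(sess, quiet_hours=0.0, stable_hours=0.0, session_expired=False):
    """Apply the Part IV de-escalation rules. Returns the receipt or None."""
    if sess.profile == "phoenix" and quiet_hours >= 1:        # no active alerts for 1h
        return _move(sess, "guardian", "crisis_resolved")
    if sess.profile == "guardian" and stable_hours >= 24:     # shield stable for 24h
        return _move(sess, "operator", "threat_transmuted")
    if sess.profile == "operator" and session_expired:        # timeout / explicit downgrade
        return _move(sess, "observer", "session_timeout")
    return None
```

Because each step checks the current profile, an OBSERVER session cannot jump straight to GUARDIAN on a threat event, and every transition in either direction yields a receipt naming the source profile and the reason.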
---
## Part VI: Canonical Tool Taxonomy
```
mcp/
├── perceive/ # L0 - Chrome, Puppeteer (read)
│ ├── observe/ # get_*, list_*
│ └── actuate/ # click, fill, navigate
├── substrate/ # L1 - Filesystem, processes
│ ├── read/ # read_*, search_*, get_info
│ ├── write/ # write_*, edit_*, create_*
│ └── process/ # start_*, kill_*, list_processes
├── cognition/ # L2 - VaultMesh Cognitive
│ ├── context/ # cognitive_context
│ ├── decide/ # cognitive_decide
│ ├── memory/ # cognitive_memory_*
│ ├── tem/ # cognitive_invoke_tem
│ └── attest/ # cognitive_attest
├── security/ # L3 - OFFSEC
│ ├── shield/ # shield_*
│ ├── tem/ # tem_*
│ ├── phoenix/ # phoenix_*
│ └── braid/ # braid_*
├── infrastructure/ # L4 - Cloudflare
│ ├── compute/ # workers, workflows
│ ├── storage/ # kv, r2, d1
│ ├── network/ # zones, routes, domains
│ └── ai/ # ai_*
├── orchestration/ # L5 - Queues, Workflows
│ ├── queue/ # queue_*
│ ├── workflow/ # workflow_*
│ └── cron/ # cron_*
├── proof/ # L-1 - Anchoring
│ ├── guardian/ # guardian_*
│ ├── anchor/ # proof_generate, anchor_now
│ └── verify/ # verify_receipt
└── governance/ # Meta - Auth, Treasury
├── auth/ # auth_*
├── treasury/ # treasury_*
└── lawchain/ # (future) proposals, votes
```
---
## Appendix: Quick Reference Card
```
┌──────────────────────────────────────────────────────────────┐
│                   MCP AUTHORITY QUICK REF                    │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│ 👁  OBSERVER    Read-only. No mutations. No cost.            │
│ ⚙  OPERATOR    Mutations allowed. Budgeted. No TEM.         │
│ 🛡  GUARDIAN    Threat response. TEM + attestation.          │
│ 🔥  PHOENIX     Crisis mode. Destructive ops. Time-limited.  │
│ 👑  SOVEREIGN   Human only. Full authority. BTC-anchored.    │
│                                                              │
│ Escalate: OBSERVER → OPERATOR → GUARDIAN → PHOENIX           │
│ Override: SOVEREIGN can intervene at any level               │
│                                                              │
│ Every action: WHO decided, UNDER what authority,             │
│               AT what cost, WITH what proof.                 │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
---
*Document anchored. Authority matrix locked.*
🜄 **Solve et Coagula**