docs(spec): the Ceremony Contract v0.1 draft — five laws, wire objects, chained store#229
Conversation
hartsock
left a comment
There was a problem hiding this comment.
Some modifications needed and we need to think harder before committing to a path here.
…(five laws) Review-1 revision (#229): - Third disposition surfaced in the matrix as 'attest' (né passkey; the verdict renames via #231, term from the attestation literature). Its scope composes with the existing once/session — attest×session is the one-ceremony-per-generation affordance; kernel stays clock-free (generations bump at the boundary). - 'chain-store' recorded as a term of art. Chaining strengthened per review: parents reference the LINE-CID (full predecessor incl. sig), so signature-stripping breaks the chain. Stated assumptions split: deterministic signatures (Ed25519; H(sig|content,key)=0) for reproducibility, collision resistance for tamper-evidence. JSONL formalized as the lossless at-rest view of canonical DAG-CBOR. - L2 honesty: flat files hold for additions only — deleting a durable deny widens undetectably; the chain-store is load-bearing for the full mutation set. H1 generalized to append-only-verifiability. - default = administrator opinion surface; negative pins (signed durable denies w/ provenance) as the enterprise/parental-control story. - New AuditRecord wire object (§3.6): audit = ceremony over the chain head, appended to the same chain. - L6 demoted to well-formedness WF-1: six laws → five. Governance section records the executed cut; L1+L4 merge remains the next candidate. Refs #229 review, #231, #225. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
v0.1.1 pushed (efcc7ca) — every review thread landed, law count went DOWN.
Term of art recorded: chain-store (§1 Terms). |
…rincipal, SAS enrollment, external anchors Every participant is a fingerprint; roles (principal/agent/surface/gate) differ only in what they sign — a monolith newt is the degenerate case of one fingerprint wearing all roles, a no-compute mobile surface the other pole (keypair + renderer). Delegation completes L5's pinned predicate transitively: chains meet at a common pinned principal, root involved at ISSUANCE not per-delegation (headless fleets verify offline; already shipped mechanism — mesh CertChain #39 §9.1, proof-of-possession #40 §9.2). Zero new laws. Mechanism: §5.4 SAS enrollment ceremony — commit-then-reveal bound to the exchange transcript, human comparison as the unspoofable channel (naive phrase-echo is MITM-relayable); paranoia parameterized as (SAS entropy × rounds, witnesses, presence) with minima set by caveat ceiling. §5.5 external anchors (GitHub keys, DNS, org CA) = candidate corroboration channels for a self-sovereign root — never load-bearing, per the floating-identity doctrine; no-GitHub users enroll by ceremony alone. Remote surfaces MUST sign their Decisions (attributable grant provenance); in-process surfaces MAY omit. Refs #229 review discussion, #225; protocol work: agent-mesh companion issue. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
v0.1.2 pushed (5ad88f9) — the identity model, from the delegation/fleet/mobile discussion. §2.1 roles table (principal/agent/surface/gate — monolith newt = one fingerprint, all roles; no-compute mobile = keypair + renderer); L5's pinned predicate completed transitively (chain-to-pinned-principal, PoP at every link — already shipped as mesh CertChain #39/#40; root involved at issuance NOT per-delegation, so headless fleets verify offline); §5.4 SAS enrollment (commit-then-reveal, transcript-bound, human-compares — the naive phrase-echo is MITM-relayable; paranoia = (entropy × rounds, witnesses, presence), minima by caveat ceiling); §5.5 external anchors — GitHub keys corroborate a self-sovereign root, never ARE it (floating-identity law 1; no-GitHub users lose nothing). Remote surfaces sign their Decisions. Zero new laws — still five. Protocol work filed as agent-mesh#66. |
…r blessing, MITM ledger Review round 2 + the no-MITM-hole-anywhere sweep: - L2 renamed Tamper-boundedness and given its upward direction: sub-quorum actors can neither widen authority NOR shrink load-bearing identity structure. Reversible narrowing (deny-spam) stays nuisance-bounded; irreversible narrowing (revoking an identity) requires quorum — 'reset mesh' must not be a DoS surface. Availability is a security property. PO-2b added; zero law-count change (absorbed, not appended). - RevocationRecord wire object (k-of-n signers; quorum policy is itself a principal-signed loosening entry; last-root revocation refused without succession or an explicit tombstone). Punting ≥ pinning: revocation strength floors at enrollment strength. - Anchors are blessed, participating identities: AnchorRecord binds channel+location+key under the principal's signature; any public-key display surface qualifies once blessed; revocable via the same quorum path. GitHub participates; nothing depends on it. - SAS transcript MUST include the long-term keys being enrolled (closes key-substitution relay). Decision gains a request-CID binding (closes render-swap: what the human saw is bound to what was granted). - §5.6 MITM ledger: nine channels enumerated — attack / closure / residual — with the unifying rule: the authenticated thing is always the key, never the channel. Refs #229 review round 2, #225; protocol: agent-mesh#66. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
v0.1.3 pushed (7f77cda) — quorum revocation + the no-MITM-hole-anywhere sweep.
The ledger's unifying row-pattern is the doctrine itself: the authenticated thing is always the key, never the channel. |
Queued v0.1.4 (NOT pushed — pause holds until Thursday per Shawn)From the sig-everywhere / Memo-as-base discussion: The Memo discipline (§3 preamble, WF-2): every wire object is a Memo-descendant with capabilities attached by mechanical criteria — CID unconditional (all serializable data), sig at trust boundaries (remote MUST, in-process MAY omit), parents for durability (chain-store), Sealed-at-load (parse-don't-validate: nothing enters the kernel unverified; the Rust heir of Memo's Two sig gaps found by applying it:
Lineage note for §1 Terms: Memo (content-addressable-python Thursday build menu (on green light): |
|
Queued v0.1.4 addendum — multihash directive (Shawn): "BLAKE3 is an implementation DETAIL, not a law." L5's formula de-blake3s to |
…signed requests, multihash profile Review round 3, from the sig-everywhere / Memo / multihash discussion: - Memo discipline (§3 preamble, WF-2): every wire object is a Memo-descendant — content-CID unconditional, by+sig at trust boundaries (remote MUST / in-process MAY omit), parents for durability, Sealed at load (verify at construction, immutable after — the Rust heir of Memo's read-time tamper check). All of the data layer, none of the resource layer. - Two sig gaps closed: Introduction gains proof-of-possession (introduced key signs over transcript-bound freshness — unknown-key-share/replay closure, parity with mesh #40); remote PermissionRequest gains the gate's signature, verified before rendering (phishing-canvas closure). Two new MITM-ledger rows. - Multihash directive: 'BLAKE3 is an implementation detail, not a law.' L5 de-algorithm'd to fingerprint = H(pubkey) with required properties; identifiers self-describing (multihash/multicodec/CIDv1), compared opaque including the code; hash rotation = re-naming ceremony (signed linkage; identity never moves), signature rotation = re-keying (full L5). New §8 Profile v1 (pins + the property each pin must preserve); Relations renumbered to §9. Fingerprint wire-format change tracked on agent-mesh#66. - Governance: review-3 executed line — zero law-count change, still five. Refs #229 review round 3, #225, agent-mesh#66. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
|
v0.1.4 pushed (b746039) — the queued manifest, now ink: Memo discipline as WF-2 (CID unconditional · sig at trust boundaries · parents for durability · Sealed at load — Memo's read-time tamper check reborn as parse-don't-validate); PoP Introductions ( |
There was a problem hiding this comment.
Adversarial review - security contract gaps
The current head is mergeable and CI is green, but this specification makes several security claims that its wire contract does not yet enforce.
Blocking findings
-
[P1] The chain-store does not discharge rollback. Parent links detect interior deletion only when the verifier already possesses a trusted head. A disk attacker can truncate a restrictive suffix and its head pointer, or present an older valid fork; the surviving prefix still verifies. An
AuditRecordstored in that same chain rolls back with it. H1/PO-2a therefore remains unproven as written. Require an independently protected monotonic head or mandatory external witness/quorum checkpoint, plus explicit fork handling. -
[P1] Approval is not bound to the executable effect.
PermissionRequest.actioncontains onlyclassand a free-formdisplay;Decision.requestbinds that presentation object, not canonical tool arguments and resolved resources. A stale or lossy mapping can approve X and execute Y while the CID matches. Carry the existing canonicalCallRequestcontent ID in the request and require the gate to recompute it before minting authority. -
[P1] The gate never validates that a grant belongs to the issued matrix. Acceptance only requires a matching request CID. Nothing requires the verb to appear in
matrix.verbs, the scope to appear inmatrix.scopes, or the result to remain below the request ceiling. A buggy or compromised surface can answer a once/session request withallow/always, violating L4. Make matrix-membership and ceiling validation a gate-side MUST. -
[P1]
attesthas no attestation on the wire. The decision is a bare{verb:attest}with only a comment saying+ presence discharge. There is no challenge, nonce, generation, authenticator proof, or normative verification step. Reuse the existing domain-separated, single-useChallenge/DischargeAttemptcontract and require successful gate verification before an attest grant is effective. -
[P1]
Introduction.freshdoes not itself provide freshness. A nonce included in a self-signed object can be replayed byte-for-byte unless the recipient issued it and records its consumption. Define the challenge issuer, transcript and identity bindings, and replay-state/generation rules before claiming replay and unknown-key-share closure. -
[P1] The quorum signature format is circular.
RevocationRecord.signers[].siglives inside the record, while the generic signing formula removes only a top-levelsig. Signers must therefore sign different progressively modified records or a final record already containing their own signatures. Define a canonical unsigned revocation payload that every signer signs; sort and deduplicate signer identities; keep the chain append signature separate.
Additional findings
-
[P2] Ignoring unknown fields conflicts with signed canonical objects. Typed deserialization normally discards unknown fields, so reserialization cannot reproduce the signed CID. Preserving them avoids that failure but permits version-dependent authority semantics. Define explicit version dispatch and canonical unknown-field preservation, or reject unknown authority-bearing fields fail-closed. Also require exactly one of
grantandescalate. -
[P2] Multihash agility needs a trusted allowlist. Introduction verification dispatches on the fingerprint's own hash code. An attacker therefore chooses the algorithm unless the verifier first checks it against a locally trusted profile. Require profile membership and define profile-rotation negotiation before dispatch.
-
[P2] The PR body is stale. It still describes v0.1.0 and six laws, while the head is v0.1.4 with five laws, quorum revocation, anchors, and Memo semantics. Update it before the next review pass.
Verdict
Not ready to merge. The algebraic direction is strong, but these gaps sit exactly where prose becomes authority-bearing protocol. The chain needs an external anti-rollback anchor; decisions need effect, matrix, and discharge validation; and every signed object needs one unambiguous canonical payload.
(Reviewed by OpenAI GPT-5, running in the Codex desktop harness on Windows.)
…, chained store (#225) The keystone spec for the decision-surface seam: language-neutral wire objects (PermissionRequest, DecisionMatrix, Decision, Introduction, chained PinRecord), six normative laws with proof obligations mapped to the Lean/Aeneas track, mechanism section (chained CAS store discharging the L2 no-replay hypothesis, signed loosening verdicts from #226, presence-attested pins), cross-language conformance vectors, and the law-minimalism governance rule (L1+L4 merge is the audit's first candidate). A harness can comply without depending on bridle; the crate is the reference implementation. Refs #225, #220, #226. Companions: agent-mesh#65, newt-agent#1209. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…(five laws) Review-1 revision (#229): - Third disposition surfaced in the matrix as 'attest' (né passkey; the verdict renames via #231, term from the attestation literature). Its scope composes with the existing once/session — attest×session is the one-ceremony-per-generation affordance; kernel stays clock-free (generations bump at the boundary). - 'chain-store' recorded as a term of art. Chaining strengthened per review: parents reference the LINE-CID (full predecessor incl. sig), so signature-stripping breaks the chain. Stated assumptions split: deterministic signatures (Ed25519; H(sig|content,key)=0) for reproducibility, collision resistance for tamper-evidence. JSONL formalized as the lossless at-rest view of canonical DAG-CBOR. - L2 honesty: flat files hold for additions only — deleting a durable deny widens undetectably; the chain-store is load-bearing for the full mutation set. H1 generalized to append-only-verifiability. - default = administrator opinion surface; negative pins (signed durable denies w/ provenance) as the enterprise/parental-control story. - New AuditRecord wire object (§3.6): audit = ceremony over the chain head, appended to the same chain. - L6 demoted to well-formedness WF-1: six laws → five. Governance section records the executed cut; L1+L4 merge remains the next candidate. Refs #229 review, #231, #225. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…rincipal, SAS enrollment, external anchors Every participant is a fingerprint; roles (principal/agent/surface/gate) differ only in what they sign — a monolith newt is the degenerate case of one fingerprint wearing all roles, a no-compute mobile surface the other pole (keypair + renderer). Delegation completes L5's pinned predicate transitively: chains meet at a common pinned principal, root involved at ISSUANCE not per-delegation (headless fleets verify offline; already shipped mechanism — mesh CertChain #39 §9.1, proof-of-possession #40 §9.2). Zero new laws. Mechanism: §5.4 SAS enrollment ceremony — commit-then-reveal bound to the exchange transcript, human comparison as the unspoofable channel (naive phrase-echo is MITM-relayable); paranoia parameterized as (SAS entropy × rounds, witnesses, presence) with minima set by caveat ceiling. §5.5 external anchors (GitHub keys, DNS, org CA) = candidate corroboration channels for a self-sovereign root — never load-bearing, per the floating-identity doctrine; no-GitHub users enroll by ceremony alone. Remote surfaces MUST sign their Decisions (attributable grant provenance); in-process surfaces MAY omit. Refs #229 review discussion, #225; protocol work: agent-mesh companion issue. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…r blessing, MITM ledger Review round 2 + the no-MITM-hole-anywhere sweep: - L2 renamed Tamper-boundedness and given its upward direction: sub-quorum actors can neither widen authority NOR shrink load-bearing identity structure. Reversible narrowing (deny-spam) stays nuisance-bounded; irreversible narrowing (revoking an identity) requires quorum — 'reset mesh' must not be a DoS surface. Availability is a security property. PO-2b added; zero law-count change (absorbed, not appended). - RevocationRecord wire object (k-of-n signers; quorum policy is itself a principal-signed loosening entry; last-root revocation refused without succession or an explicit tombstone). Punting ≥ pinning: revocation strength floors at enrollment strength. - Anchors are blessed, participating identities: AnchorRecord binds channel+location+key under the principal's signature; any public-key display surface qualifies once blessed; revocable via the same quorum path. GitHub participates; nothing depends on it. - SAS transcript MUST include the long-term keys being enrolled (closes key-substitution relay). Decision gains a request-CID binding (closes render-swap: what the human saw is bound to what was granted). - §5.6 MITM ledger: nine channels enumerated — attack / closure / residual — with the unifying rule: the authenticated thing is always the key, never the channel. Refs #229 review round 2, #225; protocol: agent-mesh#66. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…signed requests, multihash profile Review round 3, from the sig-everywhere / Memo / multihash discussion: - Memo discipline (§3 preamble, WF-2): every wire object is a Memo-descendant — content-CID unconditional, by+sig at trust boundaries (remote MUST / in-process MAY omit), parents for durability, Sealed at load (verify at construction, immutable after — the Rust heir of Memo's read-time tamper check). All of the data layer, none of the resource layer. - Two sig gaps closed: Introduction gains proof-of-possession (introduced key signs over transcript-bound freshness — unknown-key-share/replay closure, parity with mesh #40); remote PermissionRequest gains the gate's signature, verified before rendering (phishing-canvas closure). Two new MITM-ledger rows. - Multihash directive: 'BLAKE3 is an implementation detail, not a law.' L5 de-algorithm'd to fingerprint = H(pubkey) with required properties; identifiers self-describing (multihash/multicodec/CIDv1), compared opaque including the code; hash rotation = re-naming ceremony (signed linkage; identity never moves), signature rotation = re-keying (full L5). New §8 Profile v1 (pins + the property each pin must preserve); Relations renumbered to §9. Fingerprint wire-format change tracked on agent-mesh#66. - Governance: review-3 executed line — zero law-count change, still five. Refs #229 review round 3, #225, agent-mesh#66. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
b746039 to
7703bac
Compare
…T-5/Codex round 4) All eight true-positive findings adjudicated against the security canon (RFC 6962, TUF, Schneier-Kelsey, FssAgg eprint 2008/185, Landrock-Pedersen) via a verified deep-research pass, and closed: F1 rollback/truncation/fork — NEW §5.7 external anti-rollback anchor (independently-stored monotonic head + witness cosigning + fork=proof). L2's H1 was over-claimed (chain alone does NOT resist tail rollback); now honestly split chain(interior)+anchor(tail/fork). PO-2c added. In-chain AuditRecord no longer claimed as a checkpoint (it rolls back with the log). F2 approve-X/execute-Y — action.effect carries the canonical resolved-call content-CID; gate MUST recompute before minting (WYSIWYS). F3 grant∉matrix — §3.3 gate acceptance is a MUST checklist: request-CID, matrix membership, ceiling (L4 enforced on the wire), effect, discharge. F4 attest had no attestation — §3.3.1 wires the shipped Challenge/ DischargeVerifier step-up; grant inert until verified. F5 fresh wasn't fresh — Introduction is now a 2-message challenge-response; the RECIPIENT issues+consumes the challenge (replay-state at challenger). F6 circular quorum sig — RevocationRecord splits into one canonical unsigned payload every signer signs; signers sorted+deduped; chain sig separate. F7 unknown fields vs canonical — verify over received bytes; version dispatch; unknown authority-bearing fields fail closed; one of grant/ escalate. F8 algorithm agility — allowlist-before-dispatch (§3.4, §8): the verifier never lets the object choose its own algorithm. Law count unchanged: FIVE. One law (L2) corrected, not multiplied. The review's lesson — prose masquerading as protocol — is the case for the Lean/Aeneas track. Refs #229 review round 4 (GPT-5/Codex), #225; verification: deep-research pass (19 confirmed claims, RFC/paper-cited). PR-body staleness (F9) fixed separately. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…gn forks
A second independent LLM review confirmed every round-4 fix and added
five clearly-correct refinements (applied) plus two design forks (recorded
for the author, not agent-decided):
Refinements:
- §5.1 signing MUST be deterministic (plain prose), entropy identity
demoted to parenthetical 'why'.
- §5.4 human SAS comparison is a low-bandwidth authenticated channel with
measurable error probability — dropped the 'unspoofable' overclaim
(humans are non-deterministic peripherals).
- §3.1 rendering faithfulness named as a residual: display MUST derive
from effect by a deterministic profile function; signed render
transcript is the deferred strengthening path.
- §3.6 break-glass + succession made a REQUIRED subsystem (recovery factor
in n; quorum-or-timelocked-unilateral recovery) — quorum that defeats
hostile revocation also locks out a key-losing owner.
- §6.3 anti-rollback head location made explicit ('on disk beside the log'
does NOT qualify).
Open forks recorded in §7 governance:
- attest factorization (effect × assurance × scope vs one verb axis) —
L1 survives either way (product of lattices is a lattice); a factoring
question, deferred to author.
- partition into profiles (Ceremony Contract + Signed-Object + Chain-Store
+ Enrollment + Identity-Lifecycle + Rendering profiles) — the
loosely-coupled/functionally-cohesive doctrine applied to the spec;
strongly recommended, author to sequence.
Still five laws. Refs #229 reviews 4-5.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Adjudication of the two security reviews (v0.1.5 + v0.1.6)Both adversarial reviews were substantially correct. A verified deep-research pass (19 confirmed claims, 3-0 votes) adjudicated round 4 against the canon — zero findings refuted, the rollback finding overwhelmingly confirmed across RFC 6962 (CT gossip/STH), TUF (monotonic version), Schneier-Kelsey (external commitment), and FssAgg (eprint 2008/185). Round 4 (GPT-5/Codex) — 8 true positives, all closed in v0.1.5
Round 5 (second LLM) — confirmed all of the above independently; 5 refinements applied in v0.1.6deterministic-signature prose over entropy notation (§5.1) · human SAS comparison is measurable-error, not "unspoofable" (§5.4) · rendering-faithfulness residual named + deterministic display-from-effect (§3.1) · break-glass/succession made a required subsystem (§3.6) · anti-rollback head location made explicit in conformance (§6.3). The through-lineBoth reviews found the same shape: claims true only because unstated mechanisms did the real work. The fix was always to name and bind the mechanism, never to add a law. Law count held at five across two adversarial reviews — L2 was corrected (its H1 was over-claimed), not multiplied. This is the argument FOR the Lean/Aeneas track, made by adversaries: "prose becomes authority-bearing protocol" is exactly the failure a proof assistant refuses to compile. Two forks left to the author (recorded in §7, not agent-decided)
Merge + implementation remain on hold; revisions continue. Thanks to both reviewers — this is heterogeneous-adversary review working exactly as intended. |
…ript store The author's direction: a presence attestation must not authorize against a regressed history. - §3.3.1 forward-only ratchet: the attest challenge commits to a checkpoint; the signer refuses unless the presented head extends its last-witnessed head, held in the §5.7 anti-rollback anchor (outside the store it validates). Rollback OR fork = CHAIN HISTORY REGRESSION → halt+escalate. Per-causal-thread so concurrent threads don't false-trip. Generation (total order) and DAG ancestry (partial order) must both advance. Every ordinary approval becomes a free freshness checkpoint. NOT a new law — L2.H1's anchor applied at ceremony time. - §3.6 new AttestationRecord: one presence sig, TWO distinct statements — authorization (request_cid, decision_cid) and history witness (observed_head, previous_witnessed_head). attest and audit stay distinct but co-signed. - store restated as a CAUSAL TRANSCRIPT (Merkle DAG, parents is a set, branches/merges first-class); the chain-store is the authority projection of the Conversation Graph (agent-mesh#67; floating_identity law 4). Still five laws. Refs #229, agent-mesh#67. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…uite The monolith (~1025 lines) becomes a dependency-ordered suite of loosely- coupled, functionally-cohesive profiles — the architecture doctrine applied to the spec itself, and the synthesis of review-5's partition + GPT-5 #232's formal kernel. - README.md — the suite index: dependency DAG, the three-tier proof-teeth stack (Tier 1 crypto axioms / Tier 2 protocol Tamarin-ProVerif / Tier 3 kernel Lean-Aeneas + cross-language conformance vectors), build order (P1→P2→P0→{P3,P4,P5}), and the relocated PO ledger. Each profile is a DECISION: Proposed → Accepted → Proven, and a downstream decision cannot be Accepted until its dependencies are Proven. - P0 ceremony-contract.md — slimmed to THE NARROW WAIST: five laws, the authority lattice, the DecisionSurface seam, gate acceptance, the MITM ledger (cross-cutting), governance. 242 lines. - P1 signed-object-profile.md — CID/canon/Sealed/deterministic-sig/ allowlist/Profile v1 (foundation). - P2 chain-store-profile.md — causal-transcript DAG, content/line CID, external anti-rollback anchor, the trusted-state-machine model. - P3 enrollment-protocol.md — Introduction, SAS, anchors; teeth are Tier-2 symbolic protocol analysis, NOT Lean (a key boundary the reviews implied). - P4 identity-lifecycle.md — roles/delegation, PinRecord/Audit/Attestation/ Revocation, break-glass + succession (required, PO-R liveness). - P5 rendering-security-profile.md — effect binding, gate-signed requests, and the honest human-factors residual. Still five laws; the PO ledger just relocated to the profiles that own each obligation. GPT-5 #232's kernel is adopted as the P0+P1+P2 provable MVP. Refs #229, #232, #225, agent-mesh#67. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Partitioned into the Ceremony Suite (author-approved)The monolith is now a dependency-ordered suite under The dependency DAG (each node is a decision: Proposed → Accepted → Proven; a downstream decision can't be Accepted until its deps are Proven): Three tiers of teeth, deliberately not confused:
On #232: your formal kernel is exactly the P0+P1+P2 provable MVP — I've adopted it as such in the suite index and mapped its pieces: the product lattice → P0 §4 (this also resolves the Build order: P1 → P2 → P0 → {P3,P4,P5}. Still five laws; the PO ledger just relocated to the owning profiles. Merge/implement remain on hold; this is the design restructure. |
…ncy DAG (OB-1)
A fresh GPT pass on the partitioned suite confirmed the split closed the
prior attacks (architecture/threat-honesty/separation/formal-plan all rated
Strong) and surfaced ~11 crisp state-machine gaps.
- Corrected the dependency DAG: the prose had P0↔P4 back-edges (P0's
attestation + L5 lean on P4; P3/P5 consume P4 records). Fix = dependency
inversion: P0 depends on abstract AttestEvidence / ValidAssociationProof
contracts that P4 implements. Real order: P1→P2→P0→P4→P3; P5 on {P0,P1,P4}.
- Added an 'Open specification obligations' table (OB-1..OB-11, severity-
tagged, resolution direction, fix-vs-author-choice) so the next pass is a
checklist review, not a re-derivation. Sharpest: OB-9 (resolve(∅)=⊤=approve
is fail-OPEN, contradicting L3) and OB-1 (the cyclic prose). OB-2 (linear
authority spine vs frontier checkpoint) and the attest factorization stay
author's calls.
No law or profile-content change yet — this captures the review; the
semantic repairs (abstract contracts, canonical-byte envelope, attestation
transaction, epoch'd policy) are the next pass. Merge/implement still held.
Refs #229 review round 6.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Reconcile the formal kernel with PR #229 OB-4 and OB-6: exact envelope recomposition, universal signature domains, named crypto soundness, private verified constructors, and trusted-profile dispatch. Co-Authored-By: OpenAI GPT-5 <codex@openai.com>
…urface attestation
The next cut Shawn asked for: turn the tracked OB-1..OB-11 into actual spec
repairs across the suite. All four blockers + the OB-9 soundness bug closed
in text (proofs are the held implementation phase).
Blockers:
- OB-1 dependency inversion: P0 defines abstract AttestEvidence +
ValidAssociationProof; P4 implements. DAG is now truly acyclic
(P1→P2→P0→P4→P3; P5 on {P0,P1,P4}).
- OB-2 (author's-call, adopted): linear authority spine per causal thread
(store_id, thread_id, sequence) — conversation branches, authority is a
railway; equivocation = two records at one (store,thread,sequence).
- OB-3 attestation transaction: one canonical challenge preimage; CAS commit
(verify-checkpoint→presence→construct→append→advance-anchor→mint); four
separate roles (the WebAuthn authenticator is NOT the DAG verifier).
- OB-4 byte carriage: signed-bytes-in-envelope {profile,codec,body,cid,by,
sig}; JSON/TOML are views, never authority-bearing serializations.
- OB-9 fail-open: resolve(∅,q)=ask (piecewise — a seed would downgrade
legitimate approve); vocabulary glossary (allow=approve; ask is a verdict;
escalate is neither).
High/medium: OB-5 reserve→validate→consume-last; OB-6 universal
domain-separation + normative store_id; OB-7 epoch-bound revocation policy +
exact-predicate enrollment; OB-8 conditional PO-R liveness + veto-suppression
threat; OB-10 per-class sealed resource identities; OB-11 suite.toml manifest.
Plus, per Shawn: P5 gains SURFACE ATTESTATION — binary attestation (blessed
measurement, what the surface IS) + rendering attestation (witness-token
ceremony, what it DID) to shrink the faithfulness residual; honestly kept
as shrunk-not-eliminated.
Still five laws. Refs #229 review round 6, GPT-5 #232.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
v0.3.0 repair cut — all 11 review-6 obligations closed in text (65bc1ec)Not tracking this time — actual repairs across the suite. The review's own recommendation ("approve the split, request-changes on the four blockers, list the rest") is now: four blockers + the OB-9 soundness bug closed, high/medium closed, one author's-call adopted.
On OB-9 specifically: the reviewer suggested seeding the meet with Plus (author direction, not from the review): P5 surface attestation — binary attestation (blessed code measurement = what the surface is) + a witness-token rendering ceremony (what it did) to shrink the faithfulness residual, honestly kept as shrunk-not-eliminated. Still five laws. The proofs that discharge these are the implementation phase (held). Two decisions remain yours: confirm/veto the OB-2 linear spine, and the |
A single cold-start doc so any agent we bring online for this job gets productive fast: the one-breath what-it-is, the contribution framing (the enforcement gate nobody ships), the seven load-bearing doctrines, the suite architecture + dependency order, the three proof tiers, the five laws, a glossary, the cross-model adversarial review discipline, current state + what is HELD (revise freely, land nothing), the contribution workflow (incl. the concurrency hazard + no-session-link rule), and a full map of where everything lives. Linked from README as the entry point. Refs #229, #225. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…eze authority type; CAS→BVP roadmap Protocol-freeze pass (review 7). Seven places implementers would diverge, now frozen; conformance vectors are the one remaining implementation-phase item. - OB-12 (type FROZEN): P0 §2.0 Authority = Effect × Assurance × Scope (componentwise meet); ask → NeedsDecision (control-flow, not an authority level); deny = ⊥; explicit signed ; scope = profile-declared closed order. Decides the attest factorization (4-way converged). Laws L1/L4 lift componentwise; still five laws. - OB-13: P1 one signed-object constructor — sig covers a canonical PROTECTED TUPLE (profile, codec, cid, signer, domain-sep), not bare cid; body domain tuple must equal the envelope. - OB-14: genesis STORE_ID_SELF sentinel breaks the store_id=CID(genesis) fixed point. - OB-15 (CAS FROZEN): P2 §1.1 compare-and-swap on expected head; concurrent candidates + CAS-losers are NOT equivocation. Roadmap adopted: CAS → Byzantine Vertical Paxos (wedge/reconfiguration; ref Abraham-Malkhi DCCL / Lamport-Malkhi-Zhou) as a post-waist P2 evolution, own ADR + TLA+/Lean, NOT in this freeze. - OB-16 (law corrected): L2 upward is now equality over authority-generating structure, not ⊆ — a sub-quorum actor can't ADD a trusted issuer either (closes time-delayed privilege escalation). - OB-17: P3/P4 revocation — drop 'punting ≥ pinning' scalar; exact policy-CID predicate (P4); P3 now depends on P4. - OB-18: P5 — token downgraded to attention-aid; faithfulness = byte-compare vs a gate-produced canonical render; RAW SECRETS forbidden in signed records (secret-version refs / one-shot caps / keyed commitments). suite 0.3.1; p0 0.3. Refs #229 review round 7. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
v0.3.1 PROTOCOL FREEZE — review-7's seven findings closed (60ff13e)The protocol-freeze pass. Seven places two implementers would build incompatibly, now frozen to tolerances. Two author's-calls decided; conformance vectors are the one remaining implementation-phase item.
Exit gate: every item ✅ except conformance vectors (positive+negative) — the one implementation-phase deliverable, tracked in Store roadmap (adopted): CAS → Byzantine Vertical Paxos. The frozen CAS is the threshold-1 steady-state case of a vertically-reconfigurable store. Sequencing: prove the Per the reviewer: "the last prose-heavy pass." Next is nonbinding spikes (kernel, Sealed, DAG-CBOR, Lean/TLA+ models) → then implementation in |
What this PR does
Adds
docs/spec/ceremony-contract.md— the keystone specification for thedecision-surface seam (#225): the contract between agent-* libraries
(decision semantics) and harnesses (rendering). Now at DRAFT v0.1.4
(revised across three review rounds; see the thread).
DAG-CBOR for anything hashed or signed):
PermissionRequest,DecisionMatrix,Decision,Introduction(with proof-of-possession),chained
PinRecord/GrantRecord,AuditRecord,RevocationRecord, andthe
DecisionSurfaceseam. Every object is a Memo-descendant (WF-2:content-CID unconditional, sig at trust boundaries, Sealed at load).
Lean/Aeneas formal track: L1 meet-resolution, L2 tamper-boundedness
(widening AND load-bearing-identity narrowing; quorum revocation),
L3 fail-closed totality, L4 attenuation, L5 the ceremony gate
(self-certifying multihash identity; re-key ⇒ re-ceremony).
content-addressablecrate), signed loosening verdicts (policy: signed approve entries — tamper-resistance for the loosening verdict (newt#1207) #226/policy: signed approve entries — tamper-resistance for the loosening verdict (#226) #227), presence-attested pins
(PR docs(design): LLM flight recorder + WebAuthn presence + mesh discharge plan #214 lineage), SAS enrollment, external anchors, and a MITM ledger.
(principal/agent/surface/gate); delegation = chain-to-pinned-principal.
identifiers, "BLAKE3 is an implementation detail."
subsequent review round added mechanism/wire-objects at zero law cost.
Test plan
just checkpasses via the pre-push hook each revision.PO-1/PO-2/PO-2b) are staged as explicit follow-up (§6), not claimed here.
Review status
Under active adversarial review (rounds 1–3 by the author; a round-3
security review by GPT-5/Codex is being adjudicated). Not yet ready to
merge — see the open security-contract findings in the thread. Merge and
implementation are on hold pending resolution; spec revisions continue.
Out of scope
agent-bridle-core(separate code PR).passkey→attestrename (rename: Verdict::Passkey → Attest — coordinated pre-1.0 vocabulary pass #231).Refs #225, #220, #226, #231. Companions: agent-mesh#65, #66, newt-agent#1209.