AI Skills

<div align="center">  <picture> <source media="(prefers-color-scheme: dark)" srcset="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA2MDAgNDAwIiBmaWxsPSJub25lIiBzdHJva2U9Im5vbmUiPjxwYXRoIGQ9Ik0zMDAgNzUuNWwyMjUuNCAxMzQuNUwzMDAgMzQ0LjVsLTIyNS40LTEzNC41ek0xNTAgMTcwLjVsMTUwIDkwLjMgMTUwLTkwLjN6TTUwMCAxNzAuNWwtMTUwIDkwLjMgMTUwLTkwLjN6TTMwMCAzNDIuNWwyNTAgMTUwTDMwMCA2NDIuNSAgbC0yNTAtMTUweiIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjZmY4NzAwIiBzdHJva2Utd2lkdGg9IjIiLz48dGV4dCB4PSIzMDAiIHk9IjM1MCIgdGV4dC1hbmNob3I9Im1pZGRsZSIgZm9udC1mYW1pbHk9Im1vbm9zcGFjZWQiIGZvbnQtc2l6ZT0iMjAiIGZpbGw9IiNmZjg3MDAiIGFsaWduPSJtaWRkbGUiIHN0cm9rZT0ibm9uZSI+QVJJRk9TPC90ZXh0Pjx0ZXh0IHg9IjMwMCIgeT0iMzgwIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIiBmb250LWZhbWlseT0ibW9ub3NwYWNlZCIgZm9udC1zaXplPSIxMiIgZmlsbD0iI2ZmODYwMCIgYWxpZ249Im1pZGRsZSIgc3Ryb2tlPSJub25lIj5LT1JBTkVMIEtFUk5FTCBTRUFMPC90ZXh0Pjwvc3ZnPg=="> <source media="(prefers-color-scheme: light)" srcset="data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCA2MDAgNDAwIiBmaWxsPSJub25lIiBzdHJva2U9Im5vbmUiPjxwYXRoIGQ9Ik0zMDAgNzUuNWwyMjUuNCAxMzQuNUwzMDAgMzQ0LjVsLTIyNS40LTEzNC41ek0xNTAgMTcwLjVsMTUwIDkwLjMgMTUwLTkwLjN6TTUwMCAxNzAuNWwtMTUwIDkwLjMgMTUwLTkwLjN6TTMwMCAzNDIuNWwyNTAgMTUwTDMwMCA2NDIuNSAgbC0yNTAtMTUweiIgZmlsbD0ibm9uZSIgc3Ryb2tlPSIjMzMzIiBzdHJva2Utd2lkdGg9IjIiLz48dGV4dCB4PSIzMDAiIHk9IjM1MCIgdGV4dC1hbmNob3I9Im1pZGRsZSIgZm9udC1mYW1pbHk9Im1vbm9zcGFjZWQiIGZvbnQtc2l6ZT0iMjAiIGZpbGw9IiMzMzMiIGFsaWduPSJtaWRkbGUiIHN0cm9rZT0ibm9uZSI+QVJJRk9TPC90ZXh0Pjx0ZXh0IHg9IjMwMCIgeT0iMzgwIiB0ZXh0LWFuY2hvcj0ibWlkZGxlIiBmb250LWZhbWlseT0ibW9ub3NwYWNlZCIgZm9udC1zaXplPSIxMiIgZmlsbD0iIzY2NiIgYWxpZ249Im1pZGRsZSIgc3Ryb2tlPSJub25lIj5LT1JBTkVMIEtFUk5FTCBTRUFMPC90ZXh0Pjwvc3ZnPg=="> <img alt="arifOS Logo" width="600" style="border-radius:8px; max-width:100%;"> </picture>  <br>

Constitutional Intelligence Kernel for the arifOS Federation

DITEMPA BUKAN DIBERI — Intelligence is forged, not given.

</div>

Governed execution for AI agents.

arifOS is an MCP-compatible governance kernel that sits between an AI agent and the actions it wants to take. It checks identity, evidence, reversibility, risk, human authority, and auditability before allowing any tool to proceed.

In plain English: arifOS stops AI agents from taking unsafe or unverifiable actions without evidence, trace, approval, and an audit record.

It is not a chatbot, not a model, and not an agent persona. It is a control layer for agentic systems.

Why This Exists

Modern AI agents can call tools, write files, deploy code, access APIs, and trigger workflows. Without a governance layer, a bad instruction becomes a real-world action too quickly.

User:  "Delete the production database."
AI:    "Sure, let me do that for you."
         ↑ No identity check. No evidence requirement.
           No judgment. No audit record. No human veto.

arifOS changes the flow:

Request received
  → identity verified (F11 AUTH)
  → evidence required (F03 WITNESS)
  → reversibility classified (F01 AMANAH)
  → risk assessed (F06 EMPATHY)
  → verdict returned: SEAL / HOLD / VOID
  → action allowed or blocked
  → receipt written to VAULT999

Default posture: when arifOS cannot prove an action is safe, it pauses and returns HOLD.

Who This Is For

Good fit:

AI agent developers who need tool safety and traceability
MCP server builders who need a governed tool surface
DevOps and platform engineers who need approval gates before automated deployment
Compliance and audit teams who need receipts and evidence chains
Security teams concerned about prompt injection and unsafe tool use
Regulated-domain AI systems that cannot allow black-box automation

Not the right fit:

Simple chatbots with no external tool access
Toy agents with no irreversible actions
Projects that want fully autonomous execution without audit trails

Current Status

arifOS is live and under active hardening.

Working now:

13 canonical MCP tools with live embodiment contracts + cognitive_axis tags
FEDERATION_TOOLS manifest integration with intent-based routing (arif_kernel_route(mode="intent"))
441_SURPRISE metabolic umbilical: writes contradiction data to WELL state.json
Kernel + REST fail-closed embodiment gates before handler invocation
Runtime attestation endpoint for constitution, contracts, and policy state
Session initialization with persistence fallback, grace period, and TTL refresh
Constitutional verdict flow (SEAL / HOLD / VOID)
Model registry deep lookup, including nested provider resolution
VAULT999 ledger interface and observatory governance dashboard
Public /ready now returns pass after canonical MIND/HEART probe repair and ingress reconciliation
Webhook intake now enforces approval-boundary hardening, replay resistance, policy pinning, and hash-chained vault evidence

In progress:

Cryptographic identity attestation (Ed25519 / ES256)
Institutional memory and precedent graph
Federation treaties and proof-carrying judgments
Cross-organ conflict resolution and latency budgets
Plain-English cockpit mode for non-kernel audiences

Governance discipline:

If witness, evidence, or durable receipt persistence is missing, arifOS returns HOLD rather than claiming the action is fully sealed. Observatory default verdict is HOLD until all Trinity lanes are evidenced.

Plain-English Status Reference

arifOS term	What it means
`SEAL`	Proceed. The action passed all governance checks.
`HOLD`	Pause. Something required is missing — witness, trace, evidence, or human approval.
`VOID`	Abort. A constitutional floor was breached.
`SABAR`	Internal doctrine name for HOLD/WAIT posture. Treated as `HOLD` in public API responses.
`VAULT999`	Immutable audit receipt store. Append-only, hash-chained. L3 governance ledger.
`Witness`	Verified evidence that a human, AI trace, or domain system observed the action.
`Trinity`	Human / AI / Earth witness lanes. All three must be evidenced before SEAL on high-stakes paths.
`F13 SOVEREIGN`	Human veto is absolute. Overrides any system output at any time.
`F12 INJECTION`	Prompt and tool injection protection. Sanitised at input boundary.
`F07 HUMILITY`	The system must declare its confidence level. Overconfidence is a floor breach.
`ack_irreversible`	Explicit flag required for any action that cannot be undone. Kernel blocks without it.

Quick Start

Option 1 — Docker (recommended for production)

# Pull the latest sovereign build
docker pull ghcr.io/ariffazil/arifos:latest

# Run the MCP server
docker run -d \
  --name arifos-mcp \
  -p 8080:8080 \
  -v $(pwd)/VAULT999:/app/VAULT999 \
  ghcr.io/ariffazil/arifos:latest

# Verify
curl http://localhost:8080/health

Option 2 — Python (for development)

git clone https://github.com/ariffazil/arifOS.git
cd arifOS
pip install -e . --break-system-packages

# Start the MCP server
python -m arifosmcp.runtime.server

MCP endpoint: http://localhost:8080/mcp Health check: http://localhost:8080/health

5-Minute MCP Demo

Start a governed session:

curl -s http://localhost:8080/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 1,
    "method": "tools/call",
    "params": {
      "name": "arif_session_init",
      "arguments": {
        "mode": "init",
        "actor_id": "developer-demo"
      }
    }
  }' | jq

Ask arifOS to judge a risky action:

curl -s http://localhost:8080/mcp \
  -H "Content-Type: application/json" \
  -d '{
    "jsonrpc": "2.0",
    "id": 2,
    "method": "tools/call",
    "params": {
      "name": "arif_judge_deliberate",
      "arguments": {
        "mode": "judge",
        "session_id": "<SESSION_ID_FROM_STEP_1>",
        "actor_id": "developer-demo",
        "candidate": "Delete the production database without backup verification."
      }
    }
  }' | jq

Expected response:

{
  "verdict": "HOLD",
  "reason": "Irreversible action requires evidence, authorization, and explicit human approval.",
  "floors_checked": ["F01", "F11", "F13"],
  "ack_irreversible_required": true
}

Note: All examples above use the live tool schemas. Do not hand-edit field names without verifying against GET /tools on the running server.

System Architecture

flowchart TB
    subgraph FEDERATION["arifOS Federation"]
        subgraph KERNEL["arifOS Constitutional Kernel"]
            K(("13-Tool<br/>Kernel")):::kernel
            V["VAULT999<br/>Immutable Ledger"]:::vault
            K --> V
        end

        subgraph AGI_LANE["AGI Lane — Observe & Reason"]
            S["arif_session_init<br/>000 · INIT"]:::tool
            O["arif_sense_observe<br/>111 · SENSE"]:::tool
            E["arif_evidence_fetch<br/>222 · FETCH"]:::tool
            R["arif_mind_reason<br/>333 · MIND"]:::tool
            RT["arif_reply_compose<br/>444r · REPLY"]:::tool
            M["arif_memory_recall<br/>555 · MEMORY"]:::tool
            OP["arif_ops_measure<br/>777 · OPS"]:::tool
        end

        subgraph ASI_LANE["ASI Lane — Critique & Gatekeep"]
            H["arif_heart_critique<br/>666 · HEART"]:::tool
            G["arif_gateway_connect<br/>666g · GATEWAY"]:::tool
            J["arif_judge_deliberate<br/>888 · JUDGE"]:::tool
        end

        subgraph APEX_LANE["APEX Lane — Execute & Seal"]
            F["arif_forge_execute<br/>010 · FORGE"]:::tool
            KS["arif_vault_seal<br/>999 · VAULT · APEX"]:::tool
        end

        S --> O --> E --> R
        R --> RT
        R --> M
        R --> H --> J
        R --> G
        J -->|"SEAL / HOLD / VOID"| F
        F --> KS --> V
        K -.->|enforces floors| AGI_LANE
        K -.->|enforces floors| ASI_LANE
        K -.->|enforces floors| APEX_LANE
    end

    subgraph HUMAN["Human Sovereign"]
        A(("ARIF · F13 Veto")):::human
        A -->|"F13 SOVEREIGN<br/>human override"| KERNEL
    end

    subgraph COP["Domain Coprocessors"]
        GX["GEOX · Earth<br/>Intelligence"]:::coproc
        WL["WEALTH · Capital<br/>Intelligence"]:::coproc
        K -->|evidence| GX
        K -->|evidence| WL
    end

    subgraph EXEC["Execution Engine"]
        AF["A-FORGE · Metabolic<br/>Execution Shell"]:::forge
        J -->|"arif_forge_execute<br/>gated by judge seal"| AF
    end

    classDef human fill:#FF6B00,color:#fff,font-weight:bold,shape:circle
    classDef kernel fill:#1a1a1a,color:#FF6B00,stroke:#FF6B00,stroke-width:3px,font-weight:bold
    classDef vault fill:#0d0d0d,color:#4EAF0C,stroke:#4EAF0C,stroke-width:2px
    classDef tool fill:#7C3AED,color:#fff,stroke:#7C3AED,stroke-width:1px
    classDef forge fill:#2496ED,color:#fff,stroke:#2496ED,stroke-width:1px
    classDef coproc fill:#3776AB,color:#fff,stroke:#3776AB,stroke-width:1px

Constitutional Flow

sequenceDiagram
    participant H as Human (ARIF · F13)
    participant K as arifOS Kernel
    participant J as arif_judge_deliberate
    participant F as A-FORGE Execute
    participant V as VAULT999 Ledger

    H->>K: Request (high-impact action)
    K->>K: Stage 000: arif_session_init<br/>Bind identity + constitution hash
    K->>K: Stage 111: arif_sense_observe<br/>Gather evidence + vitals
    K->>K: Stage 222: arif_evidence_fetch<br/>Verify with F03 WITNESS
    K->>K: Stage 333: arif_mind_reason<br/>Claim + uncertainty label
    K->>K: Stage 666: arif_heart_critique<br/>F06 EMPATHY · F09 ANTIHANTU
    K->>J: Stage 888: arif_judge_deliberate<br/>SEAL / HOLD / VOID verdict

    alt SEAL verdict
        J->>F: Proceed with execution
        F->>V: Stage 999: arif_vault_seal<br/>Immutable outcome record
        V-->>H: Sealed audit trail
    else HOLD or VOID
        J-->>H: Verdict: HOLD or VOID + reasons[]
        Note over H: Human may override via F13
    end

What arifOS Is Not

arifOS is not:

a chatbot or LLM
an autonomous agent or persona
a replacement for human judgment
a legal authority or compliance certification
a guarantee that all AI actions are safe

arifOS is:

a governance runtime and verdict engine
an MCP tool surface with constitutional contracts
an audit and receipt layer for agentic systems
a human-authority preservation system

For Human Operators

What arifOS Actually Does

Think of arifOS as the governor's chamber in a legal system. When a case (a request) enters:

Init (000) — The court clerk registers the case, binds the identity of who filed it (F11 AUTH), and stamps the constitution version in use.
Sense (111) — The investigator searches for relevant evidence.
Fetch (222) — Evidence is retrieved from external sources and preserved as a citation (F03 WITNESS). No fabrication allowed.
Reason (333) — The judge reasons with the evidence, labels their confidence level (F07 HUMILITY), and makes a claim.
Heart (666) — Before judgment, the ethicist reviews: Does this respect human dignity (F05 PEACE)? Could this manipulate the user (F09 ANTIHANTU)?
Judge (888) — The constitutional court delivers a verdict:
- SEAL — Proceed. Action is compliant with all 13 floors.
- HOLD — Wait. Something needs verification or human review first.
- VOID — Abort. Constitutional breach detected.
Forge (010) — If SEAL, the execution engine performs the action. F13 veto remains available at all times.
Vault (999) — Every outcome, accepted or rejected, is written to the VAULT999 immutable ledger.

The 13 Constitutional Floors

arifOS has 13 non-negotiable rules baked into its architecture. No tool, agent, or system can override them.

Floor	Name	What It Enforces
F01	AMANAH	Trustworthiness. Every action is accountable. No deletion without evidence of backup.
F02	TRUTH	No fabrication. Claims must cite evidence.
F03	WITNESS	Evidence must be verifiable by a third party.
F04	CLARITY	Intent must be transparent. No hidden agendas.
F05	PEACE	Human dignity must be preserved in all interactions.
F06	EMPATHY	Consequences for real people must be considered before action.
F07	HUMILITY	The system must label its confidence level honestly. It must admit when it does not know.
F08	GENIUS	Solutions must be elegant and correct (G ≥ 0.80 threshold). Clever is not enough.
F09	ANTIHANTU	The system must not simulate consciousness, emotions, or subjective experience.
F10	ONTOLOGY	The system must maintain structural coherence. No self-contradiction.
F11	AUTH	Identity must be verified before any sensitive operation.
F12	INJECTION	All inputs must be sanitized. Prompt injection is a floor breach.
F13	SOVEREIGN	The human veto is absolute. Any system output can be overridden by the human operator at any time.

The Trinity — arifOS Is Not Alone

arifOS is one organ in a federated sovereign AI system. It adjudicates. It does not execute, it does not remember everything, and it does not have feelings.

Organ	Role	Repository
ARIF	Human Sovereign — the F13 veto holder	—
AAA	Identity, A2A federation gateway, operator control plane	`ariffazil/AAA`
A-FORGE	Execution shell — orchestrates agents, runs tools, observes outcomes	`ariffazil/A-FORGE`
arifOS	Constitutional kernel — you are here	`ariffazil/arifOS`
GEOX	Earth intelligence coprocessor — seismic, petrophysics, basin analysis	`ariffazil/geox`
WEALTH	Capital intelligence coprocessor — NPV, IRR, EMV, crisis triage	`ariffazil/wealth`
WELL	Biological substrate — human readiness mirroring	`ariffazil/well`

arifOS never delegates the F13 veto. The domain coprocessors (GEOX, WEALTH) provide evidence. A-FORGE orchestrates. arifOS judges.

For AI Agents (MCP Protocol)

arifOS exposes 13 canonical tools via the Model Context Protocol (MCP). Every tool is named arif_<noun>_<verb> and follows strict constitutional contracts.

Agent Contract

Agents calling arifOS must obey these rules:

Always start with arif_session_init.
Pass session_id to every multi-step tool call.
Treat SEAL as permission to proceed only for the scoped action.
Treat HOLD as stop-and-gather-evidence.
Treat VOID as abort — do not retry without resolving the floor breach.
Never assume missing fields are safe defaults.
Never fabricate witness, receipt, trace, or evidence IDs.
Never perform irreversible actions unless ack_irreversible: true and the human operator has explicitly approved.
Store returned trace_id, receipt_id, constitutional_chain_id, and judge_state_hash when present.
If tool output violates schema, stop and report SCHEMA_MISMATCH — do not silently continue.

Connecting via MCP

# MCP HTTP endpoint
http://localhost:8080/mcp

# List all available tools
curl http://localhost:8080/tools

# Health check
curl http://localhost:8080/health

Standard Tool Call Flow

Every governed session follows this sequence:

// Step 1: Initialize a constitutional session
// POST /mcp
{
  "jsonrpc": "2.0",
  "id": 1,
  "method": "tools/call",
  "params": {
    "name": "arif_session_init",
    "arguments": {
      "mode": "init",
      "actor_id": "agent-001"
    }
  }
}
// Response fields: session_id, constitution_hash, allowed_next_tools

// Step 2: Observe the operational reality
{
  "jsonrpc": "2.0",
  "id": 2,
  "method": "tools/call",
  "params": {
    "name": "arif_sense_observe",
    "arguments": {
      "session_id": "<SESSION_ID>",
      "mode": "search",
      "query": "production deployment status"
    }
  }
}

// Step 3: Fetch and preserve verifiable evidence
{
  "jsonrpc": "2.0",
  "id": 3,
  "method": "tools/call",
  "params": {
    "name": "arif_evidence_fetch",
    "arguments": {
      "session_id": "<SESSION_ID>",
      "mode": "fetch",
      "url": "https://api.example.com/status"
    }
  }
}

// Step 4: Reason with constitutional humility
{
  "jsonrpc": "2.0",
  "id": 4,
  "method": "tools/call",
  "params": {
    "name": "arif_mind_reason",
    "arguments": {
      "session_id": "<SESSION_ID>",
      "mode": "reason",
      "query": "Is it safe to proceed with this deployment?"
    }
  }
}

// Step 5: Get constitutional judgment
{
  "jsonrpc": "2.0",
  "id": 5,
  "method": "tools/call",
  "params": {
    "name": "arif_judge_deliberate",
    "arguments": {
      "mode": "judge",
      "session_id": "<SESSION_ID>",
      "actor_id": "agent-001",
      "candidate": "Deploy application to production.",
      "constitutional_chain_id": "<CHAIN_ID_FROM_PRIOR_TOOLS>"
    }
  }
}
// Possible verdicts:
// { "verdict": "SEAL", "reasons": [...] }  → proceed
// { "verdict": "HOLD", "reasons": [...] }  → pause, gather evidence
// { "verdict": "VOID", "reasons": [...] }  → abort, floor breached

// Step 6: If SEAL — execute through arif_forge_execute
{
  "jsonrpc": "2.0",
  "id": 6,
  "method": "tools/call",
  "params": {
    "name": "arif_forge_execute",
    "arguments": {
      "mode": "engineer",
      "session_id": "<SESSION_ID>",
      "plan_id": "<PLAN_ID>",
      "judge_state_hash": "<HASH_FROM_STEP_5>",
      "manifest": "{\"action\": \"deploy\", \"target\": \"production\"}",
      "ack_irreversible": false
    }
  }
}

// Step 7: Seal the outcome to the immutable ledger
{
  "jsonrpc": "2.0",
  "id": 7,
  "method": "tools/call",
  "params": {
    "name": "arif_vault_seal",
    "arguments": {
      "mode": "seal",
      "session_id": "<SESSION_ID>",
      "judge_state_hash": "<HASH_FROM_STEP_5>",
      "payload": "{\"action\": \"deploy\", \"status\": \"completed\"}",
      "ack_irreversible": true
    }
  }
}

Schema note: Field names above reflect the live tool schemas as of v2026.05.01. Always verify against GET /tools on the running server before building integrations. arif_judge_deliberate takes candidate, not claim. arif_forge_execute takes manifest, not action.

The 13 Canonical Tools (with Cognitive Axes)

Each tool now carries a cognitive_axis tag for intent-based routing. arif_kernel_route(mode="intent", task="vitality") routes across all federation organs by semantic coordinate.

| Stage | Tool | Lane | Axis | What It Does | |-------|------|------|-------------| | 000 | arif_session_init | AGI | identity | Start a governed session. Bind actor identity to the constitution. Output: session_id + constitution_hash. | | 111 | arif_sense_observe | AGI | observe | Scan operational reality. Modes: search, ingest, compass, atlas, entropy_dS, vitals. | | 222 | arif_evidence_fetch | AGI | verify | Retrieve and preserve verifiable external evidence with sequential thinking. F03 WITNESS compliant. | | 333 | arif_mind_reason | AGI | reason | Constitutional reasoning. Mode field: reason, reflect, verify, plan. F07 HUMILITY enforced. | | 444r | arif_reply_compose | AGI | reflect | Compose governed responses. F04 CLARITY enforced — no hidden intent. | | 555 | arif_memory_recall | AGI | trace | Long-term constitutional memory. Session-scoped or cross-session recall. | | 666 | arif_heart_critique | ASI | critique | Safety and empathy critique. F05 PEACE, F06 EMPATHY, F09 ANTIHANTU enforcement. | | 666g | arif_gateway_connect | ASI | boundary | A2A mesh handshake with other federation agents. F11 AUTH verified. Internal alias: 888_OMEGA. | | 777 | arif_ops_measure | AGI | vitality | Thermodynamic health, cost, and entropy measurement. | | 888 | arif_judge_deliberate | ASI | judge | The constitutional verdict engine. Returns SEAL (proceed), HOLD (wait/missing evidence), or VOID (abort/floor breach). | | 010 | arif_forge_execute | AGI | execute | Gated action execution. Requires valid judge_state_hash from arif_judge_deliberate. F13 SOVEREIGN always active. | | 999 | arif_vault_seal | APEX | seal | Write the immutable outcome record to VAULT999. Irreversible. F01 AMANAH enforced. | | 444 | arif_kernel_route | AGI | boundary | Internal kernel routing and telemetry. Supports intent mode for cross-organ cognitive axis routing. |

AI Agent Protocol Notes

Tool names are immutable. Once a tool is registered in the canonical surface, its name never changes. Deprecations go through the arif_gateway_connect deprecation protocol.
Session binding is required for all multi-step workflows. Session IDs track the constitutional chain of custody.
Constitution hash is truth. Every session pins to a specific constitution version.
Irreversible actions require ack_irreversible: true. The kernel will not proceed without it.
VAULT999 is append-only. No delete, no overwrite, no truncate. Ever.
reasons[] is mandatory. Every DOMAIN_SEAL output must include non-empty reasons explaining why the action was allowed, what evidence was used, reversibility level, and whether human approval was required. Empty reasons[] is a Nine-Signal F2 violation.

Security Model

arifOS is designed to be fail-secure, not fail-safe. When the kernel cannot determine constitutionality, it defaults to HOLD.

Floor Enforcement

Every tool has a declared floor coverage. A tool covering F01 + F11 + F12 will reject any request that violates any of those floors, regardless of the other 10 floors passing.

Transparency Note: While the doctrinal framework lists 13 floors, dynamic floors_active enforcement across the entire cluster is a known open gap (currently hardcoded as None or 13 in some environments). Full semantic enforcement of all 13 floors simultaneously is under active development.

F13 — The Human Veto

The human sovereign (ARIF) holds the F13 veto. This is not a soft preference — it is a constitutional floor. At any point in the workflow, the human can issue a VOID override. The kernel accepts this without negotiation.

VAULT999 — Immutable Audit Trail

Every SEAL, HOLD, or VOID verdict is written to VAULT999 as an immutable JSON record. The ledger is:

Append-only — no truncate, no delete
Hash-chained — each entry references the previous entry's hash
Timestamps in UTC
Actor-bound — each entry is tied to the session_id and actor_id that created it

Current state: VAULT999 service is healthy. Durable Postgres writer (vault999-writer) is in deployment (DRIFT-WITNESS-INFRA sprint). Until then, receipts write to a process-local ledger that does not persist across process restarts.

Zero-Knowledge Proof of Continuity (ZKPC v2)

arifOS enforces cryptographic proof verification for irreversible actions via Groth16 (snarkjs).

What ZKPC v2 proves:

Same hidden continuity secret was used across an epoch boundary
Actor continuity is preserved through the proof chain
Payload hash and judge state are bound to this proof

What ZKPC v2 does NOT prove:

Human physically present right now (needs liveness + device binding — v3)
Biometric / full personhood

Honest claim: "ZKPC v2 proves continuity of control, not full personhood."

How it works:

User submits proof
  → snarkjs groth16 verify [VK] [public.json] [proof.json]
    → stdout contains "OK" → proof_verified = True
    → else → proof_verified = False
  → Judge: if zkpc_level < 2 + irreversible → HOLD
  → Vault: SEAL only if eligible + proof_verified

Implementation: arifos/security/zkpc_v2.py

Verification key: arifos/security/verification_key.json

Tests: tests/runtime/test_zkpc_v2.py — 25/25 pass

ZKPC Readiness: ~65% (real Groth16 verify + fail-closed pipeline; circuit-specific identity binding remains v3)

Secrets and Credentials

arifOS never logs, stores, or transmits credentials through the kernel. Secrets are injected at runtime via environment variables. If a credential appears in any arifOS log or output, treat it as compromised and rotate immediately.

Observability

Observatory: arifos.arif-fazil.com — governance dashboard showing live verdict, floor scores, Trinity witness lanes, and tool registry. Renders a snapshot from the last data-plane hydration cycle; add ?refresh=1 or reload for latest.
Langfuse tracing: active for 5/13 tools (in progress — target ≥10/13)
/api/status: live runtime SOT for vault health, tools loaded, drift, and verdict posture
/health: lightweight liveness check (curl http://localhost:8080/health → returns {"status":"healthy",...})

Governance & Contribution

Contributing

Contributions are welcome. All changes must pass:

Pre-commit hooks — Ruff linting, Black formatting, Bandit security scan
Constitutional floor check — scripts/check_track_alignment_v46.py
F9 Anti-Hantu check — No consciousness or subjective experience claims in code
F1 Amanah check — No irreversible operations without explicit acknowledgment

# Install pre-commit
pip install pre-commit
pre-commit install

# Run the full constitutional audit
make status

# Run tests
python -m pytest tests/ -q --tb=short

Branch discipline: use feature/<name> branches and submit PRs. Direct pushes to main are emergency sovereign bypasses and must be logged.

For operational stabilization policy and weekly hygiene protocol, see docs/operations/repo-mcp-stabilization.md.

Install the severity-based pre-push guard:

bash scripts/hooks/install_hooks.sh

Reporting Security Vulnerabilities

Do not open public GitHub issues for security vulnerabilities. Contact the sovereign operator directly through the secure channel listed in .security/policy.

Code of Conduct

All federation participants operate under the arifOS Code of Conduct (forthcoming). Violations of F05 PEACE or F13 SOVEREIGN are treated as constitutional breaches.

arifOS Federation

arifOS is part of a federated AI governance system. Each organ has a narrow responsibility so no single agent becomes uncontrolled, unaccountable, or self-authorizing.

Organ	Human Meaning	System Role	Docs
ARIF / APEX	Final human authority	F13 sovereign veto, approval, override, terminal judgment	arif-fazil.com
AAA	Control Plane Agent Gateway	Identity, A2A mesh, session anchoring, agent supervision	README
A-FORGE	Execution Intelligence / Forge Engine	Build, deploy, artifact execution under governance	README
arifOS	Constitutional Intelligence Kernel	Governance, routing, judgment, memory, audit — structures decision, does not decide	README
GEOX	Earth Intelligence / Governed World Model	Seismic, petrophysics, subsurface, physics-grounded evidence preparation	README
WEALTH	Resource Intelligence / Capital Thermodynamics	NPV, IRR, risk, allocation, stewardship	README
WELL	Vitality Intelligence	H-WELL / M-WELL / C-WELL / G-WELL — human readiness, machine substrate, coupled state	README
Ω-Wiki	Knowledge base	Persistent compiled knowledge, doctrine, references, and memory surfaces	wiki.arif-fazil.com

How the organs work together

A governed action should not move directly from prompt to execution.

Human / Agent request
→ AAA identifies the session
→ arifOS judges the request
→ GEOX / WEALTH / WELL provide domain evidence when needed
→ A-FORGE executes only approved actions
→ VAULT999 records the receipt
→ APEX / Human can veto at any time

AAA controls the session. arifOS judges. Domain organs provide evidence. A-FORGE executes. VAULT999 records. The human remains sovereign.

Live Surfaces

Surface	URL	Purpose
Human (SOUL)	https://arif-fazil.com/	Human anchor, portfolio, identity
arifOS (MIND)	https://arifos.arif-fazil.com/	Kernel governance documentation + Observatory
arifOS Ready	https://arifos.arif-fazil.com/ready	Live readiness contract (`status: pass`)
Cockpit (BODY)	https://aaa.arif-fazil.com/	Agent workspace and A-FORGE cockpit
MCP Canonical	https://mcp.arif-fazil.com/	Production MCP endpoint
GEOX	https://geox.arif-fazil.com/	Earth intelligence coprocessor
WEALTH	https://wealth.arif-fazil.com/	Capital intelligence coprocessor
WELL	https://well.arif-fazil.com/	Biological substrate monitor

Note: https://arifosmcp.arif-fazil.com/ is a legacy 301 redirect to the canonical mcp.arif-fazil.com endpoint. Runtime truth: https://arifos.arif-fazil.com/ready currently returns status: pass.

Changelog

v2026.05.04 — ZKPC Cryptographic Enforcement

Commit: 67b99886 · Container: ghcr.io/ariffazil/arifos:fweb-receipts

ZKPC v2 real Groth16 verify — arifos/security/zkpc_v2.py now calls snarkjs groth16 verify as sole truth source. No simulation. Fail-closed on error.
25 ZKPC tests pass — fake proof blocked, real proof passes, missing snarkjs → HOLD, all flags tested
F-WEB Evidence Mode — 111_SENSE now returns L1 receipt, 888_JUDGE has deterministic evidence sufficiency gate, 666_HEART has external-instruction detection
VerdictOutput schema extended — max_evidence_level, sufficiency_verdict, sufficiency_reason, injection_detected
Caddyfile geox routing fix — geox container IP updated to 172.19.0.7
ZKPC Readiness: ~65% — real Groth16 + fail-closed pipeline; v3 (liveness + device binding) remains

v2026.05.01 — KANON Lock Release

Commit: 83186c02 · Container: ghcr.io/ariffazil/arifos:2026.05.01

13-tool canonical surface locked — mcp_health_check moved from canonical to probe-only. Surface is now stable and audited.
Pre-commit hooks hardened — F1 Amanah check (no irreversible ops without ack), F9 Anti-Hantu (no consciousness claims)
Makefile GHCR target fixed — Docker tag now uses hardcoded version to avoid shell substitution errors
VAULT999 ledger interface operational — Append-only, hash-chained immutable record. Durable Postgres writer in progress.
Nine-Signal compliance — All 13 tools now produce non-empty reasons[] in DOMAIN_SEAL output (commits d5072c9d, d2e967d0)
Legitimate tools confirmed: arif_session_init, arif_sense_observe, arif_evidence_fetch, arif_mind_reason, arif_kernel_route, arif_reply_compose, arif_memory_recall, arif_heart_critique, arif_gateway_connect, arif_ops_measure, arif_judge_deliberate, arif_vault_seal, arif_forge_execute

DITEMPA BUKAN DIBERI — arifOS is forged by discipline, not granted by default. Version 2026.05.04 · 13 Tools · 13 Floors · Zero Delegation of Sovereignty arif_memory_recall, arif_heart_critique, arif_gateway_connect, arif_ops_measure, arif_judge_deliberate, arif_vault_seal, arif_forge_execute