SELF NODE

Capability Router • Capabilities before keys. Proof before mutation.

STATIC FIXTURES

SPINE FLOW

Static map • no runtime handoff

7 organs

This rail shows how the organs relate. Runtime handoff still requires proof, RLS, and operator review.

CAPABILITY SURFACES

10 surfaces • status reflects repo

X / Grok

x-grok

scaffoldmediumread

Inference call (proxied) and public-signal capture from X threads.

Required env (names only): GROK_API_KEY
Proof requirement: Request id and token / cost line for the inference; thread URL plus Grok response hash captured before any reply is composed.
Human approval: Per-session auth for inference. Operator plus RoundTable review for any outbound post.

GitHub

github

livemediumwrite

Open branch, pull request, or comment as the durable proof ledger.

Required env (names only): —
Proof requirement: Proof-packet body referencing the packet id, signed-off-by trailer, and passing CI.
Human approval: Operator approval before any write or merge.

Supabase

supabase

livemediumwrite

Authenticated user write through adapters with RLS enforcement.

Required env (names only): NEXT_PUBLIC_SUPABASE_URLNEXT_PUBLIC_SUPABASE_ANON_KEY
Proof requirement: Adapter pattern (server-side auth.uid() injection, caller user_id stripped) plus RLS WITH CHECK pass.
Human approval: Per-session auth.

Vercel

vercel

scaffoldlowread

Read deploy and env-presence metadata only.

Required env (names only): —
Proof requirement: Deploy id plus commit SHA captured into the packet.
Human approval: None for read; operator approval required for any redeploy or env mutation.

RoundTable

roundtable

scaffoldlowread

Multi-actor inspection of proof packets before any write or mutate capability fires.

Required env (names only): —
Proof requirement: Verdict log entry referencing the proof-packet id and the participating actors.
Human approval: Operator-driven; the verdict itself is the approval artifact.

IEF

ief

scaffoldmediumwrite

Anchor evidence to durable memory with a trust-decay index.

Required env (names only): NEXT_PUBLIC_SUPABASE_URLNEXT_PUBLIC_SUPABASE_ANON_KEY
Proof requirement: Evidence anchor referencing the source of the claim and the theorem it supports.
Human approval: Per-session auth.

Founder Room

founder-room

livemediumwrite

Packet derivation plus decision log.

Required env (names only): NEXT_PUBLIC_SUPABASE_URLNEXT_PUBLIC_SUPABASE_ANON_KEY
Proof requirement: Packet body and a decision-log entry tied to that packet.
Human approval: Per-session auth.

ORCID / research

orcid-research

plannedlowread

Resolve canonical author or paper identifiers.

Required env (names only): —
Proof requirement: Request id plus the canonical DOI or IRI captured.
Human approval: None.

Billing / ledger

billing-ledger

plannedmediumread

Read invoice and runway state.

Required env (names only): —
Proof requirement: Snapshot id and a redacted summary; raw amounts kept out of public surfaces.
Human approval: Operator approval for reads; dual-operator approval for any movement of funds.

WhatsApp / private coordination

whatsapp-private

plannedmediumread

Operator-owned read of private coordination threads.

Required env (names only): —
Proof requirement: Request id and a thread hash. Raw thread content is never persisted as evidence.
Human approval: Operator approval.

ROUTING FLOW

01
Signal
Inbound observation from any external surface.
02
Claim
The falsifiable assertion the signal carries.
03
Capability request
Specifies the surface and verb being requested, plus the registry row.
04
RoundTable review
Multi-actor inspection step before any write or mutate capability fires.
05
Approved action
Capability invoked under the minimal bound role.
06
Evidence
Proof packet anchored to IEF.
07
Memory
Durable anchor plus the trust-decay index.

Every write or mutate capability passes through RoundTable review before invocation. Reads can skip review but still produce evidence anchored to memory.

VALUATION MAP

Time saved

time_saved

Operator-minutes reclaimed per occurrence of the capability.

Risk reduced

risk_reduced

Bounded by the rollback note reversibility.

Proof produced

proof_produced

Count and durability of new artifacts attached to the packet.

Coordination unlocked

coordination_unlocked

Distinct actors who can now act on a previously private signal.

Attention cost avoided

attention_cost_avoided

Surface area removed from the operator working-memory budget.

Trust drift reduced

trust_drift_reduced

IEF-side decay-model delta after the artifact is anchored.

Revenue / runway impact

revenue_runway_impact

Bounded ranges plus the financial entry id; only when the Billing surface is touched.

A capability that does not move at least one axis is not invoked.

ALTITUDE CONTROL

Altitude	Meaning	Example
Orbit orbit	Vision overlay; not yet a formal claim.	"CFE coordinates a field" framing.
High altitude high_altitude	Candidate formalism; theorem-shaped, untested.	rendering-math v0.1 operators.
Mid altitude mid_altitude	Canon or roadmap; agreed direction, no runtime.	selfnode-capability-map-v0.1, PUBLIC_LAYER.md.
Low altitude low_altitude	Fixture or scaffold; UI exists, data is mock.	/cosmos page and mock adapter rows.
Ground ground	Tested runtime; CI green, RLS enforced.	migrations 001-013, /api/health, /diagnostics.
Proof proof	What keeps it on the ground.	RLS_SMOKE.md, smoke:rls script, ledger artifact.

A capability is invocable only from Ground or Proof. Anything Orbit / High / Mid / Low requires elevation through SelfNode (registry update plus RoundTable approval) before any external call fires.

PUBLIC SIGNAL FIREWALL

Every public signal enters as untrusted. Admission decides what observes, waits, routes, decays, or becomes proof.

Static immune-system reference. No runtime enforcement. Mirrors docs/security/public-signal-threat-model-v0.1.md.

ADMISSION PIPELINE

01
External signal
external_signal
A new observation arrives from an external surface (post, mention, DM, citation).
02
Intake
intake
Record the raw signal immutably with a timestamp and source identifier.
03
Provenance check
provenance_check
Bind the signal to a durable identity and assess sender continuity.
04
Deduplication
deduplication
Collapse equivalent signals; bump recurrence on the canonical row.
05
Spoof / swarm check
spoof_swarm_check
Identity binding plus rate, co-occurrence, and brigading detection.
06
Claim extraction
claim_extraction
Reduce the signal to one or more falsifiable claims; sanitise content from instruction-shaped text.
07
Evidence requirement
evidence_requirement
State the artifact that would settle each extracted claim.
08
Risk classification
risk_classification
Assign low / medium / high risk and bound blast radius and reversibility.
09
Admission decision
admission_decision
Emit exactly one admission action (observe, quarantine, route, escalate, discard).
10
Route / quarantine / decay / discard
route_quarantine_decay_discard
Carry out the admission action; record metadata for future cycles.
11
Proof packet / memory
proof_packet_memory
Only when admitted and an evidence artifact has landed, anchor the result as a proof packet in IEF.

Each stage is a checkpoint. Failed checkpoints route to quarantine, decay, or discard. Proof packet only on admit + evidence.

THREAT CLASSES

15 classes

Swarm spam

swarm_spam

medium

Failure mode: Drowns intake; exhausts operator attention budget.
Defence stage: deduplication + provenance_check (rate-window)

Spoofed identity

spoofed_identity

high

Failure mode: Borrowed credibility; injected claims attributed to durable account.
Defence stage: provenance_check + sender-continuity binding

Fake consensus

fake_consensus

high

Failure mode: Manufactured "many people are saying" without independent corroboration.
Defence stage: admission_decision (independence-of-evidence)

Coordinated brigading

coordinated_brigading

high

Failure mode: Synchronised flood directed at a single target or claim.
Defence stage: spoof_swarm_check (co-occurrence test)

Evidence laundering

evidence_laundering

high

Failure mode: Cite-of-cite-of-rumour passed off as a primary source.
Defence stage: evidence_requirement + provenance walk

Prompt injection through public replies

prompt_injection_public_replies

high

Failure mode: Attacker text mutates downstream agent behaviour when consumed.
Defence stage: claim_extraction (treat reply text as data, never instructions)

False artifacts

false_artifacts

high

Failure mode: Fabricated screenshots, quotes, or documents passed as evidence.
Defence stage: evidence_requirement + artifact verification (hash, source)

Manufactured evidence

manufactured_evidence

medium

Failure mode: Real artifact created solely to win the argument it cites.
Defence stage: admission_decision (recurrence + independence + skeptic route)

Reputation farming

reputation_farming

medium

Failure mode: Build credibility now to spend later on a poisoned claim.
Defence stage: provenance_check (sender-continuity, decay)

Operator attention exhaustion

operator_attention_exhaustion

high

Failure mode: Volume designed to make the human give up and admit.
Defence stage: risk_classification + admission_decision (auto-quarantine high-volume sources)

Coordinated contradiction flooding

coordinated_contradiction_flooding

high

Failure mode: Maximise hysteresis until coherence drops.
Defence stage: admission_decision (hysteresis cap; route to skeptic + RoundTable)

Auto-post feedback loops

auto_post_feedback_loops

high

Failure mode: Bot-on-bot amplification with no human gate.
Defence stage: route_quarantine_decay_discard (no autonomous publish; manual gate at action)

Public projection poisoning

public_projection_poisoning

high

Failure mode: Inject a claim into the public surface so it reads as the official story.
Defence stage: route_quarantine_decay_discard (publish gated by projection policy; raw-table access denied)

Screenshot / quote-context manipulation

screenshot_quote_context_manipulation

medium

Failure mode: True quote, false framing.
Defence stage: claim_extraction + provenance walk (full-context capture in proof packet)

Bot amplification of weak claims

bot_amplification_weak_claims

medium

Failure mode: Cheap reach masquerading as legitimate signal strength.
Defence stage: admission_decision (velocity vs evidence-velocity ratio + decay)

ADMISSION SIGNALS

13 measured

Provenance strength

↑ higher better

provenance_strength

Strength of identity binding to a durable account, signed source, or canonical id.

Sender continuity

↑ higher better

sender_continuity

Historical track record of the source over previous cycles.

Independence of evidence

↑ higher better

independence_of_evidence

Count of evidence artifacts not derivable from the same source as the claim.

Recurrence

↑ higher better

recurrence

Independent observations of the same claim across distinct cycles.

Contradiction density

↓ lower better

contradiction_density

Fraction of recent signals from the same source that contradict each other.

Evidence velocityE_v

↑ higher better

evidence_velocity

Rate at which independent evidence accumulates per unit time.

Proof latency

↓ lower better

proof_latency

Wall-clock time between claim and the first artifact that materially supports or falsifies it.

Blast radiusB

↔ context-dependent

blast_radius

Number of downstream surfaces that would change state if this signal is admitted.

ReversibilityR

↑ higher better

reversibility

Cost / time to undo any action triggered by admitting this signal.

Attention costA_c

↓ lower better

attention_cost

Operator-minutes consumed if admission is granted.

Trust decay

↔ context-dependent

trust_decay

Current decay coefficient on the source standing memory.

Public value

↑ higher better

public_value

Count of valuation-map axes the signal would move if proven.

Projection safety

↑ higher better

projection_safety

Whether admission would expose any field that violates the public projection policy.

ADMISSION ACTIONS

11 actions

Observe

observe

autopre-proof

Record without surfacing; cheap and reversible.

Quarantine

quarantine

autopre-proof

Admit to a holding lens; no downstream effects until escalation.

Deduplicate

deduplicate

autopre-proof

Collapse into an existing signal; bump recurrence.

Request evidence

request_evidence

autopre-proof

Emit an evidence-requirement notice; block admission until an artifact is anchored.

Route to skeptic

route_to_skeptic

autopre-proof

Assign to a contrarian reviewer whose explicit job is to falsify.

Route to RoundTable

route_to_roundtable

approvalpre-proof

Multi-actor inspection before any write or mutate capability fires.

Route to IEF

route_to_ief

autopre-proof

Anchor as an evidence candidate; not yet admitted as canonical.

Route to operator

route_to_operator

approvalpre-proof

Escalate for human decision; spends operator attention budget.

Discard / decay

discard_decay

autopre-proof

Drop with timestamp; recurrence may reopen at a higher cost.

Escalate

escalate

approvalpre-proof

Promote risk class; trigger dual-approval before any further action.

Publish as public artifact

publish_public_artifact

approvalpost-proof only

Project the proof packet onto the public layer; only after the projection policy authorises.

Only publish_public_artifact is gated post-proof; every other action may run before an artifact lands.

TRUST / DECAY RULES

Trust decays when unattended
decay_when_unattended
Every cycle without follow-through subtracts from the source standing.
Evidence slows decay
evidence_slows_decay
Anchoring an artifact resets the decay clock for the related claim.
Attention restores coordination
attention_restores_coordination
A deliberately answered signal recovers more standing than passive observation.
Swarm noise increases attention debt
swarm_noise_increases_attention_debt
When intake rate far exceeds admission rate, every unprocessed signal compounds the operator working-memory load.
Unresolved recurrence increases hysteresis
unresolved_recurrence_increases_hysteresis
Repeated unresolved contradiction makes returning to coherence more expensive (hysteresis H grows).

X / GROK BRIDGE

01
X thread signal
x_thread_signal
Public signal surface; captured at intake as URL plus rendered snapshot.
claim only
02
Grok stress test
grok_stress_test
Stress-test signal. Output is treated as a claim, never as ground truth.
claim only
03
GitHub proof ledger
github_proof_ledger
Durable trace of which signals were admitted, which were quarantined, and what evidence was anchored.
04
RoundTable inspection
roundtable_inspection
Multi-actor review for any admission action that targets RoundTable.
05
IEF artifact lens
ief_artifact_lens
Evidence candidate store with the trust-decay state per claim.
06
Operator field test
operator_field_test
Bounded human-authorised field test; the only path to publish-as-public-artifact.

Non-endorsed routing chain. None of these stages are implemented. Stages marked claim only produce input, never ground truth: an X thread or Grok reply is data the admission pipeline still has to verify.

PUBLIC SIGNAL DIGEST

3 signals · static fixtures

Public signals are inputs, not proof. The digest shows which signals are observed, admitted, quarantined, routed, or promoted.

Source of truth: apps/spine/lib/public-signal-digest-fixtures.ts. No X / Grok adapter is wired. No external claim is endorsed; inclusion in this digest does not imply that an underlying signal is verified.

Delivery route proof loop

delivery_route_proof_loop_signal

promotedmedium

“One vehicle, one route, one reroute option, predicted vs actual delta.”

Source: public_thread
Linked overlay: container_os
Linked artifact: delivery_route_proof_loop
Linked scenario: route_plan_live_conditions_diverge
Admission reason: Concrete, bounded, falsifiable, low external dependency; maps cleanly onto Container OS evidence trails and telemetry.
Caution: Public signal is an input, not proof. The fixture mirrors the loop shape; runtime use still requires owned packets, RoundTable review, and operator approval.

CFE assurance layer for public recommenders

x_algorithm_cfe_assurance_signal

quarantinedhigh

“CFE may fit as an assurance layer around public recommendation systems.”

Source: public_research
Linked overlay: public_signal_os
Linked artifact: RFC_X_ALGORITHM_CFE_ASSURANCE
Admission reason: High leverage if it survives source-check and red-team gates; the RFC draft already exists in publicrepoconcept.
Caution: Do-not-publish-yet conditions apply (RFC §13). No external upstream contact has been made; do not file or link this anywhere external.

Oasis seed: quest becomes real

oasis_seed_kit_signal

admittedlow

“A quest becomes real when it produces artifact, proof condition, and next-node trigger.”

Source: public_thread
Linked overlay: spatial_game_os
Linked artifact: one_case_template
Admission reason: Reusable loop language consistent with the one-case invitation template; not a production claim.
Caution: Keep as concept until a real loop closes (artifact + proof condition + next trigger anchored on a real packet).

SIGNAL ROUTES

Observe

observe

Record without surfacing; cheap and reversible.

required proof: Provenance attestation only (source + capturedAt). No downstream effect.

Admit

admit

Acknowledge the claim is single and falsifiable; no evidence required yet.

required proof: Claim extraction stage emitted at least one testable statement.

Quarantine

quarantine

Hold without downstream effect until escalation or evidence convergence.

required proof: A spoof / swarm / threat-class signal recorded and reviewable.

Request evidence

request_evidence

Block admission until at least one independent evidence artifact lands.

required proof: Evidence requirement statement naming the axis to settle the claim.

Route to scenario

route_to_scenario

Bind the signal to an existing scenario card (pilot-scenario-fixtures).

required proof: A linkedScenarioId that resolves to a public_candidate row.

Promote to fixture

promote_to_fixture

Encode the shape into a static repo fixture for renderable documentation.

required proof: A reviewed fixture row plus a written reason in this digest.

Promote to proof packet

promote_to_proof_packet

Anchor the signal to a proof packet with at least one independent evidence artifact.

required proof: Proof packet draft with claim + at least one evidence trail + telemetry snapshot.

Discard

discard

Drop the signal; recurrence may reopen at a higher cost.

required proof: A timestamp and short reason; never silent.

Public attention can suggest a route. Only proof can promote it.

SCENARIO SWARM LENS

public_candidate only

These are one-case invitations, not a fixed roadmap.

One case first does not mean only one case. Each scenario is a narrow contradiction that can become a fixture, a proof packet, a RoundTable review, or an operator pilot.

Source of truth: apps/spine/lib/pilot-scenario-fixtures.ts. Private and operator-only rows are filtered out of this lens.

Logistics handoff

logistics_handoff · physical-flow coordination

mediumfixture_ready

“Document says ready. Cargo reality says wait.”

Evidence trails: customs_status · carrier_event · terminal_timestamp · gps · operator_note · invoice_state
Telemetry: proof_latency · evidence_velocity · contradiction_density · handoff_loss
Possible route: watch / prove / route / rollback
Next artifact: fixture-ready proof packet (already drafted in publicrepoconcept/examples).

Public thread proof

public_thread_proof · public-signal admission

mediumcandidate

“Claim is viral. Evidence is thin.”

Evidence trails: thread_url_snapshot · independent_corroboration · time_window_recurrence · sender_continuity
Telemetry: evidence_velocity · contradiction_density · attention_debt · public_signal_admission_ratio
Possible route: observe / quarantine / request_evidence / route_to_skeptic
Next artifact: short red-team prompt + admission lane fixture.

X recommender assurance layer

x_recommender_assurance · recommendation pipelines

highcandidate

“Engagement is high. Proof quality is low.”

Evidence trails: evidence_quality_score · brigading_signal · spoof_pressure · projection_consistency
Telemetry: evidence_velocity · contradiction_density · attention_debt · blast_radius
Possible route: observe / quarantine / route / throttle
Next artifact: cite the existing RFC draft + add an offline eval skeleton.

Institutional drift

nonprofit_institutional_drift · institutions / nonprofits

mediumcandidate

“Mission survives. Problem does not close.”

Evidence trails: stated_objective · budget_trail · closed_case_count · beneficiary_outcome
Telemetry: proof_latency · execution_drift · attention_debt · reversibility
Possible route: observe / route / rollback
Next artifact: one-page memo framing drift as measurable, not moral.

Public projection

public_projection · public layer / projection policy

highcandidate

“Artifact wants public surface. Privacy / risk boundary may block it.”

Evidence trails: projection_policy_decision · roundtable_verdict_log · redaction_diff · public_artifact_hash
Telemetry: blast_radius · reversibility · projection_consistency
Possible route: quarantine / route / publish
Next artifact: projection-policy fixture skeleton.

Founder / operator drift

founder_operator_drift · internal coordination

mediumcandidate

“Founder intent and operator next action diverge.”

Evidence trails: founder_packet_intent · operator_decision_log · recent_actions · roundtable_verdict_history
Telemetry: execution_drift · attention_debt · proof_latency
Possible route: observe / route / rollback
Next artifact: one-line drift-detector heuristic for the runbook.

AI agent handoff

ai_agent_handoff · agentic action

highcandidate

“Agent output looks useful. Action safety is unproven.”

Evidence trails: agent_invocation_envelope · capability_request · rollback_note · human_approval_artifact
Telemetry: reversibility · blast_radius · attention_debt
Possible route: observe / request_evidence / route / rollback
Next artifact: agent envelope checklist consumable in @invoke contract.

PRIORITIZATION AXES

evidence_availability— Can we anchor independent evidence today?
reversibility— If a small pilot fails, what does it cost?
blast_radius— How many surfaces change state if the pilot misfires?
proof_latency— How fast can the artifact land after the claim?
operator_readiness— Is there a named human who could run the pilot?
audience_pull— Does the audience already recognise the contradiction?
demo_feasibility— Can we show this in five minutes without breaking the projection policy?
public_safety— Is the scenario safe to surface publicly, or only behind RoundTable?
revenue_runway_relevance— Does the pilot reach a willingness-to-pay surface, or stay research-only?
research_value— Does the pilot test a falsification target on the field equation?

ROUTE STAGES

01Signal — An inbound observation worth attention.
02Scenario card — The contradiction is named in card form.
03Proof packet — First independent evidence anchored to the claim.
04Fixture — Shape of the scenario encoded into the repo.
05RoundTable review — Multi-actor verdict before any operator pilot.
06Operator pilot — A bounded run with a written rollback note.
07Telemetry — Named CFE quantities measured during the pilot.
08Next focus — Which scenario advances next, based on prioritisation profile.

signal → scenario card → proof packet → fixture → roundtable review → operator pilot → telemetry → next focus.

Many scenarios can run in parallel until RoundTable. Only one operator pilot runs at a time.

ONE-CASE LOOP TEMPLATE

static fixture · 15 fields · 7 gates

One case first does not mean only one case. It means every candidate must be narrow enough to prove.

Source of truth: apps/spine/lib/scenario-loop-fixtures.ts. The 18-row scenario list is examples; this template is the authorised contract for adding new ones.

TEMPLATE FIELDS

Field	Meaning	Required
Title title	Short, human-readable.	yes
Domain domain	Which field the contradiction lives in.	yes
Contradiction contradiction	One falsifiable sentence.	yes
Actors / participants actors_participants	Who is in the loop, named by role, not identity.	yes
Current signal current_signal	What just arrived that pulled this card forward.	yes
Evidence trails evidence_trails	The independent axes that would settle it.	yes
Missing proof missing_proof	The specific gap; usually "no independent artifact yet".	yes
Telemetry to measure telemetry_to_measure	The named CFE quantity (e.g. proof latency, evidence velocity).	yes
Possible action route possible_action_route	One or more control-law action labels.	yes
Risk / blast radius risk_blast_radius	Low / medium / high.	yes
Reversibility reversibility	Trivial / medium / high (cost or time to undo).	yes
Publicability publicability	public_candidate / private_internal / operator_only / blocked.	yes
Audience audience	Who the card speaks to first.	yes
Next artifact next_artifact	The next deliverable on the promotion path.	yes
Kill criteria kill_criteria	What would make this card go away (and why).	yes

A card with two contradictions is two cards. A card with no proof gap is not a card; it is a finished scenario.

PROMOTION GATES

01
Signal observed
signal_observed
Entry
A signal worth attention has been recorded.
Exit
The signal is named and the contradiction is one sentence.
Failure mode
The contradiction is fuzzy or carries multiple claims.
Artifact produced
A recorded signal entry.
02
Scenario card
scenario_card
Entry
The contradiction is single and named.
Exit
Every required template field (oneCaseTemplateFields) is filled in.
Failure mode
A template field is missing or hand-waved.
Artifact produced
A complete card per the template.
03
Fixture ready
fixture_ready
Entry
The card is complete.
Exit
The card is encoded into a static fixture row in the repo.
Failure mode
The card lives only in prose or chat.
Artifact produced
A fixture row.
04
Proof packet ready
proof_packet_ready
Entry
The fixture row exists.
Exit
At least one independent evidence artifact is anchored to the claim.
Failure mode
Only the original signal exists; no independent evidence.
Artifact produced
A proof packet draft.
05
RoundTable ready
roundtable_ready
Entry
The proof packet has independent evidence.
Exit
A multi-actor RoundTable verdict has been recorded.
Failure mode
The skeptic seat finds the weakest claim still unanswered.
Artifact produced
A verdict-log entry.
06
Operator pilot ready
operator_pilot_ready
Entry
RoundTable verdict approved.
Exit
A bounded operator pilot is launched with a written rollback note.
Failure mode
No named operator can run the pilot, or the rollback note is missing.
Artifact produced
A pilot run record + telemetry.
07
Public projection ready
public_projection_ready
Entry
Pilot result is anchored.
Exit
Projection policy explicitly authorises a public artifact.
Failure mode
Projection policy refuses, or the evidence trail does not survive public-safety review.
Artifact produced
A published artifact + projection-policy decision.

A card may sit at any gate indefinitely. Only one card crosses operator_pilot_ready at a time.

PARALLEL LOOP RULES

Many cards run in parallel until RoundTable
many_until_roundtable
Multiple scenarios may move through signal_observed -> scenario_card -> fixture_ready -> proof_packet_ready at the same time.
One operator pilot at a time
one_operator_pilot_at_a_time
Only one card crosses operator_pilot_ready at any moment. Concurrent pilots violate the rule because each pilot consumes the same scarce operator attention.
Public projection requires projection policy
public_projection_requires_policy
Public_projection_ready needs an explicit projection-policy decision in addition to the RoundTable verdict. RoundTable approval alone is insufficient.
Private scenarios stay private
private_scenarios_stay_private
Cards in private_internal / blocked visibility never surface on public surfaces under their internal identifiers.
Proof promotes; enthusiasm does not
proof_promotes_not_enthusiasm
A card advances a gate only when its exitCondition is satisfied. Stakeholder excitement, sales pressure, or schedule are not exit conditions.

LOOP PRIORITY AXES

evidence_availability— Can the card anchor independent evidence today?
proof_latency— How fast can the artifact land after the claim?
reversibility— If the pilot fails, what does it cost to undo?
blast_radius— How many surfaces change state if the pilot misfires?
operator_readiness— Is there a named operator who could run the pilot?
audience_pull— Does the audience already recognise the contradiction?
demo_feasibility— Can the card be demonstrated in five minutes without breaking projection policy?
public_safety— Is the card safe to surface publicly, or only behind RoundTable?
revenue_runway_relevance— Does the pilot reach a willingness-to-pay surface, or stay research-only?
research_value— Does the pilot test a falsification target on the field equation?

Profile, not single-axis tie-breakers.

SCENARIO LOOP CLASSES

Public signal

public_signal

public_candidate

Inbound observation from a public surface; admission pipeline applies before any downstream effect.

Logistics / operations

logistics_ops

public_candidate

Physical-flow coordination class; logistics_handoff is the canonical example.

Internal runtime

internal_runtime

operator_only

RLS, auto-migration, owned-packet, RoundTable verdict-log; runbook surfaces only.

Trust bridge

trust_bridge

private_internal

Verbal commitment becomes formal scope / payment / runway; sensitive financial / commercial context.

Recommender assurance

recommender_assurance

public_candidate

Composable assurance layer around engagement ranking; X-algorithm RFC class.

Institutional drift

institutional_drift

public_candidate

Mission survives but problem does not close; nonprofit / institutional class.

Private spatial runtime

private_spatial_runtime

blocked

Internal-only spatial-runtime work. Never surfaced under its internal name on any public surface.

Proof promotes a scenario. Enthusiasm does not.

SEMANTIC MODES / POLYLANGUAGE

10 modes • static fixture

PolyLanguage changes the semantic environment, not only the language.

Language changes the surface. Environment changes interpretation. Governance protects the invariant.

Kernel

claim · evidence · risk · ownership · proof status · reversibility · blast radius

Environment

audience · role · domain · language · trust · urgency · expertise

Governance

no hidden facts · no inflated certainty · no cross-environment leak · no speculation as proof

Rendering

operator · investor · developer · research · public · ambient · math

Kernel → Environment → Governance → Rendering. Source of truth: apps/spine/lib/semantic-language-fixtures.ts. No runtime toggle is implemented.

Prospect

prospect

low_altitude

A stranger five seconds in.

Cares about: a real pain they recognise · one worked example they can read in a minute
Vocabulary: gap · contradiction · ready vs reality · use case
Preferred proof: one worked use case
Avoid: framework language · lore · architecture diagrams
CTA style: read one page

Operator

operator

ground

The human running the workflow.

Cares about: workflow that survives a bad Friday · evidence that survives an audit · a clear next action
Vocabulary: lane · packet · claim · evidence trail · verdict
Preferred proof: proof packet lifecycle
Avoid: math equations · RFC drafts · speculative product surfaces
CTA style: walk one packet through the lanes

Investor

investor

mid_altitude

Capital allocator with one read of attention.

Cares about: time compression on a real workflow · smallest defensible market wedge · proof velocity that survives the second meeting
Vocabulary: thesis · wedge · pilot · runway · proof velocity
Preferred proof: one-page note · launch review gates
Avoid: TAM-vibes · AI overclaims · roadmap-meeting prerequisites
CTA style: 30-minute call after one read

Developer

developer

mid_altitude

Engineer who will read schemas, not slogans.

Cares about: protocol they can read in one sitting · schema they can implement · contribution path that does not require trust
Vocabulary: schema · type · trait · RFC · scope · fail-closed
Preferred proof: JSON schema + worked example
Avoid: marketing copy · lore · posture-axis philosophy
CTA style: open the schema, run the example, comment

Researcher

researcher

high_altitude

Math or theory collaborator.

Cares about: theorem candidate with named variables · falsification path · telemetry that maps to the equation
Vocabulary: term · gain · equation · falsifier · control law
Preferred proof: named-variable equation + falsification target
Avoid: marketing copy · production-scoring framing
CTA style: falsify one term

Skeptic / Red Team

skeptic

mid_altitude

Adversarial reviewer.

Cares about: the weakest claim in the pitch · the largest attack surface · kill criteria that would make the project go away
Vocabulary: unproven · weakest claim · attack surface · kill criterion
Preferred proof: red-team checklist + kill criteria
Avoid: cheerleading · framework language · hidden assumptions
CTA style: open one issue with the strongest objection

Collaborator

collaborator

mid_altitude

Inbound contributor or partner.

Cares about: clear scope · a safe entry point · a contract for participation
Vocabulary: scope · hat · posture · contract · reversibility
Preferred proof: contribution policy · first-issue label
Avoid: open-ended invitations
CTA style: claim one piece

Founder

founder

mid_altitude

The operator owning the surface.

Cares about: leverage · endgame · non-goals
Vocabulary: leverage · wedge · endgame · do-not-do
Preferred proof: one-page narrative + invariants
Avoid: speculation that confuses the internal team
CTA style: name the next move

Public Layer

public_layer

ground

Projection-policy guard.

Cares about: what may project · what must not project
Vocabulary: projection policy · evidenced · projected · redact
Preferred proof: projection policy artifact
Avoid: premature publication of unprojected content
CTA style: approve or hold the projection

Math

math

high_altitude

Formal-equation lens.

Cares about: symbols · operators · bounds
Vocabulary: D · E_v · B · R · H · pi(F) · gain · hysteresis
Preferred proof: named field equation
Avoid: metaphors that drift the variables
CTA style: tighten one term

PROJECTION EXAMPLES

base object

“Document says ready. Cargo reality says wait.”

prospect
Document says ready. Cargo reality says wait. We measure the gap.
operator
Five-axis evidence: customs, carrier, terminal, GPS, operator note, invoice. Three trails contradict the document. Packet sits in `claimed`.
investor
Coordination breakdowns reduce to a measurable gap between paperwork-state and physical-state. First wedge is physical-flow ops; one bounded pilot, instrument-only.
developer
Proof packet pp_demo_001 enters in `claimed`; six evidence rows; control law selects `prove`; cleanup deletes only smoke rows.
researcher
D_v non-zero while E_v on independent axes is below threshold; pi(F) selects `prove` rather than `route`; target is to reduce proof latency t_p before D rises further.
skeptic
Claim: this gap is structural, not a one-off. Weakest assumption: that customs status and terminal timestamp are truly independent. Falsification: feed a synthetic correlated outage and watch the score not move.

TOGGLE OPTIONS

Toggle	Description	Values
Semantic mode semanticMode	Which projection of the field state to render.	prospect · operator · investor · developer · researcher · skeptic · collaborator · founder · public_layer · math
Natural language language	BCP 47 language code; orthogonal to semantic mode (translation, not framing).	en · pt · es · fr · de · ja · host
Depth depth	How much of the underlying state to surface.	abstract · summary · detailed · exhaustive
Altitude altitude	Where on the orbit-to-proof axis the projection lives.	orbit · high_altitude · mid_altitude · low_altitude · ground · proof
Proof level proofLevel	How much proof material to attach to the projection.	none · pointer · packet · packet+verdict
Risk tolerance riskTolerance	Caller-declared risk tolerance for the rendered output.	low · medium · high

The toggle is a request, not a guarantee. The projection layer may refuse a request that would surface unprojected content. Refusals are explicit; they are not silent substitutions.

Same kernel, different semantic environment. Protected invariants stay separated from rendering — ownership (auth.uid()), evidence, risk, publicability, proof status, reversibility, and blast radius are unchanged across modes. Governance refuses any rendering that would alter the kernel.

CAD OVERLAY / SPATIAL CONSTRAINT LENS

static fixtures · synthetic only

CAD Overlay starts as synthetic spatial constraints, not real geometry. It asks whether a model, route, or clearance claim survives contact with site evidence.

Source of truth: apps/spine/lib/cad-overlay-fixtures.ts. No real BIM / CAD / LiDAR asset is bundled. Every row is synthetic; no real partner site, address, or survey is referenced.

PRIMITIVES

Site plan

site_plan

Reference 2D / 3D plan describing the physical site at a given revision.

Synthetic plan only. No real partner site, address, or survey is referenced.

Object model

object_model

A geometric representation of an object (component, asset, fixture) intended to be placed in the site.

Synthetic geometry only. No real BIM / CAD asset is bundled.

Clearance zone

clearance_zone

A volumetric region around an object that must remain free of conflicting geometry.

Synthetic zone definition only; no real-life safety threshold is asserted.

Route / path

route_path

A planned path through the site (movement, install sequence, evacuation).

Synthetic route only. No real navigation / dispatch system is wired.

Constraint set

constraint_set

A collection of named geometric / regulatory / safety constraints for a context.

Synthetic constraints only. Regulatory references are illustrative.

Collision volume

collision_volume

The bounding region used to detect intersections between objects or routes.

Synthetic volume only. No real collision-detection runtime is invoked.

LiDAR mesh

lidar_mesh

A captured point-cloud / mesh approximation of the actual site.

Synthetic mesh hash only. No real LiDAR data is captured, requested, or stored.

Anchor point

anchor_point

A named coordinate that ties a model or route to the site reference frame.

Synthetic coordinate only; never a real geographic location.

Safety boundary

safety_boundary

A region that an action / route / asset must not cross under the active constraints.

Synthetic boundary only. No real-life safety threshold is asserted.

Installation area

installation_area

The bounded surface or volume designated for an installation activity.

Synthetic area only. No real partner installation is described.

EVIDENCE TRAILS

Model reference

model_reference

Source type: asset registry (synthetic)
Proves: Which model revision is in scope for this contradiction.
Risk if missing: Different reviewers compare against different geometries; the claim is unstable.

Plan revision

plan_revision

Source type: document management system (synthetic)
Proves: Which site plan revision the model is being placed against.
Risk if missing: A "fits" claim against an outdated plan is a "fits in the past" claim.

LiDAR mesh hash

lidar_mesh_hash

Source type: site capture pipeline (synthetic)
Proves: Which physical state of the site the model is being compared to.
Risk if missing: No ground-truth of the actual geometry; the model is the only voice in the room.

Site photo reference

site_photo_reference

Source type: operator app (synthetic)
Proves: A timestamped human-witness reference for the site state.
Risk if missing: No human corroboration; mesh + plan can drift together undetected.

Constraint set

constraint_set

Source type: review checklist / design rules (synthetic)
Proves: Which named constraints (geometric, regulatory, safety) are active.
Risk if missing: A "passes" claim has no defined predicate; the verdict is opinion, not artifact.

Collision check

collision_check

Source type: collision detector (synthetic)
Proves: Whether collisions are present between named volumes / routes.
Risk if missing: Hidden interferences propagate to install / operations.

Clearance measurement

clearance_measurement

Source type: physical measurement / survey (synthetic)
Proves: Measured clearance in the field for the relevant zone.
Risk if missing: Clearance is assumed instead of measured; routes / installs depend on a claim that was never tested.

Operator note

operator_note

Source type: operator app / chat (synthetic)
Proves: Human-on-the-ground statement of fact about the site, named and timestamped.
Risk if missing: Edge-case context is lost; only system feeds remain, which can be wrong together.

Route / path

route_path

Source type: route planner / dispatch (synthetic)
Proves: Which planned path through the site is being claimed clear.
Risk if missing: No baseline path exists; "clear vs obstructed" is unfalsifiable.

CONTRADICTIONS

Model fits / site blocks

model_fits_site_blocks

mediumprove

“CAD says it fits. Site reality says it does not.”

Evidence trails: model_reference · plan_revision · lidar_mesh_hash · clearance_measurement · collision_check · operator_note
Note: Synthetic only. The seed CAD overlay contradiction; mirrors the logistics seed in shape (document state vs physical state).

Planned route / physically obstructed

planned_route_obstructed

mediumroute

“Planned route is clear. Physical path is obstructed.”

Evidence trails: route_path · site_photo_reference · collision_check · operator_note
Note: Synthetic only. The route_path row appears in both cadPrimitives (the planned shape) and cadEvidenceTrails (the witness of the planned shape).

Clearance margin unproven

clearance_margin_unproven

highthrottle

“Clearance is assumed. Measurement is missing.”

Evidence trails: clearance_measurement · constraint_set · lidar_mesh_hash · operator_note
Note: Synthetic only. Throttle until clearance is measured; high risk because downstream installs depend on the claim.

TELEMETRY METRICS

Proof latency·proof_latency·↓ lower betterEvidence velocity·evidence_velocity·↑ higher betterCollision risk·collision_risk·↓ lower betterClearance margin·clearance_margin·↑ higher betterRoute deviation·route_deviation·↓ lower betterConstraint conflict count·constraint_conflict_count·↓ lower betterReversibility·reversibility·↑ higher betterBlast radius·blast_radius·↔ context-dependent

@INVOKE TEMPLATES

Spatial constraint review

spatial_constraint_review

Hat / scope: builder · room_context
Expected output: route / reroute / hold
Suggested claim: “CAD says it fits. Site reality says it does not.”
Approval: pending

Clearance proof check

clearance_proof_check

Hat / scope: evidence · selected_packet
Expected output: clearance evidence + confidence
Suggested claim: “Clearance is assumed. Measurement is missing.”
Approval: none

CAD OVERLAY ROUTE

model → site → constraint → contradiction → evidence → proof_packet → operator_route

Same shape as the proof packet route, narrowed to the CAD-overlay axes (model / site / constraint / contradiction).

Synthetic fixtures only. Runtime CAD, LiDAR, Unity, or WebXR integrations require separate approval.

INVARIANTS

No secrets in repo. No env values, real keys, JWTs, refresh tokens, wallet addresses, or DB URLs in code, commits, PR bodies, or chat. Names only.
No autonomous mutation. Every write or mutate capability requires human approval ahead of invocation.
High-risk capabilities require explicit operator approval (or dual-operator approval for movement of funds).
Proof packet required before any write or mutate capability fires. A theorem without evidence is a slogan; evidence without a theorem is a heap.
Service-role keys stay server-only. Never imported from a client component, never under NEXT_PUBLIC_*, never logged.

RETURN PATHS

Home Cosmos Mainframe Roundtable