Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ The format follows [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). Thi
## [Unreleased]

### Added
- Digital-soul contract family — identity (`IdentitySpine`, `DigitalSoulIdentity`) and reputation (`ReputationDimension`, `SacredCapitalLedger`, `PortableReputationClaim`) plus the one-way on-device bridge (`AscensionReading`), with canonical examples, a privacy-boundary + directionality validator (`tools/validate_digital_soul_examples.py`, wired into `make validate`), ADR-0013, and a contract-additions note. The canonical spine is locked to the 64-gate yi-globe with all other traditions as one-way projections; reputation binds to the reasoning-evidence fabric via `ReasoningReceipt`/`ReasoningReplayPlan` (no parallel receipt); `DigitalSoulIdentity.proofOfSelfRef` optionally anchors the constitutional soul to the verified-identity plane (`ProofOfSelfToken`).
- SourceOS interaction substrate top-level index and README discovery links for `SourceOSInteractionEvent`, generated TypeScript/Python artifacts, and the Noetica → Superconscious → AgentPlane → AgentTerm reference flow.
- Runtime observability and capability governance contracts: `CapabilityLedger`, `BrowserAutomationReceipt`, `GitWorkspaceState`, `OrphanEventReceipt`, and `RuntimeInstallReceipt` with canonical examples, validation wiring (`tools/validate_runtime_observability_examples.py`), a contract catalog, and ADR-0012.
- Reasoning run contracts: `ReasoningRun`, `ReasoningEvent`, `ReasoningReceipt`, `ReasoningReplayPlan`, and `ReasoningBenchmark` with canonical examples and a contract-additions note for the Superconscious reference loop.
Expand Down
8 changes: 6 additions & 2 deletions Makefile
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
.PHONY: validate validate-control-plane-examples validate-nlboot-examples validate-lattice-data-governai-examples validate-ops-history-examples validate-runtime-observability-examples validate-lifecycle-boundary-examples validate-svf-contracts validate-sync-cycle-receipts
.PHONY: validate validate-control-plane-examples validate-nlboot-examples validate-lattice-data-governai-examples validate-ops-history-examples validate-runtime-observability-examples validate-lifecycle-boundary-examples validate-svf-contracts validate-sync-cycle-receipts validate-digital-soul-examples

validate: validate-control-plane-examples validate-nlboot-examples validate-lattice-data-governai-examples validate-ops-history-examples validate-runtime-observability-examples validate-lifecycle-boundary-examples validate-svf-contracts validate-sync-cycle-receipts
validate: validate-control-plane-examples validate-nlboot-examples validate-lattice-data-governai-examples validate-ops-history-examples validate-runtime-observability-examples validate-lifecycle-boundary-examples validate-svf-contracts validate-sync-cycle-receipts validate-digital-soul-examples
@echo "OK: validate"

validate-control-plane-examples:
Expand Down Expand Up @@ -33,3 +33,7 @@ validate-svf-contracts:
validate-sync-cycle-receipts:
python3 -m pip install --user jsonschema >/dev/null
python3 tools/validate_sync_cycle_receipts.py

validate-digital-soul-examples:
python3 -m pip install --user jsonschema >/dev/null
python3 tools/validate_digital_soul_examples.py
72 changes: 72 additions & 0 deletions docs/adr/0013-digital-soul-identity-reputation.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,72 @@
# ADR-0013: Digital soul — identity and reputation planes

Status: Accepted
Date: 2026-06-29

## Context

The platform is adding a "digital soul" capability: a per-person identity model
drawn from a syncretic correspondence map (yi-globe, sefirot, zodiac, enneagram,
chakra, the twelve senses) plus a reputation model in the Neighbourhoods + Sacred
Capital lineage (distributed, portable, privacy-preserving). The source is a visual
map, not a written spec, so the contracts had to make the implicit architecture
explicit and safe.

Two distinct identity senses already exist in the estate and must not be conflated:

- **Verified identity** — `ProofOfSelfToken` / Identity Is Prime: *am I a real,
deduplicated subject?* (proof and entity-resolution plane).
- **Constitutional identity** — the digital soul: *who am I inwardly?* (given,
symbolic plane).

## Decisions

1. **Lock the spine.** The canonical inner object is the 64-gate yi-globe
(`IdentitySpine.canonicalSpine = "yi-globe-64gate"`, exactly 64 gates). Every
other tradition is a registered **one-way projection** (`oneWay: true`,
`sourceOfTruth: false`, `symbolic: true`) — presentation only, never writable,
never a measured or physically derived value. This honors the settled
matter/form premise without faked numeric derivations.

2. **Two planes, opposite truth-makers.** Identity is *given* and asserted
(`DigitalSoulIdentity`, private, default disclosure none). Reputation is *earned*
and witnessed (`ReputationDimension`, `SacredCapitalLedger`,
`PortableReputationClaim`). Reputation's truth-maker is the existing
reasoning-evidence fabric — attestations reference `ReasoningReceipt` /
`ReasoningReplayPlan`; no parallel receipt type is introduced.

3. **Privacy boundary by construction.** No reputation contract has any field able
to carry a given identity input (birthdate / faith / personality). The boundary
cannot be crossed by mistake; it is also machine-checked
(`tools/validate_digital_soul_examples.py`).

4. **One on-device, one-way bridge.** `AscensionReading` reads the holder's own
works-receipts back onto private inner axes ("ascension"). It is normatively
on-device and `networkServiceProhibited`: no party but the holder may compute or
store inner state. Inner state reaches the outside world only via a deliberate,
holder-minted `PortableReputationClaim`. This forecloses a "spiritual credit
score".

5. **Portable meaning, not a global score.** `ReputationDimension.latticeBinding`
expresses a community's subjective dimension in the shared spine vocabulary, so
capital is legible across neighbourhoods when bound and opaque when not.
`SacredCapitalLedger.noGlobalScore = true`; aggregation is only within a
(neighbourhood, dimension) or via a declared binding.

6. **Cross-plane anchoring is optional and pseudonymous.**
`DigitalSoulIdentity.proofOfSelfRef` may anchor the constitutional soul to a
`ProofOfSelfToken` so reputation is sybil-resistant. The anchor is pseudonymous
and carries no given-identity data. Identity Is Prime remains the proof/evidence
layer (see `identity-is-prime-reference/docs/70_PLATFORM_IDENTITY_CONTRACT_ADAPTER`);
the digital soul is a separate constitutional layer that may reference it.

## Consequences

- Conformant new schemas under `schemas/` with canonical examples, a validator wired
into `make validate`, and a contract-additions note.
- The full per-tradition correspondence tables (gate → sign/sefira/enneatype/…) are
deliberately **not** committed here: they are frontier-authored canon to be added
as separate, sourced projection data files and validated independently, rather than
fabricated inline.
- Home is `sourceos-spec` (the canonical typed-contracts repo), not
`identity-is-prime-reference` (a mathematical reference implementation).
104 changes: 104 additions & 0 deletions docs/contract-additions/digital-soul-identity-reputation.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,104 @@
# Contract additions — digital soul: identity & reputation

Adds the two-layer "digital soul" contract family: a private, given **identity**
layer and an earned, portable, privacy-preserving **reputation** layer
(Neighbourhoods + Sacred Capital lineage). Reputation binds to the existing
reasoning-evidence fabric — community attestations reference `ReasoningReceipt`
records of works; no parallel receipt type is introduced.

## Why (the three forks this closes)

1. **Lock the spine.** `IdentitySpine` commits the canonical inner object to the
64-gate yi-globe. Every other tradition (zodiac, sefirot, enneagram, chakra,
the twelve senses) is a registered one-way **projection** — presentation only,
never a writable source of truth, never a measured/derived physical value.
2. **The dimension-schema join.** `ReputationDimension.latticeBinding` expresses a
community's Sensemaker dimension in the spine's shared vocabulary (a gate or an
inner axis). This is what turns Sacred Capital from portable *data* into portable
*meaning*: bound dimensions are legible across neighbourhoods; unbound ones stay
opaque. There is never a global score.
3. **The private reading.** `AscensionReading` is the single one-way bridge from
reputation to identity: it reads the holder's own works-receipts back through the
spine to move private gate-state along its inner axes ("ascension"). It is
normatively **on-device** and **network-prohibited** — no party but the holder may
compute or store the holder's inner state. This forecloses a "spiritual credit score".

## Contracts

| Schema | Layer | Purpose |
|---|---|---|
| `IdentitySpine` | identity (public-shared) | canonical 64-gate lattice + inner axes + one-way projections |
| `DigitalSoulIdentity` | identity (agent-held-private) | per-subject given inputs + gate-state; default disclosure none |
| `AscensionReading` | bridge (agent-held-private) | on-device works→inner-axes reading; replayable |
| `ReputationDimension` | reputation | community-authored context-local dimension + optional spine binding |
| `SacredCapitalLedger` | reputation (agent-held-portable) | evidence-backed capital per (neighbourhood, dimension); no global score |
| `PortableReputationClaim` | reputation | holder-minted, signed, selective disclosure; optional witnessed ascension |

## URN identifiers

| Type | URN prefix |
|---|---|
| `IdentitySpine` | `urn:srcos:identity-spine:` |
| `DigitalSoulIdentity` | `urn:srcos:digital-soul:` |
| `AscensionReading` | `urn:srcos:ascension-reading:` |
| `ReputationDimension` | `urn:srcos:reputation-dimension:` |
| `SacredCapitalLedger` | `urn:srcos:sacred-capital:` |
| `PortableReputationClaim` | `urn:srcos:reputation-claim:` |

## Binding to the evidence fabric

Reputation is evidence-backed by reuse, not by a new receipt type:

- works/acts in the knowledge commons are recorded as `ReasoningReceipt`
(`urn:srcos:reasoning-receipt:`) on the existing v2 reasoning-evidence fabric;
- `ReputationDimension.computedOver` scores those receipts/`ReasoningEvent` types;
- `SacredCapitalLedger.entries[].evidenceRefs` and
`PortableReputationClaim.*.evidenceRefs` point at those receipts;
- `AscensionReading.replayPlanRef` may bind to a `ReasoningReplayPlan` so a reading
is replayable like any reasoning run.

## Cross-plane anchoring (verified vs constitutional identity)

Two identity senses coexist and stay separate:

- **Verified identity** — `ProofOfSelfToken` (`urn:srcos:proof-of-self:`) / Identity
Is Prime: a real, deduplicated, pseudonymous subject.
- **Constitutional identity** — `DigitalSoulIdentity`: who the person is inwardly.

`DigitalSoulIdentity.proofOfSelfRef` optionally anchors the soul to a
`ProofOfSelfToken`, which makes reputation sybil-resistant (capital accrues to a
verified subject) while leaking no given inputs — the anchor is pseudonymous.
Identity Is Prime remains the proof/evidence layer (see
`identity-is-prime-reference/docs/70_PLATFORM_IDENTITY_CONTRACT_ADAPTER`); the digital
soul references it but does not absorb it.

## Enforced invariants (machine-checked)

`tools/validate_digital_soul_examples.py` (wired into `make validate` via
`validate-digital-soul-examples`) checks, beyond JSON Schema:

- **Privacy boundary** — no reputation document may contain any given-identity key
(`birthdate` / `faith` / `personality*` / `givenInputs`). The boundary holds by
construction: the reputation schemas provide no field able to carry them.
- **Directionality** — `AscensionReading` must be on-device, `networkServiceProhibited`,
and declare works→inner-axes `allowed` / identity-inputs→reputation `forbidden`.
- **Evidence backing** — capital entries and claimed dimensions must each reference
at least one works-receipt; no document asserts a global score.
- **Spine integrity** — exactly 64 unique gates.

## Validate

```bash
make validate-digital-soul-examples
```

## CHANGELOG entry (ready to merge into [Unreleased] → Added)

- Digital-soul contract family — identity (`IdentitySpine`, `DigitalSoulIdentity`)
and reputation (`ReputationDimension`, `SacredCapitalLedger`,
`PortableReputationClaim`) plus the one-way on-device bridge (`AscensionReading`),
with canonical examples and a privacy-boundary + directionality validator
(`tools/validate_digital_soul_examples.py`). Reputation binds to the
reasoning-evidence fabric via `ReasoningReceipt`/`ReasoningReplayPlan`; the
canonical spine is locked to the 64-gate yi-globe with all other traditions as
one-way projections.
Loading
Loading