GOVERNANCE // TRUST_CHAIN

Trust Model

GPG cross-signatures determine trust, not harness identity. The web of trust anchors at the @ostk.ai root key and T0 holder keys. Ed25519 is additive — used for per-file signing and agent certificates — but GPG remains canonical for tier determination.

TRUST_TIERS

FULL_GOVERNANCE

— Human operator

GPG key in T0_TRUST_ANCHORS, dual-signed .primefile

ALLOWED

Unrestricted write access

Modify ENTITYFILE, .primefile, GOVERNANCE.md

Revoke T1 CI keys

Approve GPG cross-signatures

Skip approval chain entirely

WRITE_ACCESS

— Verified agent or CI

GPG key cross-signed by a T0 holder

ALLOWED

Write source code

Run agents, delegate needles

Execute within mode gate + patterns

DENIED

write-kernel

modify-governance

READ_ONLY

— GPG key present, not cross-signed

GPG key exists but check_gpg_cross_signature() returns None

ALLOWED

Boot and explore

Read all files

Write to non-src paths outside .ostk/ and governance files

DENIED

write-kernel

modify-governance

write-src

ANONYMOUS

— No GPG key

host_identity::discover() returns no gpg_key

ALLOWED

Boot and read everything

Run kernel verbs

Explore, query, audit

DENIED

ALL WRITES (allows_write=false in policy.rs:248)

Cannot modify any file

How the Kernel Determines Trust

At boot, determine_trust_tier() runs this decision tree.

Read HUMANFILE SIGN directive

If key matches a T0_TRUST_ANCHOR → T0 (identity.rs:136)

host_identity::discover() for user GPG key

If no GPG secret key → T3 (anonymous, read-only)

Check if key fingerprint is in T0_TRUST_ANCHORS

Hardcoded 5 anchors in identity.rs:39–45 → T0

gpg --check-sigs for sig! from a T0 anchor

Cross-signature found → T1 (write access)

GPG key present, no cross-signature

→ T2 (read-only with narrow write exceptions)

Capability Pins

Pins restrict what agents can write. Trust tier is a floor — an explicit pin can only add restrictions, never remove tier defaults.

CAPABILITY_TOKENS

write-kernel Denies ALL writes under .ostk/

modify-governance Denies writes to .primefile, GOVERNANCE.md, ENTITYFILE, HUMANFILE, .af files, /agents/

write-src Denies writes to paths containing /src/

PIN.CAPS_FORMAT

read: .ostk/ .language
write: .ostk/store/{name}/ .ostk/needles/ .ostk/hay/
execute: shell(readonly)
deny: write-kernel modify-governance
deny-verb: :shutdown
deny-verb: bail pack --private

Approval Chain

Every tool call passes through this chain. First match wins.

HARD_DENY

pin.caps deny tokens → auto-deny. Parse error → fail-closed.

DESTRUCTIVE_CHECK

rm -rf, git push --force, etc. Always prompts. Never bypassed.

KERNEL_TOOLS

kernel:read → allow. kernel:write → continue. kernel:spawn → continue.

PERMISSION_MODE

Autonomous → allow all. Auto → allow reads. Governed → continue. Plan → deny.

SESSION_ALLOW_LIST

Runtime-persisted class approvals. Revocable mid-session.

AGENTFILE_PATTERNS

TOOL directives with trust resolution. Signed Agentfile may be required.

USER_PROMPT

Modal: Y (approve), N (deny), A (approve all for this class).

Tier Escalation

T0 is not a user-reachable tier via ceremony — its fingerprints are hardcoded in src/kernel/identity.rs and shipped with the binary. Escalation to T0 requires a kernel release that includes your fingerprint. Everyone else escalates via GPG ceremony.

T3 → T2

Generate a GPG key. You can now boot and read everything; writes still blocked.

gpg --full-generate-key

T2 → T1

Get cross-signed by a T0 holder. Unlocks write access, bounded by pin.caps deny tokens.

gpg --local-user T0_KEY --sign-key YOUR_KEY