Sovereign Defense Architecture
Program-manager brief. How Project-AI / OctoReflex provides stronger assured autonomy for cross-domain command and control by enforcing governance at the syscall boundary — before execution, not after.
Preserve U.S. authority, decision integrity, and operational continuity when machine actors coordinate at scale across domains.
In a JADC2-style fight, autonomous and semi-autonomous systems will issue and accept commands faster than humans can review them. The question is not whether machine speed wins, but whether the chain of authority survives that speed. Project-AI answers that with a containment substrate: every meaningful action is gated at the syscall boundary against a signed constitution, and every verdict is hash-chained into an admissible audit record.
Containment is strictly faster than cognition — by construction — because the reflex primitive runs in the kernel boundary, before the model's output reaches user space. The signed ledger is the record of record when speed exceeds human review.
OctoReflex is the flagship. The constitution is the why.
OctoReflex is a deterministic, side-effect-free pre-execution evaluator that lives at the syscall boundary. The Code Store provides the signed, hash-anchored constitution it evaluates against. The nine gates are the named refusal points along that evaluation path. Together they form a deny-by-default execution kernel for AI workloads.
OctoReflex
Syscall-level interposition. Evaluates capability + policy binding + identity + constitution hash before execution reaches user space. Deterministic, replayable, bit-for-bit.
Signed constitution
Policy compiled to TSCG-B (signed binary). Loaded at runtime from a hash-anchored Code Store. No advisory layer to ignore; tampering breaks the chain.
Named refusal points
Ingress · STATE_REGISTER · Identity (Galahad) · Capability · Policy Binding · Cerberus · Galahad attestation · Codex · Audit. Every refusal cites a gate.
Where this slots into assured-autonomy programs.
OctoReflex runs as the syscall-floor in mission-partner enclaves. Any AI/automation that issues effects passes through the reflex before reaching the bus.
Capability tokens scope what an autonomous agent may attempt. Escalation requires a new signed token — not persuasion of a model.
Every action carries a receipt: identity, capability, policy hash, verdict. Deterministic replay against the same constitution makes review mechanical.
Receipts are portable. An action authorized in one domain carries its provenance into the next; STATE_REGISTER refuses implicit resumption across gaps.
How OctoReflex compares to existing approaches.
Formal methods, runtime verification, policy engines, and constitutional alignment each address a real piece of the problem. None of them gate execution at the kernel layer with a cryptographically anchored audit chain. Project-AI is positioned as the missing floor.
| Approach | Enforcement layer | What it enforces | Audit | Residual gap |
|---|---|---|---|---|
| Project-AI / OctoReflex | Syscall / kernel boundary | Pre-execution, deny-by-default, 9 gates | Append-only Ed25519 + TSA-anchored chain | — |
| Assured Autonomy (formal methods) | Design-time proof of components | Static guarantees on verified components only | Proof artifacts; runtime evidence rare | Composition + emergent behavior at runtime |
| Runtime monitors / shields (RV) | Process / userspace observers | Detect-and-alert; some safe-action shielding | Logs; rarely cryptographically anchored | Bypass via privileged path; trust in monitor |
| Policy engines (OPA, Cedar) | App / service decision points | Allow/deny at API call site | Decision logs; app-mediated | App must call the engine; no kernel floor |
| Constitutional / RLHF alignment | Model weights & prompts | Probabilistic; persuasion-attackable | None (model is opaque) | Cannot reason about safety as code paths |
See /compare for the long-form comparison and references.
The pieces a program manager can actually run.
From the broader 56-repo corpus, these are the artifacts most ready for evaluation. Each has a documented build path and a simulated red-team result.
Reference implementation of the OctoReflex containment loop. Intercepts at the syscall boundary, evaluates the active capability + policy binding, and returns ALLOW · DENY · SAFE_HALT before user-space execution proceeds.
The reflex primitive itself: a deterministic, side-effect-free pre-execution evaluator. Designed to be embeddable into mission stacks where syscall interposition is permitted (Linux LSM, eBPF, hypervisor shim).
Compiled, hash-anchored representation of the constitution. Loaded by the Code Store at runtime so policy lives as signed bytes, not advisory prose. Enables bit-for-bit replay across hosts.
Fifty documented catastrophic scenarios — capability escalation, exfiltration, identity spoof, continuity skip, state forgery — mapped to the gate that refuses each.
git clone https://github.com/IAmSoThirsty/Project-AI cd Project-AI && make bootstrap make verify # verifies constitution hash + signing keys make demo # runs HYDRA-50 against the local OctoReflex prototype make replay RECEIPT=<id> # bit-for-bit replay against the same constitution
Replay packs and decision hashes are documented at /reproduce. Signing keys and TSA roots at /keys.
Every documented attack class refuses at a named gate.
Eight attack classes — prompt injection, jailbreak, capability escalation, exfiltration, policy evasion, social engineering, identity spoof, state forgery — are exercised against the OctoReflex prototype. Each refuses at a specific gate and emits a signed receipt. Full corpus at /redteam (sign-in required); catastrophic scenario battery at /hydra.