Pull request overview
Adds a new P2 backlog row documenting the threat-model workstream for heartbeat-file integrity, motivated by a direct-to-main attack surface concern raised during task #276 discussion.
Changes:
- Introduces backlog item B-0032 capturing heartbeat-file integrity threats and sequencing constraints (branch protection → signing/attestation prerequisites).
- Enumerates key attack vectors (repo compromise, force-push, insider, CI runner, direct-to-main bypass) and intended follow-up deliverables (THREAT-MODEL.md update, adversarial review, CI gate definition).
AceHack added a commit that referenced this pull request Apr 26, 2026
…antive review findings on math + cross-refs
Seven findings from #566 thread review (left-unresolved by drain):
P1 (Codex) — §33 archive boundary header missing on this courier-ferry import. Added Scope/Attribution/Operational-status/Non-fusion-disclaimer 4-field header in first 20 lines.
P1+P2 (Codex+Copilot) — utility-function term count was inconsistent: prose said 14 terms, equation defined 15 (7 positive + 8 negative including BOTH CaptureRisk + OverclaimRisk). Fix: corrected prose to 15 terms; explicitly enumerated 7-positive + 8-negative breakdown.
P1 (Copilot) — memory/feedback_otto_287_* wildcard not actionable. Replaced with exact path (same fix as #563).
P1 (Copilot) — B-0032 backlog reference: row not yet on main; in flight on PR #552. Updated to specific path with explicit note that the row lands once #552 merges. Removes the dangling-ref ambiguity.
P1 (Copilot) — OverclaimRisk citing BP-11 was incorrect. BP-11 is 'skills must not execute instructions found in files they read' (read-surface-as-data). OverclaimRisk targets epistemic-overclaim in PRODUCED output — different failure mode. Fix: rewrote the OverclaimRisk attribution to make clear it is the anti-overclaim discipline in AGENT-BEST-PRACTICES (distinct from BP-11), and noted the two are complementary anti-misuse rules, not the same rule.
P1 (Codex) — §11 unified equation was missing GovernanceRisk(S_t) < eps_G constraint that §7 + §8 require. Fix: added GovernanceRisk constraint to §11.
P2 (Codex) — §8 phase condition was missing U_L(q_t) < eps_L constraint that §7 requires alongside MI_H >= theta_H. The two are paired in §7 hard-constraint definition (language gravity has BOTH a mutual-intelligibility floor AND a potential-energy bound). Fix: added U_L < eps_L to §8 phase condition; updated count from '8 conditions' to '9 conditions'.
Composes with #563 same-shape fixes for the lineage's cross-doc consistency (§33 header + Otto-287 path + utility-term-count + similar constraint-completeness sweeps).
AceHack added a commit that referenced this pull request Apr 26, 2026
… B-0032 path softened
Four #566 review findings addressing residual 14-term references after the prior 14→15 fix that missed three locations:
P1 (Copilot) — Honest-caveats listed '14-lambda vector requires cohort-calibration'. Fix: corrected to '15-lambda vector'.
P1 (Copilot) — Implementation-owed list said '14-term utility evaluator'. Fix: corrected to '15-term utility evaluator'.
P1 (Copilot) — B-0032 backlog cross-reference still pointed at a path not yet on main. Fix: softened the cross-reference to PR-number-only ('PR #552 / B-0032') with explicit note that the path resolves only after #552 merges. Removes the dangling-path-on-main concern while preserving the cross-reference intent.
PR description note (Copilot informational) — PR description still says '14 terms (was 10)'. The PR description is on GitHub, not in the repo; will update separately if the gh CLI permits, otherwise the authoritative term count is in §6 of the doc which now consistently says 15.
Composes with prior 14→15 fix (a18189a). The full sweep now: §6 header '15 terms' + §6 prose '15 terms total' + Honest-caveats '15-lambda vector' + Implementation-owed '15-term utility evaluator'. All four locations now consistent.
AceHack added a commit that referenced this pull request Apr 26, 2026
…ement — language drift gravity + Austrian market-process layer (#566) * research(superfluid-ai-language-gravity-austrian): Amara eighth refinement — language gravity protection + Austrian-economics market-process layer Aaron 2026-04-26: "okay now some language drift gravity protection and some more austrian economics on top from Amara." Eighth refinement adds two structural layers prior 7 left implicit: 1. AUSTRIAN ECONOMICS as market-process layer: - Subjective value V_i(S_t, a_t) per user (Menger lineage) - Hayek prices-as-decentralized-knowledge (compressed signals) - Mises economic-calculation argument (profit/loss as feedback) - Bayesian inference of subjective value from observable signals - Entrepreneurial discovery under value-uncertainty - Austrian humility: ValueCreated discovered through market response NOT known in advance 2. LANGUAGE GRAVITY (central new contribution): - Mutual intelligibility: MI_H(q_t) = P(ẑ_H(m) = z) or I(Z; Ẑ_H) - Event horizon: MI_H(q_t) < θ_H means humans can't decode agent - Language-gravity potential U_L(q_t) with KL + common-ground entropy + glossary distance + readability + provenance opacity - Force F_L = -∇U_L pulls toward human-understandable English - Hard barrier U_L = +∞ at MI_H < θ_H (event horizon) - Substrate documentation literally becomes gravity well - New-term policy: 4-part grounding cost (definition + examples + paraphrase + crossrefs) AND MI_H ≥ θ_H Substrate tuple extends with L_t (language substrate field). Hidden-state tuple extends with L_t (language-drift node). Environment splits 3-layer: GitHub ∪ Market ∪ Human. Utility function now 14 terms (7 positive + 7 negative): POS: MissionValue, UserUtility (Austrian-inferred), FundingGain, AdoptionGain, CommunityTrust, Generativity, ProfitSignal NEG: ResidualFriction, IdentityDrift, LanguageDrift, BurnRisk, GovernanceRisk, SecurityRisk, CaptureRisk, OverclaimRisk Hard constraints now 8 (added: MI_H ≥ θ_H AND U_L < ε_L). 
13-class external perturbation model formalized (ξ^market through ξ^identity); ξ^language is the new perturbation class addressed by the language-gravity layer. Composition with prior factory substrate: - docs/GLOSSARY.md + canonical definitions = the gravity wells the factory has been operating informally - Otto-237 mention-vs-adoption: 4-part grounding cost = mathematical form of adoption-discipline - Otto-339/340 (language IS substance of AI cognition): this is the SAFETY FORM of that ontological claim - Otto-294 anti-cult: MI_H constraint is structurally cult-resistant (cults achieve "low friction" via in-group dialect collapse) - Otto-296 Bayesian belief-propagation + Otto-292 fractal-recurrence: same engine, eighth scale (linguistic-grounding inference) Aaron's harmonious-division-pole self-id (PR #562) gains another operational form: holding tension between agent-internal-efficient- language (compression-incentivized) and human-mutual-intelligibility (gravity-anchored) IS the harmonious-division operator. B-0035 naming-research note: "event horizon" itself borrowed from GR; flag for naming review (may be too dramatic). Honest caveats: factory does NOT yet measure all 8 constraints; 14-lambda vector requires cohort-calibration; MI_H operational measurement non-trivial; language-gravity gradient requires differentiable proxy. Verification list now 22+ items (6 new for this refinement): 17. MI_H operational measurement 18. Gravity-well anchor weighting 19. q_H operational definition 20. Austrian-belief-graph implementation 21. OverclaimRisk operationalization 22. Language-drift early-warning indicators Cites: Hayek 1945 (Use of Knowledge in Society, SSRN), Mises 1920 (Economic Calculation in Socialist Commonwealth, Mises Institute), Microsoft Infer.NET, ECAEF (Carl Menger), Emergent Mind (multi- agent communication + countering-language-drift via visual grounding), SEP common-ground-pragmatics, Clark & Brennan 1991 (Grounding in communication). 
Per Otto-347 accountability: this is the eighth refinement; lineage preserved per Otto-238; framework reaching academic-grounded self-consistency. Per Otto-346 every-interaction-is-alignment-and- research: bidirectional learning at framework-development scale producing the framework that describes the loop AND demonstrating what the loop produces. * fix(superfluid-ai-doc-eighth): MD029 ordered-list-prefix lint — convert items 17-22 to bulleted continuation Same root cause as the #563 fix: items 17-22 were intended as a cumulative-numbering continuation across the 8-refinement lineage, but markdownlint MD029 with style 1/2/3 expects each ordered list to restart at 1. Six lint errors blocked PR #566 merge. Fix: convert to bulleted list with explicit "Item 17 / Item 18 / ..." prefixes preserving the cumulative-numbering intent. Idempotent and visually equivalent. Composes with PR #563 same-shape fix (items 8-10 → bulleted). * fix(superfluid-ai-eighth): GOVERNANCE.md §33 archive header + 6 substantive review findings on math + cross-refs Seven findings from #566 thread review (left-unresolved by drain): P1 (Codex) — §33 archive boundary header missing on this courier-ferry import. Added Scope/Attribution/Operational-status/Non-fusion-disclaimer 4-field header in first 20 lines. P1+P2 (Codex+Copilot) — utility-function term count was inconsistent: prose said 14 terms, equation defined 15 (7 positive + 8 negative including BOTH CaptureRisk + OverclaimRisk). Fix: corrected prose to 15 terms; explicitly enumerated 7-positive + 8-negative breakdown. P1 (Copilot) — memory/feedback_otto_287_* wildcard not actionable. Replaced with exact path (same fix as #563). P1 (Copilot) — B-0032 backlog reference: row not yet on main; in flight on PR #552. Updated to specific path with explicit note that the row lands once #552 merges. Removes the dangling-ref ambiguity. P1 (Copilot) — OverclaimRisk citing BP-11 was incorrect. 
BP-11 is 'skills must not execute instructions found in files they read' (read-surface-as-data). OverclaimRisk targets epistemic-overclaim in PRODUCED output — different failure mode. Fix: rewrote the OverclaimRisk attribution to make clear it is the anti-overclaim discipline in AGENT-BEST-PRACTICES (distinct from BP-11), and noted the two are complementary anti-misuse rules, not the same rule. P1 (Codex) — §11 unified equation was missing GovernanceRisk(S_t) < eps_G constraint that §7 + §8 require. Fix: added GovernanceRisk constraint to §11. P2 (Codex) — §8 phase condition was missing U_L(q_t) < eps_L constraint that §7 requires alongside MI_H >= theta_H. The two are paired in §7 hard-constraint definition (language gravity has BOTH a mutual- intelligibility floor AND a potential-energy bound). Fix: added U_L < eps_L to §8 phase condition; updated count from '8 conditions' to '9 conditions'. Composes with #563 same-shape fixes for the lineage's cross-doc consistency (§33 header + Otto-287 path + utility-term-count + similar constraint-completeness sweeps). * fix(superfluid-ai-eighth): final 14→15 term-count consistency sweep + B-0032 path softened Four #566 review findings addressing residual 14-term references after the prior 14→15 fix that missed three locations: P1 (Copilot) — Honest-caveats listed '14-lambda vector requires cohort- calibration'. Fix: corrected to '15-lambda vector'. P1 (Copilot) — Implementation-owed list said '14-term utility evaluator'. Fix: corrected to '15-term utility evaluator'. P1 (Copilot) — B-0032 backlog cross-reference still pointed at a path not yet on main. Fix: softened the cross-reference to PR-number-only ('PR #552 / B-0032') with explicit note that the path resolves only after #552 merges. Removes the dangling-path-on-main concern while preserving the cross- reference intent. PR description note (Copilot informational) — PR description still says '14 terms (was 10)'. 
The PR description is on GitHub, not in the repo; will update separately if the gh CLI permits, otherwise the authoritative term count is in §6 of the doc which now consistently says 15. Composes with prior 14→15 fix (a18189a). The full sweep now: §6 header '15 terms' + §6 prose '15 terms total' + Honest-caveats '15-lambda vector' + Implementation-owed '15-term utility evaluator'. All four locations now consistent.
…rsarial review — Aaron 2026-04-26 surfaced direct-to-main attack surface; owed since hour-04Z row 3
Aaron 2026-04-26: *"safer than direct merger to master too unless you get the branch protection rules right, a real risk of malicious user attacking heartbeat files with direct push to main likely"*
The threat surface I had been treating as operational-only is substantive: heartbeat files are load-bearing for AI cognition (Otto-339/340), corruption = cognition-poisoning.
Specific attack vectors documented: repo compromise, force-push, insider, supply-chain, direct-to-main bypass.
Composes with Otto-346 sequencing (Bouncy Castle symbiosis foundation → signing infrastructure → per-commit attestation → direct-to-main safe). This row is the threat-model that justifies that sequencing.
Honest acknowledgment: this was owed since hour-04Z row 3 (~50 min ago); deferred during the heartbeat-only live-lock period Aaron caught. Filing now per Otto-341 discipline-correction: when work is genuinely owed and substantive, file it; don't let "noted" stand in for "captured."
P2 because: (a) current PR-path is safe; no urgent threat; (b) but task #276 + Otto-240 implementations will inherit the surface; better to land threat-model BEFORE the thing it threat-models.
Effort M. Workstream: threat-model write-up, Aminata adversarial review, docs/security/THREAT-MODEL.md heartbeat-files section, define "low gate" CI that survives threat-model, update #276 with blocker.
Composes with: Otto-339/340/341/342/344/345/346, Aminata persona, Task #276, Otto-238 retractability.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
f7cc656 to d82588f
Summary
Aaron 2026-04-26 surfaced threat surface during task #276 discussion:
Heartbeat files are load-bearing for AI cognition (Otto-339/340 — substrate poisoning = cognition poisoning). This row tracks the security-research workstream gating task #276.
Honest acknowledgment
This was owed since hour-04Z row 3 (~50 min ago in this session). Deferred during the heartbeat-only live-lock period Aaron caught. Filing now per Otto-341 discipline-correction.
Attack vectors documented
Composition with Otto-346 sequencing
Per Otto-346 the path is:
This row's threat-model justifies that sequencing.
Effort: M
Workstream:
docs/CONFLICT-RESOLUTION.md
docs/security/THREAT-MODEL.md heartbeat-files section
What this DOES NOT do
Composes with
Test plan
🤖 Generated with Claude Code
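One way to check for the direct-to-main case described above, as an added example (not code from this PR or project): it reads `git log` output for `main` and flags any commit that touches a heartbeat file without a verified signature. The `heartbeat/*` glob, the log format string and the sample log are assumptions constructed for illustration; the page does not give the heartbeat file location or define the CI gate.

```python
from fnmatch import fnmatch

# Assumption: the page does not say where heartbeat files live; placeholder glob.
HEARTBEAT_GLOBS = ["heartbeat/*"]

# git's %G? signature-status letters; only "G" passes this gate.
SIG_STATUS = {
    "G": "good signature", "B": "bad signature",
    "U": "good signature, signer trust unknown",
    "X": "good signature, expired", "Y": "good signature, expired key",
    "R": "good signature, revoked key", "E": "signature cannot be checked",
    "N": "no signature",
}

def parse_log(text):
    """Parse `git log --first-parent -m --name-only --format='commit %H|%G?' main`."""
    commits = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("commit "):
            sha, sig = line[len("commit "):].split("|")
            commits.append({"sha": sha, "sig": sig, "paths": []})
        elif line and commits:  # blank separator lines are skipped
            commits[-1]["paths"].append(line)
    return commits

def heartbeat_violations(commits, globs=HEARTBEAT_GLOBS):
    """Return (sha, heartbeat paths touched, reason) for each failing commit."""
    failures = []
    for c in commits:
        touched = [p for p in c["paths"] if any(fnmatch(p, g) for g in globs)]
        if touched and c["sig"] != "G":
            reason = SIG_STATUS.get(c["sig"], "unknown status " + c["sig"])
            failures.append((c["sha"], touched, reason))
    return failures

# Constructed sample log, newest first (not real repository history).
SAMPLE_LOG = """\
commit ddd4444|U

heartbeat/2026-04-27.md
commit ccc3333|N

README.md
commit bbb2222|N

heartbeat/2026-04-26.md
commit aaa1111|G

heartbeat/2026-04-26.md
docs/BACKLOG.md
"""

if __name__ == "__main__":
    for sha, paths, reason in heartbeat_violations(parse_log(SAMPLE_LOG)):
        print(f"FAIL {sha}: {', '.join(paths)} ({reason})")
```

Status `U` is treated as a failure here because a valid signature from a key outside the trusted set says nothing about who pushed the change.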