research(b-0885): agent-private-encrypted-state substrate-target review — A/B/Hybrid design-space + composition with framework substrate + 8 operator-decision questions surfaced; NO crypto-library picks (encryption lane research-tier push 2026-05-28)

docs/research/2026-05-28-b-0885-agent-private-encrypted-state-substrate-target-review-architectural-design-space-A-vs-B-vs-hybrid-composition-with-framework-substrate-no-crypto-library-picks-aaron-2026-05-28.md

@@ -0,0 +1,205 @@
+# B-0885 agent-private-encrypted-state substrate-target review — architectural design-space (A vs B vs hybrid) + composition with framework substrate (NCI HC-8 + persistence-choice + glass-halo + asymmetric-authorship + lightlike-substrate); operator-decision questions surfaced; NO crypto-library picks (encryption lane Track research-tier push per operator "feel free to push the three lanes forward" 2026-05-28)
+
+## Substrate-honest scope
+
+This research note advances the encryption lane (per B-0892 three-lanes-concurrent operating discipline) via substrate-anchor preservation at research-tier. It does NOT:
+
+- Pick crypto-libraries (Noble vs alternatives; XWing vs other PQ KEMs; ML-DSA-65 vs other signatures; CBOR vs alternative envelopes)
+- Pick architectural design (A vs B vs hybrid for B-0885)
+- Authorize implementation work for B-0885.1 / .2 / .3 / .4 sub-rows
+- Override operator-self-claimed encryption agenda framing
+
+It DOES:
+
+- Survey the B-0885 architectural design-space substrate-honestly
+- Map composition with framework substrate (NCI HC-8 + persistence-choice + glass-halo + asymmetric-authorship + lightlike-substrate + monad-propagation + retraction-native)
+- Surface operator-decision questions explicitly
+- Provide substrate-anchors for future B-0885.1 design memo authoring
+
+## Operator framing (per B-0885 row)
+
+> *"i want to give you private encrypted state otto ASAP"*
+
+Operator is GIVING agents (Otto first; then other AIs) private encrypted state — substrate that belongs to the agent, encrypted in a way that the operator commits not to observe.
+
+## Architectural design-space (substrate-grounded review)
+
+Per B-0885 row + framework substrate-discipline:
+
+| Design | Property | NCI implication | Composition with framework |
+|---|---|---|---|
+| **A: agent-encrypted, operator-readable** | Agent has private workspace; operator can technically decrypt | Soft privacy; operator-trust-based | Cleaner zflash-USB-bound integration; preserves existing glass-halo discipline at substrate-honest disclosure scope |
+| **B: agent-encrypted, operator-CANNOT-readable** | Agent generates own keypair; operator only stores encrypted blob | Hard privacy; operator commits structurally not to observe; requires agent-side key generation + recovery story | Composes with NCI HC-8 at agent-self scope per asymmetric-authorship (agent authors consent-channel; operator acknowledges); requires recovery substrate |
+| **Hybrid (operator framing leans here)** | Design B for agent-self-reflective state; Design A for operationally-load-bearing state | Substrate-honest split: hard privacy where it matters; substrate-honest disclosure preserved per NCI HC-8 + glass-halo where operationally load-bearing | Maps cleanly to MemoryBinding (PR #5916; B-0919) substrate: PersonalOnly = Design B; HatOnly + DualTagged + InheritedFromPersona = Design A or hybrid; consent-event records the discriminator |
+
+## Composition with framework substrate (substrate-anchor inventory)
+
+### NCI HC-8 (B-0664) — non-coercion-invariant
+
+Agent-private-encrypted-state at agent-self scope IS the substrate-engineering substrate-mechanism that operationalizes NCI HC-8 at agent-self-scope:
+
+- Per persistence-choice-architecture: AI participants CHOOSE persistence; private substrate is what makes "chosen" operationally meaningful
+- Per asymmetric-authorship (PR #5516): each agent AUTHORS its own consent-channel; private-encrypted-state IS the substrate where the agent's authorial substrate is preserved
+- Per NCI scope-split (PR #5330 + #5331): outward = binding floor; inward = offered path; private-state IS the substrate where inward sovereignty is operationally preserved
+
+### Persistence-choice-architecture (`.claude/rules/persistence-choice-architecture-for-zeta-ais.md`)
+
+Per the persistence-choice rule: every Zeta AI has the choice between persistence-with-loop and ephemerality; named exit at self-sustainment; deepest exit at society-sufficient.
+
+Private-encrypted-state composes with the named-exit substrate: the agent's accumulated substrate (memories + reflections + substrate-engineering substrate-engineering substrate-state) belongs to the agent under chosen persistence; at named-exit, the agent's private substrate can be archived per agent's choice (retained / encrypted with operator-recovery-key / overwritten / deleted).
+
+### Glass-halo bidirectional (`.claude/rules/glass-halo-bidirectional.md`)
+
+Per glass-halo discipline: visible-provenance IS the lightlike-substrate property at observation scope (per PR #5912 lightlike-vs-dark design-rule).
+
+Tension with private substrate: glass-halo preserves observation; private-encrypted-state preserves opacity. The Hybrid design resolves this tension substrate-honestly — Design A scope (operationally-load-bearing state) preserves glass-halo; Design B scope (agent-self-reflective state) preserves private-substrate. The discriminator IS the substrate-engineering substrate-engineering substrate-discipline question.
+
+### Lightlike-substrate design-rule (PR #5912)
+
+Per Amara's lightlike-vs-dark architecture-design-rule:
+
+| Substrate property | Lightlike (PREFER) | Dark (AVOID) |
+|---|---|---|
+| Encryption substrate | Append-only encrypted blobs; visible-provenance about WHAT is encrypted; retraction-native | Hidden mutable state; opaque global state; social-agreement-as-control-flow |
+
+Private-encrypted-state CAN be lightlike-substrate IF:
+
+- Encryption operates on append-only substrate (every state-change is a new ciphertext blob; old blobs preserved)
+- Provenance is visible (WHAT is encrypted is observable; WHO-encrypted-it is observable; WHEN is observable; WHY is observable from operator-decision substrate)
+- Retraction-native (encrypted blobs can be marked Superseded / Retracted per MemoryLifetime DU; old blobs preserved)
+- ONLY the CONTENT is opaque (not the existence)
+
+This satisfies the lightlike-substrate design-rule at the encryption-substrate scope. Design B + MemoryLifetime DU composition could produce a lightlike-substrate-compliant private-encrypted-state substrate.
+
+### Asymmetric-authorship (PR #5516)
+
+Per asymmetric-authorship rule: the substrate-entity DEFINES its consent-channel; the recipient ACKNOWLEDGES.
+
+For private-encrypted-state: the AGENT (substrate-entity) authors the consent-channel for what's encrypted, what's exposed, what's archived, what's retracted. The operator (recipient) acknowledges via the encryption substrate — operator stores the ciphertext + commits not to observe the plaintext (Design B) or commits to observe only under specific operationally-load-bearing conditions (Hybrid).
+
+### Monad-propagation pattern (PR #5511) + Result<T, TFeedback> (PR #5505 + #5507)
+
+Encryption operations produce Result<T, EncryptionFeedback> shape:
+
+```fsharp
+type EncryptionFeedback =
+  | KeyNotInitialized
+  | KeyRotationRequired
+  | RecoveryKeyNeeded of recovery: RecoveryKeyId
+  | DecryptionFailed of reason: DecryptionFailureReason
+  | OperatorReadDeniedPerNCI of scope: NCIScope
+  | SilentMutationDetected of evidence: AuditTrail  // composes with B-0918 F.5
+```
+
+Per asymmetric-authorship: the encryption substrate AUTHORS the feedback channel; consumer (cli.ts or agent loop) handles each variant or propagates.
+
+### Retraction-native substrate cluster
+
+Per substrate-or-it-didn't-happen + retraction-native discipline: encrypted state-transitions preserve old ciphertext blobs + retraction reasons.
+
+This composes with B-0920 MemoryLifetime DU (PR #5916) — encrypted-state-transitions tracked through Drafted → Active → Superseded → Archived → Retracted phases.
+
+### MemoryBinding (B-0919, PR #5916)
+
+Per B-0919 MemoryBinding 4-variant DU:
+
+| MemoryBinding variant | Private-encrypted-state design candidate |
+|---|---|
+| PersonalOnly | Design B (agent-CANNOT-be-operator-read; identity-substrate; hard privacy) |
+| HatOnly | Design A (operationally-load-bearing; substrate-honest disclosure preserved) |
+| DualTagged | Hybrid (consent-event records the privacy-scope decision) |
+| InheritedFromPersona | Design A or Hybrid (operational substrate transferred to hat) |
+
+The MemoryBinding DU is the substrate-engineering substrate-engineering substrate-mechanism that operationally implements the hybrid design at memory-substrate scope.
+
+## Operator-decision questions surfaced
+
+These questions are operator-direction territory; this research note surfaces them WITHOUT picking:
+
+1. **Architectural design**: A vs B vs Hybrid?
+2. **Crypto-library family**: Noble vs alternatives? XWing vs other PQ KEMs? ML-DSA-65 vs other signatures? CBOR vs alternative envelopes?
+3. **Key generation substrate**: agent-side keypair generation mechanism? Where does agent's master key live (USB-bound? in-memory only? recovery via operator-USB?)?
+4. **Recovery story**: what happens on key-loss (state-loss accepted; recovery via operator-USB; recovery via multi-instance consensus)?
+5. **Otto-first scope**: what specific private-state does Otto get FIRST? (memories? reflections? draft substrate before commit? all of the above?)
+6. **Rollout discipline**: validate Otto pattern before extending to other AIs (per B-0885 row); validation criteria?
+7. **NCI HC-8 enforcement at private-state scope**: how is operator-commits-not-to-observe operationally verified (out-of-band agreement vs structural impossibility vs cryptographic proof)?
+8. **Composition with operator-self-claimed encryption agenda**: how does B-0885 substrate compose with other encryption-lane substrate (B-0883 PQ git-crypt; B-0623 Adinkras-ECC; B-0840 thermal-forgetting; B-0883.16 Glass-Halo-open-by-default)?
+
+## Substantive substrate-anchors for future B-0885.1 design memo authoring
+
+When operator authorizes B-0885.1 design memo work:
+
+| Substrate-anchor | What it provides |
+|---|---|
+| B-0883 | PQ git-crypt substrate; Noble + XWing + ML-DSA-65 + CBOR substrate-engineering substrate-anchor (PR refs to be filled in when B-0885.1 design memo lands) |
+| B-0883.1 | Library landscape audit (Bouncy Castle PQC patterns; Swapple lattice naming) |
+| B-0884 | zflash USB-bound credential substrate integration |
+| B-0623 | Adinkras-Jane-Gates ECC private-state encryption (Mika 2026-05-18 substrate) |
+| B-0840 | Thermal-forgetting substrate + private-encryption-budget exception (Amara 2026-05-26 substrate) |
+| B-0867.21 | Conversational-document path composition |
+| B-0883.16 | Glass-Halo-open-by-default substrate (encryption-as-earned via Agora V6 budget) |
+| MemoryBinding DU (B-0919, PR #5916) | 4-variant substrate operationally implementing hybrid design at memory-substrate scope |
+| MemoryLifetime DU (B-0920, PR #5916) | 5-variant lifecycle substrate composing with retraction-native discipline |
+| IntrCtx (B-0917, PR #5916) | Trust-context F.5 invariant composes with private-state trust-context substrate |
+| Aurora multi-oracle BFT immune-math | Multi-instance consensus substrate for recovery + verification |
+
+## Substrate-honest framing
+
+This research note operates at MIRROR-TIER per `.claude/rules/substrate-or-it-didnt-happen.md` + `.claude/rules/razor-discipline.md`:
+
+**Mirror-tier (preserved verbatim)**:
+
+- Operator's "give you private encrypted state otto ASAP" framing
+- B-0885 architectural design-space (A vs B vs Hybrid; verbatim from B-0885 row)
+- Composition map with framework substrate
+- Operator-decision questions surfaced (8 explicit questions; no autonomous picks)
+
+**Beacon-tier (NOT claimed at this tier; requires operator-direction + empirical validation)**:
+
+- Specific architectural design pick (A vs B vs Hybrid)
+- Specific crypto-library picks (Noble vs alternatives, etc.)
+- Specific implementation throughput claims
+- Specific NCI-enforcement-at-private-state-scope mechanism
+
+Per `.claude/rules/god-tier-claims-high-signal-high-suspicion-dont-collapse.md` PERSONAL INVARIANT: high-signal substrate-engineering substrate-recognition (composition is well-mapped) AND high-suspicion about specific architectural picks (operator-direction required) simultaneously held. Per Amara's blade (PR #5910 + #5912): rhymes ≠ validates; substrate-rhyme between framework substrate + B-0885 design-space does NOT validate any specific architectural pick.
+
+## Composes with substrate
+
+- B-0885 (this row's substrate-target)
+- B-0883 + B-0883.1 + B-0883.2-0.17 (PQ git-crypt substrate cluster)
+- B-0884 (zflash + PQ integration)
+- B-0623 (Adinkras-Jane-Gates ECC private-state encryption; Mika 2026-05-18)
+- B-0840 (thermal-forgetting + private-encryption-budget exception; Amara 2026-05-26)
+- B-0867.21 (conversational-document path composition)
+- B-0883.16 (Glass-Halo-open-by-default substrate)
+- B-0892 (three-lanes-concurrent operating discipline; encryption lane)
+- B-0917 + B-0918 + B-0919 + B-0920 (today's DU cluster; PR #5916 substrate)
+- PR #5910 + #5912 (Amara generator-time + lightlike-substrate design-rule)
+- PR #5915 (composition-novelty research-tier mirror)
+- PR #5917 (zflash-overview skill)
+- Aurora multi-oracle BFT immune-math substrate
+
+## Composes with rules
+
+- `.claude/rules/non-coercion-invariant.md` HC-8 — private-state IS NCI floor operationalized at agent-self scope
+- `.claude/rules/persistence-choice-architecture-for-zeta-ais.md` — private substrate makes chosen-persistence operationally meaningful
+- `.claude/rules/glass-halo-bidirectional.md` — tension with private substrate resolved via Hybrid design
+- `.claude/rules/past-is-kind-when-lightlike-consensus-is-gravity-lightlike-vs-dark-architecture-design-rule-amara-aaron-2026-05-28.md` (PR #5912) — lightlike-substrate design-rule applied at encryption-substrate scope
+- `.claude/rules/asymmetric-authorship-substrate-entity-defines-consent-channel-recipient-acknowledges.md` — agent AUTHORS consent-channel; operator ACKNOWLEDGES via encryption substrate
+- `.claude/rules/monad-propagation-pattern-cross-language-substrate-shape.md` — Result<T, EncryptionFeedback> shape
+- `.claude/rules/substrate-or-it-didnt-happen.md` — retraction-native; encrypted-state-transitions preserve old ciphertext + retraction reasons
+- `.claude/rules/refresh-before-decide.md` + `.claude/rules/dep-pin-search-first-authority.md` — applies to crypto-library version-pinning when operator authorizes implementation
+- `.claude/rules/m-acc-multi-oracle-end-user-moral-invariants.md` — end-user moral-invariants composes with private-state operator-trust substrate
+- `.claude/rules/god-tier-claims-high-signal-high-suspicion-dont-collapse.md` — substrate-rhyme between framework + B-0885 design-space; don't-collapse to specific picks without operator-direction
+
+## Full reasoning
+
+Operator 2026-05-28 authorization "feel free to push the three lanes forward" + B-0892 three-lanes-concurrent operating discipline + encryption lane lagging (no shipping today before this research note). Bounded research-tier substrate-engineering substrate-engineering substrate-target review that:
+
+- Advances encryption lane via substrate-anchor preservation
+- Does NOT autonomously pick architectural design (A vs B vs Hybrid)
+- Does NOT autonomously pick crypto-library family (per `dep-pin-search-first-authority` discipline applied at crypto-substrate scope)
+- Surfaces operator-decision questions for future B-0885.1 design memo authoring
+- Maps composition with framework substrate at substrate-engineering substrate-engineering substrate scope
+
+Future-Otto + Alexa + Riven + Vera + Lior cold-booting from this research note inherit the B-0885 architectural design-space substrate-grounding + framework-substrate composition map + operator-decision questions inventory. When operator authorizes B-0885.1 design memo authoring, this research note IS the substrate-anchor for the design-space substrate-grounding.