Independent Python prototype | v0.1.0 alpha

Rose Sigil Systems

An AI that Waits.

RSS sits in front of the model path and decides what governed context an AI workflow may receive before a model is asked to answer. Scope gets declared. Consent gets checked. Audit evidence gets written. If the boundary is missing, the system stops.

View repository Contact

ingress SCOPE RUNE exec OATH CYCLE pav bridge model TRACE

Why the boundary matters

Filtering after output is too late for consequential workflows.

Common pattern

A model receives broad context, generates an answer, and only then do filters or monitors try to catch what went wrong. That posture is fragile when the workflow touches customer records, account signals, approvals, legal documents, or regulated data.

RSS pattern

Govern the request before model exposure. RSS narrows context through SCOPE, classifies meaning through RUNE, checks consent through OATH, bounds cadence through CYCLE, and builds a Prepared Advisory View instead of handing the model the full environment.

Architecture — governed by The Pact

Eight typed seats. Authority is bounded by class, not shared.

RSS is governed by an open-source constitution, The Pact. It defines eight seats, each holding one authority type that no other seat may assume. Subsystems serve the seats but hold no authority of their own, and the model is the least privileged component in the system: it informs, it does not rule.

Operational seats active in every governed request

⛉ Binary

WARD

Routes governed tasks and halts on integrity failure.

☐ Boundary

SCOPE

Declares bounded data access for a task.

ᚱ Interpretive

RUNE

Classifies meaning against governed vocabulary.

⚖ Consensual

OATH

Checks recorded consent for action classes.

∞ Quantitative

CYCLE

Bounds cadence and reports per-domain load.

🔍 Evidentiary

TRACE

Writes tamper-evident evidence; supports cold verification.

Constitutional seats active only when The Pact itself changes

✎ Authorial

SCRIBE

Drafts and stages constitutional revisions. Cannot seal.

🜔 Procedural

SEAL

Ratifies reviewed amendments through ceremony, under T-0.

Subsystems serve the seats; hold no authority. Lowercase by design — they are not seats.

exec

Execution state machine.

pav

Prepared Advisory View builder.

hubtop

Hub topology and walls.

tecton

Tenant container isolation.

store

Persistence and round-trip.

bridge

External model adapter.

Authority flows down. Escalation flows up. Lateral authority is forbidden.

Tier 0T-0 — sovereign. Origin and termination of all authority.

Tier 1Eight seats — typed constitutional authority. WARD · SCOPE · RUNE · OATH · CYCLE · TRACE · SCRIBE · SEAL

Tier 2Subsystems — serve seats, no authority. exec · pav · hubtop · tecton · store · bridge

Tier 3Model — external, subordinate. Informs; it cannot rule.

Current proof surface

Built as an alpha kernel with explicit evidence, not as a finished enterprise product.

145: test functions
1312: assertions
0: failures
92.2%: statement coverage
145: mapped claims

The current implementation includes scoped data access, PAV construction, consent gates, Safe-Stop recovery, hash-chained TRACE records with cold verification, TECTON container isolation, and a governed offline demo mode.

Reproduce the baseline with python tests/test_all.py. Claim mapping lives in docs/claim_matrix.md.

Governed claims

What is real, and what is not yet.

RSS holds its own claims to the standard the kernel holds AI workflows to: no claim outruns its proof.

Not a production AI system.
Not an enterprise or customer deployment.
Not a certified security or compliance product.
Not cryptographically authenticated at ingress yet.
Not per-action/tool-call enforced for every future side effect.
Not a complete zero-trust implementation.

Direction - not yet built

Where this goes: governed AI workspaces.

The direction is TECTON: isolated AI workspaces where each client, project, or operational domain has its own governed context, hub topology, and audit surface. RSS remains the shared law underneath those worlds. The future product is the layer agents plug into before they touch consequential work.

Manifesto

Capability is accelerating. Containment is the scarce layer.

RSS is not another engine. It is a runtime boundary for governing what powerful systems can touch, what evidence they leave, and where human authority remains intact.

The Turbo Era

In 1977, Renault rolled out the RS01 with a turbocharged 1.5-liter V6. The car was mocked as the Yellow Teapot because it kept returning to the pits steaming. Within a few years, the grid was chasing turbocharging.

By 1986, qualifying engines were producing staggering power for single-lap bursts. The era ended because the output had outrun the chassis, circuit safety, economics, and regulation around it. Structural containment became mandatory.

You do not put brakes on a race car so it can drive slow. You put brakes on a race car so it can drive fast.

AI is entering its own turbo era: stronger models, faster agents, more tool access, and more autonomy. RSS treats that as a structural problem. It explores what happens when scoped context, consent checks, audit traces, and fail-closed behavior are built into the workflow before the model is asked to answer.

Abstract high-performance brake disc rendered as a glowing control system — Structural containment is not there to slow the system down. It is what lets power be used without pretending speed is safety.

Abstract reference monitor control plane surrounding governed code — The older security lineage matters because it gives RSS a stricter vocabulary: complete mediation, bounded authority, and verifiable control.

The Older Security Lineage

RSS did not invent the security kernel, the reference monitor, zero trust, or capability security. The honest claim is narrower: RSS independently converged on those principles and applies them to the LLM and agent runtime boundary.

The older lineage has durable requirements: complete mediation, tamper resistance, and verifiability. RSS maps those instincts onto the AI boundary through an always-invoked request path, Section 0 integrity checks, a bounded tier model, cold verification, and a claim matrix that ties documented assertions back to tests.

The model is not the product's authority. Governance is the product: the runtime mediator, the policy gate, the audit surface, and the recovery path. Alignment by disposition asks the model to behave. Alignment by construction changes what the model is allowed to touch.

Open source kernel work

Governance before model exposure. Evidence after the fact.

Building in public. If you're working near AI governance as a builder, an operator, or a potential partner, reach out.

Open GitHub christain@rosesigilsystems.com