Normalize all passepartout-economics to inline wiki links
Replaced every bottom-of-section 'See also:' block with inline Org-mode file: links at the first natural mention in body text. All 29 files across the economics directory now use wiki-style inline cross-references rather than standalone reference blocks.
This commit is contained in:
Hermes
@@ -10,6 +10,4 @@ The DID system is permissionless — anyone generates their own DID via HD key d
|
|||||||
- **Premium tier:** short names (2-3 chars), common words, brand names, squatter prevention via auction or annual lease
|
- **Premium tier:** short names (2-3 chars), common words, brand names, squatter prevention via auction or annual lease
|
||||||
- **Revenue model:** $5-$50/year per premium username, auction revenue for highly contested names (single-letter, common surnames). ENS-style: registration fees fund development, not speculation.
|
- **Revenue model:** $5-$50/year per premium username, auction revenue for highly contested names (single-letter, common surnames). ENS-style: registration fees fund development, not speculation.
|
||||||
|
|
||||||
At scale: 1M premium usernames at $10/yr average = $10M/yr recurring. The namespace registry is a natural monopoly — the early player's registry is the most widely accepted, so every new user registers there. Network effects lock in.
|
At scale: 1M premium usernames at $10/yr average = $10M/yr recurring. The namespace registry is a natural monopoly — the early player's registry is the most widely accepted, so every new user registers there. Network effects lock in. The premium username registry works together with a [[file:pds-as-a-service.org][PDS as a service]] offering and a [[file:compute-marketplace.org][Compute marketplace]] to form a complete revenue ecosystem.
|
||||||
|
|
||||||
See also: [[file:pds-as-a-service.org][PDS as a service]], [[file:compute-marketplace.org][Compute marketplace]]
|
|
||||||
|
|||||||
@@ -12,6 +12,4 @@ If a symbolic-bootstrapping architecture becomes popular, the industry structure
|
|||||||
|
|
||||||
**Hyperscaler competition shifts.** The race shifts from "who has the most H100s" to "who has the best domain-specific gate rules." Google's industry data advantage matters more than Azure's raw compute.
|
**Hyperscaler competition shifts.** The race shifts from "who has the most H100s" to "who has the best domain-specific gate rules." Google's industry data advantage matters more than Azure's raw compute.
|
||||||
|
|
||||||
**New hardware tier emerges:** CPU-native verification appliances running Lisp microcode on RISC-V cores. Low volume (hundreds of thousands/year), high margin ($5K-50K/unit). Manufacturable at older fab nodes (28nm, 45nm) — no dependency on TSMC's leading edge.
|
**New hardware tier emerges:** CPU-native [[file:self-driving-lisp-machine.org][verification appliances running Lisp microcode]] on RISC-V cores. Low volume (hundreds of thousands/year), high margin ($5K-50K/unit). Manufacturable at older fab nodes (28nm, 45nm) — no dependency on TSMC's leading edge. This hardware embodies [[file:lisp-economics.org][Lisp economics]] — the cost of verification approaches zero once the symbolic engine is running on dedicated silicon. The outcome is a [[file:verification-monopoly.org][verification monopoly]] for agent safety — the same certification dynamic UL provides for electrical safety.
|
||||||
|
|
||||||
See also: [[file:lisp-economics.org][Lisp economics]], [[file:verification-monopoly.org][Verification monopoly]], [[file:self-driving-lisp-machine.org][Self-driving Lisp Machine]]
|
|
||||||
|
|||||||
@@ -14,6 +14,4 @@ Striking parallels between microbiology and the Lisp model:
|
|||||||
6. **Duck typing** — protein folding depends on chemical environment, not type declarations
|
6. **Duck typing** — protein folding depends on chemical environment, not type declarations
|
||||||
7. **Concurrent real-time GC** — apoptosis breaks down cell components for recycling by neighboring cells
|
7. **Concurrent real-time GC** — apoptosis breaks down cell components for recycling by neighboring cells
|
||||||
|
|
||||||
Biology chose the Lisp model because it is more robust, adaptable, and evolvable. Evolution optimized for survival in an unpredictable environment, not peak single-thread throughput. Biology is the proof that the Lisp model can be efficient at planetary scale, running on hardware that self-assembles from food.
|
Biology chose the Lisp model because it is more robust, adaptable, and evolvable. Evolution optimized for survival in an unpredictable environment, not peak single-thread throughput. Biology is the proof that the Lisp model can be efficient at planetary scale, running on hardware that self-assembles from food. See [[file:lisp-economics.org][Lisp economics]] for how these biological parallels inform the business model.
|
||||||
|
|
||||||
See also: [[file:lisp-economics.org][Lisp economics]]
|
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
#+title: Collective Regression Suite — Specification
|
#+title: Collective Regression Suite — Specification
|
||||||
#+filetags: :passepartout:evaluation:regression:suite:collective:
|
#+filetags: :passepartout:evaluation:regression:suite:collective:
|
||||||
|
|
||||||
The evaluation harness is not a static test suite written once. It is a living artifact that grows with every deployed instance. Every gate decision that a human corrects becomes a test case. Every bug fix adds an edge case. Every regulatory update adds a rule that must be checked.
|
The [[file:evaluation-harness.org][evaluation harness]] is not a static test suite written once. It is a living artifact that grows with every deployed instance. Every gate decision that a human corrects becomes a test case. Every bug fix adds an edge case. Every regulatory update adds a rule that must be checked.
|
||||||
|
|
||||||
This specification describes how the collective regression suite is built, maintained, and used, with Agora as the substrate for distribution and contribution.
|
This specification describes how the collective regression suite is built, maintained, and used, with Agora as the substrate for distribution and contribution.
|
||||||
|
|
||||||
@@ -12,7 +12,7 @@ This specification describes how the collective regression suite is built, maint
|
|||||||
|
|
||||||
A single instance learns from its own mistakes. The collective learns from every instance's mistakes. A HIPAA deployment in one hospital discovers an edge case that a SOC2 deployment in a SaaS company would never encounter on its own — but if that SaaS company ever expands into healthcare, their gate stack must handle that edge case. The collective suite gives them hundreds of thousands of edge cases they did not pay to discover.
|
A single instance learns from its own mistakes. The collective learns from every instance's mistakes. A HIPAA deployment in one hospital discovers an edge case that a SOC2 deployment in a SaaS company would never encounter on its own — but if that SaaS company ever expands into healthcare, their gate stack must handle that edge case. The collective suite gives them hundreds of thousands of edge cases they did not pay to discover.
|
||||||
|
|
||||||
This is the mechanism behind the verification monopoly claim. A certification means "your gate stack is verified against every edge case ever discovered by any instance in the ecosystem." A competitor starting from scratch cannot buy or scrape this knowledge.
|
This is the mechanism behind the [[file:verification-monopoly.org][verification monopoly claim]]. A certification means "your gate stack is verified against every edge case ever discovered by any instance in the ecosystem." A competitor starting from scratch cannot buy or scrape this knowledge.
|
||||||
|
|
||||||
**What a test case is**
|
**What a test case is**
|
||||||
|
|
||||||
@@ -123,7 +123,7 @@ Assume each deployed instance generates on average one new unique test case per
|
|||||||
- Year 2: ~50,000 cases (1,000 instances x 50 weeks x 1 case/week)
|
- Year 2: ~50,000 cases (1,000 instances x 50 weeks x 1 case/week)
|
||||||
- Year 3: ~500,000 cases (10,000 instances x 50 weeks x 1 case/week)
|
- Year 3: ~500,000 cases (10,000 instances x 50 weeks x 1 case/week)
|
||||||
|
|
||||||
At year 3, a new instance that runs the suite captures half a million edge cases from real deployments at zero marginal cost. The operator charges $50K-$200K for the certification. The insurmountability is not technical — a well-funded competitor could reproduce some of these cases through synthetic generation. The insurmountability is provenance: these cases are labeled by real human corrections from real deployments. A synthetic case is a best guess. The collective suite's cases are ground truth.
|
At year 3, a new instance that runs the suite captures half a million edge cases from real deployments at zero marginal cost. The operator charges $50K-$200K for the certification. The insurmountability is not technical — a well-funded competitor could reproduce some of these cases through synthetic generation. The insurmountability is provenance: these cases are labeled by real human corrections from real deployments. A synthetic case is a best guess. The collective suite's cases are ground truth. This creates powerful [[file:moats.org][moats]] — the data network effect is inherently accumulated over time and cannot be bought.
|
||||||
|
|
||||||
**The operator's role**
|
**The operator's role**
|
||||||
|
|
||||||
@@ -143,10 +143,4 @@ Instance runs → human corrects a gate decision → new test case is abstracted
|
|||||||
|
|
||||||
Every component of this loop exists or is on Passepartout's roadmap except the Agora Note publishing channel. The gate stack generates the raw signal. The abstraction pass strips instance details. The local triage de-duplicates. The Agora DID provides authentication. The Merkle root provides integrity. The certification badge provides monetization.
|
Every component of this loop exists or is on Passepartout's roadmap except the Agora Note publishing channel. The gate stack generates the raw signal. The abstraction pass strips instance details. The local triage de-duplicates. The Agora DID provides authentication. The Merkle root provides integrity. The certification badge provides monetization.
|
||||||
|
|
||||||
Nothing in this loop requires new core Passepartout functionality. It requires the Agora protocol for inter-instance communication and a server-side aggregation process. Both are roadmap items, but neither depends on the self-driving Lisp Machine.
|
Nothing in this loop requires new core Passepartout functionality. It requires the Agora protocol for inter-instance communication and a server-side aggregation process. Both are roadmap items, but neither depends on the self-driving Lisp Machine. The suite itself is the [[file:infrastructure-lock-in.org][infrastructure lock-in]] — once an enterprise has certified against it, switching to a competitor means rebuilding their compliance from scratch.
|
||||||
|
|
||||||
See also:
|
|
||||||
[[file:evaluation-harness.org][Evaluation harness certification service]]
|
|
||||||
[[file:verification-monopoly.org][Verification monopoly — the big money]]
|
|
||||||
[[file:infrastructure-lock-in.org][Infrastructure lock-in]]
|
|
||||||
[[file:moats.org][Moats]]
|
|
||||||
|
|||||||
@@ -10,7 +10,7 @@ Three standard dialects: CLIF (Common Logic Interchange Format), CGIF (Conceptua
|
|||||||
|
|
||||||
**Relevance to Passepartout**
|
**Relevance to Passepartout**
|
||||||
|
|
||||||
The fact store interchange format. Passepartout's fact store uses plists internally — fast, native to Lisp, zero serialization cost. But between instances (Agora sync, backup/restore, export), a standardized format is needed. CLIF is a strong candidate because its first-order logic is a direct match for the gate rules ACL2 verifies. A CLIF-to-ACL2 translator is mechanically straightforward — both operate on first-order formulas.
|
The fact store interchange format. Passepartout's fact store uses plists internally — fast, native to Lisp, zero serialization cost. But between instances (Agora sync, backup/restore, export), a standardized format is needed. CLIF is a strong candidate because its first-order logic is a direct match for the [[file:gate-rule-encoding.org][gate rules]] ACL2 verifies. A CLIF-to-ACL2 translator is mechanically straightforward — both operate on first-order formulas.
|
||||||
|
|
||||||
The dialect architecture mirrors Passepartout. CL's defining insight: define abstract semantics, let any concrete syntax map to it, get interoperability for free. This is the exact same pattern as Passepartout's "one gate stack, many skills" — the gate stack defines the security ontology (abstract semantics), and skills (dialects) map their operations to it. CL's approach validates Passepartout's design choice and provides a theoretical framework for it.
|
The dialect architecture mirrors Passepartout. CL's defining insight: define abstract semantics, let any concrete syntax map to it, get interoperability for free. This is the exact same pattern as Passepartout's "one gate stack, many skills" — the gate stack defines the security ontology (abstract semantics), and skills (dialects) map their operations to it. CL's approach validates Passepartout's design choice and provides a theoretical framework for it.
|
||||||
|
|
||||||
@@ -43,9 +43,4 @@ Common Logic is relevant not as something to implement or replace, but as:
|
|||||||
4. A bridge to RDF/OWL data sources
|
4. A bridge to RDF/OWL data sources
|
||||||
5. A cautionary example for the CIC prover design (careful about higher-order scope)
|
5. A cautionary example for the CIC prover design (careful about higher-order scope)
|
||||||
|
|
||||||
The right time to integrate it: when Agora Notes need a standard knowledge interchange format for inter-instance communication. Before that, it is a reference worth reading but not implementing.
|
The right time to integrate it: when Agora Notes need a standard knowledge interchange format for inter-instance communication. Before that, it is a reference worth reading but not implementing. The CL approach informs the [[file:sufficiency-flip.org][sufficiency flip]] strategy and the [[file:cost-structure.org][cost structure]] of encoding domain knowledge.
|
||||||
|
|
||||||
See also:
|
|
||||||
[[file:sufficiency-flip.org][Sufficiency flip]]
|
|
||||||
[[file:gate-rule-encoding.org][Gate rule encoding]]
|
|
||||||
[[file:cost-structure.org][Cost structure]]
|
|
||||||
|
|||||||
@@ -13,6 +13,4 @@
|
|||||||
| Market | $50K-$100K/seat | $5K-$50K/appliance |
|
| Market | $50K-$100K/seat | $5K-$50K/appliance |
|
||||||
| Scope | Full OS + environment | Cognitive agent + hardware acceleration |
|
| Scope | Full OS + environment | Cognitive agent + hardware acceleration |
|
||||||
|
|
||||||
The Symbolics comparison is instructive: they built a full Lisp OS from scratch. Passepartout runs on Linux, providing the OS layer for free. The hardware integration is a PCIe card, not a replacement of the entire host. The scope is dramatically smaller — ~2% of the code for a fraction of the functionality that matters most.
|
The Symbolics comparison is instructive: they built a full Lisp OS from scratch. Passepartout runs on Linux, providing the OS layer for free. The hardware integration is a PCIe card, not a replacement of the entire host. The scope is dramatically smaller — ~2% of the code for a fraction of the functionality that matters most. This illustrates the fundamental principles of [[file:lisp-economics.org][Lisp economics]] — the cost of building a Lisp-based system has dropped by orders of magnitude since the 1980s. The [[file:self-driving-lisp-machine.org][Self-driving Lisp Machine]] is the modern analogue: a hardware accelerator rather than a complete computer.
|
||||||
|
|
||||||
See also: [[file:lisp-economics.org][Lisp economics]], [[file:self-driving-lisp-machine.org][Self-driving Lisp Machine]]
|
|
||||||
|
|||||||
@@ -26,6 +26,4 @@ Secondary but real: burst capacity for heavy proofs (hours-long ACL2 conjectures
|
|||||||
|
|
||||||
If Passepartout instances on Agora transact billions of verified operations per day, the spread on compute transactions is enormous. This is not a product sale — it is a bet on network effects. Every new instance increases the value of the network (more capacity, more diversity, more resilience).
|
If Passepartout instances on Agora transact billions of verified operations per day, the spread on compute transactions is enormous. This is not a product sale — it is a bet on network effects. Every new instance increases the value of the network (more capacity, more diversity, more resilience).
|
||||||
|
|
||||||
The early player that provisions the largest compute capacity on Agora becomes the default infrastructure provider for the entire network. This is venture-scale money.
|
The early player that provisions the largest compute capacity on Agora becomes the default infrastructure provider for the entire network. This is venture-scale money. The compute marketplace is the engine that powers the [[file:verification-monopoly.org][verification monopoly]] — certified compute from trusted providers. Together with [[file:agora-usernames.org][Agora usernames]] and other Agora services, it forms the basis of the [[file:investment-thesis.org][investment thesis]].
|
||||||
|
|
||||||
See also: [[file:agora-usernames.org][Agora usernames]], [[file:verification-monopoly.org][Verification monopoly]], [[file:investment-thesis.org][Investment thesis]]
|
|
||||||
|
|||||||
@@ -4,13 +4,11 @@
|
|||||||
#+title: Cost Structure — Zero Marginal Cost
|
#+title: Cost Structure — Zero Marginal Cost
|
||||||
#+filetags: :passepartout:economics:cost:marginal:zero:
|
#+filetags: :passepartout:economics:cost:marginal:zero:
|
||||||
|
|
||||||
- **One-time cost:** gate-rule encoding for a domain (from hours for codified domains up to months for tacit domains)
|
- **One-time cost:** [[file:gate-rule-encoding.org][gate-rule encoding]] for a domain (from hours for codified domains up to months for tacit domains)
|
||||||
- **Near-zero marginal cost:** ACL2 proof + Screamer consistency check + VivaceGraph lookup per interaction — all CPU-native, all in-image
|
- **Near-zero marginal cost:** ACL2 proof + Screamer consistency check + VivaceGraph lookup per interaction — all CPU-native, all in-image
|
||||||
- **No recurring LLM API costs** for the 80% symbolic reasoning layer
|
- **No recurring LLM API costs** for the 80% symbolic reasoning layer
|
||||||
- **After sufficiency flip:** pennies per day vs dollars per day for LLM-only
|
- **After [[file:sufficiency-flip.org][sufficiency flip]]:** pennies per day vs dollars per day for LLM-only
|
||||||
|
|
||||||
The cost curve inverts: generation is expensive, verification is cheap. This is the inversion Passepartout exploits.
|
The cost curve inverts: generation is expensive, verification is cheap. This is the inversion Passepartout exploits. This is the core insight of [[file:lisp-economics.org][Lisp economics]] — symbolic verification costs approach zero while LLM token costs remain constant.
|
||||||
|
|
||||||
Token demand shifts from "every interaction burns tokens" to "only unfamiliar interactions burn tokens." Steady-state per-user LLM consumption drops by an order of magnitude.
|
Token demand shifts from "every interaction burns tokens" to "only unfamiliar interactions burn tokens." Steady-state per-user LLM consumption drops by an order of magnitude.
|
||||||
|
|
||||||
See also: [[file:lisp-economics.org][Lisp economics]], [[file:gate-rule-encoding.org][Gate rule encoding]], [[file:sufficiency-flip.org][Sufficiency flip]]
|
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
#+title: Domain Gate Rule Subscriptions
|
#+title: Domain Gate Rule Subscriptions
|
||||||
#+filetags: :passepartout:revenue:gate-rules:compliance:subscription:
|
#+filetags: :passepartout:revenue:gate-rules:compliance:subscription:
|
||||||
|
|
||||||
Pre-verified gate rule packages for specific compliance domains. Translated from published regulations by the LLM, verified by ACL2, reviewed by a human for the 5% ambiguous edge cases.
|
Pre-verified [[file:gate-rule-encoding.org][gate rule]] packages for specific compliance domains. Translated from published regulations by the LLM, verified by ACL2, reviewed by a human for the 5% ambiguous edge cases.
|
||||||
|
|
||||||
- HIPAA package: $50K/yr
|
- HIPAA package: $50K/yr
|
||||||
- SOC2 package: $50K/yr
|
- SOC2 package: $50K/yr
|
||||||
@@ -12,8 +12,6 @@ Pre-verified gate rule packages for specific compliance domains. Translated from
|
|||||||
- FedRAMP package: $100K/yr
|
- FedRAMP package: $100K/yr
|
||||||
- Combined enterprise: $250K/yr
|
- Combined enterprise: $250K/yr
|
||||||
|
|
||||||
Switching costs are high — changing packages means re-verifying the fact store against new rules. The infrastructure lock-in compounds: a hospital at $250K/yr in year one grows to $500K-$1M by year five as more packages are added and the fact store becomes more valuable than the software itself.
|
Switching costs are high — changing packages means re-verifying the fact store against new rules. The [[file:infrastructure-lock-in.org][infrastructure lock-in]] compounds: a hospital at $250K/yr in year one grows to $500K-$1M by year five as more packages are added and the fact store becomes more valuable than the software itself.
|
||||||
|
|
||||||
20 subscriptions in year one = $1M-$5M.
|
20 subscriptions in year one = $1M-$5M. These packages are verified using the [[file:verification-appliance.org][verification appliance]] and scored by the [[file:evaluation-harness.org][evaluation harness]].
|
||||||
|
|
||||||
See also: [[file:gate-rule-encoding.org][Gate rule encoding]], [[file:verification-appliance.org][Verification appliance]], [[file:evaluation-harness.org][Evaluation harness]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]]
|
|
||||||
|
|||||||
@@ -10,10 +10,8 @@ The accumulated regression suite — thousands of edge cases from every deployed
|
|||||||
**Target:** AI labs proving their agents' capabilities, enterprise procurement requiring independent verification.
|
**Target:** AI labs proving their agents' capabilities, enterprise procurement requiring independent verification.
|
||||||
**Price:** $50K-$200K per certification.
|
**Price:** $50K-$200K per certification.
|
||||||
|
|
||||||
The regression suite grows with every deployment, making the certification increasingly valuable over time. The early player's suite is the largest because they started first.
|
The regression suite grows with every deployment, making the certification increasingly valuable over time. The early player's suite is the largest because they started first. This is the [[file:collective-regression-suite.org][collective regression suite]] mechanism in action.
|
||||||
|
|
||||||
10 certifications in year one = $500K-$2M.
|
10 certifications in year one = $500K-$2M.
|
||||||
|
|
||||||
Long-term endpoint: this becomes the UL certification for AI — a third-party verification nobody can ignore. [[file:verification-monopoly.org][The verification monopoly]].
|
Long-term endpoint: this becomes the UL certification for AI — a third-party verification nobody can ignore. [[file:verification-monopoly.org][The verification monopoly]]. The certification relies on a [[file:verification-appliance.org][verification appliance]] to run the tests in a trusted environment, creating [[file:infrastructure-lock-in.org][infrastructure lock-in]] as certification history accumulates on the platform. These dynamics form powerful [[file:moats.org][moats]].
|
||||||
|
|
||||||
See also: [[file:collective-regression-suite.org][Collective regression suite]], [[file:verification-appliance.org][Verification appliance]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]], [[file:moats.org][Moats]]
|
|
||||||
|
|||||||
@@ -14,6 +14,4 @@ ACL2 verifies the rule set for internal consistency. Screamer checks against exi
|
|||||||
|
|
||||||
The key distinction: the LLM is not *extracting knowledge from prose* — it is *translating a known rule system into a formal representation.* The result is not "the LLM's best guess" but "the rule set as stated in the source document, mechanically transcribed."
|
The key distinction: the LLM is not *extracting knowledge from prose* — it is *translating a known rule system into a formal representation.* The result is not "the LLM's best guess" but "the rule set as stated in the source document, mechanically transcribed."
|
||||||
|
|
||||||
For codified domains, the encoding cost drops from weeks to hours. The only bottleneck is human review of the 5% ambiguous rules.
|
For codified domains, the encoding cost drops from weeks to hours. The only bottleneck is human review of the 5% ambiguous rules. This is what makes the [[file:sufficiency-flip.org][sufficiency flip]] economically viable — once gates are encoded, verification is near-free. The resulting rules are packaged into [[file:domain-gate-packages.org][domain gate packages]] that can be reused across deployments.
|
||||||
|
|
||||||
See also: [[file:sufficiency-flip.org][Sufficiency flip]], [[file:cost-structure.org][Cost structure]], [[file:domain-gate-packages.org][Domain gate packages]]
|
|
||||||
|
|||||||
@@ -11,8 +11,6 @@ A hospital that runs Passepartout with HIPAA gate rules ($50K/yr) for five years
|
|||||||
- An empirical decision history tied to their specific deployment
|
- An empirical decision history tied to their specific deployment
|
||||||
- Customized gate rules encoding their specific workflows and approvals
|
- Customized gate rules encoding their specific workflows and approvals
|
||||||
|
|
||||||
Switching to a competitor means discarding all of it. The accumulated value grows as the fact store deepens. Annual revenue per enterprise grows from $250K in year one to $500K-$1M by year five as more domain packages are added.
|
Switching to a competitor means discarding all of it. The accumulated value grows as the fact store deepens. Annual revenue per enterprise grows from $250K in year one to $500K-$1M by year five as more [[file:domain-gate-packages.org][domain packages]] are added.
|
||||||
|
|
||||||
This is the strongest residual moat. The evaluation harness (regression suite) is a close second — it grows with every deployment and cannot be ingested from public data.
|
This is the strongest residual [[file:moats.org][moat]]. The [[file:evaluation-harness.org][evaluation harness]] (regression suite) is a close second — it grows with every deployment and cannot be ingested from public data. The [[file:verification-monopoly.org][verification monopoly]] and [[file:upgrade-lifecycle.org][upgrade lifecycle]] compound this lock-in: every new regulation encoded as a gate rule deepens the proof forest, making the deployment harder to reproduce elsewhere.
|
||||||
|
|
||||||
See also: [[file:evaluation-harness.org][Evaluation harness]], [[file:verification-monopoly.org][Verification monopoly]], [[file:moats.org][Moats]], [[file:upgrade-lifecycle.org][Upgrade lifecycle]], [[file:domain-gate-packages.org][Domain gate packages]]
|
|
||||||
|
|||||||
@@ -4,16 +4,14 @@
|
|||||||
#+title: Investment Thesis
|
#+title: Investment Thesis
|
||||||
#+filetags: :passepartout:economics:investment:thesis:
|
#+filetags: :passepartout:economics:investment:thesis:
|
||||||
|
|
||||||
The early player benefits from every other instance of the triad. Every deployed instance feeds edge cases into the regression suite, grows the compute marketplace, and validates the hardware designs. Network effects are positive sum.
|
The early player benefits from every other instance of the triad. Every deployed instance feeds edge cases into the [[file:evaluation-harness.org][regression suite]], grows the [[file:compute-marketplace.org][compute marketplace]], and validates the hardware designs. Network effects are positive sum.
|
||||||
|
|
||||||
Three revenue horizons:
|
Three revenue horizons:
|
||||||
|
|
||||||
- **Low-hanging fruit (year one, $2M-$12M):** verification appliances, domain gate rule subscriptions, evaluation harness certification, migration services
|
- **Low-hanging fruit (year one, $2M-$12M):** [[file:verification-appliance.org][verification appliances]], [[file:domain-gate-packages.org][domain gate rule subscriptions]], [[file:evaluation-harness.org][evaluation harness certification]], migration services
|
||||||
- **Medium-term (1-3 years, $10M-$50M):** compute marketplace, Relay Network, Lisp Machine hardware; premium usernames ($10M/yr), PDS hosting ($18M/yr)
|
- **Medium-term (1-3 years, $10M-$50M):** [[file:compute-marketplace.org][compute marketplace]], Relay Network, Lisp Machine hardware; [[file:agora-usernames.org][premium usernames]] ($10M/yr), [[file:pds-as-a-service.org][PDS hosting]] ($18M/yr)
|
||||||
- **Big money (3-10 years, $100M-$1B+):** verification monopoly (UL certification for AI), infrastructure lock-in, planetary compute marketplace
|
- **Big money (3-10 years, $100M-$1B+):** [[file:verification-monopoly.org][verification monopoly]] (UL certification for AI), [[file:infrastructure-lock-in.org][infrastructure lock-in]], planetary compute marketplace
|
||||||
|
|
||||||
The switching costs compound. The network effects are positive sum. The market is nearly a trillion dollars.
|
The switching costs compound. The [[file:moats.org][network effects]] are positive sum. The market is nearly a trillion dollars.
|
||||||
|
|
||||||
The defensible entity is "the organization that best understands how to adapt Passepartout to your domain" — not "the organization that owns Passepartout."
|
The defensible entity is "the organization that best understands how to adapt Passepartout to your domain" — not "the organization that owns Passepartout."
|
||||||
|
|
||||||
See also: [[file:verification-appliance.org][Verification appliance]], [[file:domain-gate-packages.org][Domain gate packages]], [[file:evaluation-harness.org][Evaluation harness]], [[file:agora-usernames.org][Agora usernames]], [[file:pds-as-a-service.org][PDS as a service]], [[file:verification-monopoly.org][Verification monopoly]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]], [[file:moats.org][Moats]]
|
|
||||||
|
|||||||
@@ -4,9 +4,9 @@
|
|||||||
#+title: Licensing — AGPLv3 + Commercial
|
#+title: Licensing — AGPLv3 + Commercial
|
||||||
#+filetags: :passepartout:ip:licensing:agpl:commercial:
|
#+filetags: :passepartout:ip:licensing:agpl:commercial:
|
||||||
|
|
||||||
**AGPLv3 for the public repository.** AGPL closes the ASP loophole: anyone who modifies the software and offers it over a network must release their modified source. Protects against proprietary forks.
|
**AGPLv3 for the public repository.** AGPL closes the ASP loophole: anyone who modifies the software and offers it over a network must release their modified source. Combined with a [[file:patent-strategy.org][patent strategy]], this creates [[file:moats.org][moats]] against proprietary forks.
|
||||||
|
|
||||||
Crucially: AGPL is a *product requirement*, not a concession. The system's value proposition is provable correctness — every decision has Merkle provenance. This claim is structurally incredible with closed source. An enterprise buyer needs to inspect the gate stack, verify the Merkle implementation, and confirm ACL2 integration. AGPL makes this possible without signing an NDA.
|
Crucially: AGPL is a *product requirement*, not a concession. The system's value proposition is provable correctness — every decision has Merkle provenance. This claim is structurally incredible with closed source. An enterprise buyer needs to inspect the gate stack, verify the Merkle implementation, and confirm ACL2 integration. AGPL makes this possible without signing an NDA. This transparency also enables a [[file:pds-as-a-service.org][PDS as a service]] model where enterprises can run their own infrastructure.
|
||||||
|
|
||||||
**AGPL only covers modifications to code, not:**
|
**AGPL only covers modifications to code, not:**
|
||||||
- Gate rules specific to a domain (these are data, not code)
|
- Gate rules specific to a domain (these are data, not code)
|
||||||
@@ -17,5 +17,3 @@ Crucially: AGPL is a *product requirement*, not a concession. The system's value
|
|||||||
**Dual license model:**
|
**Dual license model:**
|
||||||
- AGPLv3 for open source — builds ecosystem, trust, community
|
- AGPLv3 for open source — builds ecosystem, trust, community
|
||||||
- Commercial license for enterprises that cannot accept AGPL — MySQL/SugarCRM/GraphQL model
|
- Commercial license for enterprises that cannot accept AGPL — MySQL/SugarCRM/GraphQL model
|
||||||
|
|
||||||
See also: [[file:patent-strategy.org][Patent strategy]], [[file:moats.org][Moats]], [[file:pds-as-a-service.org][PDS as a service]]
|
|
||||||
|
|||||||
@@ -13,6 +13,4 @@ Four transformations flipped the economics:
|
|||||||
3. **Complexity saturates human verification.** Systems are tens of millions of lines. Testing is necessary but insufficient — zero-day vulnerabilities prove bugs survive all testing. Formal verification is the only known path.
|
3. **Complexity saturates human verification.** Systems are tens of millions of lines. Testing is necessary but insufficient — zero-day vulnerabilities prove bugs survive all testing. Formal verification is the only known path.
|
||||||
4. **Cost of failure exceeds cost of verification.** A single breach costs millions. Regulation mandates provable compliance. Proving correctness is cheaper than not proving it.
|
4. **Cost of failure exceeds cost of verification.** A single breach costs millions. Regulation mandates provable compliance. Proving correctness is cheaper than not proving it.
|
||||||
|
|
||||||
The verification appliance (AGPL symbolic engine + RISC-V Lisp μcode on FPGA) costs $5,000/year and replaces $500,000/year in compliance audits, breach litigation, and regulatory fines.
|
The [[file:verification-appliance.org][verification appliance]] (AGPL symbolic engine + RISC-V Lisp μcode on FPGA) costs $5,000/year and replaces $500,000/year in compliance audits, breach litigation, and regulatory fines. This [[file:cost-structure.org][cost structure]] — zero marginal cost per additional user — is what makes Lisp economically viable at scale. The [[file:self-driving-lisp-machine.org][self-driving Lisp Machine]] is the hardware endpoint of this economic logic. For the biological analogy that explains why Lisp architecture is a natural outcome of complexity pressure, see [[file:biology-parallels.org][biology parallels]]. For the historical precedent, see the [[file:comparison-with-symbolics.org][comparison with Symbolics Genera]]. The [[file:ai-industry-impact.org][impact on the AI industry]] is the market-side consequence.
|
||||||
|
|
||||||
See also: [[file:self-driving-lisp-machine.org][Self-driving Lisp Machine]], [[file:biology-parallels.org][Biology parallels]], [[file:comparison-with-symbolics.org][Symbolics comparison]], [[file:cost-structure.org][Cost structure]], [[file:ai-industry-impact.org][AI industry impact]]
|
|
||||||
|
|||||||
@@ -4,7 +4,7 @@
|
|||||||
#+title: Lisp Machine Security — Unified Memory Threat Model
|
#+title: Lisp Machine Security — Unified Memory Threat Model
|
||||||
#+filetags: :passepartout:security:lisp-machine:pmp:isolation:
|
#+filetags: :passepartout:security:lisp-machine:pmp:isolation:
|
||||||
|
|
||||||
On bare metal with a unified Lisp image, the defense-in-depth provided by the OS kernel disappears. The gate stack and the code it protects share a single address space. An attacker who exploits a memory corruption in the browser renderer can modify the gate stack's permission tables, the policy engine's state, or the ACL2 prover's decision output. There is no kernel underneath to catch them.
|
On a bare metal [[file:self-driving-lisp-machine.org][Lisp Machine]] with a unified Lisp image, the defense-in-depth provided by the OS kernel disappears. The gate stack and the code it protects share a single address space. An attacker who exploits a memory corruption in the browser renderer can modify the gate stack's permission tables, the policy engine's state, or the ACL2 prover's decision output. There is no kernel underneath to catch them.
|
||||||
|
|
||||||
This note analyzes the threat model and proposes a hardware-enforced privilege separation within the single Lisp image.
|
This note analyzes the threat model and proposes a hardware-enforced privilege separation within the single Lisp image.
|
||||||
|
|
||||||
@@ -21,7 +21,7 @@ Everything (agent, editor, browser, shell, gate stack, ACL2)
|
|||||||
|
|
||||||
The only protection is that the gate stack is verified by ACL2 to be correct. But ACL2 verification is static — it proves properties about source code. At runtime, a memory corruption in the same image invalidates the entire proof. "All defense is symbolic" is exactly right.
|
The only protection is that the gate stack is verified by ACL2 to be correct. But ACL2 verification is static — it proves properties about source code. At runtime, a memory corruption in the same image invalidates the entire proof. "All defense is symbolic" is exactly right.
|
||||||
|
|
||||||
**The solution: hardware-enforced privilege zones within the Lisp image**
|
**The solution: [[file:verification-appliance.org][hardware-enforced privilege zones]] within the Lisp image**
|
||||||
|
|
||||||
RISC-V provides three hardware privilege levels: M-mode (machine), S-mode (supervisor), and U-mode (user). Physical Memory Protection (PMP) enforces access control at the hardware bus level — it cannot be bypassed by software, even by code running in S-mode if configured in M-mode. The key: use these mechanisms to create zones within the shared Lisp address space.
|
RISC-V provides three hardware privilege levels: M-mode (machine), S-mode (supervisor), and U-mode (user). Physical Memory Protection (PMP) enforces access control at the hardware bus level — it cannot be bypassed by software, even by code running in S-mode if configured in M-mode. The key: use these mechanisms to create zones within the shared Lisp address space.
|
||||||
|
|
||||||
@@ -82,7 +82,7 @@ ACL2 trust problem. ACL2 verifies the gate stack. But ACL2 itself is ~50,000 lin
|
|||||||
|
|
||||||
The conventional Linux approach: TCB is ~28 million lines of C across kernel, drivers, and runtime. Defense in depth from many layers. But each layer adds attack surface.
|
The conventional Linux approach: TCB is ~28 million lines of C across kernel, drivers, and runtime. Defense in depth from many layers. But each layer adds attack surface.
|
||||||
|
|
||||||
The Lisp Machine approach: TCB is ~2,500 lines of verified Lisp (M-mode gate core + S-mode gate stack). Attack surface is ~500 lines of ECALL handler. The TCB is roughly 10,000x smaller.
|
The Lisp Machine approach: TCB is ~2,500 lines of verified Lisp (M-mode gate core + S-mode gate stack). Attack surface is ~500 lines of ECALL handler. The TCB is roughly 10,000x smaller. This security advantage creates [[file:moats.org][moats]] — a competitor would need to match both the hardware isolation and the verified codebase.
|
||||||
|
|
||||||
The fundamental trade: fewer layers, less depth, but each layer is simpler, smaller, and verified. A bug in the ECALL handler is catastrophic. A bug in the Linux kernel might be contained by seccomp or namespaces. The question is which is more likely: a bug in 500 lines of verified Lisp, or a bug in 28 million lines of C that is not contained by the remaining depth?
|
The fundamental trade: fewer layers, less depth, but each layer is simpler, smaller, and verified. A bug in the ECALL handler is catastrophic. A bug in the Linux kernel might be contained by seccomp or namespaces. The question is which is more likely: a bug in 500 lines of verified Lisp, or a bug in 28 million lines of C that is not contained by the remaining depth?
|
||||||
|
|
||||||
@@ -92,7 +92,7 @@ But this is a single-point-of-failure architecture. If the ECALL handler holds,
|
|||||||
|
|
||||||
**Gaps in the current design**
|
**Gaps in the current design**
|
||||||
|
|
||||||
None of this is in the architecture documents. The following are not yet specified:
|
None of this is in the architecture documents. The following are not yet specified — these architectural innovations are potential candidates for [[file:patent-strategy.org][patent strategy]]:
|
||||||
|
|
||||||
1. PMP region layout — exactly what is protected and by which region
|
1. PMP region layout — exactly what is protected and by which region
|
||||||
2. ECALL handler specification — the exact interface, request types, validation logic, and error handling
|
2. ECALL handler specification — the exact interface, request types, validation logic, and error handling
|
||||||
@@ -103,9 +103,3 @@ None of this is in the architecture documents. The following are not yet specifi
|
|||||||
7. ACL2 trust documentation — the bootstrap chain and what it means for the gate stack's verification
|
7. ACL2 trust documentation — the bootstrap chain and what it means for the gate stack's verification
|
||||||
8. The boot attestation protocol — how the gate core verifies the gate stack before loading it
|
8. The boot attestation protocol — how the gate core verifies the gate stack before loading it
|
||||||
9. Zone transition costs — how many cycles does an ECALL take, and does that affect the 10-80-10 ratio
|
9. Zone transition costs — how many cycles does an ECALL take, and does that affect the 10-80-10 ratio
|
||||||
|
|
||||||
See also:
|
|
||||||
[[file:verification-appliance.org][Verification appliance]]
|
|
||||||
[[file:self-driving-lisp-machine.org][Self-driving Lisp Machine]]
|
|
||||||
[[file:moats.org][Moats]]
|
|
||||||
[[file:patent-strategy.org][Patent strategy]]
|
|
||||||
|
|||||||
@@ -9,11 +9,9 @@ Re-evaluated: time is not the primary moat. A Phase 4+ Passepartout fed on Wikip
|
|||||||
**Actual moats (weaker than initially assumed):**
|
**Actual moats (weaker than initially assumed):**
|
||||||
1. **Domain-specific gate rules** — thin. A few hundred lines of Lisp data. Write once, trivial to copy. Not a real moat.
|
1. **Domain-specific gate rules** — thin. A few hundred lines of Lisp data. Write once, trivial to copy. Not a real moat.
|
||||||
2. **Empirical decision history** — every HITL decision is a Merkle fact. A fresh instance has none. Makes *your* instance more valuable but doesn't prevent competition — it's a switching cost, not a barrier to entry.
|
2. **Empirical decision history** — every HITL decision is a Merkle fact. A fresh instance has none. Makes *your* instance more valuable but doesn't prevent competition — it's a switching cost, not a barrier to entry.
|
||||||
3. **Evaluation harness (regression suite)** — thousands of test cases accumulated from every bug fix. Cannot be ingested from public data. Strongest residual moat.
|
3. **[[file:evaluation-harness.org][Evaluation harness (regression suite)]]** — thousands of test cases accumulated from every bug fix. Cannot be ingested from public data. Strongest residual moat.
|
||||||
4. **Infrastructure integration** — specific Docker compose layouts, Traefik patterns, Authentik configs encoded as gate rules. A competitor's infrastructure is different.
|
4. **[[file:infrastructure-lock-in.org][Infrastructure integration]]** — specific Docker compose layouts, Traefik patterns, Authentik configs encoded as gate rules. A competitor's infrastructure is different.
|
||||||
|
|
||||||
**Strongest competitor strategy:** Not copying your gate rules — offering the same architecture as a service with their own pre-seeded general knowledge and a consulting engagement to customize gate rules. The AGPL prevents closing the architecture but does not prevent offering it as a service with a customization layer.
|
**Strongest competitor strategy:** Not copying your gate rules — offering the same architecture as a service with their own pre-seeded general knowledge and a consulting engagement to customize gate rules. The AGPL prevents closing the architecture but does not prevent offering it as a service with a customization layer.
|
||||||
|
|
||||||
**The defensible business is services, not product.** The defensible entity is "the organization that best understands how to adapt Passepartout to your domain" — not "the organization that owns Passepartout."
|
**The defensible business is services, not product.** The defensible entity is "the organization that best understands how to adapt Passepartout to your domain" — not "the organization that owns Passepartout." A [[file:verification-monopoly.org][verification monopoly]] on agent safety would change this calculus — competitors would need independent certification. [[file:patent-strategy.org][Patent strategy]] and [[file:licensing.org][Licensing]] protect key innovations and create revenue from the open-source ecosystem.
|
||||||
|
|
||||||
See also: [[file:infrastructure-lock-in.org][Infrastructure lock-in]], [[file:verification-monopoly.org][Verification monopoly]], [[file:evaluation-harness.org][Evaluation harness]], [[file:patent-strategy.org][Patent strategy]], [[file:licensing.org][Licensing]]
|
|
||||||
|
|||||||
@@ -19,6 +19,4 @@
|
|||||||
|
|
||||||
**Strongest single claim:** The specific combination of probabilistic model + deterministic zero-token safety gates + Merkle memory + symbolic engine with sufficiency criterion. Each element is known; the combination is novel and non-obvious.
|
**Strongest single claim:** The specific combination of probabilistic model + deterministic zero-token safety gates + Merkle memory + symbolic engine with sufficiency criterion. Each element is known; the combination is novel and non-obvious.
|
||||||
|
|
||||||
**Counterargument:** A patent examiner will argue these are standard OS microkernel architecture, locality of reference, content-addressed storage, and capability-based security applied to an AI agent. The defense: they have never been *combined* in an AI agent, producing emergent effects no single principle produces.
|
**Counterargument:** A patent examiner will argue these are standard OS microkernel architecture, locality of reference, content-addressed storage, and capability-based security applied to an AI agent. The defense: they have never been *combined* in an AI agent, producing emergent effects no single principle produces. These patents would feed into a [[file:licensing.org][licensing]] strategy and create [[file:moats.org][moats]] against competitors.
|
||||||
|
|
||||||
See also: [[file:licensing.org][Licensing]], [[file:moats.org][Moats]]
|
|
||||||
|
|||||||
@@ -15,6 +15,4 @@ The free self-hosted version drives adoption and trust (you can inspect every li
|
|||||||
|
|
||||||
Target: 100K subscribers at $15/month average = $18M/yr recurring, near-zero marginal cost per additional subscriber (the symbolic engine is CPU-bound, not per-user metered).
|
Target: 100K subscribers at $15/month average = $18M/yr recurring, near-zero marginal cost per additional subscriber (the symbolic engine is CPU-bound, not per-user metered).
|
||||||
|
|
||||||
Combined with premium usernames: $28M/yr from Agora services alone before compute marketplace revenue.
|
Combined with [[file:agora-usernames.org][premium usernames]]: $28M/yr from Agora services alone before compute marketplace revenue. The hosted model also creates [[file:infrastructure-lock-in.org][infrastructure lock-in]] as users build their Merkle fact stores on the platform, making migration costly. The AGPL licensing model is described in [[file:licensing.org][Licensing]].
|
||||||
|
|
||||||
See also: [[file:agora-usernames.org][Agora usernames]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]], [[file:licensing.org][Licensing]]
|
|
||||||
|
|||||||
@@ -8,10 +8,8 @@ A Tenstorrent P150 (~72 RISC-V Tensix cores) running Passepartout: 72 RISC-V cor
|
|||||||
|
|
||||||
The self-driving threshold: the system can synthesize and load its own FPGA microcode or Tensix dispatch programs from within the running Lisp image. The system profiles its own gate verification latency, proposes a new microcoded instruction for the hot path, compiles RISC-V assembly from ACL2-verified specifications, loads it via PCIe DMA from within SBCL, benchmarks it — and rolls back if slower.
|
The self-driving threshold: the system can synthesize and load its own FPGA microcode or Tensix dispatch programs from within the running Lisp image. The system profiles its own gate verification latency, proposes a new microcoded instruction for the hot path, compiles RISC-V assembly from ACL2-verified specifications, loads it via PCIe DMA from within SBCL, benchmarks it — and rolls back if slower.
|
||||||
|
|
||||||
Every subdomain involved is software — the most codifiable domain. RISC-V ISA, SBCL internals, ACL2 metafunctions, CIC type theory, compiler optimization — all can flip to symbolic sufficiency within days to weeks of ingestion.
|
Every subdomain involved is software — the most codifiable domain. RISC-V ISA, SBCL internals, ACL2 metafunctions, CIC type theory, compiler optimization — all can [[file:sufficiency-flip.org][flip to symbolic sufficiency]] within days to weeks of ingestion.
|
||||||
|
|
||||||
**Timeline:** ~6,000 lines of new code (microcode, PCIe DMA, Tensix management, benchmark harness). ~60 cycles at current velocity. 2-4 weeks. Total from today: 6-10 weeks.
|
**Timeline:** ~6,000 lines of new code (microcode, PCIe DMA, Tensix management, benchmark harness). ~60 cycles at current velocity. 2-4 weeks. Total from today: 6-10 weeks. See [[file:time-estimates.org][time estimates]] for the velocity model behind these numbers.
|
||||||
|
|
||||||
The Tenstorrent approach is dramatically simpler than FPGA because the microcode is RISC-V assembly (software), not FPGA bitstream (hardware with minutes-per-iteration synthesis).
|
The Tenstorrent approach is dramatically simpler than FPGA because the microcode is RISC-V assembly (software), not FPGA bitstream (hardware with minutes-per-iteration synthesis). The [[file:lisp-machine-security.org][Lisp Machine security model]] — unified memory, tagged architecture, no MMU — applies directly because the Tensix cores share the same address space. [[file:verification-appliance.org][Verification appliance]] economics apply: a certified Lisp Machine at scale replaces compliance hardware. See [[file:lisp-economics.org][why Lisp is economically viable now]] and [[file:upgrade-lifecycle.org][upgrade lifecycle]] for the economic and deployment foundations.
|
||||||
|
|
||||||
See also: [[file:lisp-machine-security.org][Lisp Machine security]], [[file:verification-appliance.org][Verification appliance]], [[file:time-estimates.org][Time estimates]], [[file:sufficiency-flip.org][Sufficiency flip]], [[file:upgrade-lifecycle.org][Upgrade lifecycle]], [[file:lisp-economics.org][Lisp economics]]
|
|
||||||
|
|||||||
@@ -13,6 +13,4 @@ Stoa is the user environment — a single Lisp image where editor, browser, shel
|
|||||||
- v5.0.0: Hardware — tagged RISC-V architecture via TinyTapeout, FPGA prototype, hardware GC via dedicated bus master
|
- v5.0.0: Hardware — tagged RISC-V architecture via TinyTapeout, FPGA prototype, hardware GC via dedicated bus master
|
||||||
- v6.0.0: True agency — world models, temporal reasoning, goal persistence across restarts
|
- v6.0.0: True agency — world models, temporal reasoning, goal persistence across restarts
|
||||||
|
|
||||||
The architectural principle: Stoa is not a collection of clients connecting to a daemon. The Dispatcher gate stack verifies every action regardless of who initiated it. The distinction between "tool" and "self" dissolves.
|
The architectural principle: Stoa is not a collection of clients connecting to a daemon. The Dispatcher gate stack [[file:verification-appliance.org][verifies every action]] regardless of who initiated it. The distinction between "tool" and "self" dissolves. The ultimate goal is a [[file:self-driving-lisp-machine.org][self-driving Lisp Machine]] running on custom hardware.
|
||||||
|
|
||||||
See also: [[file:verification-appliance.org][Verification appliance]], [[file:self-driving-lisp-machine.org][Self-driving Lisp Machine]]
|
|
||||||
|
|||||||
@@ -21,6 +21,4 @@ The sufficiency flip is not a single event — it happens independently for each
|
|||||||
4. Generate contrastive queries for the 5% uncertain rules (one human session, a few hours)
|
4. Generate contrastive queries for the 5% uncertain rules (one human session, a few hours)
|
||||||
5. Start serving real interactions (empirical loop tightens from first interaction)
|
5. Start serving real interactions (empirical loop tightens from first interaction)
|
||||||
|
|
||||||
For the Lisp Machine bootstrap, every subdomain is software (the most codifiable domain). The entire bootstrap can flip in days to weeks with one human review session.
|
For the Lisp Machine bootstrap, every subdomain is software (the most codifiable domain). The entire bootstrap can flip in days to weeks with one human review session. The [[file:gate-rule-encoding.org][gate rule encoding]] process feeds directly into this: each domain's rules are formally encoded and verified. The [[file:time-estimates.org][time estimates]] for the overall project are derived from the time to flip each subdomain. The [[file:cost-structure.org][cost structure]] shifts from LLM-token-heavy to verification-heavy as more domains flip.
|
||||||
|
|
||||||
See also: [[file:gate-rule-encoding.org][Gate rule encoding]], [[file:time-estimates.org][Time estimates]], [[file:cost-structure.org][Cost structure]]
|
|
||||||
|
|||||||
@@ -8,12 +8,10 @@ At the observed velocity (v0.4.0 to v0.7.2 in a single session), the agent write
|
|||||||
|
|
||||||
**To v1.0.0 (neurosymbolic maturity, ~4,500 lines):** ~80 cycles, 3-5 weeks, ~2-3 hours of human review.
|
**To v1.0.0 (neurosymbolic maturity, ~4,500 lines):** ~80 cycles, 3-5 weeks, ~2-3 hours of human review.
|
||||||
|
|
||||||
**To self-driving Lisp Machine (Logos + Stoa hardware, +~6,000 lines):** ~60 cycles, 2-4 weeks. The microcode must be loaded onto physical hardware and benchmarked, adding seconds per cycle.
|
**To [[file:self-driving-lisp-machine.org][self-driving Lisp Machine]] (Logos + Stoa hardware, +~6,000 lines):** ~60 cycles, 2-4 weeks. The microcode must be loaded onto physical hardware and benchmarked, adding seconds per cycle.
|
||||||
|
|
||||||
**Full Stoa (editor, browser, shell, Qt integration, ~3,500 lines):** ~30 cycles, 2-3 weeks.
|
**Full Stoa (editor, browser, shell, Qt integration, ~3,500 lines):** ~30 cycles, 2-3 weeks.
|
||||||
|
|
||||||
**Total from today to full Logos + Stoa + Agora triad:** 3-6 months. Most of that time is spent on design decisions and protocol specification, not on code.
|
**Total from today to full Logos + Stoa + Agora triad:** 3-6 months. Most of that time is spent on design decisions and protocol specification, not on code.
|
||||||
|
|
||||||
The system writes the code. The human makes architectural decisions and reviews the 5% ambiguous rules.
|
The system writes the code. The human makes architectural decisions and reviews the 5% ambiguous rules. This timeline assumes a rapid [[file:sufficiency-flip.org][sufficiency flip]] for each domain. See [[file:investment-thesis.org][Investment thesis]] for the business case that justifies this approach.
|
||||||
|
|
||||||
See also: [[file:self-driving-lisp-machine.org][Self-driving Lisp Machine]], [[file:sufficiency-flip.org][Sufficiency flip]], [[file:investment-thesis.org][Investment thesis]]
|
|
||||||
|
|||||||
@@ -10,8 +10,6 @@ The full triad is a self-bootstrapping replacement for the entire computing stac
|
|||||||
|
|
||||||
**Stoa (The Porch)** — The body. Editor (Lish), browser (Nyxt), shell (Lish), Org-mode filesystem, Qt/EQL5 UI. A single Lisp image where everything coexists. Roadmap: v2.0.0 (Qt/WebKit) → v6.0.0 (pure Lisp, hardware).
|
**Stoa (The Porch)** — The body. Editor (Lish), browser (Nyxt), shell (Lish), Org-mode filesystem, Qt/EQL5 UI. A single Lisp image where everything coexists. Roadmap: v2.0.0 (Qt/WebKit) → v6.0.0 (pure Lisp, hardware).
|
||||||
|
|
||||||
**Agora (The Society)** — The network. Self-sovereign DID identity, DIDComm encrypted messaging, Personal Data Store, Relay Network, compute marketplace, liquid democracy.
|
**Agora (The Society)** — The network. Self-sovereign DID identity, DIDComm encrypted messaging, [[file:pds-as-a-service.org][Personal Data Store]], Relay Network, [[file:compute-marketplace.org][compute marketplace]], liquid democracy.
|
||||||
|
|
||||||
All three speak plists. All three operate in Lisp address space. All three are verified by the same ACL2 prover. The gate stack that verifies a shell command also verifies a DIDComm message.
|
All three speak plists. All three operate in Lisp address space. All three are verified by the same ACL2 prover. The gate stack that verifies a shell command also verifies a DIDComm message. See [[file:investment-thesis.org][The investment thesis]] for the economic rationale and [[file:verification-appliance.org][Verification appliance]] for the hardware that enables this unified architecture.
|
||||||
|
|
||||||
See also: [[file:investment-thesis.org][The investment thesis]], [[file:verification-appliance.org][Verification appliance]], [[file:pds-as-a-service.org][PDS as a service]], [[file:compute-marketplace.org][Compute marketplace]]
|
|
||||||
|
|||||||
@@ -11,12 +11,10 @@ Once instances diverge in both code and knowledge, naive git pull breaks things.
|
|||||||
- **Reversible upgrades (Phase 0 undo):** every upgrade produces a Merkle snapshot before applying.
|
- **Reversible upgrades (Phase 0 undo):** every upgrade produces a Merkle snapshot before applying.
|
||||||
- **Delta distribution:** upgrades delivered as diffs against the current ontology version. Migration script runs automatically.
|
- **Delta distribution:** upgrades delivered as diffs against the current ontology version. Migration script runs automatically.
|
||||||
|
|
||||||
**The upgrade is verified by the upgraded system before committing.** The distributor ships the new gate vector; ACL2 reports which rules are compatible and which need review. The operator reviews only the incompatible subset.
|
**The upgrade is verified by the upgraded system before committing.** The distributor ships the new gate vector; ACL2 reports which rules are compatible and which need review. The operator reviews only the incompatible subset. This verified upgrade process creates [[file:infrastructure-lock-in.org][infrastructure lock-in]] — switching costs are high when all knowledge is deeply coupled to the ontology version.
|
||||||
|
|
||||||
**Business model for upgrades:**
|
**Business model for upgrades:**
|
||||||
- Code upgrades: free (AGPL)
|
- Code upgrades: free (AGPL)
|
||||||
- Migration scripts: subscription. The verified migration path from current ontology version to new one.
|
- Migration scripts: subscription. The verified migration path from current ontology version to new one.
|
||||||
- Domain knowledge package upgrades: subscription. When HIPAA updates, the healthcare package updates.
|
- [[file:domain-gate-packages.org][Domain knowledge package upgrades]]: subscription. When HIPAA updates, the healthcare package updates.
|
||||||
- Verification appliance firmware: bundled with hardware. Signed and verified against hardware root of trust.
|
- [[file:verification-appliance.org][Verification appliance firmware]]: bundled with hardware. Signed and verified against hardware root of trust.
|
||||||
|
|
||||||
See also: [[file:infrastructure-lock-in.org][Infrastructure lock-in]], [[file:verification-appliance.org][Verification appliance]], [[file:domain-gate-packages.org][Domain gate packages]]
|
|
||||||
|
|||||||
@@ -4,13 +4,11 @@
|
|||||||
#+title: Verification Appliance (Hardware)
|
#+title: Verification Appliance (Hardware)
|
||||||
#+filetags: :passepartout:revenue:hardware:fpga:tenstorrent:
|
#+filetags: :passepartout:revenue:hardware:fpga:tenstorrent:
|
||||||
|
|
||||||
An FPGA or Tenstorrent card pre-loaded with a mature Passepartout image, domain-specific gate rules, and a hardware root of trust. No cloud dependency.
|
An FPGA or Tenstorrent card pre-loaded with a mature Passepartout image, [[file:domain-gate-packages.org][domain-specific gate rules]], and a hardware root of trust. No cloud dependency.
|
||||||
|
|
||||||
**Target:** regulated industries needing provable compliance that cannot accept cloud-based AI.
|
**Target:** regulated industries needing [[file:evaluation-harness.org][provable compliance]] that cannot accept cloud-based AI.
|
||||||
**Price:** $5K-$50K/unit. **Volume:** hundreds to low thousands in year one.
|
**Price:** $5K-$50K/unit. **Volume:** hundreds to low thousands in year one.
|
||||||
|
|
||||||
The Lisp Machine on Tenstorrent P150 (~72 RISC-V Tensix cores on a PCIe card) is the realistic first target: the microcode is RISC-V assembly (software), not FPGA bitstream (hardware). The system can propose, load, test, and roll back a new dispatch routine in seconds. An FPGA path would add synthesis time (minutes to hours per iteration).
|
The [[file:self-driving-lisp-machine.org][Lisp Machine]] on Tenstorrent P150 (~72 RISC-V Tensix cores on a PCIe card) is the realistic first target: the microcode is RISC-V assembly (software), not FPGA bitstream (hardware). The system can propose, load, test, and roll back a new dispatch routine in seconds. An FPGA path would add synthesis time (minutes to hours per iteration). This hardware-first approach embodies [[file:lisp-economics.org][Lisp economics]] — verification hardware has near-zero marginal cost. The [[file:upgrade-lifecycle.org][Upgrade lifecycle]] for the appliance is managed via signed firmware updates with Merkle snapshots.
|
||||||
|
|
||||||
Revenue estimate: 50 sales in year one = $250K-$2.5M.
|
Revenue estimate: 50 sales in year one = $250K-$2.5M.
|
||||||
|
|
||||||
See also: [[file:domain-gate-packages.org][Domain gate packages]], [[file:evaluation-harness.org][Evaluation harness]], [[file:self-driving-lisp-machine.org][Self-driving Lisp Machine]], [[file:lisp-economics.org][Lisp economics]], [[file:upgrade-lifecycle.org][Upgrade lifecycle]]
|
|
||||||
|
|||||||
@@ -12,6 +12,4 @@ Any organization claiming a "safe AI agent" needs Passepartout certification to
|
|||||||
|
|
||||||
This is the venture-scale outcome. It depends on the [[file:evaluation-harness.org][evaluation harness]] reaching critical mass, which depends on enough instances deploying the software to accumulate edge cases in the regression suite. The [[file:investment-thesis.org][investment thesis]] is built on the recognition that every deployed instance makes this more valuable.
|
This is the venture-scale outcome. It depends on the [[file:evaluation-harness.org][evaluation harness]] reaching critical mass, which depends on enough instances deploying the software to accumulate edge cases in the regression suite. The [[file:investment-thesis.org][investment thesis]] is built on the recognition that every deployed instance makes this more valuable.
|
||||||
|
|
||||||
The unique structural advantage: every free instance of the triad feeds the regression suite. The more people use the free software, the more valuable the certification monopoly becomes. Positive sum.
|
The unique structural advantage: every free instance of the triad feeds the regression suite. The more people use the free software, the more valuable the certification monopoly becomes. Positive sum. This creates deep [[file:infrastructure-lock-in.org][infrastructure lock-in]] and powerful [[file:moats.org][moats]] — a competitor cannot replicate the certification without the accumulated history. The ultimate impact is a transformation of the entire [[file:ai-industry-impact.org][AI industry]], where safety certification becomes a prerequisite for market access.
|
||||||
|
|
||||||
See also: [[file:evaluation-harness.org][Evaluation harness]], [[file:infrastructure-lock-in.org][Infrastructure lock-in]], [[file:ai-industry-impact.org][AI industry impact]], [[file:moats.org][Moats]]
|
|
||||||
|
|||||||
@@ -8,6 +8,4 @@ A marketplace where skills are verified (sandbox + ACL2 non-contradiction proof)
|
|||||||
|
|
||||||
Value is in the verification infrastructure, not the skills themselves. Anybody can write a skill; the marketplace provides the guarantee that the skill won't corrupt the fact store, won't violate gate rules, and won't introduce inconsistencies.
|
Value is in the verification infrastructure, not the skills themselves. Anybody can write a skill; the marketplace provides the guarantee that the skill won't corrupt the fact store, won't violate gate rules, and won't introduce inconsistencies.
|
||||||
|
|
||||||
This is the App Store model applied to provable correctness. The gatekeeper role is replaced by the prover — and the prover is transparent, inspectable, and impartial.
|
This is the App Store model applied to provable correctness. The gatekeeper role is replaced by the prover — and the prover is transparent, inspectable, and impartial. The marketplace relies on [[file:gate-rule-encoding.org][Gate rule encoding]] to define skill constraints and an [[file:evaluation-harness.org][Evaluation harness]] to verify them.
|
||||||
|
|
||||||
See also: [[file:gate-rule-encoding.org][Gate rule encoding]], [[file:evaluation-harness.org][Evaluation harness]]
|
|
||||||
|
|||||||
Reference in New Issue
Block a user