rewrite project _index.org as full narrative intro; rewrite architecture.org to lead with concepts before Lisp

projects/passepartout/_index.org

@@ -5,8 +5,48 @@
 #+title: Passepartout
 #+filetags: :index:
 
-The staged roadmap and architecture — from conventional computing through verified Lisp machine on custom silicon.
+Every layer of the modern computing stack — hardware, firmware, OS, compiler, runtime, network, application — is independently built and independently untrusted. Security today is empirical: "no bugs found in this release" does not mean no bugs exist. We patch, we scan, we monitor, and we accept that zero days are inevitable. The model is probabilistic and the response is reactive.
 
-- [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][Passepartout Architecture]] — the full architecture: verification subsystem, environment subsystem, social protocol
+Passepartout asks a different question: what if a single system verified everything — from the gate that authorizes an action to the hardware that executes it?
+
+**One verified memory graph, from silicon to application.**
+
+The problem with conventional verification is that it operates at one layer. You can verify a microkernel. You can verify a compiler. You can verify a smart contract. But the proofs live in different frameworks, apply to different semantics, and cannot be composed. The gap between any two verified layers is itself an unverified trust boundary — and that gap is where every practical exploit lives.
+
+The solution is to eliminate the layers. When the entire stack shares one evaluation semantics, there are no boundaries to compose across. The same proof that shows a gate correctly enforces policy also shows that the hardware correctly evaluates the gate. There is nothing between them.
+
+**Why Lisp specifically.**
+
+Verification requires a formal semantics closed under evaluation — a specification that says exactly what every possible program does, with no undefined behavior and no implementation-defined escape hatches. C has both. x86 has both. Rust reduces undefined behavior but does not eliminate it, and its intermediate representation is enormous. The only language with a self-contained formal semantics small enough to verify at the metal is Lisp — because the evaluator *is* the specification. There is no gap between what the spec says and what the machine does. A Lisp machine is a Lisp evaluator, and a verified Lisp evaluator is a verified machine by construction.
+
+This is not about programmer preference. It is the shortest path to a closed, verifiable semantic model at hardware granularity.
+
+**Three subsystems, one address space.**
+
+The project decomposes into three subsystems that share one evaluation semantics, one memory graph, and one proof chain:
+
+- **Verification subsystem** — A gate that evaluates every proposed action against formal policy before allowing it. The same decision procedure checks a shell command, a social protocol contract, or an LLM-generated response. Root as an attack target does not exist because the gate does not depend on OS privilege boundaries — it is in the evaluation loop itself.
+
+- **Environment subsystem** — The personal computing environment where the user works. One coherent program image, one address space, no IPC boundaries between components, no MMU to attack. The editor, shell, browser, and agent are not separate programs — they are functions in the same evaluated graph.
+
+- **Social protocol** — Self-sovereign DID identity, encrypted messaging, personal data stores, relay network, compute marketplace, and liquid democracy. The glue between Passepartout instances. Every message is signed, DAG-tracked, and content-addressed. Communication is provable when you choose it to be.
+
+All three operate in the same Lisp address space. The same gate that authorizes a file write also authorizes a social protocol transaction. The same Merkle chain that proves a DIDComm message's provenance also proves the compiler output matches its source. One semantics, one proof, one machine.
+
+**Staged delivery, not a cut-over.**
+
+The full Lisp machine on custom silicon is the destination, but the path is designed so every stage delivers value independently. Stage 0 runs on conventional Linux using Python — exactly where Hermes and gbrain are today. Each subsequent stage eliminates a class of threat and replaces one component with a verified equivalent. The migration is progressive component swap, not a rewrite.
+
+Stage 7 is what remains when all computational threats are eliminated: physical theft, electronic warfare, logical holes in the specification, and the fallibility of the LLM oracle. No zero days, no viruses, no worms, no malware. The only remaining attack surfaces are physical, oracular, and spec-level — and those are limits of computation itself, not of this design.
+
+**What it means.**
+
+When every action is gate-checked, every message is provable, and every computation runs on verified semantics, the security model shifts from empirical to deductive. Compliance becomes executable gate rules instead of annual audits. AI safety becomes a verified gate between the LLM and the action stream instead of probabilistic guardrails. The accumulated verification suite from every deployed instance becomes an industry certification — Underwriters Laboratory for AI.
+
+Passepartout is a new category. Verified infrastructure. Every existing category — cloud, AI, OS, social, payments, compliance, governance — eventually migrates into it because the alternative becomes indefensible.
+
+---
+
+- [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][Passepartout Architecture]] — the architecture in detail: verification subsystem, environment, social protocol
 - [[id:b9fa4b7b-bc61-4d7f-918d-ff687b80f2ba][Systemic Effects]] — how verification cascades across society, economics, and geopolitics
-- [[id:4a1f23b0-abc1-4def-9876-543210abcdef][Staged roadmap]] — Stage 0 (Now) through Stage 7 (What Remains)
+- [[id:4a1f23b0-abc1-4def-9876-543210abcdef][Staged Roadmap]] — Stage 0 (Now) through Stage 7 (What Remains)