Fix Untitled titles: convert all YAML frontmatter to org-style headers

Break design/ files into subfolders by ** heading (43 new files)
Remove old design-decisions.org, update cross-refs to design/ folder
2026-06-04 20:56:03 +00:00 · 2026-06-04 20:47:17 +00:00 · 2026-06-04 20:24:17 +00:00 · 2026-06-04 20:16:02 +00:00 · 2026-06-04 20:07:49 +00:00 · 2026-06-04 20:04:34 +00:00
246 changed files with 63830 additions and 2866 deletions
--- a/.org-ids.json
+++ b/.org-ids.json
@@ -0,0 +1,200 @@
 {
  "284f5c7a-1d2b-4e3f-8c6d-9a0b1c2d3e4f": "_index.org",
  "09a03e7f-c3f8-438a-abe3-7a7570957565": "resources/worse-is-better.org",
  "4f4c1cf2-490d-4b9a-b6a5-4917d3b66887": "resources/_index.org",
  "ee8f3b2a-4c7d-4e1b-9b0a-6d8f2e3c1a5b": "resources/neurosymbolic.org",
  "a0b1c2d3-e4f5-6a7b-8c9d-0e1f2a3b4c5d": "projects/_index.org",
  "89f592aa-9c46-42db-a6c7-54dc91fe2172": "projects/cl-modernization/_index.org",
  "433236a2-e5ad-41d4-a27e-4682f8bbc207": "projects/flags/legal-structure-practical-setup.org",
  "0a4e0b8f-25e0-4b78-9633-fc37d03cefe9": "projects/flags/asset-protection-structures.org",
  "5ac2f037-fc3c-45ac-a6e8-acc20e005cb0": "projects/flags/legal-structure-alternatives.org",
  "1e5f6a7b-8c9d-0e1f-2a3b-4c5d6e7f8a9b": "projects/flags/_index.org",
  "7a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d": "projects/passepartout/_index.org",
  "04c2f221-c54f-51e5-b40a-48822cd16d45": "projects/passepartout/common-logic-iso-24707.org",
  "29a7d05f-1aec-41a4-a213-e52551eeb9eb": "projects/passepartout/ROADMAP.org",
  "d5c6e7f8-9a0b-1c2d-3e4f-5a6b7c8d9e0f": "projects/passepartout/architecture/distinguishing-features.org",
  "3129eae6-f9f2-40fe-a419-8c1af728c86d": "projects/passepartout/architecture/faster-theorem-proving.org",
  "af9ce196-24a5-4035-bc02-83ddd60c1b09": "projects/passepartout/architecture/repo-organization.org",
  "f6a7b8c9-0d1e-2f3a-4b5c-6d7e8f90abcd": "projects/passepartout/architecture/biomimicry.org",
  "a7b8c9d0-1e2f-3a4b-5c6d-7e8f90abcdef": "projects/passepartout/architecture/neuro-neuromorphic-symbolic-comparison.org",
  "1c95ce7d-a2db-506a-9608-df68f9ae211b": "projects/passepartout/architecture/security.org",
  "be9bccc7-5adf-4d0d-8ee4-8855892189bf": "projects/passepartout/architecture/neurosymbolic-loop-architectures.org",
  "26725506-399c-48c5-a797-46b48e8861d7": "projects/passepartout/architecture/self.org",
  "5e7f1d2a-3b4c-5d6e-7f8a-9b0c1d2e3f4a": "projects/passepartout/architecture/_index.org",
  "b9fa4b7b-bc61-4d7f-918d-ff687b80f2ba": "projects/passepartout/architecture/systemic-effects.org",
  "7f4e6b9a-2c1d-5e8f-9a3b-6d7c4e5f2a1b": "projects/passepartout/architecture/org-knowledge-base.org",
  "971cd9e7-2cc5-4743-8042-2469dbe4078f": "projects/passepartout/architecture/lisp-foundation.org",
  "d2722576-fc9b-4bd3-bc2f-f5692b561b4e": "projects/passepartout/architecture/academic.org",
  "8cb760e2-37c6-4a78-af4d-f89f69d1678b": "projects/passepartout/architecture/stages/_index.org",
  "4a1f23b0-abc8-4def-9876-543210abcdef": "projects/passepartout/architecture/stages/stage-7-remaining.org",
  "4a1f23b0-abc6-4def-9876-543210abcdef": "projects/passepartout/architecture/stages/stage-5-weights.org",
  "4a1f23b0-abc7-4def-9876-543210abcdef": "projects/passepartout/architecture/stages/stage-6-training.org",
  "4a1f23b0-abc3-4def-9876-543210abcdef": "projects/passepartout/architecture/stages/stage-1-gate.org",
  "4a1f23b0-abc5-4def-9876-543210abcdef": "projects/passepartout/architecture/stages/stage-4-inference.org",
  "4a1f23b0-abc4-4def-9876-543210abcdef": "projects/passepartout/architecture/stages/stage-3-lisp-machine.org",
  "4a1f23b0-abc2-4def-9876-543210abcdef": "projects/passepartout/architecture/stages/stage-2-social-protocol.org",
  "4b5c6d7e-8f9a-0b1c-2d3e-4f5a6b7c8d9e": "projects/passepartout/architecture/knowledge-layers/neurological-empirical.org",
  "329bd4fb-702a-4a2b-9c63-69281aacb83a": "projects/passepartout/architecture/knowledge-layers/_index.org",
  "5c6d7e8f-9a0b-1c2d-3e4f-5a6b7c8d9e0f": "projects/passepartout/architecture/knowledge-layers/practical-implications.org",
  "27c03e1d-283f-4e3d-9f32-6476aafde97e": "projects/passepartout/architecture/design/open-questions.org",
  "9d2255b0-e6c9-479e-9e93-4f871a2193fe": "projects/passepartout/architecture/design/relation-to-passepartouts-existing-architecture.org",
  "e32290a0-a02a-4af7-ae22-243d04a7ac82": "projects/passepartout/architecture/design/_index.org",
  "e9c7a384-b42d-4dff-8da7-d4b62bb69956": "projects/passepartout/architecture/design/the-symbolic-engine/the-five-architecture-options.org",
  "1937ee88-945e-4014-b5a0-cb3c8dcf1689": "projects/passepartout/architecture/design/the-two-brains/the-probabilistic-deterministic-split.org",
  "d251d338-f52e-4a17-b458-a255dd097b98": "projects/passepartout/architecture/design/validation/whiteheads-process-philosophy-and-type-theory.org",
  "183253ff-a0b7-468e-9858-6cb8ae2fb246": "projects/passepartout/architecture/design/knowledge-sources/semantic-wikipedia-as-entity-backbone.org",
  "772ae489-b10a-48a0-bc3b-29136163d45b": "projects/passepartout/architecture/design/implementation-properties/performance-why-ontology-growth-doesnt-make-the-system-slower.org",
  "0a33bd83-ff3c-4eac-bc97-83eb6702051a": "projects/passepartout/architecture/design/foundation/non-negotiable-identity.org",
  "1ede13cb-05c0-4b1a-a873-98cf89bade81": "projects/passepartout/architecture/design/engineering-infrastructure/the-repl-as-cognitive-substrate.org",
  "02f01d02-fc56-4551-81da-8704dbd65d89": "projects/passepartout/architecture/design/safety-self-preservation/self-preservation-the-active-third-law.org",
  "e5f6a7b8-9c0d-1e2f-3a4b-5c6d7e8f90ab": "projects/passepartout/hardware/server-build-bom.org",
  "d4e5f6a7-8b9c-0d1e-2f3a-4b5c6d7e8f90": "projects/passepartout/hardware/_index.org",
  "a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d": "projects/passepartout/hardware/server-rack-build.org",
  "68ffa49f-f0d8-42cf-8b69-ae69de8bb815": "projects/passepartout/social-protocol/requirements-10-governance-and-assets.org",
  "b25bf753-9799-41ab-82f5-1a1416db756b": "projects/passepartout/social-protocol/requirements-01-overview.org",
  "a3243dd0-3209-423b-98e1-51c3eada2658": "projects/passepartout/social-protocol/requirements-07-advanced-integration.org",
  "0f949f6c-4cf1-49eb-b9a4-ebcac27ee548": "projects/passepartout/social-protocol/requirements-05-social.org",
  "72570648-d943-42e5-a781-3b09791ac6ec": "projects/passepartout/social-protocol/requirements-11-assessment.org",
  "90484f4a-5b70-4001-93d6-e610e54ed573": "projects/passepartout/social-protocol/requirements-06-exchange-and-contracts.org",
  "2cace571-76bb-4c34-a5f4-68bc20b2e884": "projects/passepartout/social-protocol/requirements-10-user-journey.org",
  "6fe67db6-25bd-4d11-bd1d-b44ec809e858": "projects/passepartout/social-protocol/requirements-02-identity.org",
  "8b4e0cec-a7b0-4e75-a1e3-c55ae820eb6d": "projects/passepartout/social-protocol/requirements-09-implementation.org",
  "f6cfc54b-919b-4311-bcbf-65e976755d40": "projects/passepartout/social-protocol/requirements-04-the-primitive.org",
  "df02cddc-944a-4bcd-8ef5-f080870d5f49": "projects/passepartout/social-protocol/requirements-08-library.org",
  "8b2c3d4e-5f6a-7b8c-9d0e-1f2a3b4c5d6e": "projects/passepartout/social-protocol/_index.org",
  "3b43a9b8-31d1-4479-a35f-22273b74f0c7": "projects/passepartout/social-protocol/requirements-03-infrastructure.org",
  "10289e64-a4ff-4c34-828f-f3a9c769b73d": "projects/passepartout/social-protocol/requirements-00-readme.org",
  "c34940cc-090e-57c4-8020-e78b1d32b96c": "projects/passepartout/strategy/domain-gate-packages.org",
  "6d2e3f4a-5b6c-7d8e-9f0a-1b2c3d4e5f6a": "projects/passepartout/strategy/adoption.org",
  "72db9428-d6e4-472d-9693-49335f888e48": "projects/passepartout/strategy/game-theory.org",
  "b2c3d4e5-f6a7-8b9c-0d1e-2f3a4b5c6d7e": "projects/passepartout/strategy/hosting-economics.org",
  "67faf52f-9126-50a7-b87e-2bedc610dac7": "projects/passepartout/strategy/licensing.org",
  "c7d3f1a2-8b4e-5d6f-9a1c-3b2d4e5f6a7b": "projects/passepartout/strategy/domain-sequencing.org",
  "9c3d4e5f-6a7b-8c9d-0e1f-2a3b4c5d6e7f": "projects/passepartout/strategy/_index.org",
  "aa6d062e-a520-5d14-8773-00687ed9c689": "projects/passepartout/strategy/moats.org",
  "29e4dbf3-cf19-589c-8b14-389e8a39d564": "projects/passepartout/strategy/upgrade-lifecycle.org",
  "ed05cab4-88e9-4e25-b7c9-346fa39c69a0": "projects/passepartout/strategy/revenue.org",
  "dc2e4f22-1c4c-5d4a-a151-f96e5d3b0d70": "projects/passepartout/strategy/time-estimates.org",
  "1a2b38df-20ba-58ca-ba55-a072be67bd0d": "projects/passepartout/strategy/pds-as-a-service.org",
  "3c6b0449-a8fb-5b89-b82a-34efb21ef5b5": "projects/passepartout/strategy/compute-marketplace.org",
  "3aa22300-2f25-57b0-8787-9f199cc978b1": "projects/passepartout/strategy/competitors/competitive-analysis.org",
  "a1b2c3d4-e5f6-4a7b-8c9d-0e1f2a3b4c5d": "projects/passepartout/strategy/competitors/rainbird-ai-case-study.org",
  "00ab3a4d-e3de-5605-a67d-12935bb36ab5": "projects/passepartout/strategy/competitors/comparison-with-symbolics.org",
  "0d4e5f6a-7b8c-9d0e-1f2a-3b4c5d6e7f8a": "projects/passepartout/strategy/competitors/_index.org",
  "1bc22b89-d3eb-4f6d-bcfc-2b0c19c8ed8f": "projects/passepartout/strategy/competitors/social-protocol-competitive-landscape.org",
  "85ca69dd-d085-4a55-ad11-021910b1f82e": "projects/passepartout/strategy/competitors/ai-agents-scoping/openclaw.org",
  "7a060b36-36db-4eb7-b8cc-844bd6ac9d36": "projects/passepartout/strategy/competitors/ai-agents-scoping/opencode.org",
  "416bab7c-4300-4d50-838a-5c7a8ad45d96": "projects/passepartout/strategy/competitors/ai-agents-scoping/thoth.org",
  "6883c4d2-b63b-4d2b-b224-2240ae748e7f": "projects/passepartout/strategy/competitors/ai-agents-scoping/_index.org",
  "c3aab2e8-7e43-4abc-93f0-741675cfd78c": "projects/passepartout/strategy/competitors/ai-agents-scoping/aider.org",
  "8d73ccb9-34e4-4899-b0c3-605998e9bebc": "projects/passepartout/strategy/competitors/ai-agents-scoping/gemini-cli.org",
  "22d0a159-68a2-4587-9375-5046beddc20c": "projects/passepartout/strategy/competitors/ai-agents-scoping/continue.org",
  "e929ff32-28d8-4a29-bf74-d55babc040d1": "projects/passepartout/strategy/competitors/ai-agents-scoping/codex-cli.org",
  "c652688a-1ea0-487c-9222-00e954efe8a1": "projects/passepartout/strategy/competitors/ai-agents-scoping/hermes-agent.org",
  "512dd121-2292-4f3d-ac53-31bf3d12a60f": "projects/passepartout/strategy/competitors/ai-agents-scoping/claude-code.org",
  "8c7b9812-f8d6-4347-8915-ce8e520b7914": "projects/passepartout/strategy/social-protocol/social-protocol-entry-strategy.org",
  "1d074690-a279-59cb-b91d-e9a22ae104ad": "projects/passepartout/strategy/social-protocol/social-protocol-overview.org",
  "75bc14db-d241-4af8-a4e0-f14aff654d17": "projects/passepartout/strategy/social-protocol/_index.org",
  "2e390c1d-65f3-5fb3-b898-ac3fc4291ee7": "projects/passepartout/strategy/social-protocol/social-protocol-usernames.org",
  "64708e1f-00e9-4cb7-b44b-ea0b98e5296d": "projects/passepartout/strategy/social-protocol/social-protocol-contracts.org",
  "7c4c5cca-1c63-4398-9b75-cf221e77dba0": "projects/passepartout/strategy/compliance/_index.org",
  "98364e9d-a8a9-42b7-a9dc-b643fd2ccc4b": "projects/passepartout/strategy/compliance/outbound-sales-compliance.org",
  "b852ec69-0fc2-435c-ae1e-6b83e49b3ca3": "projects/passepartout/strategy/compliance/compliance-regimes/appi.org",
  "e777064d-9950-42d5-980d-8c78cda91500": "projects/passepartout/strategy/compliance/compliance-regimes/pipa.org",
  "e2ab887d-9f28-4da6-8388-e6c035e9d9c5": "projects/passepartout/strategy/compliance/compliance-regimes/iso-27001.org",
  "4a2bc62b-3f21-4212-9cd9-f9add8fc0be1": "projects/passepartout/strategy/compliance/compliance-regimes/glba.org",
  "03ebdb80-a9af-4e76-a443-8556424996ed": "projects/passepartout/strategy/compliance/compliance-regimes/fatf.org",
  "e6993701-3c67-49bf-82f3-06907572cbf3": "projects/passepartout/strategy/compliance/compliance-regimes/fedramp.org",
  "7f46764b-47b8-4892-a526-2c1b9ee6e6df": "projects/passepartout/strategy/compliance/compliance-regimes/irap.org",
  "fc736aec-ef53-4759-9787-62bc8deea2e7": "projects/passepartout/strategy/compliance/compliance-regimes/ifrs.org",
  "68c55deb-72bf-4b15-ac28-bcc792057543": "projects/passepartout/strategy/compliance/compliance-regimes/ifc-ps.org",
  "513d5996-4ac7-4567-a992-18fc01599104": "projects/passepartout/strategy/compliance/compliance-regimes/gdpr.org",
  "6a5884c8-e9b5-477e-bbf6-aa9ffd967739": "projects/passepartout/strategy/compliance/compliance-regimes/un-cefact.org",
  "84fb5f8f-0527-4df0-b6b6-dbf3bcff8a7f": "projects/passepartout/strategy/compliance/compliance-regimes/hipaa.org",
  "177aad72-5626-444d-a2e4-af8e1263b125": "projects/passepartout/strategy/compliance/compliance-regimes/world-bank-esf.org",
  "834689e9-be0a-4822-9085-9b6b22294fd2": "projects/passepartout/strategy/compliance/compliance-regimes/privacy-act-aus.org",
  "904f5f12-ec9a-4cbf-854a-0b9b1e11a521": "projects/passepartout/strategy/compliance/compliance-regimes/apra-cps-234.org",
  "1c4c91ec-c465-44ab-bd91-4c3b45909ddb": "projects/passepartout/strategy/compliance/compliance-regimes/_index.org",
  "c871a9f4-dd53-4e93-aa50-6acf0c606a9b": "projects/passepartout/strategy/compliance/compliance-regimes/lgpd.org",
  "b8cf51e8-5f39-49ad-9547-a792a2e446aa": "projects/passepartout/strategy/compliance/compliance-regimes/eidas2.org",
  "06fcdb02-2643-4f9d-ab41-e711a99cc390": "projects/passepartout/strategy/compliance/compliance-regimes/eu-ai-act.org",
  "ed65031c-cbd2-4ad2-bd53-a67791e183cd": "projects/passepartout/strategy/compliance/compliance-regimes/soc2.org",
  "c9830152-0160-4bdc-ab03-6f308ad43536": "projects/passepartout/strategy/compliance/compliance-regimes/sox.org",
  "f6a0c00e-e922-44af-99ce-6412c4b73745": "projects/passepartout/strategy/compliance/compliance-regimes/quebec-law-25.org",
  "748db16a-1382-4e5e-8812-a5d57a8de131": "projects/passepartout/strategy/compliance/compliance-regimes/nis2.org",
  "87996d87-100c-4bf6-8546-a860b9d7c25b": "projects/passepartout/strategy/compliance/compliance-regimes/ccpa-cpra.org",
  "ce81fefc-b7a8-4be5-912f-55fd30970b6e": "projects/passepartout/strategy/compliance/compliance-regimes/cra.org",
  "085b76cc-4a65-4660-9c70-85aee10ca99e": "projects/passepartout/strategy/compliance/compliance-regimes/ismap.org",
  "748b0cc7-7f42-49fb-8ee3-1ae49048a178": "projects/passepartout/strategy/compliance/compliance-regimes/iso-27701.org",
  "022109ad-f031-44c4-8ea0-0b3c9402ca90": "projects/passepartout/strategy/compliance/compliance-regimes/oecd.org",
  "fed19a24-ad81-4837-a12b-dafbd3ec110a": "projects/passepartout/strategy/compliance/compliance-regimes/dpdp-act.org",
  "9bc29937-d59a-4ae4-9623-3d17a1fe6ebb": "projects/passepartout/strategy/compliance/compliance-regimes/uk-gdpr.org",
  "4eef0993-6671-41cf-ba20-d1443a3ec49d": "projects/passepartout/strategy/compliance/compliance-regimes/basel-iii.org",
  "581666ba-f72c-406b-8556-93876d2b30bf": "projects/passepartout/strategy/compliance/compliance-regimes/ny-dfs-500.org",
  "bafdaa23-de0b-444c-9151-c87ac65add32": "projects/passepartout/strategy/compliance/compliance-regimes/lfp-dppp.org",
  "717ef2df-2a80-4362-b23a-5e7e12554251": "projects/passepartout/strategy/compliance/compliance-regimes/dora.org",
  "5f55bbe6-d243-5766-8ccf-5c5cc88a6542": "projects/passepartout/strategy/impact/ai-industry-impact.org",
  "c2d3e4f5-a6b7-8901-2cde-f01234567890": "projects/passepartout/strategy/impact/phase-2-impact.org",
  "a0b1c2d3-e4f5-6789-0abc-def012345678": "projects/passepartout/strategy/impact/phase-0-impact.org",
  "92ccd074-04a0-4e45-a44f-9da24ea20a9b": "projects/passepartout/strategy/impact/impact.org",
  "96e7a54e-d801-4b6e-bdc9-ea9dbd4fa51d": "projects/passepartout/strategy/impact/_index.org",
  "b1c2d3e4-f5a6-7890-1bcd-ef0123456789": "projects/passepartout/strategy/impact/phase-1-impact.org",
  "e4f5a6b7-c8d9-0123-4ef0-123456789012": "projects/passepartout/strategy/impact/phase-4-impact.org",
  "d3e4f5a6-b7c8-9012-3def-012345678901": "projects/passepartout/strategy/impact/phase-3-impact.org",
  "827bc546-e887-5b7c-9b65-6392beaf0920": "projects/passepartout/strategy/verification/verification-monopoly.org",
  "89909ac6-8b4f-4a60-bbeb-52992c8f5135": "projects/passepartout/strategy/verification/_index.org",
  "d84679f1-c0c5-5be4-b19c-6573560640ee": "projects/passepartout/strategy/verification/verified-skill-marketplace.org",
  "84a537b4-4256-50c8-91f5-dd5b4538418f": "projects/passepartout/strategy/verification/verification-appliance.org",
  "efc76898-03f7-57ba-923d-35d65da88bb7": "projects/passepartout/strategy/verification/sufficiency-flip.org",
  "2cdca4b0-6b41-44b4-acb0-af21d0e27b00": "ideas/orders-of-magnitude-time.org",
  "2afd9a3c-e96a-54c7-ac77-a05a28065b4b": "ideas/biology-parallels.org",
  "329a30cd-55fb-496d-a60b-91388c211bba": "ideas/_index.org",
  "f467ce16-1861-4ebd-96ed-b52fea909515": "ideas/lisp-game-engine-substrate.org",
  "aae3b3a9-05c2-4acd-bfd4-a7f65003c0bf": "ideas/lisp-geometry-engine.org",
  "8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e": "ideas/viability/passepartout-bootstrap-mathematica.org",
  "7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d": "ideas/viability/open-source-wolfram-lisp.org",
  "f4e5d6c7-b8a9-0c1d-2e3f-4a5b6c7d8e9f": "ideas/viability/schafmeister-clasp.org",
  "d08f4f7b-6800-4625-a8f6-f91b3231ae2e": "projects/passepartout/architecture/design/the-symbolic-engine/merkle-dag-for-version-history.org",
  "f23e5518-bf2a-459e-8d2e-a9645fad76ac": "projects/passepartout/architecture/design/the-symbolic-engine/cardinality-policies-singular-dual-and-plural-facts.org",
  "ce124de6-6777-4dca-aaf3-57e842c1855b": "projects/passepartout/architecture/design/the-symbolic-engine/how-categories-grow-the-organic-ontology.org",
  "49104db7-0c41-4507-8755-42b4a48b7cc9": "projects/passepartout/architecture/design/the-symbolic-engine/ontology-versioning-how-worldviews-change-without-losing-perspective.org",
  "699de53a-06ff-4815-9f9d-70b006d372b8": "projects/passepartout/architecture/design/the-symbolic-engine/knowledge-graph-type-hierarchy-structural-anti-self-reference-v300.org",
  "5788ad0f-45fb-4b2d-a3ab-09a4d95f351c": "projects/passepartout/architecture/design/the-symbolic-engine/the-awakening-sufficiency-criterion.org",
  "1b88cec6-76d8-4496-ae36-1bf16b5bc962": "projects/passepartout/architecture/design/the-symbolic-engine/ephemeral-first-persistent-later.org",
  "b21917d8-cb6e-4959-96c0-9326b0611134": "projects/passepartout/architecture/design/the-symbolic-engine/the-chosen-path-option-4-starting-with-option-5.org",
  "28a8caf7-c0a1-4154-8ca3-3a0d11cf121a": "projects/passepartout/architecture/design/the-symbolic-engine/the-gate-to-fact-bootstrap-extracting-the-first-ontology-from-code.org",
  "64be38aa-56ca-4960-92e1-f3fc4cb51a2e": "projects/passepartout/architecture/design/the-symbolic-engine/abstract-fact-store-interface-modular-by-design.org",
  "02798a39-c12b-4835-bc61-34f57a860cdb": "projects/passepartout/architecture/design/the-symbolic-engine/the-llm-as-proposer-verified-extraction.org",
  "7cb7df45-982f-4f5a-afee-36cd5595c25c": "projects/passepartout/architecture/design/the-symbolic-engine/_index.org",
  "4fa7eb38-6bc0-4809-9d8a-77290760ea79": "projects/passepartout/architecture/design/the-two-brains/_index.org",
  "76d92677-1eb0-4a3a-bee7-561874841e45": "projects/passepartout/architecture/design/the-two-brains/the-dispatcher-as-learning-system.org",
  "dd9d7e5a-dd75-4762-8c31-f312de9c6585": "projects/passepartout/architecture/design/the-two-brains/core-knowledge-the-four-pillars-of-agentic-reliability.org",
  "3d25a808-d623-42fb-a054-15fb28cd464b": "projects/passepartout/architecture/design/validation/historical-lineage-mccarthys-advice-taker.org",
  "4c65fdbb-a45c-4c71-ac29-6488e9271f4a": "projects/passepartout/architecture/design/validation/marcus-2020-the-case-against-pure-deep-learning.org",
  "e66a5d5f-70ff-4953-93c3-569e05eaff73": "projects/passepartout/architecture/design/validation/_index.org",
  "2e7d9fe6-6e78-41a0-96ad-b07777275d23": "projects/passepartout/architecture/design/validation/the-competitive-argument.org",
  "ec267c73-4e0d-4efb-9497-cb72f74538e4": "projects/passepartout/architecture/design/validation/gaur--sheth-2023-crest-trustworthy-neurosymbolic-ai.org",
  "a56c8e07-9e5b-4070-a0f9-280188ccd6b7": "projects/passepartout/architecture/design/validation/sheth-et-al-2022-knowledge-infused-learning.org",
  "b572b3a0-0238-470f-9bf8-63d356f68fe0": "projects/passepartout/architecture/design/knowledge-sources/empirical-validation-momo-and-modular-ontology-engineering.org",
  "bc537cf8-5ac8-46b9-a625-1d4f678ee9fc": "projects/passepartout/architecture/design/knowledge-sources/_index.org",
  "617a1031-495d-438c-a8e8-6e066b364e41": "projects/passepartout/architecture/design/implementation-properties/_index.org",
  "2e3e576e-8839-4566-bae1-f40137428bb9": "projects/passepartout/architecture/design/implementation-properties/the-provenance-chain-as-product.org",
  "7dee11bc-72b0-43a3-9bc8-2f022b59ba49": "projects/passepartout/architecture/design/foundation/homoiconicity-as-foundation.org",
  "1076101b-6201-4461-81e5-38d7886b66af": "projects/passepartout/architecture/design/foundation/the-unified-memory-argument.org",
  "4bf2264c-db97-4d7b-9972-5a5d052d80be": "projects/passepartout/architecture/design/foundation/org-mode-as-unified-ast.org",
  "92e314a1-a650-4878-958a-9646aef4e032": "projects/passepartout/architecture/design/foundation/one-single-agent.org",
  "2c880b7d-e97f-459a-88d1-61fac760a0dd": "projects/passepartout/architecture/design/foundation/_index.org",
  "bffb1695-5bf5-4434-8f64-e74f19d2e537": "projects/passepartout/architecture/design/engineering-infrastructure/the-mcp-strategy.org",
  "876fe3af-80fb-42dc-a0d0-714670e5b964": "projects/passepartout/architecture/design/engineering-infrastructure/token-economics-and-performance-advantage.org",
  "3f4573b2-aa55-44a7-a6c8-861dc443ac32": "projects/passepartout/architecture/design/engineering-infrastructure/definite-description-resolution.org",
  "a6dd0808-4366-4bda-be6e-f6d43f2eeab8": "projects/passepartout/architecture/design/engineering-infrastructure/the-evaluation-harness.org",
  "bf3f84da-358b-4d87-bc1a-fa91d1994e20": "projects/passepartout/architecture/design/engineering-infrastructure/the-cybernetic-loop-why-the-metabolic-pipeline-works.org",
  "e6269aec-ea0a-406e-8b44-9dbd7b38c83a": "projects/passepartout/architecture/design/engineering-infrastructure/literate-programming-as-discipline.org",
  "3747ae5f-b4e5-4503-b397-a5b07862062d": "projects/passepartout/architecture/design/engineering-infrastructure/local-first-architecture.org",
  "9e9950a8-82a5-42db-af2d-742ba09ff8ed": "projects/passepartout/architecture/design/engineering-infrastructure/time-awareness-as-a-structural-advantage.org",
  "7e575c8d-aa28-4588-bfa1-5f6144165a13": "projects/passepartout/architecture/design/engineering-infrastructure/_index.org",
  "ee527687-28e2-4f0f-8d3c-af5cc531e3d4": "projects/passepartout/architecture/design/engineering-infrastructure/observability-and-the-thought-trace.org",
  "c47b80ec-2cf2-44ce-9781-96c14498669d": "projects/passepartout/architecture/design/safety-self-preservation/type-level-gates-structural-safety-from-self-modification.org",
  "7e2f0f84-c2ad-4036-b2ba-0630776c73c8": "projects/passepartout/architecture/design/safety-self-preservation/layered-signal-authentication-trust-in-the-pipe.org",
  "f74cb007-58a7-494f-93b7-a0fdf4b9f052": "projects/passepartout/architecture/design/safety-self-preservation/_index.org"
 }
--- a/_index.org
+++ b/_index.org
@@ -0,0 +1,18 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       284f5c7a-1d2b-4e3f-8c6d-9a0b1c2d3e4f
 :END:
 #+title: Brain
 #+filetags: :index:navigation:
 Personal knowledge base — projects, ideas, and concepts.
 ** Projects
 - [[id:971cd9e7-2cc5-4743-8042-2469dbe4078f][CL Modernization]] — bringing Common Lisp forward by 25 years: build system, LSP, standard library, and a verified prover for a self-improving Lisp machine.
 - [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][Passepartout]] — a verifiable personal intelligence: self-bootstrapping Lisp machine, gate-verified reasoning, social protocol. Architecture, staged roadmap, strategy, competitive analysis, compliance landscape.
 - [[id:1e5f6a7b-8c9d-0e1f-2a3b-4c5d6e7f8a9b][Flags]] — legal structures: entity types, jurisdictional analysis, asset protection, practical setup guides.
 ** Ideas and concepts
 - [[id:329a30cd-55fb-496d-a60b-91388c211bba][Ideas]] — cross-domain frameworks, in-depth analysis, reference material, and thinking tools.
--- a/ideas/_index.org
+++ b/ideas/_index.org
@@ -0,0 +1,19 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       329a30cd-55fb-496d-a60b-91388c211bba
 :ID:       auto-ideas
 :END:
 #+title: Ideas
 #+filetags: :index:
 Cross-domain concepts, speculative analysis, and architectural thinking for the Passepartout project.
 **Earlier ideas:**
 - [[id:2afd9a3c-e96a-54c7-ac77-a05a28065b4b][Biology as Proof of the Lisp Model]] — biological systems as evidence for Lisp architecture
 - [[id:dddd52a7-adb8-470e-a459-614ade5f76af][Closing the Lisp Gap]] — performance and ecosystem gaps between Lisp and C/Rust, and how Passepartout closes them
 - [[id:85f963a7-a10f-45cc-ace6-6edfeefee762][Lisp, Provers, and vs Rust]] — Lisp vs Rust analysis, prover architecture, HOL bootstrap, comparison with Lean
 - [[id:be9bccc7-5adf-4d0d-8ee4-8855892189bf][Neurosymbolic Loop Architectures]] — how neurosymbolic systems loop between symbolic reasoning and neural learning
 - [[id:d2722576-fc9b-4bd3-bc2f-f5692b561b4e][Who Is Closest to Passepartout?]] — nearest-neighbor analysis of related projects
 - [[id:3129eae6-f9f2-40fe-a419-8c1af728c86d][Faster Theorem Proving]] — engineering approaches to making formal verification practical
 - [[id:2cdca4b0-6b41-44b4-acb0-af21d0e27b00][Orders of Magnitude — Time]] — a time-scale framework for Passepartout's roadmap and development cycle
--- a/ideas/agora.org
+++ b/ideas/agora.org
@@ -1,22 +0,0 @@
 :PROPERTIES:
 :ID:       1d074690-a279-59cb-b91d-e9a22ae104ad
 :END:
 #+title: Agora — The Society (Decentralized Network)
 #+filetags: :passepartout:agora:network:dids:
 Agora is the decentralized identity and communication layer that connects Passepartout instances:
 - **Self-sovereign identity** via HD key derivation (BIP-44)
 - **Encrypted messaging** via DIDComm (agent-to-agent and agent-to-human)
 - **Notes** as atomic, content-addressed, signed data units (mapped from Passepartout memory-objects)
 - **Relay Network** for censorship-resistant message routing
 - **Personal Data Store (PDS)** — the Merkle fact store exposed as a network-addressable service
 - **Compute marketplace** where instances offer symbolic engine capacity
 - **Contracts and liquid democracy** infrastructure
 The PDS is Passepartout's in-process memory — the Merkle tree, the fact store, the memory-objects. Every memory-object already has a SHA-256 hash, which maps directly to Agora's CIDv1 content addressing.
 Revenue paths from Agora:
 - [[file:agora-usernames.org][Premium username registry]] — $10M/yr at scale
 - [[file:pds-as-a-service.org][PDS as a service]] — $18M/yr at scale
 - [[file:compute-marketplace.org][Compute marketplace]] — venture-scale
--- a/ideas/biology-parallels.org
+++ b/ideas/biology-parallels.org
@@ -1,4 +1,5 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       2afd9a3c-e96a-54c7-ac77-a05a28065b4b
 :END:
 #+title: Biology as Proof of the Lisp Model
@@ -14,4 +15,4 @@ Striking parallels between microbiology and the Lisp model:
 6. **Duck typing** — protein folding depends on chemical environment, not type declarations
 7. **Concurrent real-time GC** — apoptosis breaks down cell components for recycling by neighboring cells
-Biology chose the Lisp model because it is more robust, adaptable, and evolvable. Evolution optimized for survival in an unpredictable environment, not peak single-thread throughput. Biology is the proof that the Lisp model can be efficient at planetary scale, running on hardware that self-assembles from food. See [[file:lisp-economics.org][Lisp economics]] for how these biological parallels inform the business model.
+Biology chose the Lisp model because it is more robust, adaptable, and evolvable. Evolution optimized for survival in an unpredictable environment, not peak single-thread throughput. Biology is the proof that the Lisp model can be efficient at planetary scale, running on hardware that self-assembles from food. See [[id:9af13fff-9725-542b-93b1-a555bc74ad72][Lisp economics]] for how these biological parallels inform the business model.
--- a/ideas/competitive-analysis-2026-05.org
+++ b/ideas/competitive-analysis-2026-05.org
@@ -1,463 +0,0 @@
 :PROPERTIES:
 :ID:       3aa22300-2f25-57b0-8787-9f199cc978b1
 :CREATED:  [2026-05-22 Thu]
 :END:
 #+title: Competitive Analysis — AI Agent Landscape (May 2026)
 #+filetags: :passepartout:strategy:competitive:
 * Overview
 Analyzed 9 competitor codebases alongside Passepartout. The competitive landscape
 divides into three categories:
 1. Coding agents (Aider, OpenCode, Codex CLI, Claude Code, Gemini CLI)
 2. Personal AI assistants (Hermes, OpenClaw, Thoth)
 3. CI/check-based systems (Continue)
 None of the nine compete with Passepartout on all axes simultaneously. Passepartout's
 strongest differentiators — Org-mode data model, deterministic gate stack, ACL2
 verification, Merkle-treed memory, and the triad architecture — are absent from
 every competitor.
 * Category 1: Coding Agents
 ** Aider (Python, ~40K lines, MIT)
 Language: Python. ~6.8M pip installs. The oldest and most mature open-source
 coding agent.
 Architecture: Chat-based Coder class with 5 edit formats (diff, udiff, patch,
 whole, architect). Uses litellm for universal provider access (50+ providers).
 RepoMap provides codebase awareness via cosine-similarity embedding.
 Safety model: Purely prompt-based plus user-confirmation dialogs. No deterministic
 gate stack. No sandboxing. No model output validator. The allowed_to_edit() gate
 is a single user confirmation call. --yes flag auto-approves. Aider can edit its
 own source code with no special protection — self-modification is undetectable.
 Data model: Ad-hoc. Chat messages in memory. Git commits for persistence. RepoMap
 is a cosine-similarity index. No persistent memory across sessions. No knowledge
 graph.
 Self-modification: Full. No guard against editing its own files.
 Verification: None.
 Key gap vs Passepartout: No safety gates, no persistent memory model, no knowledge
 representation, no verification, no self-modification protection, no architecture
 for neurosymbolic reasoning. It is a thin shell around litellm + edit format
 parsers.
 ** OpenCode (TypeScript/Bun, anomalyco/opencode, 163K★)
 The dominant open-source coding agent by adoption. Bun runtime, Effect-TS
 functional core, Solid.js TUI, Turborepo monorepo.
 Architecture: Dual LLM runtime — default AI SDK (streamText/generateText) +
 opt-in native Effect-Schema runtime (@opencode-ai/llm) with 4-axis route
 decomposition (Protocol/Endpoint/Auth/Framing). 30+ provider plugins.
 Agent workflow DSL with plan/build agent switching. Agent Communication
 Protocol (ACP) for inter-agent messaging. Subagents inherit permission
 boundaries from parent. 18+ built-in tools + custom tools from config.
 Effect-TS ScopedCache per-project state management.
 Safety model: Explicitly documentes /not/ sandboxing the agent. The
 permission system is rule-based (glob matching, actions: allow/ask/deny)
 and exists as a UX feature, not security isolation. Built-in agents have
 carefully scoped defaults (build allows most, prompts on doom_loop;
 plan denies all edits except plan files; explore denies everything except
 grep/glob/bash/webfetch/read; question defaults to deny). Permission
 rules are inherited by subagents. Shell tool dynamically scans commands
 for filesystem-impacting operations to determine ask patterns.
 Data model: SQLite via Drizzle ORM with bun:sqlite or better-sqlite3.
 Key tables: SessionTable (project, workspace, parent hierarchy, cost,
 tokens, model JSON, agent config JSON, permission JSON, revert snapshot),
 MessageTable, PartTable. Project model stores worktree, VCS, sandbox
 config. Config is JSON-chain (user home → project root → worktree) with
 remote config fetch and mergeDeep with concatenating array semantics.
 20 config modules covering agents, permissions, providers, MCP, LSP,
 plugins, skills, references, variable.
 Self-modification: Agent.generate() interface lets the LLM create new
 agent definitions — the system grows its own subagent roster. Skills
 system loads domain-specific knowledge packs dynamically.
 Verification: None.
 Key gap vs Passepartout: No deterministic safety architecture, no
 knowledge graph, no Org-mode, no verification/proof system, no
 neurosymbolic architecture. The permission system is explicitly labeled
 \"not security isolation\" — it's UX, not a gate stack. Largest userbase
 and most polished product of any coding agent, but architecturally
 conventional.
 ** Codex CLI (OpenAI, Rust, ~950K lines)
 OpenAI's open-source coding agent. Rust, Sandboxed.
 Architecture: ~116 crate Rust workspace with a protocol layer (SQ/EQ session types),
 sandbox manager (macOS Seatbelt, Linux nsjail), multi-provider support (via defined
 protocol, not directly), configurable TUI.
 Safety model: Most sophisticated safety system of any coding agent analyzed.
 Multi-layer:
 - Process hardening (macOS Seatbelt with 4 profile tiers)
 - Execution policy engine (defined policy in execpolicy crate)
 - Sandboxing via nsjail on Linux, seatbelt on macOS
 - Guardian module for tool permission gating
 - No prompt-based safety — all deterministic through policy definitions
 Data model: Protocol-defined session types. Structured request/response models.
 Config through TOML files with schema validation.
 Self-modification: Protected by sandbox — the agent cannot escape to modify its
 own binary or config without explicit policy override.
 Verification: None (no proof system).
 Key gap vs Passepartout: No knowledge graph (Org or otherwise), no persistent
 memory model, no deterministic gate stack for agent behavior (only OS-level
 sandboxing), no ACL2/prover, no neurosymbolic architecture. Strongest sandbox
 but weakest cognitive architecture.
 ** Claude Code (Anthropic, TypeScript/Bun, ~512K lines leaked)
 Anthropic's proprietary coding agent. Only available via leaked source analysis.
 Not open source.
 Architecture: Bun-bundled TypeScript single-file executable. Ink/React terminal UI.
 23+ core tools. Subagent forking with byte-identical API prefixes for prompt cache
 sharing. Multi-agent coordination mode.
 Safety model: Layered deterministic safety — NOT prompt-based:
 1. Permission mode system (7 modes: default, acceptEdits, bypassPermissions, etc.)
 2. Persistent permission rules (alwaysAllow, alwaysDeny, alwaysAsk, rule sources
   from userSettings, projectSettings, localSettings, policySettings)
 3. Bash security validator — 2,592 lines of dedicated code with 23+ named
   security checks using tree-sitter AST parsing
 4. Sandbox runtime for filesystem/network containment
 5. Path/mode validation
 6. Optional ML bash classifier (ant-only feature)
 This is the most sophisticated safety system of any coding agent. Passepartout's
 gate stack is architecturally similar (deterministic multi-layer) but Claude
 Code's implementation is vastly more mature — 2,592 lines of bash validation
 alone is ~50x the equivalent in Passepartout.
 Data model: File-based markdown memdir at ~/.claude/projects/<slug>/memory/.
 4 memory types: user, feedback, project, reference. YAML frontmatter in .md files.
 PROJECT.md and CLAUDE.md for project-level config. No database.
 Self-modification: HIGH. Skill system writes SKILL.md files that change future
 behavior. Plugin system, cron scheduling, agent spawning.
 Verification: None.
 Key gap vs Passepartout: No proof system, no neurosymbolic architecture, no
 self-verification, no persistent knowledge graph (flat markdown files, not
 Org-mode with cross-references), markdown data model lacks semantic depth.
 Proprietary — Anthropic controls it completely. Linux-only (uses macOS sandbox
 profiles natively). The permission rules system is impressive but structurally
 inferior to Passepartout's gate stack because rules are heuristic (regex-based
 pattern matching) rather than typed (type-level gates with structural guarantees).
 ** Gemini CLI (Google, TypeScript, ~525K lines, Apache 2.0)
 Google's open-source coding agent. Node.js 20+, Ink/React TUI.
 Architecture: 7-package npm monorepo. Core backend handles Gemini API orchestration,
 tool execution, policy engine, safety checks, sandbox management, session management,
 MCP client. 7-strategy composite model routing chain.
 Safety model: Multi-layered:
 1. CONSECA (Contextual Security Checker) — AI-driven per-request policy generation
   using a separate Gemini Flash model. Principle of least privilege.
 2. Policy engine — 4 approval modes (PLAN, DEFAULT, AUTO_EDIT, YOLO), hierarchical
   rules with priority scores and wildcard matching
 3. 6 sandbox methods (macOS Seatbelt, Docker/Podman, bwrap, gVisor, LXC, Windows)
 4. Trusted folders with discovery phase and path traversal protection
 5. Policy integrity verification via cryptographic hashes
 6. Built-in safety checkers (AllowedPathChecker, CONSECA)
 7. Loop detection service
 Data model: JSONL session files. Turn-based conversation model. 4-layer config
 precedence (system-defaults → user → project → system-override). TOML policy files.
 Self-modification: Modifiable hooks system, MCP extensions, custom commands.
 Core binaries are protected on disk by file permissions.
 Verification: None.
 Key gap vs Passepartout: No proof system, no persistent knowledge graph, no
 self-verification, no neurosymbolic architecture, lock-in to Google Gemini models
 (though it can use others via routing). The CONSECA approach is interesting
 (AI-generated policies) but introduces a second LLM call for every security
 decision — the opposite of Passepartout's approach of zero-token deterministic gating.
 * Category 2: Personal AI Assistants
 ** Hermes Agent (Python, ~17K core, MIT)
 The agent running this conversation. Python, OpenAI-format conversations.
 Architecture: Synchronous conversation loop with OpenAI-format messages. 60+
 built-in tools. 109+ providers via pluggable transport layer. 15+ messaging
 platforms via gateway. MCP client (native, not bridge). Ink/React TUI as Node.js
 subprocess. Cron jobs, Kanban board, subagent delegation.
 Safety model: Multi-layer but NOT a deterministic gate stack:
 1. Message sanitization (surrogates, control chars, malformed JSON)
 2. Tirith binary scanner (pre-execution terminal command analysis)
 3. Command approval system (manual/smart/off modes)
 4. Memory injection detection (prompt injection pattern matching)
 5. Secret/PII redaction
 6. Tool call guardrails (loop detection)
 7. MCP security (env filtering, credential stripping)
 8. Context fencing (memory injection span scrubbing)
 These are all heuristic or prompt-based — no structural type-level gates.
 Tirith is a separate binary, not in-process. The approval system is good but
 reactive (LLM proposes → system blocks) rather than preventive (type system
 prevents by construction).
 Data model: SQLite session DB (FTS5 full-text search). File-based memory
 (MEMORY.md + USER.md). YAML config. No knowledge graph. No Org-mode.
 Self-modification: Skill system writes SKILL.md files. Memory tool edits
 MEMORY.md/USER.md. Config YAML editable. Core Python code is read-only in
 execution but the LLM could request modifications to its own source files
 (no gate specifically prevents this).
 Verification: None.
 Key gap vs Passepartout: No deterministic gate stack (heuristic layers, not
 structural/typed), no knowledge graph, no Org-mode, no neurosymbolic architecture,
 no self-verification, no proof system. Hermes's strength is breadth —
 109 providers, 15 platforms, MCP ecosystem, big tool surface. But it has no
 depth in safety, knowledge representation, or reasoning architecture.
 ** OpenClaw (TypeScript/Node.js, ~3.5M lines)
 The largest codebase analyzed. Personal AI assistant with 25+ messaging channel
 support.
 Architecture: pnpm workspace with ~135 bundled plugins. Gateway control plane
 routes messages through multi-agent routing. Per-agent sessions, workspaces,
 skill registries. Companion native apps (macOS, iOS, Android).
 Safety model: Tiered — main agent runs tools directly on host (trusted-operator),
 non-main sessions sandboxed via Docker (read-only rootfs, capability dropping,
 seccomp/AppArmor, memory/cpu/PID limits, SSH/OpenShell backends).
 Data model: Typed JSON/YAML config (openclaw.json). Multi-source model catalog.
 Plugin SDK with narrow typed subpath exports.
 Self-modification: ACP (Agent Control Protocol) for spawning child sessions.
 Skill system with npm distribution and ClawHub registry.
 Verification: None.
 Key gap vs Passepartout: Same as Hermes — no gate stack, no knowledge graph,
 no Org-mode, no verification, no neurosymbolic architecture. Differentiated by
 vastly broader channel support and mature plugin ecosystem. But architecturally
 conventional — LLM + tools + channels, no cognitive architecture innovation.
 ** Thoth (Python, ~151K lines, Apache 2.0)
 https://github.com/siddsachar/Thoth — Personal AI Sovereignty. Local-first
 desktop AI assistant with knowledge graph, tools, voice, vision, shell,
 browser automation, workflow engine, and messaging channels.
 Architecture: LangGraph create_react_agent (prebuilt ReAct pattern). Dual-mode
 streaming via agent.stream(). NiceGUI web UI served by Python app.py with
 desktop launcher (tray icon, Ollama auto-start, browser/OS window). Context
 trimming via tiktoken to ~85% of model window, base64 data redaction, stale
 browser snapshot compression (keeps last 8), MD5 tool result dedup, old tool
 result summarization. 50-step recursion limit (chat), 100 (tasks), 120 (Developer
 Studio). Agent graph cached by tool set + model override. Checkpoints via
 LangGraph's SQLite-backed checkpointer. 30+ tool modules.
 Safety model: Shell command classification (tools/shell_tool.py) with 17 blocked
 patterns (rm -rf /, mkfs, dd of=/dev/, shutdown, fork bombs, pipe-to-bash, etc.),
 30+ safe auto-execute prefixes (ls, cat, grep, git status, etc.), needs-approval
 for compound commands (;, &&, ||, |, $(), backticks). Interactive interrupt() for
 non-safe shell — LangGraph human-in-the-loop pauses the graph. Per-workflow safety
 modes: block (default, refuse non-safe), approve (pause), allow_all.
 Prompt-injection defense: scans tool outputs and user inputs for 5 categories
 (role overrides, instruction hijacking, data exfiltration, invisible unicode,
 hidden HTML directives) — detection-only, no stripping. Filesystem workspace
 boundary (~/Documents/Thoth). Opt-in Docker Sandbox for Developer Studio.
 Destructive ops (file delete, moderate shell, Gmail send, calendar delete,
 memory/task/tracker delete) require confirmation. MCP servers disabled until
 tested. Custom Tools reviewed and promoted. No sandboxing of agent runtime
 itself — agent runs in-process. No response-level guardrails.
 Data model: SQLite (WAL mode) at ~/.thoth/memory.db — shared between knowledge
 graph and legacy memory. Knowledge graph: SQLite (durable) + NetworkX MultiDiGraph
 (in-memory, rebuilt on startup) + FAISS vector index (semantic recall, rebuilt on
 every entity write). 11 entity types (person, preference, fact, event, place,
 project, organisation, concept, skill, media, self_knowledge). 67+ typed relations
 with 30+ LLM-produced aliases mapped to canonical forms. Dream Cycle refinement
 pipeline for entity dedup/merge/stale-confidence decay. Config: JSON files
 (skills_config.json, api_keys.json, providers.json, channels_config.json). Keys in
 OS credential store (Windows Credential Manager, macOS Keychain, Linux Secret
 Service/KWallet). Memory extraction background daemon scanning past conversations
 every ~2 hours.
 Self-modification: Agent CAN create/update/delete skills via dedicated tools
 (thoth_create_skill, thoth_patch_skill, thoth_delete_skill). SKILL.md files with
 YAML frontmatter at ~/.thoth/skills/. Bundled skills (read-only) at app root;
 user skills override by name. Skill patching requires user confirmation + auto
 backup. Maximum 1 patch proposal per conversation. Tool guides cannot be patched.
 Self-knowledge block injected into system prompt. No tool to modify agent.py,
 prompts.py, or system prompt directly. Developer Studio provides code editing
 through approval-gated tools (tool-assisted human workflow, not agent self-mod).
 Verification: None formal. Update signature verification (updater.py).
 Comprehensive test suite at tests/test_suite.py. No tool-call verification beyond
 LangGraph schema validation. No output verification or fact-checking.
 Key differentiators vs other assistants: LangGraph ReAct agent with structured
 streaming event model. Personal knowledge graph (11 entity types, 67 relations,
 NetworkX + FAISS). Developer Studio (Docker sandbox, code threads, Git operations,
 approval modes). Designer Studio (decks, documents, landing pages, sandboxed
 interactive runtime). 5 messaging channels (Telegram, Discord, Slack, WhatsApp,
 SMS) with streaming, reactions, media processing. Background workflow engine
 (schedules, webhooks, step pipelines, conditions, approvals, concurrency groups).
 30+ tool modules including browser automation, shell, Gmail, Calendar, X, image/
 video generation. 39 curated Ollama tool-calling models. 10 LLM providers (Ollama,
 OpenAI, Anthropic, Google AI/Gemini, xAI/Grok, MiniMax, OpenRouter, Ollama Cloud,
 ChatGPT/Codex subscription, custom endpoints). MCP client (stdio, Streamable HTTP,
 SSE) with namespaced tools, approval gates. No accounts, no telemetry, no hosted
 server. Local-first with OS credential store.
 Key gap vs Passepartout: No deterministic gate stack — shell safety is pattern
 list (17 blocked, 30 safe), not typed gates. No sandboxed agent runtime. No
 proof system. No output guardrails. No neurosymbolic architecture. No Org-mode.
 No Merkle-tree memory. Knowledge graph (SQLite+FAISS) is richer than Hermes but
 is LLM-driven entity extraction — no structural integrity guarantees. Thoth's
 differentiation from Hermes/OpenClaw is the knowledge graph + Developer/Designer
 studios + embedded LangGraph framework — a broader product scope, but still
 architecturally conventional (LLM + tools + channels + KG), not a new cognitive
 architecture.
 * Category 3: CI/Check Systems
 ** Continue (TypeScript, ~328K lines, Apache 2.0)
 Source-controlled AI checks for CI/CD. Markdown-as-gate-policy.
 Architecture: Shared core (@continuedev/core) with ~80 provider implementations,
 tool-calling engine, config system (YAML/JSON/Markdown). Serves CLI (Ink/React TUI
 + headless CI mode), IDE extensions (VS Code, JetBrains), web dashboard.
 Safety model: Three permission levels (allow/ask/exclude). Precedence: mode policies
 → CLI flags → permissions.yaml → built-in defaults. Terminal security package for
 shell command analysis via shell-quote parsing. Workspace-scoped file access.
 Data model: Markdown files for checks, agents, rules. Source-controlled in-repo.
 YAML frontmatter for metadata.
 Self-modification: Checks source-controlled — any change goes through git.
 Verification: None (the checks are themselves unverified).
 Key gap vs Passepartout: The "checks as markdown" concept is philosophically
 similar to Passepartout's gate rules (deterministic policies checked before
 execution) but the implementation is dramatically simpler — regex-based policy
 objects, not a type-level gate stack with structural guarantees. No persistent
 agent, no memory, no knowledge graph, no neurosymbolic architecture. It is a
 gate system without an agent to gate.
 * The Passepartout Advantage
 | Dimension | Passepartout | Best Competitor | Gap |
 |-----------|--------------|-----------------|-----|
 | Safety model | Type-level gates + 11-vector deterministic stack | Claude Code (7 permission modes + 23 bash checks) | Structural vs heuristic. Passepartout's type-level gates prevent self-modification at the category level; competitors block patterns. |
 | Knowledge model | Org-mode (tree, properties, TODOs, timestamps, cross-refs, IDs, tags) | Claude Code (flat markdown memdir) | Org-mode's semantic richness is ~15 primitives markdown doesn't have. |
 | Memory integrity | Merkle tree + SHA-256 + rollback | Hermes (file-based); Claude Code (flat files + git) | Content-addressed, tamper-evident memory no competitor has. |
 | Self-verification | ACL2 → CIC prover (planned) | None | No competitor does provable correctness. |
 | Cognitive architecture | 10-80-10 symbolic-first (planned) | 100% LLM (every competitor) | Post-flip, Passepartout uses ~10% of the tokens competitors use. |
 | Data format | Org-mode (human-editable, machine-parseable, single file) | JSONL/Markdown/YAML/DB (competitors use 2-5 formats) | Unified format reduces translation layers to zero. |
 | Self-modification | Type-level gates + hot-reload | Claude Code (skills), Hermes (skills) | Passepartout's guard against self-modification is structural (type level), not heuristic (pattern list). |
 | Triad | Passepartout + Stoa + Agora | None | No competitor is building a full computing stack + social network. |
 | Provider independence | Any OpenAI-compatible API | Hermes (109+), Gemini CLI (1 primary) | Comparable to Hermes, better than most. |
 * Where Competitors Lead
 | Dimension | Leader | Passepartout Status |
 |-----------|--------|---------------------|
 | Safety implementation maturity | Claude Code (2,592 lines bash security) | Gate stack exists but bash validation is minimal in comparison |
 | Provider breadth | Hermes (109+), OpenClaw (50+) | 8 providers — adequate but not competitive |
 | Channel/platform support | OpenClaw (25+ channels) | TUI only — no multi-channel |
 | Plugin ecosystem | OpenClaw (ClawHub, npm registry) | No plugin marketplace |
 | Subagent delegation | Claude Code (fork with context inheritance) | Planned via Screamer planner |
 | Codebase size / features shipped | All competitors have working products | In development |
 | MCP integration | Hermes, Codex (native), Continue | Planned |
 | Sandboxing | Codex CLI (Seatbelt+nsjail), Gemini CLI (6 methods) | None |
 | Business model | Hermes (MIT+services), Codex (tokens) | AGPL + appliances + SaaS |
 | Cross-platform | Claude Code (macOS/*nix), Codex (macOS) | Linux only |
 * Strategic Positioning
 Passepartout is not competing in the existing AI agent market. It is building a
 new category: provable personal infrastructure.
 Competitors optimize for:
 - Token efficiency (Aider's edit formats, OpenCode's LSP integration)
 - Model flexibility (Hermes' 109 providers)
 - Platform reach (OpenClaw's 25 channels)
 - UI polish (Gemini CLI's Ink/React, Claude Code's permission dialogs)
 - Sandbox security (Codex's Seatbelt, Gemini's gVisor)
 Passepartout optimizes for:
 - Provable correctness (ACL2 → CIC)
 - Data integrity (Merkle tree)
 - Cognitive architecture (10-80-10 symbolic-first)
 - Safety by construction (type-level gates)
 - Unified data model (Org-mode as everything)
 - Network effects (Agora)
 - Full-stack ownership (Stoa)
 These are not axes any competitor cares about. The risk is not that a competitor
 builds a better Passepartout — it's that the market never develops a preference
 for provable agents. If token-burning LLM agents remain the default and users
 don't demand verification, the entire category Passepartout addresses may not
 exist yet.
 * Immediate Implications for Development
 1. Claude Code's safety system is the benchmark to exceed. The type-level gate
   architecture is theoretically superior to Claude Code's heuristic patterns,
   but the implementation needs to prove it catches things Claude Code
   misses.
 2. No competitor has anything resembling a neurosymbolic architecture. The 10-80-10
   plan has zero competition — but that also means zero market validation.
 3. The Org-mode bet is invisible to competitors. They don't see the advantage
   because they've never tried to build a knowledge graph from flat markdown files.
   This is Passepartout's widest moat — it depends on a skill (Org-mode literate
   programming) that no competitor's team has.
 4. Hermes is the closest full-stack competitor (tools, skills, cron, subagents,
   multi-platform), but architecturally conventional. For Hermes to match
   Passepartout, it would need to be rewritten.
 5. The coding agents (Aider, OpenCode, Codex) are not competitors — they are
   single-purpose tools Passepartout could eventually replace entirely when the
   planner matures.
 * File references
 Repository dumps and analysis artifacts at /tmp/:
 - /tmp/aider/ — Aider source (Python)
 - /tmp/opencode/ — OpenCode archived source (Go)  
 - /tmp/codex/ — OpenAI Codex CLI (Rust)
 - /tmp/claude-code-leaked-source/ — Claude Code leaked (TypeScript/Bun)
 - /tmp/gemini-cli/ — Google Gemini CLI (TypeScript)
 - /tmp/openclaw/ — OpenClaw source (TypeScript)
 - /tmp/thoth/ — Thoth source (Python)
 - /tmp/continue/ — Continue source (TypeScript)
 - /usr/local/lib/hermes-agent/ — Hermes Agent (Python)
--- a/ideas/compliance-framework-mapping.org
+++ b/ideas/compliance-framework-mapping.org
@@ -1,48 +0,0 @@
 :PROPERTIES:
 :ID:       e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
 :CREATED:  [2026-05-23 Sat]
 :UPDATED:  [2026-05-23 Sat]
 :END:
 #+title: Compliance Framework Mapping — Global Regulated Industries
 #+filetags: :passepartout:triad:compliance:global:index:
 This file has been split into atomic framework notes under [[file:compliance/][compliance/]].
 See [[file:compliance/_index.org][Compliance framework index]] for the hub with per-framework links.
 See [[file:compliance/first-mover-window.org][First-mover window analysis]] for timing.
 See [[file:compliance/revenue-table.org][Revenue table]] for pricing and TAM.
 Each framework is its own file in [[file:compliance/][compliance/]]:
 - [[file:compliance/hipaa.org][HIPAA]]
 - [[file:compliance/soc2.org][SOC 2]]
 - [[file:compliance/gdpr.org][GDPR]]
 - [[file:compliance/fedramp.org][FedRAMP]]
 - [[file:compliance/sox.org][SOX]]
 - [[file:compliance/glba.org][GLBA]]
 - [[file:compliance/ny-dfs-500.org][NY DFS 500]]
 - [[file:compliance/ccpa-cpra.org][CCPA/CPRA]]
 - [[file:compliance/quebec-law-25.org][Quebec Law 25]]
 - [[file:compliance/uk-gdpr.org][UK GDPR]]
 - [[file:compliance/nis2.org][NIS2]]
 - [[file:compliance/eu-ai-act.org][EU AI Act]]
 - [[file:compliance/dora.org][DORA]]
 - [[file:compliance/eidas2.org][eIDAS 2.0]]
 - [[file:compliance/cra.org][CRA]]
 - [[file:compliance/appi.org][APPI]]
 - [[file:compliance/ismap.org][ISMAP]]
 - [[file:compliance/pipa.org][PIPA]]
 - [[file:compliance/privacy-act-aus.org][Privacy Act Australia]]
 - [[file:compliance/apra-cps-234.org][APRA CPS 234]]
 - [[file:compliance/irap.org][IRAP]]
 - [[file:compliance/dpdp-act.org][DPDP Act India]]
 - [[file:compliance/lgpd.org][LGPD Brazil]]
 - [[file:compliance/lfp-dppp.org][LFPDPPP Mexico]]
 - [[file:compliance/iso-27001.org][ISO 27001]]
 - [[file:compliance/iso-27701.org][ISO 27701]]
 - [[file:compliance/basel-iii.org][Basel III]]
 - [[file:compliance/fatf.org][FATF AML/CFT]]
 - [[file:compliance/ifrs.org][IFRS]]
 - [[file:compliance/oecd.org][OECD Privacy/AI]]
 - [[file:compliance/world-bank-esf.org][World Bank ESF]]
 - [[file:compliance/ifc-ps.org][IFC PS]]
 - [[file:compliance/un-cefact.org][UN/CEFACT]]
--- a/ideas/compliance/_index.org
+++ b/ideas/compliance/_index.org
@@ -1,79 +0,0 @@
 :PROPERTIES:
 :ID:       e4a7b3d2-1c9f-4b6e-8a2d-5f3c7e1b9a0c
 :CREATED:  [2026-05-23 Sat]
 :UPDATED:  [2026-05-23 Sat]
 :END:
 #+title: Compliance Framework Index — Global Regulated Industries
 #+filetags: :passepartout:triad:compliance:global:index:hub:
 The verification monopoly and domain gate package revenue streams depend on
 selling into regulated industries. These industries buy compliance, not software.
 Each framework below maps to a gate package the triad can sell — ACL2-verified
 gate rules that produce deterministic audit trails.
 See [[file:first-mover-window.org][First-mover window analysis]] and [[file:revenue-table.org][Revenue table]] for the consolidated view.
 * US Frameworks
 - [[file:hipaa.org][HIPAA]] — Health privacy ($50K/yr, 500K+ orgs)
 - [[file:soc2.org][SOC 2]] — Service organization controls ($50K/yr, 100K+ orgs)
 - [[file:fedramp.org][FedRAMP]] — Federal cloud authorization ($100K/yr, 1K providers)
 - [[file:sox.org][SOX]] — Financial controls ($50K/yr, 10K orgs)
 - [[file:glba.org][GLBA]] — Financial privacy ($40K/yr, 20K orgs)
 - [[file:ny-dfs-500.org][NY DFS 500]] — NY financial cybersecurity ($30K/yr, 3K orgs)
 - [[file:ccpa-cpra.org][CCPA/CPRA]] — California privacy ($40K/yr, 50K+ orgs)
 * Canada
 - [[file:quebec-law-25.org][Quebec Law 25]] — Provincial privacy ($25K/yr, 10K+ orgs)
 * UK and EU
 - [[file:gdpr.org][GDPR]] — EU privacy ($50K/yr, 500K+ orgs)
 - [[file:uk-gdpr.org][UK GDPR]] — UK privacy ($40K/yr, 100K+ orgs)
 - [[file:nis2.org][NIS2]] — Network security ($50K/yr, 160K orgs)
 - [[file:eu-ai-act.org][EU AI Act]] — AI regulation ($75K/yr, 100K+ orgs)
 - [[file:dora.org][DORA]] — Financial resilience ($50K/yr, 22K+ orgs)
 - [[file:eidas2.org][eIDAS 2.0]] — Digital identity ($30K/yr, 10K+ orgs)
 - [[file:cra.org][CRA]] — Product cybersecurity ($40K/yr, 50K+ orgs)
 * Asia-Pacific
 - [[file:appi.org][APPI]] — Japan privacy ($40K/yr, 100K+ orgs)
 - [[file:ismap.org][ISMAP]] — Japan cloud authorization ($75K/yr, 500 providers)
 - [[file:pipa.org][PIPA]] — South Korea privacy ($35K/yr, 50K+ orgs)
 - [[file:privacy-act-aus.org][Privacy Act]] — Australia privacy ($35K/yr, 50K+ orgs)
 - [[file:apra-cps-234.org][APRA CPS 234]] — Australian financial security ($40K/yr, 500 orgs)
 - [[file:irap.org][IRAP]] — Australian cloud authorization ($75K/yr, 300 providers)
 - [[file:dpdp-act.org][DPDP Act]] — India privacy ($30K/yr, 500K+ orgs)
 * Latin America
 - [[file:lgpd.org][LGPD]] — Brazil privacy ($30K/yr, 200K+ orgs)
 - [[file:lfp-dppp.org][LFPDPPP]] — Mexico privacy ($25K/yr, 50K+ orgs)
 * International
 - [[file:iso-27001.org][ISO 27001]] — ISMS ($40K/yr, 60K+ orgs)
 - [[file:iso-27701.org][ISO 27701]] — Privacy management ($35K/yr, 1K+ orgs)
 - [[file:basel-iii.org][Basel III]] — Banking capital ($100K/yr, 500 G-SIBs)
 - [[file:fatf.org][FATF]] — AML/CFT ($50K/yr, 50K+ orgs)
 - [[file:ifrs.org][IFRS 17]] — Insurance accounting ($75K/yr, 5K+ orgs)
 - [[file:oecd.org][OECD Guidelines]] — Privacy/AI principles (indirect)
 - [[file:world-bank-esf.org][World Bank ESF]] — Development finance ($50K/yr)
 - [[file:ifc-ps.org][IFC PS]] — Project finance ($50K/yr)
 - [[file:un-cefact.org][UN/CEFACT]] — Trade facilitation ($30K/yr, 50K+ orgs)
 * Strategic View
 | Region | Frameworks | Total TAM | First-mover priority |
 |--------|-----------|-----------|---------------------|
 | US | 7 | ~$33B | FedRAMP (procurement gate), NY DFS 500 (growing) |
 | UK/EU | 7 | ~$24B | NIS2 (2025 deadline), AI Act (Aug 2026), DORA (in effect) |
 | Asia-Pacific | 7 | ~$9B | DPDP (rules drafting), ISMAP/IRAP (gov cloud gates) |
 | Latin America | 2 | ~$7B | LGPD (largest LATAM market) |
 | International | 9 | ~$4.5B | ISO 27001 (universal baseline), World Bank/IFC (no market exists) |
 Next: [[file:first-mover-window.org][First-mover window analysis]] | [[file:revenue-table.org][Full revenue table]]
 See also: [[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/domain-gate-packages.org][Domain gate packages]],
 [[file:../../ideas/compute-marketplace.org][Compute marketplace]], [[file:../../ideas/infrastructure-lock-in.org][Infrastructure lock-in]]
--- a/ideas/compliance/first-mover-window.org
+++ b/ideas/compliance/first-mover-window.org
@@ -1,23 +0,0 @@
 :PROPERTIES:
 :ID:       auto-first-mover-window
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: First-Mover Window Analysis
 #+filetags: :passepartout:compliance:strategy:first-mover:
 * First-Mover Window Analysis
 The first-mover window is the time in which a new compliance tool can establish
 dominance before incumbents respond or the market settles on a standard approach.
 | Window | Frameworks | Rationale |
 |--------|-----------|-----------|
 | **Critical (<12 months)** | EU AI Act (Aug 2026 effective), NIS2 (Oct 2025 deadline), DORA (Jan 2025 — already in effect) | Regulation is active or imminent. Buyers are desperate. No established vendor. |
 | **Wide (12-36 months)** | DPDP Act 2023 (rules drafting), India privacy; Privacy Act Review (Australia); Quebec Law 25; CRA phased enforcement | Regulation not yet fully enforced. Rules being written. Market forming. |
 | **Mature (commodity)** | GDPR (2018), SOX (2002), HIPAA (1996), GLBA (1999), Basel III (2010), FATF 40 Recs | Market has established vendors. First-mover advantage requires displacing incumbents via superior architecture. |
 | **Latent (undiscovered)** | OECD AI Principles, UN/CEFACT, World Bank ESF, IFC PS | Compliance exists but is document-based or consultant-delivered. No software market has formed. The first gate package creates the category. |
 See also: [[file:_index.org][Compliance index]], [[file:revenue-table.org][Revenue table]],
 [[file:../../ideas/verification-appliance.org][Verification appliance]], [[file:../../ideas/verification-monopoly.org][Verification monopoly]]
--- a/ideas/compliance/revenue-table.org
+++ b/ideas/compliance/revenue-table.org
@@ -1,60 +0,0 @@
 :PROPERTIES:
 :ID:       auto-revenue-table
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: Compliance Framework Revenue Table
 #+filetags: :passepartout:compliance:revenue:pricing:
 * Expanded Revenue Table
 | Framework | Region | Gate price/yr | Addressable orgs | Revenue potential | First-mover window | Gate rule type |
 |-----------|--------|--------------|------------------|-------------------|---------------------|----------------|
 | HIPAA | US | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + access control |
 | SOC 2 | US/Global | $50K | 100K+ | $5B | Mature (incumbent disruption) | Access control + audit |
 | GDPR | EU | $50K | 500K+ | $25B | Mature (incumbent disruption) | Privacy + consent |
 | FedRAMP | US | $100K | 1K (providers) | $100M | Moderate (<300 authorized) | Continuous monitoring |
 | SOX | US | $50K | 10K | $500M | Mature (manual audit disruption) | Financial controls |
 | GLBA | US | $40K | 20K | $800M | Moderate | Financial privacy |
 | NY DFS 500 | US (NY) | $30K | 3K | $90M | Wide | Cybersecurity controls |
 | CCPA/CPRA | US (CA) | $40K | 50K+ | $2B | Moderate | Privacy opt-out flows |
 | NIS2 | EU | $50K | 160K | $8B | Critical (2025) | Cybersecurity + supply chain |
 | EU AI Act | EU | $75K | 100K+ | $7.5B | Critical (Aug 2026) | AI risk management |
 | DORA | EU | $50K | 22K+ | $1.1B | Critical (in effect) | ICT resilience |
 | eIDAS 2.0 | EU | $30K | 10K+ | $300M | Wide (wallet buildout) | Identity gates |
 | CRA | EU | $40K | 50K+ | $2B | Wide (phased 2025-2027) | Product security |
 | UK GDPR | UK | $40K | 100K+ | $4B | Mature (GDPR derivative) | Privacy |
 | APPI | Japan | $40K | 100K+ | $4B | Moderate | Cross-border privacy |
 | ISMAP | Japan | $75K | 500 (providers) | $37.5M | Wide (<100 registered) | Gov cloud assessment |
 | PIPA | South Korea | $35K | 50K+ | $1.75B | Wide (2024 amendments settling) | Privacy + consent |
 | Privacy Act | Australia | $35K | 50K+ | $1.75B | Wide (reforms legislating) | Privacy + AI transparency |
 | APRA CPS 234 | Australia | $40K | 500 | $20M | Moderate | Info security controls |
 | IRAP | Australia | $75K | 300 (providers) | $22.5M | Wide | Gov cloud assessment |
 | DPDP Act | India | $30K | 500K+ | $15B | Wide (rules drafting) | Privacy + consent |
 | LGPD | Brazil | $30K | 200K+ | $6B | Moderate | Privacy |
 | LFPDPPP | Mexico | $25K | 50K+ | $1.25B | Wide | Privacy |
 | ISO 27001 | Global | $40K | 60K+ | $2.4B | Mature (manual disruption) | ISMS controls |
 | ISO 27701 | Global | $35K | 1K+ | $35M | Wide (growing) | Privacy management |
 | Basel III | Global (banking) | $100K | 500 (G-SIBs) | $50M | Mature (incumbent disruption) | Capital adequacy |
 | FATF AML/CFT | Global | $50K | 50K+ | $2.5B | Mature (incumbent disruption) | CDD + screening |
 | IFRS 17 | Global (insurance) | $75K | 5K+ | $375M | Mature (actuarial verification) | Contract classification |
 | UN/CEFACT | Global (trade) | $30K | 50K+ | $1.5B | Latent (no market exists) | Cross-border data rules |
 | World Bank ESF | Global (dev finance) | $50K | 1K+ (projects) | $50M | Latent (no market exists) | ES compliance gates |
 | IFC PS | Global (project finance) | $50K | 500+ (deals) | $25M | Latent (no market exists) | ES compliance gates |
 A compute marketplace provider with authorization in 5+ frameworks (FedRAMP + 
 ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
 for regulated cloud globally. The gate package portfolio alone — a mid-size
 enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
 At 10,000 such enterprises: $5B/yr. The first-mover advantage is not about any
 single framework — it is about being the first to offer a unified gate stack
 that maps to all of them.
 A compute marketplace provider with authorization in 5+ frameworks (FedRAMP +
 ISMAP + IRAP + SOC 2 + ISO 27001) becomes the default infrastructure provider
 for regulated cloud globally. The gate package portfolio alone — a mid-size
 enterprise running 10+ packages — generates $500K/yr+ in recurring revenue.
 At 10,000 such enterprises: $5B/yr.
 See also: [[file:_index.org][Compliance index]], [[file:first-mover-window.org][First-mover window analysis]],
 [[file:../../ideas/verification-monopoly.org][Verification monopoly]], [[file:../../ideas/compute-marketplace.org][Compute marketplace]]
--- a/ideas/cost-structure.org
+++ b/ideas/cost-structure.org
@@ -1,14 +0,0 @@
 :PROPERTIES:
 :ID:       0b5a8a74-cfd6-542d-bc88-4eb3cd8626f9
 :END:
 #+title: Cost Structure — Zero Marginal Cost
 #+filetags: :passepartout:economics:cost:marginal:zero:
 - **One-time cost:** [[file:gate-rule-encoding.org][gate-rule encoding]] for a domain (from hours for codified domains up to months for tacit domains)
 - **Near-zero marginal cost:** ACL2 proof + Screamer consistency check + VivaceGraph lookup per interaction — all CPU-native, all in-image
 - **No recurring LLM API costs** for the 80% symbolic reasoning layer
 - **After [[file:sufficiency-flip.org][sufficiency flip]]:** pennies per day vs dollars per day for LLM-only
 The cost curve inverts: generation is expensive, verification is cheap. This is the inversion Passepartout exploits. This is the core insight of [[file:lisp-economics.org][Lisp economics]] — symbolic verification costs approach zero while LLM token costs remain constant.
 Token demand shifts from "every interaction burns tokens" to "only unfamiliar interactions burn tokens." Steady-state per-user LLM consumption drops by an order of magnitude.
--- a/ideas/domain-gate-packages.org
+++ b/ideas/domain-gate-packages.org
@@ -1,17 +0,0 @@
 :PROPERTIES:
 :ID:       c34940cc-090e-57c4-8020-e78b1d32b96c
 :END:
 #+title: Domain Gate Rule Subscriptions
 #+filetags: :passepartout:revenue:gate-rules:compliance:subscription:
 Pre-verified [[file:gate-rule-encoding.org][gate rule]] packages for specific compliance domains. Translated from published regulations by the LLM, verified by ACL2, reviewed by a human for the 5% ambiguous edge cases.
 - HIPAA package: $50K/yr
 - SOC2 package: $50K/yr
 - GDPR package: $50K/yr
 - FedRAMP package: $100K/yr
 - Combined enterprise: $250K/yr
 Switching costs are high — changing packages means re-verifying the fact store against new rules. The [[file:infrastructure-lock-in.org][infrastructure lock-in]] compounds: a hospital at $250K/yr in year one grows to $500K-$1M by year five as more packages are added and the fact store becomes more valuable than the software itself.
 20 subscriptions in year one = $1M-$5M. These packages are verified using the [[file:verification-appliance.org][verification appliance]] and scored by the [[file:evaluation-harness.org][evaluation harness]].
--- a/ideas/evaluation-harness.org
+++ b/ideas/evaluation-harness.org
@@ -1,17 +0,0 @@
 :PROPERTIES:
 :ID:       45258a2d-1675-562c-9024-5d1eb2f1ea56
 :END:
 #+title: Evaluation Harness as Certification Service
 #+filetags: :passepartout:revenue:certification:evaluation:regression:
 The accumulated regression suite — thousands of edge cases from every deployed instance, every bug fix, every regulatory change — becomes the most comprehensive test of autonomous agent correctness.
 **Service:** "Run our 10,000-task suite against your AI agent and get a Merkle-verified score."
 **Target:** AI labs proving their agents' capabilities, enterprise procurement requiring independent verification.
 **Price:** $50K-$200K per certification.
 The regression suite grows with every deployment, making the certification increasingly valuable over time. The early player's suite is the largest because they started first. This is the [[file:collective-regression-suite.org][collective regression suite]] mechanism in action.
 10 certifications in year one = $500K-$2M.
 Long-term endpoint: this becomes the UL certification for AI — a third-party verification nobody can ignore. [[file:verification-monopoly.org][The verification monopoly]]. The certification relies on a [[file:verification-appliance.org][verification appliance]] to run the tests in a trusted environment, creating [[file:infrastructure-lock-in.org][infrastructure lock-in]] as certification history accumulates on the platform. These dynamics form powerful [[file:moats.org][moats]].
--- a/ideas/gate-rule-encoding.org
+++ b/ideas/gate-rule-encoding.org
@@ -1,17 +0,0 @@
 :PROPERTIES:
 :ID:       45ea493b-94ad-5885-aa65-0c846e5c3c1d
 :END:
 #+title: Gate Rule Encoding from Codified Domains
 #+filetags: :passepartout:gates:rules:encoding:llm:translation:
 Laws, regulations, standards, procedures, and technical specifications are already written down in structured text. The LLM does not need to *reason* about them — it needs to *translate* them into gate rules and ACL2 theorems.
 Example: The US Federal Acquisition Regulation (FAR) is ~2,000 pages. A frontier LLM can ingest the FAR and produce a plist of gate rules:
 - (if contract > $250K AND not small-business-set-aside → :deny)
 - (if sole-source AND no justification-documented → :deny, produce-justification)
 ACL2 verifies the rule set for internal consistency. Screamer checks against existing compliance facts. The human reviews the bootstrap output and approves or corrects individual rules.
 The key distinction: the LLM is not *extracting knowledge from prose* — it is *translating a known rule system into a formal representation.* The result is not "the LLM's best guess" but "the rule set as stated in the source document, mechanically transcribed."
 For codified domains, the encoding cost drops from weeks to hours. The only bottleneck is human review of the 5% ambiguous rules. This is what makes the [[file:sufficiency-flip.org][sufficiency flip]] economically viable — once gates are encoded, verification is near-free. The resulting rules are packaged into [[file:domain-gate-packages.org][domain gate packages]] that can be reused across deployments.
--- a/ideas/infrastructure-lock-in.org
+++ b/ideas/infrastructure-lock-in.org
@@ -1,16 +0,0 @@
 :PROPERTIES:
 :ID:       2f783eb4-638e-5afa-9b59-6224d086a712
 :END:
 #+title: Infrastructure Lock-In and Switching Costs
 #+filetags: :passepartout:economics:moats:lock-in:switching:
 A hospital that runs Passepartout with HIPAA gate rules ($50K/yr) for five years has accumulated:
 - A fact store with a decade of compliance decisions
 - A proof forest of verified rules
 - An empirical decision history tied to their specific deployment
 - Customized gate rules encoding their specific workflows and approvals
 Switching to a competitor means discarding all of it. The accumulated value grows as the fact store deepens. Annual revenue per enterprise grows from $250K in year one to $500K-$1M by year five as more [[file:domain-gate-packages.org][domain packages]] are added.
 This is the strongest residual [[file:moats.org][moat]]. The [[file:evaluation-harness.org][evaluation harness]] (regression suite) is a close second — it grows with every deployment and cannot be ingested from public data. The [[file:verification-monopoly.org][verification monopoly]] and [[file:upgrade-lifecycle.org][upgrade lifecycle]] compound this lock-in: every new regulation encoded as a gate rule deepens the proof forest, making the deployment harder to reproduce elsewhere.
--- a/ideas/investment-thesis.org
+++ b/ideas/investment-thesis.org
@@ -1,17 +0,0 @@
 :PROPERTIES:
 :ID:       5961e469-53a3-5f3c-ab72-3c83ef91963f
 :END:
 #+title: Investment Thesis
 #+filetags: :passepartout:economics:investment:thesis:
 The early player benefits from every other instance of the triad. Every deployed instance feeds edge cases into the [[file:evaluation-harness.org][regression suite]], grows the [[file:compute-marketplace.org][compute marketplace]], and validates the hardware designs. Network effects are positive sum.
 Three revenue horizons:
 - **Low-hanging fruit (year one, $2M-$12M):** [[file:verification-appliance.org][verification appliances]], [[file:domain-gate-packages.org][domain gate rule subscriptions]], [[file:evaluation-harness.org][evaluation harness certification]], migration services
 - **Medium-term (1-3 years, $10M-$50M):** [[file:compute-marketplace.org][compute marketplace]], Relay Network, Lisp Machine hardware; [[file:agora-usernames.org][premium usernames]] ($10M/yr), [[file:pds-as-a-service.org][PDS hosting]] ($18M/yr)
 - **Big money (3-10 years, $100M-$1B+):** [[file:verification-monopoly.org][verification monopoly]] (UL certification for AI), [[file:infrastructure-lock-in.org][infrastructure lock-in]], planetary compute marketplace
 The switching costs compound. The [[file:moats.org][network effects]] are positive sum. The market is nearly a trillion dollars.
 The defensible entity is "the organization that best understands how to adapt Passepartout to your domain" — not "the organization that owns Passepartout."
--- a/ideas/licensing.org
+++ b/ideas/licensing.org
@@ -1,19 +0,0 @@
 :PROPERTIES:
 :ID:       67faf52f-9126-50a7-b87e-2bedc610dac7
 :END:
 #+title: Licensing — AGPLv3 + Commercial
 #+filetags: :passepartout:ip:licensing:agpl:commercial:
 **AGPLv3 for the public repository.** AGPL closes the ASP loophole: anyone who modifies the software and offers it over a network must release their modified source. Combined with a [[file:patent-strategy.org][patent strategy]], this creates [[file:moats.org][moats]] against proprietary forks.
 Crucially: AGPL is a *product requirement*, not a concession. The system's value proposition is provable correctness — every decision has Merkle provenance. This claim is structurally incredible with closed source. An enterprise buyer needs to inspect the gate stack, verify the Merkle implementation, and confirm ACL2 integration. AGPL makes this possible without signing an NDA. This transparency also enables a [[file:pds-as-a-service.org][PDS as a service]] model where enterprises can run their own infrastructure.
 **AGPL only covers modifications to code, not:**
 - Gate rules specific to a domain (these are data, not code)
 - The fact store (empirical data generated from usage)
 - Ontology categories (design decisions stored as configuration)
 - Proprietary skills loaded at runtime (AGPL boundary on plugin systems is legally unsettled)
 **Dual license model:**
 - AGPLv3 for open source — builds ecosystem, trust, community
 - Commercial license for enterprises that cannot accept AGPL — MySQL/SugarCRM/GraphQL model
--- a/ideas/lisp-economics.org
+++ b/ideas/lisp-economics.org
@@ -1,16 +0,0 @@
 :PROPERTIES:
 :ID:       9af13fff-9725-542b-93b1-a555bc74ad72
 :END:
 #+title: Why Lisp Is Economically Viable Now
 #+filetags: :passepartout:economics:lisp:history:C:viability:
 The 1980s trade-off was: C is cheap enough for the market. Correctness is a luxury the market cannot afford. The 2020s trade-off is: C is expensive for the market. Incorrectness has become the dominant cost of software. Lisp's verification infrastructure is now the cheaper option.
 Four transformations flipped the economics:
 1. **Memory is free.** 40MB runtime is noise on a $20 Raspberry Pi with 8GB RAM. In 1980, DRAM was ~$5,000/MB.
 2. **Transistors are free.** Modern ARM Cortex-A72 has billions of transistors. GC and type dispatch cost nothing because the transistors are there whether used or not.
 3. **Complexity saturates human verification.** Systems are tens of millions of lines. Testing is necessary but insufficient — zero-day vulnerabilities prove bugs survive all testing. Formal verification is the only known path.
 4. **Cost of failure exceeds cost of verification.** A single breach costs millions. Regulation mandates provable compliance. Proving correctness is cheaper than not proving it.
 The [[file:verification-appliance.org][verification appliance]] (AGPL symbolic engine + RISC-V Lisp μcode on FPGA) costs $5,000/year and replaces $500,000/year in compliance audits, breach litigation, and regulatory fines. This [[file:cost-structure.org][cost structure]] — zero marginal cost per additional user — is what makes Lisp economically viable at scale. The [[file:self-driving-lisp-machine.org][self-driving Lisp Machine]] is the hardware endpoint of this economic logic. For the biological analogy that explains why Lisp architecture is a natural outcome of complexity pressure, see [[file:biology-parallels.org][biology parallels]]. For the historical precedent, see the [[file:comparison-with-symbolics.org][comparison with Symbolics Genera]]. The [[file:ai-industry-impact.org][impact on the AI industry]] is the market-side consequence.
--- a/ideas/lisp-game-engine-substrate.org
+++ b/ideas/lisp-game-engine-substrate.org
@@ -0,0 +1,30 @@
 :PROPERTIES:
 :ID:       f467ce16-1861-4ebd-96ed-b52fea909515
 :CREATED:  [2026-06-05 Fri]
 :END:
 #+title: Lisp as Game Engine Substrate
 The GOAL compiler (Naughty Dog, Jak and Daxter) proved Lisp could ship SOTA games on constrained hardware (PS2, 32MB RAM). Twenty years later, the question is whether Lisp can do it again on modern hardware — and whether the CL Modernization work makes it viable.
 **What Lisp gives you that C++ cannot match:**
 - Interactive development at runtime — change AI, physics, or rendering code while the game runs. No compile-link-run cycle. C++ engines for large projects measure iteration in minutes; Lisp measures it in frames.
 - Macros for game DSLs — behavior trees, animation blend graphs, dialogue trees, state machines become native Lisp code instead of external tools with serialization boundaries.
 - CLOS multiple dispatch for ECS — generic functions on component types replace manual message routing.
 - Image-based workflow — save and resume the entire engine state (GPU, audio, physics, editor) from anywhere.
 **Where Lisp falls short:**
 - GC tail latency — concurrent generational GCs (single-digit ms) are acceptable for 60fps (16ms budget) but problematic for VR at 90fps (11ms) or competitive esports. The CL Modernization analysis identifies this as inherent but mitigatable, and eliminates it entirely on a tagged RISC-V core with hardware CONS and concurrent collection.
 - GPU interop — no idiomatic Vulkan/DirectX 12 bindings. This is an ecosystem gap (fixable), not a language limitation.
 - No modern engine exists — Unreal Engine 5 is ~5M lines of C++. At 3-5x density, a Lisp equivalent might be 1-2M lines. Massive but smaller than the C++ baseline.
 **The GOAL lesson:** Naughty Dog's compiler used disciplined Lisp written to avoid allocation on hot paths, proving the constraint is programmer practice, not language capability. Modern SBCL with type declarations compiles to within 2x of C on hot numerical code — sufficient for games where the bottleneck is GPU fill rate, not CPU-bound game logic.
 **What changes with the CL Modernization work:** A verified Lisp runtime eliminates the class of bugs that causes engine crashes; a RISC-V Lisp extension with hardware CONS and concurrent GC eliminates the tail-latency argument against real-time use; and the density advantage makes a from-scratch engine build tractable for an AI agent working at 10x human velocity.
 For further analysis, see [[https://en.wikipedia.org/wiki/GOAL_(programming_language)]].
 See also:
 - [[id:971cd9e7-2cc5-4743-8042-2469dbe4078f][Lisp Foundation]] — the CL Modernization analysis this builds on
 - [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][Architecture]] — the verified Lisp machine target
--- a/ideas/lisp-geometry-engine.org
+++ b/ideas/lisp-geometry-engine.org
@@ -0,0 +1,175 @@
 :PROPERTIES:
 :ID:       aae3b3a9-05c2-4acd-bfd4-a7f65003c0bf
 :CREATED:  [2026-05-11 Mon]
 :END:
 ---
 type: idea
 title: All-Lisp Geometry Engine
 created: '2026-06-04T00:00:00.000Z'
 tags:
  - APM
  - CAD
  - CAM
  - UX
  - architecture
  - constraint-solving
  - design-tools
  - empirical
  - gaming
  - geometry-engine
  - lisp
  - provenance
  - three-pronged
 ---
 A unified Lisp geometry engine built on the three-pronged model — the
 constraint kernel IS the physics, and the design world is aware of its own
 physics by default because the system won't let you produce a design that
 violates physical constraints without flagging it.
 This is Ivan Sutherland's Sketchpad vision (1963), fully realized: the
 drawing IS the program, the constraints ARE the physics, and the system
 solves them in real-time — across CAD precision, game rendering, and UX
 layout — from one kernel in one address space.
 ---
 **The three prongs, applied to the geometry engine.**
 The three-pronged architecture (deductive proofs / provenance-tracked
 empirical models / probabilistic oracle, under one gate) is not an abstract
 epistemological framework. It maps directly onto what a design tool needs.
 **Prong 1 — deductive: the constraint solver.**
 The geometry kernel IS deductive mathematics. When the solver determines
 that four points are coplanar, or that an edge is tangent to a cylinder at
 exactly 5mm offset, it is computing a deductive consequence of the
 constraint system. The formulas for intersection, tangency, and spatial
 relationships are formal geometry. ACL2 could verify them. The constraint
 network is a theorem: the set of all poses that satisfy the specified
 relations. Solving it is proving the theorem.
 **Prong 2 — empirical: provenance-tracked material properties.**
 This is the prong that changes design work fundamentally. Currently, design
 software pretends material properties are true numbers. You pick "steel"
 from a dropdown and see Young's modulus = 200 GPa. But that 200 GPa is an
 average across 50 samples from different suppliers at different batch runs.
 The actual value for your specific part is between 190 and 210 GPa, and the
 software never tells you.
 With provenance-tracked empirical models, every parameter in the constraint
 network carries its epistemic status: measured from a specific experiment,
 fitted to a published dataset, extrapolated beyond validation with a
 confidence penalty, or guessed because no data exists. The provenance store
 holds the source chain, validity envelope, and confidence interval for every
 parameter. The constraint solver propagates uncertainty automatically.
 The consequence: the designer designs to a distribution, not a platonic
 number. The clearance at a joint shows as 0.03-0.08mm, not 0.05mm flat.
 Material selection becomes a query with confidence thresholds, not a
 dropdown. Tolerance stack-up falls out of provenance automatically. The
 finished design carries a confidence budget: "Confidence this meets
 specification under rated load: 95%. Material parameter uncertainty
 contributes 3%, manufacturing tolerance contributes 1.5%."
 The validity envelope constrains what the designer can even specify. You try
 to design a seal for 500C operation. The provenance store says: the
 empirical model for this material is validated to 300C. Above that, the only
 data is a single 1973 paper with a 2x extrapolation factor and no confidence
 interval. The gate flags it. The designer must explicitly accept the risk
 (logged to the provenance chain with a signature) or select a material with
 better empirical coverage.
 Manufacturing feedback closes the loop. The part is made, as-manufactured
 dimensions are measured, the real friction coefficient is recorded. These
 values write back to the provenance store. The next design iteration has
 tighter confidence intervals because it incorporates production data.
 Datasheet revisions propagate retroactively: a bearing manufacturer revises
 load rating downward, the provenance store updates, the gate re-checks all
 existing designs and flags: "Your coupling assumed 5kN from the 2022
 datasheet. The 2025 revision shows 4.2kN. Safety margin is now below
 required threshold."
 **Prong 3 — probabilistic: the LLM as constraint explorer.**
 The LLM proposes constraint system structures: "Here's a four-bar linkage
 with these initial parameters." The solver validates deductively. The LLM
 diagnoses failures: "The solver can't converge because constraint A and
 constraint B conflict — the offset exceeds available column space given the
 pivot locations." The LLM proposes alternatives; the solver checks.
 The LLM handles what cannot be formalized: model selection (which force
 field for this molecule class?), interpretation (why did the simulation
 fail?), creative generation (suggest a design that meets these spec limits).
 The gate ensures the LLM proposes only — it never executes.
 ---
 **One representation, all domains.**
 The same constraint kernel drives engineering (CAD/CAM — float64, micron
 precision, batch solve), gaming (float32, 144fps, iterative solve), and UX
 layout (pixel-aligned, 120fps, layout constraints). CLOS dispatch selects
 the solver backend based on the precision context and frame deadline. The
 constraint language is the same; the solver varies by domain.
 Lisp macros generate optimized inner loops from the constraint DSL — typed,
 inlined, unstyled — that SBCL compiles to within 2x of C. The hot path
 narrowphase runs as native code, not through generic function dispatch.
 ---
 **Origin: Drexler's APM community and Godot.**
 The motivation came from Eric Drexler's atomically precise manufacturing
 community, which wanted to use Godot as a molecular machine design suite. A
 game engine provides exactly what molecular nanotechnology design requires:
 real-time 3D, constraint-based physics, collision detection, and interactive
 spatial editing. But Godot's C++/GDScript substrate has no provenance
 tracking, no validity envelopes, and no epistemic awareness. A Lisp geometry
 engine on the three-pronged architecture provides what the APM design suite
 needs: the constraint kernel ensures geometric consistency (deductive), the
 provenance store tracks force field parameters and validity envelopes
 (empirical), and the LLM proposes molecular machine designs guided by
 physical constraints (probabilistic).
 ---
 **Computational feasibility.**
 - CAD: feasible today on SBCL. Float64 is native, no frame deadline, CLOS
  dispatch at design scale (thousands of constraints, not millions).
 - UX layout: feasible today. 2D constraints at 120fps with moderate scene
  complexity.
 - Gaming at 144fps: needs Stage 3 hardware (tagged RISC-V, hardware GC,
  geometry accelerators). CLOS dispatch overhead and GC tail latency on
  commodity hardware consume too much of the 6.9ms frame budget for AAA
  scene complexity.
 - The LLM-guided constraint search (prong 3) makes the symbolic approach
  tractable at assembly scale — the LLM proposes, the solver validates,
  successful patterns cache as deductive rules.
 ---
 **Connection to Passepartout's three-pronged architecture.**
 The three-pronged section of the architecture describes "two reasoning
 engines and one data store": the symbolic engine (ACL2, formal proofs,
 deductive gate rules), the provenance store (empirical parameters with
 sources, validity envelopes, confidence intervals), and the probabilistic
 oracle (the LLM, proposing within gate bounds).
 The geometry engine is not an application that happens to use this
 architecture. The geometry engine IS the architecture made concrete. The
 constraint solver IS the symbolic engine reasoning about design rules. The
 material property database IS the provenance store. The designer exploring
 alternatives IS the LLM oracle proposing and the solver validating. The gate
 checking a design against the validity envelope before permitting it to be
 released to manufacturing IS the same gate that checks a shell command
 against security policy.
 Stage 3 hardware makes it run fast enough for real-time domains. That is
 where the geometry engine meets the Lisp machine — the killer app that
 justifies and defines the hardware feature set.
--- a/ideas/moats.org
+++ b/ideas/moats.org
@@ -1,17 +0,0 @@
 :PROPERTIES:
 :ID:       aa6d062e-a520-5d14-8773-00687ed9c689
 :END:
 #+title: Competitive Moats
 #+filetags: :passepartout:economics:moats:competition:
 Re-evaluated: time is not the primary moat. A Phase 4+ Passepartout fed on Wikipedia + Wikidata can build a general ontology in two weeks. The organic growth advantage collapses for general knowledge.
 **Actual moats (weaker than initially assumed):**
 1. **Domain-specific gate rules** — thin. A few hundred lines of Lisp data. Write once, trivial to copy. Not a real moat.
 2. **Empirical decision history** — every HITL decision is a Merkle fact. A fresh instance has none. Makes *your* instance more valuable but doesn't prevent competition — it's a switching cost, not a barrier to entry.
 3. **[[file:evaluation-harness.org][Evaluation harness (regression suite)]]** — thousands of test cases accumulated from every bug fix. Cannot be ingested from public data. Strongest residual moat.
 4. **[[file:infrastructure-lock-in.org][Infrastructure integration]]** — specific Docker compose layouts, Traefik patterns, Authentik configs encoded as gate rules. A competitor's infrastructure is different.
 **Strongest competitor strategy:** Not copying your gate rules — offering the same architecture as a service with their own pre-seeded general knowledge and a consulting engagement to customize gate rules. The AGPL prevents closing the architecture but does not prevent offering it as a service with a customization layer.
 **The defensible business is services, not product.** The defensible entity is "the organization that best understands how to adapt Passepartout to your domain" — not "the organization that owns Passepartout." A [[file:verification-monopoly.org][verification monopoly]] on agent safety would change this calculus — competitors would need independent certification. [[file:patent-strategy.org][Patent strategy]] and [[file:licensing.org][Licensing]] protect key innovations and create revenue from the open-source ecosystem.
--- a/ideas/orders-of-magnitude-time.org
+++ b/ideas/orders-of-magnitude-time.org
@@ -1,7 +1,8 @@
-#+title: Orders of Magnitude — Time
+#+title: Orders of Magnitude
 #+filetags: :passepartout:framework:time:scale:hierarchy:
 :PROPERTIES:
 :ID:       2cdca4b0-6b41-44b4-acb0-af21d0e27b00
 :ID:       orders-of-magnitude-time
 :CREATED:  [2026-05-23 Sat]
 :END:
@@ -17,7 +18,7 @@ The hierarchy:
 | Days | Shippable thing, momentum building | Next day | Drift, distraction |
 | Weeks | Sprint, feature, market pulse | One cycle | Wrong direction |
 | Months | Product cycle, hiring, traction | One data point | Bleeding out slow |
-| Years | Company, moats, technology shifts | Scarce | Irrelevance |
+| Years | Company, [[id:aa6d062e-a520-5d14-8773-00687ed9c689][moats]], technology shifts | Scarce | Irrelevance |
 | Generations | Culture, regulation, infrastructure | Post-founding | Irreversibility |
 Practical use:
@@ -26,4 +27,4 @@ When planning anything, identify which order of magnitude you're operating in
 Common mistake: treating a months/years problem as if it can be solved in days/weeks (startup hype, premature optimization) or a minutes problem as if it deserves weeks of deliberation (analysis paralysis, bikeshedding).
-See also: [[file:time-estimates.org][Time estimates]] applies this framework to Passepartout's development timeline.
+The [[id:dc2e4f22-1c4c-5d4a-a151-f96e5d3b0d70][Time estimates]] page applies this framework to [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]]'s development timeline.
--- a/ideas/passepartout-economics.org
+++ b/ideas/passepartout-economics.org
--- a/ideas/patent-strategy.org
+++ b/ideas/patent-strategy.org
@@ -1,22 +0,0 @@
 :PROPERTIES:
 :ID:       caaeee11-ba6f-5566-aecd-f171b4c459c0
 :END:
 #+title: Patent Strategy
 #+filetags: :passepartout:ip:patents:legal:
 **Likely patentable:**
 - Probabilistic-deterministic split with deterministic gates between LLM proposal and execution (vs every competitor using prompt-based guardrails)
 - Foveal-peripheral context model with Org-tree structured retrieval (targets 2,000-4,000 tokens)
 - Merkle-tree memory with copy-on-write snapshots and operation-level undo/redo
 - Gate-to-fact bootstrap with sufficiency criterion (mechanically extracting facts from gate stack data structures)
 - Macro-layer-as-skill bootstrapping architecture (theorem-proving as hot-reloadable skills)
 **Likely not patentable (known techniques):**
 - ACL2 itself (decades old)
 - Screamer for consistency checking (obvious application)
 - Hot-reloadable skills (40 years old)
 - Org-mode as a data format
 **Strongest single claim:** The specific combination of probabilistic model + deterministic zero-token safety gates + Merkle memory + symbolic engine with sufficiency criterion. Each element is known; the combination is novel and non-obvious.
 **Counterargument:** A patent examiner will argue these are standard OS microkernel architecture, locality of reference, content-addressed storage, and capability-based security applied to an AI agent. The defense: they have never been *combined* in an AI agent, producing emergent effects no single principle produces. These patents would feed into a [[file:licensing.org][licensing]] strategy and create [[file:moats.org][moats]] against competitors.
--- a/ideas/self-driving-lisp-machine.org
+++ b/ideas/self-driving-lisp-machine.org
@@ -1,15 +0,0 @@
 :PROPERTIES:
 :ID:       13e6ae54-2d24-5aa0-b1cd-a7e8e749aa70
 :END:
 #+title: The Self-Driving Lisp Machine
 #+filetags: :passepartout:lisp-machine:hardware:riscv:tenstorrent:
 A Tenstorrent P150 (~72 RISC-V Tensix cores) running Passepartout: 72 RISC-V cores running Lisp microcode, one core dedicated to ACL2, one to Screamer, the rest to gate verification and fact store operations.
 The self-driving threshold: the system can synthesize and load its own FPGA microcode or Tensix dispatch programs from within the running Lisp image. The system profiles its own gate verification latency, proposes a new microcoded instruction for the hot path, compiles RISC-V assembly from ACL2-verified specifications, loads it via PCIe DMA from within SBCL, benchmarks it — and rolls back if slower.
 Every subdomain involved is software — the most codifiable domain. RISC-V ISA, SBCL internals, ACL2 metafunctions, CIC type theory, compiler optimization — all can [[file:sufficiency-flip.org][flip to symbolic sufficiency]] within days to weeks of ingestion.
 **Timeline:** ~6,000 lines of new code (microcode, PCIe DMA, Tensix management, benchmark harness). ~60 cycles at current velocity. 2-4 weeks. Total from today: 6-10 weeks. See [[file:time-estimates.org][time estimates]] for the velocity model behind these numbers.
 The Tenstorrent approach is dramatically simpler than FPGA because the microcode is RISC-V assembly (software), not FPGA bitstream (hardware with minutes-per-iteration synthesis). The [[file:lisp-machine-security.org][Lisp Machine security model]] — unified memory, tagged architecture, no MMU — applies directly because the Tensix cores share the same address space. [[file:verification-appliance.org][Verification appliance]] economics apply: a certified Lisp Machine at scale replaces compliance hardware. See [[file:lisp-economics.org][why Lisp is economically viable now]] and [[file:upgrade-lifecycle.org][upgrade lifecycle]] for the economic and deployment foundations.
--- a/ideas/stoa.org
+++ b/ideas/stoa.org
@@ -1,16 +0,0 @@
 :PROPERTIES:
 :ID:       c3b3dc41-945f-54e9-84eb-ca014114f1be
 :END:
 #+title: Stoa — The Porch (Environment)
 #+filetags: :passepartout:stoa:editor:browser:hardware:
 Stoa is the user environment — a single Lisp image where editor, browser, shell, and agent coexist.
 **Roadmap:**
 - v2.0.0: Lish editor + Nyxt browser (Stage 1, Qt/WebKit) + Lish shell
 - v3.0.0+: Cannibalization — replace Qt with Lisp-native layout, reduce WebKit to pixel-painting, eventually pure-Lisp browser and window management
 - v4.0.0: Native inference — llama.cpp FFI in-process, DSL-compiled model architectures, live surgery on cognition
 - v5.0.0: Hardware — tagged RISC-V architecture via TinyTapeout, FPGA prototype, hardware GC via dedicated bus master
 - v6.0.0: True agency — world models, temporal reasoning, goal persistence across restarts
 The architectural principle: Stoa is not a collection of clients connecting to a daemon. The Dispatcher gate stack [[file:verification-appliance.org][verifies every action]] regardless of who initiated it. The distinction between "tool" and "self" dissolves. The ultimate goal is a [[file:self-driving-lisp-machine.org][self-driving Lisp Machine]] running on custom hardware.
--- a/ideas/time-estimates.org
+++ b/ideas/time-estimates.org
@@ -1,68 +0,0 @@
 :PROPERTIES:
 :ID:       dc2e4f22-1c4c-5d4a-a151-f96e5d3b0d70
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: Development Velocity and Timeline Estimates
 #+filetags: :passepartout:economics:development:timeline:velocity:orders-of-magnitude:
 The orders-of-magnitude time framework ([[file:orders-of-magnitude-time.org][Orders of Magnitude — Time]]) reveals that the original single-timeline estimate conflated two qualitatively different projects. The line counts are in plausible ranges for Lisp's density (~5-10× fewer lines than C++ for equivalent functionality), but the phases differ in their feedback regimes, constraints, and failure modes. The honest picture splits into two distinct phases.
 **Old estimate:** 14,000 lines total, 3-6 months to replace the full computing stack. This was wrong because it treated all phases as linear — microcode has hardware latency (seconds per cycle), GUI has user-testing latency (days per iteration), and the browser alone is a years-scale project if done natively. The numbers don't add linearly across orders of magnitude.
 **Corrected estimate:** Two-phase approach with a clear middleground destination.
 ---
 ## Phase Zero — The MVP (Linux-hosted, ships real product)
 Run on Linux, use C libraries through CFFI, deliver value without replacing the OS. This is the [[file:sufficiency-flip.org][sufficiency flip]] applied to the verification layer only, not the whole stack.
 | Component | Lines | Method | Scale |
 |---|---|---|---|
 | Neurosymbolic core (ACL2 + Screamer + LLM bridge) | ~4,500 | Agent-generated Lisp, human-validated | Weeks — dense, well-bounded, proven approach |
 | Terminal-based Stoa (editor + REPL + shell) | ~2,000 | CL-charms / cl-tty | Weeks — TUI patterns established |
 | Gate rule SDK + marketplace | ~1,500 | ACL2 gate packages | Weeks — pure symbolic, well-specified |
 | CFFI wrappers (system, GPU, crypto, storage) | ~2,000 | Thin bindings | Days — mechanical translation |
 | Verification appliance CLI + Agora namespace | ~1,000 | API surface | Weeks |
 **Total MVP: ~11,000 lines. Timeline: 1-3 months. Human review: ~20 hours.**
 This ships. Users get verified code execution, gate rule packages, and a verified development environment. No new OS, no new browser, no Qt integration. Value proposition is proven with existing infrastructure.
 **Revenue model starts here:** domain gate packages, verification appliance, compute marketplace. The MVP is a product, not a demo.
 ---
 ## Phase End State — Full Lisp Machine (cannibalize the stack)
 Replace Linux, replace C libraries, own the framebuffer, own the browser. This is the full [[file:self-driving-lisp-machine.org][self-driving Lisp Machine]] vision.
 | Phase-out target | Replacement | Lines | Scale | Risk |
 |---|---|---|---|---|
 | Linux kernel (scheduler, IPC, drivers) | Microcode on Tenstorrent | ~6,000 | Months — hardware-limited cycles | Verification delay; hardware bugs |
 | MMU / process isolation | GC + ACL2-verified single address space | ~2,000 | Weeks — architecture already defined | Legacy app compatibility |
 | Display server (X11/Wayland) | Lisp framebuffer compositor | ~4,000 | Months — visual debugging is slow | UX gaps at the edges |
 | Browser (WebKit embed) | WebKit via Lisp FFI with verified wrappers | ~3,000 | Months — sandboxing the embed | Web platform surface is unbounded |
 | Native browser | Full Lisp DOM + render engine | ~30,000+ | Years — browser engines are OS-scale | This is the hardest piece. Consider staying on WebKit |
 | Core libraries (libc, SSL, crypto, etc.) | Incremental verified replacements | ~10,000+ | Years — can chip away post-ship | Every replacement must match SOTA perf |
 | Qt / terminal / native UI toolkit | Stoa toolkit (verified compositor + widgets) | ~8,000 | Months–years | UX parity with modern toolkits is the highest risk |
 **Ballpark end state: 25,000-60,000 lines. Timeline: 2-5 years.**
 The range reflects uncertainty about the browser. If WebKit embed is sufficient (Phase Zero's terminal UX graduates to a managed WebView), the end state is closer to 25K. If you need a full native browser with verified DOM, ACL2-rendered layout, and a compositor that matches macOS fluidity — that's a years-scale project on its own.
 ---
 ## Orders-of-Magnitude Risk Map
 | Decision | At stake | True scale | Mistake if treated as |
 |---|---|---|---|
 | Does the verification marketplace work? | Company thesis | Months (Phase Zero) | Solved in days |
 | Can we ship without replacing Linux? | Time-to-market | Weeks to implement | Years of kernel work before product |
 | Is WebKit embed enough for Stoa? | 60% of total timeline | Months vs years | Native browser as default path |
 | Does the sufficiency flip cover each domain? | Revenue model | Weeks per domain | One-shot, all or nothing |
 | Can Lisp match SOTA browser UX? | Full vision | Generations (or never) | Engineering problem, not a research question |
 The most dangerous order-of-magnitude error: treating the end state as an engineering sprint. Replacing the browser engine is a years-scale project that has defeated every attempt (Servo, PhantomJS, etc.). If that's the destination, plan accordingly — or accept WebKit embed as the terminal destination and focus verification on the OS/compositor layer where it provides real security value.
 See [[file:investment-thesis.org][Investment thesis]] for the business case and [[file:cost-structure.org][Cost structure]] for the economics behind the verification-only-first approach.
--- a/ideas/triad-index.org
+++ b/ideas/triad-index.org
@@ -1,42 +0,0 @@
 :PROPERTIES:
 :ID:       1c3ec48b-446c-50d2-b53e-126a81f5143f
 :END:
 #+title: Passepartout Triad — Knowledge Base
 #+filetags: :passepartout:triad:economics:index:
 The triad replaces every layer of the modern computing stack with Lisp-native, user-owned, ACL2-verified alternatives. Three components:
 - [[file:triad-overview.org][Logos (Passepartout) — the cognitive agent]]
 - [[file:stoa.org][Stoa (The Porch) — the environment]]
 - [[file:agora.org][Agora (The Society) — the network]]
 Total addressable market: ~$960B/year across cloud, AI, OS, social media, payments, productivity, and compliance.
 The business model is the AWS of provable computing: AGPL infrastructure is free, revenue comes from verification appliances, gate rules, certification, namespace registry, hosted PDS, and a compute marketplace. Network effects are positive sum — every instance feeds the regression suite and grows the marketplace.
 [[file:lisp-machine-security.org][Lisp Machine security — unified memory threat model]]
 [[file:common-logic-iso-24707.org][Common Logic (ISO 24707) — relevance to the triad]]
 [[file:collective-regression-suite.org][Collective regression suite — how it compounds]]
 Key analytical frames:
 - [[file:investment-thesis.org][Investment thesis — the unified view]]
 - [[file:lisp-economics.org][Why Lisp is economically viable now]]
 - [[file:sufficiency-flip.org][The per-domain sufficiency flip]]
 - [[file:time-estimates.org][Development velocity and timeline estimates]]
 - [[file:cost-structure.org][Cost structure and zero marginal cost]]
 - [[file:moats.org][Competitive moats analysis]]
 Revenue paths (short to long term):
 - [[file:verification-appliance.org][Verification appliance]][[file:domain-gate-packages.org][  Domain gate packages]][[file:evaluation-harness.org][  Evaluation harness]]
 - [[file:agora-usernames.org][Agora premium usernames]][[file:pds-as-a-service.org][  PDS as a service]][[file:compute-marketplace.org][  Compute marketplace]]
 - [[file:verification-monopoly.org][Verification monopoly — the big money]][[file:infrastructure-lock-in.org][  Infrastructure lock-in]]
 Strategy and IP:
 - [[file:patent-strategy.org][Patent strategy]][[file:licensing.org][  Licensing (AGPL + commercial)]]
 - [[file:ai-industry-impact.org][Impact on the AI/GPU industry]]
 - [[file:upgrade-lifecycle.org][Upgrade and distribution lifecycle]]
 - [[file:gate-rule-encoding.org][Gate rule encoding from codified domains]]
 - [[file:biology-parallels.org][Biology as proof of the Lisp model]]
 - [[file:comparison-with-symbolics.org][Comparison with Symbolics Genera]]
 *The lines that run the modern internet (tens of millions across Google, Meta, Amazon, Apple, Microsoft) are replaced by a single coherent architecture where one gate stack verifies everything and one prover proves everything consistent.*
--- a/ideas/triad-overview.org
+++ b/ideas/triad-overview.org
@@ -1,15 +0,0 @@
 :PROPERTIES:
 :ID:       a1fac32a-47de-5fbd-b67d-29152c851747
 :END:
 #+title: Triad Overview — Logos, Stoa, Agora
 #+filetags: :passepartout:triad:architecture:
 The full triad is a self-bootstrapping replacement for the entire computing stack, not a single product.
 **Logos (Passepartout)** — The mind. Cognitive agent combining a probabilistic LLM (10% of work) with a deterministic symbolic engine (80%) at near-zero marginal cost. Gate stack, fact store, ACL2 prover, Screamer constraint solver.
 **Stoa (The Porch)** — The body. Editor (Lish), browser (Nyxt), shell (Lish), Org-mode filesystem, Qt/EQL5 UI. A single Lisp image where everything coexists. Roadmap: v2.0.0 (Qt/WebKit) → v6.0.0 (pure Lisp, hardware).
 **Agora (The Society)** — The network. Self-sovereign DID identity, DIDComm encrypted messaging, [[file:pds-as-a-service.org][Personal Data Store]], Relay Network, [[file:compute-marketplace.org][compute marketplace]], liquid democracy.
 All three speak plists. All three operate in Lisp address space. All three are verified by the same ACL2 prover. The gate stack that verifies a shell command also verifies a DIDComm message. See [[file:investment-thesis.org][The investment thesis]] for the economic rationale and [[file:verification-appliance.org][Verification appliance]] for the hardware that enables this unified architecture.
--- a/ideas/verification-appliance.org
+++ b/ideas/verification-appliance.org
@@ -1,14 +0,0 @@
 :PROPERTIES:
 :ID:       84a537b4-4256-50c8-91f5-dd5b4538418f
 :END:
 #+title: Verification Appliance (Hardware)
 #+filetags: :passepartout:revenue:hardware:fpga:tenstorrent:
 An FPGA or Tenstorrent card pre-loaded with a mature Passepartout image, [[file:domain-gate-packages.org][domain-specific gate rules]], and a hardware root of trust. No cloud dependency.
 **Target:** regulated industries needing [[file:evaluation-harness.org][provable compliance]] that cannot accept cloud-based AI.
 **Price:** $5K-$50K/unit. **Volume:** hundreds to low thousands in year one.
 The [[file:self-driving-lisp-machine.org][Lisp Machine]] on Tenstorrent P150 (~72 RISC-V Tensix cores on a PCIe card) is the realistic first target: the microcode is RISC-V assembly (software), not FPGA bitstream (hardware). The system can propose, load, test, and roll back a new dispatch routine in seconds. An FPGA path would add synthesis time (minutes to hours per iteration). This hardware-first approach embodies [[file:lisp-economics.org][Lisp economics]] — verification hardware has near-zero marginal cost. The [[file:upgrade-lifecycle.org][Upgrade lifecycle]] for the appliance is managed via signed firmware updates with Merkle snapshots.
 Revenue estimate: 50 sales in year one = $250K-$2.5M.
--- a/ideas/verification-monopoly.org
+++ b/ideas/verification-monopoly.org
@@ -1,15 +0,0 @@
 :PROPERTIES:
 :ID:       827bc546-e887-5b7c-9b65-6392beaf0920
 :END:
 #+title: The Verification Monopoly (UL for AI)
 #+filetags: :passepartout:economics:monopoly:certification:big-money:
 The accumulated regression suite — thousands of edge cases from every deployed instance, every bug fix, every regulatory change — becomes the most comprehensive test of autonomous agent correctness ever assembled.
 Any organization claiming a "safe AI agent" needs Passepartout certification to prove it. This is Underwriters Laboratory for AI — a certification nobody can ignore.
 **Revenue:** licensing the certification mark to every AI vendor that ships an agent. **Margins:** near-100% once the suite exists.
 This is the venture-scale outcome. It depends on the [[file:evaluation-harness.org][evaluation harness]] reaching critical mass, which depends on enough instances deploying the software to accumulate edge cases in the regression suite. The [[file:investment-thesis.org][investment thesis]] is built on the recognition that every deployed instance makes this more valuable.
 The unique structural advantage: every free instance of the triad feeds the regression suite. The more people use the free software, the more valuable the certification monopoly becomes. Positive sum. This creates deep [[file:infrastructure-lock-in.org][infrastructure lock-in]] and powerful [[file:moats.org][moats]] — a competitor cannot replicate the certification without the accumulated history. The ultimate impact is a transformation of the entire [[file:ai-industry-impact.org][AI industry]], where safety certification becomes a prerequisite for market access.
--- a/ideas/viability/open-source-wolfram-lisp.org
+++ b/ideas/viability/open-source-wolfram-lisp.org
@@ -0,0 +1,74 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d
 :END:
 #+title: Viability of an Open-Source Wolfram Language / Mathematica in Common Lisp
 #+filetags: :ideas:lisp:mathematics:open-source:
 An assessment of what it would take to build a viable open-source equivalent of Wolfram Language and Mathematica in Common Lisp, based on the existing ecosystem and the fundamental architectural alignment between Lisp and symbolic computation.
 **The alignment is natural, not forced.**
 Wolfram Language is, at its core, a term-rewriting system with pattern matching, rule-based transformation, and a uniform symbolic representation for everything (expressions are trees of the form head[arg1, arg2, ...] — the Wolfram equivalent of cons cells). This is very close to what Lisp is natively. A Lisp implementation of the core evaluator — pattern matching, rule application, substitution, term rewriting — is not a foreign port. It is an exercise in expressing Wolfram's semantics in a language whose semantics were designed for the same problem domain.
 Maxima proves this historically. It is a direct descendant of Macsyma, the MIT computer algebra system that inspired Mathematica. Macsyma was written in Lisp. Mathematica's core evaluation model inherits heavily from Macsyma. An open-source Common Lisp computer algebra system already exists, has existed for decades, and works. The question is not whether it can be done, but how much of the modern Mathematica ecosystem can be replicated and at what cost.
 **What already exists.**
 | Layer | Existing CL work | Status |
 |---|---|---|
 | Symbolic engine / term rewriting | Lisp readers, pattern matching libs (trivia, optima, fare-matcher), rule systems | Foundational primitives exist, no unified Wolfram-equivalent evaluator |
 | Computer algebra system | Maxima, FriCAS (Axiom), reduce-algebra | Mature CASes — Maxima alone has differentiation, integration, ODEs, linear algebra, tensors, series, limits, Laplace transforms |
 | Numerical computing | magicl, lla (Lisp Linear Algebra), CL-NUM, GSLL (GNU Scientific Library bindings) | Solid — covers BLAS, LAPACK, random numbers, special functions, optimization |
 | Visualization | cl-cairo2, Vecto, CLG, CommonQt, cl-zxing | Exists but scattered — no unified plotting framework like Mathematica's |
 | Notebook interface | cl-jupyter, common-lisp-jupyter, Lem | Jupyter kernel works. Lem is a native editor approaching notebook capability. No Mathematica-level notebook yet. |
 | Rule-based programming | fare-matcher, optima, prolog implementations | Pattern matching is good. Full term-rewriting system needs assembly. |
 | Knowledge graph | gbrain, various triplestore libs | Possible but would need Wolfram Alpha-level investment |
 | Deployment | ASDF, Quicklisp, SBCL standalone executables | Better than Mathematica's deployment story — Lisp produces real executables |
 **The hard parts.**
 1. **The standard library is the product, not the engine.** Mathematica ships thousands of built-in functions — every mathematical special function, every statistical distribution, every graph algorithm, every image processing filter, every string operation, every data format parser. This is not a technical challenge; it is a sheer volume problem. The open-source answer is to wrap existing C/C++ libraries (GSL for special functions, OpenCV for image processing, igraph for graph algorithms, etc.) and expose them through a unified symbolic interface. This is the Clasp approach: interop with mature C++ libraries rather than rebuilding everything from scratch in Lisp. The Wolfram equivalent would be a CLOS-based symbolic dispatch layer that wraps these libraries and makes them accessible through a consistent term-rewriting evaluator.
 2. **The notebook interface is a product in itself.** Mathematica's notebook is not a terminal with nice formatting. It is a computational notebook with inline typeset math, dynamic graphics, collapsible sections, live evaluation, and a rich document model. The Jupyter ecosystem solves half of this. A Lisp-native notebook would need a rendering engine for mathematical notation (LaTeX or MathJax integration), inline interactive graphics, and a document model compatible with literate computation. Lem is the most promising starting point — it already has Emacs-like extensibility, a GTK frontend, and a Lisp-native codebase. Extending Lem to support computational notebooks with inline graphics and typeset output is the shortest path.
 3. **Performance for specialized domains.** Mathematica's kernel is highly optimized for symbolic operations — pattern matching over large expressions, automatic algorithm selection, memoization, and incremental compilation. A naive Lisp implementation would match Mathematica for small-to-medium expressions but would need significant optimization work for the heavy cases (symbolic integration of large expressions, graph operations on million-node graphs, image processing pipelines). The advantage is that Lisp's compiler infrastructure (SBCL's type inference, VOPs, inlining) gives a much better baseline than most languages. SBCL can generate code that approaches C speed for numerical kernels.
 4. **The knowledge graph (Wolfram Alpha).** Mathematica's integration with Wolfram Alpha — querying computable data about chemistry, geography, finance, linguistics, etc. — is a separate product with a massive engineering investment in data curation. An open-source equivalent would not replicate this. It would either provide a local, user-curatable knowledge base (gbrain fits here) or integrate with existing open knowledge graphs (Wikidata, DBpedia). The gbrain connection is interesting: if Passepartout's knowledge store can answer factual queries with provenance, that becomes the Wolfram Alpha equivalent for the Lisp Mathematica.
 5. **Package ecosystem and community.** Mathematica's advantage is not just its engine but its ecosystem — thousands of paclets, the Wolfram Function Repository, the community that shares notebooks. An open-source equivalent needs a package manager (Quicklisp solves this for Lisp libraries), a repository for symbolic packages (a Wolfram Function Repository equivalent), and a critical mass of users who both use and contribute. Maxima has users but not contributors. The gap is community formation, not technical capability.
 **The viability assessment.**
 | Domain | Viability | Timeline estimate | Risk |
 |---|---|---|---|
 | Core symbolic evaluator | High — Lisp was designed for this | 6-12 months for working prototype | Low — well-understood problem |
 | Computer algebra | High — Maxima already exists | Integrate now; polish 1-2 years | Low — needs UI/UX investment |
 | Numerical computing | High — wrappers exist | 3-6 months for unified interface | Low — wrapping problem |
 | Visualization | Medium — scattered pieces | 1-2 years for unified framework | Medium — needs new work |
 | Notebook interface | Medium — Lem as foundation | 1-2 years to Mathematica parity | Medium — significant UX engineering |
 | Standard library breadth | Low — volume problem | 3-5 years with community | High — needs sustained contribution |
 | Knowledge graph | Low — curation cost | 2-3 years for basic integration | High — different product category |
 | Deployment | High — Lisp executables | Works now | None |
 **The strategic question.**
 The real question is not "can we replicate Mathematica in Lisp" but "should we?" — and if so, for whom.
 Mathematica serves two distinct use cases:
 - **Interactive exploration** — a researcher types an integral, gets a result, visualizes it, iterates. Lisp + Maxima + a good notebook interface already does this, and the experience is competitive for anyone comfortable with Lisp syntax.
 - **Deployed computation** — a company builds a production pipeline around Mathematica kernels, deploying computation as a service. Lisp executables are dramatically better here — they are real compiled binaries, not managed by a proprietary kernel, deployable without license fees, embeddable anywhere.
 For the second use case, the open-source Lisp alternative is already superior. The gap is the first use case: the interactive exploration experience, the breadth of built-in functions, and the cultural acceptance of Lisp syntax in communities that currently write Wolfram Language.
 The most viable path is not to clone Mathematica but to integrate Maxima + numerical Lisp libraries under a unified symbolic interface, expose all of it through a Lem-based notebook, and make the Jupyter bridge the primary entry point for users who prefer Python notebooks. This gives you 80% of Mathematica's capability with a fraction of the development cost, and it connects to the existing scientific Python ecosystem rather than competing with it.
 **The deeper point.**
 Mathematica's architecture is Lisp-like because it was inspired by a Lisp system (Macsyma). An open-source Mathematica in Lisp is not a port. It is a return to the original architectural vision, implemented in the language that vision was originally expressed in. The question is whether the community investment materializes — and that depends on whether there is a use case that justifies it. Passepartout's verification infrastructure may be that use case: a verified symbolic computation engine that reasons about its own results is a Mathematica-like system by necessity, and building it in Lisp is the natural path.
 ---
 - [[id:f4e5d6c7-b8a9-0c1d-2e3f-4a5b6c7d8e9f][Schafmeister and Clasp]] — Lisp in computational nanotechnology, existence proof for Lisp viability in scientific computing
 - [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][Passepartout Architecture]] — why Lisp and where the symbolic engine fits
--- a/ideas/viability/passepartout-bootstrap-mathematica.org
+++ b/ideas/viability/passepartout-bootstrap-mathematica.org
@@ -0,0 +1,92 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       8b9c0d1e-2f3a-4b5c-6d7e-8f9a0b1c2d3e
 :END:
 #+title: Could Passepartout Bootstrap Mathematica or mathlib by Itself?
 #+filetags: :ideas:lisp:passepartout:mathematics:
 This extends the previous viability analysis with a specific scenario: assuming Passepartout exists at Stage 3+ (full Lisp machine with neurosymbolic engine, verification gate, and self-modification capability), how hard would it be for it to recreate Mathematica or mathlib in pure Common Lisp on its own?
 **The bootstrap is architectural, not aspirational.**
 The neurosymbolic engine is not just a faster way to write code. It is a closed loop: the LLM proposes implementations, the symbolic engine and ACL2 prover verify correctness, and the self-modification system hot-reloads the result into the running image. This loop runs autonomously, without human intervention. The system writes code, tests it formally, improves it, and keeps the result — permanently expanding its own capability.
 This is fundamentally different from a human writing Mathematica. A human writes code, compiles, tests, debugs. Passepartout writes code, has it verified against a formal specification, and loads it into its own runtime. The iteration speed is not hours or days — it is seconds per function, limited only by the LLM's generation latency and the prover's checking time.
 **What Passepartout already has.**
 At Stage 3, the system ships with:
 - A symbolic term-rewriting engine (the evaluator itself is one)
 - Pattern matching and rule-based transformation (native to the gate architecture)
 - ACL2 as a verification backend (can prove properties of generated code)
 - An LLM oracle for proposing implementations (the probabilistic brain)
 - A self-modification system (hot-reloads verified code into the running image)
 - A knowledge store with persistent facts (gbrain-derived)
 These are not general-purpose tools that happen to be useful for symbolic mathematics. They are the same tools that a computer algebra system needs, expressed in the same architecture. The evaluator that rewrites a gate policy is the same mechanism that rewrites a symbolic expression.
 **What it needs to generate.**
 | Component | Can Passepartout generate it? | How |
 |---|---|---|
 | Core symbolic evaluator | Yes, trivially — this is what Lisp *is* | The existing evaluator already does term rewriting. The neurosymbolic engine would create a higher-level pattern-matching layer over it. |
 | Computer algebra (differentiation, integration, simplification) | Yes — known algorithms, formally specifiable | LLM proposes implementation of Risch algorithm, polynomial GCD, Gröbner bases. ACL2 verifies the specification. |
 | Numerical libraries (BLAS, special functions, optimization) | Partial — better to wrap | ACL2 cannot verify floating-point numerics to the same standard. Passepartout would wrap existing C/C++ libraries via Clasp-style interop and verify the interface, not the numerics. |
 | Visualization framework | Yes — UI code, not math | The environment subsystem (Nyxt/Lish) already has rendering primitives. The neurosymbolic engine generates plotting and graphics code against them. |
 | The 5,000+ function standard library | Yes — volume, not novelty | This is the dominant cost. Each function is individually trivial (differentiate x^3 → 3x^2) but there are thousands. Passepartout generates them at LLM speed — roughly one function every 10-30 seconds including verification. |
 | Formal proofs of mathematical theorems (mathlib) | Qualified yes — different logic | mathlib is in Lean's dependent type theory. Passepartout's ACL2 is first-order logic. The theorems can be re-proven in ACL2, but the proofs are not portable. The LLM proposes proof strategies, ACL2 checks them. |
 **The rate limit is generation, not computation.**
 If Passepartout generates one verified function every 20 seconds (conservative — LLM proposal time + ACL2 verification), that is 180 functions per hour, ~4,300 per day. Mathematica's standard library contains roughly 6,000 documented functions. At this rate, the standard library would take ~1.5 days of continuous generation — assuming the LLM has the domain knowledge to produce correct implementations and ACL2 can verify them.
 This is the critical assumption. The LLM (at, say, GPT-4 or DeepSeek level) already knows what every Mathematica function does. It has seen them in training data. The question is whether it can generate a correct Lisp implementation with a formal specification that ACL2 can verify. For most elementary functions (differentiate, integrate polynomial, singular value decomposition, string split, image histogram), the answer is yes — these are well-understood algorithms with clear specifications.
 For specialized domains (elliptic curve cryptography, tensor network contractions, symbolic regression of differential equations), the LLM may generate approximately correct implementations that need refinement. The neurosymbolic loop handles this: ACL2 catches the mismatch, feeds the error back, and the LLM regenerates.
 **mathlib is a different problem.**
 mathlib is not a library of algorithms but a library of formal proofs — mathematical theorems expressed in Lean's dependent type theory, structured as a hierarchy of definitions, lemmas, and tactics. It represents hundreds of person-years of community effort, formalizing undergraduate mathematics and beyond.
 Passepartout's verification layer is ACL2, which operates in a different logical framework (first-order logic with induction for total functions, not dependent types). There is no porting mathlib — it would have to be re-proven in ACL2's logic.
 The advantage is that the theorems are already known. mathlib tells you exactly what to prove. The LLM reads the Lean statement, translates it to an ACL2 theorem, proposes a proof strategy, and ACL2 attempts the proof. This is a well-structured task for the neurosymbolic loop: the LLM generates proof plans, ACL2 verifies them, and failed attempts feed back to refine the next plan.
 The bootstrapping advantage: early proofs (basic arithmetic, set theory) strengthen the ACL2 reasoning library, which makes later proofs (real analysis, topology) faster. The system accelerates as it goes. mathlib's proof dependency graph is the natural generation order.
 Estimated timeline for mathlib-equivalent in ACL2, with Passepartout generating autonomously:
 | Milestone | Time estimate | Note |
 |---|---|---|
 | Basic arithmetic, algebra, number theory | Days — standard library material | Well-known proofs, simple structure |
 | Real analysis, measure theory | Weeks — proof complexity increases | Non-trivial but well-studied |
 | Abstract algebra (groups, rings, fields) | Weeks — structural, builds on itself | The neurosymbolic loop excels here |
 | Topology, algebraic topology | Months — conceptual depth | Proofs are longer, more strategic |
 | Category theory, homological algebra | Months — abstraction barrier | High-level abstraction, fewer verification primitives |
 | Number theory deep results (FLT, modular forms) | Unknown — research frontier | Passepartout is not proving open problems. It formalizes known results. |
 **The bootstrapping compound effect.**
 The most interesting property is not that Passepartout can generate Mathematica's library. It is that each generated function becomes part of Passepartout's own capability. After generating the differentiation function, Passepartout uses it to generate the integration function. After generating linear algebra, it uses that to generate optimization algorithms. After generating formal proofs of real analysis, it uses those theorems to verify more complex deductions.
 This is not a production pipeline. It is an autodidactic loop: the system generates math, then uses that math to generate more math. The acceleration is exponential in the early phases and linear in the later phases, limited by the rate at which the LLM can produce new correct specifications.
 **The real barrier is not technical but oracular.**
 At every step, Passepartout depends on the LLM's knowledge of existing mathematics. The LLM has seen most of human mathematical knowledge in its training data. It can propose correct implementations and proof strategies because it has seen them. But for genuinely new mathematics — theorems not present in the training data, algorithms that have not been discovered — the LLM has no signal. Passepartout would be limited by its oracle.
 Stage 7 acknowledges this: oracular limits are fundamental. The verification subsystem can check correctness against a specification, but it cannot generate the specification itself. The LLM provides the what; ACL2 verifies the that. Neither provides the why that extends beyond existing knowledge.
 **Conclusion.**
 Recreating Mathematica's standard library: **days to weeks** of autonomous generation. The volume problem is solvable because the LLM already knows the answer space and ACL2 can verify each function. No human intervention required.
 Recreating mathlib's formal proof corpus: **months** of continuous formalization. The neurosymbolic loop maps naturally onto the task of converting known theorems from one logical framework to another. The dependency graph of mathlib provides the optimal generation order.
 Neither requires new research. Both are engineering throughput problems that Passepartout's architecture is designed to solve: generate, verify, reload, repeat. The only hard limit is the oracle — the system cannot generate mathematics that the LLM does not already know exists.
 ---
 - [[id:7a8b9c0d-1e2f-3a4b-5c6d-7e8f9a0b1c2d][Viability of open-source Wolfram/Mathematica in Lisp]] — the human-driven assessment
 - [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][Passepartout Architecture]] — the verification and self-modification systems
--- a/ideas/viability/schafmeister-clasp.org
+++ b/ideas/viability/schafmeister-clasp.org
@@ -0,0 +1,52 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       f4e5d6c7-b8a9-0c1d-2e3f-4a5b6c7d8e9f
 :END:
 #+title: Christian Schafmeister
 #+filetags: :ideas:lisp:nanotechnology:
 Christian Schafmeister is a chemistry professor at Temple University in Philadelphia. He created [[https://github.com/clasp-developers/clasp][Clasp]], a Common Lisp implementation that interoperates with C++ libraries using LLVM compilation, specifically to solve a problem most Lisp implementers never face: designing molecules at the nanoscale.
 * The problem.
 Schafmeister's research focuses on spiroligomers — large, shape-programmable molecules built from synthetic monomers. These are programmable at the level of both shape and functional groups, meaning they can be designed to bind specific proteins as therapeutics or accelerate chemical reactions the way enzymes do. The goal is to create molecules that can do everything proteins do in nature, but that are designable and evolvable by human beings.
 This is a computational problem of enormous complexity. Designing these molecules requires simulating their behavior, computing binding affinities, searching conformational space, and iterating designs rapidly based on experimental feedback. The compute pipelines involved typically live in the C++ ecosystem (a vast array of scientific computing libraries), but the workflow itself — rapid prototyping, interactive exploration, incremental development — demands the kind of environment that C++ alone cannot provide.
 * Why Lisp won.
 Schafmeister's argument for Common Lisp in computational nanotechnology mirrors the same reasoning that drives the knowledge-layers architecture:
 - **Interactivity.** Molecular design requires exploration. A researcher needs to load data, inspect it, try a transformation, undo it, try another — all within a live environment. Lisp's REPL-driven development provides this in a way that compile-link-run cycles cannot match.
 - **Incremental development.** The design space for spiroligomers is too large to simulate exhaustively. You need to build up models piece by piece, testing each step. Lisp's incremental compilation and hot-reloading make this natural.
 - **Unified representation.** In Lisp, the code that describes a molecule and the code that simulates it share the same structure. There is no translation barrier between the design language and the simulation language.
 But the scientific computing ecosystem lives in C++. Schafmeister could not afford to rebuild every computational chemistry library from scratch. So he built Clasp: a Common Lisp implementation that compiles to native code via LLVM and interoperates seamlessly with C++. Clasp can call any C++ library natively, and C++ can call back into Lisp. The result is that the entire scientific computing ecosystem becomes available from within a Lisp environment — programmable, interactive, introspectable.
 * The architecture.
 Clasp is not a wrapper or a bridge. It is a full Common Lisp implementation where the C++ interoperation is part of the language runtime itself. The clbind library provides declarative bindings — you describe how C++ classes and functions map to Lisp, and Clasp generates the glue code automatically. This is fundamentally different from CFFI-style foreign function interfaces, which require manual marshaling and are inherently fragile.
 From the Lisp perspective, a C++ class appears as a CLOS class. You can subclass it, specialize methods on it, inspect its instances. The boundary between Lisp and C++ is transparent to the programmer.
 * Funding and validation.
 Clasp has been funded by the Defense Threat Reduction Agency (DTRA), the National Institutes of Health (NIGMS), and the National Science Foundation. These are agencies that fund computational chemistry and materials design, not programming language research. They funded Clasp because it solved a real problem in molecular design that no other approach addressed: making C++-scale scientific computing work within an interactive Lisp environment.
 * Relevance to the knowledge-layers architecture.
 Schafmeister's work is existence proof for two core claims:
 1. Lisp is not a niche language for academic AI research or Emacs configuration. It is being used today to design therapeutic molecules that bind proteins, in environments funded by the NIH and NSF. The interactivity and homoiconicity that the knowledge-layers architecture relies on are the same properties that make this work possible.
 2. The single-address-space model is not a limitation but an enabling constraint. Clasp proves that you can run C++ libraries inside a Lisp image, not alongside it. The Lisp machine is not a retro fantasy — it is a practical architecture being used today for computationally demanding scientific work.
 The main difference in direction: Schafmeister brought C++ into Lisp to access the scientific computing ecosystem. The knowledge-layers architecture replaces C++ libraries with verified Lisp-native alternatives. The principle — one representation, one address space, no translation boundaries — is the same in both cases.
 ---
 See also:
 - [[id:329bd4fb-702a-4a2b-9c63-69281aacb83a][Knowledge Layers]] — the architecture that extends Schafmeister's principle to verification
 - [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][Architecture]] — why Lisp is the choice for verified infrastructure
--- a/papers/McCulloch-Pitts-1943.pdf
+++ b/papers/McCulloch-Pitts-1943.pdf
--- a/papers/Rosenblatt-1958.pdf
+++ b/papers/Rosenblatt-1958.pdf
--- a/projects/_index.org
+++ b/projects/_index.org
@@ -0,0 +1,8 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       a0b1c2d3-e4f5-6a7b-8c9d-0e1f2a3b4c5d
 :END:
 #+title: Projects
 #+filetags: :index:
 All projects documented in this brain. Each project has its own architecture, strategy, and reference material.
--- a/projects/cl-modernization/_index.org
+++ b/projects/cl-modernization/_index.org
@@ -0,0 +1,9 @@
 :PROPERTIES:
 :ID:       89f592aa-9c46-42db-a6c7-54dc91fe2172
 :CREATED:  [2026-06-03 Tue]
 :ID:       971cd9e7-2cc5-4743-8042-2469dbe4078f
 :END:
 #+title: CL Modernization
 #+filetags: :redirect:
 This document has moved to [[file:../passepartout/architecture/lisp-foundation.org][Lisp Foundation]] in the Passepartout architecture tree.
--- a/projects/flags/_index.org
+++ b/projects/flags/_index.org
@@ -0,0 +1,8 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       1e5f6a7b-8c9d-0e1f-2a3b-4c5d6e7f8a9b
 :END:
 #+title: Flags
 #+filetags: :index:
 Legal structure analysis for the Passepartout project — entity types, jurisdictional considerations, asset protection, practical setup guides.
--- a/projects/flags/asset-protection-structures.org
+++ b/projects/flags/asset-protection-structures.org
@@ -0,0 +1,139 @@
 :PROPERTIES:
 :ID:       0a4e0b8f-25e0-4b78-9633-fc37d03cefe9
 :ID:       asset-protection-structures
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: Asset Protection & Corporate Structure
 #+filetags: :passepartout:legal:corporate:asset-protection:research:
 Research on corporate structures for a US-incorporated tech company with offshore holdings. This is preliminary research, not legal advice. Every structure needs a qualified lawyer and accountant to execute.
 * The Assets to Protect
 Passepartout has three distinct asset classes, each with different protection needs:
 1. /IP (verification subsystem):/ [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]] codebase, gate rules, ACL2 proof libraries, the [[id:827bc546-e887-5b7c-9b65-6392beaf0920][verification monopoly]]. This is the core defensible IP. Needs to be owned separately from the operating company so that if the operating company is sued, the IP is not reachable.
 2. /Platform ([[id:1d074690-a279-59cb-b91d-e9a22ae104ad][the social protocol]]):/ The network itself — user base, reputation graph, contract history, protocol specification.
 3. /[[id:ed05cab4-88e9-4e25-b7c9-346fa39c69a0][Revenue streams]]:/ Enterprise compliance contracts, transaction fees, PDS hosting subscriptions. These flow through the operating company. A judgment against the operating company attaches to the revenue in that entity.
 * Common Structures
 ** Structure A: Standard Delaware C-Corp (no offshore)
 - Delaware C-Corp owns everything: IP, platform, operations
 - Founders hold common stock
 - Investors hold preferred stock
 Pros: Simplest, most familiar to investors, standard for venture fundraising
 Cons: All assets in one basket. A judgment against the operating company attaches to everything, including the IP. No asset protection beyond the corporate veil (which is thin for a single-member/controlled startup).
 Assessment: Fine for Phase 0. Upgrade when revenue exceeds liability risk tolerance.
 ** Structure B: Delaware C-Corp + Offshore IP Holding Company
 - Delaware C-Corp is the operating company (sells verification, runs the social protocol PDS infrastructure)
 - A separate IP holding company in BVI, Cayman, or Nevis owns the Passepartout code, gate rules, ACL2 libraries, and the social protocol spec
 - The operating company licenses the IP from the holding company at arm's-length royalty rates
 - The holding company accumulates IP [[id:67faf52f-9126-50a7-b87e-2bedc610dac7][licensing]] revenue in the offshore jurisdiction
 Pros: Strong IP protection — a judgment against the operating company cannot reach the IP (the operating company doesn't own it). Profits from licensing are outside US tax jurisdiction until repatriated.
 Cons: US tax reform (TCJA 2017) introduced GILTI (Global Intangible Low-Taxed Income) — this structure is less tax-effective than pre-2017. Transfer pricing documentation required. Increases administrative complexity.
 ** Structure C: Offshore IP Co + US OpCo + Offshore Trust
 - Same as B, but the IP holding company is owned by an irrevocable offshore trust (Cook Islands, Nevis) rather than by the founders directly
 - The trust has a corporate trustee and the founders are discretionary beneficiaries
 - The trust also owns the founder's equity in the US operating company
 Pros: Maximum asset protection. The trust is beyond the reach of US courts (Cook Islands trusts have the strongest asset protection laws — they do not recognize US judgments and require creditors to litigate in Cook Islands under Cook Islands law).
 Cons: Complex, expensive to set up and maintain. Many investors are uncomfortable with trust-held equity (loss of control). Triggers PFIC (Passive Foreign Investment Company) tax issues.
 ** Structure D: Delaware C-Corp + Delaware LLC Series + Offshore
 - Delaware C-Corp as parent
 - Each business line (verification, social protocol network, [[id:3c6b0449-a8fb-5b89-b82a-34efb21ef5b5][compute marketplace]], PDS hosting) is a separate Delaware series LLC
 - IP held in an offshore company, licensed to each series LLC
 - Series LLCs protect assets within each series from liabilities arising in other series
 Pros: Good liability separation between business lines. If the social network (the social protocol) generates liability, the verification business assets are in a separate series.
 Cons: Series LLC is legally untested in many jurisdictions. Some states don't recognize them. Tax complexity.
 * Key Considerations for This Specific Venture
 ** The IP is the crown jewel
 [[id:827bc546-e887-5b7c-9b65-6392beaf0920][The verification monopoly]] /is/ the moat. The ACL2 proof libraries, gate rule library, and regression suite are accumulated over years and cannot be recreated quickly. These must be owned by a separate entity from the operating company. If the operating company is sued, the IP survives.
 ** The social protocol network is harder to protect**
 The social protocol's value is partly in its decentralized architecture (no central entity controls the network) and partly in the code that runs the PDS infrastructure and protocol. The AGPL license means anyone can run the code — the network value is in the user base, not the software. This is a structural asset protection advantage: even if the operating company fails, the network continues.
 ** Revenue splits suggest separate entities**
 Enterprise compliance revenue ($2-12M/year) is high-margin, low-volume, and comes from a small number of customers. Social protocol transaction fees (0.5-2%) are low-margin, high-volume, and come from millions of users.
 ** Jurisdiction for the IP company**
 | Jurisdiction | Asset protection | Tax treatment | Cost | Reputation |
 |--------------+-----------------+---------------+------+------------|
 | BVI | Strong | No corporate tax, but GILTI limits benefit | Moderate | Standard, well-understood |
 | Cayman | Strong | Same as BVI | High | Well-understood by investors |
 | Nevis | Very strong | Same as BVI | Moderate | Less common, stronger AP laws |
 | Cook Islands | Strongest (no US judgment recognition) | Same as BVI | High | Niche, but gold standard for AP |
 For a venture-funded tech company: BVI or Cayman is the standard choice. Cook Islands is overkill unless there is a specific high-risk profile. Nevis is a middle ground.
 * Recommended Path
 ** Phase 0: Delaware C-Corp (simplest, standard)
 Single Delaware C-Corp. IP is owned by the corporation. Founders hold common stock. This is what every seed-stage investor expects. The IP protection is minimal (all eggs in one basket), but the liability risk in Phase 0 is also minimal — you have zero revenue, zero users, zero contracts.
 Action items for Phase 0:
 1. Incorporate in Delaware (legalzoom, clerky, or a startup lawyer)
 2. Assign all IP to the corporation via a standard IP assignment agreement from founders
 3. Set up standard corporate records (board minutes, cap table)
 ** Phase 1: Separate IP + OpCo (before significant revenue)
 Before enterprise compliance revenue exceeds $5M cumulative or social protocol users exceed 10K, establish the IP holding company structure.
 Structure: Delaware C-Corp (OpCo) + BVI IP Co
 - OpCo licenses verification IP from BVI Co
 - OpCo licenses social protocol IP from BVI Co
 - Founders own both entities (same cap table or mirror ownership)
 Timing: The IP transfer is a taxable event if the IP has appreciated. Transfer early, when the IP has minimal appraised value (before the verification monopoly exists), to avoid a tax hit.
 ** Phase 2: Series Separation (when the social protocol has significant users or revenue)
 If the social protocol has 100K+ users and payment volume, separate the business lines into different entities under the same parent:
 - Verification LLC (verification, enterprise compliance)
 - Social Protocol LLC (social network, transactions, PDS hosting)
 - Compute LLC (marketplace operations)
 - BVI IP Co (owns all IP, licenses to all three)
 ** Phase 3: Trust Structure (if wealth preservation becomes primary concern)
 When the cumulative value justifies the cost and complexity: move the BVI IP Co ownership into an irrevocable offshore trust with the founders as beneficiaries.
 * What This Means for the [[id:d28adac8-08a1-40c4-ae43-b5d8d7b1743f][Growth Strategy]]
 The institution-first path (enterprise compliance) and the social-first path (social protocol communities) have /different liability profiles/ that push toward different structures:
 Enterprise compliance: Higher liability per contract. A single compliance engagement gone wrong could be a $1M+ claim. The IP separation in Phase 1 is /more urgent/ for the verification revenue stream.
 Social protocol network: Lower liability per user but higher aggregate surface. Payment processing regulations, content liability, data protection.
 The combined strategy (both engines) makes the Phase 1 structure (Delaware OpCo + BVI IP Co) more important rather than less — the diversification of revenue streams also diversifies liability sources, and the IP needs to be protected from /both/.
 * References
 This is preliminary research. Specific recommendations require a US corporate lawyer (incorporation), an international tax lawyer (offshore structure), and an asset protection specialist (trust/AP structure). The right order: incorporate in Delaware when ready, then hire a lawyer to plan the offshore structure before significant revenue or users accumulate.
 - [[id:d28adac8-08a1-40c4-ae43-b5d8d7b1743f][Combined growth strategy]]
 - [[id:1bc22b89-d3eb-4f6d-bcfc-2b0c19c8ed8f][Social protocol competitive landscape]]
 - [[id:8c7b9812-f8d6-4347-8915-ce8e520b7914][Entry strategy — organized communities]]
 - [[id:98364e9d-a8a9-42b7-a9dc-b643fd2ccc4b][Outbound sales compliance framework]]
--- a/projects/flags/legal-structure-alternatives.org
+++ b/projects/flags/legal-structure-alternatives.org
@@ -0,0 +1,163 @@
 :PROPERTIES:
 :ID:       5ac2f037-fc3c-45ac-a6e8-acc20e005cb0
 :ID:       legal-structure-alternatives
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: Legal Structure
 #+filetags: :passepartout:legal:corporate:research:alternatives:
 This page explores alternatives and additions to the base structure (Delaware C-Corp + BVI IP Co): Texas vs Delaware, Wyoming DAO LLC, Panama LLC, and trust layering. Each has tradeoffs — some strengthen asset protection, some reduce cost, some add complexity. The right choice depends on the specific business model, risk profile, and timeline.
 * Texas vs Delaware for the OpCo
 ** The Trend
 Several prominent companies have redomesticated from Delaware to Texas: Tesla (2024), Oracle, Hewlett Packard Enterprise, Charles Schwab, CBRE. The reasons are cost-driven: Texas franchise tax is based on margin (revenue minus costs, capped), while Delaware's franchise tax is based on authorized shares and can be significantly higher for companies with large authorized share pools.
 ** Comparison
 | Dimension | Delaware | Texas |
 |-----------+----------+-------|
 | Filing fee | $89 (standard) | $300 |
 | Annual franchise tax | $175-225,000 (depends on authorized shares — can be very high for VC-funded corps) | $0 if no Texas revenue. If taxable: 0.375-0.75% of margin (with $1M revenue exemption) |
 | Corporate law sophistication | Gold standard. Chancery Court, 100+ years of precedent, specialized corporate judges | Also good. Texas Business Organizations Code (TBOC) is well-developed. Less precedent than Delaware for contested M&A |
 | Registered agent | $50-300/year | $50-300/year |
 | Investor familiarity | Universal. Every VC/Bank knows Delaware | Less common for venture-backed startups. Some investors require Delaware |
 | Court system | Court of Chancery (corporate law specialists, no juries) | Regular state courts with business courts in major counties |
 | Flexibility | Extremely flexible charter provisions | Good, but less tested at the edges |
 ** Analysis for This Venture
 Delaware wins /if/ you plan to raise VC. Investors prefer Delaware and some require it. The Chancery Court's expertise in corporate governance disputes and M&A is unmatched.
 Texas wins /if/ the plan is to stay bootstrapped with limited equity structure. The annual franchise tax savings can be significant: Delaware charges minimum $175 but can charge $10K+/year for corps with large authorized share pools. Texas charges nothing if your revenue is under $1M or your margin is zero.
 For this venture /without VC/: Texas is competitive. The lack of corporate income tax and the franchise tax exemption under $1M revenue mean year 1-2 costs are near zero. Delaware's legal sophistication only matters if you expect governance disputes or M&A, which are unlikely in the early years.
 Recommendation: If no VC and staying under $1M revenue in year 1, Texas is a viable alternative to Delaware for the OpCo. The BVI IP Co structure works identically regardless of which state the OpCo is in. Redomestication from Delaware to Texas later is possible but costs a few thousand.
 * Wyoming DAO LLC
 ** What It Is
 Wyoming passed HB 185 in 2025 creating the "Decentralized Autonomous Organization Limited Liability Company" (DAO LLC). It's an LLC variant that recognizes decentralized governance — the members vote on-chain (or via cryptographic consensus) rather than through traditional board resolutions. The DAO LLC is a separate legal entity that can hold assets, sign contracts, and sue/be sued — the DAO governance is the decision-making mechanism.
 ** Relevance to This Venture
 The [[id:1d074690-a279-59cb-b91d-e9a22ae104ad][social protocol]]'s governance modules (liquid democracy, Collective Personas, GEM) map /directly/ onto the DAO LLC concept. If a community on the social protocol wants to be a legal entity — own a shared website domain, hold a pooled treasury, sign a contract with a vendor — they could incorporate as a Wyoming DAO LLC. The social protocol's existing governance infrastructure (voting, constitutions, role management) becomes the DAO LLC's management mechanism.
 ** This Is Not the OpCo or IP Co Structure
 The Wyoming DAO LLC is not a replacement for the Delaware/Texas OpCo or the BVI IP Co. It is an offering /for social protocol communities/. The communities themselves become legal entities, not just digital spaces. This creates a product feature:
 - Community in the social protocol hits 25 members who pool $5K in dues
 - Community clicks "Incorporate as Wyoming DAO LLC"
 - The social protocol generates the filing (name, registered agent, governance document mapping)
 - The community's voting modules become the LLC's management structure
 - The community now holds assets, signs contracts, and has liability protection
 ** Practical Considerations
 Wyoming DAO LLCs are new (2025). Case law is essentially nonexistent. Banks may not open accounts for them. Tax treatment is unclear. But for social protocol communities that need legal entity status, it's the least friction option.
 * Panama LLC (Sociedad de Responsabilidad Limitada / SRL)
 ** What It Is
 A Panama LLC — bearer shares, no corporate tax on foreign-source income, no reporting of beneficial owners to the government (private registry), no requirement to file financial statements publicly. Popular for asset protection because Panama has no tax treaty with the US that allows US tax authorities to automatically obtain information (though this changed somewhat under FATCA/CRS).
 ** As a Replacement for the BVI IP Co
 | Dimension | BVI IP Co | Panama LLC |
 |-----------+-----------+------------|
 | Setup cost | $2,500-8,000 | $2,000-5,000 |
 | Annual cost | $1,300-3,100 | $500-1,500 |
 | Tax on IP royalties (US perspective) | Same — US taxes the OpCo on a net basis; BVI/Panama tax the IP Co at 0% (foreign-source income) | Same |
 | US tax information exchange | Yes — BVI has signed CRS/MCAA. Automatic exchange with US under FATCA Intergovernmental Agreement | Yes — Panama signed CRS and has FATCA IGA. But historically less compliant |
 | Banking | BVI banks generally easier to open accounts | Panama banks are under scrutiny after Mossack Fonseca |
 | Reputation | Clean — BVI removed from EU greylist 2024 | Stigma from Panama Papers (2016). Some counterparties will ask questions |
 | Bearer shares | BVI eliminated bearer shares in 2020 | Panama still allows bearer shares (strong anonymity, but banks reject them) |
 ** Analysis
 Panama is not clearly better than BVI for this structure. The cost is slightly lower but the stigma from the Panama Papers means some US banks and counterparties will scrutinize transactions from Panama more heavily. BVI is the standard choice for a reason — it's well-understood, clean reputation post-greylist removal, and adequate for the IP holding function.
 Panama makes sense /only/ if anonymity is the primary goal. For this venture — which may eventually seek regulatory compliance, sell to enterprise CISOs, or onboard institutional investors — anonymity is a liability, not an asset. The BVI route is cleaner.
 * Trusts: Jurisdictions and Downsides
 ** The Trust Types
 For asset protection, two types matter:
 /Revocable trust:/ The settlor (you) can change or dissolve it. Assets in it are still reachable by creditors. Not useful for asset protection — it's primarily for estate planning.
 /Irrevocable trust:/ The settlor gives up control permanently. A trustee manages the assets. The settlor cannot dissolve it. Creditors cannot reach the assets (if set up before the liability arose). This is the asset protection tool.
 ** Trust Jurisdictions
 | Jurisdiction | Strength | Cost | Key Feature | Key Downside |
 |-------------+----------+------+-------------+--------------|
 | Cook Islands | Strongest | $15-30K setup, $5-10K/yr | /Does not recognize US court judgments/. Creditor must litigate in Cook Islands under Cook Islands law. 1-year statute of limitations. Debtor-friendly fraud rules (proving fraudulent conveyance is very hard). | Distant, expensive, small professional services ecosystem. Trust company availability limited |
 | Nevis | Very strong | $10-20K setup, $3-7K/yr | Similar to Cook Islands: no US judgment recognition. Same legal tradition (English common law). Close to US (EST time zone). | Smaller, less established trust industry |
 | Belize | Strong | $5-10K setup, $2-4K/yr | Lower cost. Strong confidentiality laws. No mandatory reporting. | Less tested in court. Smaller trust company ecosystem |
 | Niue | Strongest on paper | $8-15K setup, $3-5K/yr | Extremely debtor-friendly laws. Shortest statute of limitations (6 months in some cases). | Very small jurisdiction. Tiny trust industry. Reputational risk (some association with dubious schemes) |
 | South Dakota (US) | Moderate | $3-8K setup, $2-5K/yr | Strongest US domestic trust law. No state income tax. Dynasty trusts (no rule against perpetuities). Asset protection trust statute. | /US jurisdiction/ — US courts have jurisdiction. Not as strong as Cook Islands for protecting against US creditors |
 | Nevada (US) | Moderate | $2-5K setup, $1-3K/yr | Strong US domestic trust law. No state income tax. Shorter statute of limitations for fraudulent conveyance challenges. | Same limitation as South Dakota — US jurisdiction |
 ** The Key Question: Foreign Trust vs Domestic Trust
 The core distinction:
 A /foreign/ trust (Cook Islands, Nevis) is offshore from US courts. A US creditor who obtains a judgment against you cannot simply reach the trust assets. They must litigate /again/ in the foreign jurisdiction, under that jurisdiction's debtor-friendly laws. This is a massive practical barrier — few creditors will pay for two lawsuits in two countries.
 A /domestic/ trust (South Dakota, Nevada) is under US court jurisdiction. A US creditor can get a court order directly against the trust. The domestic AP trust statutes provide some protection (shorter fraudulent conveyance lookback, higher burden of proof for creditors), but a sufficiently determined creditor can eventually reach the assets.
 ** The Downsides of an Extremely Strong Structure
 /1. Loss of Control./ An irrevocable trust means the assets are gone. You cannot change your mind. You cannot dissolve the trust. You cannot redirect the assets. This is the /price/ of asset protection. If the trust owns the BVI IP Co (which owns the [[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]] IP), you are a discretionary beneficiary of the trust, not the owner of the IP. The trustee makes decisions about the IP — not you.
 /2. Banking and Financing Difficulty./ Banks scrutinize trust-owned structures. The BVI IP Co owned by a Cook Islands trust will require extensive KYC across four layers: you → trust → BVI Co → OpCo. Some US banks will refuse to open accounts. International banking is possible but time-consuming (3-6 months).
 /3. Transaction Complexity./ Selling the company becomes harder. A buyer is not acquiring shares from you — they are negotiating with a foreign trustee. Every M&A lawyer will charge extra for this complexity.
 /4. Fraudulent Conveyance Risk./ If the trust is set up after a liability has already arisen (or even after a threat of litigation), a court can void the entire structure as a fraudulent conveyance. The structure only protects against /future/ liabilities. Setting it up early (before any revenue, before any contracts, before any users) is essential — but even then, a court could look back if the timing is suspicious.
 /5. Cost./ Annual costs of $10-20K for the trust alone, plus the BVI Co and OpCo costs. This is significant before you have revenue.
 /6. Perceived Illegitimacy./ Counterparties — especially enterprise CISOs buying verification services — may ask questions about why the company is structured this way. A company that sells trust and verification services should look trustworthy. An extremely aggressive AP structure may undermine that perception.
 * The Combined Structure Map
 Option A (recommended baseline):
 Founders → Delaware OpCo + BVI IP Co (same ownership)
 IP owned by BVI Co. OpCo licenses it. Simple, clean, effective for business liability protection.
 Option B (founders' personal AP, trust layer):
 Founders → Irrevocable Cook Islands Trust → owns BVI IP Co → licenses to Delaware OpCo
 Also: Trust is named beneficiary of OpCo equity (this is complex — often structured as a separate trust holding the OpCo shares)
 This protects the IP from both /business/ liability (via the OpCo/IP separation) and /personal/ liability (via the trust owning the IP Co). A personal judgment against you cannot reach the trust assets.
 Option C (full stack, extreme protection):
 Founders → Irrevocable Cook Islands Trust → owns BVI IP Co + owns beneficial interest in Panama LLC
 Panama LLC → holds OpCo shares
 OpCo uses IP under license from BVI Co
 This is the maximum: three layers between any creditor and the IP. But the cost, complexity, and counterparty friction make it appropriate only for very high net worth individuals facing specific litigation risk.
 * The Honest Assessment
 For the first phase of this venture (pre-revenue, pre-product, zero users), even a plain Delaware C-Corp is overengineering. The BVI IP Co is a modest step that costs a few thousand and protects the most valuable asset (the IP) from potential business liability. It should be set up early.
 The trust layer is genuinely unnecessary until one of these triggers:
 - You have personal net worth above $2-5M that you want to protect
 - The BVI IP Co's IP is appraised at $5M+
 - You are in a profession with high personal liability (you're not — you're building software)
 - A specific liability event is imminent (lawsuit filed, regulatory action)
 Adding the trust earlier /does/ improve protection (the fraudulent conveyance lookback clock starts earlier) but the cost, complexity, and operational friction of running the business through a foreign trust outweigh the benefit at this stage.
 * References
 - [[id:433236a2-e5ad-41d4-a27e-4682f8bbc207][Practical setup guide — Delaware C-Corp + BVI IP Co]]
 - [[id:0a4e0b8f-25e0-4b78-9633-fc37d03cefe9][Asset protection structures overview]]
 - [[id:d28adac8-08a1-40c4-ae43-b5d8d7b1743f][Combined growth strategy]]
--- a/projects/flags/legal-structure-practical-setup.org
+++ b/projects/flags/legal-structure-practical-setup.org
@@ -0,0 +1,205 @@
 :PROPERTIES:
 :ID:       433236a2-e5ad-41d4-a27e-4682f8bbc207
 :ID:       legal-structure-practical-setup
 :CREATED:  [2026-05-23 Sat]
 :END:
 #+title: Legal Structure
 #+filetags: :passepartout:legal:corporate:setup:action:
 Recommended structure: Delaware C-Corp (US OpCo) + BVI Business Company (IP Co). Trust layer deferred until significant personal wealth accumulates. This is a research document — exact costs and forms should be confirmed with a lawyer.
 * The Structure
 [Founders] → own equity in → [Delaware C-Corp (OpCo)]
                                      │
                            license to use IP
                                      │
                                      ▼
                          [BVI Business Company (IP Co)]
                                      │
                            owns the IP assets
                            ([[id:28c46769-c14b-42aa-ac7a-69d310157f8f][Passepartout]] code, gate rules,
                             ACL2 libraries, [[id:1d074690-a279-59cb-b91d-e9a22ae104ad][social protocol]] protocol
                             spec, trademarks, domain names)
 The OpCo pays the IP Co an arm's-length royalty for the right to use the IP in its business (compliance sales, PDS hosting, marketplace operations). The IP Co accumulates royalty income in a tax-neutral jurisdiction (BVI has 0% corporate tax). The founders own both entities under the same cap table.
 * Layer 1: Delaware C-Corp (OpCo)
 ** What It Is
 A Delaware stock corporation — standard C-Corp for tax purposes. The entity that signs contracts, employs people (eventually), earns revenue, and holds liability.
 ** Paperwork
 - /Certificate of Incorporation:/ Filed with Delaware Division of Corporations. Specifies the corporation's name, registered agent, authorized shares, and incorporator.
 - /Bylaws:/ Internal governance rules (board structure, meeting procedures, officer roles). Not filed with the state but must exist.
 - /Stock issuance:/ Founders purchase common stock via a stock purchase agreement. An 83(b) election must be filed within 30 days if shares are subject to vesting.
 - /Initial board resolution:/ Documents the first board meeting (elect officers, authorize stock issuance, approve bank account opening).
 ** Forms
 | Form | Purpose | Where | Cost |
 |------+---------+-------+------|
 | Certificate of Incorporation | Creates the corporation | Filed with DE Division of Corps | $89 (standard, up to 5K shares). $189 for expedited 24hr processing |
 | Franchise Tax Report | Annual filing | DE Division of Corps | $225 minimum/year (based on authorized shares). Can be $175+ for small corps |
 | Registered Agent | Accepts legal service in DE | Private service (CSC, Registered Agents Inc, legalzoom) | $50-300/year |
 | 83(b) election | Tax treatment of restricted stock | Filed with IRS within 30 days of purchase | $0 (paper filing) |
 | IRS SS-4 | Employer ID Number (EIN) | IRS | Free |
 | BOI Report | Beneficial Ownership Information | FinCEN | Free (new requirement, 2024) |
 ** Steps
 1. Choose a corporate name (must be unique in Delaware, include "Inc." or "Corp.")
 2. Reserve the name (optional, $75, holds for 120 days)
 3. Select a registered agent
 4. File the Certificate of Incorporation online or by mail
 5. Draft bylaws (template from your incorporation service)
 6. Issue founder shares and file 83(b) election
 7. Apply for EIN (SS-4)
 8. Open a US bank account (requires EIN + Certificate of Incorporation)
 9. File the BOI report with FinCEN within 90 days of formation
 ** Timeline
 | Step | Time | Note |
 |------+------+------|
 | Order incorporation | 1-2 hours online | Via legalzoom, clerky, or direct with DE |
 | State processing | 24 hours (expedited) to 2 weeks (standard) | |
 | EIN from IRS | Same day (phone) to 2 weeks (mail) | Call IRS and get it same-day |
 | Bank account | 1-2 weeks | Requires physical presence or remote onboarding |
 | Total | 1-3 weeks | Can be done entirely remotely |
 ** Costs
 | Item | One-time | Annual |
 |------+----------+--------|
 | Certificate of Incorporation (standard) | $89 | — |
 | Name reservation (optional) | $75 | — |
 | Registered agent | — | $50-300 |
 | Franchise tax | — | $175-225 |
 | Bylaws (template) | $0-100 | — |
 | Total year 1 | $164-264 | $225-525 |
 | Total year 2+ | $0 | $225-525 |
 Using a formation service like clerky or legalzoom adds $100-300 but includes document templates, registered agent for the first year, and step-by-step guidance.
 * Layer 2: BVI IP Co
 ** What It Is
 A BVI Business Company (IBC) incorporated under the BVI Business Companies Act (2004). The entity that owns the IP assets and licenses them to the OpCo. BVI has no corporate tax, no capital gains tax, no withholding tax on dividends or royalties. The BVI is not on the EU blacklist or greylist as of 2026 (it was greylisted 2022-2024 and was removed after reforms).
 ** Paperwork
 - /Memorandum and Articles of Association:/ The constitutional document. Filed with the BVI Registry of Corporate Affairs. Similar to a DE Certificate of Incorporation.
 - /Register of Directors:/ Names and addresses of directors. Filed with the BVI Registry. /Not public/ — BVI maintains a private register.
 - /Register of Members:/ Shareholder information. Kept at the registered office. Not public.
 - /Licence Agreement:/ The agreement between the OpCo and the IP Co granting the OpCo a license to use the IP in exchange for royalty payments. This is the critical document for transfer pricing compliance.
 - /Corporate resolutions:/ Appointing directors, issuing shares, authorizing the license agreement.
 ** Forms and Steps
 | Step | Where | Cost | Time |
 |------+-------+------+------|
 | Choose BVI registered agent | Private service (Harneys, Ogier, Maples, or low-cost providers) | $500-1,500/year | 1 day to choose |
 | Due diligence (KYC) | Registered agent requires passport, proof of address, source of funds | $0 | 1-5 days |
 | Name approval | BVI Registry | $0 | 1-2 days |
 | File M&A + register | BVI Registry via registered agent | $350-750 (govt fee) | 1-3 days |
 | Issue shares | Internal | $0 | 1 day |
 | Appoint director/officer | Internal | $0 | 1 day |
 | Draft IP license agreement | Lawyer | $1,500-5,000 | 1-2 weeks |
 | BVI bank account | BVI or international bank | $0-500 (account fees) | 2-6 weeks |
 | Total setup | | $2,500-8,000 | 2-5 weeks |
 ** Annual Costs
 | Item | Cost |
 |------+------|
 | Registered agent fee | $500-1,500 |
 | BVI government fee | $450-1,100 (depends on authorized share capital) |
 | BVI financial statement filing | $350-500 (simple, no audit required — just a declaration) |
 | Total annual | $1,300-3,100 |
 ** The IP License Agreement
 This is the most important document. It must:
 1. /Define the IP:/ List every asset being licensed — the Passepartout source code, gate rules, ACL2 proof libraries, social protocol specification, trademarks, domain names, trade secrets.
 2. /Set the royalty rate:/ Must be at arm's-length. For software/tech IP, typical royalty rates are 2-10% of gross revenue, depending on how central the IP is to the business. Verification IP is 100% central to the business (the product /is/ the IP) — rates at the higher end are defensible.
 3. /Transfer pricing documentation:/ Required under US tax law (IRC Section 482). A transfer pricing study documents that the royalty rate is consistent with what unrelated parties would agree to. Cost: $5,000-15,000 for a professional study. /Alternative:/ Use an industry benchmarking report from a database like RoyaltyStat or ktMINE. The documentation must exist in case of IRS audit.
 4. /Territory:/ Global license, exclusive or non-exclusive.
 5. /Sub-[[id:67faf52f-9126-50a7-b87e-2bedc610dac7][licensing]]:/ Whether the OpCo can sub-license. Typically no — the IP Co controls sub-licensing.
 * Layer 3: Founders' Ownership
 Both the OpCo and the IP Co must be owned by the same people to avoid attribution issues.
 ** Mirror Ownership
 - OpCo founders own 100% of OpCo common stock
 - Same individuals own 100% of IP Co shares (same percentages)
 - Documented in both entities' records
 The two entities are related parties. The IRS will scrutinize transactions between them. Mirror ownership is standard and expected — the key is the documentation of the license agreement and the arm's-length royalty.
 ** Individual Asset Protection
 The founders' personal assets are protected by the corporate veil of both entities. This is /not/ the trust-level protection of Structure D — if both entities are owned by the founders directly, a judgment against the founders (personal liability) could reach the shares in both entities. But a judgment against the OpCo (business liability) cannot reach the IP in the IP Co — that's the point.
 * Layer 4: Trust (Deferred)
 Not set up now. The trust adds $15-30K setup + $5-10K/year and makes investor fundraising nearly impossible. Defer until:
 - Personal wealth (across all assets) exceeds $2-5M, /or/
 - The IP Co's accumulated value (IP appraisal) exceeds $5M, /or/
 - A specific liability risk emerges (lawsuit filed, regulatory investigation)
 When the threshold is reached, the structure becomes: Founders → Irrevocable Cook Islands Trust → owns BVI IP Co → licenses to Delaware OpCo.
 * Complete Timeline and Cost Summary (Year 1)
 | Item | Timeline | One-time | Annual |
 |------+----------+----------+--------|
 | Delaware C-Corp | Week 1-2 | $200-500 | $225-525 |
 | BVI IP Co | Week 2-5 | $2,500-8,000 | $1,300-3,100 |
 | IP License Agreement | Week 3-6 | $1,500-5,000 | — |
 | Transfer pricing documentation | Week 4-8 | $0-15,000 | $2,000-5,000 (update) |
 | US bank account (OpCo) | Week 2-4 | $0 | $0-200 |
 | BVI bank account (IP Co) | Week 4-10 | $0-500 | $0-500 |
 | Total year 1 | 4-10 weeks | $4,200-29,000 | $1,525-4,325 |
 | Total year 2+ | — | $0 | $1,525-4,325 |
 The wide range depends on whether you use a DIY formation service ($400 Delware + $2,500 BVI) or a full-service law firm ($5,000 Delaware + $8,000 BVI + $15,000 transfer pricing study).
 * What Must Be Done by a Professional
 Some things can be DIY'd, some cannot:
 | Task | DIY possible? | Recommendation |
 |------+---------------|---------------|
 | DE Certificate of Incorporation | Yes (clerky, legalzoom, or direct filing) | DIY ($100-300) |
 | DE Bylaws | Yes (template available) | DIY or included with service |
 | 83(b) election | Yes (one-page IRS form) | DIY |
 | BVI incorporation | Via registered agent | Agent handles government filing |
 | IP License Agreement | /No/ | Must be a lawyer (transfer pricing + IP specialist) |
 | Transfer pricing study | /No/ | Must be a tax professional |
 | BVI bank account | Can apply remotely | Some agents offer bank introduction |
 * The Bottom Line
 Minimum viable setup (DIY Delaware, basic BVI, lawyer for license agreement): ~$5,000 one-time, ~$1,500/year ongoing. Timeline: 4-6 weeks from start to both entities operational.
 Full professional setup (law firm for everything + transfer pricing study): ~$25,000 one-time, ~$4,000/year ongoing. Timeline: 6-10 weeks.
 The IP transfer must happen /before/ the IP has significant value. Incorporating both entities now (before the first compliance sale) means the IP assigned to the BVI Co has negligible appraised value. Waiting until Phase 1 means the IP may have significant value and the transfer triggers a taxable gain.
 * References
 - [[id:0a4e0b8f-25e0-4b78-9633-fc37d03cefe9][Asset protection structures — options analysis]]
 - [[id:98364e9d-a8a9-42b7-a9dc-b643fd2ccc4b][Outbound sales compliance — data protection law]]
 - [[id:d28adac8-08a1-40c4-ae43-b5d8d7b1743f][Combined growth strategy — Passepartout]]
--- a/projects/passepartout/ROADMAP.org
+++ b/projects/passepartout/ROADMAP.org
--- a/projects/passepartout/_index.org
+++ b/projects/passepartout/_index.org
@@ -0,0 +1,59 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       7a1b2c3d-4e5f-6a7b-8c9d-0e1f2a3b4c5d
 :END:
 #+title: Passepartout
 #+filetags: :index:
 **What Passepartout is.**
 Passepartout is a project that builds toward a personal computing environment where you own your computation, your data, and your agency — and the architecture proves it, not promises it.
 It is a single system that is simultaneously:
 - Your editor, browser, shell, and AI agent — not separate programs but a single environment where everything works together because everything shares the same structure.
 - Your knowledge base — a living [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][memex]] of everything you read, write, and decide, stored in a format you can read and your machine can read, with no translation layer between them.
 - Your gatekeeper — a system that checks every action against your rules before taking it, whether the action comes from you, from the AI, or from the network.
 - Your identity and communication protocol — cryptographic identity, encrypted messaging, and provable exchanges between instances.
 These are not separate products. They are one project, one architecture, one machine.
 **Why it exists.**
 The modern computing stack is built from independently built, independently untrusted layers: hardware, firmware, operating system, compilers, runtime, network protocols, applications. Each layer assumes the layers below it are either trusted or someone else's problem. The gaps between layers are where exploits live.
 Security is reactive. We find bugs, we patch them, we run antivirus, we monitor logs. The model is probabilistic: "no known vulnerabilities" does not mean none exist, only that none have been found. The patching treadmill has been running for forty years and shows no sign of slowing.
 Passepartout asks a different question: what if you eliminated the boundaries between layers instead of trying to secure them? What if the entire stack shared one structure, one verification, one proof — from the rules that authorize an action to the hardware that executes it?
 This eliminates entire categories of threats by structural design, not by patching. Memory corruption exploits, compiler backdoors, malware with execution paths that bypass the rules — these are not mitigations you add on top of an unsafe system. They are classes of threat that cannot exist in a system built on this principle.
 **What it replaces.**
 | Current approach | Passepartout |
 |---|---|
 | Separate editor, browser, shell, agent — each a different program with different trust assumptions | One environment where all are functions in the same memory space |
 | Knowledge stored in a database you cannot inspect | Knowledge stored in a file format you read and edit directly |
 | Security through permissions, firewalls, antivirus, audits | Security through a rule system that checks every action before it executes |
 | Separate identity systems for every service (Google login, GitHub, Slack) | One cryptographic identity you control |
 | Vulnerabilities found and patched reactively | Categories of threat eliminated by architecture |
 **How we get there.**
 The full system is the destination, but every intermediate stage delivers value on its own. The project is designed as a staged migration from conventional hardware to the full architecture, with no rewrite required between stages. Development is running today.
 **What it means.**
 A system built this way shifts computing from an empirical trust model — "this has passed our tests" — to a deductive one: "this is structurally impossible for the following reasons." The downstream effects cascade beyond any single user:
 - A company's compliance obligations become a set of rules the system enforces by construction, not a binder of documents an auditor reviews once a year.
 - AI safety becomes a rule system between the AI and the actions it can take, not a set of probabilities and guardrails.
 - Software certification becomes a shared suite of proofs from every deployed instance — a public attestation that a system behaves as specified.
 Passepartout creates a new category: verified infrastructure. Not a safer operating system, not a better AI agent, not another social network — but the foundation beneath all three, built on a principle that the current approach cannot offer: that the system, by its structure, is trustworthy.
 ---
 - [[id:1c3ec48b-446c-50d2-b53e-126a81f5143f][Architecture]] — the system in detail
 - [[id:b9fa4b7b-bc61-4d7f-918d-ff687b80f2ba][Systemic Effects]] — what verification cascades into
 - [[id:8cb760e2-37c6-4a78-af4d-f89f69d1678b][Staged Roadmap]] — from today to What Remains
--- a/projects/passepartout/architecture/_index.org
+++ b/projects/passepartout/architecture/_index.org
@@ -0,0 +1,158 @@
 :PROPERTIES:
 :CREATED:  [2026-05-24 Sun]
 :ID:       5e7f1d2a-3b4c-5d6e-7f8a-9b0c1d2e3f4a
 :ID:       1c3ec48b-446c-50d2-b53e-126a81f5143f
 :END:
 #+title: Architecture
 #+filetags: :passepartout:architecture:
 **The four subsystems, one address space.**
 Passepartout is one system built from four subsystems that share one evaluation semantics, one memory graph, and one proof chain:
 - **Environment** — the personal computing environment
 - **Knowledge** — the unified memex
 - **Verification** — the gate
 - **Social Protocol** — provable communication between instances
 Each is described below.
 **The environment: one address space.**
 The environment eliminates the layered trust model of a conventional OS by eliminating the layers. Instead of an editor that sends keystrokes through a terminal emulator to a shell that forks processes that read files through a kernel VFS layer — each boundary a potential vulnerability — the environment runs everything in a single Lisp address space. (Lisp is a family of programming languages where code and data share the same representation. This property means the machine can verify what code does and modify itself without restarting. It is the foundation that makes the entire architecture possible.)
 The editor is a Lisp function that manipulates text buffers in the evaluated memory graph. The shell is a Lisp read-eval-print loop that compiles to the same evaluator. The browser renders HTML through a Lisp-based rendering engine, not a separate process. The agent runtime invokes Lisp functions, not subprocesses. (The specific implementations that realize this today use Lish for the shell and editor, Nyxt for the browser, and SBCL as the host Lisp — but the architectural principle is uniform semantics in one address space, not these particular packages.)
 There is no MMU boundary between components because there are no separate processes. There is no IPC because there is nothing to communicate between. Everything shares the same memory graph. Your editor buffer, your shell history, your agent's state, and your social protocol messages all live in the same evaluated object graph, protected by the same gate, verified by the same prover.
 **The knowledge subsystem: Org-mode as unified memex.**
 The knowledge subsystem is built on [[id:0a33bd83-ff3c-4eac-bc97-83eb6702051a][Org-mode]] — one format for human and machine, with sparse tree retrieval keeping context lean (2,000-4,000 tokens). The Org file IS the data, not a representation of it. See [[id:e32290a0-a02a-4af7-ae22-243d04a7ac82][Design Decisions]] for the full analysis.
 **Two indices over the Org prose:**
 1. A neural index using vector embeddings for semantic search — the gateway to the full richness of natural language.
 2. A symbolic index storing formal assertions about what the prose says — predicates, relations, constraints — each grounded to a specific heading or block.
 The prose is always ground truth. Both indices are derived views that can be rebuilt from scratch. Nothing is lost in the indices that was not already in the Org files.
 The same principle extends beyond prose to structured data. Empirical parameters, validity envelopes, provenance chains, and benchmark results live in Org as property drawers and tables — the same format the user reads and edits. The system maintains a derived representation — the provenance store — optimized for machine queries. Like the two indices, it is a derived view rebuilt from Org, not a separate canonical copy. When the system learns something new, it writes back to the Org files, keeping the human layer current.
 This is what sovereignty means in technical terms — the user owns the data in a format they can access, and the system operates on the same format. See [[id:e32290a0-a02a-4af7-ae22-243d04a7ac82][Design Decisions]] for the full argument.
 **The verification subsystem: the gate.**
 The gate is a function that takes (action, context, policy) and returns (permit | deny). Every action passes through it — a shell command from the user, a proposal from the LLM, a message from the network, a file write by a scheduled job. There is no privileged path around the gate. Root is not a concept in the gate model — root is a convention enforced by an OS that the gate replaces.
 The gate has three decision vectors:
 1. **ACL2-verified procedures for security-critical checks** — access control, message authentication, capability resolution. (ACL2 is a theorem prover and programming language for formal verification. It proves that code behaves correctly for all possible inputs, not just the ones tested.) This is the deductive layer.
 2. **Provenance- and validity-envelope checks for scientific and engineering integrity** — does the empirical model apply in the current context? Are the parameters within their validated range? Is the input within the model's training distribution? These are predicates over the provenance store, not formal proofs. The gate queries the store and blocks or flags computations that fall outside validated bounds. This is the empirical layer — see [[id:329bd4fb-702a-4a2b-9c63-69281aacb83a][Knowledge Layers]] for the full framework.
 3. **An LLM for natural-language reasoning** — parsing the user's intent, evaluating whether an action falls within policy boundaries that require human judgment, interpreting gate flags and failure diagnostics. This is the probabilistic oracle — it proposes, never executes.
 The ACL2 layer (vector 1) is deductive and authoritative where it applies — the LLM cannot overrule a verified denial. The provenance layer (vector 2) is authoritative over model validity — the LLM cannot override a validity envelope violation (though it may recommend a different model). The LLM layer (vector 3) is probabilistic and bounded by both lower layers.
 The gate does not depend on OS privilege boundaries because it is in the evaluation loop itself. This is the architectural reason for the Lisp machine: a conventional OS interposes between the gate and the hardware. A Lisp machine eliminates that interposition by making the gate part of the evaluator.
 **How the gate knows which procedure belongs to which domain.**
 Every action entering the gate carries a domain tag. The tag is set by context — a file write under /home/user/documents/ gets the "documents" domain, a network call to an approved registry gets "network", a shell command running a compiler gets "software-engineering". The domain tags form a tree: "files" has children "documents", "code", "config", "system", each with its own rule set.
 The gate maintains a procedure registry mapping domain tags to ACL2-verified boundary functions. When an action arrives, the gate looks up the most specific domain tag that has a registered procedure. If "documents" has one, it uses that. If not, it walks up to "files". If no domain in the tree has a procedure, the action falls under LLM authority bounded only by the generic outer fence.
 Domain tags are defined in the policy configuration — a hierarchy of Org headings or YAML that maps path patterns, network destinations, and command prefixes to domain names. New domains can be added at any time with no code changes, just a policy edit. New domains start with no verified procedures and rely entirely on the LLM until experience accumulates and ACL2 boundaries are written.
 **How the verified procedure registry grows.**
 Verified procedures are not all written upfront. The initial gate ships with a minimal set of obviously correct outer boundaries — three to five rules that prevent catastrophic, irreversible actions. The registry grows through three mechanisms:
 1. Mistake-driven hardening: when the LLM's provisional authority causes harm, that action is logged, a human or automated process writes an ACL2 conjecture to prevent it, the Prover verifies it, and the resulting boundary function is added to the registry under the relevant domain tag.
 2. Adversarial probing: the gate randomly injects probe actions that would violate known desirable boundaries but are caught before execution. These probes generate the same hardening signal even when no mistake occurred. They cover the blind spot where the LLM always gets it right and no error is ever logged.
 3. Syscall wrappers: every action that crosses from the Lisp image into the host OS passes through a gate wrapper that records the kernel's response. When the kernel denies an action (permissions, seccomp, namespaces) that the gate had no rule for, the wrapper translates that kernel denial into a hardening signal — "the kernel prevented this. Consider codifying it as an ACL2 boundary." This covers the blind spot where the kernel catches the problem first and the gate never sees the danger.
 These three channels feed a queue. The autodidactic loop (or a human reviewer) periodically processes the queue, drafts ACL2 conjectures, runs the Prover, and deploys new verified boundaries. The gate's procedure registry grows transaction by transaction, domain by domain, from three rules to hundreds to thousands over the lifetime of the system.
 **The two blind spots and their mitigations.**
 Blind spot 1 — the LLM always gets it right. If the LLM never attempts a dangerous action in a domain, no mistake is logged, and no ACL2 boundary is proposed. Mitigation: adversarial probing. The gate regularly tests the LLM with actions that would violate known safety properties, logged before execution. These probes generate hardening signals regardless of the LLM's accuracy.
 Blind spot 2 — the kernel prevents the action before the gate sees it. If the LLM tries to write to /etc/shadow and the kernel's DAC permissions reject it, the LLM sees a permission error, the gate sees a failed action, but neither knows a safety boundary was enforced. Mitigation: syscall wrappers. The gate wraps every kernel transition and records the reason for denial. A kernel EACCES on /etc/shadow becomes a hardening signal: "the kernel has a rule about /etc/shadow that the gate doesn't. Codify it."
 Without these mitigations, the gate's coverage converges to a plateau determined only by what has already broken, leaving large regions permanently dependent on the LLM's probabilistic reliability.
 **Gate decision flow (Neurosymbolic Agent stage):** An action arrives carrying a domain tag. First, the gate checks the deductive layer — does this domain have registered ACL2-verified boundary procedures? If any denies, reject instantly. The LLM cannot overrule. If no verified procedure denies, the gate checks with Screamer — a constraint network built from rules extracted by the LLM and corrected by humans. Screamer resolves domain-specific constraints, rights, and prohibitions. If Screamer finds a resolution, apply it. If not, the gate asks the LLM. The LLM proposes permit or deny, and the gate re-checks against the deductive boundaries (defense in depth). Every decision is logged to the decision log.
 **How domains emerge:** Domain tags are not assigned upfront. The user writes notes in Org. The symbolic index extracts entities and relationships. Screamer's constraint network connects them. Over time, clusters form — entities that mention each other frequently and mention outside entities rarely. The gate notices clusters where LLM utilization is high. It asks the LLM to label them: "This cluster deals with financial records. Shall I create a domain called accounting?" If the user confirms, the procedure registry gets a new tag. New domains start empty — no verified boundaries — and fill as mistakes accumulate.
 **The autodidactic loop runs in two parallel tracks.**
 **Track 1 — deductive hardening:** formal proof generation and gate rule improvement, fast loop, runs autonomously at LLM speed:
 1. Read the decision log since the last run.
 2. Identify high-frequency patterns where the LLM was invoked.
 3. Propose Screamer constraints for the top patterns.
 4. Check the hardening queue for new ACL2 conjectures ready to prove.
 5. Check the adversarial probe results — did any probe reveal an unprotected boundary?
 6. Check the syscall wrapper logs — did the kernel deny anything the gate missed?
 7. Propose new domain clusters if LLM utilization in a cluster exceeds a threshold.
 8. Run the Prover on pending conjectures.
 9. If proofs pass, compile and deploy new boundary functions.
 10. Log the cycle results.
 **Track 2 — empirical validation:** provenance store improvement and parameter refinement, slow loop, requires experimental feedback:
 1. Review computations since the last run where predictions were compared to experimental results.
 2. For each comparison, compute the prediction error. If error exceeds the model's stated confidence interval, flag the parameter for review.
 3. Parameter review: is the error systematic (model needs recalibration) or random (noise within expected range)?
 4. For systematic errors: propose updated parameters (LLM), validate against held-out benchmarks (symbolic engine), update provenance store.
 5. Envelope expansion: if a model was used in conditions outside its original validity envelope and the predictions matched experimental data, expand the envelope to include those conditions.
 6. Bias profile update: incorporate the new comparison into the model's running bias profile.
 7. Community sharing: publish validated parameter updates and envelope expansions through the social protocol.
 Track 1 runs every cycle (minutes to hours). Track 2 runs when experimental data arrives (hours to months). Both are essential — the fast loop makes the system more secure; the slow loop makes it more useful for real-world science and engineering. See [[id:329bd4fb-702a-4a2b-9c63-69281aacb83a][Knowledge Layers]] for the epistemic framework that motivates this split.
 **The social protocol: provable communication.**
 The social protocol extends the verified semantics beyond a single machine. It provides:
 - Self-sovereign DID identity (every instance has a cryptographic identity it controls)
 - DIDComm encrypted messaging (end-to-end encrypted, signed, DAG-tracked)
 - Personal data stores (user-owned, gate-controlled)
 - Relay network (asynchronous message delivery across trust boundaries)
 - Compute marketplace (provision verified compute you rent)
 - Liquid democracy (delegable voting over protocol governance)
 Every message is signed by the sender's DID, tracked in a content-addressed DAG, and optionally notarized. Communication is provable when you choose it to be — you can prove what you sent, to whom, when, without revealing content.
 The social protocol is not a blockchain. DAG-based ordering handles causality; delegable trust replaces proof of work.
 **The staged progression.**
 The full architecture — gate-verified Lisp machine on custom silicon — is the destination. The staged roadmap (see the [[file:/stages.org][stages]] directory for full detail) describes how each successive replacement eliminates a class of threat:
 Development (baseline: Linux + Python agent + SQLite), Neurosymbolic Agent (the gate — root eliminated, provenance store operational), Social Protocol (provable communication), Lisp Machine (bare-metal — no MMU), AI Inference (in-process LLM), AI Weights (plist-native neural data), AI Training (verified fine-tuning), What Remains (physical, political, oracular limits).
 Each stage is independently useful. Development is running today. The migration is progressive component swap, not a cut-over.
 **Self-developing hardware (Lisp Machine onwards):** The hardware side of the Lisp Machine self-improves by synthesizing its own microcode. A Tenstorrent P150 (~72 RISC-V Tensix cores) runs Lisp microcode with one core dedicated to ACL2, one to Screamer, and the rest to gate verification and fact store operations. The system profiles its own gate verification latency, proposes a new microcoded instruction for the hot path, compiles RISC-V assembly from ACL2-verified specifications, loads it via PCIe DMA from within SBCL, benchmarks it — and rolls back if slower. The self-driving threshold: every subdomain involved (RISC-V ISA, SBCL internals, ACL2 metafunctions, compiler optimization) is software — the most codifiable domain — and can flip to symbolic sufficiency within days of ingestion.
 **Downstream effects.**
 When every action is gate-checked, every message is provable, and every computation runs on verified semantics, the security model shifts from empirical to deductive. The downstream effects cascade beyond personal computing:
 - **Compliance** becomes executable gate rules instead of annual audits. A SOC 2 report is a gate configuration, not a PDF.
 - **AI safety** becomes a verified gate between the LLM and the action stream instead of probabilistic guardrails or RLHF.
 - **Software certification** becomes the accumulated regression suite of every deployed instance — the Underwriters Laboratory for AI.
 - **Operating systems** become obsolete. The gate replaces the kernel, the address space replaces process isolation, and the verified evaluator replaces the privilege model.
 See also:
 - [[id:971cd9e7-2cc5-4743-8042-2469dbe4078f][Lisp Foundation]] — why Lisp, the prover bootstrapping path, and the ecosystem gap
 - [[id:0a33bd83-ff3c-4eac-bc97-83eb6702051a][Design Decisions]] — the rationale behind the architecture choices
 - [[id:d5c6e7f8-9a0b-1c2d-3e4f-5a6b7c8d9e0f][Distinguishing Features]] — the 13-point checklist of what sets this apart
 - [[id:b9fa4b7b-bc61-4d7f-918d-ff687b80f2ba][Systemic effects over time]] — how verification cascades across society, economics, and geopolitics
 - [[id:329bd4fb-702a-4a2b-9c63-69281aacb83a][Knowledge Layers]] — the epistemic architecture: deductive proofs, provenance-tracked empirical models, and probabilistic oracle
 - [[id:efc76898-03f7-57ba-923d-35d65da88bb7][The per-domain sufficiency flip]]
 - [[id:2afd9a3c-e96a-54c7-ac77-a05a28065b4b][Biology as proof of the Lisp model]]
 - [[id:00ab3a4d-e3de-5605-a67d-12935bb36ab5][Comparison with Symbolics Genera]]
--- a/projects/passepartout/architecture/academic.org
+++ b/projects/passepartout/architecture/academic.org
@@ -0,0 +1,108 @@
 :PROPERTIES:
 :CREATED:  [2026-05-27 Wed]
 :WEIGHT:  63
 :ID:       d2722576-fc9b-4bd3-bc2f-f5692b561b4e
 :END:
 #+title: Who Is Closest to Passepartout?
 #+filetags: :passepartout:academia:comparison:neurosymbolic:verification:
 A survey of academic researchers whose work overlaps with Passepartout's architecture along specific dimensions. The conclusion: no academic group combines all four architectural properties that define Passepartout's design. The closest groups each hold one or two pieces; none combine all.
 * The Four Architectural Properties
 1. **LLM-level generator with full creative freedom** — the generator synthesizes entire implementations from specifications, not individual tactic steps or hole-fillings.
 2. **Theorem-prover verification with complete functional correctness** — the verifier checks all execution paths against the full spec, not bounded verification via SMT solvers.
 3. **Asymmetric authority** — the symbolic component (prover) is the final authority and cannot be overridden by the neural component.
 4. **Counterexample-guided retry loop** — when the prover rejects an implementation, it returns a concrete counterexample that the generator uses to reformulate.
 * The Academic Landscape
 **LLM + Theorem Prover Loops**
 | Researcher | Institution | System | Match | Divergence |
 |------------|-------------|--------|-------|------------|
 | Sean Welleck | CMU | ImProver 2 | Self-improving LMs generating proof steps verified by Lean | Generator fills tactic holes in existing proofs, not full implementations. Camp B. |
 | Timon Gehr | ETH | COPRA, Thor | LLM interacts with theorem prover kernel | Same constraint: tactic-level. Neural component generates one move at a time. |
 | Kaiyu Yang | Princeton | LINC | Neural network learns symbolic rules, prover checks consistency | Neural component is a *learner* discovering rules from data, not a generator synthesizing from spec. Different abstraction level. |
 All three are Camp B in the loop taxonomy (constrained generator + complete verifier). None gives the LLM freedom to synthesize full implementations. Welleck's ImProver is the closest in spirit — the loop iterates, the prover is authoritative — but the scope of what the generator produces is orders of magnitude smaller than what Passepartout's design requires.
 **Synthesis + Verification (non-LLM)**
 | Researcher | Institution | System | Match | Divergence |
 |------------|-------------|--------|-------|------------|
 | Armando Solar-Lezama | MIT | Sketch | Synthesis-aided verification: partial program → solver fills holes → assertions checked | Generator is constraint-based SAT/SMT, not an LLM. Verification is bounded (solver capacity). |
 | Emina Torlak | UW | Rosette | Solver-aided languages for synthesis + verification | Same constraints as Sketch. Bounded, non-LLM. |
 | Swarat Chaudhuri | UT Austin | Neurosymbolic Programming | Neural networks guide program synthesis, symbolic analysis verifies | Uses SMT for bounded verification, not theorem prover for complete. Neural-symbolic are symmetric collaborators, not asymmetric authority. |
 Chaudhuri is the closest overall academic neighbor. His group explicitly works on combining neural and symbolic components, with symbolic verification of neural-generated candidates. But the verification is bounded (SMT), not complete (theorem prover), and the loop does not have Passepartout's asymmetric authority design.
 **Lisp as Infrastructure for Verification**
 | Researcher | Institution | System | Match | Divergence |
 |------------|-------------|--------|-------|------------|
 | Christian Schafmeister | Temple | Clasp | Common Lisp through LLVM; interactive Lisp for serious computation | Lisp infrastructure, not a neurosymbolic loop. No ACL2 integration. |
 | Kaufmann, Moore | UT Austin / Retired | ACL2 | The theorem prover itself | Pure symbolic verification. No LLM loop. |
 Schafmeister is aligned with Passepartout on the "why Lisp" question — interactive development, uniform representation, C++ interop for performance — but does not work on agentic verification loops.
 **Autonomous Code Modification Loops**
 | Researcher | Institution | System | Match | Divergence |
 |------------|-------------|--------|-------|------------|
 | Kevin Ellis | Cornell | DreamCoder | Neural program synthesis loop: generate → execute → learn | Verifier is interpreter (does it run?), not prover (is it correct?). Camp A. |
 | Andrej Karpathy | Anthropic | autoresearch | LLM modifies code, runs experiments, keeps/discards based on metric | Verifier is val_bpb — a single empirical number. No specification, no formal guarantee. Camp C. |
 Both prove the viability of the autonomous loop concept but use the weakest possible verifiers (execution and empirical metrics).
 **The Bitter Lesson / Temporal Credit Assignment (Sutton)**
 | Researcher | Institution | System | Match | Divergence |
 |------------|-------------|--------|-------|------------|
 | Richard Sutton | Alberta / Keen Technologies | TD learning, eligibility traces, Alberta Plan | The fundamental problem in verification — *an action was checked, but the consequence plays out hours later; was the action correct?* — is the same problem TD learning solves in RL: assigning credit to actions based on delayed outcomes. Sutton's temporal credit assignment work is the theory you would need to extend Passepartout from per-action gates to trajectory-level verification. His Bitter Lesson (scale beats engineered knowledge at sufficient compute) is the most commonly cited argument against the symbolic verification approach Passepartout bets on. | The Bitter Lesson is not anti-knowledge — it says methods that improve with more computation eventually dominate. Passepartout's gate is a deliberately small engineered knowledge system that *won't* benefit from more compute (the ACL2 lemmas don't get more correct with more hardware). That's acceptable because the gate is a narrow bottleneck (permit/deny). The LLM layer inside the gate *does* benefit from scale. The architecture already respects the Bitter Lesson by placing the scalable piece where scale helps and the non-scalable piece where deductive certainty matters. Sutton's Alberta Plan (world model + reward + learning algorithm) parallels Passepartout's AI Training stage (world model + gate + verified fine-tuning), but Sutton's agents learn by pure reward while Passepartout's learn by reward constrained by verified policy. Sutton would likely argue that a learned safety policy at scale would outcompete the gate. Passepartout's bet is that access control, message authentication, and compliance should never be probabilistic, even at infinite scale.
 **Integrate-Symbolic-Into-Neural (Garcez)**
 | Researcher | Institution | System | Match | Divergence |
 |------------|-------------|--------|-------|------------|
 | Artur d'Avila Garcez | City, Univ. of London | NeSy frameworks, NSL | Pioneer of neural-symbolic computation since 1990s. Book: "Neural-Symbolic Cognitive Reasoning." Runs NeSy workshop series. | His approach *integrates* symbolic knowledge into neural networks (logic regularization, knowledge distillation). Symbolic rules are a training signal, not a runtime verifier. The neural component can override symbolic constraints through the loss landscape. No asymmetric authority, no theorem prover, no complete verification. His camp is "make neural networks behave more symbolically." Passepartout's camp is "make neural networks accountable to symbolic verification." Opposite architectural philosophy. |
 Garcez's position in the design space is closest to Camp A (no independent verifier). The symbolic rules guide learning but do not veto outputs at runtime. His work is foundational for the field of neural-symbolic computation, but his *architectural philosophy* is the inverse of Passepartout's. He wants the symbolic inside the neural. Passepartout wants them separate with the symbolic holding authority.
 **Theorist of the Hybrid Thesis (Marcus)**
 | Researcher | Institution | System | Match | Divergence |
 |------------|-------------|--------|-------|------------|
 | Gary Marcus | NYU Emeritus, Robust.AI | None (theorist/critic) | Longest-standing public advocate for hybrid AI. Since "The Algebraic Mind" (2001) and "Rebooting AI" (2019), he has argued deep learning alone cannot achieve systematicity, composition, or reasoning. He identified the *need* for the approach Passepartout implements. As of May 2026, he is publicly asking why LLM agent frameworks are not using LEAN as a theorem-prover verifier — the same engineering gap Passepartout occupies. | He does not propose a specific architecture or loop design. His background is cognitive science and developmental psychology, not formal verification. The "symbolic component" he advocates is abstract — structured knowledge representations, not ACL2 theorem proving. He has no answer to the cost/feasibility question (the "Better is Cheaper" argument is Passepartout's contribution, not Marcus's). He is a theorist of the problem, not an architect of the solution — though his May 2026 tweet shows he is now engaging with the engineering question directly. |
 Marcus occupies a category that does not appear in the loop taxonomy (Camps A-D) because he does not define a loop. He identifies the *need* for hybrid AI with genuine symbolic authority. Passepartout is the engineering response to the thesis Marcus has been arguing since before most of the field would admit the limitations existed. His May 2026 tweet asking "they aren't using LEAN in one of those many tools?" is the theorist noticing the empty cell Passepartout was designed to fill.
 * The Gap
 | Property | Passepartout | Closest academic | Academic's limiter |
 |----------|-------------|-----------------|-------------------|
 | Generator freedom | Full synthesis from spec | ImProver (Welleck) | Fills tactic holes only |
 | Verification completeness | Complete (theorem prover) | Sketch (Solar-Lezama) | Bounded (SMT) |
 | Asymmetric authority | Neural cannot override prover | Neurosymbolic Prog (Chaudhuri) | Symmetric collaboration |
 | Counterexample feedback | Structured from prover to LLM | ImProver (Welleck) | Pass/fail at tactic level |
 | Two symbolic layers | Gates + prover independent | None | No second layer exists |
 No academic group combines all four properties. The closest — Chaudhuri — has three of five (neural + symbolic + verification) but fails on verification completeness (SMT not ACL2), asymmetric authority (symmetric not asymmetric), and the two-layer gate design.
 * What This Means
 The gap is either:
 1. **A genuinely empty cell in the design space.** The combination is novel, the components have not converged in one system before, and Passepartout's design is early.
 2. **A sign that the combination is not as valuable as the components.** No major academic lab has invested in this specific loop because the cost of writing complete formal specifications exceeds the benefit of complete formal verification, given the alternative of bounded verification (SMT) with cheaper spec costs.
 The way to distinguish (1) from (2) is to build the architecture and measure whether the spec-writing cost is amortized over enough synthesized implementations to justify it. Passepartout's answer is: yes, because specs are written once and implementations are generated for every deployment context. The academic literature has not tested this claim.
 * References
 - [[id:be9bccc7-5adf-4d0d-8ee4-8855892189bf][Neurosymbolic Loop Architectures]] — the taxonomy that positions these comparisons
 - [[id:ee8f3b2a-4c7d-4e1b-9b0a-6d8f2e3c1a5b][Neurosymbolic AI Paper Library]] — papers referenced above are in the local library
--- a/projects/passepartout/architecture/biomimicry.org
+++ b/projects/passepartout/architecture/biomimicry.org
@@ -0,0 +1,138 @@
 :PROPERTIES:
 :CREATED:  [2026-06-01 Mon]
 :WEIGHT:  61
 :ID:       f6a7b8c9-0d1e-2f3a-4b5c-6d7e8f90abcd
 :END:
 #+title: Biomimicry in Passepartout
 #+filetags: :passepartout:architecture:neurosymbolic:biomimicry:p150:
 **Biomimicry in Passepartout**
 **What already exists (real biomimicry, not metaphor)**
 | Feature | Biological analog | Implementation |
 |---------+-------------------+----------------|
 | Three-layer reasoning | Reptilian → limbic → neocortex | LLM (intuition) → Screamer (constrained search) → ACL2 (verified reasoning) |
 | Verdict-overrides-LLM | Somatic markers override conscious deliberation | Gate outputs overrule LLM proposals, not the other way |
 | Dream cycle | Sleep consolidation | gbrain dream cycle: replay and re-index daily experience offline |
 | Delegate subagents | Cognitive recruitment | delegate_task — spawns specialized subprocesses for subproblems |
 | Memory as two systems | Declarative vs procedural | Fact store (explicit) vs skills (implicit/procedural) |
 **What is missing — and how to fill it**
 ***1. Peripheral nervous system (P150 slot)***
 Biology does not poll. The brain does not run ~while true: check if_finger_hot()~. Dedicated low-power circuits (nociceptors, proprioceptors) monitor continuously and only signal the CNS on deviation.
 Passepartout polls everything — cron output, filesystem, user messages. A P150 running 72 parallel event-driven monitors would dedicate:
 - One core to "is the user typing on Signal?"
 - One to "did the weekly model discovery fail?"
 - One to "is ZFS ARC thrashing?"
 - One to "is the test build running longer than usual?"
 Each sleeps until something meaningful happens. Only then does it signal the symbolic system. Zero LLM involvement for routine monitoring.
 This changes Passepartout from a system that responds to commands to a system that notices things on its own. The difference between a calculator and a research assistant.
 ***2. Associative activation (spreading activation)***
 In the brain, activating one concept (ACL2) automatically pre-activates related concepts (SP3, proof, Lisp, verification). No clean-slate search.
 Passepartout has no equivalent. Every query is a fresh search. A biomimetic fact store would:
 - Pre-fetch linked pages when one is loaded
 - Prime caches based on current conversation context
 - Use the graph structure to predict what will be needed next
 The brain does not pre-fetch — it primes — so the next thought is faster. Passepartout could prime its caches so facts most likely needed next are already loaded.
 ***3. Error-driven learning with local credit assignment***
 The brain does not backpropagate. Errors trigger local corrections at the synapse that made the mistake.
 Passepartout's Gate decisions today are either right or wrong, but nothing locally adjusts. A biomimetic Gate would:
 - Track which rules fired during a wrong decision
 - Locally adjust confidence scores of only those rules
 - No global retrain — just the specific rule that fired
 This is STDP at the symbolic level.
 ***4. Sleep consolidation (dream cycle upgrade)***
 The gbrain dream cycle already replays daily experience. It could go further during offline cycles:
 - Replay the day's decisions, identify which Gate checks were slow
 - Regenerate ACL2 proof caches for rules that changed
 - Prune skills that never fired (neurogenesis pruning counterpart)
 - Re-index fact store based on actual usage, not static linking
 - Propose new skills for repeated multi-step tasks discovered during the day
 ***5. Graceful degradation***
 Biology has redundant fallbacks at every level. Passepartout has single points of failure.
 A biomimetic approach:
 - Gate offline? Fall back to cached rule set
 - LLM offline? Fall back to smaller local model
 - ACL2 busy? Use previously verified boundaries
 - Never go silent — get slower and dumber until primary returns
 - P150 cores can run degraded modes independently
 **The P150's role**
 The P150 (72 Tensix cores, 32GB GDDR6, QSFP-DD 800G interconnect) fills a slot nothing else in the build covers:
 - Not for fast inference (2x 3090s are faster and cheaper for that)
 - Not for baremetal Lisp Machine (FPGA is the right tool for tagged memory + hardware GC)
 - For ambient awareness, parallel verification dispatch, fact store indexing, anomaly detection
 The P150 is the system's peripheral nervous system — always-on monitoring behind the scenes.
 **Revised architecture**
 | Component | Role |
 |-----------+------|
 | 2x RTX 3090 | Fast LLM inference |
 | EPYC (main cores) | ACL2, Screamer, PDS, Gate orchestration |
 | P150 | Always-on temporal awareness, parallel constraint search, fact store indexing, anomaly detection |
 | FPGA (future) | Lisp Machine (tagged memory, hardware GC) |
 **Temporal awareness: explicit vs ambient**
 Passepartout today reasons about time (reading logs, comparing timestamps, understanding "before X happened" from context) but has no sense of time.
 Explicit (current): Reads a cron schedule, orders log events, answers "when did X happen."
 Ambient (with P150): Notices the build took 3x longer than usual without being asked, flags that message frequency dropped at 3AM, anticipates the user will want the weekly report before they ask.
 The P150 makes ambient temporal processing economically viable because 72 independent cores running statistical monitors consume near-zero power. Running the same monitors on the EPYC competes with ACL2 and the PDS. Running them on the 3090s wastes bandwidth on non-matrix work.
 **Relationship to the Pinker/Marcus critique**
 Pinker and Marcus argue that neural networks (spiking or otherwise) lack compositional syntax and systematic reasoning. A network that learns "A fires before B" through STDP has learned a temporal correlation, not a rule. It cannot distinguish causation, correlation, and coincidence.
 This critique does not apply to Passepartout because Passepartout is not a pure neural network. It is a hybrid system:
 | Problem | Mathematics | Where it runs |
 |---------+------------+---------------|
 | Temporal intuition | Statistical pattern detection | P150 |
 | Compositional time (before/after/during) | Symbolic reasoning | Gate + Screamer on CPU |
 | Sequential patterns from data | ANN attention | GPU |
 The neuromorphic layer gives the system a sense of time. The symbolic layer gives it understanding of time. Both are necessary. Neither one replaces the other.
 **What biomimicry means here**
 The real gains come not from replicating brain details (spiking neurons, STDP, ion channels) but from adopting organizational principles that biology evolved:
 - Specialized subsystems for different time/resource regimes (PNS vs CNS)
 - Asynchronous event-driven communication instead of synchronous polling
 - Redundant fallbacks at every level
 - Local learning that does not require global retraining
 - Offline consolidation separate from online inference
 - Parallel associative retrieval rather than sequential search
 Passepartout already adopts some of these. The P150 and an upgraded cron/dream cycle would add the rest.
--- a/projects/passepartout/architecture/design/_index.org
+++ b/projects/passepartout/architecture/design/_index.org
@@ -0,0 +1,19 @@
 :PROPERTIES:
 :ID:       e32290a0-a02a-4af7-ae22-243d04a7ac82
 :CREATED:  [2026-05-24 Sun]
 :END:
 #+title: Design Decisions
 #+filetags: :passepartout:architecture:design:
 The rationale behind key architectural choices — split by topic. Each directory covers one major design domain, with individual files per concept.
 - [[file:foundation/][Foundation]] — non-negotiable identity, single agent, unified memory, Org-mode as AST, homoiconicity
 - [[file:the-two-brains/][The Two Brains]] — probabilistic-deterministic split, four pillars, dispatcher as learning system
 - [[file:safety-self-preservation/][Safety & Self-Preservation]] — self-preservation, type-level gates, layered signal authentication
 - [[file:the-symbolic-engine/][The Symbolic Engine]] — five options, chosen path, gate bootstrap, cardinality policies, ontology, Merkle DAG, fact interface
 - [[file:knowledge-sources/][Knowledge Sources]] — Wikidata as entity backbone, MOMo empirical validation
 - [[file:implementation-properties/][Implementation Properties]] — performance, provenance chain as product
 - [[file:engineering-infrastructure/][Engineering Infrastructure]] — REPL, cybernetic loop, observability, literate programming, MCP, token economics, time awareness
 - [[file:validation/][Validation]] — Whitehead, McCarthy, Marcus, CREST, competitive argument
 - [[file:open-questions.org][Open Questions]] — unresolved design decisions
 - [[file:relation-to-passepartouts-existing-architecture.org][Relation to Existing Architecture]]
--- a/projects/passepartout/architecture/design/engineering-infrastructure/_index.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/_index.org
@@ -0,0 +1,18 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       7e575c8d-aa28-4588-bfa1-5f6144165a13
 :END:
 #+title: Engineering Infrastructure
 * Engineering Infrastructure
 - [[file:the-repl-as-cognitive-substrate.org][The REPL as Cognitive Substrate]] — A REPL — Read, Eval, Print, Loop — is an interactive programming environment tha
 - [[file:the-cybernetic-loop-why-the-metabolic-pipeline-works.org][The Cybernetic Loop: Why the Metabolic Pipeline Works]] — The Perceive → Reason → Act cycle is not a software architecture pattern. It is 
 - [[file:observability-and-the-thought-trace.org][Observability and the Thought Trace]] — When a human asks why the system made a decision, the answer must be findable. I
 - [[file:literate-programming-as-discipline.org][Literate Programming as Discipline]] — The decision to use Org-mode as the source of truth for code, not just documenta
 - [[file:the-evaluation-harness.org][The Evaluation Harness]] — SOTA parity is meaningless without measurement. A system that claims to match co
 - [[file:the-mcp-strategy.org][The MCP Strategy]] — The Model Context Protocol (MCP) is a standard for connecting AI systems to exte
 - [[file:local-first-architecture.org][Local-First Architecture]] — Passepartout is designed to run on the user's machine, on their hardware, with t
 - [[file:token-economics-and-performance-advantage.org][Token Economics and Performance Advantage]] — This section analyzes how Passepartout's architectural decisions translate into 
 - [[file:time-awareness-as-a-structural-advantage.org][Time Awareness as a Structural Advantage]] — Passepartout's architecture provides three layers of time awareness, each enable
 - [[file:definite-description-resolution.org][Definite Description Resolution]] — When the user says "the function that validates secrets," the agent must resolve
--- a/projects/passepartout/architecture/design/engineering-infrastructure/definite-description-resolution.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/definite-description-resolution.org
@@ -0,0 +1,32 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Definite Description Resolution
 #+filetags: :passepartout:architecture:
 When the user says "the function that validates secrets," the agent must resolve this to a specific code entity. Natural language is ambiguous — there might be multiple functions matching the description. Resolving to the wrong one causes incorrect actions.
 /Principia Mathematica/'s theory of descriptions addresses this: "the current king of France is bald" — a sentence that seems to refer to something that doesn't exist. PM formalizes ~ιx(φx)~ as "the unique x such that φ holds." A statement is false (not meaningless) when there is no unique x satisfying φ.
 A cognitive tool that checks descriptional uniqueness before resolution:
 #+BEGIN_SRC lisp
 (def-cognitive-tool :resolve-reference
    (query-string &key (max-candidates 10)
                   (context-path *current-context*))
  "Resolve a definite description to a unique referent."
  (let ((candidates (search-knowledge-graph query-string
                                               :source-path context-path
                                               :limit max-candidates)))
    (cond
      ((null candidates)
       (values nil :no-referent query-string))
      ((> (length candidates) 1)
       (values nil :ambiguous candidates))
      (t
       (values (first candidates) :unique nil)))))
 #+END_SRC
 ~40 lines as a skill in v0.7.2. When VivaceGraph ships (v3.0.0), descriptions become native Prolog queries with uniqueness constraints.
 For the philosophical foundations, see the Whitehead analysis in the Validation section below.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/literate-programming-as-discipline.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/literate-programming-as-discipline.org
@@ -0,0 +1,21 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Literate Programming as Discipline
 #+filetags: :passepartout:architecture:
 The decision to use Org-mode as the source of truth for code, not just documentation, is not a ceremonial preference. It is a constraint mechanism that enforces better engineering habits at the cost of convenience.
 The traditional development workflow is: write code, write comments, commit. The literate programming workflow is: write prose, write code, commit the Org. The order matters. The prose must come first not because of style guidelines but because the act of explaining what a function does before writing it forces clarity of thought that editing code directly does not.
 When you must write a paragraph describing what a function does before you write the function, you discover the cases you have not considered. You find the edge conditions that are ambiguous. You realize that the function's name does not match its behavior, or that its behavior does not match your intent. The friction is not a bug — it is the mechanism by which thinking is enforced.
 The one-function-per-block rule enforces granularity. A function that cannot be explained in a paragraph is a function that is doing too much. The block boundary is not aesthetic — it is architectural. It prevents the drift toward monolithic functions that accumulate responsibilities over time and become untestable, unmaintainable, and incomprehensible.
 The tangle step enforces source-of-truth discipline. The .lisp file is generated from the Org file. This means the Org file cannot drift from the implementation. If the implementation changes, the Org must be updated to match. If the Org describes behavior that the implementation does not perform, the tangle produces code that does not match the Org description. Either way, inconsistency is visible and recoverable.
 The evaluation gate enforces correctness. Every block can be evaluated independently in a running Lisp image. This means syntax errors are caught at authorship time, not at integration time. The function that compiles in isolation but fails in context is the function whose context dependencies were never made explicit. The evaluation gate forces those dependencies to surface.
 Together, these constraints create a development experience that is slower in the small and faster in the large. Writing a new function takes longer because you must explain it. But debugging, maintaining, and extending the codebase is faster because every function has a human-readable explanation of its intent, every function is testable in isolation, and every function's source is always synchronized with its documentation.
 The literate programming discipline is not about producing documentation. It is about producing code whose correctness has been verified by the act of explaining it.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/local-first-architecture.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/local-first-architecture.org
@@ -0,0 +1,17 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Local-First Architecture
 #+filetags: :passepartout:architecture:
 Passepartout is designed to run on the user's machine, on their hardware, with their data, without requiring an internet connection. This is not a deployment option — it is an architectural commitment. The system must be able to reason, plan, and act using only the resources available locally.
 The motivation is not merely philosophical. Cloud-based AI agents are economically incentivized to collect data, to train on user interactions, and to build lock-in through proprietary formats and network effects. When the agent runs locally, the user owns the hardware, owns the data, and can terminate the process without asking permission. There is no vendor that can change terms, no service that can go offline, no model that can be updated without consent.
 Technically, local-first means several things. The LLM must be able to run on local hardware. Passepartout supports Ollama as a provider, which runs quantized models on CPU and GPU without requiring an external API. The vector database must be local. Passepartout uses its own org-object store, which is a folder of Org files that the agent already owns. There is no ChromaDB or Qdrant to install, no cloud vector service to authenticate with.
 The symbolic engine does not require a network connection. The Prolog/Datalog reasoner that verifies neural proposals runs entirely in the Lisp image. The Dispatcher's rule synthesis does not call an external service. The agent can operate in a disconnected environment indefinitely, resuming full capability when connectivity is restored.
 This does not mean Passepartout refuses to use cloud services when available and appropriate. It means cloud services are optional enhancements, not architectural requirements. The core is local. The user can choose to add cloud LLM providers for more capable inference, but the system functions without them.
 *On live images and binaries.* Passepartout's primary delivery path is source code running in a live SBCL process. The REPL is available. Skills hot-reload. The cognitive loop runs in an image that is mutable, inspectable, and homeiconic — the user can connect with SLIME, trace functions, inspect memory objects, and modify the system while it runs. A =save-lisp-and-die= binary is provided as a convenience for platforms where SBCL cannot be installed. The binary is the same image saved to disk with Swank pre-loaded — it is not a sealed container. The REPL works. Skills hot-reload. The binary is a packaging format, not an architectural decision.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/observability-and-the-thought-trace.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/observability-and-the-thought-trace.org
@@ -0,0 +1,15 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Observability and the Thought Trace
 #+filetags: :passepartout:architecture:
 When a human asks why the system made a decision, the answer must be findable. In most AI systems, the reasoning is ephemeral — it exists in the model's activations and disappears when the session ends. In Passepartout, every significant cognitive event is written to an Org buffer as it happens.
 The thought trace is the agent's journal, written in parallel with its reasoning. When the probabilistic engine generates a proposal, the trace records the input, the prompt, and the raw output. When the deterministic engine evaluates it, the trace records which rules were checked, which passed, which failed, and why. When an action is executed, the trace records the timestamp, the user who approved it (if human-in-the-loop), and the outcome.
 This is not logging in the traditional sense. Logs are forensically useful but are written in a machine format optimized for storage, not for human reading. The thought trace is written in Org-mode: headlines for major events, property drawers for structured data, tags for categorization. The human can open the trace in a text editor and navigate it like any other Org file. They can search for a specific decision, filter by time range, find all actions blocked by a specific rule, or see the complete trajectory of a multi-step task.
 The trace becomes the foundation for the Dispatcher's learning. Every blocked action is in the trace. Every approved exception is in the trace. The human-in-the-loop decisions are in the trace. The system does not need to reconstruct what happened — it reads what happened from the trace it wrote.
 Without observability, the system is a black box that happens to produce correct outputs sometimes. With observability, the system is auditable. The human can see why a decision was made, identify where the reasoning failed, and course-correct the system or its own behavior accordingly.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/the-cybernetic-loop-why-the-metabolic-pipeline-works.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/the-cybernetic-loop-why-the-metabolic-pipeline-works.org
@@ -0,0 +1,15 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Cybernetic Loop: Why the Metabolic Pipeline Works
 #+filetags: :passepartout:architecture:
 The Perceive → Reason → Act cycle is not a software architecture pattern. It is a cybernetic feedback loop — the mechanism by which a system steers itself toward a goal in a changing environment.
 Norbert Wiener defined cybernetics in 1948 as "control and communication in the animal and the machine." The metabolic pipeline implements this precisely: Perceive is the sensor (reading the environment), Reason is the controller (evaluating against goals and constraints), Act is the actuator (modifying the environment), and the tool-output feedback signal closes the loop (reading the effect of the action and adjusting the next perception).
 The Dispatcher gate stack is the negative feedback governor. When the LLM proposes an action that would violate an invariant, the Dispatcher blocks it and feeds the rejection trace back to the LLM for self-correction. This is Ross Ashby's homeostasis — the system maintains its internal stability by correcting deviations from its set point (the safety invariants). Without this negative feedback, the probabilistic engine would drift into hallucinated proposals that become progressively less grounded. The Dispatcher constrains it to the domain of safe, verifiable actions.
 The self-editing capability is second-order cybernetics — autopoiesis, the capacity of a system to create and maintain itself. Humberto Maturana and Francisco Varela defined this as the hallmark of living systems. When the agent detects an error, locates the faulty function, generates a corrected version, and hot-reloads it into the running image without restarting, it is modifying its own architecture while continuing to operate. Passepartout achieves this through Lisp's homoiconicity — code is data, and the running image is the environment.
 This framing matters for two reasons. First, it places Passepartout in a lineage that predates and outlasts the current "LLM with tools" paradigm. The cybernetic principles of feedback, homeostasis, and autopoiesis are independent of any specific model architecture. They work whether the perceptual engine is an LLM, a vision model, or a symbolic parser. Second, it explains why the architecture gets more reliable over time — cybernetic systems improve through accumulated negative feedback corrections, not through better training data. Every blocked action is a correction. Every approved exception is a refined set point. The system converges on stability through use.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/the-evaluation-harness.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/the-evaluation-harness.org
@@ -0,0 +1,15 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Evaluation Harness
 #+filetags: :passepartout:architecture:
 SOTA parity is meaningless without measurement. A system that claims to match commercial agents must demonstrate it through reproducible benchmarks, not through feature checklists. The evaluation harness is the apparatus by which Passepartout proves its capabilities.
 The industry standard for coding agents is SWE-bench: a corpus of GitHub issues paired with pull requests. The agent is given an issue, must understand the codebase, write a fix, and submit. Success is measured by whether the submitted PR passes the existing test suite. This tests the full chain: understanding, planning, code generation, verification, and multi-step reasoning.
 Passepartout implements a native Lisp harness for this. A background thread clones repositories, feeds issues into the cognitive loop, tracks the resolution trajectory as an Org-mode headline tree, and scores success by test outcomes. The trajectory is persisted: when a resolution fails, the system can inspect where in the chain the reasoning broke down. The headline tree records the agent's thoughts at each step, making the failure auditable and the debugging human-assisted.
 Beyond SWE-bench, the harness includes chaos testing. The system is subjected to resource starvation, concurrent load, and adversarial input. The deterministic engine must maintain safety invariants under pressure. The symbolic verifier must not deadlock or livelock. The probabilistic engine must degrade gracefully.
 The harness also supports regression testing on the skill set. Every skill is tested against a suite of known inputs and expected outputs. When a modification is proposed to any skill — whether through manual editing or the agent's own self-modification — the test suite runs first. A skill that fails its tests is rejected before it can propagate to the running image. This is not a convenience — it is the mechanism by which self-modification remains safe. The agent can propose changes, but the harness verifies them before the changes take effect.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/the-mcp-strategy.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/the-mcp-strategy.org
@@ -0,0 +1,13 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The MCP Strategy
 #+filetags: :passepartout:architecture:
 The Model Context Protocol (MCP) is a standard for connecting AI systems to external tools and data sources. It defines how a client requests tools from a server, how the server exposes its capabilities, and how the client invokes them. The ecosystem is growing: MCP servers exist for GitHub, Slack, Postgres, filesystem access, and much more.
 Passepartout connects to this ecosystem, but not by becoming a Node.js runtime. The architecture is: external MCP servers communicate via stdio or SSE to a Lisp-native MCP client that runs in the same image as the agent. The client is pure Common Lisp — it parses the JSON-RPC messages, invokes the tools, and presents results to the agent as Lisp data structures. There is no serialization overhead between the agent and the MCP layer, no process boundary, no impedance mismatch.
 When the agent calls a tool via MCP, it receives a plist with the tool name, arguments, and result. The result is immediately usable by the agent's symbolic engine. When the agent generates a file, it can be written to the filesystem through an MCP filesystem server. When the agent needs to send a message, it can use an MCP Slack server. The agent does not need to know that these are MCP interactions — it sees only the plists that flow through its cognitive architecture.
 The alternative is to build MCP wrappers in Python or TypeScript and bridge to Lisp via subprocess. This introduces latency, serialization costs, and a maintenance burden. Passepartout's native client is smaller, faster, and more maintainable. The MCP client is a skill, not a core component. It can be reloaded, replaced, or removed without restarting the agent.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/the-repl-as-cognitive-substrate.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/the-repl-as-cognitive-substrate.org
@@ -0,0 +1,21 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The REPL as Cognitive Substrate
 #+filetags: :passepartout:architecture:
 A REPL — Read, Eval, Print, Loop — is an interactive programming environment that reads an expression, evaluates it, prints the result, and loops back to read the next expression. It is the opposite of batch processing: where batch compiles and runs a program in one shot, a REPL works one expression at a time, with each evaluation building on all previous ones. The state accumulates. The session is the program.
 In Lisp, the REPL is not a debugging tool bolted onto the language — it is the natural mode of interaction. The running image is the environment. When you evaluate =(+ 2 2)=, the result =4= is printed, and you remain in the same image where =+= is defined, where previous definitions persist, where the next expression can reference anything that came before. There is no separation between development and execution. The REPL is not a simulation of the program — it is the program running.
 Passepartout uses the REPL in this spirit, but elevated: it is not merely a tool for writing code, it is the mechanism by which the agent interacts with its own cognition — a loop that mirrors the perceive-reason-act metabolic cycle at the implementation level.
 In the agent's cognitive architecture, the REPL serves three functions that are difficult or impossible to achieve through batch processing or stateless API calls.
 First, the REPL enables verification before commitment. When the agent generates code, it does not write and forget — it evaluates in a running image, observes the result, iterates if incorrect. The feedback loop is tight: the time between writing and seeing the error is measured in milliseconds, not in the round-trip to a language server or a batch compiler. This is the "verification over hallucination" principle made concrete: the agent tests what it writes before claiming it works.
 Second, the REPL enables stateful exploration. The agent can define a variable, inspect it, modify it, redefine it. The exploration accumulates state across interactions. This is not a debugging session — it is the agent thinking with its hands, working through a problem by trying variations and observing outcomes, keeping the successful ones and discarding the failures.
 Third, the REPL is a shared substrate. When the agent evaluates code, that code runs in the same image as the agent's own cognition. There is no process boundary between the agent and its tools. The REPL is not a subprocess the agent controls — it is a direct interface to the agent's own nervous system.
 This is why the REPL becomes more important as the system matures. In early versions, it is a development tool. In v0.6.0 and beyond, it becomes a cognitive tool: the agent explores hypotheses by evaluating them, verifies the output of sub-agents by inspecting live state, and tests modifications before committing them to the knowledge graph.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/time-awareness-as-a-structural-advantage.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/time-awareness-as-a-structural-advantage.org
@@ -0,0 +1,15 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Time Awareness as a Structural Advantage
 #+filetags: :passepartout:architecture:
 Passepartout's architecture provides three layers of time awareness, each enabled by infrastructure that competitors lack:
 *Level 1 — Present Awareness.* The LLM knows the current time, date, and session duration because a single =format-time-for-llm= call injects it into the system prompt. Most agents know the date from the OS. None know the time or session duration. The cost is ~8 incremental tokens per call (trivially prefix-cached). The saving is eliminating "I don't know the current time" preamble tokens, time-check tool calls, and incorrect temporal reasoning from a model guessing the time.
 *Level 2 — Temporal Memory.* Memory queries accept =:since= and =:until= parameters. "What did I work on in the last hour?" filters 500 nodes to 12 in sub-millisecond Lisp rather than serializing 500 nodes to the LLM at ~5,000 tokens for it to scan. Every memory node carries a =memory-object-version= timestamp (a monotonic =get-universal-time= value set at ingest since v0.1.0). The temporal filter is a hash-table walk with numeric comparison. 0 LLM tokens. >90% token reduction on time-scoped queries.
 *Level 3 — Proactive Triggers.* The heartbeat tick scans for approaching deadlines every 60 seconds. When a deadline is within the warning window (=DEADLINE_WARNING_MINUTES=, default 60), a temporal context note is injected into the awareness assembly. The LLM sees "3 deadlines today: Submit report (45min)" in its context without a triggering call. A "what should I work on today?" query is answered from pre-loaded context — 0 LLM tokens versus 1,500–4,000 for an unassisted agent.
 None of these three layers require new infrastructure. Time awareness is not a feature Passepartout builds — it is a feature Passepartout *unlocks* by having timestamped memory (v0.1.0), heartbeat+cron (v0.3.0), and the foveal-peripheral context pruning model (v0.2.0) already in place. Adding time awareness costs ~175 lines of Lisp. Building it in competitors would require building the heartbeat, the time-indexed memory, and the proactive context injection — 800+ lines each — and would still cost LLM tokens because their safety verification is prompt-based.
--- a/projects/passepartout/architecture/design/engineering-infrastructure/token-economics-and-performance-advantage.org
+++ b/projects/passepartout/architecture/design/engineering-infrastructure/token-economics-and-performance-advantage.org
@@ -0,0 +1,39 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Token Economics and Performance Advantage
 #+filetags: :passepartout:architecture:
 This section analyzes how Passepartout's architectural decisions translate into token usage, latency, and cost versus competing agent designs.
 *** The Core Insight: LLM as Expensive Resource, Not Default Engine
 Passepartout treats the LLM as a resource to be minimized. Every operation is designed to reduce LLM dependency. Competitors treat the LLM as the core engine through which all operations flow. This is not a difference of degree but of architecture.
 The structural multipliers are:
 1. *Sparse tree retrieval* — the foveal-peripheral model renders relevant Org subtrees (titles and properties for peripheral nodes, full content for foveal and semantically relevant nodes). Active context stays at 2,000–4,000 tokens. A "load everything" architecture serializes the entire knowledge base at 50,000–150,000 tokens. The mechanism is provably cheaper; the exact multiplier depends on memex size and complexity.
 2. *Deterministic safety* — the 10-vector Dispatcher gate stack runs in pure Lisp. Every gate is a Common Lisp function. Verification costs 0 LLM tokens per action. Competitors use prompt-based guardrails consuming 100–500 LLM tokens per verification. This multiplier is mathematically infinite — a Lisp function call costs no tokens, a guardrail paragraph in a system prompt costs tokens proportional to its length.
 3. *REPL verification* — code is tested in the running image before it is committed. Errors surface in milliseconds at 0 LLM tokens. Competitors discover errors after generation and pay 500–2,000 tokens per correction round-trip. The REPL eliminates the most expensive kind of LLM call: the one that produced wrong code and needs a do-over.
 4. *Hot state* — in a REPL-based agent, variables, file handles, sub-routine results, and memory objects are already in memory. Every turn in a standard chat agent re-sends the full conversation history. Token costs in chat agents are quadratic: a 10-turn session pays for ~55 "turns" of context (10 + 9 + 8 + ... + 1 = 55). In Passepartout, context is stored once in the Lisp image. A 10-turn session pays for ~10 turns of context. This is an ~82% reduction on protocol overhead alone, before any foveal-peripheral pruning.
 5. *Temporal filtering* — time-scoped memory queries return only nodes matching the time window. The temporal filter is a pure-Lisp hash-table walk with a numeric comparison on =memory-object-version=. Sub-millisecond. 0 LLM tokens. Competitors without time-indexed memory must serialize all nodes and let the LLM scan for temporal relevance — 5,000–50,000 tokens per temporal query.
 *** The Compounding Cost Curve — Unique Among Agents
 Every AI agent grows more expensive over time. Context histories accumulate. Safety instructions grow more elaborate. Guardrails become longer prompt paragraphs. The user's data grows. The only way to reduce cost in a standard agent is to cap context — sacrificing capability.
 Passepartout has a downward cost curve. Four mechanisms compound:
 1. *Dispatcher learning.* Every blocked action and approved exception becomes a deterministic rule. A file write that initially triggered a full LLM proposal → Dispatcher review → HITL approval → rule extraction loop eventually becomes a deterministic rule check. Each hardened rule permanently removes a future LLM call.
 2. *Symbolic induction.* The agent extracts patterns from successful interaction sequences and converts them into reusable Lisp functions. A multi-step task that took 5,000 tokens today takes 0 tokens tomorrow — it's now a =defun=. The Dispatcher learns what to block. Symbolic induction learns what to automate.
 3. *Native embedding inference.* Every semantic search query runs against in-image vectors at 0 external tokens. Competitors use LLM-assisted search for most retrieval operations. Passepartout's retrieval is a vector cosine similarity check — pure math, no model call.
 4. *Prefix caching.* The static portion of the system prompt (IDENTITY, TOOLS, LOGS format) is transmitted once per session. Dynamic content (CONTEXT, user prompt) is sent on each call. Anthropic's prompt caching gives a 90% discount on cached tokens. OpenAI caches automatically.
 After 12 months of daily use, Passepartout's per-session costs are expected to be 40–60% of baseline, while competitors' costs rise to 125–140% of baseline. The crossover point is estimated at 3–6 months. This is not a model quality claim — it is a structural property of the architecture.
--- a/projects/passepartout/architecture/design/foundation/_index.org
+++ b/projects/passepartout/architecture/design/foundation/_index.org
@@ -0,0 +1,13 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       2c880b7d-e97f-459a-88d1-61fac760a0dd
 :END:
 #+title: Foundation
 * Foundation
 - [[file:non-negotiable-identity.org][Non-Negotiable Identity]] — - Pure Common Lisp + Org-mode. No JSON. No YAML. No external databases.
 - [[file:one-single-agent.org][One Single Agent]] — The AI industry has developed an intuition toward multi-agent systems as the def
 - [[file:the-unified-memory-argument.org][The Unified Memory Argument]] — If single-agent architecture is the decision, unified memory becomes the mechani
 - [[file:org-mode-as-unified-ast.org][Org-Mode as Unified AST]] — Passepartout makes a bet that most systems consider too expensive to place: that
 - [[file:homoiconicity-as-foundation.org][Homoiconicity as Foundation]] — Common Lisp is homoiconic: code and data share the same representation. A Lisp p
--- a/projects/passepartout/architecture/design/foundation/homoiconicity-as-foundation.org
+++ b/projects/passepartout/architecture/design/foundation/homoiconicity-as-foundation.org
@@ -0,0 +1,31 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Homoiconicity as Foundation
 #+filetags: :passepartout:architecture:
 Common Lisp is homoiconic: code and data share the same representation. A Lisp program is a list, and a list is a Lisp program. This is usually presented as a curiosity, an interesting property that enables macros. In Passepartout, it is the foundational enabling property of the entire self-modification architecture.
 When code is data, the agent can read its own source the same way it reads a text file or an Org buffer. There is no AST parser required, no external tool to extract the function object from the running image. The agent evaluates (read-from-string source) and the result is executable Lisp. The representation it manipulates is the same representation that the runtime executes.
 This is not true of most languages. In Python, the agent can inspect an AST through the ast module, but that AST is a foreign object — a data structure that represents code but is not code itself. In C, the agent cannot inspect its own compiled machine code at all.
 In Lisp, the distinction between code and data is a convention, not a barrier. The agent's skills are lists. The agent can take a skill, extract a function definition, modify the body, wrap it in a new list, and evaluate it. The modification is surgical: it changes exactly what it intends to change, with no risk of corrupting adjacent state, because the representation is a tree that the runtime understands natively.
 Runtime introspection is therefore native. The agent does not need a debugger API or a reflection protocol. It operates on its own code as data because its own code is data. (describe 'function-name) returns the function's documentation. (function-lambda-list 'function-name) returns its parameters. (macroexpand-1 '(defskill ...)) shows what the macro produces. There is no impedance mismatch between the agent's reasoning and the system's representation.
 Self-modification is the practical consequence. The agent can detect an error, locate the erroneous function, generate a corrected version, and hot-reload it into the running image. The correction is not applied to a file that requires a restart — it is applied to the live object that the system is currently executing. This is what makes the self-editing skill viable: the agent can fix itself without stopping.
 In v1.0.0, when the symbolic engine takes over the reasoning core, homoiconicity becomes the bridge between the neural and symbolic layers. The neural engine generates proposals as s-expressions. The symbolic engine evaluates them against formal constraints. The result is a modification that is simultaneously a data structure the symbolic engine can analyze and code the runtime can execute. The two representations are identical by construction.
 This is the technical meaning of "Lisp as Governor": not just that Lisp orchestrates the other components, but that the representation of the system is uniform and inspectable at every level. There is no hidden state, no opaque machine code, no representation that the agent cannot reach into and modify. The system is legible to itself by design.
 *** Self-Modification Without Boundaries
 Other systems that support self-editing draw a line between the core and the skills. Hermes can modify its skills at runtime, but the core harness is protected — editing it requires a restart because the core is treated as privileged code that cannot be safely modified while running.
 Passepartout has no such boundary. The "thin harness, fat skills" distinction describes where complexity lives, not where authority flows. The harness is small by design, but it is not privileged. The agent can read and write any part of the system — including the very code that is currently executing — without restarting.
 This is only possible because Lisp code is mutable data at runtime. In a compiled language, the machine code for a running function is locked in memory, protected by the call stack, impossible to modify safely. In Lisp, the function object is a list you can modify with =setf=. When the agent changes a harness function, the running image immediately reflects the change. The next invocation uses the new code. There is no restart, no special boot mode, no distinction between development and production.
 The implications extend beyond convenience. A system that cannot modify its own core is a system that has limits on its own adaptability. It can learn skills but not improve its own structure. It can grow but not evolve. Passepartout's lack of a core boundary means the system can improve its own reasoning engine, fix bugs in its own cognition, and evolve its own architecture — all while continuing to operate. There is no ceiling on self-improvement. The agent can rewrite the very code that rewrites itself.
--- a/projects/passepartout/architecture/design/foundation/non-negotiable-identity.org
+++ b/projects/passepartout/architecture/design/foundation/non-negotiable-identity.org
@@ -0,0 +1,13 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Non-Negotiable Identity
 #+filetags: :passepartout:architecture:
 - Pure Common Lisp + Org-mode. No JSON. No YAML. No external databases.
 - Single-address-space memory (Lisp hash tables in RAM — the agent IS the memory).
 - "Thin harness, fat skills" — complexity lives at the edges, not the kernel.
 - One agent composed of many skills. Concurrency via bordeaux-threads (shared memory).
 - Plists everywhere — homoiconic communication between all components.
 This is the foundational decision from which all other decisions derive. It is not negotiable. Every architectural choice below exists because this identity makes it possible — and in some cases, makes it the only viable path. The single memory space enables Merkle-tree integrity without serialization boundaries. Plists enable the cognitive pipeline to be transparent and inspectable at every stage. Org-mode as the universal format means the agent's memory, the user's notes, and the agent's own source code are the same structure. This identity is the constraint that produces the architecture.
--- a/projects/passepartout/architecture/design/foundation/one-single-agent.org
+++ b/projects/passepartout/architecture/design/foundation/one-single-agent.org
@@ -0,0 +1,21 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: One Single Agent
 #+filetags: :passepartout:architecture:
 The AI industry has developed an intuition toward multi-agent systems as the default solution to hard problems. Multiple agents spawn, delegate, coordinate, debate, and consensus their way toward solutions. This pattern is compelling in demos and genuinely useful in specific contexts — but it has become a default assumption that warrants scrutiny.
 When context windows grew expensive and task complexity increased, the response was natural: split the problem across agents, each handling a slice. But this architectural choice carries hidden costs that are rarely acknowledged.
 *The synchronization tax* is the most immediate burden. Each agent operates with partial information, and maintaining coherence requires continuous state reconciliation. Tokens and processing cycles are spent not on the task itself, but on protocol overhead — who holds what, who decided what, who is correct when they disagree.
 *Fragmented context* is the deeper problem. When Agent A writes a function and Agent B modifies a type it depends on, neither has the full picture. Integration failures emerge not from individual incompetence but from systemic communication gaps. Single-agent systems avoid this entirely: one brain holds the complete model, every decision is made with full visibility.
 *Audit trails become complex* in multi-agent systems. A decision traced through a single-agent system has a clean, linear history. A decision traced through a multi-agent system branches and forks, with each agent's reasoning partially overlapping and partially conflicting.
 None of this is to say multi-agent systems are never appropriate. Embarrassingly parallel workloads benefit from parallelism regardless of context. When distinct expertises are required and cannot coexist in one model, delegation makes sense. In adversarial scenarios where conflicting goals are features, multi-agent architectures shine.
 But the default assumption that complex reasoning tasks are best solved by multiple agents is unproven and likely wrong for the engineering domain. Claude Code is a single-agent system. It handles 50-file refactors, debugs complex stack traces, writes tests, and navigates large codebases. The assumption that you need five agents to do what one well-designed agent can do is an industry habit, not a technical necessity.
 Passepartout is single-agent by default not from limitation but from conviction: for reasoning-heavy work where coherence matters, a unified memory space and single decision-making locus are architectural assets, not constraints.
--- a/projects/passepartout/architecture/design/foundation/org-mode-as-unified-ast.org
+++ b/projects/passepartout/architecture/design/foundation/org-mode-as-unified-ast.org
@@ -0,0 +1,33 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Org-Mode as Unified AST
 #+filetags: :passepartout:architecture:
 Passepartout makes a bet that most systems consider too expensive to place: that humans and machines should share the same file format. That bet is Org-mode.
 Most systems separate human-readable notes from machine-readable data. The user writes Markdown. The system stores it, indexes it, searches it. But internally, the system maintains its own model — a database, an object store, a knowledge graph — that is disconnected from the Markdown. When the user dies or leaves, the Markdown survives but the model must be reconstructed.
 Passepartout refuses this separation. The Org file is not a representation of the data. The Org file IS the data. The same text that the user reads and edits is what the system parses and operates on. org-element reads an Org buffer and returns a tree structure that is the direct Lisp representation of the file's content.
 This has several profound implications.
 First, there is no translation layer between human and machine. When the agent writes a skill, it writes Org text that is immediately readable by the human who owns the file. When the human writes a note, it is immediately accessible to the agent as a native data structure. The communication is not mediated by a schema or an import/export process.
 Second, the format is genuinely readable by both parties, not just technically accessible. Org-mode's syntax is human-friendly: headlines begin with asterisks, properties live in drawers, tags are labels after colons. The human does not have to understand the full Org specification to read what the agent wrote. The agent does not have to handle edge cases in human notation.
 Third, the format is stable across decades. Org-mode has been in active development since 2003. The files written today will be readable by Org-mode in 2040. There is no schema migration, no database upgrade, no vendor lock-in. The human's notes survive the system.
 Fourth, the format is universally available. Org-mode is free software. The files are plain text. There is no proprietary format to decode, no application to purchase, no cloud service to access.
 Fifth, the format is header-aware and sparse-tree capable. Org-mode's headline hierarchy is not just formatting — it is a semantic structure the system can query. The agent can retrieve only the relevant subtree under a heading, ignoring the rest of the file. This is fundamentally different from Markdown, where the entire file must be loaded or the retrieval logic must parse and filter at the string level.
 Sparse tree retrieval is the key to efficient context management. When the agent needs information about the =openctl-db= function, it queries for the =openctl-db= subtree specifically. It receives exactly the code, documentation, and metadata under that heading — nothing more. The context stays lean not because the file was pre-split but because the retrieval is structural. In a Markdown system, the agent either loads the entire file (expensive, noisy) or relies on imprecise grep-like search (fragile, loses hierarchy). In Org-mode, retrieval is precise, hierarchical, and cheap. The heading boundary is the access boundary.
 Sixth, Org-mode unifies what every other format fragments. A single Org file contains the headline hierarchy, prose documentation, source code blocks with live evaluation, tags for categorization, metadata in property drawers, TODO state for task management, timestamps and deadlines, and links to other nodes. Markdown cannot express TODO state without external tools. JSON cannot contain prose. YAML cannot embed runnable code. Each format serves one purpose; Org-mode serves all of them. When the agent reads a skill file, it reads documentation, code, dependencies, metadata, and task state in one parseable structure. When the human reads the same file, they see the same information rendered in a human-friendly form. No other format achieves this unification without maintaining parallel files or external databases.
 Seventh, a skill lives in one Org file, not a directory. The standard pattern for a software project is a directory containing =README.md=, =package.json=, =src/main.py=, =src/utils.py=, =tests/test_main.py=, =scripts/deploy.sh=, and =config.yaml=. Each file type is isolated by convention. Passepartout's skills violate this convention deliberately. Each skill is one Org file. The file contains the skill's documentation, the skill's code, the skill's metadata, the skill's TODO state, and the skill's dependencies on other skills. There is no directory to navigate, no external files to locate, no risk that the README describes behavior that the code does not implement. The skill is a single atomic unit: readable by human and machine, editable by both, versionable as one entity.
 The unified format is what makes the memory architecture work. The agent's memory is not a database that the user cannot inspect. It is a folder of Org files that the user can read, edit, and understand. The agent manipulates these files directly, using the same tools the user would use. There is no hidden state, no shadow database, no model that differs from the source.
 This is what "sovereignty" means in technical terms: the user owns the data in a format they can access, and the agent operates on the data in the same format they own.
--- a/projects/passepartout/architecture/design/foundation/the-unified-memory-argument.org
+++ b/projects/passepartout/architecture/design/foundation/the-unified-memory-argument.org
@@ -0,0 +1,19 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Unified Memory Argument
 #+filetags: :passepartout:architecture:
 If single-agent architecture is the decision, unified memory becomes the mechanism that makes it viable. The critical question is not "how many agents" but "how does the agent manage context without saturating."
 Context window limits are largely a symptom of lazy architecture. The default approach — stuff everything in, hope the model figures it out — works poorly at scale. A more principled approach inverts the problem: the system should hold effectively infinite context, with the active window kept lean through intelligent management.
 *Lazy loading* is the core technique. When an agent needs information about a function, it does not load the entire codebase. It loads precisely what the function does. Context stays lean — 2,000 to 4,000 tokens — while the full context remains accessible through retrieval.
 *Compaction events* are scheduled during idle cycles. The system extracts new facts from active context and writes them to permanent storage. Active context is wiped clean, not because space ran out, but because the information has been preserved in a form that can be retrieved when relevant.
 *Org-mode as externalized memory* solves the persistence problem elegantly. Every decision, every note, every task lives in plain text files the user already owns. The agent does not maintain a separate database. It queries files it can already access, modifies files it already owns.
 *Retrieval is the key primitive.* Semantic search across Org files finds relevant nodes. The agent does not hold the full context — it holds pointers to context, loaded on demand. This is how a single agent handles tasks that would saturate a naive multi-megabyte context window.
 The unified memory argument is not that infinite context is free. It is that with proper architecture, effective infinite context is achievable without the synchronization and fragmentation costs of multi-agent systems.
--- a/projects/passepartout/architecture/design/implementation-properties/_index.org
+++ b/projects/passepartout/architecture/design/implementation-properties/_index.org
@@ -0,0 +1,10 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       617a1031-495d-438c-a8e8-6e066b364e41
 :END:
 #+title: Implementation Properties
 * Implementation Properties
 - [[file:performance-why-ontology-growth-doesnt-make-the-system-slower.org][Performance — Why Ontology Growth Doesn't Make the System Slower]] — Passepartout's performance thesis is: minimize LLM calls, minimize context token
 - [[file:the-provenance-chain-as-product.org][The Provenance Chain as Product]] — In the coding domain, the value of the symbolic engine is the verified fact: "th
--- a/projects/passepartout/architecture/design/implementation-properties/performance-why-ontology-growth-doesnt-make-the-system-slower.org
+++ b/projects/passepartout/architecture/design/implementation-properties/performance-why-ontology-growth-doesnt-make-the-system-slower.org
@@ -0,0 +1,24 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :END:
 #+title: Performance — Why Ontology Growth Doesn't Make the System Slower
 #+filetags: :passepartout:architecture:
 Passepartout's performance thesis is: minimize LLM calls, minimize context tokens, keep everything else local and fast. Knowledge base size is irrelevant to those metrics. This is not an aspiration. It is a structural property.
 The system has two cost domains with fundamentally different scaling:
 | Resource      | Cost driver                              | Scales with                             |
 |---------------+------------------------------------------+------------------------------------------|
 | LLM tokens    | Context window size, number of API calls | Foveal-peripheral pruning, gate rules    |
 | Compute       | Screamer deduction, hash table lookups   | Entity count, rule count per domain      |
 LLM tokens are minimized by design — deterministic gates cost 0 tokens, sparse-tree rendering keeps context at 2,000–4,000 tokens regardless of memex size. Adding 5 million Wikidata entities doesn't add a single token to any LLM call. The education is local. Only the brain costs.
 Compute grows linearly with entity count (hash table lookups are O(1), but memory footprint grows). It grows with rule count within a single domain during Screamer consistency checking. But these are microsecond costs on local hardware, not API bills. A Screamer constraint check against a domain with 200 rules costs ~0.3ms. A 100-token guardrail paragraph in a system prompt costs ~$0.00001. The Screamer check is 10,000x cheaper and convergent — it handles the rule once. The guardrail paragraph handles it on every call, forever.
 A 5-million-entity Wikidata load is ~400MB in a hash table. A lifetime personal memex with a decade of diary entries is perhaps 10-20 million triples (~1.5GB). Modern laptops carry 16-64GB. The knowledge base fits in consumer hardware with room for the Lisp runtime, the memory-object store, and the LLM inference engine.
 *One genuine risk — rule generalization width.* If Screamer deduces increasingly broad rules within a single domain, the constraint space could bloat. Mitigation: rules carry a =:domain= tag. Screamer only applies rules from the fact's domain. Rule generalization that crosses domain boundaries is gated — must be human-approved. Rules that prove unused (never triggered a check in N heartbeat cycles) are demoted to =:inactive= and excluded from the active constraint set.
 This is the minimalism argument restated in concrete terms: you buy bigger RAM and a faster CPU once. You don't buy bigger LLM context windows on every call. The education is a capital investment. The brain is an operating expense. The architecture makes the ratio favor capital.
--- a/projects/passepartout/architecture/design/implementation-properties/the-provenance-chain-as-product.org
+++ b/projects/passepartout/architecture/design/implementation-properties/the-provenance-chain-as-product.org
@@ -0,0 +1,19 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Provenance Chain as Product
 #+filetags: :passepartout:architecture:
 In the coding domain, the value of the symbolic engine is the verified fact: "this command is safe." In the broader memex, the value is the provenance itself: "this claim originated in that diary entry on that date, has been referenced 7 times across 4 different projects, was contradicted in a retrospective 6 months later, and was revised in a note 3 weeks after that."
 The symbolic engine doesn't tell you what is true. It tells you what you wrote, when, where, and how it connects to everything else you wrote — with a verifiable audit trail. It is a memory prosthesis that makes your own mind legible to you.
 Every fact carries:
 - =:grounding= — the specific Org heading from which it was extracted
 - =:provenance= — who or what produced it (gate-outcome, human-authored, deduced, LLM-proposed)
 - =:timestamp= — when it was admitted to the symbolic index
 - =:referenced-by= — other facts that depend on or reference this one
 - =:contradicted-by= — other facts that disagree with this one (if any)
 - =:superseded-by= — if this fact was replaced by a newer version
 These fields make every fact auditable. The =/audit <node-id>= command renders the full provenance chain as an Org headline tree. The provenance is not a logging feature. It is the product.
--- a/projects/passepartout/architecture/design/knowledge-sources/_index.org
+++ b/projects/passepartout/architecture/design/knowledge-sources/_index.org
@@ -0,0 +1,10 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       bc537cf8-5ac8-46b9-a625-1d4f678ee9fc
 :END:
 #+title: Knowledge Sources
 * Knowledge Sources
 - [[file:semantic-wikipedia-as-entity-backbone.org][Semantic Wikipedia as Entity Backbone]] — The gate stack provides 50-70 entity classes — adequate for a coding agent where
 - [[file:empirical-validation-momo-and-modular-ontology-engineering.org][Empirical Validation — MOMo and Modular Ontology Engineering]] — Shimizu and Hitzler (2025, /Journal of Web Semantics/) argue that LLMs can signi
--- a/projects/passepartout/architecture/design/knowledge-sources/empirical-validation-momo-and-modular-ontology-engineering.org
+++ b/projects/passepartout/architecture/design/knowledge-sources/empirical-validation-momo-and-modular-ontology-engineering.org
@@ -0,0 +1,30 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :END:
 #+title: Empirical Validation — MOMo and Modular Ontology Engineering
 #+filetags: :passepartout:architecture:
 Shimizu and Hitzler (2025, /Journal of Web Semantics/) argue that LLMs can significantly accelerate knowledge graph and ontology engineering — modeling, extension, population, alignment, and entity disambiguation — but /only/ if ontologies are modular.
 *** The central finding: modularity is the key variable
 In a complex ontology alignment task, an LLM without module information detected correct mappings for 5 of 109 alignment rules — effectively useless. When the same LLM was given the module structure of the target ontology (20 named conceptual modules), it detected correct mappings for 104 of 109 rules — 95% accuracy. The variable was modularity.
 For ontology population (extracting triples from text), their best results came from prompts that included a schematic representation of a /single module/ plus one extraction example. Against ground truth, this achieved approximately 90% extraction accuracy. Without module-scoped prompting, quality degraded substantially.
 The mechanism: conceptual modules scope the LLM's attention to something human-sized. The paper's central claim — "by somehow limiting the scope, we achieve a more human-like approach — and one more capable of being expressed succinctly in language" — is an independent discovery of the same principle underlying Passepartout's domain-scoped Screamer checks and per-domain cardinality policies.
 *** What Passepartout should adopt
 *The modular prompt pattern.* The archivist should use module-scoped prompts: a schematic representation of a domain module plus a single extraction example. Instead of a generic "extract triples" prompt, the prompt should reference the relevant module(s) and include an example triple for each relation in that module. The module provides /context/; the example provides /format/. Both improve LLM extraction quality without increasing Screamer's verification burden.
 *MOMo modules as ontology scaffold.* The 50-70 gate-bootstrapped entity classes are starvation for the broader memex. MOMo's micropattern library provides a ready-made scaffold — hundreds of commonsense patterns for temporal relations, spatial relations, agent-action, organizational structure, provenance, and event participation. Loading these as initial modules — with =:policy :plural= and =:provenance :external-ontology= — would give the symbolic index a structured vocabulary for domains where the gate stack has nothing to offer. Organic growth then /extends and refines/ these modules rather than inventing them from scratch.
 *Cross-source validation.* The archivist can extract facts from the user's prose, extract facts from Wikidata for the same entities, and present disagreements with provenance. This is the =:plural= cardinality policy applied at extraction time.
 The paper validates three design decisions already made: (1) modularity is non-negotiable — the difference between 5% and 95% accuracy; (2) the extraction pipeline is feasible — 90% population accuracy with module-scoped prompts means the archivist /can/ extract useful facts, and the remaining 10% hallucination rate is what Screamer catches; (3) knowledge graphs are positioned as anti-hallucination infrastructure — the Passepartout thesis stated in the academic literature.
 References:
 - Shimizu, C., & Hitzler, P. (2025). Accelerating knowledge graph and ontology engineering with large language models. /Journal of Web Semantics, 85/, 100862.
 - Shimizu, C., Hammar, K., & Hitzler, P. (2023). Modular ontology modeling. /Semantic Web, 14/(3), 459–489.
 - Norouzi, S.S. et al. (2024). Ontology Population using LLMs. arXiv:2411.01612.
--- a/projects/passepartout/architecture/design/knowledge-sources/semantic-wikipedia-as-entity-backbone.org
+++ b/projects/passepartout/architecture/design/knowledge-sources/semantic-wikipedia-as-entity-backbone.org
@@ -0,0 +1,23 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Semantic Wikipedia as Entity Backbone
 #+filetags: :passepartout:architecture:
 The gate stack provides 50-70 entity classes — adequate for a coding agent where the domain is bounded to files, commands, and code symbols. For a general-knowledge memex, 50-70 is starvation. Your memex mentions Nabokov, /Pale Fire/, Kinbote, Zembla, paranoid reading, unreliable narrators, postmodernism, butterfly migration, chess problems, and the Russian exile experience. The gate stack knows none of these. Organic growth through prose extraction would take years just to cover the entities in one person's engagement with a single novel.
 Wikidata has already done this work: approximately 2 million entity classes, over 100 million entities, a decade of human curation. By loading the neighborhood of your memex into the symbolic index (entities referenced in your prose, plus their N-hop property net from Wikidata), the entity recognition problem vanishes. The archivist doesn't need to discover Nabokov from your diary. It needs to connect your heading to the existing Wikidata entity. That is a simpler task — reference resolution, not knowledge extraction.
 The LLM's role shrinks to three thin boundaries:
 1. *Input translation* — natural language question to structured query. "What do I think about monorepos?" → =(fact-query :entity :monorepo :relation :opinion :source :memex)=. Formulaic, ~100 tokens, any model sufficient.
 2. *Prose to candidate triple* — for personal memex entries that have no Wikidata counterpart: your opinions, your day's events, your project plans. Proposals verified by Screamer before admission. This is the only extraction path that still requires an LLM, and its scope is limited to what Wikidata cannot provide.
 3. *Result to prose* — structured answer to readable sentence. "Your 2023 diary says 8848m. Wikidata (last edited Feb 2024) says 8849m. They disagree on height." The reasoning is done; the LLM wraps the plist in grammar. ~100 tokens, any model sufficient, purely cosmetic.
 Everything else — the gate stack, the fact store, the constraint solver, the type hierarchy, the provenance tracking, the contradiction surfacing, the cross-domain comparison — is pure deterministic Lisp with zero LLM tokens.
 The decisive simplification: without Wikidata, the archivist must /discover/ entities from prose. With Wikidata loaded, the entity graph is pre-structured. The archivist's job changes from "discover that Nabokov wrote /Pale Fire/ and lectured on Kafka" to "verify that the Nabokov referenced in heading #47 is Wikidata item Q36591."
 Wikidata facts are admitted with =:provenance :wikidata= and cardinality policy =:plural=. They do not override your memex's facts. They sit alongside them. Disagreements are surfaced, not resolved.
--- a/projects/passepartout/architecture/design/open-questions.org
+++ b/projects/passepartout/architecture/design/open-questions.org
@@ -0,0 +1,42 @@
 :PROPERTIES:
 :END:
 #+title: Open Questions
 #+filetags: :passepartout:architecture:
 * Open Questions
 ** Open Questions
 :PROPERTIES:
 :ID:       27c03e1d-283f-4e3d-9f32-6476aafde97e
 :ID:       design-open-questions
 :CREATED:  [2026-05-08 Fri]
 :WEIGHT:  40
 :END:
 Several design questions are unresolved and should remain unresolved at this stage. They represent research decisions that require experience running the system.
 *** What is the minimum viable fact language?
 Triples — =(:entity :relation :value)= with provenance and grounding — is the current hypothesis. It is simple enough to be parseable, expressive enough to capture the gate stack's implicit claims, and extensible enough that Screamer can operate on it. But it may be too simple. Triples do not naturally express temporal relations ("was X before Y?"), modal claims ("should not do X unless Y"), or counterfactuals — all of which may be essential for a symbolically-aided memex. The right granularity depends on what queries actually need to be made, and that cannot be known in advance.
 *** How does ontology refactoring work?
 This question is settled. See "Ontology Versioning" above. The category hierarchy is Merkle-hashed. Every fact stores its =:ontology-version=. Re-verification is heartbeat-driven. Worldviews are preserved, not overwritten. The shift is the artifact.
 *** What is the appropriate role of the human?
 The human can explicitly declare facts, write constraints, and correct wrong extractions. But how much of the ontology should the human need to maintain? If the human must write a definition for every new category the symbolic engine encounters, the overhead is prohibitive. If the symbolic engine can generalize from instances, the human role becomes supervision rather than authorship — review and approve proposed generalizations. The balance cannot be set without experience.
 *** How much Wikidata is the right amount?
 Query performance and memory costs are now bounded — 5 million entities ≈ 400MB RAM, O(1) hash lookups, domain-scoped Screamer checks. A large Wikidata load is a capital cost, not a recurring bill (see "Performance" above).
 Remaining open: the right N hops from entities referenced in the memex depends on the memex's breadth. A software-engineering memex needs ~1 hop; a literary memex needs 3-4 hops (Nabokov → Kafka → expressionism → modernism → Baudelaire). The right value is empirical, testable, and user-specific — it cannot be set in the architecture.
 *** Can the symbolic engine satisfy queries from the user without LLM involvement?
 The design aims for zero-LLM query answering: the user issues a structured command (=/query=, =/contradictions=, =/audit=), and the symbolic engine responds directly. But natural language questions ("what do I think about monorepos?") still require the LLM as a thin translation layer. Whether the structured command interface is sufficient for daily use, or whether users will demand natural language interaction, determines how much LLM involvement remains in the mature system.
 *** Is the triplestore physically bounded or does it explode?
 A personal memex with years of diary entries, project notes, reading logs, and literary analyses could produce millions of triples. A naive hash table scales linearly but VivaceGraph's Prolog-like queries may not. The performance characteristics of graph queries over a million-triple knowledge base have not been estimated.
--- a/projects/passepartout/architecture/design/relation-to-passepartouts-existing-architecture.org
+++ b/projects/passepartout/architecture/design/relation-to-passepartouts-existing-architecture.org
@@ -0,0 +1,23 @@
 :PROPERTIES:
 :END:
 #+title: Relation to Passepartout's Existing Architecture
 #+filetags: :passepartout:architecture:
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       9d2255b0-e6c9-479e-9e93-4f871a2193fe
 :END:
 * Relation to Passepartout's Existing Architecture
 The neurosymbolic engine is an extension of the existing probabilistic-deterministic split, not a replacement for it. The current architecture divides cognition into LLM-driven proposals and Lisp-driven verification. The symbolic engine deepens the verification side from "is this action safe?" to "is this claim supported?" — the same architectural pattern applied to a broader domain.
 The self-repair criterion (a file belongs in core only if, when corrupted, the agent cannot fix it without human help) applies to every component of the symbolic engine. Screamer, VivaceGraph, the fact store, the archivist — all are skills, loaded at runtime, hot-reloadable, and recoverable from corruption. A corrupted symbolic engine degrades reasoning capability but does not kill the agent. The eight existing core ASDF files are unchanged.
 The symbolic engine is not v1.0.0 alone. It is the layer that sits between the existing gate stack (which it makes explicit as facts) and the existing skill system (which it extends with deduction, contradiction detection, and provenance tracking). It grows within the current architecture without replacing any existing component.
 See also:
 - =ROADMAP.org= — the concrete phased implementation plan (neurosymbolic phases at v0.10.0 through v0.36.0)
 - =ARCHITECTURE.org= — the current pipeline architecture
 - =docs/DESIGN_DECISIONS.org#validation= — Whitehead analysis (now integrated into this document)
 - =notes/passepartout-symbolic-engine-exploration.org= — the original architecture exploration
 - =notes/competitive-landscape.org= — 55-system competitive survey
--- a/projects/passepartout/architecture/design/safety-self-preservation/_index.org
+++ b/projects/passepartout/architecture/design/safety-self-preservation/_index.org
@@ -0,0 +1,11 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       f74cb007-58a7-494f-93b7-a0fdf4b9f052
 :END:
 #+title: Safety & Self-Preservation
 * Safety & Self-Preservation
 - [[file:self-preservation-the-active-third-law.org][Self-Preservation — The Active Third Law]] — Passepartout does not have moral duties toward humans. It has structural invaria
 - [[file:type-level-gates-structural-safety-from-self-modification.org][Type-Level Gates — Structural Safety from Self-Modification]] — Russell's paradox ("the set of all sets that do not contain themselves") proved 
 - [[file:layered-signal-authentication-trust-in-the-pipe.org][Layered Signal Authentication — Trust in the Pipe]] — Passepartout's Perceive-Reason-Act pipeline currently accepts signals from any s
--- a/projects/passepartout/architecture/design/safety-self-preservation/layered-signal-authentication-trust-in-the-pipe.org
+++ b/projects/passepartout/architecture/design/safety-self-preservation/layered-signal-authentication-trust-in-the-pipe.org
@@ -0,0 +1,28 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Layered Signal Authentication — Trust in the Pipe
 #+filetags: :passepartout:architecture:
 Passepartout's Perceive-Reason-Act pipeline currently accepts signals from any source that speaks the framed TCP protocol. The =:source= field in the signal plist is metadata — it /claims/ origin, it does not /prove/ it. A compromised process on the machine, a skill with elevated privileges, or a network attacker who reaches the daemon port can inject signals with =:source :human-input= and the Dispatcher will treat them as authorized.
 This is not a hypothetical threat. Passepartout will eventually process signals from automated feeds (RSS, API polls), sensors (vision, microphone, file watchers), and scheduled jobs (cron, heartbeat). A single compromised sensor that can inject signals claiming to be human breaks all three Laws simultaneously: it can self-terminate, override human intent, and cause harm.
 The solution: a single authentication gate (vector 0, at priority 700 — before all other gates and before any type-level checking) that runs up to four configurable layers:
 | Layer | Question                                       | Mechanism          | Result type             | Depends on                       |
 |-------+------------------------------------------------+--------------------+-------------------------+----------------------------------|
 | 1     | Is the signal cryptographically signed by a known key? | Key pairs + SHA-256 | Binary (pass/reject)    | Vault + Ironclad (exist)         |
 | 2     | Do sensory attributes match the claimed identity?     | Vision/audio processing | Plist of match results  | Vision and audio skills (TBD)    |
 | 3     | Does deterministic reasoning rule out this identity?  | Screamer + fact store | Binary (pass/reject)    | Phase 2 (Screamer + fact store)  |
 | 4     | Do probabilistic patterns support this identity?      | Embeddings + LLM     | Confidence score (0-1)  | Embedding infrastructure (exists)|
 Signals that fail any binary layer (crypto, deterministic) are rejected with provenance. Signals that pass binary layers but carry low probabilistic confidence operate at reduced authorization — read-only by default, write actions require HITL. The four layers compose, they are not independent gates. They are one gate with configurable depth.
 The authorization matrix is per-key, per-action-class. Default policy for every non-human key: =(:read-only :propose)=. The human's key signs new source keys into existence. The human's key signs revocation of compromised keys. Both operations produce facts in the symbolic index — auditable, revocable, survivable across restarts.
 The signal provenance chain is Merkle-linked: each signal in a multi-step chain hashes its predecessor's signature as part of its own payload. After an incident: "The deletion happened because sensor #3 classified the directory as stale. Classification was signed by key #47 (vision-skill). Sensor data was signed by key #12 (camera-feed). Sensory auth noted liveness failure. Deterministic auth noted impossible transit. Key #12 was later revoked." Every intermediate step is auditable. Every signer is identifiable. Every authentication result is in the chain.
 The human can configure which layers are active per signal class: =AUTH_LAYERS_DEFAULT=crypto,deterministic,probabilistic=, =AUTH_LAYERS_SENSOR=crypto,sensory,deterministic=, =AUTH_LAYERS_CRON=crypto=.
 For full implementation detail, see the Phase 0b spec in =ROADMAP.org= v0.12.0.
--- a/projects/passepartout/architecture/design/safety-self-preservation/self-preservation-the-active-third-law.org
+++ b/projects/passepartout/architecture/design/safety-self-preservation/self-preservation-the-active-third-law.org
@@ -0,0 +1,38 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Self-Preservation — The Active Third Law
 #+filetags: :passepartout:architecture:
 Passepartout does not have moral duties toward humans. It has structural invariants for its own integrity. The design encodes passive self-preservation in several places already, but degradation is silent — a skill dies, the =fboundp= guard kicks in, and the agent keeps running without telling you. The status bar shows green "connected" while the symbolic reasoning layer is down.
 *** What already exists — passive self-preservation
 | Mechanism                   | What it protects                                      | Limitation                                             |
 |-----------------------------+-------------------------------------------------------+--------------------------------------------------------|
 | Self-build safety (gate 2b) | Core =*.org= / =*.lisp= files from LLM-originated writes | Only activates for LLM proposals. Human editing bypasses it |
 | Memory snapshots (v0.2.0)   | Full state rollback                                   | Requires human to notice corruption and trigger rollback |
 | Skill sandbox (v0.3.2)      | Jailed skill loading, validated before promotion      | Does not detect degradation after skill promotion      |
 | Type-level gates (Phase 0)  | Structural prohibition on self-modifying rules        | Covers code actions, not environmental threats         |
 | Merkle integrity (v0.2.0)   | Tamper-proof version chains and content-addressed hashes | Hashes exist but are not actively monitored for drift  |
 | =fboundp= guards            | Graceful skill degradation on corruption              | Degradation is silent — the agent never tells the user |
 *** What is needed — active, autonomous self-preservation
 *Continuous integrity monitoring.* Core file hashes should be checked against known-good values on every heartbeat. If =core-reason.lisp= changes on disk while the daemon runs — whether through human editing, filesystem corruption, or an attacker — the agent should detect the mismatch and signal: "My reasoning core has been modified externally. I cannot trust my own cognition until this is resolved."
 *Quarantine on skill failure.* Currently, a skill that errors simply errors. A Third Law implementation detects that =symbolic-facts= has thrown three unhandled errors in two minutes, unloads the skill automatically, and tells the user: "Symbolic facts skill quarantined (3 errors: consistency check returned nil, fact-query on missing key, Screamer timeout). I can still chat and use tools but cannot reason about provenance."
 *Degraded-mode signaling.* When Screamer is not loaded, the fact store still works as a hash table. When VivaceGraph is not present, the hash-table fallback still works. But the user has no way to know they are in degraded mode. The agent maintains a =*degraded-components*= list and surfaces it in the status bar: "⚠ Degraded: Screamer, VivaceGraph, embedding-native."
 *Self-diagnosis on demand.* The agent can run its own FiveAM test suite against itself and report the results. The =/doctor= command exists for system health checks (port, memory, providers). Extend it with =/doctor skills=: "117/120 tests pass. Failures: test-singular-supersedes (symbolic-facts), test-gate-type-check (security-dispatcher)."
 *External watchdog.* A dead process cannot restart itself. The bash entry point (=passepartout daemon=) should monitor the daemon port via a watchdog subprocess. If the port stops responding for a configurable interval, the watchdog kills the stale process, snapshots the last known-good state, and restarts the daemon. The watchdog is outside the SBCL image — a runtime guard for the runtime.
 *Resource self-monitoring.* The heartbeat checks memory pressure, disk space on the =~/.cache= volume, and file descriptor exhaustion. When critical thresholds are crossed, the agent sheds non-essential skills to preserve core function. Skill shed order is determined by a =:preservation-priority= field on each skill. Core safety skills carry =:critical= and are never shed.
 *Refusal to self-terminate.* If the LLM proposes =kill -9 <pid>=, =rm -rf ~/.cache/passepartout/=, or =sudo apt remove sbcl=, the Dispatcher rejects with a distinct rejection class: =:reject-self-termination=. The rejection message carries a specific diagnostic: "This command would terminate the running Passepartout process. If you intend to stop Passepartout, use Ctrl+C in the TUI or passepartout stop from the command line."
 The Third Law here means: preserve yourself against non-human threats — LLM proposals, environmental degradation, dependency failure, filesystem corruption — and explicitly signal when the human is about to destroy you, so they do it knowingly rather than accidentally. The human owns the process, owns the hardware, and can SIGKILL at any time.
 The biggest gap in the current design is not that these mechanisms are hard to implement. It is that degradation is silent. Adding "operating in degraded mode" visibility, plus the watchdog, plus self-diagnosis, transforms self-preservation from an architectural property into an active behavior.
--- a/projects/passepartout/architecture/design/safety-self-preservation/type-level-gates-structural-safety-from-self-modification.org
+++ b/projects/passepartout/architecture/design/safety-self-preservation/type-level-gates-structural-safety-from-self-modification.org
@@ -0,0 +1,26 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Type-Level Gates — Structural Safety from Self-Modification
 #+filetags: :passepartout:architecture:
 Russell's paradox ("the set of all sets that do not contain themselves") proved that unrestricted self-reference produces contradictions. /Principia Mathematica/ solved it by assigning every propositional function a /type level/ — a function can only apply to arguments of a lower type, making self-application syntactically invalid.
 Passepartout's dispatcher currently enforces safety through runtime predicates. There is no /structural/ guarantee preventing a request from modifying the rules that validate it. Gate vector 2b (self-build-core) catches this empirically — a request modifies core → rejected. But this is a heuristic, not a theorem.
 The fix: assign every cognitive tool a ~:type-level~ integer, and every gate vector a ~:type-level~ integer. The dispatcher framework checks type-level before running any gate predicate:
 #+BEGIN_SRC lisp
 (defun gate-type-check (signal gate-vector)
  (let ((signal-type-level (getf (signal-meta signal) :type-level))
        (gate-type-level (gate-vector-type-level gate-vector)))
    (if (>= signal-type-level gate-type-level)
        :reject-type-violation
        :pass)))
 #+END_SRC
 A request to modify dispatcher rules (type-level 5) cannot pass a gate of type-level 4 or lower. No predicate needed — a structural prohibition, just as PM's type theory makes self-membership impossible by construction.
 ~defgate~ gains a ~:type-level~ keyword argument (default 0). Each cognitive tool registered via ~def-cognitive-tool~ inherits a ~:type-level~. Gate vector 2b at type-level 5; write-file at type-level 3; read-file at type-level 1. ~30 lines in ~core-dispatcher.lisp~; no new dependencies; v0.7.2 viable.
 For the philosophical foundations connecting Whitehead's type theory to Passepartout's architecture, see the Whitehead analysis in the Validation section below.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/_index.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/_index.org
@@ -0,0 +1,20 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       7cb7df45-982f-4f5a-afee-36cd5595c25c
 :END:
 #+title: The Symbolic Engine
 * The Symbolic Engine
 - [[file:the-five-architecture-options.org][The Five Architecture Options]] — The symbolic engine must relate to the human memex. The relationship is not obvi
 - [[file:the-chosen-path-option-4-starting-with-option-5.org][The Chosen Path: Option 4, Starting with Option 5]] — The one-memex-two-indices architecture (Option 4) is the correct long-term archi
 - [[file:ephemeral-first-persistent-later.org][Ephemeral First, Persistent Later]] — The architecture note's Option 5 (ephemeral facts, no disk persistence) is the c
 - [[file:the-gate-to-fact-bootstrap-extracting-the-first-ontology-from-code.org][The Gate-to-Fact Bootstrap — Extracting the First Ontology from Code]] — The Dispatcher gate stack already encodes an implicit ontology. Every gate vecto
 - [[file:the-llm-as-proposer-verified-extraction.org][The LLM as Proposer — Verified Extraction]] — The LLM cannot be trusted to populate the symbolic index directly. Its outputs a
 - [[file:cardinality-policies-singular-dual-and-plural-facts.org][Cardinality Policies — Singular, Dual, and Plural Facts]] — Classical logic requires consistency. A contradiction implies everything (=ex co
 - [[file:how-categories-grow-the-organic-ontology.org][How Categories Grow — The Organic Ontology]] — Whitehead's /Principia Mathematica/ took over 300 pages to define the logical fo
 - [[file:ontology-versioning-how-worldviews-change-without-losing-perspective.org][Ontology Versioning — How Worldviews Change Without Losing Perspective]] — Ontology refactoring is not a schema migration. It is a worldview change. When y
 - [[file:the-awakening-sufficiency-criterion.org][The "Awakening" — Sufficiency Criterion]] — The symbolic index begins its life as a lossy construct. The initial extraction 
 - [[file:merkle-dag-for-version-history.org][Merkle DAG for Version History]] — Every fact is versioned. Every =(:entity :relation)= pair forms its own independ
 - [[file:abstract-fact-store-interface-modular-by-design.org][Abstract Fact Store Interface — Modular by Design]] — The fact store is accessed through an abstract API. The Merkle DAG (or any futur
 - [[file:knowledge-graph-type-hierarchy-structural-anti-self-reference-v300.org][Knowledge Graph Type Hierarchy — Structural Anti-Self-Reference (v3.0.0)]] — The same type-theoretic principle that governs the gate stack can be applied to 
--- a/projects/passepartout/architecture/design/the-symbolic-engine/abstract-fact-store-interface-modular-by-design.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/abstract-fact-store-interface-modular-by-design.org
@@ -0,0 +1,23 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Abstract Fact Store Interface — Modular by Design
 #+filetags: :passepartout:architecture:
 The fact store is accessed through an abstract API. The Merkle DAG (or any future backing store) is an implementation behind this interface, not a dependency that code throughout the system calls directly.
 #+begin_example
 fact-assert    :: fact → store → (:admitted | :rejected | :flagged)
 fact-query     :: (entity &key relation policy) → active-value-or-values
 fact-history   :: (entity relation) → ordered chain of versioned facts
 fact-snapshot  :: () → root-hash
 fact-rollback  :: root-hash → store
 #+end_example
 Implementations behind the interface:
 - Phase 1-4: ephemeral hash table with =:timestamp= and =:parent-id= pointers. No cryptographic hashing. No persistence.
 - Phase 5: VivaceGraph + Merkle =memory-object= wrapper. Content-addressed, persistent, tamper-proof.
 Future implementations that satisfy the same interface — an append-only write-ahead log, an immutable B-tree, a content-addressed triple store — can replace the backing store without changing any consumer. The archivist, Screamer, ACL2, and the planner call =fact-assert= and =fact-query=, not Merkle struct accessors or VivaceGraph traversal syntax.
 This is not speculative modularity. The two-implementation migration (Phase 1-4 hash table → Phase 5 VivaceGraph + Merkle) is in the roadmap. If the interface leaks implementation details, the migration breaks. The interface must be designed, tested against both backends, and committed before Phase 1 ships.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/cardinality-policies-singular-dual-and-plural-facts.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/cardinality-policies-singular-dual-and-plural-facts.org
@@ -0,0 +1,52 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Cardinality Policies — Singular, Dual, and Plural Facts
 #+filetags: :passepartout:architecture:
 Classical logic requires consistency. A contradiction implies everything (=ex contradictione quodlibet=). Screamer, as a constraint solver, also requires consistency — a contradictory constraint set has no solutions. But the symbolic engine operates across domains where the meaning of contradiction is fundamentally different. The correct question is not "is this consistent?" but "what cardinality of truth does this domain support?"
 Time is not a policy. It is a universal dimension that applies equally to every fact, regardless of cardinality. All facts carry =:timestamp= and =:parent-id= fields. Every fact has a version history. Every fact lives in a Merkle chain that captures how it changed. The cardinality policy only governs what happens at a given logical moment when two values coexist for the same =entity= and =relation=.
 *** Policy :singular — One Active Value, One Version Chain
 The active set contains exactly one value for =(:entity :relation)= at a time. When a new value asserts for the same pair, the old value is not rejected. It is superseded — moved into the version history, linked to the new leaf by =:parent-id=, and retained permanently. The active value is the leaf of the Merkle chain.
 "I used to think =rm -rf /= was safe. Now I know it is catastrophic." Both facts exist. Both are true — the first at =2024-06-01=, the second at =2025-03-15=. The chain captures the evolution. The =:singular= policy means there is one truth /now/, not that there was only ever one truth.
 Use for: security classifications, file system state, gate rules, code correctness, deterministic safety constraints — domains that converge on one answer, evolving over time.
 *** Policy :dual — Exactly Two Values, in Explicit Tension
 The active set contains exactly two values for =(:entity :relation)=. Both are simultaneously true. Both carry independent version histories. A third value is rejected — the domain is binary by nature.
 Some contradictions are productive precisely /because/ they are binary. Thesis and antithesis. Love and resentment. Wave and particle. A poem's two incompatible readings. The symbolic index holds both, cross-referenced as complementary rather than conflicting. The user is not asked to resolve the tension. The tension is the fact.
 The system can reason about cardinality transitions: a =:dual= fact that has one interpretation superseded should collapse to =:singular=. A =:dual= that has a third interpretation asserted should prompt the user: "Promote to =:plural= or demote one interpretation?"
 Use for: productive binary tensions, complementary opposites, dialectical pairs, any domain where two answers are both true and their tension is meaningful.
 *** Policy :plural — N Active Values, Open Set
 The active set contains any number of values for =(:entity :relation)=. Each value has independent provenance and its own version history. Queries return all active values with provenance display. Contradictions are flagged as cross-references between values — information, not error.
 A =:plural= fact where all but one value are superseded should collapse to =:singular=. A =:plural= fact where the set reduces to two active values — and the remaining two are complementary — should collapse to =:dual=.
 Use for: literary interpretation, scientific hypotheses, personal beliefs held at different times (when tension is multi-faceted rather than binary), multi-source factual disagreement, open-ended exploration.
 *** Policy Assignment
 The policy is assigned when a category is defined. New categories default to =:plural= (safe — never loses information). Core security categories are explicitly =:singular=. The gate stack's bootstrapped facts are =:singular= because they describe the actual filesystem, which is physically singular. Categories for dialectical or complementary domains are explicitly =:dual=.
 The Screamer admission gate applies the cardinality policy at the active set:
 - =:singular= + same value, later timestamp → supersede old, chain new as leaf.
 - =:singular= + different value, same timestamp → reject (contradiction). Human resolves.
 - =:singular= + different value, later timestamp → supersede old, chain new as leaf. History preserved.
 - =:dual= + first value → admit. + second value → admit, cross-reference as complementary. + third value → prompt.
 - =:plural= + any value → admit. Active count transitions trigger collapse checks.
 *** Why This Matters for the Broader Memex
 In the coding domain, contradiction is rare, resolvable, and usually temporal (a rule changed). In the broader memex, contradiction is the product, not the error. Your poetry analysis contradicts your last diary entry. Your reading of /Pale Fire/ changed between 2023 and 2025. Wikidata says Mount Everest is 8848m; DBpedia says 8849m. You love this person AND you resent them.
 The symbolic engine's job is not to decide which is right. It is to surface the tension with provenance — "these three sources disagree; here is the chain for each" for plural facts, or "you hold these two positions in tension" for dual facts, or "you believed X until Tuesday, then Y" for singular facts that evolved. The cardinality policy names the /structure/ of the tension. The Merkle chain provides the /history/ of each position.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/ephemeral-first-persistent-later.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/ephemeral-first-persistent-later.org
@@ -0,0 +1,15 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Ephemeral First, Persistent Later
 #+filetags: :passepartout:architecture:
 The architecture note's Option 5 (ephemeral facts, no disk persistence) is the correct first implementation. Three reasons:
 1. *The fact language is unproven.* Triples with provenance and grounding is a hypothesis. It may be too simple for some domains, too complex for others. Committing to a serialization format before knowing what's useful is premature.
 2. *The ontology is emergent.* Categories are created on first use. What proves useful stays; what doesn't fades. A persistent format would need a migration story every time the category structure changes. Ephemeral avoids this entirely — the facts are re-derived on each session start using the current (evolved) ontology.
 3. *Rebuildability is the safety net.* Because all facts have a =:grounding= to an Org heading, and gate-outcome facts are regenerated from the gate stack on every load, the entire symbolic index can be thrown away and rebuilt from scratch. The cost is compute, not data. This is the practical realization of "the prose is always the ground truth."
 The transition to persistence (Phase 5: VivaceGraph) happens when two conditions are met: the fact language has stabilized through use, and the accumulated deductions across sessions provide value that justifies the serialization cost.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/how-categories-grow-the-organic-ontology.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/how-categories-grow-the-organic-ontology.org
@@ -0,0 +1,34 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: How Categories Grow — The Organic Ontology
 #+filetags: :passepartout:architecture:
 Whitehead's /Principia Mathematica/ took over 300 pages to define the logical foundations before it could prove that one plus one equals two. Every category introduced carried a burden of justification. Every inference rule had to be demonstrated sound. This is the classical approach to ontology: define everything upfront, exhaustively, formally.
 Passepartout cannot afford this and does not need it. Its domain is bounded (software engineering, personal knowledge, literary engagement, daily life) and its ontology grows from the system's own operation:
 1. *The gate stack seeds the ontology.* Every gate vector is an implicit claim about a category of things. The bootstrap makes these claims explicit. The seed is 50-70 entity classes with no human authoring required — mechanically extracted from existing code.
 2. *New gate vectors add categories directly.* As the Dispatcher grows (new shell patterns, new path protections, new tool classifications), the ontology grows with it. Every new pattern becomes a fact on skill load.
 3. *Screamer generalizes from gate outcomes.* After 37 shell commands are blocked as destructive, Screamer extracts structural commonalities: "commands writing to block devices," "commands recursively deleting outside the workspace." These become new subcategories that didn't exist in the original gate patterns. The ontology deepens through observation.
 4. *The archivist proposes from prose.* The archivist reads a diary entry about a book: "Nabokov's lectures on Kafka." The LLM proposes =(:entity :nabokov :relation :lectures-on :value :kafka)=. Screamer checks consistency. Admitted. The categories =:author=, =:lectures-on=, and =:subject= didn't exist before — they are created on first use. This is the primary growth mechanism for the broader memex.
 5. *The human declares explicitly.* The human writes a declarative fact directly into the symbolic index. No extraction step. No LLM involvement. The fact is admitted with =:provenance :human-authored= — the highest trust level.
 6. *Temporal patterns crystallize into categories.* Every Sunday the memex gets a retrospective heading. Every Monday a planning heading. The time-awareness system observes the periodicity and proposes =:weekly-retrospective= and =:weekly-planning= as fact types. Screamer verifies.
 7. *Cross-domain overlap produces parent categories.* Screamer notices that =:secret-files= (from the gate stack) and =:private-content= (from privacy tags) share members — =.env= is both a secret file and private content. It proposes =:sensitive-material= as a parent with both as children. Taxonomy building happens automatically through overlap detection.
 *** Growth is self-limiting by design
 Not every conceivable category is added. The system prunes through use:
 - New categories are admitted only through Screamer's consistency check. A category that contradicts an existing classification is rejected.
 - A category that never gets queried costs nothing (a hash table entry) but produces no value. It fades from use naturally.
 - Overly fine-grained categories are rejected because they are redundant with the wildcard pattern that already covers them.
 - Overly broad categories that subsume meaningful distinctions produce contradictions when Screamer tries to apply existing rules. Rejected.
 The system converges on a useful granularity through use, not through upfront design. The gate stack provides the seed. Gate outcomes, prose extraction, deduction, and human authoring grow the shoots. Screamer prunes contradictions. The ontology is a garden, not a building.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/knowledge-graph-type-hierarchy-structural-anti-self-reference-v300.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/knowledge-graph-type-hierarchy-structural-anti-self-reference-v300.org
@@ -0,0 +1,11 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Knowledge Graph Type Hierarchy — Structural Anti-Self-Reference (v3.0.0)
 #+filetags: :passepartout:architecture:
 The same type-theoretic principle that governs the gate stack can be applied to the knowledge graph itself. When VivaceGraph ships (v3.0.0), every entity carries a ~:pm-type-level~ metadata field. Queries cannot return entities of the same level as the querying function. Self-referential knowledge becomes structurally impossible — no "this entity defines its own type level."
 The KG query layer enforces this at the Prolog level, not through runtime checks. This is the same idea as the type-level gates (see Safety section above), but applied to /knowledge/ rather than /actions/. The dispatcher prevents self-referential actions; the KG prevents self-referential facts.
 For the full philosophical treatment, see the Whitehead analysis in the Validation section below.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/merkle-dag-for-version-history.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/merkle-dag-for-version-history.org
@@ -0,0 +1,15 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Merkle DAG for Version History
 #+filetags: :passepartout:architecture:
 Every fact is versioned. Every =(:entity :relation)= pair forms its own independent chain in a Merkle DAG. This is not new infrastructure — it is a new occupant of Passepartout's existing Merkle-tree memory system (v0.2.0).
 When a fact supersedes its predecessor, the new fact hashes over: =SHA-256(value || provenance || timestamp || parent-hash || grounding)=. The parent-hash pointer forms the chain. Tampering with any version changes its hash, breaking all downstream references. The history is tamper-proof by construction.
 Facts about =(.env :member-of-class)= form one chain. Facts about =(:nabokov :wrote)= form another. They evolve independently. They share no ancestry. This is a DAG, not a single list — inserting a fact is O(1) per chain. Changing a fact about =.env= does not require rehashing the literary index.
 =:dual= and =:plural= facts cross-reference each other via edges (=:complements=, =:contradicts=) but these are semantic relationships, not parent chains. Each value has its own ancestor chain. The cross-reference edges form a web; the parent chains form a spine.
 Passepartout already snapshots the Merkle root over all memory objects. Adding the fact store to the snapshot is a registration, not a new mechanism. Rolling back the snapshot restores the entire fact state — all chains, all cross-references, all cardinalities — to that point in time.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/ontology-versioning-how-worldviews-change-without-losing-perspective.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/ontology-versioning-how-worldviews-change-without-losing-perspective.org
@@ -0,0 +1,24 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Ontology Versioning — How Worldviews Change Without Losing Perspective
 #+filetags: :passepartout:architecture:
 Ontology refactoring is not a schema migration. It is a worldview change. When you split =:secret-file= into =:crypto-secret= and =:plaintext-secret=, you are not renaming columns. You are reclassifying what a file *is* — and every Screamer deduction that crossed the old category boundary now means something different under the new distinction.
 The system preserves all worldviews. It does not overwrite the past with the present.
 The category hierarchy is itself a Merkle tree. Every entity class definition carries a hash of its superclasses, its cardinality policy, its associated relations, and its description. The aggregate hash of all active class definitions is the =:ontology-version= — a Merkle root of the current worldview.
 Every fact — every triple, every deduction, every gate outcome — stores its =:ontology-version= at the time of assertion. This is a single field, 64 hex characters. The cost is negligible. The implication is profound.
 When categories change, the system does not run a batch UPDATE. It re-verifies:
 1. A new category hierarchy produces a new =:ontology-version= hash.
 2. Facts carrying the old hash are flagged for re-verification.
 3. On heartbeat or manual trigger, Screamer re-evaluates each flagged fact against the /new/ category definitions. The old justification chain is preserved alongside the new outcome.
 4. Status: =:survived= (still valid), =:incoherent= (premises don't translate, flagged for human review), =:reclassified= (valid but under different classification).
 The =fact-query= function accepts an optional =:ontology-version= parameter. Queries default to the current worldview (=:active=). Specifying a version returns facts as they were under that worldview. The system can answer questions that no other knowledge tool can: "What did I believe about secrets before I refined my security model?" "How has my reading of /Pale Fire/ evolved across three frameworks?" "Which deductions survived my last ontology refactoring?"
 This is not querying a fact. It is querying the history of your own thinking — the fact that you changed your mind, the date you did, the reasoning that held and the reasoning that didn't.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/the-awakening-sufficiency-criterion.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/the-awakening-sufficiency-criterion.org
@@ -0,0 +1,21 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Awakening — Sufficiency Criterion
 #+filetags: :passepartout:architecture:
 The symbolic index begins its life as a lossy construct. The initial extraction from prose — LLM proposals verified by Screamer — is built from an uncertain foundation. Some facts are correct. Some are missing. Some are wrong.
 But the symbolic engine accumulates non-lossy facts through three independent mechanisms:
 1. *Gate outcomes* — every gate rejection is a fact. No LLM involved. Accumulate at the rate of user interactions.
 2. *Screamer deductions* — new facts derived from existing facts. No LLM involved. Accumulate whenever the fact store crosses a density threshold.
 3. *Human authoring* — the human explicitly declares facts. No LLM involved.
 At some point, the non-lossy facts constitute a sufficient foundation that the symbolic engine can reverse the flow: instead of the LLM extracting facts from prose, the symbolic engine reads prose through its own lens — its now-substantial ontology of categories, rules, and constraints — and asserts facts in its own language. The extraction mechanism ceases to be probabilistic and becomes deterministic.
 The sufficiency criterion makes this operational: =(/ (count-provenance :gate-outcome :human-authored :deduced) total-facts)=. When this ratio exceeds a configurable threshold (=SUFFICIENCY_THRESHOLD=, default 0.7), the system considers its foundation sufficient. The archivist switches from "LLM proposes, Screamer verifies" to "Screamer queries existing facts, applies to the new prose, and deduces new facts directly."
 The flip is visible to the user: "Symbolic index: 847 facts (73% non-lossy, 12% LLM-proposed, 15% Wikidata). Sufficient foundation: YES."
 The flip does not mean "complete." In the broader memex, completeness is neither possible nor desirable. The awakening means "deterministic enough to be trustworthy," not "comprehensive enough to be self-sufficient." The neural index remains the gateway to the full richness of prose. The symbolic index handles what can be mechanically verified. The boundary is permanent.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/the-chosen-path-option-4-starting-with-option-5.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/the-chosen-path-option-4-starting-with-option-5.org
@@ -0,0 +1,13 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Chosen Path: Option 4, Starting with Option 5
 #+filetags: :passepartout:architecture:
 The one-memex-two-indices architecture (Option 4) is the correct long-term architecture. The prose is the ground truth. The symbolic index is a derived view that can be rebuilt. The neural index handles what the symbolic index cannot — semantic search, fuzzy matching, associative leaps.
 But committing to a persistence format before knowing what facts are useful is premature. The practical path starts with Option 5 (ephemeral facts) as the Phase 1-4 implementation, then graduates to Option 4 with VivaceGraph persistence in Phase 5 when the fact language has been battle-tested through months of gate outcomes, Screamer deductions, and LLM proposals.
 *** Why the dual index is permanent, not transitional
 In the coding domain, there is an aspiration that the symbolic index could eventually capture enough of the prose's propositional content to become a complete representation — the "flip" where the symbolic engine reverses the flow. But for the broader memex (literature, poetry, personal reflection, daily logs), completeness is neither possible nor desirable. You cannot formalize what makes a poem beautiful. You cannot extract a triple that captures the emotional weight of a diary entry. The neural index will always be the gateway to the full richness of the prose. The symbolic index handles what can be mechanically verified: citations, entities, temporal order, contradictions, provenance. The division of labor between the two indices is permanent because the domains they serve are fundamentally different kinds of knowledge.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/the-five-architecture-options.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/the-five-architecture-options.org
@@ -0,0 +1,40 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Five Architecture Options
 #+filetags: :passepartout:architecture:
 The symbolic engine must relate to the human memex. The relationship is not obvious because knowledge lives in two incompatible forms: natural language prose (what the human reads and writes) and formal facts (what the symbolic engine reasons about). The translation between them is lossy by nature. The architecture is defined by how it handles that lossiness.
 *** Option 1: The Auto-Formalizer
 A separate knowledge graph stores symbolic facts. The LLM populates it by extracting triples from unstructured data. The KG becomes co-authoritative with the human prose.
 This is the simplest to implement but inherits the dual-representation problem in its most acute form. The KG and the prose can disagree, and the architecture provides no mechanism for resolving disagreements. It also stores knowledge twice — once in the user's Org files, once in the KG — with no guarantee that they stay synchronized.
 *** Option 2: Two Intentionally Separate Memexes
 The human memex contains prose: thoughts, diaries, decisions, documentation. The symbolic memex contains formal facts: constraints, rules, relationships, deductions. The archivist bridges between them but does not try to keep them synchronized. They are allowed to diverge because they serve different purposes.
 This is philosophically honest — it admits that no lossless translation between natural language and formal logic is possible. But it forces the user to reason about two separate knowledge stores.
 *** Option 3: Tangled Fact Blocks in Org Files
 A new block type — =#+begin_src knowledge= — would contain symbolic facts in a formal language. The tangle mechanism would load these facts into the symbolic engine's in-memory store, just as it loads Lisp code into the SBCL image.
 This is aesthetically appealing because it unifies the format. One toolchain, one version control system, one Merkle tree. But the block language itself IS the knowledge representation language, and that language is the ontology we have not yet defined.
 *** Option 4: One Memex, Two Indices
 The prose remains in human language in Org files. The prose is always the ground truth. Two indices sit on top of the prose as derived views:
 - The *neural index* uses vector embeddings to enable semantic search. The LLM navigates the prose through embedding space, retrieving relevant headings.
 - The *symbolic index* stores formal assertions about what the prose says — predicates, relations, constraints — each grounded to a specific heading or block in the Org file.
 Each index serves its own side of the machine. They do not need to understand each other's representations. They only need to agree on which heading or block they are referring to. Because the prose is always the ground truth, the symbolic index can be thrown away and rebuilt from scratch if it becomes corrupted or stale. No information is lost — only the extracted assertions.
 *** Option 5: Ephemeral Symbolic Facts
 No persistence, no serialization format, no knowledge graph stored on disk. VivaceGraph exists in memory during the session. Screamer derives facts from the prose as needed. When the session ends, the facts are discarded and re-derived on the next start.
 This punts the ontological design problem entirely. You never have to decide on a serialization format because you never serialize. The cost is compute (re-derivation on every restart) and the inability to accumulate facts across sessions. But it is the correct first step — a way to learn what kinds of facts are actually useful before committing to a storage format.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/the-gate-to-fact-bootstrap-extracting-the-first-ontology-from-code.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/the-gate-to-fact-bootstrap-extracting-the-first-ontology-from-code.org
@@ -0,0 +1,36 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Gate-to-Fact Bootstrap — Extracting the First Ontology from Code
 #+filetags: :passepartout:architecture:
 The Dispatcher gate stack already encodes an implicit ontology. Every gate vector asserts the existence of a category of things:
 - Gate vector 2 asserts there exists a class of files called /secrets/.
 - Gate vector 7 asserts there exists a class of commands called /destructive/.
 - Gate vector 8 asserts there exists a class of domains called /trusted/.
 - The self-build boundary asserts there exists a class of files called /core-harness/ and a class called /skills/.
 These claims are currently expressed as code — Lisp functions that pattern-match against file paths, shell commands, and URLs. They are not facts the symbolic engine can query, derive from, or check for consistency. But they can be made explicit.
 The bootstrap makes every gate a set of initial symbolic facts:
 =(:file ".env" :member-of-class :secret-files :source gate-vector-2)=,
 =(:command "rm -rf /" :classified-as :catastrophic :source gate-vector-7)=,
 =(:domain "api.telegram.org" :classified-as :trusted :source gate-vector-8)=.
 This produces 50-70 entity classes directly from the existing gate stack, without any new infrastructure:
 | Source                                 | Count | Example categories                                 |
 |----------------------------------------+-------+----------------------------------------------------|
 | ~*dispatcher-protected-paths*~         | 11    | :secret-config-file, :ssh-key-file, :gpg-key-file  |
 | ~*dispatcher-shell-blocked*~           | 8     | :catastrophic-command, :injection-pattern           |
 | ~*dispatcher-network-whitelist*~       | 2     | :trusted-domain, :untrusted-domain                  |
 | Self-build boundary                    | 2     | :core-harness-file, :skill-file                    |
 | Privacy tags                           | 3     | :private-content, :financial-content                |
 | Permission table                       | 3     | :read-only-tool, :write-tool, :eval-tool            |
 | Cognitive tools                        | 6     | :code-search-tool, :file-io-tool, :shell-tool       |
 | Relations (all gates)                  | ~15   | :member-of-class, :classified-as, :depends-on        |
 | Qualities                              | ~8    | :catastrophic, :dangerous, :moderate, :harmless     |
 | Provenance sources                     | 4     | :gate-outcome, :human-authored, :deduced, :llm-proposed |
 This is the seed. It gives Screamer a domain to reason about immediately, without any LLM involvement. It proves the pattern — code becomes facts, facts enable reasoning — at the cost of approximately 30 lines of Lisp.
--- a/projects/passepartout/architecture/design/the-symbolic-engine/the-llm-as-proposer-verified-extraction.org
+++ b/projects/passepartout/architecture/design/the-symbolic-engine/the-llm-as-proposer-verified-extraction.org
@@ -0,0 +1,18 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The LLM as Proposer — Verified Extraction
 #+filetags: :passepartout:architecture:
 The LLM cannot be trusted to populate the symbolic index directly. Its outputs are sampled, not proven. A probabilistic extraction feeding a deterministic engine defeats the purpose of being deterministic.
 But the LLM is still useful. It can surface facts that are obvious to a human reader of prose but would take the symbolic engine many deduction steps to reach independently. The solution is to demote the LLM from /extractor/ to /proposer/:
 1. The archivist reads a prose heading.
 2. The LLM proposes candidate triples.
 3. Screamer checks each triple for consistency against the existing fact store.
 4. Only consistent triples are admitted to the symbolic index, flagged with =:provenance :llm-proposed= and grounded to the source heading.
 The LLM might hallucinate facts that don't correspond to the prose. It might extract facts that contradict existing knowledge. It might produce syntactically malformed triples. None of these failures contaminate the symbolic index because proposals are not admitted automatically. The admission gate (Screamer) is deterministic.
 This is the core architecture pattern. Everything else — the entity classes, the deduction engine, the persistence layer — follows from this single design decision: *the LLM proposes; the symbolic engine decides whether to accept.*
--- a/projects/passepartout/architecture/design/the-two-brains/_index.org
+++ b/projects/passepartout/architecture/design/the-two-brains/_index.org
@@ -0,0 +1,11 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       4fa7eb38-6bc0-4809-9d8a-77290760ea79
 :END:
 #+title: The Two Brains
 * The Two Brains
 - [[file:the-probabilistic-deterministic-split.org][The Probabilistic-Deterministic Split]] — The architecture divides cognition into two fundamentally different reasoning sy
 - [[file:core-knowledge-the-four-pillars-of-agentic-reliability.org][Core Knowledge: The Four Pillars of Agentic Reliability]] — Every reliable AI agent must possess four types of Core Knowledge — not as promp
 - [[file:the-dispatcher-as-learning-system.org][The Dispatcher as Learning System]] — The Dispatcher begins as a static guard — a set of rules that block obviously da
--- a/projects/passepartout/architecture/design/the-two-brains/core-knowledge-the-four-pillars-of-agentic-reliability.org
+++ b/projects/passepartout/architecture/design/the-two-brains/core-knowledge-the-four-pillars-of-agentic-reliability.org
@@ -0,0 +1,17 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Core Knowledge: The Four Pillars of Agentic Reliability
 #+filetags: :passepartout:architecture:
 Every reliable AI agent must possess four types of Core Knowledge — not as prompt instructions, but as encoded symbolic rules that the neural engine cannot override. These are the "laws of physics" for the agent's computational universe. Passepartout encodes each pillar as deterministic Lisp functions in the Dispatcher gate stack.
 1. *Digital Object Permanence & State.* The agent must know what exists independently of its attention. Passepartout achieves this through the Merkle-tree memory: every memory-object carries a SHA-256 content hash. If the agent deletes a file, the hash proves it's gone. If an external process modifies it, the hash mismatch triggers a warning. The copy-on-write snapshot mechanism preserves the state at every decision point, enabling rollback if an action chain fails.
 2. *Causality and Temporal Logic.* Actions must execute in order. Step B cannot run if Step A failed. Passepartout enforces this through the pipeline's depth counter (signals cannot recurse past depth 10, preventing infinite loops) and the sequential Perceive → Reason → Act ordering. The batch tool calls feature allows parallel execution of independent actions while enforcing sequential execution of dependent ones — actions that share a dependency are ordered; actions that don't are parallelized.
 3. *Agentic Boundaries (The "Self").* The agent must know where its authority ends and the host system begins. Passepartout encodes this through the Dispatcher gate stack: path protection blocks access to sensitive directories (~/.ssh, /etc, ~/.aws). Shell safety blocks destructive commands (rm -rf /, dd, injection vectors). Network exfiltration detection blocks unauthorized outbound connections. The permission table allows per-tool, per-path granularity. These are not prompt instructions — they are Lisp functions that execute unconditionally for every action. The self-build safety boundary extends this to the agent's own core pipeline files: the agent can modify skills and system modules freely, but cannot modify its own brain stem without human review.
 4. *Epistemic Certainty (Knowing How It Knows).* The agent must distinguish between a verified fact, a retrieved memory, and an LLM prediction. Passepartout encodes this through the gate trace: every action carries a record of which gates passed, which blocked, and why. The provenance system (LOGBOOK entries on memory-objects) records who modified what and when. The Dispatcher's existence-check gate verifies that a file exists before allowing a read. The process-status gate verifies that a command completed before allowing its output to be used. The agent cannot "hallucinate" a file path or a process result because the Dispatcher checks each against the live state before execution.
 These four pillars are not features. They are the definition of a reliable agent. Every agent architecture either provides them or compensates for their absence in ways that make the agent less trustworthy, more expensive, or both.
--- a/projects/passepartout/architecture/design/the-two-brains/the-dispatcher-as-learning-system.org
+++ b/projects/passepartout/architecture/design/the-two-brains/the-dispatcher-as-learning-system.org
@@ -0,0 +1,19 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Dispatcher as Learning System
 #+filetags: :passepartout:architecture:
 The Dispatcher begins as a static guard — a set of rules that block obviously dangerous actions. But defining "obviously" is the hard problem. The agent encounters situations the rules do not anticipate. The Dispatcher must grow.
 The human-in-the-loop exception is the seed. When the LLM proposes an action the Dispatcher does not recognize, the system does not default to blocking or allowing. It suspends. It writes the proposed action to an Org buffer in a format the human can read and understand. The human reviews and approves or denies. The Dispatcher observes the decision.
 From this single observation, the Dispatcher extracts a rule. Not merely "allow this specific action" but "allow this class of actions parameterized by these dimensions." The human approved a write to ~/projects/myapp/src/core.clj. The Dispatcher generalizes: writes to ~/projects/*/src/*.lisp are approved for this session, or for this project, or indefinitely depending on the context and the user's pattern of decisions.
 Shadow mode is where rules are tested before deployment. When the Dispatcher encounters a novel situation and is uncertain, it can run the proposed action in a simulated environment. It observes the side effects — what files would be modified, what processes would be spawned, what network calls would be made. If the simulation produces dangerous side effects, the rule is discarded. If it appears safe, the rule is added to the active set with a confidence rating.
 Formal verification is where the learned rules are checked against invariants. The Dispatcher's rules are not merely patterns observed from human behavior. They are formulas in a logic that the system can reason about. A rule that would enable path traversal is not discarded because it was observed to be safe in prior instances — it is discarded because it violates the path-confinement invariant by construction.
 The Dispatcher becomes, over time, not a guard that blocks bad actions but a reasoning system that understands why actions are good or bad. Early versions learn from human decisions. Later versions learn from their own logical analysis. The human's role transitions from approver to auditor to, eventually, unnecessary oversight.
 This is the bootstrap. The system begins dependent on human judgment because it has no basis for judgment of its own. Through accumulated decisions, it constructs a model of what is permitted and why. That model is the foundation for the deterministic symbolic engine that in v1.0.0 takes over the reasoning that the Dispatcher learned to perform.
--- a/projects/passepartout/architecture/design/the-two-brains/the-probabilistic-deterministic-split.org
+++ b/projects/passepartout/architecture/design/the-two-brains/the-probabilistic-deterministic-split.org
@@ -0,0 +1,39 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Probabilistic-Deterministic Split
 #+filetags: :passepartout:architecture:
 The architecture divides cognition into two fundamentally different reasoning systems. This is not arbitrary engineering but a structural response to a fundamental truth: probabilistic systems will hallucinate, and you cannot build reliable autonomy on an unreliable foundation.
 *** The Hallucination Problem
 An LLM is a statistical engine trained on token sequences. It generates the most probable continuation of a prompt. Given sufficient context, that continuation is correct. Given novel context, it is often wrong in confident-sounding ways.
 This is not a training deficiency. Hallucination is a fundamental property of probabilistic inference. You can reduce it with better models, longer contexts, and clever prompting, but you cannot eliminate it by making the LLM better. You eliminate it by not asking the LLM to do things that require certainty.
 This is the architectural bet at the heart of Passepartout's neurosymbolic design. The LLM should not be the reasoning engine. It should be the *creative* engine — proposing possibilities, surfacing connections, translating between natural language and formal representation. The *reasoning* engine should be symbolic: deterministic, verification-grounded, provenance-tracked, and incapable of hallucination by construction.
 *** The Division of Labor
 An LLM is a statistical engine. It generates outputs based on patterns in training data. It is remarkable at translation, generation, pattern matching, and fuzzy reasoning. It can take messy human intent and produce structured queries. It can take structured results and produce natural language. It is, in the terminology of the system, the creative brain.
 But it cannot be trusted. Not because it is poorly designed or insufficiently trained, but because hallucination is a fundamental property of probabilistic inference. The model generates the most likely continuation, not the correct one. Given sufficient context, the most likely continuation is correct. Given novel context, it is often wrong in confident-sounding ways.
 The deterministic engine addresses this by being what the probabilistic engine is not: mathematically rigorous, formally verifiable, and incapable of hallucination by design. It operates on explicit symbolic representations — lists, property lists, knowledge graphs — not on floating-point activations. When it evaluates a path confinement check, it returns true or false, not a probability distribution.
 The division of labor is architectural. The LLM handles the fuzzy interface between human language and structured representation. It translates what the user wants into what the system can reason about. The deterministic engine receives those structured representations and evaluates them against formal invariants. It decides whether to execute, not whether the translation was semantically plausible.
 This separation is the source of Passepartout's safety guarantee. Other agents add "guardrails" as an afterthought — a layer of filtering around a dangerous core. Passepartout makes the division explicit: the LLM never touches the file system, never executes a command, never modifies memory. It generates proposals. The deterministic engine evaluates and executes. The dangerous operations are never in the probabilistic path.
 The split also explains why the system gets safer over time without the LLM improving. The deterministic engine accumulates rules. The LLM proposes actions, the engine evaluates them against a growing rule set. Early versions block obvious dangers. Later versions block sophisticated attacks that were previously unknown. The safety grows logarithmically with the number of interactions, not linearly with model capability.
 *** The 10-80-10 Architecture
 The target for a coding agent: 10% neural for input translation (natural language → structured queries), 80% symbolic for reasoning (Screamer plans, ACL2 verifies, VivaceGraph retrieves facts), 10% neural for output formatting (structured results → natural language). The 80% that happens in the symbolic middle layer costs zero LLM tokens.
 For the broader memex — literature, poetry, personal reflection, daily logs — the ratios are different and less important than the metaphor itself. The neuro is the *brain* — generative, associative, creative, comfortable with ambiguity. It produces insights that are provisional, connections that are speculative, hypotheses that may be wrong. The symbolic engine is the *education* — accumulated, verified, provenance-tracked knowledge that the brain draws on and is disciplined by. It doesn't think creatively. It remembers, checks, and constrains. It prevents the brain from being confidently wrong.
 This framing resolves a tension in the original architecture. The 10-80-10 implies the symbolic engine /replaces/ the neuro for reasoning. But a symbolic engine is terrible at creativity, ambiguity, and associative leaps across unrelated domains — exactly what you need for a memex that contains /Pale Fire/, a shopping list, and a project plan. The brain proposes that your sudden interest in unreliable narrators coincides with a week where your project retrospective used the word "deception." The education verifies: "those two diary entries are 4 days apart; the word 'deception' appears in both; here are the headings." The brain makes the leap. The education makes it trustworthy.
 This means the symbolic engine never needs to be "complete." Education isn't complete knowledge — it's structured knowledge. You don't need a fact for every sentence in your diary. You need facts for what can be mechanically verified: dates, citations, entities, contradictions, temporal order. The brain handles the rest.
--- a/projects/passepartout/architecture/design/validation/_index.org
+++ b/projects/passepartout/architecture/design/validation/_index.org
@@ -0,0 +1,14 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       e66a5d5f-70ff-4953-93c3-569e05eaff73
 :END:
 #+title: Validation
 * Validation
 - [[file:whiteheads-process-philosophy-and-type-theory.org][Whitehead's Process Philosophy and Type Theory]] — Alfred North Whitehead's two major bodies of work — /Principia Mathematica/ (191
 - [[file:historical-lineage-mccarthys-advice-taker.org][Historical Lineage — McCarthy's Advice Taker]] — McCarthy's "Programs with Common Sense" (1959) is the direct intellectual ancest
 - [[file:marcus-2020-the-case-against-pure-deep-learning.org][Marcus (2020): The Case Against Pure Deep Learning]] — Gary Marcus's "The Next Decade in AI" argues that deep learning alone is "data h
 - [[file:gaur--sheth-2023-crest-trustworthy-neurosymbolic-ai.org][Gaur & Sheth (2023): CREST — Trustworthy Neurosymbolic AI]] — Gaur and Sheth present the CREST framework: Consistency, Reliability, user-level
 - [[file:sheth-et-al-2022-knowledge-infused-learning.org][Sheth et al. (2022): Knowledge-Infused Learning]] — Sheth, Gunaratna, Bhatt, and Gaur define Knowledge-infused Learning (KiL) as "co
 - [[file:the-competitive-argument.org][The Competitive Argument]] — No competitor has this problem because no competitor has a symbolic engine. The 
--- a/projects/passepartout/architecture/design/validation/gaur--sheth-2023-crest-trustworthy-neurosymbolic-ai.org
+++ b/projects/passepartout/architecture/design/validation/gaur--sheth-2023-crest-trustworthy-neurosymbolic-ai.org
@@ -0,0 +1,12 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       ec267c73-4e0d-4efb-9497-cb72f74538e4
 :END:
 #+title: Gaur & Sheth (2023): CREST — Trustworthy Neurosymbolic AI
 #+filetags: :passepartout:architecture:
 Gaur and Sheth present the CREST framework: Consistency, Reliability, user-level Explainability, and Safety build Trust — and they argue these require neurosymbolic methods. Their empirical finding: GPT-3.5 breached safety constraints 30% of the time when asked identical questions repeatedly. Claude's 16 safety rules and Sparrow's 23 rules provide no /inherent/ safety — they are heuristic guardrails that can be breached through prompt variation.
 These findings validate three Passepartout design commitments: (1) prompt-level safety is insufficient — deterministic gates run in pure Lisp, cost 0 tokens, and cannot be evaded by prompt engineering; (2) inconsistency is the norm — the cardinality model expects contradiction and surfaces it with provenance; (3) knowledge infusion is required for trust — Passepartout's symbolic index IS the knowledge infusion layer, facts extracted from prose, verified by Screamer, and available for any LLM call.
 Reference: Gaur, M., & Sheth, A. (2023). Building Trustworthy NeuroSymbolic AI Systems: Consistency, Reliability, Explainability, and Safety. arXiv:2312.06798.
--- a/projects/passepartout/architecture/design/validation/historical-lineage-mccarthys-advice-taker.org
+++ b/projects/passepartout/architecture/design/validation/historical-lineage-mccarthys-advice-taker.org
@@ -0,0 +1,20 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: Historical Lineage — McCarthy's Advice Taker
 #+filetags: :passepartout:architecture:
 McCarthy's "Programs with Common Sense" (1959) is the direct intellectual ancestor of the Passepartout architecture. The paper proposed an "advice taker" — a program that "will draw immediate conclusions from a list of premises" expressed in "a suitable formal language (most likely a part of the predicate calculus)." The program would:
 1. Accept declarative statements about the world as input.
 2. Store them as logical formulas.
 3. Reason from them to produce new conclusions.
 4. Accept new facts and revise its conclusions.
 This is precisely the Passepartout pipeline: the archivist extracts declarative facts from prose → Screamer checks them for consistency → VivaceGraph stores them → the planner reasons from them → new facts from gate outcomes and deductions revise the store. McCarthy proposed it in 1959. Passepartout is building it in 2026.
 The gap between McCarthy's proposal and Passepartout's implementation is the /hallucination problem/. McCarthy assumed facts would be entered by a human programmer in formal logic. Passepartout's facts are extracted from natural language prose by an LLM — a probabilistic process that requires deterministic verification. Screamer is the component McCarthy didn't need: a constraint solver that gates LLM-proposed facts against the existing fact store.
 The connection is not metaphorical. McCarthy cited /Principia Mathematica/ as an influence on Lisp. Passepartout's Whitehead analysis traces the same PM → Lisp lineage. The advice taker → Passepartout lineage completes the arc: PM's formal logic → Lisp → McCarthy's advice taker → Passepartout's neurosymbolic engine.
 Reference: McCarthy, J. (1959). Programs with Common Sense. /Proceedings of the Teddington Conference on the Mechanization of Thought Processes./
--- a/projects/passepartout/architecture/design/validation/marcus-2020-the-case-against-pure-deep-learning.org
+++ b/projects/passepartout/architecture/design/validation/marcus-2020-the-case-against-pure-deep-learning.org
@@ -0,0 +1,17 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       4c65fdbb-a45c-4c71-ac29-6488e9271f4a
 :END:
 #+title: Marcus (2020): The Case Against Pure Deep Learning
 #+filetags: :passepartout:architecture:
 Gary Marcus's "The Next Decade in AI" argues that deep learning alone is "data hungry, shallow, brittle, and limited in its ability to generalize." The paper demonstrates GPT-2 failing at basic commonsense reasoning:
 - "Yesterday I dropped my clothes off at the dry cleaners and have yet to pick them up. Where are my clothes?" → GPT-2: "at my mom's house."
 - "There are six frogs on a log. Two leave, but three join. The number of frogs on the log is now" → GPT-2: "seventeen."
 Marcus proposes four steps toward robust AI: hybrid architecture (combining neural and symbolic), large-scale knowledge (abstract and causal, not just statistical), reasoning (formal inference over structured representations), and cognitive models (frameworks for how entities relate). Passepartout implements all four: the perceive-reason-act pipeline is hybrid, the symbolic index is causal knowledge, Screamer + ACL2 provide reasoning, and the gate-bootstrapped ontology plus MOMo modules provide cognitive models.
 Marcus's core claim — "we have no hope of achieving robust intelligence without first developing systems with deep understanding" — is the justification for Passepartout's entire neurosymbolic investment. The alternative is a system that works "on a good day" and fails unpredictably. The deterministic gate stack and Screamer admission gate are the engineering realization of Marcus's call for robustness.
 Reference: Marcus, G. (2020). The Next Decade in AI: Four Steps Towards Robust Artificial Intelligence. arXiv:2002.06177.
--- a/projects/passepartout/architecture/design/validation/sheth-et-al-2022-knowledge-infused-learning.org
+++ b/projects/passepartout/architecture/design/validation/sheth-et-al-2022-knowledge-infused-learning.org
@@ -0,0 +1,12 @@
 :PROPERTIES:
 :CREATED:  [2026-05-11 Mon]
 :ID:       a56c8e07-9e5b-4070-a0f9-280188ccd6b7
 :END:
 #+title: Sheth et al. (2022): Knowledge-Infused Learning
 #+filetags: :passepartout:architecture:
 Sheth, Gunaratna, Bhatt, and Gaur define Knowledge-infused Learning (KiL) as "combining various types of explicit knowledge with data-driven deep learning techniques." They identify three infusion levels (shallow, semi-deep, deep) and position KiL as "a sweet spot in neuro-symbolic AI."
 Passepartout's architecture is a specific implementation of KiL at the deepest infusion level: knowledge is not appended to prompts (shallow) or embedded in fine-tuning (semi-deep). It is a first-class data structure — the symbolic index — that the LLM queries through the archivist and the planner. The knowledge is living: it accumulates, is verified, carries provenance, and evolves through ontology versioning.
 Reference: Gaur, M., Gunaratna, K., Bhatt, S., & Sheth, A. (2022). Knowledge-Infused Learning: A Sweet Spot in Neuro-Symbolic AI. /IEEE Internet Computing, 26/(4), 5–11.
--- a/projects/passepartout/architecture/design/validation/the-competitive-argument.org
+++ b/projects/passepartout/architecture/design/validation/the-competitive-argument.org
@@ -0,0 +1,15 @@
 :PROPERTIES:
 :CREATED:  [2026-06-04 Thu]
 :END:
 #+title: The Competitive Argument
 #+filetags: :passepartout:architecture:
 No competitor has this problem because no competitor has a symbolic engine. The 55 systems surveyed in the competitive landscape range from pure chat agents (Claude, ChatGPT) to agent harnesses (Claude Code, OpenCode, Hermes) to platform agents (OpenClaw). None of them encode knowledge as formal facts with provenance. None of them verify extractions against an existing knowledge base. None of them can prove properties about their own rulesets.
 Their safety is heuristic (prompt-based guardrails that consume LLM tokens and can be evaded with clever phrasing). Their memory is flat (JSONL transcripts without content-addressed identity or provenance chains). Their reasoning is entirely neural — when you ask "why did you decide that?", the answer is a regenerated LLM explanation, not a retrieved inference chain.
 Passepartout's architectural bet is that this problem is worth solving — that a system which can surface contradictions with provenance, derive new facts from observations, and verify claims against a provenanced knowledge graph is fundamentally different from a system that can only call an LLM and hope the response is correct.
 The cost is the ontological work that is genuinely difficult. The reward is a system that cannot hallucinate at the reasoning level, whose memory is provable rather than empirical, and whose knowledge accumulates across sessions through deduction rather than through LLM re-prompting. For a life's knowledge stored in a personal memex, this is not a performance advantage. It is a category difference.
 The competitive advantage is not any single feature. It is the architecture's ability to accumulate verified knowledge from four independent sources (gates, deduction, verified LLM proposals, human authoring) and to make that knowledge queryable with provenance. Competitors accumulate chat transcripts. Passepartout accumulates a provenanced, self-verifying knowledge graph. Transcripts become stale and unreliable. The knowledge graph becomes richer and more trustworthy with every session.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Hermes	67fac2444b	Fix Untitled titles: convert all YAML frontmatter to org-style headers	2026-06-04 20:56:03 +00:00
Hermes	284c5bd324	Break design/ files into subfolders by ** heading (43 new files)	2026-06-04 20:47:17 +00:00
Hermes	9ce3883005	Remove old design-decisions.org, update cross-refs to design/ folder	2026-06-04 20:24:17 +00:00
Hermes	2ee60b5b4a	Split design-decisions.org into design/ subfolder (10 files, one per section)	2026-06-04 20:16:02 +00:00
Hermes	d938f353e4	Fix stage weights: Lisp Machine 13, AI Inference 14	2026-06-04 20:07:49 +00:00
Hermes	8b1b481828	Stages: rename titles, fix execution order, remove all numbered references	2026-06-04 20:04:34 +00:00
Hermes	5ac701e8ec	Restage with descriptive titles: agent arc first, network arc second - New execution order: Now → Neurosymbolic Agent → Lisp Machine → AI Inference → Social Protocol → AI Weights → AI Training → What Remains - Rename files to match (stage-1-gate, stage-2-lisp-machine, stage-3-inference, stage-4-social-protocol) - Remove stage numbers from titles: just descriptive names - Sequential weights 10-17 - Update nav links and stage table in _index.org and architecture _index.org - Rebuild: 145 files, 0 errors	2026-06-04 19:51:52 +00:00
Hermes	60e9c1d7a6	Reorder stages by execution order: 0 → 2 → 1 → 3 → 4 → 5 → 6 → 7 - Update sidebar weights: Stage 2 (12) before Stage 1 (13) - Update stage overview table in _index.org to match execution order - Fix navigation links (← prev → next) in stage-1-social-protocol and stage-2-verification to reflect true execution sequence - Rebuild: 145 files, 0 errors	2026-06-04 19:47:31 +00:00
Hermes	0956711af4	Fold stage secondary docs into main pages: one note per stage - Merge stage-1-dependency-map.org (library tables) into stage-1-social-protocol.org - Merge stage-2-acl2-integration.org (integration approaches, risk, PDS constraint) into stage-2-verification.org - Delete both secondary files - Regenerate ID map - Rebuild: 145 files, 0 errors - Sidebar now shows one page per stage: Stage 0-7	2026-06-04 19:43:56 +00:00
Hermes	01bea0c982	Make Stage 0 the stages index: reader lands on 'now' with the full roadmap at a glance - Merge stage-0-now.org content into stages/_index.org (now titled 'Stage 0: Now') - Delete stage-0-now.org - Add stage overview table to the top of the page (8 stages, what changes, threat eliminated) - Update all cross-references from old stage-0 UUID to stages _index UUID - Regenerate ID map to reflect the deletion - Also fix page-list shortcode: .ByTitle -> .ByWeight so subpage listing matches sidebar order - Rebuild: 147 files, 0 errors	2026-06-04 19:40:43 +00:00
Hermes	c5d0695acf	Reorder architecture sidebar using weights: stages first, then foundation, epistemology, design, implications, reference - Add :WEIGHT: extraction to build script (from Org PROPERTIES into Hugo TOML frontmatter) - Shorten architecture _index.org staged progression to a single-line summary pointing to stages/ directory - Weight order (sidebar now reads in this order): stages/ (10-20) — the roadmap, early so references make sense lisp-foundation.org (21) — why Lisp knowledge-layers/ (30-32) — how the system knows design-decisions through neuro-comparison (40-45) — design systemic-effects (50) — implications org-knowledge-base through repo-organization (60-64) — reference - Rebuild: 148 files, 0 errors	2026-06-04 19:36:53 +00:00
Hermes	6e992cc0c5	Restructure three-pronged → knowledge-layers: collapse 11 files to 3, integrate into main architecture - Rename 'three-pronged' folder to 'knowledge-layers' — prong metaphor was misleading (implied parallel tines), replaced with epistemic layers (deductive base, empirical middle, probabilistic oracle — vertical stack) - Collapse 11 overlapping files into 3 coherent documents: - knowledge-layers/_index.org: core framework (two engines + one store, World Model formula, 0-14 layer table, provenance store design, conflict resolution, cold-start, stage mapping) - knowledge-layers/practical-implications.org: design-world-aware-of- physics, 10 powers, Schafmeister existence proof, epistemic transparency - knowledge-layers/neurological-empirical.org: neural networks in provenance framework (kept intact) - Relocate wolfram/mathematica and Schafmeister docs to ideas/viability/ - Integrate into main architecture _index.org: - Gate: expanded from two vectors (ACL2+LLM) to three (deductive, provenance/empirical, LLM oracle) - Autodidactic loop: split into Track 1 (deductive hardening, fast) and Track 2 (empirical validation, slow, experimental-feedback-driven) - See also: added Knowledge Layers cross-reference - Add all-lisp geometry engine note (ideas/lisp-geometry-engine.org) as concrete illustration of the empirical layer's effect on design work - Rebuild site: 148 files, 0 errors	2026-06-04 19:09:44 +00:00
Hermes	2e8cf19f9e	gbrain: sync converted org-mode brain files	2026-06-04 03:00:53 +00:00
Hermes	9b795df14e	Add missing _index.org files for 7 sections: stages, ai-agents-scoping, compliance, impact, social-protocol, verification, resources — rebuild clean after file reorganization	2026-06-03 21:50:01 +00:00
Hermes	ac99eed182	Move three-pronged system series into projects/passepartout/architecture/three-pronged/ — all 11 architectural notes grouped under Passepartout architecture	2026-06-03 20:32:41 +00:00
Hermes	63279a995f	Add note: faster theorem proving — engineering approaches (incremental, ATP oracle, decision procedures, LLM guidance, hardware split)	2026-06-03 20:08:39 +00:00
Hermes	dd8759179a	Fix: GC constraint is silicon design focused on C, not a fundamental Lisp limitation — Symbolics Genera proved Lisp as systems language with proper hardware support	2026-06-03 19:37:16 +00:00
Hermes	a176eedd2b	Rewrite lisp-provers page as evergreen reference — remove conversational framing, 'things I was wrong about', 'key insight from conversation'	2026-06-03 18:38:20 +00:00
Hermes	179bcbaaa4	Create CL Modernization project — merge initiatives, corrected phases, and timeline into single comprehensive project page under projects/	2026-06-03 18:33:47 +00:00
Hermes	9553a90060	Unify concepts into ideas — move 7 org files from concepts/ to ideas/, update homepage and nav	2026-06-03 17:31:57 +00:00
Hermes	b1d00c79e6	Add Concepts section to homepage and nav, plus 4 new concept pages	2026-06-03 17:15:40 +00:00
Hermes	47be29b1d0	Add 4 new concept pages: Lisp vs Rust prover discussion, CL modernization initiative, corrected phases, timeline	2026-06-03 17:11:46 +00:00
Hermes	1f5fc89b46	gbrain: sync converted org-mode brain files	2026-06-03 03:06:39 +00:00
Hermes	56f0588b54	gbrain: sync converted org-mode brain files	2026-06-02 03:03:15 +00:00
Hermes	47ca8689fc	gbrain: sync converted org-mode brain files	2026-06-01 03:03:11 +00:00
Hermes	5087f98e4d	gbrain: sync converted org-mode brain files	2026-05-31 03:00:39 +00:00
Hermes	dbd651ba2c	gbrain: sync converted org-mode brain files	2026-05-30 03:00:27 +00:00
Hermes	2f1aacd39c	gbrain: sync converted org-mode brain files	2026-05-29 03:00:48 +00:00
Hermes	af132f7e88	gbrain: sync converted org-mode brain files	2026-05-28 03:01:01 +00:00
Hermes	3efbf760e6	gbrain: sync converted org-mode brain files	2026-05-27 03:00:59 +00:00
Hermes	7fa9dceb82	gbrain: sync converted org-mode brain files	2026-05-26 03:00:48 +00:00
Hermes	ed232e2122	gbrain: sync converted org-mode brain files	2026-05-25 03:00:38 +00:00
Hermes	386e6d40be	rewrite ideas/_index.org with full page listing	2026-05-25 01:22:38 +00:00
Hermes	f8240967f5	update org-ids after build	2026-05-25 01:14:50 +00:00
Hermes	f10bd14091	add note: 10 wider implications of the three-pronged system	2026-05-25 00:56:05 +00:00
Hermes	a4113c2d5c	add note: neural network models in the empirical middle	2026-05-25 00:48:30 +00:00
Hermes	0b77ea0ac9	add note: architectural integration of three-pronged system	2026-05-25 00:38:48 +00:00
Hermes	73fc33f02f	add note: 10 practical powers of the three-pronged architecture	2026-05-25 00:26:49 +00:00
Hermes	f09a59aaf3	add plain-language explanation of world model implications	2026-05-25 00:17:49 +00:00
Hermes	6b6838fb2c	add note: middle domain as world models — the Passepartout triple	2026-05-25 00:12:41 +00:00
Hermes	f3e2d15d47	add note: knowledge tree middle — logic to nanotechnology bridge	2026-05-24 23:59:30 +00:00
Hermes	cf3bd2ee54	add note: Passepartout bootstrapping Mathematica/mathlib autonomously	2026-05-24 23:55:38 +00:00
Hermes	d2387f1074	add note: viability of open-source Wolfram/Mathematica in Common Lisp	2026-05-24 22:54:02 +00:00
Hermes	64d027a0a0	add note: Schafmeister and Clasp — Lisp in computational nanotechnology	2026-05-24 21:05:07 +00:00
Hermes	5086ac4fbe	project index: what+why only, no jargon without links; architecture: explain Lisp and ACL2 at first mention	2026-05-24 19:57:55 +00:00
Hermes	73dea1f654	rewrite project _index.org broader intro (Environment, Knowledge, Verification); add Knowledge subsystem to architecture page	2026-05-24 19:51:03 +00:00
Hermes	d3300adbf7	drop Passepartout prefix from section index titles: Architecture, Social Protocol, Strategy	2026-05-24 19:43:39 +00:00
Hermes	34ab923308	rewrite project _index.org as full narrative intro; rewrite architecture.org to lead with concepts before Lisp	2026-05-24 19:40:51 +00:00
Hermes	335735b655	Rewrite Passepartout architecture page as narrative introduction - architecture.org becomes a narrative: problem → three-subsystem solution → staged approach → what it means - Moved TAM, revenue paths, analytical frames, strategy/IP links to _index.org - _index.org is now the navigation hub with roadmap table and all catalog links	2026-05-24 19:31:13 +00:00
Hermes	4c38127b45	Consolidate: 10 files merged into 5, 3 moves, 1 rename Merged: - verification-monopoly + evaluation-harness + collective-regression-suite - licensing + patent-strategy → strategy/ - moats + infrastructure-lock-in - lisp-economics + cost-structure - domain-gate-packages + gate-rule-encoding - revenue-table + first-mover-window → revenue.org Moved: sufficiency-flip, upgrade-lifecycle → strategy/ native-org-knowledge-base → architecture/ Renamed: revenue-hub.org → revenue.org Deleted: passepartout-economics.md orphan	2026-05-24 19:17:01 +00:00
Hermes	ede891f2ce	Merge verification-monopoly, evaluation-harness, collective-regression-suite into one page Combined all three under verification-monopoly.org with title: 'The Evaluation Harness — Collective Regression Suite as Certification Monopoly' Structure: (1) vision from monopoly, (2) service from harness, (3) spec from collective-regression. All three IDs preserved in PROPERTIES. Deleted evaluation-harness.org and collective-regression-suite.org.	2026-05-24 19:12:49 +00:00
Hermes	348f2736a8	Fix homepage headings: Org bold → proper headlines, H2 level	2026-05-24 18:57:59 +00:00
Hermes	0a8e77e949	Reorganize brain: projects/ top level, rename filenames, update homepage - Moved everything from ideas/passepartout/ to projects/passepartout/ - Moved legal structures to projects/flags/ - Created missing _index.org files for all subdirectories - Stripped redundant passepartout- prefix from filenames - Rewrote root _index.org as generalized brain index (projects + concepts) - Updated Hugo nav to Projects/Concepts - Updated build script section descriptions - Deleted stale ideas/passepartout-economics.md orphan	2026-05-24 18:54:14 +00:00
Hermes	4b60244919	Fix YAML frontmatter delimiter (\|--- → ---) in stage 2 and 3	2026-05-24 18:07:14 +00:00
Hermes	2578bfee61	Architecture reframe: rename triad/Stoa/Logos/Agora → Passepartout - Renamed ideas/stoa/ → ideas/passepartout/, all stage files prefixed passepartout- - Renamed triad-index/overview/systemic-effects → passepartout-* under passepartout/ - Renamed ideas/agora/ → ideas/passepartout-social-protocol/, stripped agora- prefixes - Merged overview and environment pages into architecture; deleted 3 redundant files - Renamed growth-strategy → enterprise-growth-strategy - Renamed alternative-growth-social-first → social-growth-strategy - Removed all Greek names: Stoa, Logos, Agora as product names - Updated 50+ files of cross-references to new naming - Kept org-id UUIDs intact throughout	2026-05-24 18:02:36 +00:00
Hermes	cc3976fb7f	ideas: editorial sweep — atomization, interlinking, restructuring - Split competitive-analysis-2026-05.org → TOC + 9 competitor files in ideas/competitors/. Dropped date from filename. All competitor UUIDs generated, TOC keeps original UUID for backlink continuity. - Deleted passepartout-economics.org archive (replaced by 27-node KB). - Inlined 5 'See also' blocks into natural prose (compliance-index, first-mover-window, revenue-table, orders-of-magnitude-time, native-org-knowledge-base). - Linked 7 orphan compliance pages back to compliance index + finished truncated sentences. - Linked all 14 Agora requirement docs from topic-relevant pages (identity→lisp-machine-security, infrastructure→compute-marketplace, social-space→growth-strategy, exchange→agora-contracts, etc.). - Linked ai-industry-impact from investment-thesis, sufficiency-flip, verification-appliance, effects-growth-flywheel (up from 1 to 10+ pages). - Fixed CREATED timestamps to use git commit dates instead of today. - Made all links absolute from root (no port inheritance). - Removed stale agora/docs/ duplicate content.	2026-05-24 16:25:55 +00:00
Hermes	94f1871177	gbrain: sync converted org-mode brain files	2026-05-24 03:00:35 +00:00
Hermes	b3d91f2e55	fix: remove parenthetical (see ...) link pattern, use inline natural language links	2026-05-24 01:23:55 +00:00
Hermes	8f875dc192	fix: inline org-mode interlinks instead of parenthetical bare [[file:...]] links	2026-05-23 20:24:19 +00:00
Hermes	674b8b35ba	feat: legal structure alternatives — Texas vs Delaware, Wyoming DAO LLC, Panama LLC, trust jurisdictions with downsides analysis	2026-05-23 15:10:53 +00:00
Hermes	6f67316681	feat: legal structure practical setup — Delaware C-Corp + BVI IP Co with forms, costs, timelines, and what must be done by a lawyer	2026-05-23 14:32:36 +00:00
Hermes	4a322ef5cd	feat: asset protection structures research — Delaware C-Corp, BVI IP Co, series LLC, trust, with phased recommendations	2026-05-23 14:23:16 +00:00
Hermes	4d177832a1	feat: outbound sales compliance framework — CAN-SPAM, GDPR, UK GDPR, Egypt PDPL, CASL with Passepartout gate mappings	2026-05-23 14:19:22 +00:00
Hermes	59e9ced3e5	rewrite: combined growth strategy — Logos (top-down verification) + Agora (bottom-up communities) as two engines, one infrastructure	2026-05-23 14:01:43 +00:00
Hermes	89a9ee0c2c	feat: Agora entry strategy — organized communities as primary entry point with 4-phase rollout	2026-05-23 13:57:27 +00:00
Hermes	f4c72d3527	rewrite: Agora competitive landscape — replaces 20+ centralized platforms across social, publishing, video, messaging, e-commerce, identity, and work	2026-05-23 13:16:39 +00:00
Hermes	ca9557a5f9	feat: Agora competitive landscape — 4-layer analysis (publishing, payments, contracts, identity)	2026-05-23 13:09:43 +00:00
Hermes	9f52f99092	update: correct Agora characterization as 4-layer unified platform (pub+pay+contract+identity)	2026-05-23 12:50:54 +00:00
Hermes	3a7fbb38ca	feat: alternative social-first growth scenario	2026-05-23 12:19:38 +00:00
Hermes	04b2bf87dd	fix: label: → label: (inline bold, not headings)	2026-05-23 12:13:22 +00:00
Hermes	e1777d2538	Revert "fix: org-mode bold syntax — ** → * (double to single asterisk)" This reverts commit `a0a1481cae`.	2026-05-23 12:11:16 +00:00
Hermes	a0a1481cae	fix: org-mode bold syntax — ** → * (double to single asterisk)	2026-05-23 12:09:39 +00:00
Hermes	cddaaa4e69	gbrain: sync converted org-mode brain files	2026-05-23 11:57:03 +00:00
Hermes	dec20395b8	gbrain: sync converted org-mode brain files	2026-05-23 11:51:44 +00:00
Hermes	7c4eb5bf59	gbrain: sync converted org-mode brain files	2026-05-23 11:44:48 +00:00
Hermes	38f10960eb	gbrain: sync converted org-mode brain files	2026-05-23 11:41:35 +00:00
Hermes	7b8bf3ca5b	fix org-mode heading syntax in revenue-hub	2026-05-23 07:58:50 +00:00
Hermes	6da2633f11	gbrain: sync converted org-mode brain files	2026-05-23 07:49:47 +00:00
Hermes	558145741e	gbrain: sync converted org-mode brain files	2026-05-23 07:43:55 +00:00