amr/hermes-brain
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
335735b6556191b95785c0a7b51e6c0d04291929
hermes-brain/projects/passepartout/architecture/architecture.org
Hermes 335735b655 Rewrite Passepartout architecture page as narrative introduction 
- architecture.org becomes a narrative: problem → three-subsystem solution
  → staged approach → what it means
- Moved TAM, revenue paths, analytical frames, strategy/IP links to _index.org
- _index.org is now the navigation hub with roadmap table and all catalog links
2026-05-24 19:31:13 +00:00

41 lines
4.4 KiB
Org Mode
Raw Blame History

:PROPERTIES:
:CREATED: [2026-05-24 Sun]
:ID: 1c3ec48b-446c-50d2-b53e-126a81f5143f
:ID: a1fac32a-47de-5fbd-b67d-29152c851747
:ID: 42c86e6f-4f27-4993-8238-b7bc7d15fb7b
:END:
#+title: Passepartout — A Verifiable Personal Intelligence
#+filetags: :passepartout:architecture:
Every layer of the modern computing stack — hardware, firmware, OS, compiler, runtime, network, application — is independently built and independently untrusted. Security is empirical: "no bugs found in this release" does not mean no bugs exist. We live with a patching treadmill, with CVEs treated as inevitable, with compliance audits that attest to process rather than proving correctness.
Passepartout replaces the entire stack with a single coherent architecture where the same gate stack verifies everything and the same prover proves everything consistent.
**One project, one image, one verified memory graph.**
Three subsystems compose into a single system:
- **Verification subsystem** — A gate that evaluates every proposed action — from the user, the LLM, or a network message — against formal policy before allowing it. Combines ACL2-verified decision procedures for security-critical checks with a probabilistic LLM for natural-language reasoning. The gate checks shell commands, DIDComm messages, and LLM-generated action proposals through the same decision procedure. Root as an attack target does not exist.
- **Environment subsystem** — A single Lisp image where editor (Lish), browser (Nyxt), shell (Lish), and agent coexist. No separate daemons, no IPC boundaries, no trust transitions between components. One address space, one evaluated memory graph, no MMU to attack. The distinction between tool and self dissolves.
- **Social protocol** — Self-sovereign DID identity, DIDComm encrypted messaging, personal data store, relay network, compute marketplace, liquid democracy. The protocol that connects Passepartout instances to each other. Every message is signed, DAG-tracked, and content-addressed. Communication becomes provable when you choose it to be.
All three subsystems operate in the same Lisp address space. All three are verified by the same ACL2 prover. The gate that authorizes a file read also authorizes a social protocol contract. The Merkle chain that proves a DIDComm message's provenance also proves the compiler output matches its source. There is one semantics, one proof, one machine.
**The staged approach:**
The full Lisp machine on custom silicon is the destination. But the path is designed so every stage delivers value independently.
Stage 0 is where we are — conventional Linux on x86, with Python (Hermes) as the agent runtime and gbrain as the knowledge store. Stage 1 adds message-level authentication with the social protocol. Stage 2 adds the verified gate as a software layer. Stage 3 is the Lisp machine emerging inside the host OS — SBCL image absorbing every interface into one address space. Stages 4 through 6 add in-process LLM inference, plist-native weights, and verified fine-tuning. Stage 7 is what remains when all computational threats are eliminated: physical, oracular, and specification limits that no machine can solve.
Each stage is usable. Each stage eliminates a class of threats that the previous stage could not. The migration from today's Hermes deployment to a full Passepartout machine is a progressive component swap, not a cut-over.
**What it means:**
When every action is gate-checked, every message is provable, and every computation runs on verified hardware, the security model shifts from empirical to deductive. Memory corruption — the dominant attack vector for decades — is structurally eliminated. Compiler backdoors are impossible because compilation is Lisp-to-Lisp within the verified evaluator. Malware has no execution path that bypasses the gate.
The downstream effects cascade: compliance becomes executable gate rules instead of annual audits. AI safety becomes a verified gate between the LLM and the action stream instead of probabilistic guardrails. The accumulated regression suite from every deployed instance becomes an industry certification — Underwriters Laboratory for AI.
Passepartout is not a product in an existing category. Verified infrastructure is a new category, and every existing category — cloud, AI, OS, social, payments, compliance, governance — eventually migrates into it because the alternative becomes indefensible.
Reference in New Issue View Git Blame Copy Permalink