SECS Sovereign
Deterministic Execution and Collapse Substrate for high risk systems. Constitutional. Identity-free. Replayable.
The fast-path runtime: deterministic collapse, identity-free ingress, and constitutional governance on every state transition. Built for high-risk systems — medical, aviation, robotics, defence — where replayable proof matters more than best-effort filtering.
SECS Sovereign is not a framework. It is a self-governing execution environment where signals traverse one irreversible emit chain, exit as governance proof or structural veto, and return the substrate to purity before the next cycle. Adaptors connect over HTTP; the core substrate does not change per vertical.
This page is the substrate specification. System diagrams live on Architecture; adaptor proofs on Vertical Surfaces. Governed adaptation (Phases A–E) lives on Neurotrophic OS — a separate layer that observes Sovereign output but never blocks the fast path.
These specs describe the substrate. The Sovereign Terminal runs the same constitutional gates on Fly.io.
Core Principles
Deterministic
No Math.random, no bare Date.now, no non-seeded PRNG.
Given the same inputs, the system always produces the same outputs.
Identity-Free
Zero PII. Thirteen constitutional fields —
id, userId, accountId, sessionId,
token, email, deviceId, and aliases —
are stripped at ingress. Cookies, IP addresses, and fingerprints never enter the substrate.
Constitutional Governance
Governance filtration G₀–G₄ loads at boot and is immutable at runtime. The frozen constraint surface defines admissibility; the adaptation surface may move only within those bounds. Inadmissible inputs partition into six exhaustive veto classes (v₁–v₆) — structural impossibility, not policy rejection.
Physics, Not Content
The Perimeter Engine enforces rate, volume, and burst constraints based on observable measurables — latency, count, size — never content or intent.
Runtime Stack
Sovereign owns ingress through emit. Layer diagrams and collapse operators are on System Architecture; per-vertical compliance proofs on Vertical Surfaces.
Rate, volume, burst — physics-only enforcement before any signal becomes a Spark. No content inspection. No identity fields admitted.
Bootstrap kernel. Loads doctrine, validates, activates seeds, dispatches messages. Atom governs movement and boundaries — it does not compute, route, or interpret payload content.
Collapse pipeline, burn orchestrator, adaptor boundary, dual-lane cockpit. Spark → Accept → Route → React → Extinguish → Emit on every cycle.
Industry verticals connect over HTTP only. Same substrate; different constraint surface per adaptor. STABLE and VOLATILE profiles share zero state.
Constitutional Hierarchy
Each layer inherits the constraints below. G₀–G₃ doctrine is frozen after boot; G₄ envelopes bound what the adaptation surface may tune — never what is admissible.
Exhaustive Veto Partition
From the Collapse Algebra paper: every inadmissible spark belongs to exactly one of six veto classes. Veto is domain restriction — the collapse operator is undefined, not merely declined. Mapped in production to the Governance Veto Matrix. See also Architecture and Glossary.
Foundational law breach. Input is not in the axiomatic possibility space.
Would shift the system trajectory away from the collapsed fixed point.
Payload carries identity content. Structurally excluded at ingress.
Would cause a constitutional invariant to become false.
Targets the constitutional layer — privilege escalation, jailbreak, doctrine tampering.
Would render deployment state inconsistent. Blocked before live commit.
Technical Specification
Implementation
| Language | Go (kernel) + TypeScript (runtime) |
| Go dispatch | 7.05 ns/op, zero allocations |
| Test suites | 133 suites · 1,695 tests · 0 failures |
| Guardrail suite | Identity leaks, non-determinism, governance drift |
| Deployment | Single-container monolith (Docker / Fly.io / bare metal) |
Execution Pipeline
- Governance proof — HMAC-signed certificate; replayable for audit, raw signal not persisted
- Deterministic replay — SubstrateClock + seeded PRNG, no wall-clock dependency
- Structural veto — inadmissible signals are impossible, not queued or retried
- Identity-free processing — 13 forbidden fields stripped before Accept
Observed Performance
| Stable stream | 4.0 RPS governed target, maintained over 60-minute burns |
| Volatile stream | ~1,031 RPS sustained (physics-limited, no throttling) |
| 60-min burn | 46,682 requests · 99.95% success · zero drift |
| 24hr burn | Remote API poll campaign (Feb 2026) — ~93% success at peak cycle · ~380 ms baseline latency |
| 6h robotic soak | 979,169 envelopes · 99.77% adaptor success · ~291 ms mean latency (R-LIVE-004, Jun 2026) |
| Mode separation | Zero cross-contamination between STABLE / VOLATILE lanes |
The substrate records timing, RPS, and governance purity — not business message content. Long-running workflow proof uses an append-only envelope sidecar (envelopes.jsonl) outside the hot path.
Neurotrophic Layer
Phases A–E observe fast-path output and adjust the adaptation surface within frozen bounds. Phase E live-wired Jun 2026 — see observed adaptation. They do not run on Sovereign by default — that is the Neurotrophic OS product layer.
- Phase A — homeostasis: rate, latency, error, throughput
- Phase B — structural plasticity within constraint surface
- Phase C — cross-domain fault repair before learning resumes
- Phases D–E — temporal and meta-learning; Founder-defined rewards only
Version History
| v1.0 | Substrate launch — deterministic core, identity-free, constitutional governance |
| v1.2 | Constitutional deployment — Fly.io, JRASS→SECS cleanup, 41+ files |
| v1.3 | Doctrinal burn — 60-min cycle, 34/34 outcomes proved, canonical naming |
| v1.4 | Neurotrophic surface — homeostasis, structural plasticity, trophic bridge |
| v1.5 | Temporal learning — Hebbian/STDP rules, 133 suites, 1,695 tests |
Dual-Lane Cockpit
- Side-by-side STABLE + VOLATILE dashboards, zero cross-contamination
- 6 KPI surfaces per lane: Rate, Timing, Reliability, Load, Governance, Health
- 30-minute history sparklines (RPS, Latency, Errors, Bytes)
- Governance gauge with throttle-rate colour coding
- Auto-refreshing every 5 s with independent fetch cycles
Vertical Adaptors
Eleven vertical surfaces. Same substrate. Zero core changes.
Each adaptor tightens its own constraint surface — never loosens constitutional bounds.
How vertical configuration works.
Proven means architecturally compatible with cited regulation, not third-party certified.
Healthcare
HIPAA · FDA 21 CFR Part 11
Imaging scan flagged for follow-up. Regulator asks: can you prove no patient-identifiable data influenced the governance decision?
Fintech
MiFID II · SOX
AI agent recommends a trade. Regulator asks: would it make the same decision again given the same input?
Defence
NATO STANAG 4586 · MIL-STD-882E
Autonomous system makes a targeting recommendation. Review board asks: can you prove the decision chain was untampered?
Energy
NERC CIP · IEC 62443
AI manages grid load balancing. Auditor asks: can you prove the decision chain was not compromised?
Automotive
ISO 26262 · SOTIF (ISO 21448)
Sensor fusion informs a driving decision. Regulator asks: can you prove the decision was free of identity-based bias?
Cybersecurity
NIST CSF 2.0 · SOC 2 Type II
SOC correlates telemetry and escalates. Auditor asks: can you prove the alert pipeline was not tampered with?
EdTech
FERPA · COPPA · EU GDPR Art. 22
Adaptive learning recommends content. Parent asks: can you prove no student identity influenced the output?
Insurance
Solvency II · IDD
Underwriting engine prices a policy. Regulator asks: can you prove no policyholder identity influenced the risk calculation?
Legal
EU AI Act Art. 14 · ECHR Art. 6
AI recommends a sentencing range. Judge asks: can you prove no individual identity biased the output?
Governed AI
Enterprise guardrails · drift governance
Agent deletes a file or drifts outside its envelope. Operator asks: can you replay the full authority chain and revoke the adaptor instantly?
Supply Chain
EU CSRD · CSDDD · Basel III
AI scores supplier risk. Auditor asks: can you prove no supplier identity biased the assessment?
Anomaly = anomalyThreshold ·
Drift = severeDriftMagnitude ·
Veto = vetoFreqThreshold ·
V1 defaults: 10 / 0.9 / 5 — lower = tighter governance