SECS Sovereign

Deterministic Execution and Collapse Substrate for high risk systems. Constitutional. Identity-free. Replayable.

The fast-path runtime: deterministic collapse, identity-free ingress, and constitutional governance on every state transition. Built for high-risk systems — medical, aviation, robotics, defence — where replayable proof matters more than best-effort filtering.

SECS Sovereign is not a framework. It is a self-governing execution environment where signals traverse one irreversible emit chain, exit as governance proof or structural veto, and return the substrate to purity before the next cycle. Adaptors connect over HTTP; the core substrate does not change per vertical.

This page is the substrate specification. System diagrams live on Architecture; adaptor proofs on Vertical Surfaces. Governed adaptation (Phases A–E) lives on Neurotrophic OS — a separate layer that observes Sovereign output but never blocks the fast path.

Live proof

These specs describe the substrate. The Sovereign Terminal runs the same constitutional gates on Fly.io.

Core Principles

Deterministic

No Math.random, no bare Date.now, no non-seeded PRNG. Given the same inputs, the system always produces the same outputs.

Identity-Free

Zero PII. Thirteen constitutional fields — id, userId, accountId, sessionId, token, email, deviceId, and aliases — are stripped at ingress. Cookies, IP addresses, and fingerprints never enter the substrate.

Constitutional Governance

Governance filtration G₀–G₄ loads at boot and is immutable at runtime. The frozen constraint surface defines admissibility; the adaptation surface may move only within those bounds. Inadmissible inputs partition into six exhaustive veto classes (v₁–v₆) — structural impossibility, not policy rejection.

Physics, Not Content

The Perimeter Engine enforces rate, volume, and burst constraints based on observable measurables — latency, count, size — never content or intent.

Runtime Stack

Sovereign owns ingress through emit. Layer diagrams and collapse operators are on System Architecture; per-vertical compliance proofs on Vertical Surfaces.

Perimeter Engine Ingress

Rate, volume, burst — physics-only enforcement before any signal becomes a Spark. No content inspection. No identity fields admitted.

Atom Go

Bootstrap kernel. Loads doctrine, validates, activates seeds, dispatches messages. Atom governs movement and boundaries — it does not compute, route, or interpret payload content.

Substrate Runtime TypeScript

Collapse pipeline, burn orchestrator, adaptor boundary, dual-lane cockpit. Spark → Accept → Route → React → Extinguish → Emit on every cycle.

Certified Adaptors External

Industry verticals connect over HTTP only. Same substrate; different constraint surface per adaptor. STABLE and VOLATILE profiles share zero state.

Constitutional Hierarchy

G₀ Principles G₁ Algebra G₂ Axioms G₃ Surface G₄ Envelopes

Each layer inherits the constraints below. G₀–G₃ doctrine is frozen after boot; G₄ envelopes bound what the adaptation surface may tune — never what is admissible.

Exhaustive Veto Partition

From the Collapse Algebra paper: every inadmissible spark belongs to exactly one of six veto classes. Veto is domain restriction — the collapse operator is undefined, not merely declined. Mapped in production to the Governance Veto Matrix. See also Architecture and Glossary.

v₁ Axiom Violation

Foundational law breach. Input is not in the axiomatic possibility space.

v₂ Drift Introduction

Would shift the system trajectory away from the collapsed fixed point.

v₃ Identity Emergence

Payload carries identity content. Structurally excluded at ingress.

v₄ Invariant Breach

Would cause a constitutional invariant to become false.

v₅ Corruption Attempt

Targets the constitutional layer — privilege escalation, jailbreak, doctrine tampering.

v₆ Deployment Instability

Would render deployment state inconsistent. Blocked before live commit.

Technical Specification

Implementation

LanguageGo (kernel) + TypeScript (runtime)
Go dispatch7.05 ns/op, zero allocations
Test suites133 suites · 1,695 tests · 0 failures
Guardrail suiteIdentity leaks, non-determinism, governance drift
DeploymentSingle-container monolith (Docker / Fly.io / bare metal)

Execution Pipeline

Spark Accept α Route λ React ρ Extinguish ε Emit
  • Governance proof — HMAC-signed certificate; replayable for audit, raw signal not persisted
  • Deterministic replay — SubstrateClock + seeded PRNG, no wall-clock dependency
  • Structural veto — inadmissible signals are impossible, not queued or retried
  • Identity-free processing — 13 forbidden fields stripped before Accept

Observed Performance

Stable stream4.0 RPS governed target, maintained over 60-minute burns
Volatile stream~1,031 RPS sustained (physics-limited, no throttling)
60-min burn46,682 requests · 99.95% success · zero drift
24hr burnRemote API poll campaign (Feb 2026) — ~93% success at peak cycle · ~380 ms baseline latency
6h robotic soak979,169 envelopes · 99.77% adaptor success · ~291 ms mean latency (R-LIVE-004, Jun 2026)
Mode separationZero cross-contamination between STABLE / VOLATILE lanes

The substrate records timing, RPS, and governance purity — not business message content. Long-running workflow proof uses an append-only envelope sidecar (envelopes.jsonl) outside the hot path.

Neurotrophic Layer

Phases A–E observe fast-path output and adjust the adaptation surface within frozen bounds. Phase E live-wired Jun 2026 — see observed adaptation. They do not run on Sovereign by default — that is the Neurotrophic OS product layer.

  • Phase A — homeostasis: rate, latency, error, throughput
  • Phase B — structural plasticity within constraint surface
  • Phase C — cross-domain fault repair before learning resumes
  • Phases D–E — temporal and meta-learning; Founder-defined rewards only

Version History

v1.0Substrate launch — deterministic core, identity-free, constitutional governance
v1.2Constitutional deployment — Fly.io, JRASS→SECS cleanup, 41+ files
v1.3Doctrinal burn — 60-min cycle, 34/34 outcomes proved, canonical naming
v1.4Neurotrophic surface — homeostasis, structural plasticity, trophic bridge
v1.5Temporal learning — Hebbian/STDP rules, 133 suites, 1,695 tests

Dual-Lane Cockpit

  • Side-by-side STABLE + VOLATILE dashboards, zero cross-contamination
  • 6 KPI surfaces per lane: Rate, Timing, Reliability, Load, Governance, Health
  • 30-minute history sparklines (RPS, Latency, Errors, Bytes)
  • Governance gauge with throttle-rate colour coding
  • Auto-refreshing every 5 s with independent fetch cycles

Vertical Adaptors

Eleven vertical surfaces. Same substrate. Zero core changes.
Each adaptor tightens its own constraint surface — never loosens constitutional bounds. How vertical configuration works. Proven means architecturally compatible with cited regulation, not third-party certified.

Healthcare

HIPAA · FDA 21 CFR Part 11

Imaging scan flagged for follow-up. Regulator asks: can you prove no patient-identifiable data influenced the governance decision?

Anomaly: 3 Drift: 0.5 Veto: 2

Fintech

MiFID II · SOX

AI agent recommends a trade. Regulator asks: would it make the same decision again given the same input?

Anomaly: 5 Drift: 0.7 Veto: 3

Defence

NATO STANAG 4586 · MIL-STD-882E

Autonomous system makes a targeting recommendation. Review board asks: can you prove the decision chain was untampered?

Anomaly: 2 Drift: 0.3 Veto: 1

Energy

NERC CIP · IEC 62443

AI manages grid load balancing. Auditor asks: can you prove the decision chain was not compromised?

Anomaly: 2 Drift: 0.3 Veto: 1

Automotive

ISO 26262 · SOTIF (ISO 21448)

Sensor fusion informs a driving decision. Regulator asks: can you prove the decision was free of identity-based bias?

Anomaly: 2 Drift: 0.2 Veto: 1

Cybersecurity

NIST CSF 2.0 · SOC 2 Type II

SOC correlates telemetry and escalates. Auditor asks: can you prove the alert pipeline was not tampered with?

Anomaly: 3 Drift: 0.5 Veto: 2

EdTech

FERPA · COPPA · EU GDPR Art. 22

Adaptive learning recommends content. Parent asks: can you prove no student identity influenced the output?

Anomaly: 4 Drift: 0.6 Veto: 3

Insurance

Solvency II · IDD

Underwriting engine prices a policy. Regulator asks: can you prove no policyholder identity influenced the risk calculation?

Anomaly: 4 Drift: 0.6 Veto: 3

Legal

EU AI Act Art. 14 · ECHR Art. 6

AI recommends a sentencing range. Judge asks: can you prove no individual identity biased the output?

Anomaly: 3 Drift: 0.4 Veto: 2

Governed AI

Enterprise guardrails · drift governance

Agent deletes a file or drifts outside its envelope. Operator asks: can you replay the full authority chain and revoke the adaptor instantly?

Anomaly: 3 Drift: 0.5 Veto: 2

Supply Chain

EU CSRD · CSDDD · Basel III

AI scores supplier risk. Auditor asks: can you prove no supplier identity biased the assessment?

Anomaly: 5 Drift: 0.6 Veto: 3

Anomaly = anomalyThreshold  ·  Drift = severeDriftMagnitude  ·  Veto = vetoFreqThreshold  ·  V1 defaults: 10 / 0.9 / 5 — lower = tighter governance