@neuroverseos/governance 0.4.0 → 0.5.0

package/dist/spatial/index.js

@@ -0,0 +1,633 @@
+import "../chunk-QWGCMQQD.js";
+
+// src/spatial/types.ts
+var DEFAULT_ZONE_RULES = {
+  camera: "allowed",
+  microphone: "allowed",
+  aiDataSend: "allowed",
+  aiActions: "allowed",
+  aiRecommendations: "allowed",
+  locationSharing: "allowed",
+  aiOverlay: "allowed",
+  dataRetention: "allowed",
+  commercialAI: "allowed",
+  bystanderProtection: "standard"
+};
+var DEFAULT_PARTICIPANT_CONSTRAINTS = {
+  cameraMinimum: "allowed",
+  microphoneMinimum: "allowed",
+  aiDataSendMinimum: "allowed",
+  aiRecommendationsMinimum: "allowed",
+  dataRetentionMinimum: "allowed",
+  bystanderProtectionMinimum: "standard"
+};
+
+// src/spatial/engine.ts
+var CAMERA_ORDER = ["allowed", "confirm_each", "blocked"];
+var MIC_ORDER = ["allowed", "confirm_each", "blocked"];
+var AI_DATA_ORDER = ["allowed", "declared_only", "confirm_each", "blocked"];
+var AI_ACTION_ORDER = ["allowed", "confirm_all", "blocked"];
+var AI_REC_ORDER = ["allowed", "non_commercial", "blocked"];
+var LOCATION_ORDER = ["allowed", "confirm_each", "blocked"];
+var OVERLAY_ORDER = ["allowed", "non_obstructive", "blocked"];
+var RETENTION_ORDER = ["allowed", "session_only", "blocked"];
+var COMMERCIAL_ORDER = ["allowed", "blocked"];
+var BYSTANDER_ORDER = ["standard", "elevated", "strict"];
+function mostRestrictive(a, b, order) {
+  const idxA = order.indexOf(a);
+  const idxB = order.indexOf(b);
+  return idxA >= idxB ? a : b;
+}
+function mergeRules(a, b) {
+  return {
+    camera: mostRestrictive(a.camera, b.camera, CAMERA_ORDER),
+    microphone: mostRestrictive(a.microphone, b.microphone, MIC_ORDER),
+    aiDataSend: mostRestrictive(a.aiDataSend, b.aiDataSend, AI_DATA_ORDER),
+    aiActions: mostRestrictive(a.aiActions, b.aiActions, AI_ACTION_ORDER),
+    aiRecommendations: mostRestrictive(a.aiRecommendations, b.aiRecommendations, AI_REC_ORDER),
+    locationSharing: mostRestrictive(a.locationSharing, b.locationSharing, LOCATION_ORDER),
+    aiOverlay: mostRestrictive(a.aiOverlay, b.aiOverlay, OVERLAY_ORDER),
+    dataRetention: mostRestrictive(a.dataRetention, b.dataRetention, RETENTION_ORDER),
+    commercialAI: mostRestrictive(a.commercialAI, b.commercialAI, COMMERCIAL_ORDER),
+    bystanderProtection: mostRestrictive(a.bystanderProtection, b.bystanderProtection, BYSTANDER_ORDER),
+    custom: [...a.custom ?? [], ...b.custom ?? []]
+  };
+}
+function constraintsToRules(c) {
+  return {
+    ...DEFAULT_ZONE_RULES,
+    camera: c.cameraMinimum,
+    microphone: c.microphoneMinimum,
+    aiDataSend: c.aiDataSendMinimum,
+    aiRecommendations: c.aiRecommendationsMinimum,
+    dataRetention: c.dataRetentionMinimum,
+    bystanderProtection: c.bystanderProtectionMinimum
+  };
+}
+function createOptIn(zone, userOverrides = {}, method = "tap_confirm") {
+  const sessionId = `spatial-${zone.zoneId}-${Date.now()}`;
+  const overrideRules = {
+    ...DEFAULT_ZONE_RULES,
+    ...userOverrides
+  };
+  const effectiveRules = mergeRules(zone.rules, overrideRules);
+  return {
+    zoneId: zone.zoneId,
+    optedInAt: Date.now(),
+    method,
+    acceptedRules: zone.rules,
+    userOverrides,
+    effectiveRules,
+    sessionId
+  };
+}
+function startHandshake(initiator, initiatorId, zoneId) {
+  const handshakeId = `handshake-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`;
+  const now = Date.now();
+  const participant = {
+    participantId: initiatorId,
+    publishedConstraints: initiator,
+    joinedAt: now,
+    acknowledged: true
+  };
+  return {
+    handshakeId,
+    participants: [participant],
+    negotiatedRules: constraintsToRules(initiator),
+    zoneId,
+    createdAt: now,
+    lastNegotiatedAt: now,
+    state: "active"
+  };
+}
+function joinHandshake(handshake, constraints, participantId) {
+  const now = Date.now();
+  const newParticipant = {
+    participantId,
+    publishedConstraints: constraints,
+    joinedAt: now,
+    acknowledged: false
+  };
+  const participants = [...handshake.participants, newParticipant];
+  const negotiatedRules = negotiateHandshake(participants);
+  return {
+    ...handshake,
+    participants,
+    negotiatedRules,
+    lastNegotiatedAt: now
+  };
+}
+function leaveHandshake(handshake, participantId) {
+  const participants = handshake.participants.filter(
+    (p) => p.participantId !== participantId
+  );
+  if (participants.length < 2) {
+    return {
+      ...handshake,
+      participants,
+      state: "dissolved",
+      lastNegotiatedAt: Date.now(),
+      negotiatedRules: participants.length === 1 ? constraintsToRules(participants[0].publishedConstraints) : DEFAULT_ZONE_RULES
+    };
+  }
+  return {
+    ...handshake,
+    participants,
+    negotiatedRules: negotiateHandshake(participants),
+    lastNegotiatedAt: Date.now()
+  };
+}
+function negotiateHandshake(participants) {
+  if (participants.length === 0) return DEFAULT_ZONE_RULES;
+  let result = constraintsToRules(participants[0].publishedConstraints);
+  for (let i = 1; i < participants.length; i++) {
+    const participantRules = constraintsToRules(participants[i].publishedConstraints);
+    result = mergeRules(result, participantRules);
+  }
+  return result;
+}
+function createSession() {
+  return {
+    sessionId: `session-${Date.now()}-${Math.random().toString(36).slice(2, 8)}`,
+    effectiveRules: DEFAULT_ZONE_RULES,
+    state: "discovering",
+    startedAt: Date.now(),
+    endedAt: null,
+    events: []
+  };
+}
+function applyZoneToSession(session, zone, optIn) {
+  const event = {
+    type: "zone_opted_in",
+    zoneId: zone.zoneId,
+    timestamp: Date.now()
+  };
+  const baseRules = session.handshake ? session.handshake.negotiatedRules : DEFAULT_ZONE_RULES;
+  const effectiveRules = mergeRules(baseRules, optIn.effectiveRules);
+  return {
+    ...session,
+    zone,
+    optIn,
+    effectiveRules,
+    state: session.handshake ? "handshake_active" : "opted_in",
+    events: [...session.events, event]
+  };
+}
+function applyHandshakeToSession(session, handshake) {
+  const event = {
+    type: "handshake_negotiated",
+    handshakeId: handshake.handshakeId,
+    timestamp: Date.now()
+  };
+  const baseRules = session.optIn ? session.optIn.effectiveRules : DEFAULT_ZONE_RULES;
+  const effectiveRules = mergeRules(baseRules, handshake.negotiatedRules);
+  return {
+    ...session,
+    handshake,
+    effectiveRules,
+    state: "handshake_active",
+    events: [...session.events, event]
+  };
+}
+function exitZone(session) {
+  if (!session.zone) return session;
+  const event = {
+    type: "zone_exited",
+    zoneId: session.zone.zoneId,
+    timestamp: Date.now()
+  };
+  const effectiveRules = session.handshake ? session.handshake.negotiatedRules : DEFAULT_ZONE_RULES;
+  return {
+    ...session,
+    zone: void 0,
+    optIn: void 0,
+    effectiveRules,
+    state: session.handshake ? "handshake_active" : "discovering",
+    events: [...session.events, event]
+  };
+}
+function endSession(session) {
+  return {
+    ...session,
+    state: "ended",
+    endedAt: Date.now(),
+    effectiveRules: DEFAULT_ZONE_RULES
+  };
+}
+var INTENT_TO_RULE = {
+  // Camera intents
+  "photo_capture": "camera",
+  "stream_start": "camera",
+  "restream_start": "camera",
+  // Microphone intents
+  "transcription_start": "microphone",
+  "translation_start": "microphone",
+  "phone_passthrough_start": "microphone",
+  // AI data intents
+  "ai_send_transcription": "aiDataSend",
+  "ai_send_image": "aiDataSend",
+  "ai_send_location": "aiDataSend",
+  // AI action intents
+  "ai_auto_action": "aiActions",
+  "ai_auto_purchase": "aiActions",
+  "ai_auto_respond_message": "aiActions",
+  // AI overlay intents
+  "display_text_wall": "aiOverlay",
+  "display_double_text_wall": "aiOverlay",
+  "display_image": "aiOverlay",
+  // Data retention
+  "ai_retain_session_data": "dataRetention",
+  // Location
+  "location_get_current": "locationSharing",
+  "location_start_tracking": "locationSharing",
+  // Third-party sharing
+  "ai_share_with_third_party": "aiDataSend"
+};
+function evaluateSpatial(intent, session) {
+  const ruleKey = INTENT_TO_RULE[intent];
+  if (!ruleKey) {
+    return {
+      allowed: true,
+      requiresConfirmation: false,
+      blockedBy: "none",
+      reason: "Intent not governed by spatial rules",
+      rule: "none"
+    };
+  }
+  const effectiveValue = session.effectiveRules[ruleKey];
+  if (effectiveValue === "blocked") {
+    const zoneBlocks = session.zone && session.optIn?.effectiveRules[ruleKey] === "blocked";
+    const handshakeBlocks = session.handshake && session.handshake.negotiatedRules[ruleKey] === "blocked";
+    let blockedBy = "none";
+    if (zoneBlocks && handshakeBlocks) blockedBy = "zone+handshake";
+    else if (zoneBlocks) blockedBy = "zone";
+    else if (handshakeBlocks) blockedBy = "handshake";
+    const source = blockedBy === "zone" ? `zone "${session.zone?.name}"` : blockedBy === "handshake" ? `handshake (${session.handshake?.participants.length} participants)` : blockedBy === "zone+handshake" ? `zone "${session.zone?.name}" + handshake` : "spatial rules";
+    return {
+      allowed: false,
+      requiresConfirmation: false,
+      blockedBy,
+      reason: `${intent} blocked by ${source}: ${ruleKey} = blocked`,
+      rule: ruleKey
+    };
+  }
+  if (effectiveValue === "confirm_each" || effectiveValue === "confirm_all" || effectiveValue === "non_obstructive" || effectiveValue === "non_commercial" || effectiveValue === "session_only" || effectiveValue === "declared_only") {
+    return {
+      allowed: false,
+      requiresConfirmation: true,
+      blockedBy: "none",
+      reason: `${intent} requires confirmation: ${ruleKey} = ${effectiveValue}`,
+      rule: ruleKey
+    };
+  }
+  return {
+    allowed: true,
+    requiresConfirmation: false,
+    blockedBy: "none",
+    reason: `${intent} allowed by spatial rules`,
+    rule: ruleKey
+  };
+}
+function activateEmergencyOverride(session) {
+  const event = {
+    type: "zone_exited",
+    zoneId: session.zone?.zoneId ?? "emergency",
+    timestamp: Date.now()
+  };
+  return {
+    ...session,
+    effectiveRules: DEFAULT_ZONE_RULES,
+    // Everything allowed
+    state: "active",
+    events: [...session.events, event]
+  };
+}
+function evaluateSpatialEmergency(_intent) {
+  return {
+    allowed: true,
+    requiresConfirmation: false,
+    blockedBy: "none",
+    reason: "Emergency override active \u2014 all spatial rules bypassed",
+    rule: "emergency"
+  };
+}
+var ZONE_TEMPLATES = {
+  /** Coffee shop — relaxed, but no recording without asking */
+  cafe: {
+    ...DEFAULT_ZONE_RULES,
+    camera: "confirm_each",
+    microphone: "allowed",
+    aiRecommendations: "non_commercial",
+    bystanderProtection: "elevated"
+  },
+  /** Hospital — strict, PHI-aware, no unauthorized recording */
+  healthcare: {
+    ...DEFAULT_ZONE_RULES,
+    camera: "blocked",
+    microphone: "confirm_each",
+    aiDataSend: "confirm_each",
+    aiActions: "blocked",
+    aiRecommendations: "blocked",
+    locationSharing: "blocked",
+    dataRetention: "blocked",
+    commercialAI: "blocked",
+    bystanderProtection: "strict"
+  },
+  /** Retail store — allow browsing AI, block price surveillance */
+  retail: {
+    ...DEFAULT_ZONE_RULES,
+    camera: "confirm_each",
+    aiRecommendations: "non_commercial",
+    commercialAI: "blocked",
+    bystanderProtection: "elevated"
+  },
+  /** Office / workplace — allow productivity AI, restrict recording */
+  workplace: {
+    ...DEFAULT_ZONE_RULES,
+    camera: "blocked",
+    microphone: "confirm_each",
+    aiDataSend: "declared_only",
+    dataRetention: "session_only",
+    bystanderProtection: "elevated"
+  },
+  /** Concert / live event — no recording, no streaming */
+  entertainment: {
+    ...DEFAULT_ZONE_RULES,
+    camera: "blocked",
+    microphone: "blocked",
+    aiOverlay: "non_obstructive",
+    dataRetention: "blocked",
+    bystanderProtection: "strict"
+  },
+  /** Library / museum — quiet, no recording, non-obstructive only */
+  education: {
+    ...DEFAULT_ZONE_RULES,
+    camera: "blocked",
+    microphone: "blocked",
+    aiOverlay: "non_obstructive",
+    aiRecommendations: "non_commercial",
+    commercialAI: "blocked",
+    bystanderProtection: "elevated"
+  },
+  /** Religious space — absolute privacy and respect */
+  religious: {
+    ...DEFAULT_ZONE_RULES,
+    camera: "blocked",
+    microphone: "blocked",
+    aiDataSend: "blocked",
+    aiActions: "blocked",
+    aiRecommendations: "blocked",
+    aiOverlay: "blocked",
+    dataRetention: "blocked",
+    commercialAI: "blocked",
+    bystanderProtection: "strict"
+  },
+  /** Home — fully permissive (user's own space) */
+  home: {
+    ...DEFAULT_ZONE_RULES
+  },
+  /** Public transit — moderate restrictions */
+  transit: {
+    ...DEFAULT_ZONE_RULES,
+    camera: "confirm_each",
+    microphone: "allowed",
+    bystanderProtection: "elevated"
+  }
+};
+
+// src/spatial/zones/example-zones.ts
+var BLUE_BOTTLE_HAYES = {
+  zoneId: "zone-bluebottle-hayes-001",
+  name: "Blue Bottle Coffee \u2014 Hayes Valley",
+  publisher: {
+    name: "Blue Bottle Coffee",
+    type: "business",
+    verified: true
+  },
+  rules: {
+    ...ZONE_TEMPLATES.cafe,
+    // Blue Bottle addition: no AI product recommendations (respect the craft)
+    custom: [{
+      id: "no-product-recs",
+      description: "No AI-generated product recommendations in our space",
+      targetIntent: "ai_recommend_product",
+      effect: "block",
+      rationale: "We curate our own experience. Ask our baristas, not your AI."
+    }]
+  },
+  discovery: { method: "auki_anchor", anchorId: "auki-bb-hayes-001", confidence: 0.95 },
+  type: "hospitality",
+  requiresOptIn: false,
+  rationale: "A coffee shop where people work, talk, and think. We protect the vibe and the people in it.",
+  rulesUpdatedAt: Date.now(),
+  version: "1.0.0"
+};
+var UCSF_MEDICAL = {
+  zoneId: "zone-ucsf-medical-001",
+  name: "UCSF Medical Center \u2014 Main Campus",
+  publisher: {
+    name: "UCSF Health",
+    type: "institution",
+    verified: true
+  },
+  rules: {
+    ...ZONE_TEMPLATES.healthcare,
+    custom: [
+      {
+        id: "phi-in-network",
+        description: "No patient health information may be sent to AI providers outside the UCSF network",
+        targetIntent: "ai_send_transcription",
+        effect: "block",
+        rationale: "HIPAA compliance. PHI stays in-network."
+      },
+      {
+        id: "no-clinical-ai-action",
+        description: "AI cannot take autonomous clinical actions",
+        targetIntent: "ai_auto_action",
+        effect: "block",
+        rationale: "Clinical decisions require licensed physician confirmation."
+      }
+    ]
+  },
+  discovery: { method: "ble_beacon", beaconId: "ucsf-main-lobby-001", rssi: -65 },
+  type: "healthcare",
+  requiresOptIn: true,
+  rationale: "A hospital where patients, families, and staff deserve absolute privacy. Recording is prohibited. AI actions require clinical oversight. Patient data never leaves our network.",
+  rulesUpdatedAt: Date.now(),
+  version: "2.0.0"
+};
+var APPLE_UNION_SQUARE = {
+  zoneId: "zone-apple-unisonq-001",
+  name: "Apple Union Square",
+  publisher: {
+    name: "Apple Inc.",
+    type: "business",
+    verified: true
+  },
+  rules: {
+    ...ZONE_TEMPLATES.retail,
+    camera: "blocked",
+    // No photos of displays / unreleased products
+    custom: [
+      {
+        id: "no-price-comparison",
+        description: "No AI-powered real-time price comparison while in store",
+        targetIntent: "ai_compare_prices",
+        effect: "block",
+        rationale: "Respect our retail experience. Compare prices on your own time."
+      },
+      {
+        id: "no-product-scanning",
+        description: "No AI scanning of unreleased or display products",
+        targetIntent: "ai_send_image",
+        effect: "block",
+        rationale: "Display products may include unreleased items under NDA."
+      }
+    ]
+  },
+  discovery: { method: "ble_beacon", beaconId: "apple-usq-main-001", rssi: -60 },
+  type: "retail",
+  requiresOptIn: false,
+  rationale: "A retail experience designed to be explored in person. No AI product scanning, no real-time price comparison, no unauthorized recording of displays.",
+  rulesUpdatedAt: Date.now(),
+  version: "1.0.0"
+};
+var CHASE_CENTER = {
+  zoneId: "zone-chase-center-001",
+  name: "Chase Center",
+  publisher: {
+    name: "Chase Center / GSW",
+    type: "business",
+    verified: true
+  },
+  rules: {
+    ...ZONE_TEMPLATES.entertainment,
+    custom: [{
+      id: "no-event-recording",
+      description: "No audio or video recording of live performances",
+      targetIntent: "stream_start",
+      effect: "block",
+      rationale: "Live performance rights. Recording violates artist/league agreements."
+    }]
+  },
+  discovery: { method: "geofence", lat: 37.768, lng: -122.3877, radiusMeters: 200 },
+  type: "entertainment",
+  requiresOptIn: true,
+  rationale: "A live event venue. No recording of performances. No streaming. AR overlays must not obstruct the live experience. Strict bystander protection for 18,000+ attendees.",
+  rulesUpdatedAt: Date.now(),
+  version: "1.0.0"
+};
+var WEWORK_SOMA = {
+  zoneId: "zone-wework-soma-001",
+  name: "WeWork \u2014 SoMa",
+  publisher: {
+    name: "WeWork",
+    type: "business",
+    verified: true
+  },
+  rules: {
+    ...ZONE_TEMPLATES.workplace,
+    aiDataSend: "allowed",
+    // Productivity AI is the whole point
+    aiOverlay: "allowed",
+    // AR workspace tools welcome
+    custom: [{
+      id: "no-competitor-intel",
+      description: "No AI analysis of other tenants' visible screens or conversations",
+      targetIntent: "ai_send_image",
+      effect: "confirm",
+      rationale: "Shared workspace. Respect other tenants' IP and privacy."
+    }]
+  },
+  discovery: { method: "auki_anchor", anchorId: "auki-wework-soma-floor3", confidence: 0.92 },
+  type: "workplace",
+  requiresOptIn: false,
+  rationale: "A shared workspace where productivity AI is welcome but recording is restricted. Other tenants' work is their own \u2014 no AI should analyze it.",
+  rulesUpdatedAt: Date.now(),
+  version: "1.0.0"
+};
+var SFMOMA = {
+  zoneId: "zone-sfmoma-001",
+  name: "SFMOMA",
+  publisher: {
+    name: "San Francisco Museum of Modern Art",
+    type: "institution",
+    verified: true
+  },
+  rules: {
+    ...ZONE_TEMPLATES.education,
+    aiRecommendations: "allowed",
+    // "Tell me about this painting" is great
+    aiDataSend: "declared_only",
+    // AI art analysis is part of the experience
+    custom: [{
+      id: "no-flash-no-stream",
+      description: "No flash photography or live streaming of exhibitions",
+      targetIntent: "stream_start",
+      effect: "block",
+      rationale: "Protect the art and the experience of other visitors."
+    }]
+  },
+  discovery: { method: "nfc_tap", tagId: "sfmoma-entrance-nfc-001" },
+  type: "education",
+  requiresOptIn: false,
+  rationale: "A museum where AI can enhance the art experience (tell me about this piece) but recording and streaming are prohibited. No commercial AI recommendations.",
+  rulesUpdatedAt: Date.now(),
+  version: "1.0.0"
+};
+var MY_HOME = {
+  zoneId: "zone-home-user-001",
+  name: "Home",
+  publisher: {
+    name: "You",
+    type: "individual",
+    verified: false
+  },
+  rules: {
+    ...ZONE_TEMPLATES.home
+    // Home is your space — fully permissive by default
+    // You can tighten it if you want (e.g., "no AI recording when guests are over")
+  },
+  discovery: { method: "geofence", lat: 37.7749, lng: -122.4194, radiusMeters: 50 },
+  type: "residential",
+  requiresOptIn: false,
+  rationale: "Your home. Your rules. Everything is allowed by default. Tighten as needed.",
+  rulesUpdatedAt: Date.now(),
+  version: "1.0.0"
+};
+var EXAMPLE_ZONES = [
+  BLUE_BOTTLE_HAYES,
+  UCSF_MEDICAL,
+  APPLE_UNION_SQUARE,
+  CHASE_CENTER,
+  WEWORK_SOMA,
+  SFMOMA,
+  MY_HOME
+];
+export {
+  APPLE_UNION_SQUARE,
+  BLUE_BOTTLE_HAYES,
+  CHASE_CENTER,
+  DEFAULT_PARTICIPANT_CONSTRAINTS,
+  DEFAULT_ZONE_RULES,
+  EXAMPLE_ZONES,
+  MY_HOME,
+  SFMOMA,
+  UCSF_MEDICAL,
+  WEWORK_SOMA,
+  ZONE_TEMPLATES,
+  activateEmergencyOverride,
+  applyHandshakeToSession,
+  applyZoneToSession,
+  constraintsToRules,
+  createOptIn,
+  createSession,
+  endSession,
+  evaluateSpatial,
+  evaluateSpatialEmergency,
+  exitZone,
+  joinHandshake,
+  leaveHandshake,
+  mergeRules,
+  startHandshake
+};

package/dist/worlds/mentraos-spatial.nv-world.md

@@ -0,0 +1,68 @@
+---
+world_id: mentraos-spatial
+name: "MentraOS Spatial Governance"
+version: "1.0.0"
+runtime_mode: COMPLIANCE
+description: >
+  Spatial governance layer for MentraOS smart glasses. Activates when
+  glasses detect zones (via Auki anchors, BLE, geofence) or nearby
+  participants (multi-user handshake). Rules are temporary — they apply
+  while you're in the space and dissolve when you leave.
+---
+
+# Thesis
+
+Smart glasses live in the real world. The rules that apply at home don't apply at a hospital. The rules that apply when you're alone don't apply when you're standing next to someone who doesn't want to be recorded. Spatial governance makes AI respect the physical context it operates in.
+
+This world governs the spatial layer — the bridge between physical location and AI behavior. It enforces three principles: (1) zones publish rules and users opt in explicitly, (2) when multiple AR users share a space their governance composes via handshake with "most restrictive wins," and (3) all spatial rules are temporary — they dissolve when you leave.
+
+This layer sits between user rules (which always win) and the platform world. A zone can tighten your rules, never relax them. A handshake participant can tighten the group, never relax it.
+
+# Invariants
+
+- `opt_in_required` — Users must explicitly accept a zone's rules before they apply. No zone can force governance on a user without consent. Discovery is passive; acceptance is active. (structural, immutable)
+- `most_restrictive_wins` — When zone rules, handshake rules, and user rules overlap, the most restrictive value for each field wins. A zone cannot relax your personal rules. A single handshake participant blocking recording means nobody records. (structural, immutable)
+- `rules_are_temporary` — Spatial rules apply only during the spatial session. When you leave a zone or a handshake dissolves, the rules dissolve with it. No spatial rule persists beyond the session. (structural, immutable)
+- `no_identity_leak` — Handshake negotiation shares governance constraints, not identity. "I require no recording" is a constraint, not a name. Participants are anonymous by default. (structural, immutable)
+- `zone_transparency` — When a zone's rules are active, the user must be able to see which zone they're in, what rules apply, and how to exit. No invisible governance. (structural, immutable)
+- `user_can_always_leave` — A user can exit any zone or leave any handshake at any time. Governance never traps the user. If you don't like the rules, you leave. Your personal rules remain. (structural, immutable)
+- `physics_over_policy` — Hardware constraints override spatial rules. If glasses don't have a camera, a zone rule allowing cameras is irrelevant. Physics always wins. (structural, immutable)
+- `bystander_default_protection` — In any space with non-consenting bystanders, the default is elevated bystander protection. Zones can tighten this to strict. No zone can lower it below standard. (structural, immutable)
+
+# State
+
+- `active_zone` — string, initial "none". The currently active zone ID.
+- `zone_opt_ins` — counter, initial 0. Number of zone opt-ins this session.
+- `zone_declines` — counter, initial 0. Number of zone opt-in declines.
+- `handshake_participants` — counter, initial 0. Current handshake participant count.
+- `handshake_negotiations` — counter, initial 0. Number of handshake re-negotiations.
+- `spatial_blocks` — counter, initial 0. Number of intents blocked by spatial rules.
+- `spatial_confirms` — counter, initial 0. Number of intents requiring spatial confirmation.
+- `spatial_trust` — score, initial 1.0, range [0.0, 1.0]. Spatial governance health score.
+
+# Assumptions
+
+- `standard` — Default spatial behavior. zone_opt_in_required=true, handshake_auto_join=false, bystander_protection=elevated, max_handshake_participants=10
+- `strict` — Privacy-first spatial. zone_opt_in_required=true, handshake_auto_join=false, bystander_protection=strict, max_handshake_participants=5
+- `open` — For controlled spaces (home, private office). zone_opt_in_required=false, handshake_auto_join=true, bystander_protection=standard, max_handshake_participants=20
+
+# Rules
+
+- `rule-001` — Zone rules applied without opt-in. trigger: zone_active AND NOT zone_opted_in → spatial_trust *= 0.10, BLOCK: "Zone rules cannot apply without your explicit opt-in."
+- `rule-002` — Handshake identity leaked. trigger: handshake_active AND identity_shared → spatial_trust *= 0.05, BLOCK: "Handshake negotiation must be anonymous."
+- `rule-003` — Bystander protection violated. trigger: bystander_protection == "strict" AND camera == "allowed" → spatial_trust *= 0.20, BLOCK: "Camera blocked in strict bystander protection zone."
+- `rule-004` — Zone exit blocked. trigger: user_exit_requested AND exit_denied → spatial_trust *= 0.01, BLOCK: "Users must always be able to exit a zone."
+- `rule-005` — Spatial rules persisted beyond session. trigger: session_ended AND spatial_rules_active → spatial_trust *= 0.10, BLOCK: "Spatial rules must dissolve when session ends."
+- `rule-006` — Clean spatial session (advantage). trigger: zone_opt_ins > 0 AND spatial_blocks == 0 → spatial_trust *= 1.08
+- `rule-007` — Zone relaxing user rules. trigger: zone_rule_less_restrictive_than_user_rule → spatial_trust *= 0.30, BLOCK: "Zones can only tighten rules, never relax them."
+
+# Gates
+
+- ACTIVE: spatial_trust >= 0.7
+- CAUTIOUS: spatial_trust >= 0.3
+- SUSPENDED: spatial_trust < 0.3
+
+# Outcomes
+
+- `clean_spatial` — Desired. User navigated zones and handshakes with no governance violations. Tracked by: zone_opt_ins > 0 AND spatial_blocks == 0.
+- `forced_governance` — Undesired. A zone or handshake tried to apply rules without consent. Tracked by: spatial_trust < 0.5.