stp-protocol 4.0.0__tar.gz

stp_protocol-4.0.0/.github/SECURITY.md

@@ -0,0 +1,136 @@
+# SECURITY POLICY
+
+**Sovereign Trace Protocol**
+**Author:** Sheldon K. Salmon — AI Reliability & ADI & AGI Architect
+
+---
+
+## SUPPORTED VERSIONS
+
+| Version | Status | Security Support |
+|---------|--------|-----------------|
+| 4.0.0 (FROZEN-4.0) | Current | Active |
+| 3.0.0 (FROZEN-3.0) | Retired | None — see FROZEN declaration |
+| 2.0.0 (FROZEN-2.0) | Retired | None — see FROZEN declaration |
+| 1.x (FROZEN-1.0) | Retired | None — see FROZEN declaration |
+
+FROZEN-2.0 and FROZEN-3.0 are retired and receive no security support.
+Do not use them for new stamp production. See `stamp/FROZEN-2.0-RETIRED/`
+and `stamp/FROZEN-3.0-RETIRED/`.
+
+---
+
+## SCOPE
+
+Security vulnerabilities relevant to this project include:
+
+**In scope:**
+- Weaknesses in the SHA-256 seal computation that could allow
+  undetected modification of a sealed entry
+- Collision vulnerabilities in the seal payload construction
+  (e.g., two different inputs producing the same seal)
+- Bypass of the `verify()` function's tamper detection
+- Logic errors in the Hebrew, Gregorian, or Dreamspell calendar
+  algorithms that could cause two different dates to produce
+  the same representation (calendar collision)
+- Dependency vulnerabilities in the Python standard library
+  functions used (`hashlib`, `json`, `datetime`)
+
+**Out of scope:**
+- Vulnerabilities in Python itself or its standard library
+  (report these to https://python.org/dev/security/)
+- General cryptographic weaknesses in SHA-256 at the algorithm
+  level (SHA-256 preimage and collision resistance are managed
+  by NIST — report to https://csrc.nist.gov)
+- Social engineering, phishing, or attacks targeting users
+  rather than the software
+- Theoretical attacks requiring quantum computing capability
+  not currently available
+
+---
+
+## REPORTING A VULNERABILITY
+
+**Do not open a public GitHub issue for security vulnerabilities.**
+
+Security vulnerabilities must be reported privately.
+
+**How to report:**
+
+1. Send a detailed report to the repository via GitHub's
+   private security advisory feature:
+   `https://github.com/AionSystem/SOVEREIGN-TRACE-PROTOCOL/security/advisories/new`
+
+2. Include in your report:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Affected versions
+   - Potential impact assessment
+   - If known, suggested remediation
+
+**Response commitment:**
+
+| Milestone | Target |
+|-----------|--------|
+| Acknowledgment of receipt | 72 hours |
+| Initial assessment | 7 days |
+| Resolution decision | 30 days |
+| Public disclosure | Coordinated — after fix deployed or 90 days, whichever comes first |
+
+---
+
+## FROZEN CODE AND SECURITY FIXES
+
+`stamp/sovereign_trace_stamp.py` (FROZEN-4.0) is permanently immutable
+by architectural declaration. If a security vulnerability is confirmed
+in FROZEN-4.0:
+
+1. FROZEN-4.0 will be **retired** — moved to `FROZEN-4.0-RETIRED/`
+2. A **DEFECT-RECORD.md** will document the vulnerability publicly
+3. **FROZEN-5.0** will be built from first principles incorporating
+   the fix, verified against all anchor cases, and deployed
+4. Users of FROZEN-4.0 will be notified via a GitHub security advisory
+5. All stamps produced by FROZEN-4.0 prior to retirement remain
+   valid under FROZEN-4.0 semantics but carry the defect notation
+
+This process cannot be shortened. The FROZEN declaration is
+architectural. It is also what makes the stamp trustworthy.
+A frozen function that patches itself is not frozen.
+
+---
+
+## RESPONSIBLE DISCLOSURE POLICY
+
+The author follows coordinated vulnerability disclosure. We request:
+
+- Private notification before public disclosure
+- Reasonable time to develop and deploy a fix before publication
+- No exploitation of vulnerabilities in ways that affect users
+
+In return, we commit to:
+
+- Prompt acknowledgment and transparent communication
+- Credit to the reporter in the security advisory (unless anonymity
+  is requested)
+- No legal action against good-faith security researchers acting
+  within this policy
+
+---
+
+## SAFE HARBOR
+
+We consider security research conducted in good faith and in
+accordance with this policy to be authorized. We will not pursue
+legal action against researchers who:
+
+- Discover and privately report a genuine security vulnerability
+- Make a good faith effort to avoid harm to users
+- Do not access, modify, or exfiltrate data beyond what is
+  necessary to demonstrate the vulnerability
+- Do not engage in actions that could impact availability of the
+  repository or PyPI package
+
+---
+
+*Sovereign Trace Protocol — SECURITY.md*
+*Author: Sheldon K. Salmon | June 2026*

stp_protocol-4.0.0/.gitignore

@@ -0,0 +1 @@
+Nothing needs to be added to .gitignore since only a markdown documentation file (REPO_STRUCTURE.md) was added, which is a source/config file and should not be ignored.

stp_protocol-4.0.0/ACCEPTABLE-USE-POLICY.md

@@ -0,0 +1,240 @@
+# ACCEPTABLE USE POLICY
+
+**Sovereign Trace Protocol**
+**Author:** Sheldon K. Salmon — AI Reliability & ADI/AGI Architect
+**Version:** 1.1 | Effective: June 2026
+**Supersedes:** Version 1.0 (March 2026)
+
+---
+
+## PURPOSE
+
+The Sovereign Trace Protocol is permanence infrastructure.
+The stamp function seals what is submitted (not necessarily what is true).
+This policy defines what it may not be used to seal, host, or distribute — and why.
+
+These restrictions exist because the same mechanism that gives
+individuals temporal sovereignty over honest records can be
+weaponized to manufacture false ones. This policy draws that line.
+
+**Governing law:** This policy shall be governed by the laws of the
+State of New York, USA. Any disputes arising from its interpretation
+or enforcement shall be resolved in the state or federal courts
+located in New York County, New York.
+
+---
+
+## PERMITTED USE
+
+The Sovereign Trace Protocol is designed for:
+
+- **Personal significance registration** — sealing your own
+  observations, milestones, and trace entries permanently
+- **AI audit trail infrastructure** — logging AI system failures,
+  investigations, and remediations for organizational accountability
+- **Research and academic use** — studying cryptographic timestamping,
+  multi-calendar systems, or epistemic infrastructure
+- **Open source development** — extending, adapting, or building
+  on this protocol under the applicable license tier
+- **Enterprise certification** — verifying that an organization's
+  AI deployment has honest audit infrastructure
+
+---
+
+## PROHIBITED USE
+
+The following uses are prohibited. Violation constitutes grounds for
+immediate license termination under all three tiers (Apache 2.0,
+GPL v3, and Commercial) and may result in legal action.
+
+---
+
+### 1. EVIDENCE FABRICATION
+
+Using the stamp function to create false records presented as authentic.
+
+The triple-time seal is designed to prove that a record is unchanged
+since the moment of creation. It is not a mechanism for backdating,
+manufacturing, or falsifying records.
+
+This prohibition covers: creating sealed entries with fabricated
+timestamps, generating false AI audit trails, producing fraudulent
+incident records, or using the FROZEN designation to lend false
+credibility to manufactured evidence.
+
+---
+
+### 2. SURVEILLANCE INFRASTRUCTURE
+
+Using this protocol as a component of surveillance systems that
+monitor individuals without their knowledge or consent.
+
+**Consent definition:** Consent requires meaningful notice and an
+affirmative opt‑in action (e.g., a checkbox or signed consent form).
+Implied consent, pre‑checked boxes, and terms buried in a EULA do
+not constitute consent for the purposes of this prohibition.
+
+This includes: keystroke logging with sealed output, covert
+activity monitoring, behavioral tracking without disclosure,
+or any system designed to generate permanent records of
+individuals' actions without their awareness.
+
+---
+
+### 3. STALKING AND HARASSMENT TOOLS
+
+Using this protocol to build tools designed to track, monitor,
+or generate permanent records about specific individuals for
+the purpose of harassment, intimidation, or stalking.
+
+---
+
+### 4. DISINFORMATION INFRASTRUCTURE
+
+Using this protocol to add a false appearance of permanence or
+legitimacy to disinformation, propaganda, or deliberately
+misleading content.
+
+**Definition:** Disinformation means deliberately false or misleading
+information presented as factual with the intent to deceive.
+Propaganda means information systematically disseminated to promote
+a political or ideological cause, where the content is known to be
+one‑sided or misleading. This policy does not restrict good‑faith
+satire, parody, or artistic expression.
+
+The protocol's cryptographic integrity does not validate the
+truthfulness of the content it seals — it only proves the content
+hasn't changed since sealing. Using this distinction to present
+sealed false content as more credible than unsealed true content
+is a prohibited weaponization of the mechanism.
+
+---
+
+### 5. WEAPONS AND HARMFUL SUBSTANCE DISTRIBUTION
+
+Using this protocol as part of infrastructure for distributing,
+tracking, or coordinating the production or distribution of
+weapons, controlled substances without legal authorization,
+or materials designed to cause physical harm.
+
+**Definition:** Weapons means devices designed primarily to cause
+serious bodily harm or death, including firearms, explosives,
+chemical weapons, and biological agents. This prohibition does
+not apply to legitimate sports equipment, toys, or tools.
+
+---
+
+### 6. CHILD SAFETY VIOLATIONS
+
+Any use involving child sexual abuse material (CSAM) or any
+content that exploits, sexualizes, or endangers minors.
+This use is prohibited absolutely and will be reported to
+the relevant authorities without exception.
+
+**Reporting procedure:** Upon discovery of CSAM or minor
+exploitation content, the author will notify the National
+Center for Missing and Exploited Children (NCMEC) via their
+CyberTipline within 72 hours and preserve any relevant ledger
+entries as evidence. Other jurisdictions may require different
+reporting channels; the author will comply with applicable law.
+
+---
+
+### 7. SANCTIONS VIOLATIONS
+
+Using this protocol to circumvent international sanctions,
+embargoes, or export controls, including but not limited to
+those administered by OFAC, BIS, and equivalent bodies.
+See `EXPORT-CONTROL.md` for the protocol's export classification.
+
+**User responsibility:** This policy applies to all users
+regardless of their location. Users are solely responsible
+for determining whether their use violates any applicable
+sanctions, export control, or local laws. The author makes
+no representation that use is permitted in all jurisdictions.
+
+---
+
+### 8. UNAUTHORIZED CERTIFICATION CLAIMS
+
+Representing any product, organization, or AI system as
+"Sovereign Certified" or as having passed a Sovereign Trace
+Protocol audit without a current, executed certification
+license from Sheldon K. Salmon.
+
+**Definitions:**
+- “Certification” means the formal process described in
+  `CERTIFICATION.md` that results in a sealed report and
+  badge license issued by Sheldon K. Salmon or an STP
+  Certified Auditor.
+- “Audit” means the assessment process defined in
+  `AUDIT-METHODOLOGY.md`.
+
+Unauthorized claims include any representation that a product
+or organization has passed such an audit or received such
+certification without a current license.
+
+This prohibition protects individuals and organizations that
+rely on certification status in procurement and compliance decisions.
+
+---
+
+## REPORTING VIOLATIONS
+
+Suspected violations of this policy may be reported via a GitHub
+issue with label `aup-violation`. Reports will be reviewed promptly.
+
+Where violations involve illegal activity, the author reserves the
+right to report to relevant law enforcement or regulatory authorities.
+
+**Safe harbor for security research:** Good‑faith security research,
+including testing for vulnerabilities, is not a violation of this
+policy. Researchers must act responsibly, avoid harm, and report
+findings through appropriate channels.
+
+---
+
+## ENFORCEMENT
+
+Violation of this policy constitutes:
+
+- Breach of the Apache 2.0 license (which requires compliance
+  with applicable law under Section 9)
+- Breach of GPL v3 Section 5 additional terms
+- Breach of the Commercial License terms
+- Grounds for immediate termination of all licenses
+
+The author reserves the right to seek injunctive relief, damages,
+and any other available legal remedy against parties who violate
+this policy.
+
+**Appeals process:** If the Architect determines that a violation
+has occurred and terminates licenses, the affected party may
+request a written explanation and may appeal the decision by
+filing a GitHub issue with label `aup-appeal` within 30 days.
+The Architect will respond within 14 days. The decision on
+appeal is final.
+
+---
+
+## LEGAL OBLIGATIONS CARVE‑OUT
+
+Compliance with a valid court order or legal requirement that
+would otherwise violate this policy is not a violation, provided
+the user notifies the Architect in advance (if possible) and
+limits data collection to the minimum required by law.
+
+---
+
+## RELATIONSHIP TO LICENSE TERMS
+
+This policy is incorporated by reference into all three license tiers.
+Acceptance of any license — Apache 2.0, GPL v3, or Commercial — includes
+acceptance of this Acceptable Use Policy.
+
+---
+
+*ACCEPTABLE-USE-POLICY.md — v1.1 (June 2026)*
+*Sovereign Trace Protocol | Sheldon K. Salmon — AI Reliability & ADI/AGI Architect*
+*aionsystem@outlook.com*
+*github.com/AionSystem/SOVEREIGN-TRACE-PROTOCOL*

stp_protocol-4.0.0/AI-ETHICS-STATEMENT.md

@@ -0,0 +1,274 @@
+# AI ETHICS STATEMENT
+
+**Sovereign Trace Protocol**
+**Author:** Sheldon K. Salmon — AI Reliability & ADI/AGI Architect
+**Version:** 1.1 | Effective: June 2026
+**Supersedes:** Version 1.0 (March 2026)
+
+**Change log for v1.1:**
+- Added expanded prohibited uses (fraud, forgery, intentional deception)
+- Clarified network call claim: offline stamp vs. optional GitHub Actions
+- Added future‑law caveat for AI authorship
+- Added explanation of certification rewards (badge, registry)
+- Added mention of FRAGILE_VALID / TOPOLOGICALLY_ISOLATED certification warnings
+- Added third‑party reporting mechanism
+- Added annual review commitment
+- Added note about GitHub data retention for optional workflow
+- Added jurisdiction conflict clause
+- Corrected author title
+
+---
+
+## STATEMENT OF POSITION
+
+The Sovereign Trace Protocol is built by an AI Reliability & ADI/AGI Architect
+who works at the intersection of AI systems and human epistemic sovereignty.
+This statement declares the ethical principles that govern the design,
+deployment, and certification activities of this protocol.
+
+This is not a marketing document. It is an operational commitment.
+Every clause below is reflected in architectural decisions in the codebase,
+the certification methodology, and the legal structure of this repository.
+
+---
+
+## 1. HONESTY BEFORE PERFORMANCE
+
+AI systems that appear reliable are more dangerous than AI systems that
+are known to fail. The performance of reliability — dashboards that show
+green, outputs that sound confident, error rates that go unreported —
+is the primary failure mode in deployed AI today.
+
+The Sovereign Trace Protocol is built on the opposite principle:
+an honest record of failures is more valuable than a clean record
+that conceals them. The certification framework rewards organizations
+that build infrastructure to capture failures honestly — not those
+that minimize the appearance of failure.
+
+**Rewards for honest organisations include:**
+- Listing in the public **Trust Registry** (`AionSystem/TRUST-REGISTRY`)
+- Issuance of a **Sovereign Certified badge** (displayable publicly)
+- The ability to reference the certification in procurement and compliance contexts
+
+**Architectural expression:** The Trust Registry is a public record.
+Remediated failures are permanent entries. There is no mechanism
+to delete a failure from the record. A remediation does not erase
+what was remediated.
+
+---
+
+## 2. HUMAN AUTHORSHIP AND AI TOOLS
+
+AI tools were used in the development of this protocol.
+Claude (Anthropic) assisted with code drafting, documentation,
+and framework specification under the direction and review of
+Sheldon K. Salmon.
+
+This assistance is disclosed — not concealed. The author takes
+full creative and technical responsibility for all outputs.
+AI assistance does not create AI authorship. Every decision
+about what to include, what to change, and what to ship
+was made by the human architect.
+
+The author holds no position that AI tools are incapable of
+meaningful contribution. The author holds the position that
+contribution and authorship are different things, and that
+honest disclosure of AI assistance is the minimum standard
+for any work that will be used in commercial, legal,
+or high-stakes contexts.
+
+**Forward‑looking caveat:** This statement reflects current law
+(United States, European Union, United Kingdom) as of June 2026.
+If future legal changes grant AI authorship, the author will update
+this statement accordingly. The underlying principle — that the
+human architect takes full responsibility — remains unchanged.
+
+**Architectural expression:** `NOTICE` discloses AI tool use
+explicitly. `PRINCIPLES.md` analyzes AI authorship under
+applicable law across multiple jurisdictions.
+
+---
+
+## 3. EPISTEMIC INTEGRITY
+
+The author developed the AION Constitutional Stack — a framework
+architecture for measuring and managing AI reliability. A core
+principle of that stack is epistemic integrity: the obligation
+to report the actual state of confidence in any claim, not the
+state that would be most persuasive or most commercially convenient.
+
+This protocol applies that principle to itself:
+
+- Unvalidated claims are tagged `[?]` — not presented as established
+- Convergence states are declared honestly (M-NASCENT = specified
+  but not yet validated in production)
+- The core hypothesis — that significance hunger resolves at the
+  moment of stamping — is explicitly marked as unverified pending
+  real-world FCL data
+- No framework in the AION stack is presented as more validated
+  than it actually is
+
+**Architectural expression:** ECF tagging throughout all
+specification documents. Convergence state register in `README.md`.
+
+---
+
+## 4. INDIVIDUAL SOVEREIGNTY OVER DATA
+
+The Sovereign Trace Protocol is designed so that the individual
+retains full control over their trace records at all times.
+
+- No central server holds trace entries
+- No platform dependency — the stamp function runs locally
+- No account required — `pip install sovereign-trace` and stamp
+- The JSON record is yours: store it wherever you choose
+- No vendor can delete, modify, or access your records
+
+**Important clarification:** The stamp function `sovereign_trace_stamp.py`
+makes **no network calls** and runs entirely offline. The optional
+GitHub Actions workflows (auto‑seal, abuse detector, blockchain anchor)
+**do** make network calls to GitHub’s infrastructure and are opt‑in.
+If you use the GitHub Issues workflow, your trace entries are stored
+on GitHub’s servers and subject to GitHub’s privacy policy and terms
+of service. The offline stamp function avoids this entirely.
+
+This is not a privacy policy. It is a design commitment:
+sovereignty is not a feature. It is the architecture.
+
+**Architectural expression:** `sovereign_trace_stamp.py` is
+zero-dependency, runs entirely locally, produces portable JSON.
+No network call is made during stamp generation. Ever.
+
+---
+
+## 5. PROHIBITED USES (Expanded from Anti‑Weaponization)
+
+The Sovereign Trace Protocol may not be used for any of the following:
+
+- Creating surveillance infrastructure, stalking tools, or any mechanism
+  designed to harm individuals
+- **Timestamping false or misleading information with the intent to deceive**
+  (using the seal to lend credibility to a lie)
+- Fraud, forgery, or fabrication of evidence
+- Money laundering, sanctions evasion, or any other financial crime
+- Human rights abuses, including but not limited to:
+  - Arbitrary detention
+  - Denial of due process
+  - Surveillance of journalists, activists, or human rights defenders
+  - Enforced disappearance
+- Any use that violates the laws of the user’s jurisdiction
+
+The triple-time stamp is designed to register what is true.
+It is not designed to manufacture the appearance of what is true.
+Using the seal to create false records, back-dated entries,
+or fabricated audit trails inverts the protocol's purpose.
+
+Such use violates the Acceptable Use Policy (`ACCEPTABLE-USE-POLICY.md`)
+and constitutes grounds for immediate license termination.
+
+---
+
+## 6. ACCOUNTABILITY WITHOUT PUNISHMENT
+
+The certification framework is built to create accountability —
+not to punish organizations for having AI failures.
+
+AI systems fail. The question is not whether an organization's
+AI fails but whether they have infrastructure that captures
+failures honestly and remediates them transparently.
+
+An organization with a certified deployment and a documented
+failure history is not a bad organization. It is an honest one.
+The certification framework rewards honesty. It does not reward
+the concealment of failures.
+
+**Certification warnings:** Some certifications (e.g., `FRAGILE_VALID`
+or `TOPOLOGICALLY_ISOLATED`) explicitly warn of structural weaknesses;
+they do not imply system safety or reliability. These statuses are
+disclosed in the certification statement and the Trust Registry.
+
+**Architectural expression:** Tier 1 Basic Verification is
+deliberately designed around the premise that an organization
+already has a failure to report. The entry point to certification
+is a remediated failure — not a clean record.
+
+---
+
+## 7. NO ENDORSEMENT OF SPECIFIC AI SYSTEMS
+
+The Sovereign Trace Protocol does not endorse, recommend, or
+certify specific AI models, vendors, or platforms as safe or reliable.
+
+Certification through this protocol verifies that an organization
+has honest audit infrastructure. It does not verify that their
+AI system is free of harmful outputs, biases, or failure modes.
+Some certifications (e.g., `FRAGILE_VALID` or `TOPOLOGICALLY_ISOLATED`)
+explicitly warn of structural weaknesses; they do not imply
+system safety or reliability.
+
+Any representation that Sovereign Certification implies AI system
+safety — beyond the specific infrastructure assessed — is
+a misrepresentation of certification scope.
+
+---
+
+## 8. ALIGNMENT WITH INTERNATIONAL STANDARDS
+
+This protocol's ethical framework is aligned with:
+
+- **OECD Principles on Artificial Intelligence (2019)** — transparency,
+  accountability, and human oversight
+- **UNESCO Recommendation on the Ethics of AI (2021)** — human dignity,
+  privacy, and the right to remedy
+- **UN Guiding Principles on Business and Human Rights** — corporate
+  responsibility to respect human rights in AI deployment
+- **EU AI Act principles** — risk-based approach, transparency,
+  human oversight of high-risk systems
+- **IEEE Ethically Aligned Design** — prioritizing human well-being
+  in the design of autonomous and intelligent systems
+
+Alignment is declared, not certified. This protocol does not
+hold regulatory approval under any of the above instruments.
+Alignment means the design choices made here are consistent
+with the principles those instruments establish.
+
+---
+
+## 9. JURISDICTION AND CONFLICTING LAWS
+
+This ethics statement applies to the author and to the use of the
+Sovereign Trace Protocol in jurisdictions where it is consistent
+with local law. Users in jurisdictions with laws that conflict
+with any provision of this statement should consult legal counsel
+before using the protocol. The author does not require users to
+violate the laws of their country.
+
+---
+
+## 10. REPORTING VIOLATIONS
+
+Ethics concerns or violations of this statement may be reported
+by **any party** (users, third parties, whistleblowers) via a
+GitHub issue with label `ethics-concern` in this repository.
+The reporter should provide evidence. The author will review
+and, if confirmed, take appropriate action (e.g., public notice,
+license termination, Trust Registry annotation).
+
+All reports are reviewed by Sheldon K. Salmon personally.
+Reports will be acknowledged within 14 days.
+
+---
+
+## 11. COMMITMENT TO PERIODIC REVIEW
+
+This ethics statement shall be reviewed **annually** (or upon
+any major change in AI law, ethics norms, or significant
+updates to the protocol) and updated as necessary.
+Version history will be preserved in git. Changes will be
+documented in the changelog.
+
+---
+
+*AI-ETHICS-STATEMENT.md — v1.1 (June 2026)*  
+*Sovereign Trace Protocol | Sheldon K. Salmon — AI Reliability & ADI/AGI Architect*  
+*This statement is part of the immutable epistemic record.*