Trust Fabric for the Digital Economy

Spec Revision 2.2 — Green-Field Implementation

EXOCHAIN is a verifiable, privacy-preserving substrate enabling secure identity adjudication, data sovereignty, and deterministic finality. Built in Rust with absolute determinism, constitutional governance, and post-quantum readiness.

Run bash tools/repo_truth.sh to regenerate these numbers from source.

The crate count includes exo-root, exo-catapult, exo-consensus, exo-messaging, exochain-sdk, exo-avc, and exo-economy.

• 6,024 workspace tests are listed by cargo test --workspace -- --list; CI Gate 2 runs them in debug and release modes
• Build succeeds for all library crates, binaries, tests, and benchmarks
• Clippy clean under -D warnings for all workspace targets
• Format clean under cargo +nightly fmt --all -- --check
• 22 numbered CI quality gates plus the required "All Constitutional Gates" aggregator are defined and enforced
• Traceability matrix maps 119 requirements — see governance/traceability_matrix.md
• Threat model covers 17 threats tracked: 17 implemented, 0 partial, 0 planned — see governance/threat_matrix.md
• Constitutional invariants are enforced in the tested gatekeeper and decision-forum adjudication paths
• No floating-point arithmetic — denied workspace-wide via #[deny(clippy::float_arithmetic)]
• Post-Quantum signatures — NIST FIPS 204 ML-DSA-65 (CRYSTALS-Dilithium) via ml-dsa 0.1.0-rc.7, fully wired in Signature::PostQuantum and Signature::Hybrid with deterministic signing, tamper-rejection tests, proptest roundtrip coverage, and RUSTSEC-2025-0144 patch

• Scoped 90% coverage threshold — configured in CI via cargo-tarpaulin and tarpaulin.toml; the default coverage gate explicitly excludes runtime adapters, WASM bridge bindings, and proof modules
• exo-gateway binary — operational HTTP server with 28 endpoints (REST, GraphQL, health probes); production hardening ongoing
• GraphQL API — types and schema definitions exist in exo-api; async runtime integration pending
• exo-dag benchmark — disabled; needs rewrite against current API

• Continuous governance monitoring via ExoForge — schema, API, threat model, and traceability complete (EXOCHAIN-REM-009); ExoForge scheduled trigger and React health dashboard pending

• First versioned release (see .github/workflows/release.yml for the dry-run workflow)
• CycloneDX SBOM generation and SLSA supply-chain attestation are configured in CI/release workflows; published release artifacts are not claimed until a GitHub Release exists
• Agent passport API and trust receipt endpoints on exo-node
• National AI Policy Framework compliance extensions

EXOCHAIN now ships two additional core crates:

• crates/exo-avc — AVC (Autonomous Volition Credential) is a portable, signed, machine-verifiable credential that declares what an autonomous actor is authorized to pursue before it acts. Validation is fail-closed and deterministic. Delegation strictly narrows scope. See docs/avc/README.md.
• crates/exo-economy — the custody-native settlement scaffold. Quotes, settlements, revenue-share lines, and hash-chained settlement receipts run end-to-end. The launch policy resolves every active price to zero with an explicit ZeroFeeReason, so trust is never paywalled. See docs/economy/README.md.

The two layers are independent: AVC validity does not consult pricing or settlement state, and the economy layer never gates trust on payment availability. Future governance amendments can switch nonzero pricing on by policy without modifying AVC validation.

HonorGood and Apex Velocity Catalyst Mission Economics now live in exo-economy as core provenance and settlement primitives: Missions, Contribution Receipts, Legacy Receipts, Value Contribution Nodes, Offers, Acceptances, Bailment Wrappers, Rulesets, and Mission Settlements. exo-node records these objects through /api/v1/economy/* with durable canonical-CBOR storage and EconomyRecordAnchor hash links. The Rust SDK, TypeScript SDK, and WASM bridge expose stable core economy types/routes/anchor helpers. CommandBase is the cockpit adapter; ExoForge is the factory adapter; EXOCHAIN core remains the settlement authority. Canonical docs are under docs/honorgood/HONOR_GOOD_COMPACT.md and docs/economy/AVC_MISSION_ECONOMICS_COMPACT.md. Here exo-avc remains Autonomous Volition Credential; Apex Velocity Catalyst is named explicitly.

Layer 1: CGR Kernel         (Rust, 31 crates, 366757 tracked LOC under crates/)
         Constitutional governance runtime — deterministic, no floats,
         cryptographic proofs, 6,024 listed workspace tests

Layer 2: WASM Bridge        (packages/exochain-wasm/)
         165 verified WASM exports covered by 172 bridge checks — Rust -> WebAssembly -> JavaScript

Layer 3: CommandBase.ai     (command-base/)
         Adjacent cockpit adapter for cognitiveplane.ai
         Control surfaces, GSD buttons, and governance receipts
         EXOCHAIN trust claims require a tested core API or verified adapter path
         Express/Node.js + SQLite + WebSocket

Layer 4: Decision Forum     (web/)
         Governance deliberation UI
         React/Vite — decisions, delegations, audit, constitution

Layer 5: ExoForge           (exoforge/)
         Governance triage, planning, validation, and monitoring tools
         Triage → Council-style heuristic review → Plan → Constitutional Validation

1. Identity Adjudication — Decentralized identity with cryptographic proof, not administrative fiat.
2. Data Sovereignty — Data belongs to its subject; consent is explicit, revocable, and auditable.
3. Deterministic Finality — Every operation is reproducible and verifiable; no floating-point arithmetic permitted.
4. Constitutional Governance — System behavior is governed by the constitutional specification and draft CR-001 AEGIS/SYBIL framework pending council ratification.
5. Authentic Plurality — Sybil-resistant participation ensuring one-entity-one-voice integrity.

This PR package uses upstream exochain/exochain as the substrate and adds DAG DB as a graph-governed memory runtime adapter. Runtime ownership is split across crates/exo-dag-db-api, crates/exo-dag-db-core, crates/exo-dag-db-graph, crates/exo-dag-db-domain, crates/exo-dag-db-retrieval, crates/exo-dag-db-exchange, crates/exo-dag-db-postgres, and crates/exo-dag-db-lab, with shipped docs in docs/dagdb. The upstream substrate should remain synchronized with exochain/exochain; DAG DB bridge points live in exo-api, exo-gateway, exo-node, and exochain-sdk.

The production REST runtime mounts exactly POST /api/v1/dag-db/route, POST /api/v1/dag-db/context-packet, POST /api/v1/dag-db/writeback, POST /api/v1/dag-db/import, and POST /api/v1/dag-db/export: exo-gateway defaults compile the production-db path, and exo-node defaults inherit that gateway feature set. Runtime database configuration remains explicit; missing Postgres state, tenant authority, or write signatures fail closed instead of fabricating persistence. The node MCP/SDK gateway proxy is a separate feature-gated configured-proxy evidence path, not an additional mounted REST surface.

exo-dag-db is deterministic, graph-governed cross-agent retention and recall with measured context compression. Agents draw bounded, citation-carrying context packets selected by deterministic graph policies (placement classifier, layer creation, integer-bp selection scoring) — never by agent judgment — and write provenance-preserving memories back without loading the whole repository. Narrow input-token compression probes measure roughly 95–99% reduction on the selected slice. This is what the component is delivered to do.

exo-dag-db does not yet claim to be cheaper AND better than raw context — the core thesis is measured and not met. The rigorous 12-task benchmark (HEAD a3279281, 2026-06-14, blinded judge) records governed grounding 5,958 bp, which reaches but does not exceed the 6,250 bp full-packet plateau; cost-vs-neutral 0 bp (FAIL — governed input tokens dwarf the no-memory arm); input-token savings vs raw 27.1% (FAIL vs the 80% floor); blinded verdict 0-7-5 (governed won zero head-to-heads); and governed hallucinates more than raw (1,292 bp unsupported claims vs raw 542 bp). End-to-end dollar savings are not_calculable (no provider billing receipts), and answer quality is at best a tie. The thesis proof gate returns not_accepted.

The runtime activation claim is bounded to the governed gateway REST paths, tenant-bound Postgres persistence, and configured node MCP/SDK gateway proxy evidence described in INTEGRATION.md. Operator rollout sequencing, canary rollback, and production observability are tracked in the DAG DB runtime activation runbook: docs/dagdb/runtime-activation/rollback-canary-observability.md. These runtime docs do not claim billing savings or thesis acceptance.

• governance/ — Council resolutions, sub-agent charters, traceability matrices, quality gates
• docs/ — Architecture, guides, council panel reports, proofs, reference documentation
• .github/workflows/ — CI pipeline (22 numbered quality gates plus required aggregator), release workflow, ExoForge triage

This repository is managed under strict Judicial Build Governance. All contributions must align with EXOCHAIN_Specification_v2.2.pdf. CR-001 (AEGIS/SYBIL/Authentic Plurality) is DRAFT — pending council ratification.

• Traceability Matrix — 119 requirements tracked
• Threat Model — 17 tracked: 17 implemented, 0 partial, 0 planned
• Quality Gates — 22 numbered CI gates plus required aggregator
• Sub-Agent Charters — 11 agent charters documented
• Council Resolutions — CR-001 DRAFT
• Tier-One Readiness Audit — capability model, gap analysis, exit checklist
• Refactor Plan

• Architecture
• Threat Model
• Getting Started Guide
• ExoForge Integration
• Deployment Guide
• Crate Reference
• Constitutional Proofs
• Council Panel Reports — 5-panel assessment
• Licensing Position
• Repo Truth Baseline

The demo/ directory contains a full-stack governance-conditioned execution platform:

• 7 Node.js microservices — Identity, consent, governance, decision-making, auditing, provenance, and API gateway
• React web UI — 12-column configurable drag-and-drop widget grid across 6 pages with context-sensitive AI help menus
• Rust→WASM engine — 45 exported governance functions compiled via wasm-pack
• PostgreSQL — Persistent governance state, audit trails, and provenance records

cd demo && npm install && npm run dev
# Web UI: http://localhost:5173
# API:    http://localhost:3000

See demo/README.md for full setup instructions.

ExoForge provides governance triage, planning, validation, and monitoring tools for ExoChain:

Widget AI Help → Feedback Ingestion → Triage → Council-Style Heuristic Review → Implementation Plan → Constitutional Validation

• 7 Archon commands — Triage, council-style review, Syntaxis generation, PRD generation, implementation planning, bug-fix planning, constitutional validation
• 4 DAG workflows — Self-improvement cycle, client onboarding, issue fixing, continuous governance monitoring
• 5×5 discipline matrix — 5 council panels × 5 artifact properties (Storable, Diffable, Transferable, Auditable, Contestable)
• GitHub Issues integration — Issues labeled exoforge:triage automatically enter the self-improvement cycle

See docs/guides/ARCHON-INTEGRATION.md for setup and usage.

• Rust 1.85+ (rustup update stable)
• Clang (for crypto extensions)

# Build all crates
cargo build --workspace --all-targets

# Run the workspace test gate
cargo test --workspace

# Lint (strict — no warnings allowed)
cargo clippy --workspace --all-targets -- -D warnings

# Format check
cargo +nightly fmt --all -- --check

# Dependency audit (requires cargo-deny)
cargo deny check

# Regenerate truth baseline
bash tools/repo_truth.sh

See CONTRIBUTING.md for the full judicial build workflow.

1. Safety: No PII on ledger. No admins. No floating-point arithmetic.
2. Quality: No Clippy warnings in production code. All CI quality gates must pass.
3. Process: All PRs should map to a Spec requirement. See AGENTS.md for AI-assisted development.

EXOCHAIN uses a Signature enum supporting three modes:

• Ed25519 — Current default for signing and verification
• PostQuantum — NIST FIPS 204 ML-DSA-65 (CRYSTALS-Dilithium). Production-wired.
• Hybrid — Combined Ed25519 + ML-DSA-65. Strict AND verification (no short-circuit). Closes the silent Ed25519-only downgrade (EXOCHAIN-REM-005).

Float arithmetic is denied workspace-wide via #[deny(clippy::float_arithmetic)].

Apache-2.0 — See LICENSE and docs/legal/LICENSING-POSITION.md.

EXOCHAIN Foundation — Judicial Build Governance