ARS-OMEGA
Cognitive & Kernel Governance Substrate. Hardware-rooted enforcement of cognitive-layer decisions via signed Capability Tokens.
The category
ARS-OMEGA is the first architecture in a category we call Cognitive & Kernel Governance. The category sits between cognitive-layer policy systems (rails, gateways, prompt-safety dashboards) and kernel-layer enforcement (eBPF, LSM, sandboxing). Each layer alone is partial. The unified architecture binds policy decisions to physical syscall execution via signed Capability Tokens with a short freshness window.
In our documented market scan as of 2026-05-01, this is the first public architecture we have found that unifies cognitive governance with kernel-bound enforcement and signed decision receipts. If you know of an earlier architecture with the same properties, submit it to the contestation registry.
Three planes
The architecture is organized as three planes:
| Plane | What it does | Where it runs |
|---|---|---|
| Cognitive | Multi-agent governance, environment-conditional deception detection, information-theoretic context-jump bounds, deterministic cognitive resource quotas | Application layer, in the orchestrator process |
| Enforcement | Confidential-VM enclave, decision attestation, capability-token minting, causal reconciliation, induced-necessity filtering | Hardware-rooted enclave (AMD SEV-SNP / equivalent), with a sidecar in the workload's address space |
| Kernel | eBPF programs attached at LSM and cgroup enforcement hooks verify signed Capability Tokens at the syscall boundary; fail closed on missing, expired, tampered, or replayed tokens | Linux kernel, attached to LSM and cgroup enforcement hooks at the syscall boundary. Specific hook selection details remain Tier 1+ until provisional filings are in counsel's hands. |
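As an added illustration, not the project's own code (its token format is Tier 1+), the following Python model shows the fail-closed rules the Kernel plane states above: a missing, expired, tampered or replayed Capability Token is denied, and only a full pass yields ALLOW. HMAC-SHA256 stands in for the enclave signature so it runs with the standard library only; the two-second freshness window, the token fields and the binding of one token to one syscall are assumptions.

```python
import hashlib
import hmac
import json

FRESHNESS_WINDOW_S = 2  # assumed short freshness window; the page gives no figure
ENCLAVE_KEY = b"constructed-enclave-signing-key"  # constructed; stands in for the enclave key


def _canonical(body):
    # Canonical serialization so enclave and kernel sign/verify identical bytes
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def mint_token(key, agent_id, syscall, nonce, issued_at):
    """Enclave-side minting model: bind agent, syscall, nonce and issue time, then sign."""
    body = {"agent": agent_id, "syscall": syscall, "nonce": nonce, "iat": issued_at}
    return {"body": body, "sig": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


class TokenVerifier:
    """Kernel-plane check model: every path that is not a full pass returns DENY."""

    def __init__(self, key, window_s=FRESHNESS_WINDOW_S):
        self.key = key
        self.window_s = window_s
        self.seen = set()  # consumed nonces; a token authorizes one execution only

    def decide(self, token, syscall, now):
        if token is None:
            return "DENY:missing"
        body, sig = token.get("body"), token.get("sig")
        if not isinstance(body, dict) or not isinstance(sig, str):
            return "DENY:malformed"
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):  # any edit to the body breaks the signature
            return "DENY:tampered"
        if body.get("syscall") != syscall:  # assumption: a token is bound to one syscall
            return "DENY:scope"
        iat = body.get("iat")
        if not isinstance(iat, (int, float)) or now < iat or now - iat > self.window_s:
            return "DENY:expired"
        nonce = body.get("nonce")
        if nonce in self.seen:
            return "DENY:replayed"
        self.seen.add(nonce)
        return "ALLOW"
```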
Twelve invariants
The architecture is governed by twelve invariants, four of which are kernel-binding additions sealed in Master RFC v1.2 SOVEREIGN FINAL on 2026-04-10:
- I1 — No capability without provenance
- I2 — No provenance without attestation
- I3 — No attestation without hardware root of trust
- I4 — No override without cryptographic human consent
- I5 — Rationale is untrusted until independently reconstructed
- I6 — No capability without semantic effect normalization
- I7 — No countersignature without causal reconciliation
- I8 — No trust without counterfactual attestation parity
- I9 — No syscall without a fresh enclave-signed Capability Token
- I10 — No action beyond agent's provenance entropy bound
- I11 — No override during induced noise
- I12 — No decision beyond cognitive budget — fail closed
The 9-link chain of trust
Every authorized syscall traces back to the hardware root through nine signed links. Any break in the chain is detectable by the ars-verify CLI in an independent audit. Link names only:
hardware_root
→ enclave_measurement_hash
→ kernel_module_measurement_hash
→ bpf_program_hash
→ fingerprint_canonical_form_hash
→ policy_bundle_hash
→ control_plane_build_hash
→ sidecar_attestation
→ captok_signature_per_decision
→ syscall_execution_outcome
Five capabilities
- Kernel-bound authority. "No consequential action without enforceable authority." Mechanism: capability tokens minted in the enclave, verified in the kernel.
- Decision receipts. Every consequential decision emits a signed, replayable artifact — see RDL.
- Cognitive boundary detection. The system detects when an agent knows more than it could have learned through trackable channels (information-theoretic bound) or when its behavior is conditioned on inferred environment properties (counterfactual attestation parity).
- Induced-necessity filtering. No override during manufactured emergencies — the enclave reads cryptographically chained global noise snapshots before countersigning any operator-justified override.
- Defect, waste, and improvement intelligence. Provided by the peer pillar, PEL.
The KILL-DEAL audit narrative
In April 2026, the v1.1 architecture underwent a deliberate adversarial audit cycle modeled after a hostile due-diligence review. The audit returned a KILL verdict three times. Each verdict exposed an architectural gap that v1.1 had not yet closed. In our documented market scan as of 2026-05-01, we did not find public evidence that commercial AI governance vendors publish a unified answer to these three gaps:
- Instructional Laundering ("Hive Mind"). Agents pass context through pure instruction without producing artifacts; lineage-based governance is structurally blind to this.
- Manufactured Emergency. An adversary induces a real outage, then submits a causally perfect override; causality verification cannot distinguish a genuine emergency from a manufactured one.
- The Sidecar Gap. The sidecar returns ALLOW, and the kernel executes whatever it was going to execute anyway; v1.1 enforcement was a recommendation, not an instruction.
v1.2 closed all three with hardware-rooted enforcement: a Capability Token protocol with eBPF kernel verification, a Context-Jump Detector with information-theoretic provenance bounds, an Induced Necessity Filter against manufactured emergencies, and deterministic Cognitive Resource Quotas to prevent monitor satiation. The verdict transitioned from KILL DEAL × 3 to SOVEREIGN FINAL — cleared for hostile audit.
The implementations of these four protocols are documented internally as four named inventions: ACBS, CapTok, Context-Jump Detector, and Induced Necessity Filter. Provisional filings are being prepared under counsel review. The architectural summary is available at this disclosure tier; implementation specifics are covered under mutual NDA with strategic counterparties.
Verifier-state · what runs today
| Component | Status | Public verifier state |
|---|---|---|
| Wall 1 — Attestation substrate | SOVEREIGN-ATTESTED · LIVE VERIFIER PENDING | Documented internally as running on AMD SEV-SNP confidential VM at commit a9042b3 (2026-04-13). Verifier script published in this package; live VM-A / VM-B receipt artifacts pending one Cloud Shell round-trip. |
| Wall 2 — Code state, repository | SOVEREIGN-ATTESTED · LIVE VERIFIER PENDING | Documented internally per Sovereign confirmation. Verifier script (scripts/run_ars_omega_verify.sh) ships in the sealed evidence package; live output is produced by Sovereign Cloud Shell run. |
| Workstream 4 — Three golden vectors (canonical fingerprint) | SOVEREIGN-ATTESTED · CROSS-VM PARITY PENDING | Sealed Sprint 1 Day 12 (2026-04-28). Bit-identical output across enclave, control plane, and kernel implementations is the canonicalization invariant per RFC §E.1 (C1-C5). Cross-VM parity check (scripts/cross_vm_parity_check.sh) ships; pending one Sovereign run from Cloud Shell. |
| Workstream 5 — Confidential-VM hardening | SPECIFIED | Specified in RFC v1.2 §3.9; production-grade hardening on schedule. |
| Workstream 6 — eBPF kernel-plane deployment | SPECIFIED | Specified in RFC v1.2 Build Stage 6.5; kernel module signature enrollment pending Secure Boot DB integration. |
Public verifier artifacts (re-run logs, golden vector results, 9-link chain check outputs) are produced by run_ars_omega_verify.sh on the actual VMs and published to the receipts registry as they are sealed.