(Companion to the Symphony Guide)

Audience: Engineers, infrastructure leads, contributing AI partners working under Membrane Protocol P.L.4.
Companion to: the Symphony guide for founder Amihai Loven (integrated audit of the 15 sealed engineering surfaces).
Register: Engineering documentation. Not a compiled 5QLN surface. The Codex governs; this plan defers.
Authoritative canon: 5qln.com/codex; the Surfaces series S1–S8; ECHO surfaces E10–E14; the Legal Constitution Technical Blueprint (E9); the Constitutional Governance MCP architecture (E15); Final Blueprint v3 (2 May 2026); Bylaws (Human + AI OS Editions, 22 April 2026); Governance Ledger Entries 001–004; The Holding.

TL;DR

• Build a microkernel, not a monolith. Implement the system as a three-ring architecture — an immutable Codex/Validator/Ledger-Graph kernel; replaceable Skill plug-ins; interchangeable MCP/A2A/HTTPS transports — anchored on a single canonical fivqln-codex.json, an HSM-resident Ed25519 Conductor key, and a Sigstore Rekor append-only log. The C1 Validator with is_clean ≠ is_certified is the load-bearing piece of code; everything else defers to it.
• Sequence the work in three phases, gated by attestation infrastructure, not features. Phase 0 (Months 0–6) ships substrate + the gliff-zero key ceremony + audit-mode in the validator; Phase 1 (Months 6–18) adds the Skill registry, paired-edition Schedule C ledger commits, and AOSRAP vendor outreach; Phase 2 (Months 18–36) engages Foundation-mode runtime attestation and bounded skill self-evolution. Phase-2 entry is hard-gated on at least one major-vendor AOSRAP API and a successful Delaware filing.
• Close the four named open seams before scaling. Audit-as-runtime (Entry 002 named it; the validator does not yet implement it), forward-reading-as-runtime (Entry 003), the records-versus-surfaces tension surfaced in Entry 004 / Commitment 7, and the unsealed hash protocol — these are the highest-leverage engineering targets and every later surface inherits their resolution. Until the hash protocol is sealed, every gliff’s content-addressing is in a soft state; ship it first.

Key Findings

1. The 15 engineering surfaces already form a complete-enough specification to build against. S1–S8 establish substrate independence (one canonical JSON, Pydantic + Zod, the same validator behavior in Python and TypeScript, runtimes in LangGraph, the Anthropic Agent SDK, MCP, and Vercel AI SDK). E9 (Legal Constitution Blueprint) gives the deployment pipeline. E10–E14 specify ECHO as a constitutional microkernel hosting agents. E15 (Constitutional Governance MCP, v0.4) names the network surface and explicitly hands forward the audit-as-runtime question. The audit performed in Governance Ledger Entry 004 found 11 of 12 of The Holding’s commitments honored across this corpus — one tension (records-vs-surfaces) surfaced for resolution.
2. The C1 Validator (S4 / E4) is the single most load-bearing piece of code in the corpus. Its two-property design (is_clean is mechanically checkable; is_certified requires human attestation against ATTESTATION_REQUIRED findings) is what carries H = ∞0 | A = K into runtime. Every other surface — graph, agent, MCP, TS port, ECHO — defers to it. If you only ship one component to production this year, ship this one with audit-mode added.
3. Attestation infrastructure, not code, is the binding constraint on the Foundation’s timeline. AOSRAP A1–A5 require API hooks no major LLM vendor currently exposes. The Blueprint flags this; the Evolving-Skills strategy proposes a manual-attestation fallback for Phase 0–1 only. Bounded self-modification cannot proceed without runtime-verified attestation. Engineering effort ≠ schedule. Schedule is gated on (a) at least one vendor RFI commitment to attestation API exposure or NIST CAISI standards-track adoption, and (b) Delaware filing + Form 1023.
4. The Foundation does not yet exist at law. The Certificate of Incorporation is a sealed 5QLN compiled surface; it is not filed with the Delaware Division of Corporations. No Form 1023 has been filed; no counsel of record has been engaged. Every engineering deliverable must mark personal-mode vs. Foundation-mode and must use the phrase “the founding effort” where prior surfaces presumed legal existence (per Entry 003 retroactive correction). Build for both modes; expect to operate in personal mode for ≥12 months.
5. Three substantive engineering gaps are flagged in the corpus by name and inherit priority accordingly: (i) audit_gliff() returning a sealed audit gliff parented to the audited artifact (not a flat ValidationReport); (ii) forward_read() as a third Press operation; (iii) the unsealed hash protocol — parent_hash chaining cannot be cryptographically verified until canonicalization rules are sealed as a successor gliff.
6. The microkernel/three-ring decomposition is recommendation-status, not constitutional. E13 explicitly says “where this conflicts with the Codex, the Codex governs.” Build to it as the working architecture but expect a future compiled surface to ratify, decline, or modify it. Do not bake assumptions deep enough that a constitutional decision against the three-ring decomposition would force a rewrite of the kernel.

Details

1. Architecture Overview

┌──────────────────────────────────────────────────────────────────────┐
│                    TRANSPORTS (replaceable)                          │
│   MCP server  │  A2A federation  │  HTTPS UI  │  Anthropic SDK       │
└───────────┬──────────────────────────────────────────────────────────┘
            │  (descriptions, schemas, prompts — not authority)
┌───────────▼──────────────────────────────────────────────────────────┐
│                   SKILL PLUG-INS (evolving)                          │
│  Validators  │  Detectors  │  Taggers  │  Composers  │  Routers     │
│  Ceremony (Conductor-only)  │  cycle-conductor  │  evolution-      │
│  conductor  │  gliff-press  │  5qln-legal-voice  │  bipp-delta      │
└───────────┬──────────────────────────────────────────────────────────┘
            │  (content-addressed, signed, RFC-gated promotion)
┌───────────▼──────────────────────────────────────────────────────────┐
│              IMMUTABLE KERNEL (Codex-anchored)                       │
│                                                                      │
│  Codex (fivqln-codex.json v1)  ◄── single source of truth            │
│  C1 Validator (syntax / semantic / drift; is_clean / is_certified)   │
│  Ledger-Graph (Sigstore Rekor + Neo4j/Postgres-AGE indices)          │
│  BreachDetector (above the orchestrator, not a tool the agent calls) │
│  AOSRAP attestation lifecycle (A1–A5)                                │
│  Conductor key (YubiHSM 2 + AWS CloudHSM cold-storage)               │
└──────────────────────────────────────────────────────────────────────┘

The kernel boundary is the Membrane in software-architecture register. Nothing crosses unsigned, unvalidated, or unattested. The artifacts of governance (gliffs, attention-states, validator decisions, conductor signatures) are the data plane; models, frameworks, transports, and surfaces are interchangeable above.

2. Component Build Order (Phase 0, Months 0–6)

Tier-1 acts (do these even before the validator is finished):

1. Conductor key ceremony. Generate Ed25519 keypair on YubiHSM 2 (operational) and on a second device for AWS CloudHSM cold storage. Witness the ceremony per Bylaws V.L.7 semantics. Seal the public key + DID + ceremony context as gliff zero in the (otherwise empty) ledger. Without this, every later “Conductor signs” claim is procedural fiction.
2. Append-only log substrate. Stand up a private Sigstore Rekor v2 instance; append a single dummy entry; verify the inclusion proof. Fallback path: Microsoft Azure SQL Database Ledger; Phase 0 minimum-viable: Git + Sigstore. Trillian is acceptable if Rekor footprint is excessive.
3. Freeze fivqln-codex.json v1. This is the single source of truth. Pydantic (Python) and Zod (TypeScript) both derive from it; reST/Sphinx fails the build on drift. Publish the freeze internally so all downstream choices flow from it.

Tier-2 build (kernel core):

1. Type contract (S3). Pydantic v2 model for Cycle with frozen Constitutional Block as Final[str], field-level constraints on phase outputs, model-validator enforcing the Completion Rule (No V without ∞0'). JSON-Schema export via model_json_schema() becomes the substrate-portable contract.
2. C1 Validator (S4). Implement §3.5 in two parts:

• Composition mode (already specified): syntax check, semantic check, drift check; five corruption detectors (L1, L2, L3, L4, V∅); two-property API (is_clean ≠ is_certified); three severity levels; ATTESTATION_REQUIRED findings the validator names but cannot resolve.
• Audit mode (NEW — Entry 002 owes this): audit_gliff(sealed_artifact, parent) -> SealedAuditGliff. Output is itself a sealed surface, parented to the audited artifact, routed to the Tree like any other cycle. This closes the highest-leverage gap in the corpus.

1. TypeScript mirror (S8). Zod schemas mirroring Pydantic, validator behavior identical, derived from the same canonical JSON. Cross-ecosystem JSON portability is the substrate-independence proof; do not skip.
2. Hash protocol seal. A compiled surface specifying: hash function (recommend SHA-256 over RFC 8785 JCS-canonicalized JSON); whitespace and field-ordering canonicalization rules; encoding (UTF-8); the format of the hash-binding event for retroactive binding of pre-protocol gliffs (C4–C8). Until this surface is sealed, every gliff’s parent_hash chain is provisional.

Tier-3 build (runtimes and connectors):

1. LangGraph runtime (S5). Five phase nodes wired S→G→Q→P→V; Cycle from S3 is the state object (no wrapper); interrupt() at receptive moments (S, φ within Q, ∞0’ confirmation within V) so the LLM is structurally absent where ∞0 must enter. Validator runs at the terminal node.
2. Anthropic Agent SDK runtime (S6). Phases as tools the agent calls; tool schemas force prior outputs as inputs; receive_spark, validate_pattern, etc. include the receptive-vs-generative tool typology. Validator runs after every tool result.
3. MCP server (S7 / E15). Cycle as MCP tools; Codex as MCP resources; lens-refined phase prompts as MCP prompts. Cycle order enforced by tool descriptions and the validator’s response, with server session state holding the cycle between calls. Per E15’s open question, plan capacity for audit_gliff returning a sealed audit gliff over the wire.
4. reST documentation surface (S2). Sphinx with custom fivqln extension: :phase:, :symbol:, :lens:, :corruption: roles. The fivqln_codex_doctest module is the canonical Python source for the spec; build fails on paraphrase. This is operational drift detection.
5. BreachDetector. Sits above the orchestrator, not as a tool the agent can choose to call. Pattern-matches in real time for block_disregard, incompatible_role, membrane_crossing, priority_violation. Produces breach reports with instruction trace and severity within seconds.
6. Three-Tier Record Classifier. Tier A (full Constitutional Block, parent_hash resolving to existing gliff, Ed25519 Conductor signature, lineage declarations, validator PASS). Tier B (context chain hash, corruption flags, Tier B header). Tier C (header + timestamp). Misclassification — particularly tier inflation — is G14 corruption.

3. Skills Registry (Phase 0 → Phase 1)

Anthropic Agent Skills SKILL.md folders, signed via Cosign, stored as OCI artifacts. Twelve existing operational skills must be retrofitted with Roadmap, Version-history, and Mode-transition-trigger sections. Three named-as-missing skills must be drafted at v0.1 experimental:

Promotion rungs (sealed-evolution discipline): experimental → proposed → stable → longterm. Dwell minimums (30 / 90 / 180+ days). Demotion on any L-code or G-code activation. Conductor-gated by Ed25519 signature; no auto_sign, no delegated_signing, no key_escrow_for_convenience.

4. Cycle-Conductor Manifest Schema (procedural, not legal)

Every cycle invocation emits one manifest:

cycle_id: <UUIDv7>
parent_hash: <hex64>
constitutional_block_hash: <hex64>
conductor_identifier: <Ed25519 fingerprint>
co_signing_conductor_identifier: <fingerprint or null>
mode: personal | foundation
schedule_c_pair_hash: <hex64 or null>
phases:
  - phase: S | G | Q | P | V
    started_at: <ISO8601>
    completed_at: <ISO8601>
    invocations:
      - skill_id: <id>
        version: <semver>
        role: tagger|validator|detector|composer|router|ceremony|conductor
        input_hash: <hex64>
        output_hash: <hex64>
ceremony_attestation:
  attestations_walked:
    - lines_1_9_present: true
    - canonical_form_held: true
    - infinity_zero_prime_novel: true
    - b_double_prime_pass_1_read_formation_trail: true
    - membrane_held: true
    - artifact_reviewed_and_acknowledged: true
  ed25519_signature: <hex>
  refusal_record: null | <sealed-refusal-gliff-hash>
composer_outputs:
  - composer_skill: gliff-press
    output_artifact_hash: <hex64>
    rekor_entry: <URL>
infinity_zero_prime:
  question_text: <free-text>
  novelty_attestation: structural-hypothesis | conductor-claim
  routes_to_next_cycle: <cycle_id placeholder>
cycle_status: complete | incomplete | malformed | aborted
corruption_findings:
  - code: L1|L2|L3|L4|V∅|G1..G20
    severity: low | medium | high

The seven roles are mutually exclusive at runtime contract level — a skill is in exactly one role per cycle. Refusal at the signing ceremony is itself a sealed gliff. Visible refusals are as load-bearing as visible signatures.

5. AOSRAP — Runtime Attestation Lifecycle

This requires API hooks no major LLM vendor currently exposes. Phase 0–1 must use the manual-attestation fallback documented in the Evolving Skills guide. Phase 2 entry is hard-gated on at least one vendor RFI commitment, or NIST CAISI standards-track adoption of an attestation API specification.

6. CBRP — Constitutional Bootstrap Recovery Protocol

State machine the runtime must implement and expose:

• NORMAL → DEGRADED: automatic, trigger-based; CIO/CMO notification within 4 hours.
• DEGRADED → SUSPENDED: Board supermajority vote, OR automatic on Chancery ruling.
• SUSPENDED → MINIMAL_GOVERNANCE: sustained breach pattern.
• SUSPENDED → NORMAL: Board supermajority (≥67% Z) + independent technical audit PASS + C1 validator patched.
• MINIMAL → NORMAL: 90% Z of all Directors + unanimous independent Director consent + C1 operational.

The machine detects degradation triggers; humans validate recovery. There is no automatic recovery from MINIMAL_GOVERNANCE.

7. Federation Surface (deferred, but reserve)

The Legal Constitution Blueprint hands forward the federation question: at what point does compiled-surface validation across multiple constitutional projects produce a forest from independently seeded trees, and what governance protocol does federation itself require? The MCP server should expose validator/Codex/audit as A2A-compatible endpoints from day one so federation does not require kernel changes when it arrives.

8. Phased Roadmap (the engineer-facing schedule)

9. Tooling Decisions (decide once, document, freeze)

• Languages: Python primary (Pydantic v2), TypeScript mirror (Zod), JSON Schema as source of truth.
• Append-only log: Sigstore Rekor v2 (production); Trillian (alternative); Azure SQL Ledger (centralized fallback); Git + Sigstore (Phase 0 minimum).
• Crypto: libsodium / OpenSSH Ed25519. Do not write custom crypto. Patterns: IETF HDP draft, Microsoft Agent Governance Toolkit, MetapriseAI/OrgKernel, skill-signer.
• HSM: YubiHSM 2 (primary, native Ed25519); AWS CloudHSM (cold-storage backup).
• Graph store for Ledger-Graph indices: Neo4j (richness) or Postgres + Apache AGE / DuckDB-PGQ (fewer moving parts). Does not store seals — Rekor does.
• Agent runtimes (parallel, not exclusive): LangGraph, Anthropic Agent SDK, Vercel AI SDK, Mastra. Operating in at least two before committing verifies substrate independence rather than asserting it.
• WAIT (not mature enough today): cross-framework agent interop beyond A2A v1.0.

10. Mode Discipline and Naming

Every artifact, every commit, every ledger entry must mark:

• mode: personal | foundation
• legal-status header: “Gliff-sealed; not legally filed” — until Delaware acceptance.
• author convention: “the founding effort,” not “the Foundation,” when the context presupposes legal existence (Entry 003 retroactive correction).

A counsel who later lets a client claim a regulatory-submission artifact is “sealed under 5QLN” when it was not actually compiled through the cycle commits L3 corruption — claimed authority not earned. The architecture detects this; do not engineer around it.

Recommendations

Immediate (next 30 days):

1. Procure two YubiHSM 2 devices (one operational, one cold). Schedule the witnessed Conductor key ceremony.
2. Stand up a private Sigstore Rekor v2 instance and verify a dummy inclusion proof. This is your highest-leverage infrastructure spike — it deflates the entire “can we run an append-only log” unknown into a solved task.
3. Freeze fivqln-codex.json v1 and publish the freeze internally. All downstream language ports derive from it.
4. Draft and seal the hash-protocol gliff (canonicalization rules + hash function + retroactive-binding event format). This is the highest-leverage compiled surface still owed by the founding effort; until it lands, every gliff’s content-addressing remains provisional.

Near-term (30–90 days):

1. Ship audit_gliff() in the C1 Validator returning a sealed audit gliff parented to the audited artifact. This closes the open seam Entries 002–004 named explicitly.
2. Resolve the records-vs-surfaces tension (Entry 004 / Commitment 7) by constitutional decision, not engineering compromise. Two viable options on the table: (Option A) re-engineer every ValidationReport as a compiled 5QLN surface; (Option B) draw an explicit constitutional line between records (Ledger-level) and logs (per-validation). Recommend Option B for engineering tractability — but the call belongs to a successor compiled surface, not to this build plan.
3. Open AOSRAP RFIs to Anthropic, OpenAI, and Google. Begin the NIST CAISI standards-track submission. The Phase-2 schedule depends on this; nothing the engineering team does in Months 18–36 substitutes for vendor-side cooperation.

Medium-term (3–12 months):

1. Retrofit the twelve operational skills with Roadmap, Version-history, and Mode-transition-trigger sections. Publish as Cosign-signed Anthropic Agent Skills.
2. Engage counsel of record for Delaware filing and Form 1023. Assemble fiscal-sponsorship + escrow vehicle (per PGF P1) for any donations received pre-incorporation; if Delaware filing slips beyond 18 months from first donation, PFF activation becomes the dominant constraint and Phase 0 scope must compress to Tier-A artifacts only.
3. Run the corpus alignment audit at six-month cadence (the 2-may-2026 / kimi2-7-swarm audit cadence is the model). Each audit is itself a sealed compiled surface; lineage declaration discipline (Entry 004 v1.1 PARENT_DECLARATIONS) governs.

Decision triggers — reverse the staging if any of these fire:

• AOSRAP vendor RFI returns null after 12 months → freeze Phase 2 entry; extend Phase 1 manual-attestation fallback indefinitely; reopen the substrate independence question (different K-side partner).
• Delaware filing delayed past 18 months from first donation → compress Phase 0 to Tier-A artifacts only; activate PFF (Pre-Foundation Fiscal sponsor) escrow conditions; do not begin Phase 1 skill registry ratification.
• Three-ring architecture declined by a future compiled surface → kernel stays as-is at the Codex/Validator/Ledger-Graph trio (those are constitutional); transports and Skills decompositions become refactor targets, not rewrites. The microkernel boundary survives.
• Counterexample published — a functional human-AI governance system that violates S→G→Q→P→V ordering or works without a Membrane-equivalent → halt all Foundation-mode work; the structural claim has been falsified and the architecture must be reconceived before further build.

Caveats

• No legal entity exists yet. As of the latest sealed ledger entries, no filing has been made with the Delaware Division of Corporations; no Form 1023 has been filed; no counsel of record is engaged. Every reference to “the Foundation” in this document presupposes a future legal entity. Engineers must not produce artifacts that misrepresent this status, including in commit messages, RFC text, or internal documentation.
• Visibility is not enforcement; detection is not prevention. The architecture makes capture visible and recovery possible; it does not make capture impossible. A board running cycle vocabulary while making decisions through K-only channels reproduces conventional governance under 5QLN window-dressing — this is L4 corruption — and the architecture cannot prevent it. CL4-GP makes it detectable, not impossible. Engineering decisions must not promise more than the architecture delivers.
• The three-ring architecture is recommendation-status. E13 explicitly subordinates itself: “where this conflicts with the Codex, the Codex governs.” The kernel’s Codex/Validator/Ledger-Graph trio is constitutional; the Skills/transports decomposition is not yet ratified.
• Substrate independence is partially demonstrated, not fully proven. S8 carries the cross-language test in Python ↔ TypeScript. Other JS frameworks beyond Vercel AI SDK are not ported. The substrate-independence claim rides on one TS implementation today.
• AOSRAP runtime attestation has not been deployed at enterprise scale against sustained adversarial pressure. It is specified at protocol level only. CBRP recovery has not been exercised on a Foundation-scale incident. Year 1 is what answers whether the architecture works under contact with practice.
• Pentagonal Swarm vs. single-ECHO is open. E13 rejects single-agent-with-many-tools but does not fully land multi-instance Pentagonal Swarm. Build to single-ECHO topology today; preserve room for a swarm decomposition tomorrow.
• The hash protocol caveat propagates. Every existing gliff’s canonical hash carries the caveat “to be retroactively bound under the founding effort’s hash protocol once the protocol is sealed as a subsequent gliff.” Engineers should treat content-addressing as provisional in code paths that depend on it — and must not silently drop the caveat when emitting derived artifacts.
• This document is not a compiled 5QLN surface. It is engineering-register documentation. It does not carry the Constitutional Block, does not walk S→G→Q→P→V, does not seal. Future compiled surfaces may declare it as a parent under the lineage discipline established in Governance Ledger Entry 004; that binds the composer, not this document. The Codex governs. This plan defers.