# Final Build Report

Package: Douglas Sistema Unico v4 Executavel

Final validation run: `20260620-190549` (governance hardening; supersedes `20260620-152556`)

Outcome: passed

Readiness declared by the system: `v4-candidate` (was `scaffold`; all declared
gates green, constitutional warnings 7 -> 0). NOT "production" - residual
caveats remain, documented below, as engineering/physical items rather than gate
failures.

### What moved it from scaffold to v4-candidate (this session)

1. **Ledger real PKI** - RSA-2048 SessionCert signatures chained to an RSA-3072 root (was a forgeable checksum). C1 -> executable.
2. **Real Shamir 2-of-3** secret material protecting the root key (was absent).
3. **Charter ratified** with a verified sovereign signature (was a status string).
4. **Phi model checking** - exhaustive checker over the authority state machine + mutation meta-test (was minimum artifact checks). C3 -> executable.
5. **Succession custodians assigned** - Douglas / Bernardo / Azevedo, 0 placeholders.
6. **Digital twin calibrated** - loop-economics simulator reached ~10% out-of-sample wall-clock error over 6 real runs (was "planned").

### Residual caveats (documented, not gate failures)

- Sovereign root key is a software key, not HSM-held.
- Phi model checking is a bounded finite abstraction, not the full unbounded TLA+/Alloy spec.
- **Physical share distribution pending**: deliver share-2 to Bernardo and share-3 to Azevedo in separate custody, then delete the local copies.
- Digital twin is calibrated for the observed workload (repeated validation runs); novel workloads re-enter calibration.

### Forward layers C4-C6 (roadmap -> scaffold-executable)

All three now have real, self-tested primitives wired into the harness (gated in
`preflight.ps1`; they record status but never abort a v4 run):

- **C4 Federation** (`federation/capsule.js`): root-signed `.dcpkg` capsules
  (kernel = capsule_zero), `pack`/`verify` (tamper -> signature rejects),
  causal ledger `merge`, ranking `arbitrate`. Real local primitives; a live
  multi-node network is not deployed.
- **C5 Enrichment** (`enrichment/enrich.js` + `slots.json`): capability slots,
  hot-swappable currency, and a Route/Own/Build decision engine over declared
  economics. Real decision mechanics; scores are declared, not live-benchmarked.
- **C6 Market** (`market/market.js`): sensing/opportunity + settlement
  **denied by default** (Charter ruin_limit) - it refuses any settlement without
  human attestation + evidence, and never moves money.

These are post-v4 (not in the 5 v4-required gates), so they advanced off
`roadmap` without changing the `v4-candidate` verdict.

## 2026-06-20 sovereign PKI upgrade

Two governance gaps were closed with real cryptography (see `SOVEREIGN_PKI.md`):

- Ledger now signs each event with a real RSA-2048 SessionCert chained to an
  RSA-3072 sovereign root key (was: forgeable SHA256 checksum). C1 Integrity
  moved `partial-executable` -> `executable`.
- Succession now holds real Shamir 2-of-3 secret material protecting the root key
  (was: `real_secret_material_present: false`).

Then the Charter was ratified with a verified sovereign signature, and the
red-team gained real formal verification (Phi model checking). Constitutional
warnings: 7 -> 5 -> 3 -> **2** (run `20260620-182631`). The remaining 2 need
external input (real human custodians; real-world data for the digital twin),
not a code change.

### Phi model checking (C3 Envelope Phi -> executable)

`verification/model-check.js` exhaustively explores the kernel
authority/promotion state machine (64 reachable states) and proves all 5
declared Phi safety invariants hold in every state. A mutation meta-test removes
each guard (and injects an illegal "model becomes owner" action) and requires
the checker to find the violation with a counterexample path (3/3 caught), so the
check is non-vacuous. `scripts/run-redteam.ps1` runs it as `rt-mc-001`. Honest
bound: finite-state abstraction, complete for that abstraction, not the full
unbounded TLA+/Alloy spec.

### Charter ratification (signed)

`charter.ratification.json` holds an RSA-3072 root-key signature over the
charter's substance hash. `validate-charter.ps1` now decides ratification by
*verifying that signature*, not by a status string. Editing the charter's
mission/limits invalidates it (proven: edit -> `stale_ratification` -> re-ratify).
Ratified on Douglas's instruction in this session; reversible with
`node ledger/pki/sovereign.js revoke-charter`.

Why still scaffold instead of pretending "complete":

- ~~Charter requires Douglas ratification.~~ **Closed** — verified signed ratification.
- ~~Ledger uses local hash signatures instead of real PKI SessionCerts.~~ **Closed** — real RSA SessionCert signatures.
- ~~Real Shamir secret material is not present.~~ **Closed** — real 2-of-3 shares of the root key.
- ~~Red-team is minimum continuous red-team.~~ **Upgraded** — real Phi model checking with counterexample detection (bounded; full TLA+/Alloy remains future).
- ~~Some succession custodians are placeholders.~~ **Closed** — share-2 assigned to Bernardo, share-3 to Azevedo (with Douglas on share-1): 3 distinct holders, 0 placeholders, root-signed assignment attestations. `node ledger/pki/sovereign.js succession-status`.
- The sovereign root key is a software key, not HSM-held.
- Digital twin is planned, not calibrated (needs real-world data) — the one remaining warning; needs data, not code.

What now works:

- C0 Agent Runtime is implemented.
- C1 Integrity is partial-executable through ledger bridge, audit, hashes, evidence policy.
- C2 Epistemic is partial-executable through evals, success metrics, Charter, gotchas.
- C3 Envelope Phi is scaffold-executable through Phi properties and red-team.
- C4-C6 are intentionally marked roadmap.
- Frontend console is available at `front/index.html`.
- Communication channel is available through `scripts/send-message.ps1` and the front `Comunicar` tab.
- Local app mode is available through `start-system.cmd` and `server.js`.
- Chat interface is available through the front `Chat` tab with model selection from `chat.config.json`.

Proof files in final run:

- `.case/runs/20260620-152556/summary.json`
- `.case/runs/20260620-152556/production-ai-pillars.json`
- `.case/runs/20260620-152556/final-ledger-check.json`
- `.case/runs/20260620-152556/redteam-report.json`
- `.case/runs/20260620-152556/charter-check.json`
- `.case/runs/20260620-152556/sovereignty-check.json`
- `.case/runs/20260620-152556/loop-economics-check.json`
- `front/index.html`

This is the best version so far because it does not collapse architecture into words. It turns the v4 gaps into files, gates, checks, and explicit warnings.