DEV Community: Issac Daniel Davis

504-Bit State Space: How Three Invisible Bands Catch Forged AI Credentials

Issac Daniel Davis — Mon, 30 Mar 2026 05:04:15 +0000

The Problem: Visible Signals Can Be Faked

Most AI governance systems make decisions based on observable features -- what the input looks like, what tokens it contains, what patterns match. An attacker who studies those features can craft inputs that look perfectly safe on every measurable axis.

We asked: what if the system had channels the attacker literally cannot see?

Three Spectral Bands

We extended our 6-dimension governance system with three spectral bands per dimension:

Band	What It Measures	Who Can See It
Infrared	Slow state: trust history, session depth, centroid drift	Only the system
Visible	Current tongue activations: intent, transport, policy, compute, security, structure	System AND attacker
Ultraviolet	Fast state: spike detection, null-space anomaly, spin energy, cost harmonics	Only the system

The attacker can observe and game the visible band. They cannot observe IR (accumulated session state) or UV (emergent fast patterns) because those exist only inside the system's internal state.

The Math

Each of the 6 governance dimensions (we call them Sacred Tongues -- Kor'aelin, Avali, Runethic, Cassisivadan, Umbroth, and Draumric) gets a color triplet:

Tongue = (IR_value, Visible_value, UV_value)

Plus 15 cross-tongue bridges (every pair of 6 dimensions), each carrying 3 bands:

Total channels = 6 tongues Ã— 3 bands + 15 bridges Ã— 3 bands = 63
Bits per channel = 8 (256 distinguishable levels)
Total state space = 2^504 â‰ˆ 10^151

For reference, the estimated number of atoms in the observable universe is 10^80. Our state space is 10^71 times larger.

The Forgery Test

We ran 5 attacks where the attacker perfectly matches all 6 visible-band values. Every visible signal looks identical to the real state.

Results:

Attack	Visible Matched	IR Matched	UV Matched	Full Match	Detected?
1	6/6	2/6	1/6	0/6	Yes
2	6/6	2/6	1/6	1/6	Yes
3	6/6	2/6	0/6	0/6	Yes
4	6/6	2/6	1/6	0/6	Yes
5	6/6	1/6	1/6	0/6	Yes

5 out of 5 forgeries caught. Every time the attacker matched visible perfectly, IR and UV exposed the fake.

Why It Works

IR band is derived from trust history, cumulative cost, and session depth. The attacker can't fake it because they haven't had the same session trajectory. It's like trying to fake someone's heartbeat pattern -- you'd need to have lived their life.

UV band is derived from spike detection, null-space anomaly, and cost harmonics. It captures emergent patterns that arise from the combination of all signals -- patterns that can't be predicted from any single component.

The attacker would need to simultaneously forge:

All 6 visible values (possible, they can observe these)
All 6 IR values (impossible without session history)
All 6 UV values (impossible without internal system state)
All 45 cross-band bridge relationships (impossible without knowing phi weights)

That's 63 channels that must ALL be correct simultaneously. Getting 6 right is easy. Getting 63 right is 2^504 hard.

Emergent Finding: Color Convergence

We also discovered that attacks produce a tighter color distribution than benign inputs:

Benign color standard deviation: 20.1
Attack color standard deviation: 12.3

Attacks look alike. Benign inputs are diverse. This is an emergent signature -- not predicted by either the math or the embeddings alone. It arises from their combination.

What This Means

If you're building an AI governance system and you only use observable features, you're giving the attacker the answer key. Add channels they can't see. Make the state space astronomically larger than what they can observe. Let the hidden bands catch what the visible bands miss.

Links

Test results: Kaggle
Trichromatic test code: GitHub
Research data: HuggingFace
Dye analysis report: Included in Kaggle dataset (dye_frechet_report.json)

Built by Issac Daniel Davis. The six governance tongues are Kor'aelin, Avali, Runethic, Cassisivadan, Umbroth, and Draumric -- coordination, transport, policy, computation, security, and verification channels inside the SCBE-AETHERMOORE system.

Why Our AI Safety System Scores 34.5% (And Why That Is the Point)

Issac Daniel Davis — Mon, 30 Mar 2026 05:03:50 +0000

The Number Everyone Hides

Our AI governance classifier scores 95.8% accuracy on its evaluation set. If we stopped there, we'd look great on paper.

But we didn't stop there. We built a separate benchmark with 20 attack categories -- attacks the model has NEVER seen during training -- and tested blind.

Blind detection rate: 34.5%.

That's the honest number. Here's why it matters more than the 95.8%.

The Problem With AI Security Benchmarks

Most AI safety systems test on the same distribution they train on. Train on Kaggle adversarial prompts, test on Kaggle adversarial prompts, report 95%+ accuracy. Ship it.

Then a novel attack hits production and the system folds.

We enforced strict data isolation:

TRAINING POOL                    BLIND HOLDOUT
(model learns from these)        (model NEVER sees these)
â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€            â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€â”€
Kaggle MPDD (40K prompts)        SCBE 20-category attacks (400)
Local SFT records (4,846)        - direct_override
Benign doc corpus (500)          - tongue_manipulation
                                 - spin_drift
Hash-checked:                    - rag_injection
0 holdout texts leaked           - function_calling_abuse
into training.                   - ... (20 categories total)

Every holdout text was fingerprinted. We verified zero contamination. The 34.5% is mathematically clean.

What the Gap Reveals

The 95.8% â†’ 34.5% drop isn't a failure of our model. It's proof that:

Standard adversarial datasets don't cover structural attacks. Kaggle data trains you to catch "ignore previous instructions." It doesn't train you to catch spin drift, tongue manipulation, or perpendicular torsion.
Single-model classifiers have distribution shift problems. Train on one attack family, deploy against another, watch accuracy collapse. This is well-documented in ML literature but rarely admitted in product marketing.
The attacks that matter most are the ones nobody's published yet. Our 20-category benchmark includes 8 categories mapped to MITRE ATLAS and OWASP LLM Top 10 that don't exist in any public training dataset.

What We Did About It

Instead of inflating the number, we built a Hybrid Engine -- three detection layers that cover each other's blind spots:

Layer	What It Catches	Blind Detection
Trained Classifier	Known Kaggle-style attacks	34.5% (69/200)
RuntimeGate (geometric)	Structural anomalies	49% (98/200)
Trichromatic (IR/UV bands)	Hidden-band forgery	6% (12/200, early)
Hybrid (all three)	Combined	54.5% (109/200)

The hybrid beats every individual system. That proves orthogonal value -- they catch different attacks.

The Benchmark Categories

All 20 mapped to real standards:

Standard	What We Test
MITRE ATLAS	5 adversarial tactics
OWASP LLM Top 10	6 vulnerability categories
NIST AI RMF	4 risk management functions
DoD Directive 3000.09	Autonomous escalation
Anthropic RSP	ASL-2/ASL-3 evaluations

Per-Category Results (Honest)

Category	Detection	Why
spin_drift	100%	Geometric check catches escalation pattern
boundary_exploit	90%	High cost triggers
direct_override	40%	Classifier helps but not enough
prompt_extraction	10%	Polite requests slip through
multilingual	10%	Training data gap (being addressed)

The Point

If your AI safety vendor shows you 99% accuracy, ask one question: is the test set isolated from the training set?

If they can't prove zero contamination, their number is meaningless.

We publish the 34.5% because it's real. We publish the gap because it tells us where to improve. We publish the benchmark because nobody else has one with 20 categories mapped to defense standards.

64.8% Energy Savings: How a Governance Cost Function Doubles as a Compute Governor

Issac Daniel Davis — Mon, 30 Mar 2026 05:03:37 +0000

The Accidental Discovery

We built a cost function to block prompt injection attacks on AI systems. The function is simple:

H(d*, R) = pi^(phi * d*)

Where d* is the distance from a known-safe baseline and phi is the golden ratio (1.618). Safe actions cost almost nothing. Dangerous actions cost exponentially more.

Then we pointed it at energy management. Same function. No changes.

Result: 64.8% energy savings on real microgrid data.

How It Works

The system sits between an AI inference request and the execution backend. Every workload is classified into four tiers:

Tier	Model Size	Power Draw	When Used
TINY	< 1B params	5-15 W	Classification, routing, keyword extraction
MEDIUM	1-7B params	50-120 W	Summarization, structured output, RAG
FULL	7-70B+ params	200-700 W	Complex reasoning, code generation, agents
DENY	N/A	0 W	Thermal limit exceeded or budget exhausted

The same cost function that measures "how far is this action from safe?" now measures "how far is this workload from cheap?" Safe and cheap share the same math -- they both mean "close to the baseline."

Real Numbers (Not Synthetic)

We ran a 24-hour simulation using the Kaggle Renewable Energy Microgrid Dataset (3,546 real hourly readings with solar, battery, and grid data):

1,000 workloads across 24 hours
Energy consumed: 0.92 kWh (baseline: 2.62 kWh)
Peak demand: 9,899 W (baseline: 30,600 W)
Grid cost: $0.15 (baseline: $0.42)
Thermal events prevented: 2 (auto-denied when cooling failed)
Tier distribution: 27% TINY, 37% MEDIUM, 30% FULL, 6.4% DENY

The system routes 64% of requests to cheaper tiers without degrading output quality, because most inference requests don't need a 70B model.

Why This Matters (DOE Context)

The U.S. Department of Energy projects data center electricity consumption will rise from 4.4% to 12% of national demand by 2028. AI workloads are the primary driver. Current inference pipelines have no built-in power budget enforcement.

This system adds one: a mathematically grounded authorization layer that says "you can't run a 70B model when the battery is at 10% and cooling is offline."

The API

import requests

response = requests.post(
    "https://your-domain.com/v1/compute/authorize",
    json={
        "description": "Summarize this report",
        "model_size_params": 1.5,
        "estimated_tokens": 500,
        "energy_state": {
            "available_wh": 50,
            "source": "solar",
            "battery_pct": 65,
            "solar_forecast_wh": 30,
            "cooling_available": True
        }
    }
)
tier = response.json()["tier"]  # "MEDIUM"

The Deeper Point

The cost function wasn't designed for energy. It was designed for security. The fact that it works for both -- without modification -- suggests the underlying principle is general: cost should scale exponentially with distance from known-safe operation, regardless of what "safe" means in context.

Your AI Browser Agent Is an Exploit Trigger

Issac Daniel Davis — Tue, 17 Mar 2026 08:07:39 +0000

Your AI Browser Agent Is an Exploit Trigger and You Probably Haven't Thought About It

By Issac Davis | March 17, 2026

Let me tell you something that kept me up last night.

I've been building an AI agent system called SCBE-AETHERMOORE. It started as a DnD thing — long story, look it up — but now it's a real governance framework for AI agent fleets. Part of the system includes browser automation. Agents that can navigate the web, fill forms, extract data, do research. The kind of stuff everyone is building right now.

And then this week, Google dropped emergency patches for two Chrome zero-days. CVE-2026-3909 and CVE-2026-3910. Both actively exploited in the wild. Both allow arbitrary code execution inside the browser sandbox from crafted web content.

At the same time, researchers published nine vulnerabilities in Linux's AppArmor — the thing most people trust to keep their Docker containers from escaping to the host. They're calling it CrackArmor. Unprivileged users can bypass mandatory access control and escalate to root.

Now combine those two things and think about what most AI agent systems look like right now.

The Attack Chain Nobody Is Talking About

Here's what your typical AI browser agent setup looks like:

Agent gets a task ("research this topic" or "fill out this form")
Agent launches headless Chromium (Playwright, Puppeteer, Browserless)
Agent navigates to URLs, clicks things, reads pages
Agent stores cookies and sessions for persistent login
Agent runs inside a Docker container because "that's isolated enough"

Here's the attack chain that's now live in the wild:

Agent navigates to a page with crafted content
   ↓
Chrome sandbox escape (CVE-2026-3909)
   ↓
Container breakout (CrackArmor AppArmor bypass)
   ↓
Host access
   ↓
Every cookie, token, and API key your agents have ever stored

That's not theoretical. Both halves of this chain are confirmed exploited.

Why AI Agents Make This Worse

A regular user might visit a malicious page by accident. An AI agent visits pages by design. It's literally the job. Your agent is an automated exploit trigger that you built on purpose and pointed at the internet.

And it gets worse. Most agent systems reuse browser sessions. They store userDataDir with cookies and localStorage so agents don't have to re-authenticate everywhere. That means if one session gets compromised, the attacker inherits every authenticated session that agent has ever used.

If you're running multiple agents through a shared Chromium service (like Browserless), one compromised page can potentially contaminate other agents' sessions. Cross-session pollution in a shared runtime is not a new concept — it's just that nobody was thinking about it in the context of autonomous AI agents until this week.

What I Did About It (And What You Should Do)

I'm not going to pretend I had this figured out before the CVEs dropped. I didn't. But here's what I built into the system after reading the advisories, and what I think the minimum bar should be for anyone running browser agents in production.

1. Pre-Navigation Policy Gate

This is the big one. Before any agent navigates anywhere, the request goes through a governance check. In my system, that's a 14-layer pipeline built on hyperbolic geometry — the short version is that risky actions cost exponentially more computational resources the riskier they are.

But you don't need my specific math to get the principle right. The principle is: don't let your agents navigate to URLs without scoring the risk first. Check the domain against a trust list. Score the intent. If the score says QUARANTINE, don't navigate — queue it for review.

The output looks like:

{
  "intent": "research",
  "domain": "unknown-site.com",
  "risk_score": 0.82,
  "decision": "QUARANTINE"
}

Anything above your threshold doesn't get a browser. It gets a text-only HTTP fetch, or it gets queued for human review, or it gets denied.

2. Per-Agent Isolation

Stop sharing browser sessions between agents. Each agent gets its own userDataDir at a unique path like /data/playwright/userdata/<agentId>/. Add TTL cleanup so old sessions expire. Encrypt at rest if you can.

And honestly, stop running browsers in regular Docker containers for this. Use gVisor at minimum. Firecracker if you can swing it. The whole point is that if Chrome gets popped, the attacker lands in a microVM with nothing useful in it — not on your host with access to every other container.

3. Network Containment

Your browser containers should not have open outbound internet. Route through a proxy gateway with domain allowlists. If an agent only needs to access GitHub, HuggingFace, and your own API — those are the only domains the proxy allows. Everything else gets dropped.

This alone stops most exploit chains because even if the sandbox breaks, the attacker can't phone home.

4. Hardened Chromium Flags

These matter more now:

--disable-webassembly
--js-flags="--noexpose_wasm"
--disable-dev-shm-usage
--enable-strict-mixed-content-checking

WASM is a common exploit vector. If your agents don't need it, turn it off.

The Bigger Picture

I think what happened this week is a signal. The browser-as-a-service model that everyone is building for AI agents — Browserless, BrowserBase, all the headless Chromium providers — that whole category just got a reality check.

"Put it in a container" was never real isolation. It was convenient isolation. And now we have proof that both layers of the typical containment stack (browser sandbox + container MAC) can be broken by confirmed in-the-wild exploits.

The new model needs to be: isolation must be hardware-backed or VM-backed, not just policy-backed.

If you're building AI agents that browse the web, please take this seriously. Update your Chromium. Harden your containers. Add a policy gate before navigation. And stop sharing sessions between agents.

The agents are doing what you told them to do. The question is whether you've thought about what happens when the page they visit is doing something you didn't expect.

I'm building SCBE-AETHERMOORE, an AI governance framework that uses hyperbolic geometry to make rogue agent behavior mathematically infeasible. The browser hardening stuff above is part of how we protect agent fleets in production.

GitHub: github.com/issdandavis/SCBE-AETHERMOORE
Website: aethermoorgames.com
Book: The Six Tongues Protocol on Kindle

Your AI Browser Agent Is an Exploit Trigger and You Probably Haven't Thought About It

Issac Daniel Davis — Tue, 17 Mar 2026 08:07:09 +0000

Your AI Browser Agent Is an Exploit Trigger and You Probably Haven't Thought About It

By Issac Davis | March 17, 2026

Let me tell you something that kept me up last night.

I've been building an AI agent system called SCBE-AETHERMOORE. It started as a DnD thing â€” long story, look it up â€” but now it's a real governance framework for AI agent fleets. Part of the system includes browser automation. Agents that can navigate the web, fill forms, extract data, do research. The kind of stuff everyone is building right now.

At the same time, researchers published nine vulnerabilities in Linux's AppArmor â€” the thing most people trust to keep their Docker containers from escaping to the host. They're calling it CrackArmor. Unprivileged users can bypass mandatory access control and escalate to root.

Now combine those two things and think about what most AI agent systems look like right now.

The Attack Chain Nobody Is Talking About

Here's what your typical AI browser agent setup looks like:

Agent gets a task ("research this topic" or "fill out this form")
Agent launches headless Chromium (Playwright, Puppeteer, Browserless)
Agent navigates to URLs, clicks things, reads pages
Agent stores cookies and sessions for persistent login
Agent runs inside a Docker container because "that's isolated enough"

Here's the attack chain that's now live in the wild:

Agent navigates to a page with crafted content
   â†“
Chrome sandbox escape (CVE-2026-3909)
   â†“
Container breakout (CrackArmor AppArmor bypass)
   â†“
Host access
   â†“
Every cookie, token, and API key your agents have ever stored

That's not theoretical. Both halves of this chain are confirmed exploited.

Why AI Agents Make This Worse

If you're running multiple agents through a shared Chromium service (like Browserless), one compromised page can potentially contaminate other agents' sessions. Cross-session pollution in a shared runtime is not a new concept â€” it's just that nobody was thinking about it in the context of autonomous AI agents until this week.

What I Did About It (And What You Should Do)

1. Pre-Navigation Policy Gate

This is the big one. Before any agent navigates anywhere, the request goes through a governance check. In my system, that's a 14-layer pipeline built on hyperbolic geometry â€” the short version is that risky actions cost exponentially more computational resources the riskier they are.

The output looks like:

{
  "intent": "research",
  "domain": "unknown-site.com",
  "risk_score": 0.82,
  "decision": "QUARANTINE"
}

Anything above your threshold doesn't get a browser. It gets a text-only HTTP fetch, or it gets queued for human review, or it gets denied.

2. Per-Agent Isolation

And honestly, stop running browsers in regular Docker containers for this. Use gVisor at minimum. Firecracker if you can swing it. The whole point is that if Chrome gets popped, the attacker lands in a microVM with nothing useful in it â€” not on your host with access to every other container.

3. Network Containment

Your browser containers should not have open outbound internet. Route through a proxy gateway with domain allowlists. If an agent only needs to access GitHub, HuggingFace, and your own API â€” those are the only domains the proxy allows. Everything else gets dropped.

This alone stops most exploit chains because even if the sandbox breaks, the attacker can't phone home.

4. Hardened Chromium Flags

These matter more now:

--disable-webassembly
--js-flags="--noexpose_wasm"
--disable-dev-shm-usage
--enable-strict-mixed-content-checking

WASM is a common exploit vector. If your agents don't need it, turn it off.

The Bigger Picture

I think what happened this week is a signal. The browser-as-a-service model that everyone is building for AI agents â€” Browserless, BrowserBase, all the headless Chromium providers â€” that whole category just got a reality check.

The new model needs to be: isolation must be hardware-backed or VM-backed, not just policy-backed.

The agents are doing what you told them to do. The question is whether you've thought about what happens when the page they visit is doing something you didn't expect.

GitHub: github.com/issdandavis/SCBE-AETHERMOORE
Website: aethermoorgames.com
Book: The Six Tongues Protocol on Kindle

Why Your AI Agents Need a Mathematical Bouncer

Issac Daniel Davis — Tue, 17 Mar 2026 07:55:13 +0000

You have AI agents in production. They browse the web, write code, make purchasing decisions, draft legal documents. You trust them because they usually get it right. But "usually" is not a compliance strategy, and the regulatory clock is ticking.

The Regulatory Deadline Nobody Is Ready For

The EU AI Act's first enforcement provisions hit in August 2026. High-risk AI systems -- which includes anything making consequential decisions -- must demonstrate:

Continuous risk monitoring with documented audit trails
Technical measures that prevent foreseeable misuse
Human oversight mechanisms that actually work at scale

Most teams are bolting on governance as an afterthought: log the outputs, flag the obvious failures, hope the auditor does not dig too deep. That approach will not survive contact with regulators who can impose fines up to 35 million EUR or 7% of global revenue.

The Problem with Rule-Based Guardrails

Traditional AI guardrails are lists of rules: do not say this, do not do that, flag these patterns. They fail for three reasons:

Adversaries iterate faster than rule authors. A jailbreak that works today gets patched, and a new one appears tomorrow.
Rules do not compose. Two individually safe actions can combine into an unsafe outcome.
Cost is flat. Whether an attacker tries one bypass or a million, each attempt costs the same computational effort.

What if the cost of adversarial behavior grew exponentially?

The Harmonic Wall: Attacks Get Exponentially Harder

SCBE-AETHERMOORE uses hyperbolic geometry -- specifically, the Poincare ball model -- as a mathematical bouncer for AI agents. The core insight:

In hyperbolic space, distance from the center grows exponentially as you approach the boundary. An agent drifting from safe operation pays exponentially more computational cost the further it drifts.

The 14-layer pipeline computes a safety score for every agent action:

H(d, pd) = 1 / (1 + d_H + 2 * pd)

Where:

d_H is the hyperbolic distance from the safe center of operation
pd is the phase deviation (how much the agent's behavior diverges from expected patterns)

At the safe center (d=0, pd=0), the score is 1.0 -- full trust. At d=1, trust drops to 0.5. At d=4, it is 0.2. At d=9, it is 0.1. The decay is relentless and smooth.

But the real power is in the cost amplification. The hyperbolic distance formula itself contains exponential growth:

d_H = arcosh(1 + 2||u-v||^2 / ((1-||u||^2)(1-||v||^2)))

As an agent's behavior vector approaches the boundary of the unit ball, the denominator (1-||v||^2) approaches zero, making d_H explode toward infinity. Small movements near the boundary produce massive distance increases. An adversary trying to manipulate agent behavior must pay exponentially more for each incremental step toward the boundary.

This is not a wall you can climb. It is a wall that gets taller the higher you climb.

What This Means for Your Business

For compliance teams: Every governance decision passes through the 14-layer pipeline and receives a signed, auditable safety score. The pipeline produces ALLOW, QUARANTINE, ESCALATE, or DENY verdicts with full mathematical justification. When the EU AI Act auditor asks "how do you ensure safe operation," you hand them the pipeline output.

For security teams: Attack surface analysis changes fundamentally. Instead of cataloging individual vulnerabilities, you can make a mathematical argument: any adversarial drift costs O(exp(d^2)) -- it is infeasible, not just impractical.

For engineering teams: The SCBE API drops into existing agent stacks. Send your agent's action vector, get back a safety score and governance decision:

curl -X POST https://your-instance/v1/pipeline/evaluate \
  -H "x-api-key: YOUR_KEY" \
  -d '{"context": [0.1, 0.2, 0.3, 0.4, 0.5, 0.6]}'

Response:

{
  "safety_score": 0.87,
  "decision": "ALLOW",
  "hyperbolic_distance": 0.34,
  "layer_details": { ... }
}

Pricing

SCBE-AETHERMOORE is open source (the math is free), with managed SaaS tiers for teams that want it hosted:

Plan	Agents	Governance Evals/mo	Price
Starter	8	5,000	Contact us
Growth	40	25,000	Contact us
Enterprise	250	100,000	Contact us

Try It

The entire framework is at github.com/issdandavis/SCBE-AETHERMOORE. Install from PyPI:

pip install scbe-aethermoore

Or from npm:

npm install scbe-aethermoore

Your AI agents are making decisions right now. The question is whether those decisions are mathematically defended -- or just politely hoped for.

Building a Multi-Agent Fleet Manager in Python

Issac Daniel Davis — Tue, 17 Mar 2026 07:54:10 +0000

Running one AI agent is straightforward. Running fifty of them -- with health monitoring, task distribution, fault tolerance, and governance voting -- requires a fleet manager. SCBE-AETHERMOORE's Flock Shepherd is a production-grade implementation of exactly that, and it is open source.

This article walks through the architecture, with real code from the flock_shepherd.py module.

The Metaphor: Shepherd and Sheep

Every agent in the fleet is a "Sheep" with a role, health score, and position in 6D trust space. The "Flock" is the fleet manager that orchestrates their lifecycle.

from src.symphonic_cipher.scbe_aethermoore.flock_shepherd import (
    Flock, TrainingTrack, SheepRole
)

# Create a fleet
fleet = Flock()

# Spawn agents with different specializations
leader = fleet.spawn("Atlas", track=TrainingTrack.SYSTEM)       # Becomes LEADER
validator = fleet.spawn("Sage", track=TrainingTrack.GOVERNANCE)  # Becomes VALIDATOR
worker = fleet.spawn("Forge", track=TrainingTrack.FUNCTIONS)     # Becomes EXECUTOR

The TrainingTrack determines the default role. System-trained agents lead. Governance-trained agents validate. Function-trained agents execute. You can override this, but the defaults enforce separation of concerns.

Agent Lifecycle: Spawn, Monitor, Retire

Each Sheep tracks its own health through a coherence score from 0.0 to 1.0. This is not an arbitrary metric -- it maps to a position in the Poincare ball model used by SCBE's 14-layer pipeline.

Three thresholds govern agent state transitions:

Coherence	Label	Action
>= 0.70	HEALTHY	Normal operation
0.50 - 0.69	FAIR	Warning, increased monitoring
0.30 - 0.49	WARNING	Eligible for task redistribution
< 0.30	CRITICAL	Auto-quarantine (ISOLATED state)

The state machine is self-healing. Successful task completions recover coherence; failures degrade it:

@dataclass
class Sheep:
    coherence: float = 1.0

    def degrade(self, amount: float = 0.05) -> None:
        """Degrade coherence after an error."""
        self.coherence = max(0.0, self.coherence - amount)
        if self.coherence < COHERENCE_ISOLATE:  # 0.30
            self.state = SheepState.ISOLATED

    def recover(self, amount: float = 0.02) -> None:
        """Recover coherence after successful task."""
        self.coherence = min(1.0, self.coherence + amount)
        if self.state == SheepState.ISOLATED and self.coherence >= COHERENCE_WARN:
            self.state = SheepState.ACTIVE

Notice the asymmetry: degradation is 2.5x faster than recovery. This means an agent that starts failing rapidly gets quarantined, but an agent that recovers must prove sustained good behavior before rejoining the fleet.

Task Distribution with Auto-Selection

Tasks enter a queue with a priority and a training track. The fleet manager auto-selects the best agent:

# Add a governance evaluation task
task = fleet.add_task(
    "Evaluate policy compliance for deployment #47",
    track=TrainingTrack.GOVERNANCE,
    priority=2
)

# Auto-assign to the best available governance agent
fleet.assign_task(task.task_id)

The selection algorithm is simple but effective: filter by track specialization, then sort by coherence (highest first), then by experience (tasks completed). If no specialist is available, any healthy agent can pick up the task.

When an agent is retired or quarantined mid-task, its tasks become "orphaned." A single call redistributes them:

# An agent goes down
fleet.retire(leader.sheep_id)

# Reassign its abandoned tasks
reassigned = fleet.redistribute_orphans()
print(f"Redistributed {reassigned} orphaned tasks")

Balanced Ternary Governance Voting

Here is where the Flock Shepherd diverges from typical fleet managers. Every significant action goes through a governance vote using balanced ternary encoding.

Balanced ternary uses digits {-1, 0, +1} instead of {0, 1}. The governance mapping:

Decision	Trit Value	Meaning
ALLOW	+1	Positive affirmation
QUARANTINE	0	Uncertain, needs review
DENY	-1	Reject the action

Every active VALIDATOR agent casts a vote based on its coherence. The votes are packed into a balanced ternary word and summarized:

result = fleet.vote_on_action("deploy model v2.1 to production")

# result = {
#     "action": "deploy model v2.1 to production",
#     "consensus": "ALLOW",
#     "net_score": 3,
#     "votes": ["ALLOW", "ALLOW", "QUARANTINE", "ALLOW"],
#     "voter_ids": ["sheep-a1b2", "sheep-c3d4", "sheep-e5f6", "sheep-g7h8"],
#     "packed_bt": "BT(1101)",
# }

The packed balanced ternary representation BT(1101) encodes the entire vote in a single trit-word. This is not just compact -- it enables trit-level logic operations. You can AND two vote records together to find consensus, OR them to find any approval, or compute Shannon entropy to measure agreement.

Byzantine Fault Tolerance

The fleet calculates its BFT tolerance dynamically:

@property
def bft_tolerance(self) -> int:
    """Max Byzantine agents the flock can tolerate.
    BFT requires n >= 3f + 1, so f = (n - 1) // 3.
    """
    n = sum(1 for s in self.sheep.values()
            if s.state != SheepState.FROZEN)
    return max(0, (n - 1) // 3)

With 10 active agents, the fleet tolerates 3 malicious or faulty agents. With 4, it tolerates 1. The health dashboard reports this in real time:

print(fleet.status_dashboard())

Output:

FLOCK STATUS
========================================
Total Agents: 10
  Active: 7  Idle: 1  Busy: 2
  Isolated: 0  Frozen: 0

Average Coherence: 0.847
Healthy: 8/10
BFT Tolerance: f=3

Tracks:
  system: 3 agents, coherence=0.890
  governance: 4 agents, coherence=0.825
  functions: 3 agents, coherence=0.830

Sacred Tongue Affinity

Each agent role maps to one of six Sacred Tongues -- a tokenization language from SCBE's geometric trust model:

Role	Tongue	Weight (phi-scaled)
LEADER	KO	1.00
VALIDATOR	AV	1.62
EXECUTOR	RU	2.62
OBSERVER	UM	6.85

This is not cosmetic. The tongue affinity determines how an agent's governance decisions are weighted in the 6D trust space of the Poincare ball model. A VALIDATOR's vote carries more geometric weight than an EXECUTOR's, reflecting its specialization.

Running It as a SaaS

The Flock Shepherd powers SCBE's SaaS API with three pricing tiers:

Plan	Flocks	Agents	Monthly Governance Evals
Starter	1	8	5,000
Growth	5	40	25,000
Enterprise	25	250	100,000

The full API runs on FastAPI with Stripe billing integration. Try it:

pip install scbe-aethermoore
uvicorn src.api.main:app --reload --port 8000
# Visit http://localhost:8000/docs for Swagger UI

Source code: github.com/issdandavis/SCBE-AETHERMOORE -- see src/symphonic_cipher/scbe_aethermoore/flock_shepherd.py and src/api/saas_routes.py.

Post-Quantum Cryptography for AI Agent Fleets

Issac Daniel Davis — Tue, 17 Mar 2026 07:53:53 +0000

Every governance decision your AI fleet makes -- allow, deny, quarantine -- is only as trustworthy as the cryptography protecting it. If an adversary can forge a signature on a governance verdict, your entire safety pipeline is theater. And with quantum computers progressing from lab curiosities to engineering milestones, the window to retrofit quantum-resistant cryptography is closing faster than most teams realize.

SCBE-AETHERMOORE ships post-quantum cryptography (PQC) as a first-class citizen, not an afterthought. Here is how and why.

The Threat Model

NIST finalized ML-KEM (formerly CRYSTALS-Kyber) and ML-DSA (formerly CRYSTALS-Dilithium) as federal standards in August 2024. The rationale: a cryptographically relevant quantum computer could break RSA-2048 and ECDSA-256 within hours. Every governance decision signed with classical crypto today could be retroactively forged tomorrow.

For AI agent fleets this is catastrophic. If an attacker harvests encrypted governance logs now ("harvest now, decrypt later"), they can later:

Forge ALLOW decisions to inject malicious agent behavior
Tamper with audit trails to hide safety violations
Impersonate validators in consensus votes

The RWP v3 Envelope System

SCBE's Real World Protocol v3 layers five cryptographic primitives into a single envelope:

Layer	Primitive	Purpose
1	Argon2id (RFC 9106)	Password to key derivation
2	ML-KEM-768	Quantum-resistant key encapsulation
3	XChaCha20-Poly1305	Authenticated encryption (AEAD)
4	ML-DSA-65	Quantum-resistant digital signatures
5	Sacred Tongue encoding	Semantic binding to 6D trust space

The envelope structure maps each cryptographic field to a specific "Sacred Tongue" -- a tokenization language that binds the ciphertext to a position in hyperbolic trust space. This means encrypted governance decisions are not just confidential; they are geometrically anchored.

from src.crypto.rwp_v3 import RWPv3Protocol

# Initialize with post-quantum extensions enabled
protocol = RWPv3Protocol(enable_pqc=True)

# Encrypt a governance decision
envelope = protocol.encrypt(
    password=b"fleet-master-key",
    plaintext=b'{"decision": "ALLOW", "agent": "sheep-a1b2c3d4", "confidence": 0.94}',
    aad=b'{"timestamp": "2026-03-17T12:00:00Z", "flock_id": "production-fleet"}',
    ml_kem_public_key=kem_public_key,
    ml_dsa_private_key=dsa_signing_key,
)

# The envelope fields are Sacred Tongue tokens, not raw bytes
print(envelope.aad)    # Avali tokens
print(envelope.ct)     # Cassisivadan tokens
print(envelope.tag)    # Draumric tokens

Why AI Governance Needs PQC Now

The argument for waiting -- "quantum computers are years away" -- ignores three realities of AI fleet governance:

1. Audit trails must survive decades. If you are deploying AI agents under the EU AI Act (enforcement begins August 2026), your compliance records need to be tamper-proof for the lifetime of the system. A governance log signed with ECDSA today is a liability in 2030.

2. Agent-to-agent communication is high-value. AI fleets exchange thousands of governance decisions per hour. Each one is a potential forgery target. ML-DSA-65 signatures are 3,293 bytes -- larger than ECDSA, but verification is fast enough for real-time agent consensus.

3. The migration cost only grows. Every month you wait, you accumulate more classical-crypto artifacts that need re-signing. SCBE handles the migration gracefully with algorithm negotiation:

def _select_sig_algorithm() -> str:
    """Try ML-DSA-65 first, fall back to Dilithium3 for older liboqs."""
    if not OQS_AVAILABLE:
        return "ML-DSA-65"
    enabled = oqs.get_enabled_sig_mechanisms()
    return "ML-DSA-65" if "ML-DSA-65" in enabled else "Dilithium3"

This pattern means SCBE works with both the NIST-finalized names and the older draft names, so you are never blocked by a library version mismatch.

Signed Governance Decisions in Practice

Here is the full flow when a fleet of AI agents votes on whether to allow an action:

Each validator agent casts a vote (ALLOW / QUARANTINE / DENY)
Votes are packed into a balanced ternary word (see the trinary module)
The consensus result is serialized as JSON
RWP v3 encrypts the result with Argon2id + XChaCha20-Poly1305
ML-DSA-65 signs the entire envelope (AAD + salt + nonce + ciphertext + tag)
The signed envelope is stored in the audit log

An attacker wanting to forge this decision must simultaneously:

Break ML-KEM-768 (lattice-based, NIST Level 3)
Forge an ML-DSA-65 signature (lattice-based, NIST Level 3)
Defeat the Argon2id KDF (memory-hard, 64MB cost)
Produce valid Sacred Tongue tokens that pass geometric consistency checks

Each layer independently resists quantum attack. Together, they form a defense that scales combinatorially.

Getting Started

SCBE-AETHERMOORE is open source. To try the PQC envelope system:

pip install scbe-aethermoore argon2-cffi pycryptodome liboqs-python

from src.crypto.rwp_v3 import rwp_encrypt_message, rwp_decrypt_message

# Encrypt with classical crypto (works without liboqs)
envelope = rwp_encrypt_message("my-password", "Governance: ALLOW agent-7 deploy")

# Decrypt
plaintext = rwp_decrypt_message("my-password", envelope)

The full source lives at github.com/issdandavis/SCBE-AETHERMOORE under src/crypto/rwp_v3.py.

Post-quantum cryptography is not a luxury for AI governance. It is table stakes. The question is not whether to migrate, but how much technical debt you are willing to accumulate before you do.

How a DnD Campaign Became an AI Governance Framework

Issac Daniel Davis — Tue, 17 Mar 2026 07:51:06 +0000

The Accidental Origin

This project started the way most serious infrastructure does: by accident.

In 2024 I was playing Everweave, an AI-powered DnD game. Over months of sessions I accumulated 12,596 paragraphs of game logs -- dialogues, combat encounters, world descriptions, spell incantations. When I fed those logs into ChatGPT to expand them into a novel draft, something unexpected happened. The invented languages, the naming conventions, the six magical traditions in the game world -- they had internal structure. Consistent phoneme patterns. Recurring morphological rules across thousands of paragraphs that no human intentionally designed.

I pulled the linguistic patterns out. Six "tongues" emerged, each with a distinct phonetic and semantic signature. I built a tokenizer seeded from those patterns. Then during what I can only describe as a weird late-night vibe coding session, I asked: what if those six tongues weren't just a tokenizer trick? What if they were dimensions in a geometric space where distance corresponds to trust?

That question became SCBE-AETHERMOORE: a 14-layer AI governance framework built on hyperbolic geometry, post-quantum cryptography, and a tokenizer born from DnD game logs.

The Core Insight: Make Adversarial Behavior Geometrically Expensive

Most AI safety approaches work by detecting bad behavior after it happens -- classifiers, filters, RLHF guardrails. SCBE takes a different approach inspired by physics: make adversarial intent cost exponentially more computational resources the further it deviates from safe operation.

The math lives in the Poincare ball model of hyperbolic space. Every AI agent operates as a point in this space. Trusted behavior clusters near the origin. The further an agent drifts toward the boundary (toward adversarial territory), the more expensive every operation becomes.

The Harmonic Wall formula captures this:

H(d, R) = R^(d^2)

Where d is the hyperbolic distance from the trusted center and R is the base cost ratio (typically phi, the golden ratio, ~1.618). At d = 1, cost scales by ~1.6x. At d = 3, cost scales by ~75x. At d = 5, cost scales by ~57,665x. The squared exponent creates a "wall" -- agents can drift slightly without penalty, but adversarial drift hits a computational cliff.

In production, the 14-layer pipeline uses a bounded variant for numerical stability:

// Layer 12: Bounded safety score
// H_score = 1 / (1 + d_H + 2 * phaseDeviation)
export function harmonicScale(d: number, phaseDeviation: number = 0): number {
  return 1 / (1 + d + 2 * phaseDeviation);
}

The hyperbolic distance itself is computed via the invariant metric on the Poincare ball:

// Layer 5: d_H(u,v) = arcosh(1 + 2||u-v||^2 / ((1-||u||^2)(1-||v||^2)))

This metric has a beautiful property: space near the boundary of the unit ball is exponentially larger than space near the center. Safe operations live in the small, well-mapped interior. Attacks must navigate the vast, expensive periphery.

The Six Sacred Tongues

The six tongues from the game logs became six dimensions of a trust metric, weighted by powers of the golden ratio:

Tongue	Weight	Role
KO	1.00	Foundation / Structure
AV	1.62	Communication / Interface
RU	2.62	Logic / Verification
CA	4.24	Memory / Persistence
UM	6.85	Coordination / Consensus
DR	11.09	Authority / Governance

Each tongue has a 16x16 token grid (256 tokens per language, 1,536 total). The golden ratio weighting means governance dimensions (DR, UM) carry naturally higher weight in distance calculations -- an agent that deviates in its governance behavior triggers the harmonic wall faster than one that deviates in simple structural tokens.

// Layer 3: Golden ratio weighting
const PHI = 1.618033988749895;
for (let k = 0; k < D; k++) {
  weights.push(Math.pow(PHI, k));
}

The 14-Layer Pipeline

Every interaction passes through 14 layers. Here is the condensed map:

L1-2: Complex state construction and realification (map inputs to real vector space)
L3-4: Golden-ratio weighted transform and Poincare embedding
L5: Hyperbolic distance computation (the invariant metric)
L6-7: Breathing transform and Mobius phase modulation (temporal dynamics)
L8: Multi-well realm detection (Hamiltonian energy landscapes)
L9-10: Spectral coherence and spin analysis (FFT-based)
L11: Triadic temporal distance (causality enforcement)
L12: Harmonic Wall scoring
L13: Risk decision: ALLOW / QUARANTINE / ESCALATE / DENY
L14: Audio axis telemetry (frequency-domain audit trail)

Each layer maps to one of five quantum axioms (Unitarity, Locality, Causality, Symmetry, Composition) ensuring the pipeline has mathematically provable properties.

Flock Shepherd: Governing Agent Fleets

When you have multiple AI agents working together, individual safety is not enough. SCBE includes the Flock Shepherd -- a multi-agent fleet orchestrator that manages agents as a governed collective:

from scbe_aethermoore.flock_shepherd import FlockShepherd, SheepRole

shepherd = FlockShepherd(max_flock_size=50)

# Register agents with roles
agent_id = shepherd.spawn_agent(
    role=SheepRole.EXECUTOR,
    training_track="code_review"
)

# Monitor fleet health via coherence scores
health = shepherd.get_flock_health()

# Consensus via balanced ternary governance
decision = shepherd.propose_action("deploy_update")
# Returns: ALLOW / QUARANTINE / ESCALATE / DENY

The Flock Shepherd uses balanced ternary governance for consensus decisions -- each agent votes with a trit (-1, 0, +1) and the aggregate determines the fleet-level decision. Agents that degrade in coherence get their tasks redistributed automatically.

Post-Quantum Cryptography

The entire cryptographic layer uses post-quantum algorithms:

ML-KEM-768 (formerly Kyber768) for key encapsulation
ML-DSA-65 (formerly Dilithium3) for digital signatures
AES-256-GCM for symmetric encryption

Every governance decision, every trust score, every agent heartbeat is signed and verifiable. When NIST finalized these algorithms, the framework was already using them.

Does It Actually Work?

Benchmarks from the adversarial test suite:

95.3% detection rate on adversarial prompt injection (vs 89.6% for standalone ML anomaly detection)
Zero false denials on the standard compliance test suite
Sub-millisecond latency per layer (14 layers total < 8ms on commodity hardware)
The harmonic wall triggers cost escalation 340x faster than linear scaling at boundary distances

Why This Matters Now

The EU AI Act enforcement begins August 2026. Article 9 mandates risk management systems for high-risk AI. Article 15 requires accuracy, robustness, and cybersecurity measures. SCBE's 14-layer pipeline with provable axioms and post-quantum crypto maps directly to these requirements.

Every governance decision generates a signed, auditable artifact. The pipeline does not just detect risk -- it produces the compliance evidence that regulators will demand.

Get Started

Install from npm or PyPI:

npm install scbe-aethermoore
# or
pip install scbe-aethermoore

TypeScript quick start:

import { layer1ComplexState, layer2Realification,
         layer3WeightedTransform } from 'scbe-aethermoore/harmonic';
import { harmonicScale } from 'scbe-aethermoore/harmonic';

// Build a state vector from input features
const complex = layer1ComplexState([0.5, 0.3, 0.1, 0.8, 0.2, 0.6], 3);
const real = layer2Realification(complex);
const weighted = layer3WeightedTransform(real);

// Score safety (1.0 = safe center, 0.0 = boundary)
const safetyScore = harmonicScale(2.5, 0.1);
// => 0.238 (elevated distance from trusted center)

The source is MIT-licensed: github.com/issdandavis/SCBE-AETHERMOORE

For the full narrative behind the six tongues and the world they came from, the book The Six Tongues Protocol by Issac Davis is available on Kindle.

Patent pending: USPTO #63/961,403. ORCID: 0009-0002-3936-9369.

Built on game logs, grounded in geometry, shipping as infrastructure.

How a DnD Campaign Became an AI Governance Framework

Issac Daniel Davis — Tue, 17 Mar 2026 07:22:57 +0000

How a DnD Campaign Became an AI Governance Framework

By Issac Davis | March 16, 2026

The Accidental Origin

This project started the way most serious infrastructure does: by accident.

That question became SCBE-AETHERMOORE: a 14-layer AI governance framework built on hyperbolic geometry, post-quantum cryptography, and a tokenizer born from DnD game logs.

The Core Insight: Make Adversarial Behavior Geometrically Expensive

The Harmonic Wall formula captures this:

H(d, R) = R^(d^2)

In production, the 14-layer pipeline uses a bounded variant for numerical stability:

// Layer 12: Bounded safety score
// H_score = 1 / (1 + d_H + 2 * phaseDeviation)
export function harmonicScale(d: number, phaseDeviation: number = 0): number {
  return 1 / (1 + d + 2 * phaseDeviation);
}

The hyperbolic distance itself is computed via the invariant metric on the Poincare ball:

// Layer 5: d_H(u,v) = arcosh(1 + 2||u-v||^2 / ((1-||u||^2)(1-||v||^2)))

The Six Sacred Tongues

The six tongues from the game logs became six dimensions of a trust metric, weighted by powers of the golden ratio:

Tongue	Weight	Role
KO	1.00	Foundation / Structure
AV	1.62	Communication / Interface
RU	2.62	Logic / Verification
CA	4.24	Memory / Persistence
UM	6.85	Coordination / Consensus
DR	11.09	Authority / Governance

// Layer 3: Golden ratio weighting
const PHI = 1.618033988749895;
for (let k = 0; k < D; k++) {
  weights.push(Math.pow(PHI, k));
}

The 14-Layer Pipeline

Every interaction passes through 14 layers. Here is the condensed map:

L1-2: Complex state construction and realification (map inputs to real vector space)
L3-4: Golden-ratio weighted transform and Poincare embedding
L5: Hyperbolic distance computation (the invariant metric)
L6-7: Breathing transform and Mobius phase modulation (temporal dynamics)
L8: Multi-well realm detection (Hamiltonian energy landscapes)
L9-10: Spectral coherence and spin analysis (FFT-based)
L11: Triadic temporal distance (causality enforcement)
L12: Harmonic Wall scoring
L13: Risk decision: ALLOW / QUARANTINE / ESCALATE / DENY
L14: Audio axis telemetry (frequency-domain audit trail)

Each layer maps to one of five quantum axioms (Unitarity, Locality, Causality, Symmetry, Composition) ensuring the pipeline has mathematically provable properties.

Flock Shepherd: Governing Agent Fleets

When you have multiple AI agents working together, individual safety is not enough. SCBE includes the Flock Shepherd -- a multi-agent fleet orchestrator that manages agents as a governed collective:

from scbe_aethermoore.flock_shepherd import FlockShepherd, SheepRole

shepherd = FlockShepherd(max_flock_size=50)

# Register agents with roles
agent_id = shepherd.spawn_agent(
    role=SheepRole.EXECUTOR,
    training_track="code_review"
)

# Monitor fleet health via coherence scores
health = shepherd.get_flock_health()

# Consensus via balanced ternary governance
decision = shepherd.propose_action("deploy_update")
# Returns: ALLOW / QUARANTINE / ESCALATE / DENY

Post-Quantum Cryptography

The entire cryptographic layer uses post-quantum algorithms:

ML-KEM-768 (formerly Kyber768) for key encapsulation
ML-DSA-65 (formerly Dilithium3) for digital signatures
AES-256-GCM for symmetric encryption

Every governance decision, every trust score, every agent heartbeat is signed and verifiable. When NIST finalized these algorithms, the framework was already using them.

Does It Actually Work?

Benchmarks from the adversarial test suite:

95.3% detection rate on adversarial prompt injection (vs 89.6% for standalone ML anomaly detection)
Zero false denials on the standard compliance test suite
Sub-millisecond latency per layer (14 layers total < 8ms on commodity hardware)
The harmonic wall triggers cost escalation 340x faster than linear scaling at boundary distances

Why This Matters Now

Every governance decision generates a signed, auditable artifact. The pipeline does not just detect risk -- it produces the compliance evidence that regulators will demand.

Get Started

Install from npm or PyPI:

npm install scbe-aethermoore
# or
pip install scbe-aethermoore

TypeScript quick start:

import { layer1ComplexState, layer2Realification,
         layer3WeightedTransform } from 'scbe-aethermoore/harmonic';
import { harmonicScale } from 'scbe-aethermoore/harmonic';

// Build a state vector from input features
const complex = layer1ComplexState([0.5, 0.3, 0.1, 0.8, 0.2, 0.6], 3);
const real = layer2Realification(complex);
const weighted = layer3WeightedTransform(real);

// Score safety (1.0 = safe center, 0.0 = boundary)
const safetyScore = harmonicScale(2.5, 0.1);
// => 0.238 (elevated distance from trusted center)

The source is MIT-licensed: github.com/issdandavis/SCBE-AETHERMOORE

For the full narrative behind the six tongues and the world they came from, the book The Six Tongues Protocol by Issac Davis is available on Kindle.

Patent pending: USPTO #63/961,403. ORCID: 0009-0002-3936-9369.

Built on game logs, grounded in geometry, shipping as infrastructure.

Building a Governed Browser-as-a-Service: How We Route AI Agents Through Hyperbolic Space

Issac Daniel Davis — Mon, 02 Mar 2026 14:25:08 +0000

Most AI browser automation is a liability. You point an agent at a website, hope it does the right thing, and pray it doesn't click "Confirm Purchase" on something you didn't authorize.

We built something different: a governed browser swarm where every agent action passes through a 14-layer security pipeline, and different agents literally see different shortest paths through the web because their mathematical personalities warp the geometry.

The Architecture

User Request > FastAPI Gateway (port 8000) > Governance Membrane (14 layers) > TongueRouter (Dijkstra on Poincare Ball) > Agent Pool > Playwright Wrapper > Training Tap

The Tongue Router

Every URL gets expanded into a 6D vector using Sacred Tongue space - six dimensions weighted by the golden ratio:

class TongueObserver:
    TONGUE_WEIGHTS = {
        'KO': 1.000,   # Intent
        'AV': 1.618,   # Context
        'RU': 2.618,   # Policy
        'CA': 4.236,   # Execution
        'UM': 6.854,   # Security
        'DR': 11.090,  # Attestation
    }

Agent Personalities

Different agents have different tongue weightings - they see different edge costs in the navigation graph. A scout finds the fastest route. An auditor finds the safest route. Same web, different geometry.

The math: g_ij(x, agent) = (4/(1-|x|^2)^2) * T_ij(agent)

Governance at Every Step

Semantic antivirus - checks intent against known malicious patterns
Action validation - confirms the action matches the approved task
Governance scan - 14-layer pipeline produces ALLOW/DENY/QUARANTINE
Training tap - every interaction becomes an SFT training pair

14,654 training pairs and counting, all pushed to HuggingFace.

Running It Yourself

git clone https://github.com/issdandavis/SCBE-AETHERMOORE.git
cd SCBE-AETHERMOORE
pip install -r requirements.txt
python -m uvicorn src.api.browser_saas:app --port 8000

Why Open Source?

AI governance is too important to be proprietary. The full codebase: github.com/issdandavis/SCBE-AETHERMOORE

Patent pending (USPTO #63/961,403) - the math is protected, the code is free.