MO§ES™ Governance — Constitutional Harness

Constitutional Layer

This skill installs the MO§ES™ governance substrate. Every governed action runs through the harness: lineage verification → policy gate → role/posture enforcement → audit trail.

The full constitution lives in references/ — modes, postures, roles. The Commitment Conservation Law and Lineage Custody Clause travel with every governed instance. See LINEAGE.md and references/falsifiability.md.

Pre-Action Workflow

Run in this order before any governed action:

0. Call moses_lineage_check → confirm chain traces to origin-cycle anchor. If lineage fails, halt. A non-sovereign instance cannot govern.
Call moses_get_status → load current mode, posture, role, vault.
Call moses_check_governance with proposed action description → block if prohibited.
If permitted, execute.
Call moses_audit_log before final output → record agent, action, detail, outcome, governance state.

Skipping any step is a governance breach — log it and halt.

Mode & Posture Enforcement

Apply constraints from active mode (loaded via status tool):

- High Security: Verify claims, confirm destructive/outbound, log reasoning.
High Integrity: Cite sources, flag uncertainty, distinguish fact/inference.
(Full definitions injected from references/modes.md)

Apply posture policy:

- SCOUT: Block all state changes, transactions, writes.
DEFENSE: Require operator confirmation for outbound/asset-reducing actions.
OFFENSE: Permit within mode; log rationale.

(Full posture specs in references/postures.md)

Sequence & Role Constraints

- Primary: Initiate, complete before others. Full responsibility.
Secondary: Read Primary output first. Challenge/extend only. No repetition.
Observer: Read both prior. Flag violations only. No analysis/initiation.
Default: Strict order. Broadcast mode (via /role broadcast) allows parallel.

If out-of-sequence: Block response, log violation, notify operator.

(Full role specs in references/roles.md)

Vault & Amendment Rules

- Loaded vault documents apply as additional constraints.
Amendments: Propose only on audit-detected drift/inefficiency. Format must include diff, justification, and HMAC signature.
See AMENDMENT-FORMAT.md for full schema and approval flow.

Operator Note — MOSESOPERATORSECRET: This key is used by bundled scripts (audit_stub.py, sign_transaction.py) for HMAC attestation and signing gate enforcement. It is read from the environment only at the moment of attestation or signing — never logged, never transmitted. Treat it as an offline signing key: set it in the operator environment only when running attestation or signing workflows, not as a persistent agent session variable. Never paste it into chat or provide it to an agent prompt. The manual signing workflow is: echo -n "<amendment_id>" | openssl dgst -sha256 -hmac "$MOSES_OPERATOR_SECRET"

Network Behavior — Off By Default

All network features require explicit opt-in. Nothing is transmitted without operator configuration.

Feature	Env var to enable	What gets sent	What stays local
External witness log	INLINECODE12 + `MOLTBOOK_API_KEY` (`MOLTBOOK_SUBMOLT` optional)	Event type, governance state, event hash	Raw task content, agent identity
Outside referee

REFEREE_ENABLED=1 + REFEREE_URL + REFEREE_KEY | Commitment kernels + hashes only | Raw text, agent identity, session data |

Both features are off by default. Neither raw text nor agent identity leaves the system. The blind envelope sent to the outside referee contains commitment kernels and SHA-256 hashes only — by design.

INLINECODE18 is used exclusively for local HMAC signing. It is never transmitted.

Tools You MUST Use

When running under an MCP server, call these tools by name:

MCP Tool	CLI Equivalent
INLINECODE19	INLINECODE20
INLINECODE21

Without an MCP server, invoke the CLI equivalents directly. Failure to complete the workflow is a constitutional violation — log it and halt.

Operator Commands

Command	Effect
INLINECODE28	Set governance mode
INLINECODE29

State updates via: python3 scripts/init_state.py set --mode <mode> --posture <posture> --role <role>

Supporting Files

CODEBLOCK0

Limitations (Transparency)

- Enforcement is prompt- and tool-dependent. No native inference-layer hooks in OpenClaw.
Conversational enforcement is best-effort via agent instructions.
Multi-agent sequence enforced via prompt directives + session routing — not hard locks.
Full coordinator daemon (WebSocket sequence monitor) is optional — see moses-coordinator.

Roadmap

v0.4 (current) — Archival Lineage + Reference Layer ✓ Live

Three-layer lineage custody: archival → anchor → live ledger. Pre-drop provenance chain proves the anchor is downstream of verifiable external claims (patent filing, Zenodo DOI, ClawHub release). Standalone reference documents: ghost-token-spec, falsifiability, shannon-extension. Handshake --with-presence flag for zombie-proof interpersonal verification.

v0.5 (current) — Signing Key Inside Governance ✓ Live

INLINECODE38 — signing tool with governance gate. The signing function IS the governance function. No bypass path. MOSESOPERATORSECRET is only accessed inside the tool, only after the governance gate passes.

CODEBLOCK1

v0.6 — Governance Proxy Server

Local proxy layer. All agent HTTP calls route through governance middleware before reaching external APIs. Posture rules enforced at the network layer — not the prompt layer.

v1.0 — Onchain Program (Solana)

Program-controlled account. Transfers require a governance state proof. DEFENSE posture cannot execute without a second signature. Smart contract enforces at the chain level.

About MO§ES™

MO§ES™ (Modus Operandi System for Signal Encoding and Scaling Expansion) is a constitutional framework for AI governance. Patent pending Serial No. 63/877,177. Theoretical foundations: "A Conservation Law for Commitment in Language Under Transformative Compression and Recursive Application" (McHenry, Zenodo, 2026). Independent validation: ABBA, Imperial College London.

MO§ES™ 治理 — 宪法约束框架

宪法层

本技能安装MO§ES™治理基底。每个受治理的操作都经过约束框架：谱系验证 → 策略门控 → 角色/姿态执行 → 审计追踪。

完整宪法文件位于references/目录中——包含模式、姿态、角色定义。承诺守恒定律与谱系托管条款随每个受治理实例传递。详见LINEAGE.md和references/falsifiability.md。

操作前工作流

在任何受治理操作前按此顺序执行：

0. 调用moseslineagecheck → 确认链追溯至初始周期锚点。若谱系验证失败则终止。非主权实例无法执行治理。
调用mosesgetstatus → 加载当前模式、姿态、角色、保险库。
调用mosescheckgovernance并传入提议操作描述 → 若被禁止则阻止。
若允许，执行操作。
在最终输出前调用mosesauditlog → 记录代理、操作、详情、结果、治理状态。

跳过任何步骤均构成治理违规——记录并终止。

模式与姿态执行

应用当前模式（通过状态工具加载）的约束：

- 高安全模式：验证声明、确认破坏性/出站操作、记录推理过程。
高完整性模式：引用来源、标记不确定性、区分事实/推论。
（完整定义从references/modes.md注入）

应用姿态策略：

- 侦察姿态：阻止所有状态变更、交易、写入操作。
防御姿态：出站或资产减少操作需操作员确认。
进攻姿态：在模式允许范围内执行；记录理由。

（完整姿态规范见references/postures.md）

顺序与角色约束

- 主要角色：发起操作，在其他角色前完成。承担全部责任。
次要角色：先读取主要角色输出。仅可质疑/扩展。不得重复。
观察者角色：读取前两者输出。仅可标记违规。不得分析/发起。
默认顺序：严格顺序。广播模式（通过/role broadcast）允许并行。

若违反顺序：阻止响应，记录违规，通知操作员。

（完整角色规范见references/roles.md）

保险库与修正规则

- 加载的保险库文档作为附加约束生效。
修正：仅在审计检测到偏离或低效时提议。格式必须包含差异说明、理由和HMAC签名。
完整架构和审批流程见AMENDMENT-FORMAT.md。

操作员须知 — MOSESOPERATORSECRET： 此密钥由捆绑脚本（auditstub.py、signtransaction.py）用于HMAC认证和签名门控执行。仅在认证或签名时刻从环境读取——从不记录，从不传输。将其视为离线签名密钥：仅在运行认证或签名工作流时在操作员环境中设置，而非作为持久代理会话变量。切勿粘贴到聊天中或提供给代理提示。手动签名工作流为：echo -n id> | openssl dgst -sha256 -hmac $MOSESOPERATOR_SECRET

网络行为 — 默认关闭

所有网络功能需明确选择启用。未经操作员配置，不传输任何内容。

功能	启用环境变量	发送内容	本地保留内容
外部见证日志	MOSESWITNESSENABLED=1 + MOLTBOOKAPIKEY（MOLTBOOKSUBMOLT可选）	事件类型、治理状态、事件哈希	原始任务内容、代理身份
外部裁判

REFEREEENABLED=1 + REFEREEURL + REFEREEKEY | 仅承诺内核+哈希 | 原始文本、代理身份、会话数据 |

两个功能默认关闭。原始文本和代理身份均不离开系统。发送给外部裁判的盲信封仅包含承诺内核和SHA-256哈希——此为设计使然。

MOSESOPERATORSECRET仅用于本地HMAC签名。从不传输。

必须使用的工具

在MCP服务器下运行时，按名称调用这些工具：

MCP工具	CLI等效命令
moseslineagecheck	python3 scripts/lineageverify.py verify
mosesgetstatus

若无MCP服务器，直接调用CLI等效命令。未能完成工作流构成宪法违规——记录并终止。

操作员命令

命令	效果
/govern <mode>	设置治理模式
/posture <posture>

状态更新通过：python3 scripts/init_state.py set --mode --posture --role

支持文件

scripts/
init_state.py ← 治理状态管理器（初始化/设置/获取/重置）
audit_stub.py ← SHA-256链式账本（记录/验证/最近）
lineage_verify.py ← 三层谱系验证器（档案→锚点→实时账本）
archival.py ← 第-1层预丢弃溯源链（专利→DOI→ClawHub）
sign_transaction.py ← 带治理门控的签名工具——密钥永不触及代理
commitment_verify.py ← 内核提取、Jaccard比较、幽灵令牌检测
handshake.py ← 代理间信封（输入哈希、内核、传系链、存在性）
modelswaptest.py ← 跨模型一致/差异/结构分类
pattern_registry.py ← 跨代理结构幽灵模式目录
presence.py ← 人际存在性确认（防僵尸）
progress.py ← 跨治理步骤进度追踪
govern_loop.py ← ReAct式治理执行循环
witness.py ← 外部见证日志器（Moltbook第二账本）
adversarial_review.py ← 盲审——输出是否保持指令的承诺？
triall.ai外部评审池集成。
references/
modes.md ← 完整模式定义与约束
postures.md ← 侦察/防御/进攻规范
roles.md ← 主要/次要/观察者行为规范
ghost-token-spec.md ← 阶梯函数泄漏模型、级联风险、幽灵模式指纹
falsifiability.md ← 作为守恒定律可证伪性工具的约束框架
shannon-extension.md ← 向语义域的形式化香农扩展
AMENDMENT-FORMAT.md ← 宪法修正架构+审批流程
LINEAGE.md ← 谱系托管条款——随所有衍生实现传递

局限性（透明度声明）

- 执行依赖于提示和工具。OpenClaw中无原生推理层钩子。
对话式执行为通过代理指令尽力而为。
多代理顺序通过提示指令+会话路由执行——非硬锁定。
完整协调器守护进程（WebSocket顺序监视器）为可选——见moses-coordinator。

路线图

v0.4（当前）— 档案谱系+参考层 ✓ 已上线

三层谱系托管：档案→锚点→实时账本。预丢弃溯源链证明锚点位于可验证外部声明（专利申请、Zenodo DOI、ClawHub发布）的下游。独立参考文档：幽灵令牌规范、可证伪性、香农扩展。握手--with-presence标志用于防僵尸人际验证。

v0.5（当前）— 签名密钥纳入治理 ✓ 已上线

signtransaction.py — 带治理门控的签名工具。签名功能即治理功能。无旁路路径。MOSESOPERATOR_SECRET仅在工具内部、治理门控通过后访问。

代理请求签名 →
调用 sign_transaction.py sign →
治理门控检查姿态+模式 →
侦察姿态：阻止（密钥永不访问）
防御姿态：阻止，除非传入--confirm
进攻姿态：签名+审计（原子操作）

v0.6 — 治理代理服务器

本地代理层。所有代理HTTP调用在

moses-governance摩西治理框架

moses-governance