Preamble

0. The Five Cryptographic Commitments — Invariant Protocol Axioms

These five commitments are the cryptographic foundation of the MCR protocol. Every design decision — from hash algorithm choice to relay storage limits — follows from holding all five simultaneously.

Sovereign Key Generation

Keys are generated in the browser. Never transmitted in plaintext. Never extractable. The user owns their identity. No external authority issues credentials. ECDSA P-256 — native to Web Crypto, zero library imports. SRC: SPEC-MCR §1.4

Deterministic Commitment Hashing

SHA-256 over deterministic CBOR. Same inputs → same hash on every browser, every platform, every time. The commitment hash is the cryptographic anchor that cannot drift. Sorted keys, no whitespace, UTF-8. SRC: SPEC-MCR §1.3

Blind Notary Architecture

The Foundry Relay verifies signatures and mints receipts. It never sees the payload. It cannot read what was signed. ≤250 bytes stored per receipt. Zero payload storage. The relay is a witness, not a custodian. SRC: SPEC-MCR §2

Local Audit Before Network

The deterministic auditor runs before any network call. HALT is emitted locally. The relay is never contacted for a divergent commitment. The divergence is caught at the source — not by the notary. SRC: SPEC-MCR §3.3

Timestamped Non-Repudiable Receipt

Once both signatures converge on identical commitment hashes, the receipt is permanent. The receipt ID is a public verification key. Anyone with the ID can verify convergence. No party identities beyond pubkey hashes. No payload content. SRC: SPEC-MCR §1.5

📋 Purpose — What MCR Certifies

The MCR protocol certifies that two or more parties, each operating an independent deterministic core, have independently evaluated an identical commitment hash and have cryptographically attested to that evaluation. The protocol produces a timestamped, non-repudiable receipt without revealing the content of the commitment to the certifying authority.

This is not an approval workflow. It is not a digital signature wrapper. It is a structural trust protocol — the cryptographic mechanism that proves two independent parties converged on identical terms without either party needing to trust the other, the relay, or any third party.

🧩 Relationship to the Continuity Architecture

MCR is Layer 3 of the Continuity Architecture — the protocol layer that sits between the Deterministic Core (Layer 1) and the Standard Body (Layer 4). It is the adoption mechanism. Companies don't rebuild their infrastructure to adopt the Continuity Architecture. They deploy an MCR Foundry Relay — a single Cloudflare Worker, minutes to deploy, $0/month — and open a single HTML artifact. The architecture augments existing systems with cryptographic proof that decisions were made correctly, identically, and auditably.

Section I

I. The MCR Protocol — Normative Specification

The cryptographic specification. Actors, commitment hash computation, signature scheme, receipt format. Every implementation must conform to this section exactly.

1.1 Actors

ActorRoleKey Operations
Party A (Initiator) Computes commitment hash from local data. Signs it. Transmits to Party B and Relay. CBOR encode · SHA-256 hash · ECDSA sign · ECDH encrypt for Party B
Party B (Responder) Receives commitment hash. Computes local hash. Verifies identity. Signs if identical. Transmits to Relay. ECDH decrypt · CBOR encode · SHA-256 hash · Auditor evaluation · ECDSA sign
Foundry Relay Blind notary. Receives signatures and hashes. Verifies cryptography. Mints receipt. Stores ≤250 bytes. Forgets payload. ECDSA verify · Convergence detection · Receipt minting · Ed25519 receipt signing
Local BAR-OS Core Computes hash, manages keys, evaluates SIC, emits COMMIT or HALT. Runs before any network call. Deterministic CBOR · SHA-256 hash · SIC evaluation · Auditor verdict

1.2 Commitment Hash — The Cryptographic Anchor

The commitment hash is computed locally by every party before any network transmission. It is the invariant that both parties must produce identically for convergence to occur.

1

Algorithm & Canonicalization

Algorithm: SHA-256 (Web Crypto API: SubtleCrypto.digest)

Canonicalization: Deterministic CBOR encoding (sorted keys, no whitespace, UTF-8). CBOR is chosen over JSON for its byte-level determinism — JSON serialization varies across JavaScript engines for key ordering, number formatting, and whitespace. CBOR eliminates these ambiguities.

2

Preimage Composition

{ "schema": "mcr.commitment.v1", "protocol_version": 1, "sic_id": "uuid-of-shared-intent-contract", "action_nonce": "uuid-generated-by-initiator", "payload_hash": "sha256-of-encrypted-payload-or-direct-content", "timestamp_unix": 1750342800, "participants": [ {"pubkey_hash": "first-8-bytes-of-sha256-pubkey", "role": "initiator"}, {"pubkey_hash": "first-8-bytes-of-sha256-pubkey", "role": "responder"} ], "threshold": 2 }

Critical Invariant: The Foundry Relay never sees payload_hash decrypted. It sees only the commitmentHash and the signatures that cover it. The payload content is encrypted (ECDH + AES-GCM) before transmission and only decryptable by the counterparty.

3

Hash Computation — Reference Implementation

const cborBytes = CBOR.enc(preimage); const hashBuffer = await crypto.subtle.digest('SHA-256', cborBytes); const commitmentHash = Array.from(new Uint8Array(hashBuffer)) .map(b => b.toString(16).padStart(2, '0')) .join('');

Why CBOR not JSON: JSON.stringify does not guarantee deterministic key ordering across JavaScript engines. Object.keys().sort() is not a stable canonicalization — Unicode sort order varies. CBOR encoding with UTF-8 byte-level key sorting and no whitespace produces identical bytes on every platform, making the hash truly deterministic.

1.3 Signature Scheme

PropertySpecificationRationale
AlgorithmECDSA over P-256 (Web Crypto API native)Native to every browser. No library imports. Sovereign key generation.
Key Format (Export)SPKI for public keys; PKCS#8 for private keysStandard interoperable formats
Key Format (Storage)JWK for IndexedDB persistenceJSON-serializable, IndexedDB-compatible
Key ExtractabilityNon-extractable (extractable: false)Private key never leaves the browser. Sovereign identity.
Signature InputThe raw 32-byte SHA-256 commitment hashFixed-size input. No canonicalization ambiguity.
Output EncodingBase64URLURL-safe, JSON-compatible, compact

1.4 Receipt Format — What the Foundry Stores

{ "receipt_id": "LM-20260620-001-a1b2c3d4", "schema": "mcr.receipt.v1", "protocol_version": 1, "status": "CONVERGED", "timestamp_unix": 1750342800, "commitment_hash": "7e4d3a2b...", "participants": [ {"pubkey_hash": "8f3a...", "sig_present": true}, {"pubkey_hash": "2b9c...", "sig_present": true} ], "threshold": 2, "signatures_present": 2, "relay_sig": "ed25519-signature-over-cbor-of-above" }

Storage budget: ≤500 bytes per receipt (v1.0-RC1, JSON + CBOR). Target: ≤250 bytes (v1.1 with raw-byte field optimization).Retention policy: Permanent for receipt metadata. Zero payload storage — the relay never had the payload and never will.

+

v1.1 Migration — Public Third-Party Verification

v1.0 uses HMAC-SHA256 for the relay signature — the relay signs receipts with a secret key. This means only the relay can verify its own signatures. v1.1 migrates to Ed25519 with a published relay public key, enabling any third party to independently verify receipt authenticity. The relay public key is published at /.well-known/mcr-relay.pub.

Receipt bytes are CBOR-encoded sans relay_sig. The relay signs those bytes with Ed25519. The resulting signature is appended as relay_sig. A verifier: (1) fetches the receipt, (2) strips relay_sig, (3) CBOR-encodes the remainder, (4) verifies the Ed25519 signature against the published relay public key. Zero trust in the relay required.

Depends on: Ed25519 keypair persisted in Durable Object · /.well-known/mcr-relay.pub endpoint · CBOR round-trip verified

Section II

II. Foundry Relay Specification

The blind notary. Deployment target, endpoints, request/response contracts, relay logic, and code structure. The relay is the only infrastructure component in the MCR protocol.

1

Deployment Target

Primary: Cloudflare Worker + Durable Object (free tier: 100k requests/day). The Durable Object provides strong consistency for convergence detection — two signatures arriving simultaneously cannot produce a race condition.

Fallback: Deno Deploy or Node.js on a $5 VPS. Reason: Edge-deployed, zero cold-start, no server maintenance. The entire relay is a single JavaScript file.

2

Endpoint Contracts

EndpointMethodPurposeSuccess ResponseError Responses
/mint POST Submit a signature for a commitment. Second party completes convergence. 201 CONVERGED — receipt object
202 ACCEPTED — pending counterpart
400 INVALID_SIGNATURE · 400 MISSING_FIELDS · 409 DIVERGENT_COMMITMENT (HALTED) · 429 RATE_LIMITED
/verify?id=LM-... GET Public verification of a receipt. Anyone with the receipt ID can verify convergence. 200 — receipt object (JSON or CBOR) 404 NOT_FOUND
/wake POST Notify an offline party that a commitment awaits their signature. 202 WAKE_QUEUED 400 MISSING_FIELDS
/.well-known/mcr-relay.pub GET Publish the relay's Ed25519 public key for third-party receipt verification (v1.1). 200{"public_key":"...", "algorithm":"Ed25519"}
/krl GET Key Revocation List — pubkey hashes that are no longer valid. 200{"revoked_hashes":[...], "updated_at":...}
3

Relay Logic — /mint Handler

The relay performs these steps in order. No step can be skipped. No step depends on external state outside the Durable Object.

StepOperationFailure Mode
1. ParseParse JSON body. Validate required fields: commitment_hash, party_id, pubkey, signature, action_nonce, idempotency_key, participants, threshold.400 MISSING_FIELDS
2. Verify SignatureImport ECDSA P-256 public key from SPKI. Verify signature over commitment hash bytes.400 INVALID_SIGNATURE · 400 INVALID_PUBKEY
3. Derive IdentityCompute pubkey_hash = first 8 bytes of SHA-256(pubkey SPKI).
4. Check IdempotencyIf idempotency key was processed within IDEMPOTENCY_TTL_MS, return cached response.
5. Journal EntryStore {commitment_hash, pubkey_hash, received_at} in Durable Object under PENDING:nonce:pubkey_hash.409 PARTY_ALREADY_COMMITTED_DIFFERENT_HASH (if existing entry has different hash)
6. Divergence GuardFor all participants, check if any OTHER participant has already signed with a different commitment hash. If yes → HALT.409 DIVERGENT_COMMITMENT (HALTED)
7. Threshold CheckCount how many participants have signed with matching commitment hash. If count ≥ threshold → CONVERGE.202 ACCEPTED (if below threshold)
8. Mint ReceiptAtomic counter increment. Generate receipt ID. Build receipt object. CBOR-encode sans relay_sig. Sign with Ed25519. Append relay_sig. Size-check (≤500 bytes). Store in KV. Return 201.500 RECEIPT_OVERSIZED
4

Durable Object Architecture — Why It Matters

The Durable Object (MintConverger) provides strong consistency for the convergence detection window. Two signatures arriving within milliseconds of each other cannot produce a race condition where both see "one signature, pending" and neither triggers convergence. The Durable Object serializes access — the second signature always sees the first.

Without the Durable Object: Two simultaneous POSTs to KV could both read "1 signature" and both return 202, requiring a polling loop or out-of-band convergence. The Durable Object eliminates this race condition at the architectural level.

📋 Privacy Property

Anyone with a receipt ID can verify that convergence occurred. The response includes: receipt ID, status, timestamp, commitment hash (one-way hash — original content unrecoverable), and pubkey hashes of participants. No party identities beyond pubkey hashes. No payload content. The relay never had the payload. The relay cannot decrypt the payload. The privacy guarantee is structural, not contractual.

🔗 Implementation Note — Current Status

The Foundry Relay is implemented as a Cloudflare Worker + Durable Object in v1.0-RC1. The implementation includes: ECDSA signature verification in the Worker edge layer, idempotency key deduplication, Durable Object convergence detection with race-condition elimination, Ed25519 receipt signing, CBOR + JSON dual storage, KRL endpoint, wake endpoint with HMAC-blinded hints, and automated alarm-based cleanup of stale pending entries. The specification sections above reflect the implemented logic — not aspirational design.

Section III

III. BAR-OS Client Integration

The client-side module that lives inside BAR-OS. Key generation, commitment computation, payload encryption, relay communication, and the deterministic auditor that runs before any network call.

3.1 Module: mcr-client.js

This module lives inside BAR-OS. It has no external dependencies except fetch. Every cryptographic operation uses the Web Crypto API — zero library imports.

1

Responsibilities

  • Generate / load local identity keypair (P-256) — non-extractable, sovereign
  • Compute commitment hash from local artifact data via deterministic CBOR
  • Encrypt payload to counterparty's public key (ECDH + AES-GCM)
  • Sign commitment hash with sovereign P-256 key
  • POST signatures to Foundry Relay
  • Store receipts in IndexedDB with full audit trail
  • Render receipt status locally across three UI states
2

Offline Resilience — Service Worker Outbox

When the client is offline, signatures are queued in an IndexedDB outbox. A Service Worker listens for sync events and drains the outbox when connectivity returns. The outbox schema: {action_nonce, url, method, headers, body, attempts, next_retry, created_at}. Exponential backoff with 5-second base delay. Maximum 3 retries before surfacing to user.

This means the MCR protocol works across connectivity gaps. A founder can seal a commitment on a plane. The signature queues locally. When they land, the Service Worker drains the outbox. The counterparty receives it. Convergence occurs. The protocol is not gated on real-time connectivity.

3.2 UI States — Three Valid Viewport States

The MCR panel in BAR-OS renders exactly three states. No loading spinners. No indeterminate progress. The state is always one of these three.

HALT — Red

Local Audit Failed

Meaning: The deterministic auditor detected a violation before any network call. The commitment hash did not match. A SIC constraint was violated. A key was revoked. No receipt will be minted.

User sees: Red banner. Reason code (e.g., COMMITMENT_HASH_MISMATCH, SIC_VIOLATION, KEY_LOCKED). Option to view details. No network request was made.

PENDING — Yellow

Awaiting Counterpart

Meaning: Party A's signature has been submitted. The relay accepted it. Waiting for Party B to evaluate the identical commitment and submit their signature.

User sees: Yellow banner. Truncated commitment hash. Copy invite link button. Status: "Awaiting Bob..."

CONVERGED — Green

Receipt Minted

Meaning: Both parties signed the identical commitment. The relay verified both signatures. A receipt was minted. The proof is permanent.

User sees: Green banner. Receipt ID (e.g., LM-20260620-001-a1b2c3d4). Timestamp. Download receipt button. View on Foundry link. Both pubkey hashes visible.

3.3 Deterministic Auditor — Pre-Network HALT

Before the MCR client ever calls fetch, the local deterministic auditor runs. If the verdict is anything other than COMMIT, the network call is structurally blocked.

1

Auditor Evaluation Chain

The auditor runs eight checks in order. The first failure emits HALT and stops the chain. No partial evaluation. No network call preceded by a failed check.

CheckConditionHALT Code
Protocol Versionpreimage.protocol_version must equal 1UNSUPPORTED_PROTOCOL_VERSION
Timestamp Freshnessabs(now - preimage.timestamp_unix) ≤ 300 seconds (5 min)STALE_COMMITMENT
Participant Sort Orderparticipants array must be sorted by pubkey_hash (ascending, UTF-8 byte order)UNSORTED_PARTICIPANTS
Revocation CheckNo participant's pubkey_hash appears in the KRL revoked_hashes listREVOKED_KEY
Counterpart IdentityEvery participant's pubkey_hash must match a known identity in the local identity storeUNKNOWN_COUNTERPART
Key ExpiryNo participant's identity has expired_at in the past or revoked_at setEXPIRED_KEY / REVOKED_KEY
Local Payload HashCompute SHA-256 of local payload. Must match preimage.payload_hash.PAYLOAD_HASH_MISMATCH
Commitment Hash MatchCBOR-encode local preimage with local payload_hash. SHA-256. Must match expected commitment hash.COMMITMENT_HASH_MISMATCH
2

Reference Auditor Implementation

async function evaluateMCR(preimage, localPayloadHash, identities, krlHashes, expectedCommitmentHash) { // 1. Protocol version if (preimage.protocol_version !== 1) return {verdict:'HALT', code:'UNSUPPORTED_PROTOCOL_VERSION'}; // 2. Temporal anti-replay const now = Math.floor(Date.now()/1000); if (Math.abs(now - preimage.timestamp_unix) > 300) return {verdict:'HALT', code:'STALE_COMMITMENT'}; // 3–6. Participant validation loop for (const p of preimage.participants) { if (krlHashes && krlHashes.includes(p.pubkey_hash)) return {verdict:'HALT', code:'REVOKED_KEY'}; const id = identities.find(x => x.pubkey_hash === p.pubkey_hash); if (!id) return {verdict:'HALT', code:'UNKNOWN_COUNTERPART'}; if (id.revoked_at) return {verdict:'HALT', code:'REVOKED_KEY'}; if (id.expires_at && now > id.expires_at) return {verdict:'HALT', code:'EXPIRED_KEY'}; } // 7. Local payload hash const localPreimage = {...preimage, payload_hash: localPayloadHash}; const localBytes = CBOR.enc(localPreimage); const localHashHex = await sha256Hex(localBytes); // 8. Commitment hash match if (expectedCommitmentHash && localHashHex !== expectedCommitmentHash) return {verdict:'HALT', code:'COMMITMENT_HASH_MISMATCH'}; return {verdict:'COMMIT', localHashHex}; }

🔗 Governing Rule

If verdict !== 'COMMIT', the MCR client does not POST to the relay. The handoff is structurally blocked. The HALT is emitted locally. No network request is made. The divergence is caught at the source — not by the notary. This is the architectural guarantee that distinguishes MCR from approval workflows: the gate is enforced before any external system is contacted.

Section IV

IV. The MCR Protocol Stack — Complete Architecture

How the components compose into a complete cryptographic trust system. From sovereign key generation to receipt verification.

VERIFICATION LAYER — Public receipt verification via /verify + relay pubkeyAnyone with receipt ID
RELAY LAYER — Blind notary. ECDSA verify. Convergence detection. Receipt minting.Cloudflare Worker + DO
TRANSPORT LAYER — ECDH + AES-GCM payload encryption. Outbox queue. SW drain.Client-side only
COMMITMENT LAYER — Deterministic CBOR. SHA-256. ECDSA P-256 sign. Auditor HALT.BAR-OS Core
IDENTITY LAYER — Sovereign P-256 + ECDH keypair. Non-extractable. IndexedDB.Browser-native
╔══════════════════════════════════════════════════════════════════════╗ ║ MCR PROTOCOL STACK ║ ║ Complete Component Architecture ║ ╠══════════════════════════════════════════════════════════════════════╣ ║ ║ ║ ┌──────────────────────────────────────────────────────────────┐ ║ ║ │ FOUNDRY RELAY │ ║ ║ │ ┌─────────────┐ ┌────────────────┐ ┌──────────────────┐ │ ║ ║ │ │ Edge Worker │→│ MintConverger │→│ TRUST_KV │ │ ║ ║ │ │ ECDSA verify│ │ (Durable Obj) │ │ Receipts (JSON+ │ │ ║ ║ │ │ Rate limit │ │ Convergence │ │ CBOR) · KRL · │ │ ║ ║ │ │ Pubkey hash │ │ Idempotency │ │ Wake signals │ │ ║ ║ │ └─────────────┘ │ Ed25519 sign │ └──────────────────┘ │ ║ ║ │ └────────────────┘ │ ║ ║ └──────────────────────────────────────────────────────────────┘ ║ ║ ↑ ↓ ║ ║ ┌──────────────────────────────────────────────────────────────┐ ║ ║ │ BAR-OS CLIENT │ ║ ║ │ ┌───────────┐ ┌───────────┐ ┌──────────┐ ┌───────────┐ │ ║ ║ │ │ Key Vault │→│ CBOR Hash │→│ Auditor │→│ MCR Client│ │ ║ ║ │ │ P-256 + │ │ SHA-256 │ │ 8 checks │ │ POST /mint│ │ ║ ║ │ │ ECDH │ │ over CBOR │ │ HALT or │ │ Outbox │ │ ║ ║ │ │ Sovereign │ │ │ │ COMMIT │ │ SW drain │ │ ║ ║ │ └───────────┘ └───────────┘ └──────────┘ └───────────┘ │ ║ ║ │ │ ║ ║ │ ┌──────────────────────────────────────────────────────┐ │ ║ ║ │ │ IndexedDB Stores │ │ ║ ║ │ │ identities · commitments · outbox · receipts · meta │ │ ║ ║ │ └──────────────────────────────────────────────────────┘ │ ║ ║ └──────────────────────────────────────────────────────────────┘ ║ ║ ║ ║ ───────────────────────────────────────────────────────────────── ║ ║ DATA FLOW: Local CBOR → SHA-256 → Auditor → ECDSA sign → POST ║ ║ PRIVACY: Payload encrypted ECDH+AES-GCM. Relay never sees it. ║ ║ TRUST: "Trust is not a service. Trust is a structure." ║ ╚══════════════════════════════════════════════════════════════════════╝
Section V

V. Vertical SIC Templates — Domain-Specific Governance

The MCR protocol is domain-agnostic. Vertical SIC (Shared Intent Contract) templates encode domain-specific governance rules that the deterministic auditor enforces structurally.

1

What a SIC Defines

Every SIC is a JSON document that encodes: required signatories, exact-match fields, bounded value ranges, halt conditions, and the governance standard version it enforces. The SIC is loaded into BAR-OS. The MCR auditor evaluates every commitment against the active SIC before allowing a signature to be queued.

FieldPurposeExample
schemaIdentifies the SIC type and version"sic.medical.v1"
tierEvaluation strictness: 1 = exact match, 2 = bounded, 3 = threshold1
required_principalsWho must sign before convergence["attending_surgeon", "ai_proposal"]
exact_match_fieldsFields that must match byte-for-byte["dosage_mg", "medication_id", "patient_id"]
boundsAllowed value ranges for named fields{"dosage_mg": {"whitelist": [50, 75, 100]}}
halt_onConditions that trigger HALT before network call["hash_mismatch", "principal_missing", "bounds_violation"]
2

Example: Medical Co-Sign SIC

{ "schema": "sic.medical.v1", "tier": 1, "required_principals": ["attending_surgeon", "ai_proposal"], "exact_match_fields": ["dosage_mg", "medication_id", "patient_id"], "bounds": { "dosage_mg": { "whitelist": [50, 75, 100] } }, "halt_on": ["hash_mismatch", "principal_missing", "bounds_violation"] }

How it works: A surgical robot proposes an action. The local BAR-OS core encodes the proposal as a CBOR preimage. The auditor checks: are both the attending surgeon and the AI proposal present as principals? Does the dosage match the whitelist exactly? Does the medication ID match? Does the patient ID match? If any check fails → HALT. No network call. No physical action. No harm.

Section VI

VI. The Immutable Handoff — Demo Specification

The credibility artifact. Not a pitch deck — a working cryptographic protocol filmed in 3 minutes. Seven shots. One narrative. Filmable in one day.

📋 Scenario — "The Immutable Handoff"

Narrative: Alice, a software architect, delivers a specification to Bob, a client. Bob must approve the exact file Alice sent — not a modified version, not a summary, the identical bytes. The MCR protocol certifies that both parties evaluated the same commitment. If Bob changes even one byte, the handoff halts before any receipt is minted.

Cast: Alice = Browser Tab A · Bob = Browser Tab B (incognito) · Foundry = Cloudflare Worker

1

Alice Prepares (0:00–0:30)

Alice opens BAR-OS. Navigates to Contracts. Selects a specification. Clicks "Propose Handoff." Screen shows "Computing commitment..." then the truncated hash. Screen shows "Sealing for Bob..." Voiceover: "Alice selects her specification. BAR-OS computes a cryptographic commitment. The file is sealed to Bob's identity. Alice cannot alter it without breaking the seal."

2

Alice Sends (0:30–0:45)

Alice clicks "Send to Bob." BAR-OS POSTs to /mint as Party A. Screen shows "Awaiting Bob..." Voiceover: "The commitment — not the file — is sent to the Trust Foundry. The Foundry stores a signature. It cannot read the file. It only knows Alice signed something."

3

Bob Receives (0:45–1:15)

Bob opens BAR-OS in incognito. Notification: "Alice sent you a commitment." Bob clicks. BAR-OS decrypts payload locally. Bob sees the file in a read-only viewer. Hash comparison shows: Local Hash = Alice's Hash = MATCH ✓. Voiceover: "Bob receives the sealed file. His BAR-OS computes the same hash independently. The match is verified locally — not by a server."

4

Bob Approves (1:15–1:30)

Bob clicks "Approve — Identical." BAR-OS signs the hash. POSTs to /mint as Party B. Screen shows "Minting receipt..." Voiceover: "Bob signs the identical commitment. The Foundry verifies both signatures match the same hash. A receipt is born."

5

Receipt (1:30–2:00)

Both screens show simultaneously: Green banner — CONVERGED — LM-20260620-001-a1b2c3d4. Timestamp. Both pubkey hashes. "View Foundry Proof" link. Voiceover: "Receipt LM-001. Timestamped proof that Alice and Bob agreed on identical terms. No data was stored by the Foundry. Only the proof remains."

6

The Attack — Divergence Caught (2:00–2:30)

Reset. Alice sends same file. Bob opens it. Changes one word. Saves locally. BAR-OS recomputes hash — DIFFERENT. Screen shows HALT in red. No network call made. Voiceover: "If Bob changes even one byte, his local core detects the mismatch. The handoff halts. No receipt is minted. The divergence is caught before it becomes a dispute."

7

Closing — The Line (2:30–3:00)

Split screen: Alice's vault shows LM-001 linked to the spec. Bob's vault shows identical. Foundry verify page shows CONVERGED. Text overlay fades in: "Trust is not a service. Trust is a structure." Voiceover: "Both parties own the proof. The Foundry witnessed. No one owns the data. This is structural trust."

⚡ The Credibility Artifact

This demo is not marketing material. It is the primary credibility artifact for the entire Continuity Architecture. It proves — in real time, with verifiable cryptography — that the architecture works. When a CTO, compliance officer, or department head asks "how do we know this works?", the answer is: "Watch this 3-minute video. Then we can talk."

Section VII

VII. Build Checklist — 14-Day Sprint

Each day produces a deliverable. Each deliverable is a dependency for subsequent days. The sprint is designed to go from specification to filmed demo in two weeks.

1
Day 1

Write MCR v1.0 spec + commitment hash canonicalization. Deliverable: SPEC-MCR-v1.md.

2
Day 2

Implement Foundry Relay /mint + /verify locally (Node.js). Deliverable: Working relay on localhost:8787.

3
Day 3

Deploy Foundry Relay to Cloudflare / Deno. Deliverable: Live URL.

4
Day 4

Implement BAR-OS mcr-client.js: keygen, hash computation, sign. Module integrated into BAR-OS.

5
Day 5

Implement mcr-client.js: encrypt/decrypt payload. End-to-end encryption working.

6
Day 6

Implement mcr-client.js: relay POST + receipt storage. Full handoff loop working.

7
Day 7

Build MCR Panel UI (HALT / PENDING / CONVERGED states). UI rendered in BAR-OS viewport.

8
Day 8

Test divergence detection (modify payload, verify HALT). Passing test: mismatch = no receipt.

9
Day 9

Polish UI: copy invite links, receipt download, verify link. UX complete.

10
Day 10

Film demo per shot list in Section VI. Raw footage.

11
Day 11

Edit demo + add captions + voiceover. Final video file.

12
Day 12

Write case study page: "MCR v1.0 — Structural Trust in 3 Minutes." Published on portfolio.

13
Day 13

Assemble Trust Architecture Packet (PDF). Downloadable.

14
Day 14

Outreach: Send to 20 qualified prospects. 10 conversations scheduled.

Section VIII

VIII. MCR Green Gates — Production Readiness

Before declaring the module production-ready, every gate must pass with exact-value assertions and evidence. No claims. No "looks good." Verifiable proof for each gate.

🟢 G1 — Deterministic Hashing

  • Same payload → same commitment hash on Chrome, Firefox, Safari
  • Evidence: screenshot of matching hash output across all three browsers
  • CBOR encoding produces identical bytes across all JavaScript engines
  • SHA-256 over CBOR bytes produces identical hash across all engines

🟡 G2 — Divergent HALT Before Network

  • Modified payload → HALT emitted locally before any network call
  • Evidence: Network tab shows zero requests to /mint when payload is modified
  • Auditor catches divergence. Relay is never contacted for a mismatched commitment
  • F2 self-test passes: verdict=HALT, code=COMMITMENT_HASH_MISMATCH

🟠 G3 — Receipt Size Budget

  • Relay stores ≤500 bytes per receipt (v1.0-RC1 JSON + CBOR)
  • Evidence: KV inspection screenshot showing receipt byte count
  • Target: ≤250 bytes (v1.1 with raw-byte field optimization)
  • Receipt CBOR ≤500 bytes. Receipt JSON ≤600 bytes.

🔴 G4 — Blind Notary — Relay Cannot Decrypt

  • Relay has no access to payload plaintext. No decryption key exists in relay code.
  • Evidence: code review confirming relay stores only commitment_hash (SHA-256, one-way) and never receives encrypted payload
  • Payload is encrypted ECDH + AES-GCM. Only the counterparty's private key can decrypt.

🟣 G5 — Receipt Cryptographic Verification

  • GET /verify?id=LM-... returns valid relay_sig over receipt contents
  • v1.0: HMAC-SHA256 — relay self-verification. v1.1: Ed25519 — public third-party verification via /.well-known/mcr-relay.pub
  • Evidence: verification endpoint returns valid receipt with relay_sig that verifies against relay's published key

🔵 G6 — Offline Graceful Degradation

  • Network unavailable → signature queues in IndexedDB outbox. Service Worker drains on reconnect.
  • Evidence: offline test showing queued signature, then reconnection triggering successful drain and receipt
  • Error message: "Network unavailable — queued for sync" not a blocking state

👑 G7 — Sovereign Key Generation

  • Key generated in browser. Non-extractable (extractable: false). Never transmitted.
  • Evidence: attempt to export private key throws. Network tab shows no transmission of private key material.
  • Public key exported as SPKI. Pubkey hash = first 8 bytes of SHA-256(SPKI).
  • F5 self-test passes: exportKey on private handle throws
Section IX

IX. Foundation Self-Test Suite — F-Gates

The MCR Foundation Client includes a self-test suite accessible via ?test=true. Ten tests verify the cryptographic invariants. Every test produces exact-value assertions — not best-effort checks.

GateTestAssertion
F1Deterministic CBORSame object → identical CBOR bytes. Same CBOR bytes → identical SHA-256 hash.
F2Divergent HALTModified commitment hash → auditor returns HALT with code COMMITMENT_HASH_MISMATCH.
F3Receipt Budget2-party receipt CBOR ≤ 500 bytes. 2-party receipt JSON ≤ 600 bytes.
F5Non-Extractable Keycrypto.subtle.exportKey on private key handle throws. Sovereign identity preserved.
F6Temporal Anti-ReplayCommitment with timestamp > 5 minutes old → HALT with code STALE_COMMITMENT.
F7KRL RevocationParticipant pubkey_hash in KRL revoked list → HALT with code REVOKED_KEY.
F7bSort Order EnforcementUnsorted participants array → HALT with code UNSORTED_PARTICIPANTS.
F8ECDH End-to-EndEncrypt with recipient public key, decrypt with recipient private key → plaintext matches.

🔗 Self-Test Protocol

The test suite runs automatically when ?test=true is appended to the Foundation Client URL. Tests execute in order. Output is displayed in a dedicated panel. Every test produces ✅ or ❌ with expected vs. actual values on failure. The suite has zero external dependencies — it runs fully offline.

Section X

X. What Comes After the Demo

The MCR protocol is the foundation. Once the precedent exists — a filmed, verifiable convergence between two deterministic cores — the protocol extends to every domain where structural trust is the bottleneck.

1

Vertical SIC Template Library

The medical_co_sign.sic.v1 template is the first. It proves the pattern. After the demo, the vertical SIC library expands to cover every regulated domain in the GABOS platform: financial_audit, legal_review, compliance_ops, manufacturing_ops, command_auth, infra_control, aerospace_ops. Each SIC encodes domain-specific governance rules into the same deterministic CBOR → SHA-256 → ECDSA sign → blind relay mint pipeline.

2

Execution Consent Gate — Autonomous Systems

The MCR auditor evaluates SIC compliance before a network call. The Execution Consent Gate applies the same primitive one layer closer to the physical world: between decision and execution in any autonomous pipeline. The model proposes an action. The gate evaluates it against the governing SIC. HALT before any physical consequence. The same mechanism. The same deterministic auditor. The same blind relay. One layer closer to the point of no return.

3

Standards Body Certification

Once multiple MCR receipts exist across more than one vertical, the Continuity Architecture standard body certifies deployments as Continuity-Compliant. MCR is the cryptographic proof layer. ASB is the quality measurement layer. GAS is the governance layer. Together they form the complete certification framework for trustworthy AI deployment in regulated industries.

The Line

"Trust is not a service. Trust is a structure."

The MCR protocol is the structural proof. Two parties. One commitment. Identical evaluation. A blind notary that witnesses convergence without ever seeing the data. A timestamped, non-repudiable receipt that anyone can verify. This is what trust looks like when it is built into the architecture rather than promised by a platform.