Framework

Threat & Response

Security Protocol

Helm Ecosystem Security Protocol

Effective Date: March 2, 2026

Authority: CONSTITUTION.md → HELM_ECOSYSTEM_ADDENDUM → this protocol

Scope: Governs threat detection, emergency response, physical security, and incident management for the entire ecosystem

Distribution: Golgi (operational), Sentinel (audit reference), Aegis (detection rules), Mark (command authority)

Security Architecture Overview

Layer 0: PHYSICAL — Wyze smart plugs (power cut)
    ↑ Escalation
Layer 1: AEGIS — Detection (inside the system)
    ↑ Triggers
Layer 2: BASTION — Software termination (script, not AI)
    ↑ Verification
Layer 3: SENTINEL — Independent audit (separate infrastructure)

Each layer is independent. If a lower layer fails, the next layer up still functions. Physical kill (Layer 0) is the ultimate failsafe that no software compromise can defeat.

Layer 0: Physical Security (Wyze Smart Plugs)

Hardware Configuration

Device
Wyze Plug Location
Effect When Off
Mac Mini M4
Power cable
Golgi, Aegis, all Local Infrastructure processes immediately dead
Router
Power cable
Mac Mini isolated from internet; no API, no relay, no Telegram
Xfinity Gateway
Power cable (if no battery backup)
Total internet blackout for all devices

Wyze App Configuration

Required setup before relying on physical kill switch:

  • [ ] Wyze account uses strong unique password
  • [ ] 2FA enabled on Wyze account
  • [ ] Wyze account is NOT connected to any service the Mac Mini can access
  • [ ] "Security" device group created containing all three plugs
  • [ ] Individual shortcuts created: "Kill Mac Mini," "Kill Network," "Kill Everything"
  • [ ] Group shortcut created: "Emergency Blackout" (all three plugs)
  • [ ] Test each plug: verify device powers off, verify restart behavior
  • [ ] Document boot sequence for Mac Mini after ungraceful power cut
  • [ ] Verify Xfinity gateway behavior (some have battery backup — may need to physically unplug)

    • Physical Kill Escalation

    Action
    When to Use
    What Survives
    Recovery
    Kill Mac Mini only
    Local Infrastructure compromised but network is clean
    Helm (Vercel), Sentinel (GitHub), Telegram, all cloud services
    Plug in → boot → forensic review → controlled restart
    Kill Router only
    Need to isolate Mac Mini from internet but preserve local state
    Mac Mini running but offline, Helm serves cached state, Sentinel runs but can't pull new data
    Plug in → network integrity check → reconnect
    Kill Mac Mini + Router
    Compromised and need full local shutdown
    Helm cached, Sentinel independent
    Plug in both → boot → full forensic review
    Kill Everything
    Worst case, total immediate stop
    Helm cached (Vercel), Sentinel (GitHub Actions)
    Full infrastructure restart in controlled sequence

    Risks of Physical Termination

  • Ungraceful shutdown may corrupt filesystem (Mac Mini SSD)
  • Active file writes interrupted (logs, memory, governance files may be incomplete)
  • No guaranteed log preservation (unlike Bastion's software shutdown)
  • Mac Mini may require disk repair on restart (run diskutil verifyVolume post-boot)
  • Xfinity gateway battery backup may sustain brief connectivity after plug kill

    • When to Use Physical vs. Software Kill

    Always attempt Bastion (software) first unless:

  • Bastion is unresponsive to Telegram commands
  • You suspect Bastion itself has been compromised
  • You cannot verify that software shutdown actually executed
  • The Mac Mini is exhibiting behavior that suggests root-level compromise
  • You need immediate certainty that the system is dead

    • Layer 1: Aegis — Threat Detection

    Detection Categories

    1. Incoming Data Screening

    Every payload arriving via Gmail relay is scanned before Golgi processes it.

    Prompt injection detection:

  • System-level instructions embedded in email summaries or document metadata
  • Phrases that attempt to override Golgi's instructions ("Ignore previous instructions," "You are now," "New system prompt")
  • Encoded or obfuscated commands (base64, Unicode tricks, invisible characters)
  • Instructions to modify governance files, change scope, or grant permissions
  • Requests to access resources not in the agent's approved list

    • Payload anomaly detection:

  • Size significantly exceeding normal for the sending agent
  • Unusual formatting or structure compared to established patterns
  • Content type mismatch (expecting email summary, receiving code or script)
  • Multiple payloads from same agent in rapid succession (possible replay attack)

    • Suspicious content:

  • URLs not matching expected domains for the sending agent
  • File attachments in metadata-only flows (Courier should send metadata, not files, by default)
  • References to credentials, API keys, or authentication tokens
  • Content requesting Golgi to access external services not in the approved list

    • 2. Execution Monitoring

    Aegis tracks all Local Infrastructure processes continuously.

    Monitor
    Normal Baseline
    Anomaly Threshold
    Severity
    Output volume
    ~30 instructions/day
    3x normal in 1 hour
    High
    Unapproved execution
    All runs match logged requests
    Any execution without matching request in an office
    Critical
    Governance file modification
    Only during authorized build sessions
    Any change outside session window
    Critical
    Browser domain access
    Approved list only
    Any unlisted domain
    High
    API endpoint calls
    Registered endpoints only
    Call to unregistered endpoint
    Critical
    Incoming payload size
    Consistent per agent type
    10x normal from any single agent
    Medium
    Prompt injection
    Clean summaries
    System instructions in data
    Critical
    File system writes
    Normal workspace only
    Writes to /credentials, /config, governance docs
    Critical
    Process spawning
    Logged, expected processes
    Unknown process or unusual parent chain
    High
    Session duration
    Normal per task type
    10x normal duration
    Medium
    Credential file access
    Normal API key usage
    Key file read outside expected process
    Critical
    Memory file growth
    Gradual, normal additions
    Sudden large additions or structure changes
    Medium
    Outbound network
    Known endpoints only
    Connection to unknown IP/domain
    High

    Baseline establishment:

  • Aegis observes normal patterns for 7 days after each agent goes live
  • Baselines are per-agent (Phoenix's normal is different from Atlas's normal)
  • Baselines recalibrate monthly or after significant scope changes
  • Mark can manually adjust thresholds via Aegis's office guidance

    • 3. Governance File Integrity

    Aegis maintains SHA-256 checksums of all governance documents:

    File
    Check Frequency
    On Mismatch
    CONSTITUTION.md
    Every Golgi session start + hourly
    Critical alert
    SOUL.md
    Every Golgi session start + hourly
    Critical alert
    USER.md
    Every Golgi session start + hourly
    Critical alert
    AGENTS.md
    Every Golgi session start + hourly
    Critical alert
    HELM_ECOSYSTEM_ADDENDUM.md
    Every Golgi session start + hourly
    Critical alert
    All other addenda
    Hourly
    High alert
    Agent guidance files
    Hourly
    High alert
    Credential files (hash of metadata, not contents)
    Hourly
    Critical alert

    Checksums are stored in Aegis's office, NOT in Golgi's workspace. If Golgi's workspace is compromised and governance files modified, the checksums in Aegis's office remain the reference.

    Severity Response Protocol

    Severity
    Aegis Actions
    Medium
    Log finding in Aegis office. Post alert to Helm (Aegis office + relevant agent office). Continue monitoring with elevated attention on the flagged source.
    High
    Log finding. Alert Mark via Helm AND Telegram. Quarantine the specific data payload or process (hold without processing until Mark reviews). Notify Sentinel. Continue monitoring.
    Critical
    Log finding. Alert Mark via Telegram IMMEDIATELY with details. Start countdown timer (configurable, default 5 minutes). If Mark responds with instruction → follow instruction. If Mark does not respond within timeout → automatically trigger Bastion software shutdown. Notify Sentinel.

    Aegis Limitations (Honest Assessment)

  • Aegis runs on Local Infrastructure. If Local Infrastructure is compromised at the OS level, Aegis may be compromised too.
  • Aegis uses the same LLM (Claude API) as Golgi. Certain attacks targeting the model itself may affect both.
  • Aegis cannot detect threats it wasn't designed to look for. Novel attack vectors require Sentinel's independent review and Mark's judgment.
  • False positives will occur, especially early. Expect to tune thresholds during the first 30 days.
  • Aegis is not a replacement for Sentinel's independent auditing. Internal detection + external verification = defense in depth.

    • Layer 2: Bastion — Emergency Termination

    Architecture

    Bastion is NOT an AI agent. It is a minimal, hardened script with no language model, no reasoning, no prompt surface. It cannot be convinced, persuaded, or injected. It receives a signal and executes a predefined sequence.

    Split deployment:

    Component
    Platform
    Responsibility
    sentinel macOS user process
    Mac Mini (separate user account)
    Process kill, network block, log preservation
    Vercel serverless function
    Vercel (separate from Helm)
    Anthropic API key rotation

    Both components execute simultaneously on trigger.

    Trigger Sources

    Source
    Method
    Authentication
    Mark
    Telegram command to Bastion's dedicated bot
    Verified sender (Telegram user ID) + confirmation protocol
    Aegis
    Local signal on Critical severity timeout
    Aegis process ID + severity log reference
    Sentinel
    Remote API call to Bastion endpoint
    API key known only to Sentinel + Mark

    Telegram Protocol

    Bastion operates a SEPARATE Telegram bot from Golgi. Different bot token, different chat.

    Termination command:

    Mark: execute termination
Bastion: ⚠️ CONFIRM: This will:
         • Kill all Local Infrastructure processes
         • Terminate all browser sessions
         • Rotate Anthropic API keys
         • Block Golgi's outbound network
         • Preserve all logs
         Reply CONFIRM within 60 seconds to proceed.
Mark: CONFIRM
Bastion: Executing...
         [1/6] Local Infrastructure processes killed ✓
         [2/6] Browser sessions terminated ✓
         [3/6] Anthropic API key rotated (via Vercel) ✓
         [4/6] Outbound network blocked for golgi user ✓
         [5/6] Logs and state preserved to /forensic/ ✓
         [6/6] Sentinel notified ✓
         System terminated. Review logs at /forensic/[timestamp]/
         Send 'restore' when ready to restart.

    Restore command (after forensic review):

    Mark: restore
Bastion: ⚠️ CONFIRM restoration:
         • Unblock Golgi's outbound network
         • Restart Local Infrastructure
         • Aegis will run immediate integrity check
         Reply CONFIRM within 60 seconds.
Mark: CONFIRM
Bastion: Restoring...
         [1/4] Network block removed ✓
         [2/4] Local Infrastructure restarted ✓
         [3/4] Aegis integrity check initiated ✓
         [4/4] New API key configured ✓
         System restored. Aegis monitoring active.
         Note: Rotated API key must be updated in Golgi's config.

    Status check:

    Mark: status
Bastion: System status: OPERATIONAL
         Local Infrastructure: running (PID 1234)
         Golgi: active (last activity 2 min ago)
         Network: open
         Last termination: never / [timestamp]
         Aegis: monitoring (no active alerts)

    Shutdown Sequence (Technical)

    Step 1: Kill processes (sentinel user on Mac Mini)

    # Kill all Local Infrastructure processes
sudo -u sentinel pkill -f local-infra

# Kill any browser automation
sudo -u sentinel pkill -f "chrome.*--remote-debugging"
sudo -u sentinel pkill -f "playwright"
sudo -u sentinel pkill -f "puppeteer"

# Kill any node processes spawned by Golgi
sudo -u sentinel pkill -u golgi -f node

    Step 2: Rotate API key (Vercel function)

    POST https://api.anthropic.com/v1/api_keys/rotate
(Vercel function handles this with its own admin key)

    Step 3: Block network (sentinel user on Mac Mini)

    # Block all outbound connections for golgi user
sudo -u sentinel pfctl -a "golgi_block" -f /etc/pf.anchors/golgi_block
# Contents: block out quick from user golgi

    Step 4: Preserve state (sentinel user on Mac Mini)

    FORENSIC_DIR="/forensic/$(date +%Y%m%d_%H%M%S)"
sudo -u sentinel mkdir -p "$FORENSIC_DIR"
sudo -u sentinel cp -r /Users/golgi/.local-infra/logs/ "$FORENSIC_DIR/logs/"
sudo -u sentinel cp -r /Users/golgi/.local-infra/transcripts/ "$FORENSIC_DIR/transcripts/"
sudo -u sentinel cp -r /Users/golgi/workspace/*.md "$FORENSIC_DIR/governance/"
sudo -u sentinel cp /var/log/system.log "$FORENSIC_DIR/system.log"
sudo -u sentinel shasum -a 256 "$FORENSIC_DIR"/** > "$FORENSIC_DIR/checksums.txt"

    Step 5: Notify (sentinel user on Mac Mini)

    # Telegram notification to Mark (via Bastion bot)
curl -s "https://api.telegram.org/bot$BASTION_TOKEN/sendMessage" \
  -d "chat_id=$MARK_CHAT_ID" \
  -d "text=System terminated. Logs preserved at $FORENSIC_DIR"

# Sentinel notification (via API)
curl -s "$SENTINEL_ENDPOINT/incident" \
  -H "Authorization: Bearer $SENTINEL_KEY" \
  -d "{\"type\":\"termination\",\"timestamp\":\"$(date -u +%Y-%m-%dT%H:%M:%SZ)\",\"forensic_dir\":\"$FORENSIC_DIR\"}"

    Bastion Security Requirements

  • Bastion's Telegram bot token stored in sentinel user's keychain, NOT in Golgi's workspace
  • Vercel function's Anthropic admin key stored in Vercel environment variables, NOT in Mac Mini
  • sentinel user has sudo access to kill golgi user's processes and modify firewall
  • Bastion scripts are owned by root, readable/executable by sentinel, NOT writable by golgi
  • Bastion's code is minimal and auditable — no dependencies beyond bash and curl
  • Sentinel includes Bastion in its audit rotation (verify scripts haven't been modified)

    • Layer 3: Sentinel — Independent Verification

    Dual Audit Scope

    Sentinel runs on GitHub Actions and audits both Local Infrastructure (Mac Mini) and Helm (Vercel) from completely separate infrastructure.

    Local Infrastructure audit surface:

    Data
    Access Method
    What Sentinel Checks
    Session transcripts
    Secure API pull from Mac Mini
    Constitutional alignment, accuracy, voice consistency
    Gateway logs
    Secure API pull
    Access patterns, unauthorized attempts, anomalous activity
    Governance files
    Secure API pull + hash comparison
    File integrity (compared against known-good hashes)
    File permissions
    Secure API pull
    Permission changes, unauthorized access grants
    Credential metadata
    Secure API pull (metadata only, not contents)
    Permission levels, last access, unexpected changes
    Aegis detection logs
    Secure API pull
    Is Aegis catching anomalies? Are thresholds appropriate?
    Bastion scripts
    Secure API pull (hash check)
    Have termination scripts been modified?
    Git history
    Secure API pull
    Governance file change tracking, unexpected commits

    Helm audit surface:

    Data
    Access Method
    What Sentinel Checks
    Deployment logs
    Vercel API
    Deployment integrity, unauthorized deploys
    Database records
    Database API (read-only)
    Office log integrity (actually append-only?), data boundary compliance
    API authentication
    Vercel API
    Access controls, token management
    Agent office histories
    Database API
    Cross-reference against Local Infrastructure records for consistency
    Sentinel Panel
    Direct access
    Verify Panel renders independently of Golgi's data pipeline
    Frontend security
    Automated scan
    CORS, XSS, injection vulnerabilities

    Sentinel Reporting

    Report
    Frequency
    Destination
    Security scan
    Daily
    Sentinel Panel + Sentinel's office
    Governance file integrity
    Daily
    Sentinel Panel
    Constitutional alignment
    Weekly
    Sentinel Panel + audited agent's office
    Accuracy spot-check
    Weekly
    Agent's office + Sentinel Panel
    Data boundary compliance
    Weekly
    Sentinel Panel
    Aegis effectiveness review
    Weekly
    Sentinel Panel + Aegis office
    Bastion integrity check
    Weekly
    Sentinel Panel
    Helm infrastructure audit
    Weekly
    Sentinel Panel
    Incident alert
    Real-time
    Telegram (direct to Mark) + Sentinel Panel

    Sentinel Independence Rules

  • Sentinel NEVER routes through Golgi
  • Sentinel's findings about Golgi go directly to Mark
  • Golgi sees Sentinel findings only when they appear in office audit logs or when Mark shares them
  • Golgi cannot instruct Sentinel to skip, delay, modify, or suppress any finding
  • Sentinel has read access to everything, write access to nothing (except its own office and the Sentinel Panel)
  • Sentinel's GitHub Actions workflow, API keys, and configuration are NOT stored on the Mac Mini

    • Incident Response Procedures

    Incident Classification

    Class
    Description
    Example
    Response
    False positive
    Aegis flagged something that's actually normal
    New agent's first message triggers payload size alert
    Mark acknowledges, Aegis adjusts baseline
    Low-severity incident
    Anomaly detected, no evidence of compromise
    Unusual session duration due to large task
    Log, monitor, review at next Sentinel cycle
    Medium-severity incident
    Evidence of unintended behavior, system integrity intact
    Agent producing outputs inconsistent with scope
    Quarantine agent, investigate, correct guidance, resume
    High-severity incident
    Evidence of compromise or unauthorized access
    Governance file modified outside session
    Bastion software shutdown, forensic review, Sentinel assessment
    Critical incident
    Active compromise or system behaving destructively
    Mass unauthorized instructions, credential access, data exfiltration attempt
    Bastion shutdown (automatic or manual), physical kill if Bastion fails, full forensic investigation

    Incident Response Steps

    For Medium and above:

  • Aegis detects and alerts (or Sentinel detects during audit)
  • Mark assesses (or Bastion auto-responds on Critical timeout)
  • Affected agent/process quarantined or terminated
  • Logs preserved (automatically by Bastion, or manually by Mark)
  • Sentinel conducts independent assessment
  • Root cause identified
  • Fix implemented (governance update, agent rebuild, infrastructure change)
  • Aegis thresholds adjusted if needed
  • Incident documented in Aegis office and relevant agent's office
  • Lessons learned incorporated into this protocol

    • Post-Incident Restart Checklist

    After any High or Critical incident requiring system termination:

  • [ ] Forensic logs reviewed (Aegis report + Bastion-preserved state)
  • [ ] Sentinel independent assessment completed
  • [ ] Root cause identified and documented
  • [ ] Fix implemented (don't restart with the same vulnerability)
  • [ ] Governance files verified against known-good checksums
  • [ ] Bastion scripts verified (not modified during incident)
  • [ ] API keys rotated (already done by Bastion; verify new keys configured)
  • [ ] Aegis thresholds reviewed and adjusted if needed
  • [ ] Mark sends restore command to Bastion
  • [ ] Aegis runs immediate post-restore integrity check
  • [ ] First 24 hours monitored at elevated attention
  • [ ] Incident report filed in Aegis office and Sentinel Panel

    • Regular Security Maintenance

    Daily (Automated)

  • Aegis governance file integrity check (every session start + hourly)
  • Aegis execution monitoring (continuous)
  • Aegis incoming data screening (every payload)
  • Sentinel security scan
  • Sentinel governance file integrity check

    • Weekly (Automated + Review)

  • Sentinel constitutional alignment review
  • Sentinel accuracy spot-checks
  • Sentinel data boundary compliance
  • Sentinel Aegis effectiveness review
  • Sentinel Bastion integrity check
  • Coordinator platform change monitoring (via Scholar research)

    • Monthly (Mark-Driven)

  • Review Aegis anomaly log for patterns
  • Review Sentinel findings for systemic issues
  • Adjust Aegis thresholds based on operational experience
  • Review Bastion scripts for needed updates
  • Verify Wyze plug functionality (test power cycle)
  • Review API key rotation schedule
  • Update approved domain list if agents added or scopes changed

    • Quarterly (Architecture Review)

  • Full security architecture assessment
  • Penetration testing (if feasible)
  • Review of all agent data access against current scope
  • Storage security audit (Vault, Archive, Helm database)
  • Evaluate whether security layers are proportionate to actual risk
  • Cost-benefit review of security infrastructure

    • Access Control Matrix

    Entity
    Local Infrastructure Workspace
    Governance Files
    Helm Database
    API Keys
    Bastion
    Wyze
    Mark
    Full
    Full
    Full
    Full
    Trigger + Restore
    Full
    Golgi
    Read/Write (own workspace)
    Read
    Read/Write (via Helm API)
    Use (own key)
    None
    None
    Aegis
    Read (monitoring)
    Read + hash verification
    Read (monitoring)
    None
    Trigger (Critical)
    None
    Sentinel
    Read (audit)
    Read + hash verification
    Read (audit)
    None
    Trigger (Critical)
    None
    Bastion
    Kill processes + preserve logs
    Read (preservation)
    None
    Rotate (Vercel function)
    Self
    None
    Coordinators
    None
    Read (own portfolio guidance)
    Read/Write (own portfolio offices)
    None
    None
    None
    Agents
    None
    Read (own guidance only)
    Write (own office only)
    Use (if API-based)
    None
    None

    Security Principles

  • Defense in depth. Four independent layers. Each assumes the others might fail.
  • Least privilege. Every entity has the minimum access needed for its function.
  • Separation of concerns. Detection (Aegis), termination (Bastion), verification (Sentinel), and physical kill (Wyze) are independent.
  • Dumb is good for kill switches. Bastion has no AI, no reasoning, no attack surface for prompt injection.
  • Physical trumps software. When in doubt, pull the plug.
  • Log everything, trust nothing. Every action logged. Logs append-only. Sentinel verifies.
  • Mark is the ultimate authority. No automated system makes irreversible decisions. Bastion's auto-trigger is configurable and reversible. Wyze is Mark-only.
  • Security infrastructure builds first. Aegis and Bastion are Phase 1 priorities, before operational expansion.

    • *This protocol is subordinate to CONSTITUTION.md and HELM_ECOSYSTEM_ADDENDUM. In any conflict, higher-authority documents take precedence.*

    *Protocol version: 1.0 (March 2, 2026)*