Claude/freeze gating contract j sy xa

ROADMAP.adoc

@@ -36,8 +36,8 @@ Development roadmap for the SLM-as-Cerebellum policy enforcement system.
 | Interface defined, needs llama.cpp
 
 | Consensus Arbiter
-| [red]#*NOT STARTED*#
-| Elixir/OTP implementation pending
+| [yellow]#*STARTED*#
+| GenServer skeleton, Application module, decide/3 logic
 
 | LLM Integration
 | [red]#*NOT STARTED*#
@@ -157,13 +157,13 @@ Implement modified PBFT consensus with asymmetric weighting in Elixir/OTP.
 === Tasks
 
 [%interactive]
-* [ ] Set up Elixir/OTP project structure
-* [ ] Implement GenServer for arbiter
-* [ ] Define consensus protocol messages
-* [ ] Implement asymmetric weighting (SLM = 1.5x)
-* [ ] Add escalation logic
+* [x] Set up Elixir/OTP project structure
+* [x] Implement GenServer for arbiter
+* [x] Define consensus protocol messages
+* [x] Implement asymmetric weighting (SLM = 1.5x)
+* [x] Add escalation logic
 * [ ] Implement audit logging
-* [ ] Create supervision tree
+* [x] Create supervision tree
 * [ ] Add Rustler NIFs for Oracle/SLM calls
 * [ ] Write property-based tests
 

SECURITY.md

@@ -2,20 +2,66 @@
 
 ## Supported Versions
 
-Use this section to tell people about which versions of your project are
-currently being supported with security updates.
-
 | Version | Supported          |
 | ------- | ------------------ |
-| 5.1.x   | :white_check_mark: |
-| 5.0.x   | :x:                |
-| 4.0.x   | :white_check_mark: |
-| < 4.0   | :x:                |
+| 0.1.x   | :white_check_mark: |
 
 ## Reporting a Vulnerability
 
-Use this section to tell people how to report a vulnerability.
+If you discover a security vulnerability in Conative Gating, please report it responsibly:
+
+1. **Email**: security@hyperpolymath.org
+2. **Subject**: `[SECURITY] conative-gating: Brief description`
+3. **Include**:
+   - Description of the vulnerability
+   - Steps to reproduce
+   - Potential impact assessment
+   - Any suggested fixes (optional)
+
+### Response Timeline
+
+- **Initial acknowledgment**: Within 48 hours
+- **Triage and assessment**: Within 7 days
+- **Fix or mitigation**: Depends on severity
+  - Critical: Within 7 days
+  - High: Within 30 days
+  - Medium/Low: Next release cycle
+
+### What to Expect
+
+- We will acknowledge receipt of your report
+- We will investigate and keep you informed of progress
+- We will credit you in the security advisory (unless you prefer anonymity)
+- We will not take legal action against good-faith security researchers
+
+## Security Considerations
+
+### Policy Oracle
+
+The Policy Oracle performs deterministic rule checking:
+- File extension and content marker detection
+- Pattern matching for forbidden content (secrets, banned languages)
+- No external network calls during evaluation
+
+### SLM Evaluator (Planned)
+
+Future SLM integration will:
+- Run locally using llama.cpp (no external API calls)
+- Use quantized models for reduced attack surface
+- Implement input sanitization before inference
+
+### Consensus Arbiter (Planned)
+
+The Elixir arbiter will:
+- Use supervision trees for fault tolerance
+- Implement rate limiting to prevent DoS
+- Log all decisions for audit purposes
+
+## Hardening Recommendations
+
+When deploying Conative Gating:
 
-Tell them where to go, how often they can expect to get an update on a
-reported vulnerability, what to expect if the vulnerability is accepted or
-declined, etc.
+1. Run with minimal privileges
+2. Use read-only access to scanned directories where possible
+3. Validate all external inputs (proposal JSON schemas)
+4. Review audit logs regularly

src/arbiter/lib/conative_gating/application.ex

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell <jonathan@hyperpolymath.org>
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
+defmodule ConativeGating.Application do
+  @moduledoc """
+  OTP Application for Conative Gating Consensus Arbiter.
+
+  Starts the supervision tree for the consensus arbiter and related processes.
+  """
+
+  use Application
+
+  @impl true
+  def start(_type, _args) do
+    children = [
+      # Start the Consensus Arbiter GenServer
+      ConativeGating.ConsensusArbiter
+    ]
+
+    opts = [strategy: :one_for_one, name: ConativeGating.Supervisor]
+    Supervisor.start_link(children, opts)
+  end
+end

src/arbiter/lib/conative_gating/consensus_arbiter.ex

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell <jonathan@hyperpolymath.org>
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
 defmodule ConativeGating.ConsensusArbiter do
   @moduledoc """
   Consensus Arbiter for Conative Gating.

src/arbiter/mix.exs

@@ -1,3 +1,6 @@
+# SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell <jonathan@hyperpolymath.org>
+# SPDX-License-Identifier: AGPL-3.0-or-later
+
 defmodule ConativeGating.MixProject do
   use Mix.Project
 

src/contract/src/lib.rs

@@ -686,8 +686,8 @@ impl ContractRunner {
             refusal,
             evaluations: EvaluationChain {
                 oracle: Some(oracle_eval.clone()),
-                slm: None,     // Not yet implemented
-                arbiter: None, // Not yet implemented
+                slm: None,     // Phase 2: Requires llama.cpp integration
+                arbiter: None, // Phase 4: Elixir GenServer via Rustler NIF
             },
             processing: ProcessingMetadata {
                 duration_us: duration.as_micros() as u64,