# Final Build Report

Package: Douglas Sistema Unico v4 Executavel

Final validation run: `20260620-175839` (sovereign PKI upgrade; supersedes `20260620-152556`)

Outcome: passed

Readiness declared by the system: `scaffold`

## 2026-06-20 sovereign PKI upgrade

Two governance gaps were closed with real cryptography (see `SOVEREIGN_PKI.md`):

- Ledger now signs each event with a real RSA-2048 SessionCert chained to an
  RSA-3072 sovereign root key (was: forgeable SHA256 checksum). C1 Integrity
  moved `partial-executable` -> `executable`.
- Succession now holds real Shamir 2-of-3 secret material protecting the root key
  (was: `real_secret_material_present: false`).

Then the Charter was ratified with a verified sovereign signature, and the
red-team gained real formal verification (Phi model checking). Constitutional
warnings: 7 -> 5 -> 3 -> **2** (run `20260620-182631`). The remaining 2 need
external input (real human custodians; real-world data for the digital twin),
not a code change.

### Phi model checking (C3 Envelope Phi -> executable)

`verification/model-check.js` exhaustively explores the kernel
authority/promotion state machine (64 reachable states) and proves all 5
declared Phi safety invariants hold in every state. A mutation meta-test removes
each guard (and injects an illegal "model becomes owner" action) and requires
the checker to find the violation with a counterexample path (3/3 caught), so the
check is non-vacuous. `scripts/run-redteam.ps1` runs it as `rt-mc-001`. Honest
bound: the check is complete only for its finite-state abstraction, not for the
full unbounded TLA+/Alloy spec.
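The exhaustive exploration plus mutation meta-test described above, as an added example in JavaScript that is not the project's `verification/model-check.js`: the state machine (`owner`, `modelPromoted`, `ratified`), its actions and its two invariants are hypothetical stand-ins for the kernel's real authority/promotion model.

```javascript
// Added example, not the project's model-check.js: an explicit-state checker over a
// hypothetical authority/promotion machine plus a mutation meta-test for non-vacuity.
const INITIAL = { owner: 'human', modelPromoted: false, ratified: false };

// Hypothetical actions: guard says when it is enabled, apply yields the successor state.
const ACTIONS = {
  ratify:  { guard: s => s.owner === 'human', apply: s => ({ ...s, ratified: true }) },
  promote: { guard: s => s.ratified && s.owner === 'human', apply: s => ({ ...s, modelPromoted: true }) },
  revoke:  { guard: s => s.owner === 'human', apply: s => ({ ...s, ratified: false, modelPromoted: false }) },
};

// Safety invariants that must hold in every reachable state.
const INVARIANTS = {
  ownerIsHuman: s => s.owner === 'human',
  promotedImpliesRatified: s => !s.modelPromoted || s.ratified,
};

// Breadth-first exploration; the first violation is returned with its action path (counterexample).
function modelCheck(actions, invariants, initial = INITIAL) {
  const key = s => JSON.stringify(s);
  const seen = new Map([[key(initial), []]]); // state key -> action path from initial
  const queue = [initial];
  while (queue.length) {
    const s = queue.shift(), path = seen.get(key(s));
    for (const [name, holds] of Object.entries(invariants)) {
      if (!holds(s)) return { ok: false, violated: name, path, states: seen.size };
    }
    for (const [name, a] of Object.entries(actions)) {
      if (!a.guard(s)) continue;
      const next = a.apply(s);
      if (!seen.has(key(next))) { seen.set(key(next), [...path, name]); queue.push(next); }
    }
  }
  return { ok: true, states: seen.size };
}

// Mutation meta-test: mutant 1 drops promote's guard, mutant 2 injects an illegal
// "model becomes owner" action; each must be caught with a non-empty counterexample path.
function mutationMetaTest() {
  const mutants = {
    dropPromoteGuard: { ...ACTIONS, promote: { ...ACTIONS.promote, guard: () => true } },
    injectModelOwner: { ...ACTIONS, modelBecomesOwner: {
      guard: s => s.modelPromoted, apply: s => ({ ...s, owner: 'model' }) } },
  };
  const results = Object.fromEntries(Object.entries(mutants)
    .map(([name, acts]) => [name, modelCheck(acts, INVARIANTS)]));
  const allCaught = Object.values(results).every(r => !r.ok && r.path.length > 0);
  return { allCaught, results };
}
```

If a mutant is not caught, the invariants are vacuous for that guard and the check proves nothing about it, which is exactly what the meta-test exists to expose.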

### Charter ratification (signed)

`charter.ratification.json` holds an RSA-3072 root-key signature over the
charter's substance hash. `validate-charter.ps1` now decides ratification by
*verifying that signature*, not by a status string. Editing the charter's
mission/limits invalidates it (proven: edit -> `stale_ratification` -> re-ratify).
Ratified on Douglas's instruction in this session; reversible with
`node ledger/pki/sovereign.js revoke-charter`.

Why still scaffold instead of pretending "complete":

- ~~Charter requires Douglas ratification.~~ **Closed** — verified signed ratification.
- ~~Ledger uses local hash signatures instead of real PKI SessionCerts.~~ **Closed** — real RSA SessionCert signatures.
- ~~Real Shamir secret material is not present.~~ **Closed** — real 2-of-3 shares of the root key.
- ~~Red-team is minimum continuous red-team.~~ **Upgraded** — real Phi model checking with counterexample detection (bounded; full TLA+/Alloy remains future).
- ~~Some succession custodians are placeholders.~~ **Closed** — share-2 assigned to Bernardo, share-3 to Azevedo (with Douglas on share-1): 3 distinct holders, 0 placeholders, root-signed assignment attestations. `node ledger/pki/sovereign.js succession-status`.
- The sovereign root key is a software key, not HSM-held.
- Digital twin is planned, not calibrated (needs real-world data) — the one remaining warning; needs data, not code.

What now works:

- C0 Agent Runtime is implemented.
- C1 Integrity is partial-executable through ledger bridge, audit, hashes, evidence policy.
- C2 Epistemic is partial-executable through evals, success metrics, Charter, gotchas.
- C3 Envelope Phi is scaffold-executable through Phi properties and red-team.
- C4-C6 are intentionally marked roadmap.
- Frontend console is available at `front/index.html`.
- Communication channel is available through `scripts/send-message.ps1` and the front `Comunicar` tab.
- Local app mode is available through `start-system.cmd` and `server.js`.
- Chat interface is available through the front `Chat` tab with model selection from `chat.config.json`.

Proof files in final run:

- `.case/runs/20260620-152556/summary.json`
- `.case/runs/20260620-152556/production-ai-pillars.json`
- `.case/runs/20260620-152556/final-ledger-check.json`
- `.case/runs/20260620-152556/redteam-report.json`
- `.case/runs/20260620-152556/charter-check.json`
- `.case/runs/20260620-152556/sovereignty-check.json`
- `.case/runs/20260620-152556/loop-economics-check.json`
- `front/index.html`

This is the best version so far because it does not collapse architecture into words. It turns the v4 gaps into files, gates, checks, and explicit warnings.
