bcx 0.3.0

Bifrost Causal Exchange protocol primitives for signed causal meaning and proof composition.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

# BCX Threat Model

Status: planning document

BCX models verifiable causal accountability for consequential operations across
many carriers, ledgers, storage systems, and offline bundles. Its goal is to
prove what participants observed, declared, verified, enforced, acknowledged,
settled, and receipted. It does not prove a human or organization had an honest
internal motive.

## In Scope

- Forged causal parentage.
- Replay of valid operations.
- Tampering with signed invocation metadata.
- False broadening of delegated authority.
- Silent HTTP downgrade.
- Recursive WHY query abuse.
- Cross-domain disclosure mistakes.
- Confusing declared purpose with verified fact.
- Gateway claims about effects it cannot observe.
- Missing, redacted, contradictory, or unreachable evidence.
- Native binding confusion between HTTP, blockchain, storage, and offline
  evidence.
- Settlement finality overclaims.
- Cross-profile downgrade or replay.

## Out Of Scope

- Proving internal human intent.
- Revoking information already copied into uncontrolled systems.
- Making a compromised endpoint honest.
- Replacing TLS, QUIC, OS access controls, HSMs, or database authorization.
- Proving legal compliance without reviewed policy and legal packs.
- Providing anonymity when deployments require real identity by policy.
- Replacing Ethereum, Cardano, Bitcoin, XRP, SCITT, OpenTelemetry, or other
  underlying systems.
- Proving that an underlying chain or service is honest beyond its configured
  finality and evidence model.

## Security Claims

BCX may claim:

- this participant signed this declaration,
- this receiver observed this invocation,
- this policy digest governed this decision,
- this effect receipt was signed by this executor,
- this checkpoint was witnessed or settled under a named profile policy,
- this edge has a named assurance level.

BCX must not claim:

- the declared purpose was psychologically true,
- a gateway observed a database commit without integration evidence,
- an Ethereum, Cardano, Bitcoin, XRP, or other settlement receipt proves an
  offchain business purpose was honest,
- a missing parent does not exist,
- a redacted explanation is complete,
- an HTTP wrapper or blockchain transaction is proof by itself.

## Privacy Risks

BCX can become a surveillance graph if implemented carelessly. The protocol must
support:

- no universal identity,
- pairwise event identifiers,
- hash commitments,
- selective disclosure,
- encrypted evidence,
- predicate proofs,
- bounded WHY queries,
- public anonymous reads outside consequential profiles.

## Abuse Controls

Every WHY query must be authenticated and bounded by:

- audit capability,
- query purpose,
- maximum depth,
- maximum nodes,
- maximum response bytes,
- disclosure policy,
- trust-domain rules.