A governance engine that filters meaning, not packets.
SAGE — Systemic Action Governance Engine.
A traditional firewall inspects packets — binary data at the network boundary. It asks: does this data match a blocklist? The answer is binary. The data either matches or it doesn't. One bit of difference and the filter misses it.
The semantic firewall operates at a different level entirely. It inspects meaning — high-dimensional vector representations of intent, identity, and action. It asks: is this meaning aligned with what this actor is authorized to do? The answer is geometric. The data doesn't need to match exactly. It needs to be close enough to the right thing and far enough from the wrong thing.
Every actor in the system carries a semantic vector — a high-dimensional embedding of what they mean, who they are, and what they intend. This vector lives inside the DNA of a Wisp (the system's atomic identity object). When a Wisp attempts to act, it passes through the SAGE firewall.
SAGE computes two measurements, an L2 distance and a cosine delta, each taken relative to two learned anchors:
The source anchor is the learned centroid of clean, authorized geometry — the geometric center of "what we approve." The anti-anchor is the centroid of hostile geometry — the center of "what we reject." L2 is Euclidean distance, which the thresholds below require to be small for approval.
Delta is the incoming vector's cosine similarity to the source anchor minus its cosine similarity to the anti-anchor. If delta is positive, the vector is closer to good than to bad. If delta is negative — instant deny. No state machine. No appeal. The geometry is hostile.
The firewall doesn't use a single threshold. It uses dual thresholds — a Schmitt trigger from electrical engineering — to prevent state flapping at decision boundaries. The idea: it's harder to gain trust than to keep it.
| Transition | Condition | Meaning |
|---|---|---|
| Escalate → Approve | L2 ≤ strict AND δ ≥ strict | Must satisfy both tight thresholds to gain trust |
| Approve → Escalate | L2 > relaxed OR δ < relaxed | Violating either loose threshold loses trust |
| Any → Deny | δ < 0 | Instant kill — more aligned with hostile than with clean |
The hysteresis gap is intentional. An actor who has earned trust operates in a wider band — small fluctuations don't trigger re-evaluation. An actor who has lost trust must demonstrate stronger alignment to regain it. This prevents oscillation at the boundary.
| State | Meaning | Consequence |
|---|---|---|
| Approve | Geometry is clean | Aegis may execute payload |
| Escalate | Ambiguous geometry | Human/Knox escalation |
| Deny | Hostile geometry detected | Payload destroyed |
| Delay | Kronos deadband active | Awaiting cooldown before re-evaluation |
Default state: Deny. The firewall is fail-safe — if anything goes wrong, if any computation fails, if any vector is missing, the answer is deny. Trust must be earned through geometric proof.
The firewall has a glass cockpit mode: audit_mode = true. In this mode, all physics still run — L2, cosine, delta, hysteresis, state transitions — but the final output is forced to Approve. The system observes and records everything but blocks nothing.
This is the learning phase. The system watches real traffic, builds its source and anti-anchors, calibrates its thresholds — all without disrupting operations. When you're ready to go live, flip audit_mode = false and enforcement starts.
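The gate described above, as an added Python illustration that is not SAGE's own code: L2 distance and cosine delta against a source anchor and an anti-anchor, the dual-threshold (Schmitt trigger) transitions, the fail-safe Deny on any missing or malformed vector, and audit_mode forcing the enforced output to Approve while the computed state is still recorded. The threshold values, the two-dimensional anchors, and the treatment of Escalate and Deny as equivalent "untrusted" starting states are assumptions; the Kronos Delay state is not modelled.

```python
import math

# Thresholds are constructed for this example; SAGE's real values are not on the page.
STRICT = {"l2": 0.5, "delta": 0.3}   # tight pair: both must hold to gain trust
RELAXED = {"l2": 0.8, "delta": 0.1}  # loose pair: violating either loses trust

def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm_a = math.sqrt(sum(x * x for x in a))
    norm_b = math.sqrt(sum(y * y for y in b))
    return dot / (norm_a * norm_b)  # zero vector -> ZeroDivisionError, caught by the gate

def measure(v, source, anti):
    """L2 distance to the source anchor, and delta = cos(v, source) - cos(v, anti)."""
    l2 = math.sqrt(sum((x - s) ** 2 for x, s in zip(v, source)))
    return l2, cosine(v, source) - cosine(v, anti)

def evaluate(v, source, anti, prev_state, audit_mode=False):
    """Hysteresis gate. Returns (enforced_state, computed_state); any failure is Deny."""
    try:
        if v is None or len(v) != len(source):
            raise ValueError("missing or malformed vector")
        l2, delta = measure(v, source, anti)
        if math.isnan(l2) or math.isnan(delta):
            raise ValueError("non-finite geometry")
        if delta < 0:                     # more aligned with hostile than with clean
            state = "Deny"
        elif prev_state == "Approve":     # trusted: only a relaxed-threshold breach demotes
            demote = l2 > RELAXED["l2"] or delta < RELAXED["delta"]
            state = "Escalate" if demote else "Approve"
        else:                             # Escalate/Deny (assumed): must clear the strict pair
            promote = l2 <= STRICT["l2"] and delta >= STRICT["delta"]
            state = "Approve" if promote else "Escalate"
    except (ValueError, ZeroDivisionError, TypeError):
        state = "Deny"                    # fail-safe default
    # Glass cockpit: everything above still runs and is returned, but enforcement is forced open.
    return ("Approve" if audit_mode else state), state

def run_sequence(vectors, source, anti, audit_mode=False, start="Deny"):
    """Thread hysteresis state through a stream of vectors; returns the enforced decisions."""
    decisions, prev = [], start
    for v in vectors:
        enforced, prev = evaluate(v, source, anti, prev, audit_mode)
        decisions.append(enforced)
    return decisions
```

With the constructed anchors source = [1, 0] and anti = [0, 1], the vector [0.6, 0.4] is Escalate when arriving from an untrusted state but stays Approve when the actor is already trusted, which is the hysteresis band the text describes.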
| Property | Traditional Firewall | Semantic Firewall |
|---|---|---|
| Inspects | Packets, bytes, headers | Meaning vectors, intent geometry |
| Decision | Binary: allow / block | Four-state: approve / escalate / deny / delay |
| Threshold | Single, static | Dual (Schmitt trigger), adaptive |
| Novel attacks | Cannot detect (no signature) | Detects via geometric misalignment |
| Drift attacks | Invisible (gradual meaning shift) | Detected via cosine trajectory monitoring |
| Memory | Stateless (per-packet) | Stateful (hysteresis remembers trust level) |
| Fail mode | Varies (often fail-open) | Fail-safe: default Deny |
| Audit | Log after the fact | Glass cockpit: observe in real-time before enforcement |
| Human loop | Manual review of logs | Automatic Escalate state for ambiguous cases |
SAGE is Layer 3 — the governance gate between identity (below) and execution (above). Nothing reaches Aegis without passing through the firewall.
| Layer | Name | Role |
|---|---|---|
| 0 | Mirror | Multimodal input capture |
| 1 | Logos | Narrative identity authentication |
| 2 | Rita | Role and ontological positioning |
| 3 | SAGE | Semantic governance firewall |
| 4 | Hermes | Intent orchestration |
| 5 | Kronos | Temporal intelligence and decay |
| Filing | Scope |
|---|---|
| Real-Time Semantic Drift Firewall | Dynamic narrative coherence thresholds, drift detection, trust recovery |
| The Sentinel (Stone 3) | Standalone semantic intrusion detection, meaning-level tamper defense |
| SAGE Provisional Patent | Semantic access governance, adaptive thresholding, ethical escalation |
| Semantic Control Architecture | Full-stack semantic control from input capture through governance to execution |
| Sovereignty Stack Vector Integrity | Vector signing, provenance chains, cross-validation, TEE integration |