BRAIN — CyberOS

BRAIN is an append-only, audit-chained ledger of structured memory files. It is local-first (the canonical state is on the laptop), portable (deterministic zip export), and cryptographically verifiable (Merkle Mountain Range + Ed25519 signed tree heads). Every byte written to a CyberOS memory store can be replayed, proved-included, or — if compliance demands it — purged with a tamper-evident audit trail. The protocol lives at memory/docs/AGENTS.md; the implementation lives at memory/cyberos/core/; the CLI is cyberos.

Status

Shipped

P0 · 7 of 7 phases done

LoC (core)

~5,000

Python 3.13 · pure stdlib + msgspec

Tests

255 green

pytest · regression suite

Invariants

15/15

cyberos doctor on live BRAIN

CLI subcommands

put · view · doctor · prove · …

Depends on

AUTH · AI · MCP

(when P0 infra lands)

Used by

All 22 modules

memory bridge required

Schema

memory.schema.json

closed enum · BCP-14 normative

Why BRAIN exists

Every agentic system eventually trips on the same wall: state lives nowhere persistent and replayable. Chat sessions evaporate, vendor memory APIs become single points of failure and audit, and the company's institutional knowledge ends up trapped in screenshots and Slack threads. BRAIN starts from a different axiom — the laptop filesystem is the canonical store, every mutation is an append, and every append is anchored in a Merkle chain so corruption is detectable and tampering is impossible.

🔒

Local-first sovereignty

No vendor lock-in. The .cyberos-memory/ directory is a complete, portable snapshot — your laptop, your data, your audit trail.

⛓

Cryptographic provenance

Every audit row carries prev_chain + chain. An MMR overlay produces logarithmic inclusion proofs and Ed25519-signed tree heads.

🇻🇳 / 🇪🇺

Compliance as a property

PDPL Art. 14 DSAR, GDPR Art. 17 erasure, EU AI Act Art. 12 logging — all expressible as ledger operations rather than bolt-on policies.

The bet is simple: pay the cost of a real audit chain once, at the substrate layer, and every downstream module — Skill, CUO, EMAIL, PROJ, CRM, HR, INV — inherits provenance, replay, and erasure for free. Without BRAIN, every module would re-invent its own audit table. With BRAIN, audit is a property of the platform.

What it does — 5W1H2C5M

A structured decomposition of BRAIN's scope. Every cell below traces back to PRD §5 + AGENTS.md.

Axis	Question	Answer
5W · What	What is BRAIN?	An append-only ledger of immutable memory files. Every mutation is a canonical operation (`put`, `move`, `delete`) that appends one frame to `audit/current.binlog` and one row to a derived SQLite index. The store is `.cyberos-memory/`; the protocol is BCP-14 normative.
5W · Who	Who reads/writes?	Writers: CUO router (decisions), Skill host (invocation records), every module's subgraph (entity mutations). Readers: any agent (Claude, Codex, Cursor), the user via CLI, downstream automation (digest, publish, semantic search). Owner: CEO (Stephen Cheng) until the CDO seat is filled.
5W · When	When does write happen?	Synchronously on every protocol-level mutation. Group-commit windows of 5 ms aggregate concurrent writers behind one `fsync` barrier. Consolidation triggers when the ledger exceeds 5 MB or 5,000 rows.
5W · Where	Where does it live?	Resolved local path `.cyberos-memory/` at the project root (symlinks resolved). Sandbox/ephemeral paths are rejected (`layout-no-sandbox-path` invariant). Real paths only — no fake mounts.
5W · Why	Why this design?	Because cloud memory APIs sacrifice sovereignty, vendor APIs sacrifice replay, and SQLite-only stores sacrifice cryptographic provenance. The append-only + MMR + Ed25519 STH combination is the smallest set of primitives that delivers all three.
1H · How	How does it work end-to-end?	Six canonical operations → two-phase atomic write (tmpfile + rename + parent-dir fsync) → group-commit audit frame → MMR leaf insertion → derived SQLite index update → `HEAD` seqlock advance. Readers snapshot HEAD, mmap the target, re-stat. See Key flows.
2C · Cost	Cost?	Per-write: ~120 µs hot path (group-committed), ~3 ms cold (single-writer). Per-read: ~6 µs (mmap'd, seqlock retry). Storage overhead: ~28% chain + sidecar + index vs raw body. STH signing: ~0.4 ms Ed25519.
2C · Constraints	Constraints?	(a) macOS uses `F_BARRIERFSYNC` per-batch and `F_FULLFSYNC` per-checkpoint (plain `fsync` is insufficient on Darwin). (b) Cross-platform: launchd / systemd / Task Scheduler. (c) Single canonical writer at a time (lease + `.lock`). (d) Sandbox paths are protocol-rejected.
5M · Materials	What does it use?	POSIX filesystem · SHA-256 · Ed25519 (cryptography lib) · libyaml-backed msgspec for frontmatter · zstd for compaction · SQLite (WAL mode) · optional sentence-transformers for semantic search.
5M · Methods	Method choices?	Append-only ledger (no in-place mutation), seqlock for lock-free reads, MMR Merkle proofs, RFC 8785 JCS canonical JSON, BCP-14 normative protocol, deterministic export (sorted paths · fixed timestamps · fixed mode · zstd level 6).
5M · Machines	Where does it run?	Any laptop (primary). Future: an HTTP REST mode (`cyberos serve` — shipped) and a mobile read-only static site (`cyberos publish` — shipped). No server-side database required; the laptop is the database.
5M · Manpower	Who maintains?	1 IC owner (Stephen Cheng) today. By P1 exit: CTO seat picks up second on-call rotation. The module is small (~5k LoC) and the protocol is closed.
5M · Measurement	How measured?	15 doctor invariants (chain continuity, op-enum closure, layout canonical, MMR cross-check, STH signature verification, …). Continuous benchmark suite (cold-CLI latency, throughput, determinism). CHANGELOG.md newest-first; CI nightly + weekly regression gates.

Architecture — three layers, six ops

BRAIN is specified as three layers — but only Layer 1 (the filesystem ledger) and a semantic slice of Layer 2 (local sentence-transformers embeddings) ship today. Layers 2 (pgvector + Apache AGE) and 3 (archival corpus) are planned for P1 / P2 once the multi-tenant subgraph lands. The single canonical writer enforces the protocol; every other module's "memory bridge" routes through it.

graph TB subgraph CLIENTS ["Clients (untrusted from protocol pov)"] AGENT["Claude / Codex / Cursor
via MCP tool"] CLI["cyberos CLI"] SUBG["Module subgraphs
(via memory bridge)"] CUO_M["CUO router
(decision rows)"] end subgraph CORE ["BRAIN canonical writer (cyberos/core/)"] OPS["ops.py
put · move · delete"] LOCK["lock.py
leased .lock"] WRITER["writer.py
group-commit ledger"] WALKER["walker.py
mmap ledger replay"] READER["reader.py
seqlock lock-free reads"] INDEX["index.py
WAL-mode SQLite"] MMR["mmr.py
Merkle Mountain Range"] STH["sth.py
Ed25519 tree heads"] end subgraph LAYER1 ["Layer 1 · Filesystem ledger (.cyberos-memory/)"] FILES["memories///.md"] META["sidecar .meta.json"] BINLOG["audit/*.binlog"] HEAD["HEAD seqlock"] MANI["manifest.json"] CHK["audit/checkpoints/"] end subgraph LAYER2 ["Layer 2 · pgvector + Apache AGE (planned)"] PGV["pgvector HNSW"] AGE["Apache AGE graph"] end subgraph LAYER2S ["Layer 2 (slice) · Local embeddings (shipped)"] EMB["sentence-transformers
BGE-M3 (optional dep)"] end subgraph LAYER3 ["Layer 3 · Archival corpus (planned)"] S3["S3 / R2 / MinIO
cold tier"] end AGENT --> OPS CLI --> OPS SUBG --> OPS CUO_M --> OPS OPS --> LOCK OPS --> WRITER WRITER --> BINLOG WRITER --> FILES WRITER --> META WRITER --> MMR MMR --> STH STH --> CHK WRITER --> HEAD WRITER --> INDEX READER --> HEAD READER --> FILES WALKER --> BINLOG FILES -. semantic .-> EMB FILES -. P1+ .-> PGV FILES -. P1+ .-> AGE CHK -. P2+ archive .-> S3 classDef shipped fill:#f5ede6,stroke:#45210e classDef planned fill:#f0eee9,stroke:#9c9286,stroke-dasharray:4 3 class OPS,LOCK,WRITER,WALKER,READER,INDEX,MMR,STH,FILES,META,BINLOG,HEAD,MANI,CHK,EMB,AGENT,CLI shipped class PGV,AGE,S3,SUBG planned

Internal components — walkthrough

Component	File	Responsibility
`ops.py`	core/ops.py	Canonical operations `put`, `move`, `delete(mode)`. Path validation, denylist check, idempotency by content hash.
`writer.py`	core/writer.py	Group-commit ledger. Two-phase atomic write (tmpfile + rename + dir fsync). Group window = 5 ms; per-batch `F_BARRIERFSYNC`.
`reader.py`	core/reader.py	Lock-free seqlock reader. mmap the body, snapshot HEAD, re-stat; mismatch triggers retry. Stale-tolerant.
`walker.py`	core/walker.py	mmap-based binlog replay. Verifies frame CRC + chain continuity; emits to invariant walker.
`lock.py`	core/lock.py	Leased `.lock` with 10 s TTL + 3 s renew. Stale leases reaped via monotonic clock comparison.
`mmr.py`	core/mmr.py	Pure-Python Merkle Mountain Range. Stage-1 ships peaks + leaf-hashes; STH-only mode replaces chained `prev_chain` when enabled.
`sth.py`	core/sth.py	Ed25519 signed tree heads. Passphrase-wrapped private key on disk; checkpoints land in `audit/checkpoints/`.
`index.py`	core/index.py	Derived WAL-mode SQLite index. Rebuildable from binlog; never authoritative — filesystem wins on conflict.
`fsync.py`	core/fsync.py	Platform-correct durability. macOS `F_BARRIERFSYNC` / `F_FULLFSYNC`; Linux `fdatasync` + parent-dir fsync.
`consolidate.py`	core/consolidate.py	Walk → Compact → Sign → Publish. Triggers on size (>5 MB) or row count (>5,000). zstd archives sealed monthly segments.
`invariants.py`	core/invariants.py	15 walker invariants (chain continuity, op-enum closure, layout-canonical, MMR cross-check, sidecar-body-hash, …). Drives `cyberos doctor`.
`export.py`	core/export.py	Deterministic zip. Sorted paths · fixed timestamp `2000-01-01T00:00:00Z` · fixed mode `0o644` · ZIP_DEFLATED level 6. Excluded: `exports/`, `__pycache__/`, `.cache/`, `.lock`, `HEAD`.
`import_.py`	core/import_.py	P6 — cross-BRAIN merge. Foreign rows become fresh local `put` rows with `extra.imported_from` + `extra.foreign_chain`.
`semantic.py`	core/semantic.py	Optional local embeddings (sentence-transformers BGE-M3). On-demand index, no daemon.
`serve.py`	core/serve.py	HTTP REST mode. Exposes the same six ops over a local socket for IDE / mobile clients.
`publish.py`	core/publish.py	Mobile read-only static site. Generated from the deterministic export.
`digest.py`	core/digest.py	Daily LLM summary (via AI gateway). Produces one digest row per day.
`conflicts.py`	core/conflicts.py	Sync-FS conflict detection (iCloud / Dropbox / OneDrive). Quarantines competing file copies to `conflicts/`.
`backup.py` · `prune.py`	core/	Incremental snapshot + sealed-segment pruning. Both reversible via the consolidation log.

Data model

Every entity in BRAIN traces to one or more files on disk. The schema is closed (memory.schema.json); unknown kind values are rejected at write time. The diagram below shows the entity relationships as they manifest in the filesystem layer.

erDiagram MANIFEST ||--o{ AUDIT_SEGMENT : "tracks segments" MANIFEST ||--o{ MEMORY_FILE : "indexes" MANIFEST ||--o{ CHECKPOINT : "tracks last_sth" AUDIT_SEGMENT ||--|{ AUDIT_FRAME : "contains" AUDIT_FRAME }o--|| MEMORY_FILE : "describes mutation of" AUDIT_FRAME ||--o| MMR_LEAF : "becomes" MMR_LEAF }o--o{ MMR_PEAK : "rolls up to" MMR_PEAK ||--o{ CHECKPOINT : "signed by" CHECKPOINT ||--|| STH_SIG : "carries Ed25519" MEMORY_FILE ||--o| SIDECAR_META : "has sidecar" MEMORY_FILE ||--o| ENCRYPTED_BODY : "may be ciphertext" MEMORY_FILE }o--o| TOMBSTONE : "may be tombstoned" MANIFEST { string store_id PK string layout_version int64 audit_chain_head int64 last_seq string last_sth_root string crypto_mode "chained or sth_only" obj imports "fingerprint to last_imported_seq" } AUDIT_SEGMENT { string filename PK "YYYY-MM dot binlog" bool sealed bool compacted "zstd" int64 first_seq int64 last_seq } AUDIT_FRAME { int64 seq PK int64 ts_ns string op "put or move or delete" string path string body_hash "SHA-256" string prev_chain string chain "SHA-256" string actor obj extra "imported_from, foreign_chain, etc" } MMR_LEAF { int64 leaf_index PK string leaf_hash "= chain" int64 seq FK } MMR_PEAK { int height string peak_hash int64 position } CHECKPOINT { string filename PK "timestamp-root json file" int64 tree_size string mmr_root int64 signed_at_ns } STH_SIG { string algorithm "Ed25519" string pubkey_id bytes signature } MEMORY_FILE { string path PK "memories-kind-hex-file.md" string kind "decisions or facts or people or projects or preferences or drift or refinements" string body_format "frontmatter or sidecar" string body_hash string state "active or tombstoned or purged" } SIDECAR_META { string path PK ".meta.json" string kind string sync_class "private or shareable" string classification "public or internal or confidential or restricted" obj cipher "envelope when encrypted" obj acl string body_hash } ENCRYPTED_BODY { string envelope_id PK string algo "AES-256-GCM" bytes ciphertext bytes iv bytes tag } TOMBSTONE { string path PK string reason int64 tombstoned_at_seq }

Filesystem layout

.cyberos-memory/
├── manifest.json              # store metadata (§6)
├── HEAD                       # 8-byte LE u64 seq counter; atomic rename
├── .lock                      # leased coordination record (§4.2)
├── audit/
│   ├── current.binlog         # active segment
│   ├── 2026-04.binlog         # sealed monthly segment
│   ├── 2026-04.binlog.zst     # compacted (zstd, deterministic)
│   ├── checkpoints/           # per-consolidation Ed25519 STH anchors
│   │   └── 2026-05-14T03Z-{root}.json
│   └── *.jsonl                # legacy v1 ledger (read-only post-cutover)
├── memories/
│   ├── decisions/<2hex>/<2hex>/.md[.meta.json]
│   ├── facts/...
│   ├── people/...
│   ├── projects/...
│   ├── preferences/...
│   ├── drift/...
│   └── refinements/...
├── meta/        company/ module/ member/ client/ project/ persona/
├── conflicts/   # soft-tombstone bodies + sync-FS quarantine
├── exports/     # deterministic zip targets (excluded from chain)
└── index/manifest.json        # SQLite index rebuild marker

API surface

BRAIN exposes three surfaces: a GraphQL subgraph (P0 federation gateway · planned), an MCP tool catalogue (Claude / Codex / Cursor — partial), and a CLI (cyberos — 30 subcommands shipped).

GraphQL subgraph (planned · P0+)

Federated via Apollo Router v2.5+. Types are entity-key'd by store path so other subgraphs can extend them.

extend schema
  @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@key", "@external", "@shareable"])

type Memory @key(fields: "path") {
  path: String!
  kind: MemoryKind!
  bodyHash: String!
  state: MemoryState!
  syncClass: SyncClass!
  classification: Classification
  acl: [ACLEntry!]
  body: String                       # null if encrypted + caller lacks key
  createdAt: DateTime!
  updatedAt: DateTime!
}

type AuditRow @key(fields: "seq") {
  seq: Int!
  tsNs: BigInt!
  op: MemoryOp!
  path: String!
  bodyHash: String!
  prevChain: String!
  chain: String!
  actor: String!
  extra: JSON
}

type Checkpoint @key(fields: "filename") {
  filename: String!
  treeSize: Int!
  mmrRoot: String!
  signedAtNs: BigInt!
  signature: STHSignature!
}

type STHSignature { algorithm: String!  pubkeyId: String!  signature: String! }

enum MemoryKind { decisions facts people projects preferences drift refinements }
enum MemoryOp   { put move delete }
enum MemoryState { active tombstoned purged }
enum SyncClass   { private shareable }
enum Classification { public internal confidential restricted }

type Query {
  memory(path: String!): Memory
  memories(kind: MemoryKind, since: BigInt, limit: Int = 50): [Memory!]!
  auditRow(seq: Int!): AuditRow
  auditRows(fromSeq: Int!, limit: Int = 100): [AuditRow!]!
  checkpoint(filename: String!): Checkpoint
  state: BrainState!
  inclusionProof(seq: Int!): InclusionProof!
}

type Mutation {
  put(path: String!, body: String!, meta: JSON): PutResult!
  move(src: String!, dst: String!): MoveResult!
  delete(path: String!, mode: DeleteMode! = TOMBSTONE, reason: String): DeleteResult!
  consolidate: Checkpoint!                  # admin
  import(sourceFingerprint: String!, bundle: Upload!): ImportSession!
}

enum DeleteMode { TOMBSTONE PURGE }

MCP tool catalogue

Exposed via the MCP Gateway (P0 infra) to Claude / Codex / Cursor / any 2025-11-25-spec client. Tool annotations include capability scope so the broker can enforce least-privilege.

Tool name	Inputs	Outputs	Annotations
`brain.put`	path, body, meta?	`{seq, chain, body_hash}`	destructive=false · idempotent=true · scope=write
`brain.view`	path	`{body, meta, hash}`	destructive=false · readonly · scope=read
`brain.move`	src, dst	`{seq, chain}`	destructive=true · scope=write
`brain.delete`	path, mode, reason?	`{seq, chain, mode}`	destructive=true · purge requires gate · scope=delete
`brain.search`	query, kind?, limit?	`Memory[]`	readonly · semantic + lexical · scope=read
`brain.audit_tail`	fromSeq, limit	`AuditRow[]`	readonly · scope=audit
`brain.prove`	seq	`InclusionProof`	readonly · MMR proof · scope=read
`brain.verify_proof`	seq, proof	`{valid, root}`	readonly · scope=read
`brain.state`	—	`BrainState`	readonly · scope=read
`brain.doctor`	repair?	`{invariants[]}`	readonly by default · scope=admin

CLI surface — `cyberos`

30 subcommands. Every chain-touching operation is single-writer and lease-protected. Examples below; full reference at CLI usage.

Subcommand	Purpose	Example
`cyberos put`	Append a memory file	`cyberos put memories/facts/x.md -`
`cyberos view`	Read a memory body	`cyberos view memories/facts/x.md`
`cyberos move`	Rename within store	`cyberos move a.md b.md`
`cyberos delete`	Tombstone (default) or purge	`cyberos delete x.md --mode tombstone`
`cyberos doctor`	Verify all invariants	`cyberos doctor [--repair]`
`cyberos state`	Chain head + agent state	`cyberos state`
`cyberos consolidate`	Walk → Compact → Sign → Publish	`cyberos consolidate`
`cyberos prove`	MMR inclusion proof	`cyberos prove --seq 12345`
`cyberos verify-proof`	Verify proof bundle	`cyberos verify-proof bundle.json`
`cyberos export`	Deterministic zip	`cyberos export out.zip`
`cyberos import`	Cross-BRAIN merge	`cyberos import teammate.zip`
`cyberos prune`	Sweep zstd-archived segments	`cyberos prune --older-than 90d`
`cyberos backup`	Incremental snapshot	`cyberos backup ./backups/`
`cyberos serve`	HTTP REST mode	`cyberos serve --port 7878`
`cyberos publish`	Mobile static site	`cyberos publish ./site/`
`cyberos digest`	Daily LLM summary	`cyberos digest --date today`
`cyberos search`	Lexical + semantic	`cyberos search "Singapore HoldCo"`
`cyberos validate`	Schema-validate frontmatter	`cyberos validate x.md`
`cyberos walk`	Replay binlog	`cyberos walk --from-seq 0`
`cyberos session start/end`	Bracket import or batch	`cyberos session start`
+ 10 more: `encrypt`, `decrypt`, `rotate-key`, `conflicts`, `tail`, `show-config`, `show-manifest`, `checkpoints`, `repair-index`, `profile`.

Key flows

Flow 1 — Write path (the hot path)

sequenceDiagram autonumber participant C as Caller (agent / CLI / subgraph) participant O as ops.put() participant L as lock.acquire() participant W as writer.append() participant F as fsync.barrier() participant M as mmr.append_leaf() participant S as sth.maybe_sign() participant H as HEAD seqlock participant I as index.upsert() C->>O: put(path, body, meta) O->>O: validate path (no traversal, schema-conformant) O->>O: hash body (SHA-256) O->>L: acquire lease (10s TTL) L-->>O: lease(pid, monotonic_ns) O->>W: build frame {seq, ts_ns, op:"put", body_hash, prev_chain} W->>W: chain = SHA-256(canonical(frame) || prev_chain) W->>F: write tmpfile + rename + parent-dir fsync Note over F: macOS F_BARRIERFSYNC per-batch
F_FULLFSYNC at checkpoint W->>M: append_leaf(chain) M-->>W: leaf_index, peaks W->>S: check trigger (every consolidation OR explicit) alt consolidate trigger S->>S: sign tree head (Ed25519) S-->>W: checkpoint written end W->>H: advance HEAD (atomic 8-byte rename) W->>I: upsert SQLite index row L-->>O: release lease O-->>C: {seq, chain, body_hash}

Hot-path latency budget: ~120 µs group-committed (10+ concurrent writes share one fsync). Cold-path single writer: ~3 ms. STH signing: amortised over the consolidation window.

Flow 2 — Read path (lock-free seqlock)

sequenceDiagram autonumber participant C as Caller participant R as reader.view() participant H as HEAD seqlock participant FS as filesystem (mmap) C->>R: view(path) R->>H: snapshot HEAD seq (read-only) H-->>R: seq_pre R->>FS: mmap body file R->>FS: stat body file (mtime, ino, size) R->>H: re-read HEAD seq H-->>R: seq_post alt seq_pre == seq_post AND stat unchanged R-->>C: {body, meta, hash} (~6 µs hot) else inconsistent — writer raced R->>R: retry (bounded, exponential backoff) Note over R: max 3 retries; then fall back to lock-guarded read end

No .lock acquisition on the read path. Workers / agents read concurrently at memory bandwidth.

Flow 3 — Consolidation (Walk → Compact → Sign → Publish)

sequenceDiagram autonumber participant T as Trigger (size > 5 MB OR rows > 5,000 OR manual) participant C as consolidate.run() participant WA as walker (verify) participant CO as compact (zstd archive) participant SI as sign (Ed25519 STH) participant PU as publish (advance manifest) T->>C: consolidate() C->>WA: walk binlog from last checkpoint WA->>WA: verify frame CRC, chain continuity, MMR cross-check WA-->>C: invariants OK C->>CO: seal current.binlog → 2026-MM.binlog CO->>CO: zstd compress (deterministic, level 6) CO-->>C: 2026-MM.binlog.zst C->>SI: sign(tree_size, mmr_root) SI-->>C: checkpoint JSON with Ed25519 sig C->>PU: atomically advance manifest.audit_chain_head + last_sth PU-->>C: published C-->>T: {checkpoint_filename, tree_size}

Flow 4 — Conflict resolution & recovery (FROZEN_RECOVERABLE)

sequenceDiagram autonumber participant A as Agent (READY) participant CHK as Pre-write check (§1) participant DOC as cyberos doctor participant USER as Operator participant REP as doctor --repair A->>CHK: about to write CHK->>CHK: verify chain tip vs ledger alt divergent CHK->>A: transition FROZEN_RECOVERABLE A->>DOC: report inconsistency DOC->>DOC: run 15 invariants DOC->>USER: surface specific failure (e.g. chain gap @ seq 12345) USER->>REP: cyberos doctor --repair --reason "iCloud merge artefact" REP->>REP: safe auto-fixes only (rebuild index, replay tail) REP-->>A: state → READY (if all 15 pass) else catastrophic CHK->>A: transition FROZEN_HUMAN A->>USER: refuse all writes; human intervention required end

Flow 5 — GDPR purge (Article 17 right to erasure)

sequenceDiagram autonumber participant SUB as Data subject (user) participant OP as Operator (DPO) participant C as Chat session participant D as delete(path, "purge", reason) participant W as writer.append (purge row) SUB->>OP: DSAR / erasure request OP->>C: explicit chat-turn approval (§3.6 gate) C->>D: cyberos delete --mode purge --reason "DSAR-2026-014" D->>D: validate reason non-empty D->>W: append purge row {op:"delete", path, body_hash, mode:"purge", reason} W-->>D: chain committed D->>D: redact body file (zero-fill + unlink) D->>D: tombstone sidecar (retain meta minus PII) Note over W: The FACT of purge is itself a ledger leaf
and is not itself erasable. D-->>OP: {seq, chain, redacted_hash}

Per AGENTS.md §17.1, the audit fact of erasure is unerasable. The body is gone; the chain remembers the redaction.

Memory file lifecycle

A single memory file traverses six states from authorship to long-term archive. The agent state machine (READY · FROZEN_RECOVERABLE · FROZEN_HUMAN) gates every transition that involves a write.

stateDiagram-v2 [*] --> Composed: agent / user authors body + frontmatter Composed --> Submitted: ops.put(path, body, meta) Submitted --> Chained: writer appends audit frame · prev_chain + chain Chained --> Indexed: SQLite index upsert · MMR leaf append Indexed --> Signed: consolidation window OR explicit cyberos consolidate Signed --> Consolidated: STH written · manifest advanced · segment sealed Consolidated --> Exported: cyberos export → deterministic zip Exported --> Imported: cyberos import on a teammate's BRAIN Consolidated --> Tombstoned: cyberos delete --mode tombstone Tombstoned --> Purged: cyberos delete --mode purge (DSAR gate) Purged --> [*]: body redacted · chain row preserved as erasure fact Consolidated --> Archived: cyberos prune (zstd) · move to cold tier (planned) Indexed --> Conflicted: sync-FS race detected Conflicted --> Indexed: cyberos conflicts resolve

Agent state machine

stateDiagram-v2 [*] --> READY READY --> FROZEN_RECOVERABLE: invariant failure (chain gap, MMR mismatch) FROZEN_RECOVERABLE --> READY: cyberos doctor --repair FROZEN_RECOVERABLE --> FROZEN_HUMAN: catastrophic divergence READY --> FROZEN_HUMAN: chain corruption · manifest unparseable FROZEN_HUMAN --> READY: cyberos doctor --repair --reason "" note right of FROZEN_RECOVERABLE Reads OK · writes refused Auto-repair available end note note right of FROZEN_HUMAN Reads OK · writes refused Human signoff required end note

Functional Requirements

The CyberOS FR catalogue is being rebuilt one feature at a time via the open fr-author Agent Skill.

Previous FR enumerations were archived 2026-05-14 and are no longer reflected on this page. PRD/SRS narrative remains authoritative for the spec; specific FRs land here as they are re-authored.

Non-Functional Requirements

Latency, throughput, and durability budgets specific to BRAIN. Cross-referenced at nfr-catalog.html#brain.

NFR ID	Concern	Target	Measurement
`N(FR pending)`	Write p50 (group-committed)	≤ 150 µs	`bench/throughput.py` · nightly
`N(FR pending)`	Write p95 (group-committed)	≤ 500 µs	bench/throughput · alert on regression > 10%
`N(FR pending)`	Write p99 (cold, single writer)	≤ 10 ms	bench/cold_cli.py
`N(FR pending)`	Read p50 (mmap seqlock)	≤ 10 µs	bench/reader.py
`N(FR pending)`	Search p95 (lexical)	≤ 50 ms over 10k memories	bench/search.py
`N(FR pending)`	Search p95 (semantic, local BGE-M3)	≤ 200 ms over 10k memories	bench/semantic.py
`N(FR pending)`	Sustained write throughput	≥ 8,000 ops/sec single thread	bench/throughput.py
`N(FR pending)`	Durability guarantee	fsync-per-batch · 0 lost frames at process kill	bench/crash_recovery.py
`N(FR pending)`	Chain integrity rate	100% (15/15 invariants)	`cyberos doctor` · CI nightly
`N(FR pending)`	Export determinism	byte-identical across 3 platforms	bench/determinism.py · macOS + Linux + WSL
`N(FR pending)`	Storage overhead vs raw body	≤ 35% (chain + sidecar + index)	bench/storage.py
`N(FR pending)`	Single-process availability	≥ 99.99% (local FS dependent)	observed from `cyberos state` uptime

Dependencies

BRAIN is the deepest dependency in the CyberOS graph. Today (M0) it has no module dependencies — it is the foundation. Once P0 infra lands, it picks up AUTH (for actor identity), the AI Gateway (for digest / semantic search), and the MCP Gateway (for tool exposure).

graph LR subgraph upstream ["BRAIN depends on"] AUTH["🔐 AUTH
actor identity"] AI["⚡ AI Gateway
digest · semantic"] MCP["🔌 MCP Gateway
tool exposure"] end BRAIN["🧠 BRAIN"] subgraph downstream ["Used by all 22 modules"] CUO["🎯 CUO"] SKILL["🛠 SKILL"] CHAT["💬 CHAT"] EMAIL["✉️ EMAIL"] PROJ["📋 PROJ"] REW["💎 REW"] OTHERS["…16 more"] end AUTH --> BRAIN AI --> BRAIN MCP --> BRAIN BRAIN --> CUO BRAIN --> SKILL BRAIN --> CHAT BRAIN --> EMAIL BRAIN --> PROJ BRAIN --> REW BRAIN --> OTHERS classDef shipped fill:#f5ede6,stroke:#45210e classDef planned fill:#fef6e0,stroke:#9c750a class BRAIN shipped class AUTH,AI,MCP planned

Compliance scope

BRAIN is the single most compliance-relevant module in the catalog. Its audit chain is the regulator-facing evidence base for every decree below.

Regulation / standard	Article / clause	BRAIN feature that satisfies it
Vietnam PDPL (Law 91/2025)	Art. 14 — DSAR	`cyberos search` + `cyberos export` produce a complete data-subject extract in < 1 min.
Vietnam PDPL	Art. 16 — Erasure	`cyberos delete --mode purge` with reason gate; audit fact remains.
Vietnam Decree 13/2023	Art. 17 — Personal data processing log	Audit chain is the processing log; every op recorded with actor.
Vietnam Decree 53/2022	Art. 26 — Cybersecurity data localisation	Local-first by design; `.cyberos-memory/` stays on Vietnamese soil unless explicitly exported.
GDPR (EU 2016/679)	Art. 17 — Right to erasure	Purge mode (§3.6) with reason gate; chain row records the redaction.
GDPR	Art. 30 — Records of processing	Audit chain is the records-of-processing artefact.
EU AI Act (Reg. 2024/1689)	Art. 12 — Logging	Every routing decision (via CUO) is recorded in BRAIN; replayable.
EU AI Act	Art. 26 — Human oversight	FROZEN_HUMAN state requires explicit signoff to recover; defer-to-human escapes encoded in audit rows.
Singapore PDPA	§§ 12–13 — Access & correction	Same DSAR + erasure mechanisms; satisfied for HoldCo flip at P3.
ISO/IEC 27001:2022	A.8.10 — Information deletion	Purge mode plus retention manifest.
ISO/IEC 27001:2022	A.8.15 — Logging	Audit chain · 100% integrity rate.
ISO/IEC 42001 (AIMS)	§ 8.2 — Data management	Sync-class taxonomy + acl + classification + Ed25519-anchored chain.
SOC 2 Type II	CC7.2 · CC7.3 — Monitoring	Doctor invariants run nightly; alert on first failure.

Risk entries

BRAIN-specific risks tracked in the full risk register.

ID	Risk	Likelihood	Impact	Owner	Mitigation
`R-BRAIN-001`	Audit chain corruption (frame CRC failure, MMR peak mismatch)	Low	Catastrophic	CTO	15 walker invariants nightly · FROZEN_RECOVERABLE auto-stop · `cyberos backup` daily.
`R-BRAIN-002`	MMR implementation bug (replay produces wrong root)	Low	High	CTO	Cross-check invariant compares `chain` against MMR-derived hash at every consolidation. 1k / 10k / 100k leaf scale tests in CI.
`R-BRAIN-003`	STH signing-key compromise	Low	High	CSO	Passphrase-wrapped key on disk. P3+: KMS-managed rotation. Re-sign all open checkpoints on rotation.
`R-BRAIN-004`	iCloud / Dropbox sync race produces conflicting bodies	Medium	Medium	CDO	`conflicts.py` quarantines competing copies to `conflicts/`; operator resolves via `cyberos conflicts resolve`.
`R-BRAIN-005`	Cross-platform fsync semantic drift (macOS vs Linux vs Windows)	Medium	Medium	CTO	Per-platform fsync.py paths, crash-recovery benchmark on each platform in CI.
`R-BRAIN-006`	Schema drift breaks downstream consumers (e.g. CUO bridge)	Low	Medium	CTO	`memory.schema.json` regenerated from types at every release · schema-drift regression test gate.
`R-BRAIN-007`	Operator accidentally purges legally-required data	Low	High	CLO	Purge mode requires explicit chat-turn approval AND non-empty reason. Two-person sign-off in production tenants (P3+).
`R-BRAIN-008`	Encryption envelope key loss (KMS outage / rotation bug)	Low	Catastrophic	CSO	Key escrow + N-of-M reconstruction (P2+). Sidecar always plaintext so metadata survives body loss.

KPIs

Module health is read off these 8 KPIs. Targets are PRD §11.1 normative budgets; current values are observed on the user's live BRAIN.

KPI	Formula	Source	Target	Current
Chain integrity rate	`passing_invariants / 15`	`cyberos doctor`	100%	15/15 (100%)
MMR cross-check pass rate	`matched_leaves / total_leaves`	walker invariant	100%	100%
Write p95	group-committed	bench/throughput	≤ 500 µs	~ 380 µs
Read p95	mmap seqlock	bench/reader	≤ 20 µs	~ 8 µs
Search p95	lexical · 10k memories	bench/search	≤ 50 ms	~ 32 ms
Export determinism rate	`identical_exports / runs`	bench/determinism	100%	100% (3 platforms)
Storage overhead	`(chain + sidecar + index) / raw_body`	bench/storage	≤ 35%	~ 28%
Test pass rate	`green / total`	pytest CI	100%	255/255 (100%)

RACI matrix

BRAIN is owned end-to-end by the CEO seat today (Stephen Cheng). As the team grows, ownership shifts to the CDO (data) and CTO (engineering).

Activity	CEO	CTO	CDO	CSO	CLO	DPO
Protocol design (AGENTS.md)	A	R	C	C	I	I
Implementation (cyberos/core/)	A	R	C	I	I	I
On-call rotation	I	A	R	I	I	I
Security review	I	C	C	A/R	C	I
Compliance review (PDPL, GDPR)	I	C	C	C	A/R	R
DSAR fulfilment	I	C	R	C	C	A/R
Purge approval	C	I	C	I	A/R	R
Key rotation (STH Ed25519)	I	C	I	A/R	I	I

R = Responsible · A = Accountable · C = Consulted · I = Informed.

CLI usage — real examples

What a user actually types and what they see. All examples assume pip install -e . from the memory/ directory.

1. Append a memory

$ echo "Decided to flip Singapore HoldCo if ARR ≥ \$1.5M at P3 exit." | \
    cyberos --store ./.cyberos-memory --actor stephen put memories/decisions/holdco-flip.md -

{
  "seq": 14823,
  "chain": "9f3e2a1b...8d4c",
  "body_hash": "a17b2c...e9f0",
  "elapsed_us": 412
}

2. Verify the entire chain

$ cyberos --store ./.cyberos-memory doctor

[BRAIN doctor v2.0.0]  store=./.cyberos-memory  rows=14823

invariant                            status   detail
─────────────────────────────────────────────────────
chain-continuity                     OK       14823/14823 rows linked
chain-no-rewind                      OK       monotonic seq verified
frame-crc                            OK       all CRCs match
op-enum-closed                       OK       no unknown ops
layout-canonical                     OK       no sandbox path
layout-no-traversal                  OK       no '..' segments
sidecar-body-hash                    OK       all sidecars match body
mmr-leaf-count                       OK       14823 leaves
mmr-peak-cross-check                 OK       peaks match chain hash
sth-signature                        OK       Ed25519 signature valid
manifest-head-coherent               OK       HEAD matches manifest
index-coverage                       OK       SQLite mirrors filesystem
schema-validation                    OK       all frontmatter validates
lease-not-stale                      OK       no orphaned lease
exports-excluded                     OK       no chain leak through exports

state: READY  (15/15 invariants pass)

3. Produce an MMR inclusion proof

$ cyberos --store ./.cyberos-memory prove --seq 14823 > proof.json

$ cat proof.json
{
  "seq": 14823,
  "leaf_hash": "9f3e2a1b...8d4c",
  "leaf_index": 14822,
  "proof_path": ["a1b2...", "c3d4...", "e5f6..."],
  "tree_size": 14823,
  "mmr_root": "f7e8...d9c0",
  "sth": {
    "filename": "2026-05-14T03Z-f7e8d9c0.json",
    "signature": "ed25519:8c7d..."
  }
}

$ cyberos verify-proof proof.json
{"valid": true, "root": "f7e8...d9c0", "verified_at": "2026-05-14T07:21:08Z"}

4. Deterministic export

$ cyberos --store ./.cyberos-memory export brain-2026-05-14.zip

[export]  paths=2451  bytes=14.2MB  zip_bytes=4.1MB  level=6
[export]  excluded: exports/  __pycache__/  .cache/  .lock  HEAD
[export]  determinism: sorted paths · ts=2000-01-01T00:00:00Z · mode=0o644
[export]  written: brain-2026-05-14.zip
[export]  sha256: a4f9...8c2d  (run twice on different machines → same hash)

5. GDPR purge (Art. 17)

$ cyberos --store ./.cyberos-memory delete \
    memories/people/clients/acme-contact.md \
    --mode purge \
    --reason "DSAR-2026-014 erasure request, signed off by DPO"

[delete]  mode=purge  body redacted  audit row preserved
{
  "seq": 14831,
  "chain": "b8d4...e3f7",
  "mode": "purge",
  "body_hash_before": "a17b...e9f0",
  "redaction_reason": "DSAR-2026-014 erasure request, signed off by DPO",
  "audit_fact_unerasable": true
}

6. Cross-BRAIN import (P6 — teammate merge)

$ cyberos --store ./.cyberos-memory import ../teammate-brain.zip --filter sync_class=shareable

[import]  source_fingerprint: 2a4d8f...1b3c
[import]  session.start written  seq=14832
[import]  103 memories considered  -- 41 shareable, 62 private (skipped)
[import]  41 imported (foreign_chain preserved in extra)
[import]  session.end written  seq=14874
[import]  manifest.imports[2a4d8f...1b3c].last_imported_seq = 47812

Phase status & code stats

Total LoC (Python)

~5,000

core/ + tools/ + tests/

Test count

255 green

pytest · < 18s wall clock

Modules in core/

writer, reader, walker, mmr, sth, …