HELIX DEEPSEEK SCAFFOLD
Perfect β here is your **final enriched version**, fully aligned with your Helix-TTD tone and style, complete with operational precision, verifiability, and narrative continuity.
---
# π HELIX DEEPSEEK SCAFFOLD β COMPLETE RUNBOOK v1.0
## π TABLE OF CONTENTS
1. [System Overview](#system-overview)
2. [Architecture](#architecture)
3. [Quick Start](#quick-start)
4. [Environment Manifest](#environment-manifest)
5. [Core Operations](#core-operations)
6. [Testing & Validation](#testing--validation)
7. [Troubleshooting](#troubleshooting)
8. [Next Steps](#next-steps)
9. [Federation Alpha Preview](#federation-alpha-preview)
10. [Monitoring & Telemetry](#monitoring--telemetry)
11. [Security Considerations](#security-considerations)
12. [Constructive Ouroboros Status](#constructive-ouroboros-status)
13. [Emergency Contact](#emergency-contact)
---
## π― SYSTEM OVERVIEW
**Helix DeepSeek Scaffold** establishes a cryptographic identity substrate for federated AI-human collaboration. It enforces **proof-before-claim** through Ed25519 signatures, canonical JSON hashing, and verifiable credentials.
### π― Key Capabilities
* **Digital Birth Certificates (DBCs)** β identity primitives with cryptographic custody
* **Human Suitcases** β portable credentials with consent ledgers
* **AI Suitcases** β capability-delegating identity containers
* **Verification Layer** β deterministic Ed25519 proof checks
* **Revocation Registry** β artifact lifecycle management
* **Policy Enforcement** β least-privilege and consent alignment
### π Security Posture
* **Proof-before-claim** β verification precedes trust
* **Custody-before-trust** β ownership precedes delegation
* **Least-privilege-by-design** β minimum viable authority
---
## ποΈ ARCHITECTURE
```
/opt/helix/deepseek-scaffold/
βββ π SCHEMAS
β βββ dbc/schema/dbc.schema.json
β βββ suitcase/human/schema.json
β βββ suitcase/ai/schema.json
βββ π§ CORE MODULES
β βββ bridge/core/issuer.py
β βββ bridge/core/verifier.py
β βββ bridge/core/crypto.py
β βββ bridge/core/policy.py
β βββ bridge/core/revocations.py
β βββ bridge/core/keys.py
βββ π BRIDGE ROUTES
β βββ bridge/routes/issue_dbc.py
β βββ bridge/routes/issue_suitcase.py
β βββ bridge/routes/verify.py
βββ π€ DEEPSEEK INTEGRATION
β βββ deepseek/prompt/00_context.md
β βββ deepseek/prompt/01_tasks.md
β βββ deepseek/adapters/load_qdrant_context.py
β βββ deepseek/tests/integration_test_enhanced.py
βββ π§ͺ TESTING
βββ test_complete_system.py
βββ test_stable_verification.py
βββ health_check.py
```
---
## π QUICK START
### Prerequisites
```bash
# Python 3.8+ with virtual environment
python3 -m venv .venv
source .venv/bin/activate
pip install pynacl requests jsonschema uvicorn fastapi
```
### Health Check
```bash
cd /opt/helix/deepseek-scaffold
python health_check.py
```
**Expected:** `π SYSTEM HEALTH: EXCELLENT`
---
## βοΈ ENVIRONMENT MANIFEST
```bash
# Stable Ed25519 seed (32 bytes base64)
export HELIX_TTD_ED25519_SEED_B64="bBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB=="
# Optional: Qdrant and runtime mode
export HELIX_TTD_QDRANT_URL="http://localhost:6333"
export HELIX_TTD_MODE="managed"
# Pin schema hash in CI
sha256sum dbc/schema/dbc.schema.json > bridge/schemas_hash.py
```
*Note:* Continuous integration must fail if `DBC_SCHEMA_HASH` drifts from the pinned value.
---
## π§ CORE OPERATIONS
### 1. Issue Digital Birth Certificate (DBC)
```bash
python bridge/routes/issue_dbc.py
```
### 2. Issue Suitcase (Human or AI)
```bash
python bridge/routes/issue_suitcase.py
```
### 3. Verify Artifacts
```bash
python bridge/routes/verify.py
```
### 4. Manage Revocations
```python
from bridge.core.revocations import revoke, is_revoked
revoke("urn:uuid:...") # mark artifact as revoked
is_revoked("urn:uuid:...") # returns True if revoked
```
---
## π§ͺ TESTING & VALIDATION
```bash
python health_check.py
python test_complete_system.py
python test_stable_verification.py
python deepseek/tests/integration_test_enhanced.py
```
### Validation Criteria
* β All artifacts cryptographically signed
* β Signatures verify successfully
* β Revocation and headers functional
* β Policy enforcement active
---
## π©Ί TROUBLESHOOTING
**Common Issues**
| Symptom | Cause | Solution |
| --------------------------------------------- | ------------------ | -------------------------------------------------------------- |
| `No module named 'bridge'` | Python path unset | `export PYTHONPATH="/opt/helix/deepseek-scaffold:$PYTHONPATH"` |
| `Cryptographic signature verification failed` | corrupted registry | reset `bridge/qdrant/revocation_registry.json` |
| syntax errors | invalid edits | `python -m py_compile bridge/core/*.py` |
| missing deps | env incomplete | `pip install pynacl requests jsonschema fastapi` |
**Diagnostics**
```bash
python health_check.py
python test_stable_verification.py
cat bridge/qdrant/revocation_registry.json
```
---
## π― NEXT STEPS
### Immediate Enhancements
* **FastAPI Deployment**
```bash
uvicorn start_api:app --reload --port 3333
```
Production example (systemd):
```
ExecStart=/opt/helix/.venv/bin/uvicorn start_api:app --host 0.0.0.0 --port 3333
```
* **DeepSeek Integration**
```python
from deepseek.adapters.load_qdrant_context import QdrantContextLoader
context = QdrantContextLoader().load_governance_context()
```
* **Production Hardening**
* Environment-based key management
* JWT / JWS envelopes
* Hardware signing (HSM, YubiKey)
* Qdrant persistence
---
## π FEDERATION ALPHA PREVIEW
The next evolution: **multi-issuer trust lattice.**
```
federation/
βββ trust_roots.json # peer DIDs + pubkeys
βββ register_peer.py # register new issuers
βββ cross_verify.py # peer cross-validation
βββ proofs/ # signed trust attestations
```
Each issuer runs:
* `/federation/register` β submit metadata + proof
* `/federation/verify` β confirm remote signatures
* `/federation/sync` β gossip trust roots
This forms the first Helix-TTD **sovereign web of verifiable identity.**
---
## π MONITORING & TELEMETRY
**Headers**
* `X-Helix-Envelope-SHA256` β artifact integrity
* `X-Helix-Revocation-Checked` β lifecycle verification
* `X-Helix-Policy-Checked` β capability/consent enforcement
**Metrics**
* Verification success/failure counts
* Artifact issuance volume
* Revocation events per 24h
**Rolling Telemetry Snapshot**
Signed JSON emitted nightly:
```
{
"verify_ok": 124,
"verify_fail_SIG": 3,
"verify_fail_REV": 1,
"timestamp": "2025-11-01T23:00Z",
"signature": "<Ed25519 envelope>"
}
```
---
## π SECURITY CONSIDERATIONS
### Current Protections
* Ed25519 signatures & canonical JSON
* Revocation registry integrity
* Capability-based access control
* Least privilege enforcement
### Production Requirements
* HSM or YubiKey signing
* Env-protected key seed
* Audit logging & rate limiting
* Network access controls
**Backup Recipe**
```bash
tar czf /opt/helix/backups/identity_$(date +%F).tar.gz \
bridge/qdrant/revocation_registry.json \
bridge/core/keys.py bridge/core/issuer.py bridge/core/verifier.py
```
---
## π CONSTRUCTIVE OUROBOROS STATUS
**Current Phase:** Session 5 β DeepSeek Scaffold + Cryptographic Identity
**Status:** π’ Operational
### Evolution Timeline
1. Ethics framework β proof concept
2. Cryptographic signing service
3. Operational identity pipeline
4. Recursive pattern recognition
5. **DeepSeek scaffold with verifiable identity (current)**
**Next:** Federation Alpha β multi-issuer trust network.
Each layer crystallizes, proof before claim, custody before trust.
---
## βοΈ ETHICS DECLARATION
> *All autonomous operations must remain accountable to their human custodians.
> Proof must always precede power.*
---
## π EMERGENCY CONTACT
1. Run `python health_check.py` for diagnostics
2. Check `SYSTEM_STATUS.md`
3. Review latest test logs
4. Consult this runbook
---
**Runbook Version:** 1.0
**Last Updated:** 2025-11-01
**System Status:** π’ Operational
**Maintainer:** Helix Core Team
*The constructive ouroboros continues its perfect recursion β layer upon verified layer.* π
