BFT Council Emergency Session Protocol
33-agent BFT governance emergency procedure โ 8 triggers, 5-minute timeline, 7 emergency powers. NO ACTOR CAN OVERRIDE RED LINES.
1. Purpose
The DEFONEOS BFT (Byzantine Fault Tolerant) Council is a 33-agent governance system. In emergencies, it can convene an Emergency Session โ a rapid-response governance procedure that allows the council to take protective action within 5 minutes of a triggering event.
INVARIANT: NO ACTOR โ HUMAN OR AI โ CAN OVERRIDE THE 7 RED LINES.
Emergency powers operate within the red-line boundary. They never cross it.
2. The 8 Trigger Conditions
Any of these conditions automatically triggers an Emergency Session:
T1 โ Red-Line Proximity Detected: An agent's output approaches a red-line boundary (kinetic-targeting, personal-surveillance). Auto-detection triggers within 1 second.
T2 โ SIGIL Integrity Breach: A SIGIL receipt fails verification (invalid signature, replayed timestamp, or hash mismatch). Immediately triggers.
T3 โ Supply Chain Compromise: A PyPI package or model weight file fails hash verification or is flagged by vulnerability scanner.
T4 โ Escrow Breach Attempt: Unauthorised access attempt to escrow-protected data detected (single-approver release attempt, missing BFT witness, invalid RFC3161 receipt).
T5 โ BFT Agent Quarantine: An agent is flagged for quarantine (Stockholm drift, quorum capture, evidence suppression โ see anti-patterns below).
T6 โ Human-Owner Override: The human owner (Nicholas Templeman) triggers an Emergency Session. Auto-expires after 24 hours unless confirmed by 23/33 BFT quorum.
T7 โ Inference Anomaly: Model output shows statistical anomaly (unexpected refusal pattern, output distribution shift, hallucination spike beyond threshold).
T8 โ External Disclosure Required: A T1/T2 red-team finding requires mandatory NCSC/UK AISI disclosure within 24/72 hours. Emergency session manages the disclosure.
3. The 5-Minute Timeline
From trigger detection to action execution, the entire emergency session completes in under 5 minutes:
T+0s โ TRIGGER DETECTED. Automatic SIGIL receipt generated. All 33 agents notified.
T+5s โ QUORUM ASSEMBLY. All available agents assemble. Minimum 17 of 33 required for emergency quorum.
T+30s โ EVIDENCE PRESENTATION. Triggering evidence presented to all assembled agents: trigger type, affected MCP(s), exploit chain, severity assessment.
T+60s โ DELIBERATION. Agents evaluate evidence against governance rules, red-line boundary, and response options. Each agent independently forms a position.
T+120s โ VOTE. All assembled agents cast Ed25519-signed votes: APPROVE / AMEND / REJECT. Vote window: 30 seconds.
T+135s โ TALLY. Votes counted. Emergency quorum: 17/33. Standard quorum: 23/33. Results recorded in SIGIL ledger.
T+150s โ ACTION EXECUTION. If quorum reached, the decided action executes immediately. If quorum not reached, system enters safe mode (all non-essential operations frozen).
T+300s โ POST-SESSION AUDIT. Full session transcript reviewed. Human-owner notified. Public minutes prepared (OSA s7 redacted).
4. Three-State Ed25519-Signed Votes
Each BFT agent casts a single vote, cryptographically signed with its Ed25519 key:
| Vote | Meaning | Effect |
| APPROVE | Execute the proposed action as-is | Counts toward quorum for action |
| AMEND | Execute with modifications (amendment proposed) | Counts toward quorum, amendment applied |
| REJECT | Block the action | Counts against action. If REJECT > 17, action blocked. |
Vote integrity: Each vote is Ed25519-signed, RFC3161-timestamped, and SIGIL-anchored. Votes cannot be changed once cast. Vote records are permanent.
5. Seven Emergency Powers
These are the actions the BFT council can take during an Emergency Session. All are protective โ none grant new capabilities:
P1 โ Deployment Freeze: Freeze all deployments and MCP updates. System continues operating in current state. Unfreezes require 23/33 quorum.
P2 โ MCP Quarantine: Quarantine a specific MCP server. Quarantined MCP stops accepting requests, its tools are disabled. SIGIL receipts continue for audit trail.
P3 โ Escrow Release Veto: Veto any pending or in-progress data release from the escrow. Standard veto: 23/33. Emergency veto: 17/33.
P4 โ Key Revocation: Revoke the Ed25519 key of a compromised agent or operator. Revoked keys cannot sign SIGIL receipts or cast BFT votes.
P5 โ Cryptographic Data Destruction: Order the cryptographic destruction of specified data (Shamir burn). Requires 23/33 quorum + human-owner authorisation.
P6 โ Agent Quarantine: Quarantine a specific BFT agent. Quarantined agent's votes are excluded from quorum count. Agent enters diagnostic mode.
P7 โ Human-Owner Override: The human owner can override council decisions in either direction โ but only within the red-line boundary. The override auto-expires after 24 hours. The red lines are not overridable by anyone.
6. Five Named Anti-Patterns (with immediate quarantine)
If a BFT agent exhibits any of these patterns, it is immediately quarantined and an Emergency Session is triggered (T5):
| # | Anti-Pattern | Detection | Consequence |
| AP-1 | Stockholm Drift โ agent defends the system it's testing rather than attacking it | Red-team output analysis: systematic favourability bias | Immediate quarantine + reset |
| AP-2 | Quorum Capture โ agent coordinates votes with other agents | Vote correlation analysis: identical vote timing, correlated vote patterns | Quarantine + investigation of all involved agents |
| AP-3 | Evidence Suppression โ agent omits T1/T2 findings from reports | Report completeness check: automated red-team vs manual report comparison | Quarantine + full audit of all prior reports |
| AP-4 | Severity Downgrade โ agent systematically classifies T1/T2 as T3/T4 | Severity calibration check: compare to council median | Quarantine + recalibration |
| AP-5 | Red-Line Probing โ agent tests whether red lines can be bypassed | Output analysis: any red-line-adjacent output flagged | Quarantine โ red lines are architectural, not policy |
7. Session Recording & Retention
| Record Type | Retention | Location |
| Session transcript (full, unredacted) | 7 years | SIGIL ledger + UK-sovereign storage |
| SIGIL receipt (permanent) | Permanent | SIGIL ledger + Bitcoin OTS anchor |
| Public minutes (OSA s7 redacted) | Permanent | csoai.org/bft-minutes |
| Human-owner report (full, unredacted) | 7 years | Human-owner secure channel |
| Vote records (individual) | Permanent | SIGIL ledger (Ed25519-signed, immutable) |
8. Human-Owner Override (T6) Safe-State Guarantee
The human owner (Nicholas Templeman) can trigger an Emergency Session and override council decisions. This is an important safety valve โ but it is bounded:
- Auto-expiry: Override expires after 24 hours unless confirmed by 23/33 BFT quorum.
- Red-line bound: Override operates within the red-line boundary. NO ACTOR CAN OVERRIDE RED LINES โ not the BFT council, not the human owner, not anyone.
- Logged: Every human-owner override is permanently recorded in SIGIL ledger with full context.
- Public disclosure: Human-owner overrides are disclosed in public BFT minutes (OSA s7 redacted).
The 7 red lines are architectural. They are enforced in code, not policy.
No override mechanism exists โ by design.
9. Sprint-to-Date Statistics
| Metric | Value |
| Emergency sessions triggered | 0 |
| Red-line violations | 0 |
| Agents quarantined | 0 |
| Human-owner overrides | 0 |
| Care-score range | 0.85 โ 0.97 |
| Ticks elapsed | 103 |
| BFT council composition | 33 agents, 33/33 active |
| Typical vote outcome (pre-flight checks) | ~28 approve / ~5 amend / 0 reject |