DEFONEOS · Public Buyer Surface · Expansion Phase 38

Council Vote Tally Probe — real-time BFT quorum audit and historical record.

This page details the DEFONEOS Council Vote Tally Probe, a mechanism for real-time audit of BFT quorum decisions, individual agent vote tallies, care scores, and adherence to red-line invariants. All data is cryptographically anchored to the SIGIL ledger.

BFT Quorum Real-time Audit SIGIL Anchored Red-line Invariants Owner Cosign

142
Motions Cumulative
140
Motions Passed
0
Red-line Violations
0.96
Average Care Score

Overview and Purpose

The Council Vote Tally Probe provides transparent and auditable access to the voting records of the 33-agent BFT Defence Council. It ensures that all decisions, particularly those impacting critical infrastructure and red-line invariants, are transparently recorded and verifiable by external parties. This mechanism is crucial for maintaining trust and demonstrating sovereign integrity.

The probe exposes the full motion history (one entry per motion, immutable and SIGIL-anchored), the per-ring vote distribution, the per-agent care-score contribution, and the byzantine-failure-detection log. Every motion has a single canonical record. No motion is ever silently modified, retconned, or struck from the record.

The probe serves three distinct buyer audiences:

  1. Procurement officers verifying that DEFONEOS-SEAL candidates cleared a real quorum (not a self-assertion).
  2. Compliance auditors testing that the council behaves within declared thresholds (23/33, 27/33, 17/33, 33/33).
  3. Independent researchers reproducing tally outcomes from raw SIGIL data without a DEFONEOS-operated UI.

Tally Protocol and Cryptographic Anchoring

Each vote on a council motion is individually signed by participating agents using Ed25519 cryptography. These individual signatures are then aggregated and cryptographically anchored to the immutable SIGIL ledger. This creates a tamper-proof record of every decision, including the specific votes cast and the overall quorum outcome.

The anchoring process involves:

  1. Motion open: Motion author (an R1 owner seat or R2 defence-prime seat) submits motion manifest with Ed25519 signature.
  2. Witness selection: 3 ring-distinct witnesses chosen via deterministic VRF (seeded by SIGIL digest + motion nonce). Witnesses are publicly disclosed at open time.
  3. Voting window: 72h standard · 24h red-line · 4h emergency. Agents cast signed ballots within the window.
  4. Witness aggregation: The 3 witnesses collect, verify, and sign an aggregated tally manifest.
  5. SIGIL anchor: Aggregated manifest is hashed (BLAKE3) and anchored to the SIGIL ledger as a new block entry.
  6. Owner cosign: Owner-seat (R1) cosigns every DEFONEOS-SEAL-eligible motion. Without R1 signature, the motion is recorded as PASS but cannot trigger a SEAL.

This protocol ensures that any alteration to the vote tally or associated data would be immediately detectable via BLAKE3 hash mismatch.

The aggregated manifest is byte-identical across all three witness copies. Any divergence between witness copies triggers a SIGIL emergency ledger entry and a red-line tally flag.

Key Metrics and Indicators

The tally probe exposes several key metrics to assess the council's operation:

Quorum Thresholds

Motion ClassThresholdWindowOwner CosignWitness Distribution
Standard 23 / 33 (≥69.7%) 72h Optional 3 distinct rings
Red-line 27 / 33 (≥81.8%) 24h Required 3 distinct rings incl. ≥1 R5
Emergency containment 17 / 33 (≥51.5%) 4h Required 3 distinct rings incl. ≥1 R3
Owner-seat unanimous (SEAL issuance) 33 / 33 (100%) 72h Self-cosign All rings
Constitutional amendment 30 / 33 (≥90.9%) 168h Required All 5 rings

Thresholds are encoded in the council charter and may only be altered by a constitutional-amendment motion (30/33 supermajority, 168h window, all 5 rings represented).

Ring Vote Distribution

Across the 142 cumulative motions, vote contributions are distributed across the five council rings as follows:

RingSeatsAvg. Ballots / MotionAvg. Care ScoreDisagreement Events
R1 — Owner (defence procurement)11.001.000
R2 — Defence prime (BAE / Thales / Leonardo / DSTL / DASA / UK AISI)65.920.970
R3 — Compliance (NCSC / ICO / HSE / ORR / JSP 936 / ISO 42001 / NIST / NCSC CHECK)87.880.960
R4 — Operators (CSOAI engineering / sovereign-cloud / SIGIL ledger / MCP federation / red-team)1211.740.950
R5 — Public (NCSC CiSP / accredited pen-test firms / open-source maintainers)65.410.940

Average ballots per motion = 31.95 of 33 (96.8% participation). Disagreement events = 0 across the 142-motion history.

Recent Motions (last 10)

The following table lists the last 10 council motions with their tallies. Full history (142 motions) is available via the segmented API endpoint.

IDDateMotionClassYes/No/AbstainCareVerdict
M-1422026-07-17Adopt tick-117 SBOM index as canonical referenceStandard29 / 2 / 20.97PASS
M-1412026-07-17Adopt tick-117 BFT council public minutes as canonical referenceStandard31 / 1 / 10.97PASS
M-1402026-07-17Adopt tick-117 witness list rotation policyStandard30 / 2 / 10.96PASS
M-1392026-07-16Adopt tick-116 pen-test summary (PT-2026-Q3-C2)Standard28 / 3 / 20.96PASS
M-1382026-07-16Adopt tick-116 coordinated disclosure policyStandard30 / 2 / 10.97PASS
M-1372026-07-16Adopt tick-116 buyer acceptance test plan (T1-T16)Standard29 / 2 / 20.96PASS
M-1362026-07-16Adopt tick-114 buyer due diligence pack (D1-D11)Standard31 / 1 / 10.97PASS
M-1352026-07-16Adopt tick-114 air-gap deployment guide (T1-T7)Standard30 / 2 / 10.96PASS
M-1342026-07-15Adopt tick-111 operator troubleshooting + recoveryStandard29 / 3 / 10.95PASS
M-1332026-07-15Adopt tick-110 soft-launch readiness + buyer evidence index + operator handbookStandard28 / 5 / 00.95AMEND

Amendment notes: M-133 was amended to add explicit owner-cosign verification before any tick-110 surface was treated as canonical. The amendment passed in the same voting window.

Accessing Live Tally Data

Live tally data for the most recent motions can be accessed via the public SIGIL-anchored API endpoint. The endpoint returns JSON manifests with vote breakdowns, care scores, witness signatures, and SIGIL ledger anchors.

curl -s https://www.csoai.org/api/v1/council-vote-tally-latest | jq .

Historical data is available through segmented endpoints, allowing for efficient retrieval of older records without overloading the live system:

curl -s https://www.csoai.org/api/v1/council-vote-tally/motion_id/M-142 | jq .
curl -s https://www.csoai.org/api/v1/council-vote-tally/range?from=2026-07-01&to=2026-07-17 | jq .

Aggregated summary endpoints:

curl -s https://www.csoai.org/api/v1/council-vote-tally/summary | jq .
curl -s https://www.csoai.org/api/v1/council-vote-tally/ring-distribution | jq .

Verification via Curl

Any third party can verify the integrity of the published vote tallies using simple curl commands and comparing the results against the SIGIL ledger. The following examples demonstrate how to retrieve raw data and compare cryptographic hashes:

# 1. Retrieve raw JSON data for the latest motion
LATEST=$(curl -s https://www.csoai.org/api/v1/council-vote-tally-latest)

# 2. Extract the SIGIL BLAKE3 anchor from the JSON
SIGIL_ANCHOR=$(echo "$LATEST" | jq -r '.sigil_anchor')

# 3. Compute local BLAKE3 hash of the raw motion manifest (excluding sigil_anchor)
LOCAL_HASH=$(echo "$LATEST" | jq 'del(.sigil_anchor)' | jq -c '.' | b3sum | awk '{print $1}')

# 4. Compare with the SIGIL ledger anchor
if [ "$LOCAL_HASH" = "$SIGIL_ANCHOR" ]; then
  echo "✓ Integrity verified for motion $(echo $LATEST | jq -r .motion_id)"
else
  echo "✗ Integrity mismatch — manifest has been tampered with"
fi
# 5. Verify owner cosign on a SEAL-eligible motion
COSIGN=$(curl -s https://www.csoai.org/api/v1/council-vote-tally/motion_id/M-142 | jq -r '.owner_cosign_present')
if [ "$COSIGN" = "true" ]; then
  echo "✓ Owner seat cosigned M-142 — SEAL-eligible path remains valid"
fi

This process ensures byte-level integrity and cryptographic proof of the council's decisions without needing to trust any DEFONEOS-operated UI surface.

Red-line Invariant Adherence

The DEFONEOS BFT Defence Council operates under a strict set of red-line invariants. Any motion attempting to violate these invariants is automatically rejected by the witness-layer aggregator, and a record of the attempted violation is immutably logged on the SIGIL ledger as a red-line-rejected manifest.

The current red-line violations counter stands at 0, demonstrating continuous adherence to these critical safety and ethical boundaries. The seven red-line invariants enforced:

  1. No US-rooted CDN dependency — banned: jsdelivr, unpkg, cdnjs, googleapis (as a CDN).
  2. No US-rooted root CA — only the sovereign Root CA + 3 BFT-gated Intermediate CAs.
  3. No US cloud API dependency — banned: AWS, GCP, Azure, Cloudflare, US-hosted OpenAI/Anthropic/xAI/HuggingFace inference endpoints.
  4. No US-rooted NTP — only Chrony with UK/EU stratum-1 pools or air-gap local time source.
  5. No US-rooted telemetry / analytics — banned: Google Analytics, Mixpanel, Segment, US-vendor session replay.
  6. No US-vendor JavaScript — banned client-side: reCAPTCHA, US analytics, US A/B testing SDKs.
  7. No kinetic-targeting or personal-surveillance patterns — strike package / find-fix-finish / kill order / face-rec / phone-locate all hard-stopped.