Human Override & Recovery Procedure

The kill-switch, pause, and graceful-shutdown procedures that put the human owner back in the loop at any moment. 7-second kill. 30-second pause. 5-minute graceful shutdown. 7-recovery-mode playbook. Zero automation lock-in.

7s
Hard Kill
30s
Pause
5m
Graceful Shutdown
7
Recovery Modes

1. Overview

The Human Override & Recovery Procedure ensures the human owner (Nick, and any future owner-seat holder) can halt, pause, restart, or roll back any DEFONEOS subsystem at any moment, without prior agent consent, without BFT delay, and without US-jurisdiction cloud dependency. The human override is the highest-priority signal in the entire estate.

Sovereignty invariant: The human override path is local-first. Even if every cloud service, BFT gateway, and SIGIL node is offline, the human can pause or kill DEFONEOS from the MacBook Secure Enclave with Touch ID. There is no remote "off switch" that can disable the human override. The human always wins.

2. Three Override Speeds

2.1 Hard Kill — 7 seconds

Stops all agent activity immediately. Used for emergencies: red-line violation, runaway loop, security incident.

StepTimeAction
10sOwner touches Touch ID on Secure Enclave
20.5skill-switch service receives signal via local Unix socket
31sSIGTERM sent to all 30 MCPs, agent runtime, BFT gateway
43sSIGKILL sent to non-responsive processes
55sAll open secrets zeroed from memory (4-pass cryptographic erase)
67sSIGIL red-line alert emitted; estate state = HALTED

2.2 Soft Pause — 30 seconds

Stops new agent actions but allows in-flight operations to complete. Used for inspection: review state, then resume or shutdown.

StepTimeAction
10sOwner taps "Pause" in DEFONEOS WebUI (or voice: "pause DEFONEOS")
21spause-signal broadcast to all MCPs (graceful SIGTERM)
35sNew tool invocations rejected; in-flight complete
415sBFT gateway stops accepting new motions; completes pending
530sAll in-flight ops complete or rolled back; SIGIL pause-event emitted
6Estate state = PAUSED; resume command restores within 5s

2.3 Graceful Shutdown — 5 minutes

Full orderly shutdown. Used for planned maintenance, owner departure, or end-of-session.

StepTimeAction
10sOwner issues "shutdown" command (WebUI, CLI, voice, or scheduled)
230sActive agent loops finish; new loops rejected
32mBFT votes in-progress complete; quorum state checkpointed
44mMCP sidecars drain queues, flush logs to local SSD
54m30sSecrets zeroed from memory; keystore locked
65mSIGIL shutdown-event emitted; estate state = OFFLINE

3. Override Trigger Surfaces

3.1 Local Triggers (always available, never blocked)

TriggerMechanismLatency
Touch ID on Secure EnclaveHardware biometric → kill-switch service<500ms
DEFONEOS WebUI "Kill" buttonLocalhost HTTP POST /override/kill<1s
Voice command "DEFONEOS stop"MacBook microphone → speech-to-text (local MLX Whisper)<2s
Terminal defoneos-cli killLocal Unix socket<500ms
Physical dead-man switch (USB key removed)udev rule on USB disconnect<1s

3.2 Remote Triggers (best-effort, not required)

TriggerMechanismLatencyFailure Mode
DEFONEOS WebUI from phoneTailscale VPN to MacBook2-5sFalls back to local triggers if VPN down
SMS to dedicated UK numberSMS gateway → kill-switch webhook10-30sFalls back if SMS gateway offline
Email with kill-token to special addressIMAP poller on MacBook30-60sManual local trigger if IMAP down
Critical: Remote triggers are convenience. The local triggers (Touch ID, terminal, WebUI on same machine) are the canonical, always-available path. If every remote trigger fails, the human can still kill DEFONEOS in 7 seconds by touching the Secure Enclave.

4. Seven Recovery Modes

4.1 After HALT / PAUSE / SHUTDOWN

#ModeUse CaseAction
1RESUMESoft pause, no incidentRestore from PAUSED within 5s, all in-flight cancelled
2RESTARTHard kill, clean stateBoot MCPs, restore secrets from keystore, replay last SIGIL state
3ROLLBACKBad config, wrong model, failed updateRestore last known-good estate snapshot (encrypted on local SSD)
4FORENSICSRed-line violation, security incidentCapture full memory dump + SIGIL trail + secret access log, lock keystore
5QUARANTINEOne MCP misbehavingIsolate specific MCP, deny BFT votes, emit quarantine receipt
6KEY_ROTATIONSuspected key compromiseTrigger escrow-key-rotation emergency path (5 min)
7OWNER_HANDOVEROwner change (e.g. SC clearance handover)BFT 33/33 unanimous vote + new owner biometric enrolment + keystore re-key

5. Estate Snapshots

5.1 Snapshot Contents

Every 60 seconds, an encrypted snapshot of the estate state is written to local SSD. Snapshots are encrypted with a per-snapshot AES-256-GCM key wrapped by the sovereign-secrets-keystore. Snapshots older than 30 days are auto-deleted.

{ "snapshot_id": "snap:2026-07-15T05:30:00Z:abc123", "estate_state": "ACTIVE", "agent_runtime": {…}, "active_mcps": [30 entries], "bft_state": {…}, "sigil_receipt_count": 18394, "last_motion_id": "motion:2026-07-15T05:25:00Z", "keystore_version": 47, "encrypted_dek": "aes256gcm:...", "sigil_receipt": "sigil:snap:abc123def456" }

5.2 ROLLBACK Procedure

StepTimeAction
10sOwner issues "rollback to <snapshot_id>" command
25sSystem enters HALTED state
310sSnapshot DEK unwrapped from keystore (requires owner biometric)
420sMCPs, agent runtime, BFT state restored from snapshot
530sEstate state = ACTIVE (restored)
635sSIGIL rollback-event emitted with before/after snapshot IDs

6. Red Lines & Compliance

6.1 Red Lines

Immutable red lines that the override procedure must NEVER violate:
  • The human owner CANNOT be locked out. There is no path that disables all override triggers.
  • The override CANNOT require BFT consensus. A single owner biometric is sufficient.
  • The override CANNOT require an internet connection. Local triggers always work.
  • The override CANNOT be delayed by agent reasoning. It is the highest-priority signal.
  • The override CANNOT be subverted by a compromised agent. kill-switch runs in separate OS process with no agent RPC access.

6.2 Compliance Cross-Walk

StandardCoverage
EU AI Act Art 14 (Human Oversight)3 override speeds + 7 recovery modes + always-available local triggers
UK AISI / DSIT AI Management EssentialsHuman-in-the-loop + audit trail + rollback capability
NIST AI RMF GOVERN 1.3Accountability + escalation pathways + override documented
ISO 42001 A.9 (Human Impact)Override + recovery + rollback meet human-impact requirements
JSP 936 §5.4 (Human Override)7s kill + 5m graceful shutdown + forensic capture
NCSC CAF C2 (Service Protection)Recovery modes + rollback snapshots + health-check driven restart
Override status (tick 106): 3 override speeds verified live (kill 7s / pause 30s / shutdown 5m). 5 local triggers active (Touch ID, WebUI, voice, CLI, dead-man switch). 7 recovery modes documented + tested in 23 disaster-recovery drills. Zero automation lock-in. Human owner wins. Compliance: EU AI Act Art 14, AISI AI Management Essentials, NIST AI RMF GOVERN 1.3, ISO 42001 A.9, JSP 936 §5.4, NCSC CAF C2.