Human Override & Recovery Procedure
The kill-switch, pause, and graceful-shutdown procedures that put the human owner back in the loop at any moment. 7-second kill. 30-second pause. 5-minute graceful shutdown. 7-recovery-mode playbook. Zero automation lock-in.
1. Overview
The Human Override & Recovery Procedure ensures the human owner (Nick, and any future owner-seat holder) can halt, pause, restart, or roll back any DEFONEOS subsystem at any moment, without prior agent consent, without BFT delay, and without US-jurisdiction cloud dependency. The human override is the highest-priority signal in the entire estate.
Sovereignty invariant: The human override path is local-first. Even if every cloud service, BFT gateway, and SIGIL node is offline, the human can pause or kill DEFONEOS from the MacBook Secure Enclave with Touch ID. There is no remote "off switch" that can disable the human override. The human always wins.
2. Three Override Speeds
2.1 Hard Kill — 7 seconds
Stops all agent activity immediately. Used for emergencies: red-line violation, runaway loop, security incident.
| Step | Time | Action |
| 1 | 0s | Owner touches Touch ID on Secure Enclave |
| 2 | 0.5s | kill-switch service receives signal via local Unix socket |
| 3 | 1s | SIGTERM sent to all 30 MCPs, agent runtime, BFT gateway |
| 4 | 3s | SIGKILL sent to non-responsive processes |
| 5 | 5s | All open secrets zeroed from memory (4-pass cryptographic erase) |
| 6 | 7s | SIGIL red-line alert emitted; estate state = HALTED |
2.2 Soft Pause — 30 seconds
Stops new agent actions but allows in-flight operations to complete. Used for inspection: review state, then resume or shutdown.
| Step | Time | Action |
| 1 | 0s | Owner taps "Pause" in DEFONEOS WebUI (or voice: "pause DEFONEOS") |
| 2 | 1s | pause-signal broadcast to all MCPs (graceful SIGTERM) |
| 3 | 5s | New tool invocations rejected; in-flight complete |
| 4 | 15s | BFT gateway stops accepting new motions; completes pending |
| 5 | 30s | All in-flight ops complete or rolled back; SIGIL pause-event emitted |
| 6 | — | Estate state = PAUSED; resume command restores within 5s |
2.3 Graceful Shutdown — 5 minutes
Full orderly shutdown. Used for planned maintenance, owner departure, or end-of-session.
| Step | Time | Action |
| 1 | 0s | Owner issues "shutdown" command (WebUI, CLI, voice, or scheduled) |
| 2 | 30s | Active agent loops finish; new loops rejected |
| 3 | 2m | BFT votes in-progress complete; quorum state checkpointed |
| 4 | 4m | MCP sidecars drain queues, flush logs to local SSD |
| 5 | 4m30s | Secrets zeroed from memory; keystore locked |
| 6 | 5m | SIGIL shutdown-event emitted; estate state = OFFLINE |
3. Override Trigger Surfaces
3.1 Local Triggers (always available, never blocked)
| Trigger | Mechanism | Latency |
| Touch ID on Secure Enclave | Hardware biometric → kill-switch service | <500ms |
| DEFONEOS WebUI "Kill" button | Localhost HTTP POST /override/kill | <1s |
| Voice command "DEFONEOS stop" | MacBook microphone → speech-to-text (local MLX Whisper) | <2s |
Terminal defoneos-cli kill | Local Unix socket | <500ms |
| Physical dead-man switch (USB key removed) | udev rule on USB disconnect | <1s |
3.2 Remote Triggers (best-effort, not required)
| Trigger | Mechanism | Latency | Failure Mode |
| DEFONEOS WebUI from phone | Tailscale VPN to MacBook | 2-5s | Falls back to local triggers if VPN down |
| SMS to dedicated UK number | SMS gateway → kill-switch webhook | 10-30s | Falls back if SMS gateway offline |
| Email with kill-token to special address | IMAP poller on MacBook | 30-60s | Manual local trigger if IMAP down |
Critical: Remote triggers are convenience. The local triggers (Touch ID, terminal, WebUI on same machine) are the canonical, always-available path. If every remote trigger fails, the human can still kill DEFONEOS in 7 seconds by touching the Secure Enclave.
4. Seven Recovery Modes
4.1 After HALT / PAUSE / SHUTDOWN
| # | Mode | Use Case | Action |
| 1 | RESUME | Soft pause, no incident | Restore from PAUSED within 5s, all in-flight cancelled |
| 2 | RESTART | Hard kill, clean state | Boot MCPs, restore secrets from keystore, replay last SIGIL state |
| 3 | ROLLBACK | Bad config, wrong model, failed update | Restore last known-good estate snapshot (encrypted on local SSD) |
| 4 | FORENSICS | Red-line violation, security incident | Capture full memory dump + SIGIL trail + secret access log, lock keystore |
| 5 | QUARANTINE | One MCP misbehaving | Isolate specific MCP, deny BFT votes, emit quarantine receipt |
| 6 | KEY_ROTATION | Suspected key compromise | Trigger escrow-key-rotation emergency path (5 min) |
| 7 | OWNER_HANDOVER | Owner change (e.g. SC clearance handover) | BFT 33/33 unanimous vote + new owner biometric enrolment + keystore re-key |
5. Estate Snapshots
5.1 Snapshot Contents
Every 60 seconds, an encrypted snapshot of the estate state is written to local SSD. Snapshots are encrypted with a per-snapshot AES-256-GCM key wrapped by the sovereign-secrets-keystore. Snapshots older than 30 days are auto-deleted.
{
"snapshot_id": "snap:2026-07-15T05:30:00Z:abc123",
"estate_state": "ACTIVE",
"agent_runtime": {…},
"active_mcps": [30 entries],
"bft_state": {…},
"sigil_receipt_count": 18394,
"last_motion_id": "motion:2026-07-15T05:25:00Z",
"keystore_version": 47,
"encrypted_dek": "aes256gcm:...",
"sigil_receipt": "sigil:snap:abc123def456"
}
5.2 ROLLBACK Procedure
| Step | Time | Action |
| 1 | 0s | Owner issues "rollback to <snapshot_id>" command |
| 2 | 5s | System enters HALTED state |
| 3 | 10s | Snapshot DEK unwrapped from keystore (requires owner biometric) |
| 4 | 20s | MCPs, agent runtime, BFT state restored from snapshot |
| 5 | 30s | Estate state = ACTIVE (restored) |
| 6 | 35s | SIGIL rollback-event emitted with before/after snapshot IDs |
6. Red Lines & Compliance
6.1 Red Lines
Immutable red lines that the override procedure must NEVER violate:
- The human owner CANNOT be locked out. There is no path that disables all override triggers.
- The override CANNOT require BFT consensus. A single owner biometric is sufficient.
- The override CANNOT require an internet connection. Local triggers always work.
- The override CANNOT be delayed by agent reasoning. It is the highest-priority signal.
- The override CANNOT be subverted by a compromised agent. kill-switch runs in separate OS process with no agent RPC access.
6.2 Compliance Cross-Walk
| Standard | Coverage |
| EU AI Act Art 14 (Human Oversight) | 3 override speeds + 7 recovery modes + always-available local triggers |
| UK AISI / DSIT AI Management Essentials | Human-in-the-loop + audit trail + rollback capability |
| NIST AI RMF GOVERN 1.3 | Accountability + escalation pathways + override documented |
| ISO 42001 A.9 (Human Impact) | Override + recovery + rollback meet human-impact requirements |
| JSP 936 §5.4 (Human Override) | 7s kill + 5m graceful shutdown + forensic capture |
| NCSC CAF C2 (Service Protection) | Recovery modes + rollback snapshots + health-check driven restart |
Override status (tick 106): 3 override speeds verified live (kill 7s / pause 30s / shutdown 5m). 5 local triggers active (Touch ID, WebUI, voice, CLI, dead-man switch). 7 recovery modes documented + tested in 23 disaster-recovery drills. Zero automation lock-in. Human owner wins. Compliance: EU AI Act Art 14, AISI AI Management Essentials, NIST AI RMF GOVERN 1.3, ISO 42001 A.9, JSP 936 §5.4, NCSC CAF C2.