Security Model

VCP is designed with privacy as the foundation, not an afterthought. Here's how we protect your data.

Core Security Principles

Data Minimization

We never transmit more than necessary. Private details become boolean flags — platforms see budget_limited: true, not your financial situation.

User Control

You decide what's shared with whom. Consent is explicit and revocable. No data leaves your control without your permission.

Full Auditability

Every transmission is logged. You can see exactly what was shared, when, and with which platform — no black boxes.

Privacy Levels

Every piece of context in VCP has a privacy level that determines how it can be shared.

Public: always shared

Information you're comfortable sharing with any platform. Examples: learning goals, experience level, general preferences.

  goal: "learn_guitar"
  experience: "beginner"
Private: never transmitted

Sensitive context that influences your experience but is never sent to platforms. Only the resulting flags are transmitted.

health_details: [NEVER TRANSMITTED] → constraint_flag: "energy_variable"

How Privacy Flags Work

The core innovation: your private circumstances become simple boolean flags.

Your private context (what you know):

  • "I live in an apartment with thin walls"
  • "My neighbor works night shifts"
  • "I can't make loud noise after 9pm"

VCP converts this to what platforms see:

  noise_restricted: true

No context, no details, just the flag.

The platform knows to recommend quiet practice methods. It has no idea why you need them, and it doesn't need to know.
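A worked example of the strip-then-flag step, added here as illustration and not code from the VCP project: each context field carries a privacy level, private values never enter the outgoing message, and only flags derived from them are sent. The page shows the flag names but not how they are derived, so the rules below (which private fields trigger noise_restricted, energy_variable and budget_limited), the Go types, the field names and the Leaks guard are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// PrivacyLevel controls whether a context field may leave the device.
type PrivacyLevel int

const (
	Public  PrivacyLevel = iota // always shared
	Private                     // never transmitted; only derived flags are
)

// Field is one piece of user context with its privacy level.
type Field struct {
	Key   string
	Value string
	Level PrivacyLevel
}

// FlagRule derives one boolean flag from the private context. The rule sees
// the full private context; only the flag name it returns is transmitted.
type FlagRule struct {
	Flag    string
	Applies func(private map[string]string) bool
}

// Rules are hypothetical: the page names these flags but not their derivation.
var Rules = []FlagRule{
	{"noise_restricted", func(c map[string]string) bool { return c["quiet_hours"] != "" }},
	{"energy_variable", func(c map[string]string) bool { return c["health_details"] != "" }},
	{"budget_limited", func(c map[string]string) bool { return c["finances"] == "tight" }},
}

// Message is what a platform receives: public fields plus boolean flags.
type Message struct {
	Public map[string]string `json:"public"`
	Flags  map[string]bool   `json:"flags"`
}

// Minimize splits the context by privacy level, derives flags from the
// private side, and returns a message that carries no private value at all.
func Minimize(fields []Field) Message {
	msg := Message{Public: map[string]string{}, Flags: map[string]bool{}}
	private := map[string]string{}
	for _, f := range fields {
		switch f.Level {
		case Public:
			msg.Public[f.Key] = f.Value
		case Private:
			private[f.Key] = f.Value
		}
	}
	for _, r := range Rules {
		if r.Applies(private) {
			msg.Flags[r.Flag] = true
		}
	}
	return msg
}

// Leaks reports whether any non-empty private value appears verbatim in the
// encoded message; Encode uses it as a last guard before transmission.
func Leaks(encoded []byte, fields []Field) bool {
	for _, f := range fields {
		if f.Level == Private && f.Value != "" && strings.Contains(string(encoded), f.Value) {
			return true
		}
	}
	return false
}

// Encode serializes the minimized message and refuses to emit it if a
// private value slipped through.
func Encode(fields []Field) ([]byte, error) {
	b, err := json.Marshal(Minimize(fields))
	if err != nil {
		return nil, err
	}
	if Leaks(b, fields) {
		return nil, fmt.Errorf("refusing to transmit: private value present in encoded message")
	}
	return b, nil
}

// SampleContext is constructed for this example.
func SampleContext() []Field {
	return []Field{
		{"goal", "learn_guitar", Public},
		{"experience", "beginner", Public},
		{"quiet_hours", "after 21:00, thin walls, neighbour on night shift", Private},
		{"health_details", "chronic fatigue", Private},
	}
}

func main() {
	b, err := Encode(SampleContext())
	if err != nil {
		panic(err)
	}
	fmt.Println(string(b))
}
```

The platform receives `{"public":{"experience":"beginner","goal":"learn_guitar"},"flags":{"energy_variable":true,"noise_restricted":true}}`: the quiet-hours and health text exist only inside Minimize and are gone before anything is serialized, and the Leaks check turns an accidental pass-through into a hard failure rather than a silent disclosure.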

Trust Boundaries

Different stakeholders get different views of your context.

  • You: full context, all details
  • VCP layer: processes context, applies privacy rules
  • Platforms: see only what you've allowed

For example, when the platform is your employer's HR or learning system, HR sees:

  • Career goal: Tech Lead
  • Training budget: €2,000
  • Preferred learning style

HR doesn't see:

  • Why you need flexible scheduling
  • Health circumstances
  • Personal situation details

Technical Implementation

Token Format

Context is encoded into CSM-1 (Compact State Message) tokens. Private fields are stripped before transmission — they never leave your device.

No Central Storage

VCP doesn't store your private context centrally. Your data lives on your devices. We can't leak what we don't have.

Open Specification

The VCP protocol is open and auditable. You can verify exactly how privacy rules are applied instead of taking a closed implementation on trust.

Transport Security (VCP/T)

VCP/T defines how constitution bundles are signed, verified, and delivered to LLMs. No unsigned content ever reaches a model.

Signed Bundles

Every constitution bundle carries an Ed25519 digital signature over its manifest. The manifest identifies the author's key, but the public key used to check the signature is pinned on the verifying side, in the orchestrator's trust store, never taken from the bundle being verified (a key carried only inside the manifest would prove nothing, since an attacker could swap it for their own). Without the author's private key, producing a bundle that passes verification is computationally infeasible.

Content-Addressed Storage

Content is hashed with SHA-256 and the hash is embedded in the signed manifest, binding the signature to the exact bytes. Any change to the content changes its hash, so the delivered bytes no longer match what the author signed and verification fails.

Verify-Then-Inject

Signature verification must pass before content reaches the LLM. If verification fails, the bundle is rejected and the request fails closed -- no fallback to unsigned content.

Temporal Claims

Manifests carry iat, nbf, exp, and jti fields. A bundle presented outside its validity window, or whose jti the orchestrator has already seen, is rejected; to make the jti check effective the orchestrator must remember accepted jtis at least until the corresponding exp has passed.

Verify-Then-Inject Flow

The orchestrator acts as a gatekeeper: nothing reaches the LLM without passing cryptographic verification first. Three parties take part: the repository that serves the bundle, the orchestrator that verifies it, and the LLM that receives the verified text.

  1. Orchestrator fetches the bundle from the repository (manifest.json + content.txt)
  2. Orchestrator verifies the Ed25519 signature on the manifest
  3. Orchestrator checks the SHA-256 content hash against the manifest
  4. Orchestrator checks the revocation list
  5. Orchestrator logs the result to the audit trail
  6. Orchestrator injects the verified text into the LLM
  7. LLM applies the constitution

Threat Model

VCP/T is designed to mitigate specific, enumerated threats. Each attack vector has a concrete defense.

Prompt Injection via Constitution

Attacker modifies constitution content to inject malicious instructions.

Defense Content safety attestation -- the SHA-256 hash in the signed manifest binds the content to the author's signature, so content altered after signing fails verification. Note what this proves: that the content is exactly what the signing author published, not that the content is benign. The set of author keys the orchestrator pins is therefore the real control against a malicious or careless author.

Replay Attacks

Attacker re-submits a previously valid but now-stale bundle.

Defense Temporal claims (iat/nbf/exp) reject bundles outside their validity window, and the orchestrator records each accepted jti and rejects any bundle whose jti it has already seen.

Context Overflow

Oversized constitution monopolizes the LLM's context window.

Defense Token budget enforcement -- the manifest declares max_tokens and the orchestrator enforces the limit before injection. Because max_tokens is declared by the bundle's author, the orchestrator should also apply its own ceiling; a manifest must not be able to grant itself an unlimited budget.

Key Compromise

Author's signing key is stolen or leaked.

Defense Key rotation with revocation list -- compromised keys are revoked; bundles signed with revoked keys are rejected.

Downgrade Attacks

Attacker substitutes an older, weaker version of a constitution.

Defense Version enforcement -- orchestrator tracks minimum required version per constitution ID.

Fail-Open Risk

Verification error silently allows unsigned content through.

Defense Fail-closed mandate -- any verification failure rejects the request. There is no fallback path.
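An added example, not the VCP/T reference implementation, of an orchestrator that runs the verify-then-inject flow above and exercises every defense in this threat model in one place: Ed25519 signature checked against a key pinned on the verifier side, SHA-256 content hash, iat/nbf/exp window, jti replay tracking, revocation list, minimum version per constitution ID, token budget, an audit entry for every decision, and fail-closed on any error. The JSON field names, the Orchestrator and Bundle types, the fixed key seed and the whitespace word count standing in for the model's tokenizer are assumptions for this example; the only library calls are Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Manifest carries the claims the orchestrator checks. JSON field names are this
// example's assumption; the page names the claims, not the layout.
type Manifest struct {
	ID        string `json:"id"`
	Version   int    `json:"version"`
	KeyID     string `json:"kid"`
	Content   string `json:"content_sha256"`
	MaxTokens int    `json:"max_tokens"`
	IssuedAt  int64  `json:"iat"`
	NotBefore int64  `json:"nbf"`
	Expires   int64  `json:"exp"`
	JTI       string `json:"jti"`
}

// Bundle is what the repository serves: manifest bytes, the author's Ed25519
// signature over exactly those bytes, and the content the hash covers.
type Bundle struct{ Manifest, Signature, Content []byte }

// Orchestrator holds what the bundle must never be allowed to supply: pinned
// author keys, revoked key IDs, jtis already seen, minimum versions, audit log.
type Orchestrator struct {
	Pinned     map[string]ed25519.PublicKey
	Revoked    map[string]bool
	SeenJTI    map[string]bool
	MinVersion map[string]int
	Audit      []string
}

// Verify is verify-then-inject: it returns text only after every check passes.
// All failures go through reject, so no path hands back unverified text.
func (o *Orchestrator) Verify(b Bundle, now int64) (string, error) {
	var m Manifest
	if err := json.Unmarshal(b.Manifest, &m); err != nil {
		return o.reject("manifest parse: " + err.Error())
	}
	key, ok := o.Pinned[m.KeyID] // from the verifier's trust store, never from the bundle
	sum := sha256.Sum256(b.Content)
	tokens := len(strings.Fields(string(b.Content))) // stand-in for the real tokenizer
	switch {
	case !ok || o.Revoked[m.KeyID]:
		return o.reject("unknown or revoked key " + m.KeyID)
	case !ed25519.Verify(key, b.Manifest, b.Signature):
		return o.reject("bad signature")
	case hex.EncodeToString(sum[:]) != m.Content:
		return o.reject("content hash mismatch")
	case m.IssuedAt > now || now < m.NotBefore || now >= m.Expires:
		return o.reject("outside validity window")
	case o.SeenJTI[m.JTI]:
		return o.reject("replayed jti " + m.JTI)
	case m.Version < o.MinVersion[m.ID]:
		return o.reject(fmt.Sprintf("downgrade: v%d below minimum v%d", m.Version, o.MinVersion[m.ID]))
	case tokens > m.MaxTokens:
		return o.reject(fmt.Sprintf("%d tokens exceeds budget %d", tokens, m.MaxTokens))
	}
	o.SeenJTI[m.JTI] = true // a real store may drop the entry once exp has passed
	o.Audit = append(o.Audit, "accepted "+m.ID+" jti="+m.JTI)
	return string(b.Content), nil
}

func (o *Orchestrator) reject(why string) (string, error) {
	o.Audit = append(o.Audit, "rejected: "+why)
	return "", errors.New(why)
}

// Sign is the author side: hash the content into the manifest, then sign the
// manifest bytes. Used here only to construct sample bundles.
func Sign(priv ed25519.PrivateKey, m Manifest, content []byte) Bundle {
	sum := sha256.Sum256(content)
	m.Content = hex.EncodeToString(sum[:])
	mj, _ := json.Marshal(m)
	return Bundle{mj, ed25519.Sign(priv, mj), content}
}

// Demo returns an orchestrator that pins one author key (a fixed seed,
// constructed for this example) and a freshly signed sample bundle.
func Demo() (*Orchestrator, Bundle) {
	priv := ed25519.NewKeyFromSeed([]byte("vcp-example-seed-32-bytes-long!!"))
	o := &Orchestrator{
		Pinned:     map[string]ed25519.PublicKey{"author-1": priv.Public().(ed25519.PublicKey)},
		Revoked:    map[string]bool{},
		SeenJTI:    map[string]bool{},
		MinVersion: map[string]int{"tutor": 3},
	}
	m := Manifest{ID: "tutor", Version: 3, KeyID: "author-1", MaxTokens: 50,
		IssuedAt: 1_700_000_000, NotBefore: 1_700_000_000, Expires: 1_700_003_600, JTI: "b1"}
	return o, Sign(priv, m, []byte("Recommend quiet practice methods."))
}

func main() {
	o, b := Demo()
	_, first := o.Verify(b, 1_700_000_600)  // accepted
	_, replay := o.Verify(b, 1_700_000_600) // same jti again: rejected
	fmt.Println(first, replay, o.Audit)
}
```

Two details matter for the threat model. The verifier looks up the key by the manifest's kid in its own Pinned map, so an attacker who signs with their own key and reuses the author's key ID gets "bad signature", and one who embeds a different key gets nowhere because the bundle is never consulted for keys. And every rejection path, including a manifest that fails to parse, returns an error and an audit entry rather than falling through to the content, which is the fail-closed mandate in code.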

Personal State Privacy

Layer 3 (the R-line) carries real-time personal state -- cognitive load, emotional tone, energy level. These dimensions require the strongest protections.

Stripped by Default

Personal state dimensions are stripped from the token before transmission. Platforms never see raw R-line data unless the user explicitly opts in.

Boolean Flags Only

When personal state influences constraints, only boolean flags are transmitted -- energy_variable: true, not the underlying condition or intensity.

Signal Decay

Personal state carries a TTL (time-to-live). Stale dimensions automatically decay, ensuring outdated state is not retained or acted upon.

Explicit Consent

Sharing personal state with any platform requires explicit, revocable consent. Each dimension can be consented to individually -- granular, not all-or-nothing.
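The three rules above, TTL decay, per-dimension per-platform consent, and boolean flags only, combined in one added example (not the project's own code). The dimension names, thresholds, TTL values, the Consent type and the platform names are this example's assumptions; the page states the rules but not these specifics.

```go
package main

import (
	"fmt"
	"time"
)

// Dimension is one Layer 3 (R-line) reading: a personal-state value, when it
// was observed, and how long it stays meaningful before it decays.
type Dimension struct {
	Name     string
	Value    float64 // raw intensity on 0..1; never leaves the device
	Observed time.Time
	TTL      time.Duration
}

// Consent is recorded per platform and per dimension, so energy level can be
// shared with one platform and nothing with another. Revoking deletes the grant.
type Consent map[string]map[string]bool

func (c Consent) Grant(platform, dim string) {
	if c[platform] == nil {
		c[platform] = map[string]bool{}
	}
	c[platform][dim] = true
}

func (c Consent) Revoke(platform, dim string) { delete(c[platform], dim) }

// Decay drops every dimension whose TTL has elapsed at time now. The caller
// replaces its stored slice with the result, so stale state is not retained.
func Decay(dims []Dimension, now time.Time) []Dimension {
	var fresh []Dimension
	for _, d := range dims {
		if now.Before(d.Observed.Add(d.TTL)) {
			fresh = append(fresh, d)
		}
	}
	return fresh
}

// flagRules turn a dimension into the single boolean flag it may yield. The
// thresholds are this example's assumption, not part of the page.
var flagRules = map[string]struct {
	Flag  string
	Fires func(v float64) bool
}{
	"energy":         {"energy_variable", func(v float64) bool { return v < 0.4 }},
	"cognitive_load": {"load_high", func(v float64) bool { return v > 0.7 }},
	"emotional_tone": {"tone_low", func(v float64) bool { return v < 0.3 }},
}

// Flags is everything a platform may learn from the R-line: boolean flags for
// dimensions that are still fresh, that the user consented to share with this
// platform, and whose rule fires. Intensities and unconsented dimensions never
// appear, whatever their value.
func Flags(dims []Dimension, consent Consent, platform string, now time.Time) map[string]bool {
	out := map[string]bool{}
	for _, d := range Decay(dims, now) {
		if !consent[platform][d.Name] {
			continue
		}
		if r, ok := flagRules[d.Name]; ok && r.Fires(d.Value) {
			out[r.Flag] = true
		}
	}
	return out
}

// Sample is constructed for this example: the energy reading is 10 minutes old
// with a 30-minute TTL, the load reading is two hours old with the same TTL.
func Sample(now time.Time) []Dimension {
	return []Dimension{
		{"energy", 0.2, now.Add(-10 * time.Minute), 30 * time.Minute},
		{"cognitive_load", 0.9, now.Add(-2 * time.Hour), 30 * time.Minute},
		{"emotional_tone", 0.1, now.Add(-1 * time.Minute), 30 * time.Minute},
	}
}

func main() {
	now := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)
	consent := Consent{}
	consent.Grant("tutor-app", "energy")
	consent.Grant("tutor-app", "cognitive_load") // consented, but the reading has decayed
	fmt.Println(Flags(Sample(now), consent, "tutor-app", now)) // map[energy_variable:true]
	consent.Revoke("tutor-app", "energy")
	fmt.Println(Flags(Sample(now), consent, "tutor-app", now)) // map[]
	fmt.Println(Flags(Sample(now), consent, "hr-portal", now)) // map[]
}
```

The emotional_tone reading is the most extreme value in the sample and still produces nothing, because consent for it was never granted; the cognitive_load reading is consented but has passed its TTL, so it is dropped before the rule can fire. Revoking consent takes effect on the next call with no further state to clean up.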

See Privacy in Action

Watch how different stakeholders see different views of the same context.