Skip to content

Operator Sovereignty Doctrine — Two-Wallet Demonstration + Kraken Removal

The two-wallet demonstration lands operator-sovereign substrate operation across the substrate's payout surface. The substrate composes substrate-mathematical work; the operator composes custody. The two compose against each other through the substrate's payout configuration, federation-cosigned and append-only, without the substrate reaching across the operator's custody boundary.

Operator-sovereign custody across the substrate's surface

Operator's wallets compose operator-sovereign on the operator's cell. The substrate does not custody operator funds. The substrate does not route operator wallets through external infrastructure. The substrate operates substrate-mathematical sovereignty across the operator's substrate-development surface — composition, measurement, federation cosignature, append-only persistence, NATS broadcast — and stops at the operator's custody boundary.

The operator's PQ migration decision is the operator's substrate-development authority. The substrate provides the operational mechanism (V188 / V189 / V190 / V193 / V194 evidence chain with both-ends proof-of-ownership as the load-bearing gate). The operator decides whether to migrate the operator's own holdings. The substrate refuses to compose a migration evidence chain unless the operator controls both ends; the substrate refuses to substitute its judgment for the operator's on the migration timing question. Operator-sovereign substrate-development authority means the operator authorizes the migration on the operator's own substrate cadence, against the operator's own holdings, with the operator's own keys at both endpoints.

Kraken removal (QC-029)

A prior commission shipped a Kraken P2SH default payout address 37sMJzVE1YoGC7bJnwTjmS6XB3QwAw8Jo3 read from ~/.gaiaftcl/qc021_kraken.toml. That commission encoded an assumption the substrate's doctrine refuses: that the substrate's default payout target is exchange infrastructure operating under a third-party custody arrangement. QC-029 removes the assumption.

QC-029 deprecates qc021_kraken.toml and replaces it with ~/.gaiaftcl/qc021_payout.toml. The new configuration requires the operator to configure destination_address explicitly. The substrate refuses block submission with an empty destination. The substrate refuses to default custody to exchange infrastructure. The substrate's default behavior in the absence of operator-configured destination is refusal, not exchange-routing — refusal is the substrate-doctrine-correct outcome when operator sovereignty has not been established explicitly.

Migration substrate-development for currently-configured operators

For operators currently configured with qc021_kraken.toml, the substrate composes a migration substrate-development arc on daemon boot. The substrate detects qc021_kraken.toml presence at startup. The substrate surfaces an operator-readable migration prompt:

qc021_kraken.toml deprecated. Configure operator-sovereign destination in qc021_payout.toml and remove qc021_kraken.toml.

The substrate does not auto-migrate the operator's configuration. The substrate does not copy the prior Kraken address into the new file. The substrate refuses to silently preserve the deprecated exchange-default behavior under a new filename. The operator composes the migration — operator-sovereign authority over the operator's own payout destination — and the substrate composes block submission against the operator's new sovereign configuration once the migration lands.

Operators who use exchanges substrate-externally

The QC-029 doctrine does not refuse exchanges in the operator's broader workflow. The doctrine refuses substrate-internal default routing to exchange custody. Operators who use exchanges substrate-externally compose the workflow on the operator's own substrate-development authority: the substrate composes payout to the operator-sovereign address the operator configures in qc021_payout.toml; the operator moves funds from the operator-sovereign address to an exchange when the operator chooses to convert, on the operator's own cadence, through the operator's own external workflow.

Substrate-mathematical sovereignty preserves where the operator holds substrate-development authority. The substrate's surface ends at the operator-sovereign address. The operator's external workflow begins there. The two surfaces compose against each other through the operator's authority, not through substrate-resident exchange integration.

Implementation

  • KrakenDepositConfig.swift removed from the substrate. The type and its loading path no longer exist in the substrate's surface.
  • PayoutConfig.swift replaces it. The new type loads ~/.gaiaftcl/qc021_payout.toml, validates the operator-configured destination_address, and refuses to return a config value when destination_address is empty or absent.
  • MinerDaemon reads qc021_payout.toml through PayoutConfig. The daemon's boot sequence detects legacy qc021_kraken.toml presence and emits the operator-readable migration prompt; the daemon refuses to start block submission until the operator-sovereign destination is configured in the new file.
  • FranklinConsciousnessActor's second source-of-truth template updated to reference the operator-sovereign payout configuration. Franklin's substrate-development authority composes against the operator-sovereign destination rather than the deprecated exchange-default address.

The implementation lands inside Franklin's object boundary and the substrate's existing payout surface. The substrate continues to operate substrate-mathematical sovereignty across the operator's substrate-development surface; the operator continues to compose custody on operator-sovereign authority; the two surfaces meet at the operator-configured destination address recorded in qc021_payout.toml.

Federation cosignature: pending

This page is not yet in the signed manifest. Run gaiaftcl wiki sign --all.