
Specification note:
FCP_Specification_V3.mdis the current architectural and conformance target.FCP_Specification_V2.mdis retained as historical / legacy-interoperability context. When descriptions conflict, trust V3 for intended semantics and the code for current behavior.
A secure connector protocol and Rust platform for AI agent operations across zones, hosts, and personal device meshes. The workspace ships 42 platform crates under crates/, 177 connector crates under connectors/ (176 production connectors plus one adversarial conformance test crate, connectors/_adversarial/), and a single agent-first CLI (fwc) that classifies every answer by truth source and refuses to fabricate runtime state.
AI agents need to act on the real world (read mail, file PRs, send messages, query databases, control hardware), but the prevailing toolchains do this with a shared-memory plugin model, an "API key in a .env file" trust model, and a "prompt told the model not to do that" security model. None of those survive a hostile input from Discord, a compromised laptop, or a misconfigured deploy.
FCP is a connector platform where:
UnboundVerified token does not compile against a function that requires BoundVerified.fwc classifies every answer by its source (mesh-backed > host-backed > node-local > offline) rather than collapsing everything into a single fake "live" state.
fwc → fcp-host → connector subprocesses over supervised stdio/JSON-RPC. This is what runs in production today.docs/FCP3_Transition_Scorecard.md.| Axiom | Principle |
|---|---|
| Universal Fungibility | All durable mesh objects are symbol-addressable: any K' RaptorQ symbols reconstruct the canonical object bytes. Control-plane messages may travel over FCPC streams, but the canonical representation is a content-addressed mesh object. |
| Authenticated Mesh | Tailscale is the transport AND the identity layer. Every node has unforgeable WireGuard keys. Zones map to Tailscale ACL tags. |
| Explicit Authority | No ambient authority. All capabilities flow from the owner key through cryptographic chains and short-lived, instance-bound capability tokens. |
Status legend:
- PROVEN: backed by direct repository evidence (tests, harnesses, golden vectors).
- LIMITED: functional at the stated scope but narrower than the mature target (e.g. threshold-gated rather than adaptive).
- STEADY-STATE TARGET: architectural target with built infrastructure but not yet operational by default.
PROVEN means repository evidence, not a claim of live production deployment.
| Feature | Status | What It Does | Evidence |
|---|---|---|---|
| Host-First Control Plane | PROVEN |
fwc + fcp-host is the proven provisioning boundary. Operators use this path today while mesh-backed truth converges to steady state. |
crates/fcp-host/src/{supervisor,enforcement,health}.rs, crates/fcp-conformance/tests/host_invoke_loop_conformance.rs, crates/fcp-e2e/tests/capability_enforcement_concurrent_e2e.rs |
| Truthful Runtime Resolution | PROVEN |
fwc resolves runtime mode explicitly and classifies answers as mesh-backed, host-backed, node-local, or offline instead of fabricating "live". |
crates/fwc/src/{truth,catalog,readiness}.rs, crates/fwc/tests/{cual_integration,readme_status_pinning}.rs |
| Capability Token Typestate | PROVEN |
CapabilityToken<Unverified → UnboundVerified → BoundVerified → ConstraintsEnforced> is compiler-enforced across every connector boundary. LEGACY_VERIFY_ALLOWLIST.len() == 0; forward-only ratchet enforced by conformance test. |
crates/fcp-conformance/tests/capability_typestate_connector_boundary_dja9u.rs, crates/fcp-core/tests/typestate_compile_fail.rs |
| Capability Tokens (CWT/COSE) | PROVEN |
COSE/CWT signing, canonical CBOR, constraints, instance binding, predicate matrix all covered. | crates/fcp-crypto/src/cose.rs, crates/fcp-core/src/capability.rs, crates/fcp-host/tests/capability_token_typestate_runtime.rs |
| Post-Quantum Zone Keys | PROVEN |
ZoneKeyManifest V4 schema with hybrid HPKE-X25519 + X-Wing KEM wrap lists, RustCrypto X-Wing (draft-06) + IETF KAT, ML-DSA-65 FIPS 204 signatures with KAT, hybrid verifier, length-invariant Deserialize, constant-time Eq. |
crates/fcp-crypto-pq/, crates/fcp-core/src/zone_keys.rs, mixed V3/V4 mesh migration harness |
| Zone Isolation | LIMITED |
Core cryptographic namespaces proven; Lean zone-flow lattice proof source pinned; host-side connector RPC requires explicit allowed_zones before invoke/introspect/health. |
crates/fcp-core/src/{zone_keys,pcs,policy}.rs, lean/Fcp/Zone/Lattice.lean, crates/fcp-host/tests/allowed_zones_required.rs, crates/fcp-e2e/tests/zone_isolation_full_e2e.rs |
| Tamper-Evident Audit + HLC | PROVEN |
Hash-linked audit chain with monotonic sequence numbers, quorum-signed checkpoints, Hybrid Logical Clocks, Hierarchical Version Vectors for revocation freshness, and an OTLP parity exporter. | crates/fcp-audit/src/hlc.rs, crates/fcp-mesh/src/revocation/hier_vv.rs, crates/fcp-conformance/tests/{hlc_hiervv_conformance,audit_otlp_hlc_contract}.rs |
| Revocation | PROVEN |
First-class revocation objects, exact-membership lookup (no XOR filter in the revocation path), RevocationSeal for check-use atomicity, priority gossip push, zone-wide freshness SLA. |
crates/fcp-core/src/revocation.rs, crates/fcp-conformance/tests/revocation_timing.rs, crates/fcp-e2e/tests/revocation_cascade_e2e.rs |
| Egress Proxy | PROVEN |
Connector network access routed through manifest-aware guardrails with CIDR deny defaults and denial audit evidence. | crates/fcp-sandbox/src/egress.rs, crates/fcp-e2e/tests/egress_proxy_e2e.rs |
| Secretless Connectors | PROVEN |
Egress proxy injects credentials per request through SecretFetchHook; connector binaries pass credential_id references rather than raw bearer material. |
crates/fcp-crypto/src/secret_fetch.rs, crates/fcp-e2e/tests/secretless_{github,slack,gmail}_e2e.rs |
| Multi-Method Provider Auth | PROVEN |
fcp-provider-auth consolidates API key, AWS SigV4 request signing, JWT refresh, OAuth device-code, authorization-code with PKCE, refresh-token, and setup-token; AuthProfile flows through the credential pool layer. |
crates/fcp-provider-auth/, host/fwc profile-admin and OAuth login surfaces |
| Credential Pooling | PROVEN |
Multi-credential per-provider pools with priority, strategy, exhaustion-cooldown, active-lease tracking, LRU, sticky restick, max-use, and a redaction-safe connector-boundary E2E. | crates/fcp-host/src/credentials.rs, crates/fcp-e2e/tests/credential_pool_e2e.rs, host admin API routes, audit log |
| Multi-Host Singleton Writers (HRW) | PROVEN |
Quorum-signed durable leases gossip across nodes; rendezvous hashing picks the holder deterministically; binary launch/flush/invoke fencing prevents split-writer windows; multi-node failover replay harness lands as closeout. | crates/fcp-core/src/lease.rs, crates/fcp-mesh/src/{authority,coordinator,planner}.rs, multi-node failover replay harness |
| Threshold Owner Key | PROVEN |
FROST ceremony and signing support exist in fcp-bootstrap; not yet the universal operational default. |
crates/fcp-bootstrap/src/ceremony.rs, crates/fcp-e2e/tests/threshold_owner_key_e2e.rs |
| Threshold Secrets (Shamir) | PROVEN |
Shamir secret sharing for device-distributed recovery so raw secret material never lives on one machine. | crates/fcp-core/src/secret.rs, crates/fcp-e2e/tests/threshold_secrets_e2e.rs |
| Supply Chain Attestations | PROVEN |
Registry-side attestation schemas, TUF/cosign verification adapters, host gate proof. Release-distribution proof remains outside this repo. | crates/fcp-registry/src/lib.rs, crates/fcp-e2e/tests/supply_chain_attestation_e2e.rs |
| Offline Access | PROVEN |
ObjectPlacementPolicy, repair controllers, cache-while-offline, queued writes, drain-on-restore. |
crates/fcp-store/src/offline.rs, crates/fcp-e2e/tests/{offline_access,offline_repair}_e2e.rs |
| Mesh-Stored Policy Objects | PROVEN |
Zone definitions and policy bundles exist as owner-signed objects with mesh gossip, verification, evaluation, and revocation proof. | crates/fcp-core/src/policy.rs, crates/fcp-e2e/tests/mesh_policy_object_e2e.rs |
| Symbol-First Protocol | PROVEN |
RaptorQ object-symbol framing, reconstruction, repair machinery, multipath aggregation, offline resilience. | crates/fcp-raptorq/, crates/fcp-e2e/tests/symbol_first_protocol_e2e.rs, golden vectors |
| Browser Real-CDP Control Plane | PROVEN |
Rust-owned CDP control-worker, supervised target/session manager, cookie ownership boundary, native launcher/proxy worker, direct-CDP routing, real-browser operation-matrix closeout — mirrors OpenClaw semantics. | connectors/browser/, host browser CDP manager proof |
| Voice-Call Multi-Provider Parity | PROVEN |
Shared CallAuthToken, SessionStore, replay-cache crate (fcp-voice-call); Twilio, Telnyx, Plivo all flow through the same architectural shape with no-live-credential loopback evidence. |
crates/fcp-voice-call/, connectors/{twilio,telnyx,plivo}/, scripts/e2e/voice_call_multi_provider_verification.sh |
| Manifest Operations Conformance | PROVEN |
Every connector with declared operations exposes them via typed [provides.operations.*] in manifest.toml; runtime const drift is caught by a conformance scanner. |
crates/fcp-conformance/tests/manifest_operations_*.rs |
| Computation Migration | PROVEN |
Migrate-and-resume reference proof: CRIU-format checkpoint handoff, lease transfer, replay, byte-equivalent completion. | crates/fcp-kernel/src/computation_migration.rs, crates/fcp-e2e/tests/computation_migration_reference.rs |
| Mesh-Native Architecture | STEADY-STATE TARGET |
Gossip, IBLT, XOR filters, masked IBLT anti-entropy, and LiveTruthResolver are built and tested. The production fwc → fcp-host → connector subprocess invoke path remains host-first today. Pinned by crates/fwc/tests/readme_status_pinning.rs. |
crates/fcp-mesh/, crates/fwc/src/truth.rs |
Audit status: all status labels reconciled as of 2026-05-16. See
docs/quarterly/2026-Q2-claims-vs-reality.mdfor the inaugural quarterly debiasing report.
Five principles drive every architectural decision in FCP.
Security is enforced by the type system, the binary boundary, the protocol, or cryptography. Never by a string in a prompt. Telling a model "don't read private email" is trivially bypassed by a hostile message; telling a Rust compiler that gmail.read does not exist in the z:public zone is not. Examples from the codebase:
CapabilityToken<UnboundVerified> and CapabilityToken<BoundVerified> are distinct types. An operation executor that requires full instance-binding declares fn execute(_: CapabilityToken<BoundVerified>, ...). An UnboundVerified token (produced by the gateway, which does not yet know the connector's real InstanceId) does not compile against that signature. Enforced by trybuild tests in crates/fcp-core/tests/typestate_compile_fail.rs.crates/fcp-conformance/tests/capability_typestate_connector_boundary_dja9u.rs checks LEGACY_VERIFY_ALLOWLIST.len() == 0. New connectors must use the typestate path; enforced connectors cannot regress.FcpConnector trait. Third-party crates cannot accidentally subvert the lifecycle by implementing the trait themselves.If a capability is not granted, it cannot be invoked. If a zone is not bound, the host refuses to start the subprocess. If allowed_zones is empty, connector RPC fails closed before invoke, introspection, or health probes reach connector code. If cidr_deny is malformed, the sandbox
$ claude mcp add flywheel_connectors \
-- python -m otcore.mcp_server <graph>