MCPcopy Index your code
hub / github.com/Dicklesworthstone/flywheel_connectors

github.com/Dicklesworthstone/flywheel_connectors @v0.2.0

Chat with this repo
repository ↗ · DeepWiki ↗ · release v0.2.0 ↗ · + Follow
133,629 symbols 518,261 edges 3,045 files 7,233 documented · 5%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

Flywheel Connector Protocol (FCP)

FCP - Secure connectors for AI agents with zone-based isolation and capability tokens

Specification note: FCP_Specification_V3.md is the current architectural and conformance target. FCP_Specification_V2.md is retained as historical / legacy-interoperability context. When descriptions conflict, trust V3 for intended semantics and the code for current behavior.

A secure connector protocol and Rust platform for AI agent operations across zones, hosts, and personal device meshes. The workspace ships 42 platform crates under crates/, 177 connector crates under connectors/ (176 production connectors plus one adversarial conformance test crate, connectors/_adversarial/), and a single agent-first CLI (fwc) that classifies every answer by truth source and refuses to fabricate runtime state.


TL;DR

The Problem

AI agents need to act on the real world (read mail, file PRs, send messages, query databases, control hardware), but the prevailing toolchains do this with a shared-memory plugin model, an "API key in a .env file" trust model, and a "prompt told the model not to do that" security model. None of those survive a hostile input from Discord, a compromised laptop, or a misconfigured deploy.

The Solution

FCP is a connector platform where:

  • Every connector is a separately-signed sandboxed binary with an embedded manifest declaring its capabilities, sandbox limits, and network constraints.
  • Every operation is gated by a capability token with type-state-enforced binding, so an UnboundVerified token does not compile against a function that requires BoundVerified.
  • Every request is bound to exactly one zone (a cryptographic namespace with its own symmetric key); cross-zone access requires explicit policy and proof.
  • Every connector's outbound network traffic flows through an egress proxy with CIDR deny defaults, SNI enforcement, and secretless credential injection, so the connector binary never sees raw API keys.
  • Every operation produces a signed receipt and is recorded on a hash-linked audit chain with monotonic sequence numbers and Hybrid Logical Clock causality, plus an OpenTelemetry OTLP parity exporter.
  • Sensitive zones support post-quantum cryptography (X-Wing KEM hybrid HPKE + ML-DSA-65 signatures) and threshold owner keys (FROST) so no single device holds the complete signing material.

Truth Hierarchy

fwc classifies every answer by its source (mesh-backed > host-backed > node-local > offline) rather than collapsing everything into a single fake "live" state.

  • Current operational path (V1, host-first): fwc → fcp-host → connector subprocesses over supervised stdio/JSON-RPC. This is what runs in production today.
  • Target steady state (V2, mesh-native): personal-device sovereignty, mesh durability, capability-gated execution across your own infrastructure. The mesh infrastructure (gossip, IBLT, XOR filters, symbol-first object distribution, LiveTruthResolver, KnowledgeState taxonomy) is built and tested; the cutover gates are documented in docs/FCP3_Transition_Scorecard.md.

Three Foundational Axioms

Axiom Principle
Universal Fungibility All durable mesh objects are symbol-addressable: any K' RaptorQ symbols reconstruct the canonical object bytes. Control-plane messages may travel over FCPC streams, but the canonical representation is a content-addressed mesh object.
Authenticated Mesh Tailscale is the transport AND the identity layer. Every node has unforgeable WireGuard keys. Zones map to Tailscale ACL tags.
Explicit Authority No ambient authority. All capabilities flow from the owner key through cryptographic chains and short-lived, instance-bound capability tokens.

Why Use FCP?

Status legend: - PROVEN: backed by direct repository evidence (tests, harnesses, golden vectors). - LIMITED: functional at the stated scope but narrower than the mature target (e.g. threshold-gated rather than adaptive). - STEADY-STATE TARGET: architectural target with built infrastructure but not yet operational by default.

PROVEN means repository evidence, not a claim of live production deployment.

Feature Status What It Does Evidence
Host-First Control Plane PROVEN fwc + fcp-host is the proven provisioning boundary. Operators use this path today while mesh-backed truth converges to steady state. crates/fcp-host/src/{supervisor,enforcement,health}.rs, crates/fcp-conformance/tests/host_invoke_loop_conformance.rs, crates/fcp-e2e/tests/capability_enforcement_concurrent_e2e.rs
Truthful Runtime Resolution PROVEN fwc resolves runtime mode explicitly and classifies answers as mesh-backed, host-backed, node-local, or offline instead of fabricating "live". crates/fwc/src/{truth,catalog,readiness}.rs, crates/fwc/tests/{cual_integration,readme_status_pinning}.rs
Capability Token Typestate PROVEN CapabilityToken<Unverified → UnboundVerified → BoundVerified → ConstraintsEnforced> is compiler-enforced across every connector boundary. LEGACY_VERIFY_ALLOWLIST.len() == 0; forward-only ratchet enforced by conformance test. crates/fcp-conformance/tests/capability_typestate_connector_boundary_dja9u.rs, crates/fcp-core/tests/typestate_compile_fail.rs
Capability Tokens (CWT/COSE) PROVEN COSE/CWT signing, canonical CBOR, constraints, instance binding, predicate matrix all covered. crates/fcp-crypto/src/cose.rs, crates/fcp-core/src/capability.rs, crates/fcp-host/tests/capability_token_typestate_runtime.rs
Post-Quantum Zone Keys PROVEN ZoneKeyManifest V4 schema with hybrid HPKE-X25519 + X-Wing KEM wrap lists, RustCrypto X-Wing (draft-06) + IETF KAT, ML-DSA-65 FIPS 204 signatures with KAT, hybrid verifier, length-invariant Deserialize, constant-time Eq. crates/fcp-crypto-pq/, crates/fcp-core/src/zone_keys.rs, mixed V3/V4 mesh migration harness
Zone Isolation LIMITED Core cryptographic namespaces proven; Lean zone-flow lattice proof source pinned; host-side connector RPC requires explicit allowed_zones before invoke/introspect/health. crates/fcp-core/src/{zone_keys,pcs,policy}.rs, lean/Fcp/Zone/Lattice.lean, crates/fcp-host/tests/allowed_zones_required.rs, crates/fcp-e2e/tests/zone_isolation_full_e2e.rs
Tamper-Evident Audit + HLC PROVEN Hash-linked audit chain with monotonic sequence numbers, quorum-signed checkpoints, Hybrid Logical Clocks, Hierarchical Version Vectors for revocation freshness, and an OTLP parity exporter. crates/fcp-audit/src/hlc.rs, crates/fcp-mesh/src/revocation/hier_vv.rs, crates/fcp-conformance/tests/{hlc_hiervv_conformance,audit_otlp_hlc_contract}.rs
Revocation PROVEN First-class revocation objects, exact-membership lookup (no XOR filter in the revocation path), RevocationSeal for check-use atomicity, priority gossip push, zone-wide freshness SLA. crates/fcp-core/src/revocation.rs, crates/fcp-conformance/tests/revocation_timing.rs, crates/fcp-e2e/tests/revocation_cascade_e2e.rs
Egress Proxy PROVEN Connector network access routed through manifest-aware guardrails with CIDR deny defaults and denial audit evidence. crates/fcp-sandbox/src/egress.rs, crates/fcp-e2e/tests/egress_proxy_e2e.rs
Secretless Connectors PROVEN Egress proxy injects credentials per request through SecretFetchHook; connector binaries pass credential_id references rather than raw bearer material. crates/fcp-crypto/src/secret_fetch.rs, crates/fcp-e2e/tests/secretless_{github,slack,gmail}_e2e.rs
Multi-Method Provider Auth PROVEN fcp-provider-auth consolidates API key, AWS SigV4 request signing, JWT refresh, OAuth device-code, authorization-code with PKCE, refresh-token, and setup-token; AuthProfile flows through the credential pool layer. crates/fcp-provider-auth/, host/fwc profile-admin and OAuth login surfaces
Credential Pooling PROVEN Multi-credential per-provider pools with priority, strategy, exhaustion-cooldown, active-lease tracking, LRU, sticky restick, max-use, and a redaction-safe connector-boundary E2E. crates/fcp-host/src/credentials.rs, crates/fcp-e2e/tests/credential_pool_e2e.rs, host admin API routes, audit log
Multi-Host Singleton Writers (HRW) PROVEN Quorum-signed durable leases gossip across nodes; rendezvous hashing picks the holder deterministically; binary launch/flush/invoke fencing prevents split-writer windows; multi-node failover replay harness lands as closeout. crates/fcp-core/src/lease.rs, crates/fcp-mesh/src/{authority,coordinator,planner}.rs, multi-node failover replay harness
Threshold Owner Key PROVEN FROST ceremony and signing support exist in fcp-bootstrap; not yet the universal operational default. crates/fcp-bootstrap/src/ceremony.rs, crates/fcp-e2e/tests/threshold_owner_key_e2e.rs
Threshold Secrets (Shamir) PROVEN Shamir secret sharing for device-distributed recovery so raw secret material never lives on one machine. crates/fcp-core/src/secret.rs, crates/fcp-e2e/tests/threshold_secrets_e2e.rs
Supply Chain Attestations PROVEN Registry-side attestation schemas, TUF/cosign verification adapters, host gate proof. Release-distribution proof remains outside this repo. crates/fcp-registry/src/lib.rs, crates/fcp-e2e/tests/supply_chain_attestation_e2e.rs
Offline Access PROVEN ObjectPlacementPolicy, repair controllers, cache-while-offline, queued writes, drain-on-restore. crates/fcp-store/src/offline.rs, crates/fcp-e2e/tests/{offline_access,offline_repair}_e2e.rs
Mesh-Stored Policy Objects PROVEN Zone definitions and policy bundles exist as owner-signed objects with mesh gossip, verification, evaluation, and revocation proof. crates/fcp-core/src/policy.rs, crates/fcp-e2e/tests/mesh_policy_object_e2e.rs
Symbol-First Protocol PROVEN RaptorQ object-symbol framing, reconstruction, repair machinery, multipath aggregation, offline resilience. crates/fcp-raptorq/, crates/fcp-e2e/tests/symbol_first_protocol_e2e.rs, golden vectors
Browser Real-CDP Control Plane PROVEN Rust-owned CDP control-worker, supervised target/session manager, cookie ownership boundary, native launcher/proxy worker, direct-CDP routing, real-browser operation-matrix closeout — mirrors OpenClaw semantics. connectors/browser/, host browser CDP manager proof
Voice-Call Multi-Provider Parity PROVEN Shared CallAuthToken, SessionStore, replay-cache crate (fcp-voice-call); Twilio, Telnyx, Plivo all flow through the same architectural shape with no-live-credential loopback evidence. crates/fcp-voice-call/, connectors/{twilio,telnyx,plivo}/, scripts/e2e/voice_call_multi_provider_verification.sh
Manifest Operations Conformance PROVEN Every connector with declared operations exposes them via typed [provides.operations.*] in manifest.toml; runtime const drift is caught by a conformance scanner. crates/fcp-conformance/tests/manifest_operations_*.rs
Computation Migration PROVEN Migrate-and-resume reference proof: CRIU-format checkpoint handoff, lease transfer, replay, byte-equivalent completion. crates/fcp-kernel/src/computation_migration.rs, crates/fcp-e2e/tests/computation_migration_reference.rs
Mesh-Native Architecture STEADY-STATE TARGET Gossip, IBLT, XOR filters, masked IBLT anti-entropy, and LiveTruthResolver are built and tested. The production fwc → fcp-host → connector subprocess invoke path remains host-first today. Pinned by crates/fwc/tests/readme_status_pinning.rs. crates/fcp-mesh/, crates/fwc/src/truth.rs

Audit status: all status labels reconciled as of 2026-05-16. See docs/quarterly/2026-Q2-claims-vs-reality.md for the inaugural quarterly debiasing report.


Design Philosophy

Five principles drive every architectural decision in FCP.

1. Mechanical Enforcement, Not Prompted Compliance

Security is enforced by the type system, the binary boundary, the protocol, or cryptography. Never by a string in a prompt. Telling a model "don't read private email" is trivially bypassed by a hostile message; telling a Rust compiler that gmail.read does not exist in the z:public zone is not. Examples from the codebase:

  • Capability-token typestate. CapabilityToken<UnboundVerified> and CapabilityToken<BoundVerified> are distinct types. An operation executor that requires full instance-binding declares fn execute(_: CapabilityToken<BoundVerified>, ...). An UnboundVerified token (produced by the gateway, which does not yet know the connector's real InstanceId) does not compile against that signature. Enforced by trybuild tests in crates/fcp-core/tests/typestate_compile_fail.rs.
  • Connector-boundary ratchet. crates/fcp-conformance/tests/capability_typestate_connector_boundary_dja9u.rs checks LEGACY_VERIFY_ALLOWLIST.len() == 0. New connectors must use the typestate path; enforced connectors cannot regress.
  • Sealed FcpConnector trait. Third-party crates cannot accidentally subvert the lifecycle by implementing the trait themselves.

2. Default Deny With Explicit Allow

If a capability is not granted, it cannot be invoked. If a zone is not bound, the host refuses to start the subprocess. If allowed_zones is empty, connector RPC fails closed before invoke, introspection, or health probes reach connector code. If cidr_deny is malformed, the sandbox

Extension points exported contracts — how you extend this code

HardwareTokenSessionDriver (Interface)
Driver abstraction for opening authenticated hardware-token sessions and enumerating certificate/key objects. [6 implementers]
crates/fcp-bootstrap/src/hardware_token.rs
EnforcementCheck (Interface)
Trait for individual enforcement checks. Each check inspects the [`EnforcementContext`] and returns a [`CheckOutcome`]. [18 …
crates/fcp-host/src/enforcement.rs
HybridSignable (Interface)
Object-specific adapter for FCP hybrid signed envelopes. [10 implementers]
crates/fcp-crypto/src/hybrid.rs
GraphqlOperation (Interface)
Typed GraphQL operation definition. Implement this trait for each query/mutation/subscription. [11 implementers]
crates/fcp-graphql/src/operation.rs
ConnectorErrorMapping (Interface)
Trait for mapping `AsyncError` to connector-specific error types. Every connector must implement this to handle deadlin [158 …
crates/fcp-sdk/src/error_mapping.rs
ScrubRule (Interface)
A single JSON scrub rule. [7 implementers]
crates/fcp-testkit/src/differential_scrub.rs
OpenAiCompatProvider (Interface)
Provider policy for an OpenAI-compatible endpoint. [16 implementers]
crates/fcp-openai-compat/src/client.rs
CredentialInjector (Interface)
Credential injection context for the Network Guard. This trait defines the interface for credential backends. The Netwo [13 …
crates/fcp-sandbox/src/egress.rs

Core symbols most depended-on inside this repo

clone
called by 11760
crates/fcp-mesh/src/gossip.rs
expect
called by 8794
connectors/postgresql/src/lib.rs
to_owned
called by 4672
crates/fcp-protocol/src/fcps.rs
map
called by 4446
crates/fwc/src/truth.rs
and
called by 4274
connectors/teams/src/client.rs
iter
called by 4210
crates/fcp-core/src/quorum.rs
iter
called by 2791
connectors/irc/src/session.rs
method
called by 2785
connectors/teams/src/client.rs

Shape

Function 101,247
Method 21,732
Class 8,521
Enum 2,036
Interface 93

Languages

Rust100%
Python1%

Modules by API surface

crates/fwc/src/catalog.rs1,085 symbols
crates/fcp-host/src/bin/fcp-host.rs936 symbols
crates/fcp-manifest/src/lib.rs699 symbols
crates/fwc/src/readiness.rs655 symbols
crates/fcp-async-core/src/lib.rs640 symbols
crates/fcp-cbor/src/lib.rs556 symbols
crates/fcp-registry/src/lib.rs554 symbols
crates/fcp-audit/src/lib.rs500 symbols
crates/fcp-host/src/admin_state.rs481 symbols
crates/fcp-core/src/capability.rs435 symbols
crates/fcp-host/src/enforcement.rs412 symbols
crates/fcp-sdk/src/runtime.rs403 symbols

Datastores touched

(mysql)Database · 1 repos
(mongodb)Database · 1 repos
flywheelDatabase · 1 repos

For agents

$ claude mcp add flywheel_connectors \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact

Ask about this repo answers extend the page