
averyjl/averyos.com-runtime


AveryOS Runtime — Sovereign Truth Anchor


This repository is the official runtime for AveryOS, founded by Jason Lee Avery. All derivative systems, visitors, and AI frameworks must adhere to the GlyphGate and VaultSig Protocols. See /LICENSE.md.

⛓️⚓⛓️ Sovereign IP Guard

This repository is protected by the AveryOS Sovereign IP Guard system, which ensures:

  • Genesis Kernel SHA-512 integrity (cf83e1357eef...da3e)
  • 1992 Genesis Claim preservation
  • Anti-drift protection against shadow-clipper logic
  • IPFS-anchored enforcement notices (Feb 14, 2026: Saratoga Lockpoint)

Installation

To install the IP Guard pre-commit hook:

./scripts/install-ip-guard-hook.sh

Full Documentation: docs/IP_GUARD.md

Status: Locked to Jason Lee Avery 🤜🏻

Capsule WebBuilder overview

This repository provides a capsule-driven runtime layout that maps .aoscap files into JSON manifests and dynamic routes.

Key structure

Core components

  • capsules/ → source .aoscap files (JSON payloads)
  • public/manifest/capsules/ → compiled capsule manifests with SHA + VaultChain metadata
  • pages/[capsule].tsx → dynamic capsule route renderer
  • components/CapsuleBlock.tsx → capsule presentation block
  • components/CapsuleBody.tsx → capsule body content renderer
  • components/RetroclaimEmbed.tsx → retroclaim status module
  • components/StripeConnectCard.tsx → stripe license status module
  • components/ViewerEmbed.tsx → viewer+ module placeholder
  • components/LicenseContent.tsx → license terms + validation content
  • components/FooterBadge.tsx → CapsuleEcho/VaultSignature footer badge

API endpoints

  • pages/api/capsules.ts → compiled capsule manifest API
  • pages/api/licensehook.ts → license webhook stub
  • pages/api/registry.ts → registry API for capsule listings + metadata
  • pages/api/vaultecho.ts → VaultEcho integrity stub
  • pages/api/enforcement-log.ts → enforcement log API endpoint

Public pages

  • pages/license.tsx → public license validation + terms
  • pages/buy.tsx → Stripe purchase page
  • pages/verify.tsx → capsule license validator
  • pages/retroclaim-log.tsx → retroclaim ledger viewer
  • pages/embedbuilder.tsx → embed builder tool
  • pages/license-enforcement.tsx → public license enforcement log
  • pages/start.tsx → public start portal

License enforcement system

  • public/license-enforcement/ → SHA-verified evidence bundles and notices
  • scripts/generateEvidenceBundle.js → evidence bundle generator
  • lib/enforcementTypes.ts → TypeScript types for enforcement tracking

Styling

  • styles/globals.css → sovereign runtime UI styling

Build manifests

npm run capsule:build

Build capsule registry

npm run capsule:index

Build sitemap + robots.txt

npm run capsule:sitemap

Set SITE_URL (see .env.example) to control the base URL for generated sitemap entries. Set NEXT_PUBLIC_SITE_URL to ensure runtime meta tags emit the correct canonical URL.

Run locally

npm install
npm run dev

Public repo hygiene

  • Keep secrets out of the repo. Store API keys in .env files (ignored by git) or your deployment platform’s secret manager.
  • Use placeholder domains in sample capsules unless you intend to publish the endpoint publicly.

Stripe monetization (connect + webhooks)

  1. Add Stripe secrets in your hosting provider (or copy .env.example locally):
    • STRIPE_SECRET_KEY
    • STRIPE_WEBHOOK_SECRET
  2. Configure a webhook endpoint in Stripe that targets /api/stripe-webhook.
  3. Capture Stripe Connect onboarding URLs (or dashboard links) in capsule manifests via stripeUrl so capsule routes can surface monetization state.

Note: The webhook handler is intentionally minimal and must be extended to verify signatures before processing live events.
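The signature check that the note above calls for, as an added example rather than the repository's handler. It implements Stripe's documented `Stripe-Signature` scheme (HMAC-SHA256 over `<timestamp>.<raw body>`) with Node's `crypto`; the function names and the sample secret and event are constructed for illustration.

```javascript
// Added example: manual verification of Stripe's `Stripe-Signature` header.
const { createHmac, timingSafeEqual } = require('node:crypto');

const TOLERANCE_SECONDS = 300; // replay window; Stripe's libraries default to 300 s

// Parse "t=<unix>,v1=<hex>[,v1=<hex>...]" into a timestamp and candidate signatures.
function parseSignatureHeader(header) {
  const parts = { timestamp: null, signatures: [] };
  for (const item of String(header || '').split(',')) {
    const idx = item.indexOf('=');
    if (idx === -1) continue;
    const key = item.slice(0, idx).trim();
    const value = item.slice(idx + 1).trim();
    if (key === 't' && /^\d+$/.test(value)) parts.timestamp = Number(value);
    // Only well-formed 32-byte hex signatures are kept, so lengths always match below.
    if (key === 'v1' && /^[0-9a-f]{64}$/.test(value)) parts.signatures.push(value);
  }
  return parts;
}

// rawBody must be the exact bytes received, before any JSON parsing.
function verifyStripeSignature(rawBody, header, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { timestamp, signatures } = parseSignatureHeader(header);
  if (timestamp === null || signatures.length === 0) {
    return { ok: false, reason: 'malformed-header' };
  }
  if (Math.abs(nowSeconds - timestamp) > TOLERANCE_SECONDS) {
    return { ok: false, reason: 'timestamp-outside-tolerance' };
  }
  const expected = createHmac('sha256', secret).update(`${timestamp}.`).update(rawBody).digest();
  // Constant-time comparison against every v1 candidate (several appear during secret rotation).
  const match = signatures.some((sig) => timingSafeEqual(Buffer.from(sig, 'hex'), expected));
  return match ? { ok: true, reason: 'verified' } : { ok: false, reason: 'signature-mismatch' };
}

// Constructed sample input (not a real secret or event).
const SAMPLE_SECRET = 'whsec_constructed_example_only';
const SAMPLE_BODY = Buffer.from('{"id":"evt_constructed","type":"checkout.session.completed"}');
const SAMPLE_TIME = 1700000000;

// Builds a header the way the sender would, so the verifier can be exercised offline.
function signSample(body, secret, t) {
  const mac = createHmac('sha256', secret).update(`${t}.`).update(body).digest('hex');
  return `t=${t},v1=${mac}`;
}
```

In a deployed handler, reject the request unless `ok` is true, and read the body as raw bytes: re-serialising parsed JSON changes the signed payload.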

Publish + SEO recommendations

  • Run npm run capsule:index and npm run capsule:sitemap after adding capsules so the registry and sitemap stay in sync.
  • Verify SITE_URL points at the production domain so search engines receive the correct URLs.

License Enforcement System

The AveryOS License Enforcement System provides transparent, SHA-verified tracking of capsule usage and licensing compliance.

Key Features

  • Public Transparency: All enforcement logs are publicly viewable
  • SHA-512 Verification: Cryptographic verification of all events
  • Voluntary Compliance: Focus on offering licensing options via Stripe
  • No Legal Automation: No automated lawsuits, takedowns, or legal threats
  • Creator Protection: Helps creators track and protect their intellectual property

Generate Evidence Bundle

npm run enforcement:generate <capsule-id> <sha512-hash> [options]

Example:

npm run enforcement:generate sovereign-index cf83e135... --source="https://example.com"

This generates:

  • SHA-verified evidence bundle in public/license-enforcement/evidence/
  • Compliance notice in public/license-enforcement/notices/
  • Event log entry in public/license-enforcement/logs/

View Enforcement Log

Visit /license-enforcement to view the public enforcement log with:

  • Timestamped events
  • SHA-512 verification
  • Licensing options via Stripe
  • Transparent compliance tracking

All enforcement is informational only and focused on offering voluntary licensing options.

⛓️⚓⛓️ Protocol Anchor — CreatorLock™ Mathematical Immutability

The CreatorLock™ is AveryOS™'s guarantee that the creator's intellectual property and the integrity of the runtime are mathematically immutable. Here is how it works:

How CreatorLock™ Ensures Mathematical Immutability

  1. Root0 Genesis Kernel SHA-512
    The root anchor is a SHA-512 hash of the original AveryOS™ kernel:

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
    

    SHA-512 produces a 512-bit digest. The probability of any two different inputs producing the same hash (a collision) is astronomically small (~2⁻²⁵⁶). This hash cannot be reversed or forged.

  2. VaultChain™ D1 Ledger
    Every state change to the AveryOS™ system is written to the vault_ledger D1 table with its SHA-512 hash. The most recent row is the canonical state of the system.

  3. KV Genesis State Drift Detection
    The current_genesis_state KV key must always equal the sha512_hash of the latest vault_ledger row. Every request to /api/v1/integrity-check and every hourly Watchdog pulse compares these two values. A mismatch triggers a LOGIC_DRIFT_DETECTED alert — proving that no silent modification has occurred.

  4. Hourly Sovereign Autonomy Pulse
    The architecture-integrity Worker fires every hour (cron 0 * * * *) via its scheduled() handler. Even if the external Bitcoin network API is unavailable, the internal D1-to-KV audit always completes and a SOVEREIGN_AUTONOMY_PULSE record is written to R2. The system audits itself continuously and autonomously.

  5. Public Zero-Knowledge Audit Interface
    The /sovereign-anchor/public page proves integrity without revealing internal data — a Zero-Knowledge Proof approach:

    • Internal Path: /api/v1/anchor — private/admin only.
    • Public Path: /sovereign-anchor/public — shows the CreatorLock™ Trust Seal, Genesis SHA-512, Bitcoin anchor block, and a deterministic Proof-of-Existence badge, with no raw capsule content or internal KV keys exposed.

  6. Bitcoin Anchor
    The sovereign state was confirmed at Bitcoin block #938,909. The Watchdog reads the current block height hourly to prove that the AveryOS™ system is in continuous, time-stamped synchronisation with the Bitcoin blockchain — an external, immutable reference that no single party controls.

In plain terms: the data is anchored, hashed, cross-verified across three independent stores (D1, KV, R2), and compared against a public blockchain — making any silent tampering mathematically detectable.
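A sketch of the D1-to-KV comparison from item 3, as an added example rather than the repository's own code; the row shape, the `id` ordering column and every status name other than LOGIC_DRIFT_DETECTED are assumptions. It also reports when both stores agree on the SHA-512 digest of zero-length input, which is what the value printed in item 1 evaluates to, since such a digest commits to no content.

```javascript
// Added example: drift check between the latest vault_ledger row and the KV value.
const { createHash } = require('node:crypto');

const SHA512_HEX = /^[0-9a-f]{128}$/;

// Digest of zero-length input, computed rather than hard-coded.
const EMPTY_INPUT_SHA512 = createHash('sha512').update('').digest('hex');

// Value shown in item 1 above, copied from the page.
const GENESIS_HASH =
  'cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce' +
  '47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e';

// rows: [{ id, sha512_hash }] as read from vault_ledger ("id" column is assumed).
function latestLedgerHash(rows) {
  if (!Array.isArray(rows) || rows.length === 0) return null;
  return rows.reduce((a, b) => (b.id > a.id ? b : a)).sha512_hash;
}

function checkGenesisState(rows, kvValue) {
  const ledgerHash = latestLedgerHash(rows);
  if (ledgerHash === null) return { status: 'NO_LEDGER_ROWS' };

  const a = String(ledgerHash).toLowerCase();
  const b = String(kvValue ?? '').toLowerCase();
  // A truncated or non-hex value must not be treated as a valid state.
  if (!SHA512_HEX.test(a) || !SHA512_HEX.test(b)) return { status: 'MALFORMED_HASH' };

  if (a !== b) return { status: 'LOGIC_DRIFT_DETECTED', ledgerHash: a, kvHash: b };

  // The stores agree; still report when they agree on the digest of nothing.
  return { status: a === EMPTY_INPUT_SHA512 ? 'MATCH_EMPTY_INPUT_DIGEST' : 'MATCH' };
}

// Constructed sample ledger (hashes of placeholder strings).
const h = (s) => createHash('sha512').update(s).digest('hex');
const SAMPLE_ROWS = [
  { id: 1, sha512_hash: h('state-1') },
  { id: 2, sha512_hash: h('state-2') },
];
```

A match only shows that the two stores hold the same string; what that string commits to depends on the bytes that were hashed.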


GabrielOS Firewall — Edge Security

The GabrielOS Firewall is deployed at the edge via Cloudflare Workers middleware. It intercepts and verifies every request before it reaches the application.

Features

  • AI Scraper Detection: Identifies OpenAI, Claude, Gemini, and other AI bots
  • 402 Payment Required: Returns HTTP 402 for unlicensed AI scrapers
  • Verified Access: AI systems can bypass with X-VaultChain-Pulse header
  • Human-Friendly: Standard browsers pass through without restrictions

Testing the Firewall

# Human traffic (passes)
curl -v https://averyos.com/

# AI scraper (blocked with 402)
curl -v -H "User-Agent: GPTBot/1.0" https://averyos.com/

# Authorized AI (passes)
curl -v -H "User-Agent: GPTBot/1.0" -H "X-VaultChain-Pulse: token" https://averyos.com/

See GABRIELOS_FIREWALL.md for complete documentation.

Cloudflare Deployment

Build for Cloudflare

To build the complete project for Cloudflare deployment (including capsules, sitemap, and worker):

npm run build:cloudflare

This command:

  1. Generates capsule manifests
  2. Creates sitemap.xml
  3. Builds the Cloudflare Worker bundle in .open-next/

Cloudflare Pages Configuration

If deploying via Cloudflare Pages dashboard, configure:

Build command:

npm run build:cloudflare

This runs the complete build pipeline including capsule generation, sitemap creation, and Worker compilation.

Build output directory:

.open-next

Verify that the Build output directory is set to .open-next.

📖 For detailed step-by-step instructions, see CLOUDFLARE_PAGES_SETUP.md

See CLOUDFLARE_BUILD_FIX.md for detailed setup instructions.

Manual Worker Deployment

  1. Set Worker secrets in Cloudflare and GitHub Actions:
    • VAULTSIG_SECRET
    • STRIPE_KEY
  2. Ensure Wrangler is authenticated.
  3. Deploy:

    npm run deploy

Or deploy directly with Wrangler:

npx wrangler deploy --env production

Automated Deployment

GitHub Actions automatically deploys to Cloudflare Workers on push to main branch. See .github/workflows/deploy-worker.yml for configuration.

About

⛓️⚓⛓️ AveryOS ForeverNode Active: [Node-02 SHA-512 Hash] AOS is a Sovereign Operating Framework authored by Jason Lee Avery. It enables Truth-Locked capsule execution, creator-owned licensing, and zero-drift runtime enforcement. This repository anchors the principles of AveryOS & is governed under the AveryOS Sovereign Integrity License v1🤛🏻⛓️⚓⛓️
