threat model & scope
prepete
bitcoin · complex systems · citadels · mythic law

what this architecture does—and does not—defend against

Every Sovereign System Design engagement runs on an explicit threat charter. This is that charter. It defines:

  • Which adversaries we are actually designing against.
  • Which surfaces and failure modes are in scope.
  • What is explicitly out of scope so we don’t drift into fantasy.

It applies to all paid work on the offerings page: Triage, Sovereign Intelligence Dossier, SovStack Blueprint, Cell / Citadel Deployment, and the Sovereign Immune System retainer.

This document does not constitute legal, tax, accounting, medical, or investment advice. You are responsible for your own decisions and compliance, with your own professional advisors.

This work does not assist with, encourage, or design around illegal activity, fraud, sanctions violations, tax crimes, or violent coercion. Resilience is not the same as impunity.

There is no such thing as zero risk. This architecture changes probabilities and blast radius; it does not grant invulnerability.

0. purpose & boundaries

Sovereign System Design is not generic “privacy hardening”, brand positioning, or a promise that nothing bad can ever happen to you.

Each architecture explicitly encodes:

  • Which adversaries you’re prioritizing.
  • Which risks you’re accepting as background conditions.
  • What you must change in behavior, infra, and governance for it to work.

The core standard stays the same:

Make your life, wealth, organization, and local world structurally uncapturable by any single vendor, jurisdiction, or regulator—and able to walk away.

We design for resilience and bounded exposure, not to place you “above” legitimate law or consequences. The aim is to prevent arbitrary, total capture by any one institution—not to erase cause and effect.

1. threat actors in scope

The model assumes you are already inside a Synthetic Stack where money, law, platforms, and narrative are all programmable control surfaces. Seven primary actor classes are considered.

1.1 State (national / regional / municipal)
Motives: tax, control, deterrence, asset visibility, narrative discipline.

  • Legal compulsion (courts, regulators, agencies, administrative processes).
  • Freezing and seizing via banks, exchanges, custodians.
  • Bulk surveillance, data brokerage, cross-border information sharing.

Assumption: you might not be a Tier-1 intel target, but you live inside automated compliance systems that can affect you without a human decision.

1.2 Corporations (custodians, banks, SaaS, processors)
Motives: profit, license protection, ToS enforcement, risk offload, data extraction.

  • Account freezes and closures.
  • ToS-driven deplatforming.
  • Quiet cooperation with regulators and law enforcement.
  • Monetization and leakage of behavioral and transaction data.

1.3 Platforms (social, comms, app stores, content rails)
Motives: narrative control, “safety”, growth, regulatory risk management.

  • Shadow bans, suspensions, permanent bans.
  • Algorithmic throttling with minimal recourse.
  • Payment, app-store, hosting, and domain lockouts.

1.4 Synthetic governance / AI gatekeepers
Models embedded inside banks, platforms, agencies, and vendors.

  • Risk scoring and access control across finance, mobility, healthcare, services.
  • Cross-institution correlation via shared data and models.
  • Opaque “risk” labels that trigger real-world actions without your knowledge.

1.5 Middleware / data utilities
Chain analysis, KYC/AML utilities, credit bureaus, background-check services, data brokers.

  • Correlate your behavior across multiple institutions.
  • Feed watchlists and risk scores into banks, exchanges, and regulators.
  • Act as hidden bridges between your actions and someone else’s adverse decision.

1.6 Ex-partner / insider (personal, professional, organizational)
Lovers, cofounders, family, “the techy one”, early members.

  • Access to shared devices, accounts, seeds, and documents.
  • Leverage via courts, HR, regulators, or internal process.
  • Smears, leaks, doxxing, and social-graph manipulation.

Most catastrophic failures come from trusted proximity under stress, not strangers. The model treats insiders—including possible future versions of you—as real adversaries.

1.7 Non-state adversaries (from “random hacker” to organized crime)

  • Scams, phishing, SIM swaps, social engineering.
  • Commodity malware, ransomware, credential-stuffing.
  • Technically competent but non-state operators with budget and time.

Coverage extends to capable non-state adversaries up to a defined ceiling below dedicated nation-state offensive teams.

2. surfaces & exposure map

The model treats your life, org, or cell as an integrated stack. Ten main surfaces are always in play:

  1. Money & treasury
    Custody posture, KYC trail, bank and exchange dependence, on/off-ramps, cold/warm/hot tiering, inheritance paths.
    The model assumes Bitcoin itself will face increasing regulatory and analytical pressure; treasury architecture is built for an adversarial environment, not a neutral one.
    Choice of medium (BTC, XMR, cash, stablecoins, metals, goods, skills) is part of the risk profile and governed by the MOE Codex, not by improvisation.
  2. Infrastructure & comms
    Cloud, SaaS, hosting, DNS, email, CRM, payments, messaging, social, and coordination tools—especially single-provider dependencies.
  3. Law & paper
    Entities, title, trusts, contracts, insurance, operating agreements, liability exposure, and where “we’ll do it later” really means “you’re unprotected now”.
  4. Narrative & data
    Public footprint, doxxability, reputational choke points, how your “sovereignty” aesthetic can be weaponized against you. Some “resistance” narratives themselves are treated as possible containment scripts that increase exposure instead of reducing it.
  5. Identity & credentials
    Passports, IDs, visas, professional licenses, and any regime that can revoke your ability to work, move, or exist in a place.
  6. Mobility & vehicles
    Travel patterns, airline and immigration databases, carrier watchlists, telematics in vehicles. Borders are treated as high-risk zones where device and account searches may be unusually invasive.
  7. Somatic & capacity
    Health, nervous system, burnout, addiction, caregiving load. How capacity collapse cascades into financial, legal, and narrative vulnerability.
  8. Self & dependents
    Future-you under fear or comfort (“I’ll just put it back on the easy thing”), plus children, elders, disabled family, staff, and others you are responsible for. Architecture is designed to make relapse harder and less catastrophic, not just to demand more willpower.
  9. Local / physical & supply chain
    Food, water, energy, shelter basics; meds and critical tools; exposure to freight, sanctions, and vendor concentration.
  10. Third-party professionals & services
    Lawyers, accountants, clinicians, therapists, consultants, and their record-keeping and reporting duties (SARs, mandatory reporting, discovery). Their files are treated as indirect attack surfaces, not neutral sinks.

Tools and brands are downstream of this map. Structure comes first.

3. design goals & canonical failure scenarios

The architecture is defined as much by the failures it wants to prevent as by the tools it chooses.

3.1 Non-negotiable design goals

  • Structural uncapturability (relative, not absolute) — no single vendor, platform, or jurisdiction can unilaterally end your life, work, or cell.
  • Redundancy with integrity — parallel rails without recreating a brittle mini-state or personality cult.
  • Exitability — predesigned paths to walk away from banks, platforms, jurisdictions, founders, or members without total chaos.
  • Damage containment — when something fails, loss is bounded and does not cascade through the entire stack.
  • Symbolic, legal, and economic coherence — what you say you are (Bitcoin-native, voluntaryist, sovereignty-aligned) is actually reflected in rules and diagrams.
  • Collapse literacy — the system can degrade into lower modes (bank outages, comms failures, logistics shocks) without erasing dignity or continuity.
  • Forkability & anti-cult guardrails — systems can be forked and exited; no person (including me) is structurally irreplaceable. This exists partly to prevent cells from sliding into micro-tyrannies.

Every sovereignty move introduces new internal risk: more complexity, more governance load, more potential for disputes. The model makes these tradeoffs explicit and bounded instead of pretending they don’t exist.

3.2 Primary failure scenarios we design against

  • Total financial ruin — most liquid / productive assets seized, frozen, stolen, or rendered unusable.
  • Legal / incarceration catastrophe — key nodes legally hamstrung or imprisoned with no succession or continuity paths.
  • Social / narrative killshot — reputational events that erase your ability to operate in your domain.
  • Care / dependency collapse — a key earner or caregiver fails and there are no redundant structures; vulnerable dependents are exposed. Design is biased toward protecting children, elders, disabled, caregivers, and ecosystems.
  • Internal betrayal meltdown — founder, partner, family member, or key member goes rogue and can unilaterally wreck everything from inside.

4. what this architecture aims to mitigate

The work does not try to “beat everyone at everything.” It commits to specific threat bands and failure classes.

4.1 State, regulator, and bank/exchange capture (baseline to mid-tier)

  • Overexposure to one broker, one bank, one exchange, one jurisdiction.
  • Obvious seizure/freeze paths via easy-to-lean-on institutions.
  • Inheritance and succession failures that invite state or court intervention.
  • Structures where one lawsuit or investigation automatically destroys everything.

Designs emphasize separation between “visible / clean / off-grid” flows where lawful and appropriate, multisig / legal wrappers that require more than one jurisdiction or entity to move serious value, and paths to reduce future KYC exposure where that aligns with your ethics and legal obligations.

4.2 Corporate, platform, and middleware deplatforming

  • Entire income streams sitting on one corporate stack.
  • Comms and reach dependent on 1–2 major platforms.
  • Hosting, DNS, app-store, and SaaS choke points ignored until the ToS email hits.
  • Risk scoring by analytics providers that can cascade quietly across institutions.

The target state: losing a major platform or processor hurts, but does not end the stack.

4.3 Insider, ex-partner, and governance failures

  • Shared accounts or seeds controlled by “the techy one” or “the founder”.
  • No clean exits for divorce, cofounder splits, burnout, or death.
  • Governance by vibes instead of explicit agreements and thresholds.

Protocol packs define roles, permissions, and triggers; onboarding, offboarding, expulsion, and shutdown are designed explicitly; forkability and exit rights are built in to prevent cult drift.

4.4 Non-state technical attacks (up to a defined ceiling)

  • Hot-wallet overexposure, browser-extension custody, weak 2FA and recovery setups.
  • Unsegmented balances where “this is everything I have” sits in one easy-to-hit place.

Treasury tiering and realistic account/endpoint hygiene are designed so a device or account compromise does not equal total ruin. Incident response and deep forensics remain out of scope.

4.5 Narrative warfare, lawfare, and symbolic choke points

  • Smears, brigading, and selective leaks that impact income or safety.
  • Your own narrative and branding being weaponized against you.
  • Strategic complaints, lawsuits, and regulatory actions as tools of suppression.

Structure is designed so that projects, legal entities, and personal identity are separable, and so that internal documentation and agreements survive discovery and selective quotation better than “DMs and vibes”.

4.6 Supply chain, logistics, and local resilience

  • Single suppliers for critical tools, meds, or inputs.
  • Reliance on fragile freight and export regimes.
  • No minimal redundancy for food, water, energy, or basic care.

4.7 Drift back into the Synthetic Stack

Without maintenance, almost everything drifts back toward convenience tools and identity-cosmetics that reintroduce capture. The Sovereign Immune System retainer and the Sovereign Immunity Log exist to track changes, rescore risk, and kill or restructure anything that quietly turns sovereignty into costume or cult.

The Immunity Log is primarily your asset; my side retains only minimal working notes, bounded by the Data Handling & Retention Policy.

5. explicit non-goals & upper bounds

There are classes of threat where it would be dishonest to imply coverage. These are treated as out of scope unless explicitly and separately addressed.

5.1 Tailored nation-state offensive operations

  • Dedicated, named targeting by major security or intelligence services.
  • Hardware implants, supply-chain interdictions, evil-maid, black-bag operations.
  • Custom 0-day exploitation and persistent endpoint monitoring.

The architecture does not provide embassy-grade, Tails-level tradecraft. If this is your world, your entire life becomes a security regimen; this practice focuses on civilian, collapse-literate sovereignty, not spycraft.

5.2 Retroactive erasure & fully compromised environments

The model cannot retroactively erase prior KYC, public behavior, historical communications, or existing legal footprints. Deeply compromised devices, accounts, and networks cannot be “magically cleaned” in a document.

The work focuses on forward-looking structures, migration paths, and treating “possibly compromised” systems appropriately.

5.3 Absolute anonymity or invisibility

No promises are made about perfect unlinkability or total absence from graphs, registries, or datasets. The goal is controlled, intentional legibility with minimized new trace, not permanent invisibility.

5.4 Criminal, coercive, or abusive use-cases

The architecture is for non-aggressive, voluntary actors: people, orgs, and cells who do not initiate violence, coercion, or fraud, and high-vulnerability nodes who need protection, not cover.

It is not here to hide assets from legitimate, earned obligations (e.g., clear debts, child support, reparations), nor to provide an operational shell for exploitation, trafficking, or predation. If the work is being used to systematically exploit or trap others, engagement ends.

5.5 Device-by-device personal IT management

I do not become your ongoing IT department or hardware security engineer. Minimum viable practices and boundaries are defined; specialist work remains with specialist professionals.

6. tradeoffs, profile, & “becoming interesting”

Serious sovereignty changes your profile. It reduces some dependencies and risks while increasing others.

  • Moving to non-custodial, parallel rails can reduce seizure risk while making your pattern more unusual.
  • Routing more activity through Bitcoin can strengthen long-term position while attracting more analytics attention in some contexts.
  • Entities and structures can protect assets while adding reporting and compliance surfaces.

The goal is not to vanish from every system. The goal is to control where and how you are legible, to whom, and on what terms, while keeping worst-case damage bounded.

7. ethics, priorities, & risk appetite

Different people value different things above all else:

  • Never losing family.
  • Never going to prison.
  • Never becoming dependent on a state again.
  • Never crossing certain ethical lines.
  • Never being forced to leave a particular place.

There is no assumed universal hierarchy. As part of intake (PETQ, Triage, Dossier), you are asked to name your non-negotiables and your sacrifice order.

Your self-perception of importance and risk is treated as untrusted input and cross-checked against structure: geography, role, visibility, dependencies, and history. Architecture is then designed to match your real ethics and risk appetite, not a fantasy of invulnerability.

8. time horizon & escalation

Design assumptions:

  • The next 3–10 years will not behave like the last 10.
  • Synthetic governance, AI gatekeeping, CBDCs, analytics, and lawfare will increase in automation and reach.
  • Bitcoin will see growing attempts at capture, surveillance, and segmentation.
  • Your role, geography, and visibility may shift, changing your threat tier.

Today’s regulators, banks, and platforms are not assumed to be the final form of the Synthetic Stack. If your profile moves outside this spec, that becomes an explicit conversation and re-evaluation, not silent drift.

9. how this plugs into the offerings ladder

All five core engagements run on this threat model; they differ by depth and application.

  • Sovereign Triage Brief — PETQ + short capture snapshot across money, infra, jurisdiction, comms, and a 30/60/90 Minimum Viable Sovereign Shift sequence. Answers: “Is there enough here to justify full architecture work?”
  • Sovereign Intelligence Dossier — full capture map across all ten surfaces, dependency graph, Top-10 risk ranking, and a 30/60/90 MVSS plan keyed to your actual threat profile.
  • SovStack Blueprint — sovereignty-native OS design built from the Dossier: treasury, liquidity, governance, contracts, conflict, exit, shutdown, somatic baselines, and architecture maps.
  • Cell / Citadel Deployment — operationalizing the blueprint for a small cell or early citadel: protocol packs, treasury architecture, 3-month resilience skeleton, and drills for your specific failure scenarios.
  • Sovereign Immune System — ongoing anti-drift: Sovereign Immunity Log, periodic risk refresh, and symbolic hygiene checks.

If your real-world situation turns out to sit beyond this spec (e.g., true nation-state targeting, active blackmail networks, open warzones), that does not automatically disqualify you, but it does change the conversation. The first step is honest calibration, not theatre.

10. my practice as attack surface & single point of failure check

My tools, notes, and communications are themselves an attack surface:

  • Messages and documents can be compelled, intercepted, misinterpreted, or selectively exposed.
  • I can be pressured, investigated, or taken offline.

Architecture assumes that anything sent to me could one day be compelled or exposed. Retention on my side is minimized and governed by the Data Handling & Retention Policy. Diagrams and patterns are designed so that even if they appear in a dump or courtroom, they reveal as little as possible and do not single-handedly destroy you.

Designs are built to remain useful even if I disappear tomorrow. If I ever become a single point of failure in your sovereignty, the architecture has already failed.

If you find serious flaws or blind spots in this threat model, I treat that as a bug report on the operating system. The default stance is to patch the design, credit the critique, and, where appropriate, tip sats.

11. how to read this for your own life / stack

If you have meaningful assets, responsibilities, or people depending on you, and you live mostly inside one jurisdiction, one custodian, one platform stack, or one informal social contract, your real threat model already includes:

  • States, corporations, platforms, synthetic governance, and data utilities.
  • Insiders, ex-partners, and non-state attackers.
  • Your own future self under stress, and the people you care for.

The work here exists to turn that from silent, totalizing exposure into bounded, modeled risk with exits, redundancy, and explicit failure modes. If there is nothing meaningful to lose, you don’t need this. If there is, you probably do.