Anchor Capsule Protocol

(Sombra ↔ EMS Semaphore)

1. Purpose

The Anchor Protocol governs the creation, transfer, verification, rendering, and closure of Anchor Capsules between Sombra and EMS Semaphore.

Its function is to ensure that no artifact is rendered without constitutional admissibility, integrity, and witnessed completion.

2. Objects

Anchor Capsule

A sealed, signed unit representing a single admissible artifact.

An Anchor Capsule includes:

  • anchor_id

  • integrity hash

  • custody state

  • validity window

  • issuing signature (Sombra)

3. Anchor Capsule Lifecycle Boundary

An Anchor Capsule may exist only in the following states:

L0 — Draft

Unsigned. Internal to Sombra. Not eligible for OFFER.

L1 — Issued

Signed by Sombra. Contains anchor_id, integrity hash, and custody_state ∈ {HELD, QUARANTINED, ADMITTED}.

Eligible for OFFER only if custody_state = ADMITTED.

L2 — Offered

Transmitted via ANCHOR_OFFER.

Capsule becomes immutable. Any modification requires issuance of a new capsule.

L3 — Accepted

Semaphore returns ANCHOR_ACCEPT.

Capsule becomes SIGNAL-LOCKED. No mutation or reuse permitted.

L4 — Consumed

Semaphore completes processing via SIGNAL_COMPLETE or SIGNAL_ABORT.

Capsule resolves to:

  • SIGNALED (complete)

  • ADMITTED (abort without release)

  • HELD (rollback)

L5 — Expired

Validity window elapsed without ACCEPT.

Capsule is void and must not be reused.

Invariant:

An Anchor Capsule is immutable once offered, locked once accepted, and void once expired.

4. Messages

ANCHOR_OFFER

Issued by Sombra.

Contains exactly one Anchor Capsule in L1 state.

Semaphore MUST reject if:

  • capsule is expired

  • integrity hash mismatch

  • custody state ≠ ADMITTED

  • capsule lifecycle state ≠ L1

ANCHOR_ACCEPT

Issued by Semaphore.

Transitions capsule to L3 (Accepted).

SIGNAL_COMPLETE

Issued by Semaphore after successful render.

Transitions capsule to L4 (SIGNALED).

SIGNAL_ABORT

Issued by Semaphore when render is halted.

Capsule transitions to L4 with custody determined by abort reason.

RENEWAL_REQUEST

May be issued only for capsules in L5 (Expired).

Requires issuance of a new capsule with a new signature.

5. Processor Obligations

Sombra MUST:

  • never mutate capsules after OFFER

  • never reuse expired or consumed capsules

  • issue a new capsule for any change

  • honor SIGNAL-LOCK on ACCEPT

EMS Semaphore MUST:

  • verify lifecycle state before fetch or render

  • reject stale, mutated, or invalid capsules

  • never render without ACCEPT

  • always return terminal signal (COMPLETE or ABORT)
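An added example, not part of the protocol text or of any Sombra or Semaphore code: one way Semaphore could enforce the ANCHOR_OFFER rejection rules and the never-render-without-ACCEPT obligation, keeping lifecycle state in its own ledger instead of trusting a sender-supplied value. The signature check is included under "reject stale, mutated, or invalid capsules". Assumptions: SHA-256 as the integrity hash, HMAC-SHA256 with a constructed key standing in for Sombra's signature, the validity window reduced to an expiry timestamp, and the hypothetical names Capsule, sign, issue, ledger, on_offer and finish.

```python
import hashlib, hmac
from dataclasses import dataclass
KEY = b"constructed-demo-key"  # assumption: HMAC-SHA256 stands in for Sombra's signature

@dataclass(frozen=True)  # frozen mirrors "immutable once offered"
class Capsule:
    anchor_id: str
    artifact: bytes
    integrity_hash: str   # assumption: hex SHA-256 of the artifact
    custody_state: str    # HELD | QUARANTINED | ADMITTED
    not_after: float      # assumption: end of validity window, epoch seconds
    signature: str

def sign(anchor_id, integrity_hash, custody_state, not_after):
    msg = repr((anchor_id, integrity_hash, custody_state, not_after)).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def issue(anchor_id, artifact, custody_state, not_after):  # Sombra: L0 -> L1
    h = hashlib.sha256(artifact).hexdigest()
    return Capsule(anchor_id, artifact, h, custody_state, not_after,
                   sign(anchor_id, h, custody_state, not_after))

class Semaphore:
    def __init__(self):
        self.ledger = {}  # anchor_id -> lifecycle state, tracked by the receiver

    def on_offer(self, c, now):
        """Return rejection reasons; an empty list means ANCHOR_ACCEPT (L3)."""
        reasons = []
        expected = sign(c.anchor_id, c.integrity_hash, c.custody_state, c.not_after)
        if not hmac.compare_digest(c.signature, expected):
            reasons.append("signature invalid")
        if now > c.not_after:
            reasons.append("expired")
        if hashlib.sha256(c.artifact).hexdigest() != c.integrity_hash:
            reasons.append("integrity hash mismatch")
        if c.custody_state != "ADMITTED":
            reasons.append("custody state != ADMITTED")
        if c.anchor_id in self.ledger:  # already accepted or consumed here
            reasons.append("lifecycle state != L1")
        if not reasons:
            self.ledger[c.anchor_id] = "L3"  # SIGNAL-LOCKED
        return reasons

    def finish(self, anchor_id, ok):  # terminal signal, L3 -> L4
        if self.ledger.get(anchor_id) != "L3":
            raise ValueError("never render without ACCEPT")
        self.ledger[anchor_id] = "L4"
        return "SIGNAL_COMPLETE" if ok else "SIGNAL_ABORT"
```

Because the ledger is keyed by anchor_id, a capsule that was already accepted or consumed is rejected on a second offer even when its signature, hash and validity window still check out.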

6. Closure Rule

No Anchor Capsule may exit the system without a witnessed terminal state.

There are no silent drops, orphaned renders, or unowned failures.