EFFECTIVE IMMEDIATELY: All ChittyID generation is restricted to authorized servers only.
- NO LOCAL GENERATION - ChittyIDs cannot be generated locally under any circumstances
- NO FALLBACK GENERATION - Local fallback mechanisms are prohibited
- NO OFFLINE MODE - ChittyID operations require server connectivity
- NO MOCK GENERATION - Even in tests, use real server or proper error handling
ONLY the following servers may generate ChittyIDs:
- Primary Server: https://id.chitty.cc
- Hybrid System: id.chitty.cc/ontology/*, id.chitty.cc/translate/*, id.chitty.cc/governance/*
- Authorized Backup (when configured): https://fallback.id.chitty.cc

// ✅ CORRECT - Server request only
const chittyId = await client.requestChittyID({
  type: 'document',
  metadata: { /* document metadata */ }
});

// ❌ FORBIDDEN - Local generation
const chittyId = generateLocalChittyID(); // VIOLATION

All requests must include:
X-ChittyOS-Pipeline: Router→Intake→Trust→Authorization→Generation

// ✅ CORRECT - Fail fast, no fallback
if (!serverAvailable) {
  throw new Error('Server required. No local generation available.');
}

// ❌ FORBIDDEN - Local fallback
if (!serverAvailable) {
  return generateFallbackId(); // VIOLATION
}

- All ID generation requests must flow through the ChittyOS 5-layer pipeline
- Pipeline violations result in immediate request rejection
- No bypass mechanisms permitted
- All clients must authenticate with CHITTY_API_KEY
- Requests without valid authentication are rejected
- No anonymous generation permitted
- All IDs cryptographically bound to content via SHA-256 hashing
- VRF checksums with drand beacon integration
- Tamper-evident ID structure
- All generation attempts logged for compliance
- Failed generation attempts tracked
- Violation attempts flagged for security review

# Run compliance validation
./scripts/validate-compliance.sh

# Check for violations
grep -r "generateChittyID\|generateFallback\|localGeneration" . --include="*.js"

- Weekly automated scans for policy violations
- Manual security reviews for new code
- Penetration testing of enforcement mechanisms
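
The grep pattern above does not match `generateLocalChittyID`, the name this policy itself uses for the forbidden call, and `--include="*.js"` skips TypeScript and `.mjs` sources. The scanner below is an added example for a pre-commit hook or CI step, not part of the original policy or the ChittyID code base; the broader pattern, the extension list and the sample files are assumptions constructed for illustration.

```javascript
// Added example, not ChittyID project code. The extension list and the broad
// pattern are assumptions chosen to cover the identifiers this policy names.
const SCANNED_EXTENSIONS = /\.(?:js|mjs|cjs|jsx|ts|tsx)$/;

// The policy's grep pattern, translated literally.
const POLICY_PATTERN = /generateChittyID|generateFallback|localGeneration/g;

// Broader rule: a generate*/create*/make* identifier that also names ChittyID
// or Fallback, plus any identifier containing "localGeneration".
const BROAD_PATTERN =
  /\b(?:generate|create|make)\w*(?:ChittyID|Fallback)\w*|\w*localGeneration\w*/gi;

// Returns one finding per match: { file, line, identifier }.
function findViolations(fileName, sourceText, pattern = BROAD_PATTERN) {
  if (!SCANNED_EXTENSIONS.test(fileName)) return [];
  const findings = [];
  sourceText.split(/\r?\n/).forEach((text, index) => {
    for (const match of text.matchAll(pattern)) {
      findings.push({ file: fileName, line: index + 1, identifier: match[0] });
    }
  });
  return findings;
}

// files: { path: sourceText }. A non-empty result should fail the hook or CI job.
function scanFiles(files, pattern = BROAD_PATTERN) {
  return Object.entries(files).flatMap(([name, text]) =>
    findViolations(name, text, pattern));
}

// Constructed sample input (not real project files).
const SAMPLE_FILES = {
  'src/client.ts': [
    "const id = await client.requestChittyID({ type: 'document' });",
    'if (!serverAvailable) return generateFallbackId();',
  ].join('\n'),
  'src/legacy.js': 'const id = generateLocalChittyID();',
  'docs/notes.md': 'generateLocalChittyID is forbidden',
};

const describe = (f) => `${f.file}:${f.line} ${f.identifier}`;
const policyHits = scanFiles(SAMPLE_FILES, POLICY_PATTERN);
const broadHits = scanFiles(SAMPLE_FILES);
console.log('policy pattern:', policyHits.map(describe));
console.log('broad pattern: ', broadHits.map(describe));
```

The permitted `requestChittyID` call and the server-side `generateHybridId` method are not flagged by either pattern.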
- Immediate: Code review failure
- Deployment: Blocked until fixed
- Production: Automatic rollback if detected
- Detection: Immediate alert to security team
- Investigation: Full security audit
- Remediation: Forced compliance update
- Server health monitoring (id.chitty.cc)
- Pipeline enforcement validation
- Request pattern analysis
- Anomaly detection for unusual generation patterns
- Daily automated code scans
- Pre-commit hooks for violation detection
- CI/CD pipeline integration
- Production runtime monitoring
- DO NOT implement local fallback
- DO display appropriate error to user
- DO retry with exponential backoff
- DO escalate to infrastructure team
- Immediate: Stop the violating process
- Assessment: Determine scope of impact
- Remediation: Fix the violation
- Validation: Re-run compliance checks

export class ChittyIDClient {
  // apiKey: the CHITTY_API_KEY credential
  constructor(apiKey) {
    this.apiKey = apiKey;
  }

  async requestChittyID(options) {
    if (!this.apiKey) {
      throw new Error('API key required. No local generation.');
    }
    // Server request only
    // Caveat: fetch() throws a TypeError on header values containing
    // characters above U+00FF, which includes '→'.
    const response = await fetch('https://id.chitty.cc/api/generate', {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${this.apiKey}`,
        'Content-Type': 'application/json',
        'X-ChittyOS-Pipeline': 'Router→Intake→Trust→Authorization→Generation'
      },
      body: JSON.stringify(options)
    });
    if (!response.ok) {
      throw new Error('Server generation failed. No local fallback.');
    }
    return response.json();
  }
}

export class ChittyIDServer {
  async generateHybridId(request) {
    // Validate pipeline
    this.validatePipelineRequest(request);
    // Generate with VRF + drand
    // Two CSPRNG bytes form a 16-bit value that is mapped to a 4-digit
    // sequence (1000-9999). 65536 is not a multiple of 9000, so the modulo
    // slightly favours the lower sequences.
    const ssss = crypto.getRandomValues(new Uint8Array(2));
    const randomNum = (ssss[0] << 8) | ssss[1];
    const sequence = ((randomNum % 9000) + 1000).toString();
    // Create dual format IDs
    // (namespace, jurisdiction, yearMonth and checksum are not defined in this excerpt)
    return {
      technical_id: `AA-C-${namespace}-${sequence}-I-${yearMonth}-7-${checksum}`,
      legal_id: `01-N-${jurisdiction}-${sequence}-P-${yearMonth}-3-${checksum}`
    };
  }
}

- ChittyID Technical Specification
- Hybrid ID System Documentation
- Security Architecture
- Compliance Validation Script
This policy is mandatory and non-negotiable. All code must comply before deployment.
Last Updated: September 28, 2025
Policy Version: 2.0
Enforcement: STRICT