# The GRRC Charter
#### What a Certification Asserts — and What It Deliberately Does Not

**Status:** Public-facing charter — owner-authored governance, Phase 34 / Slice 218. Companion to the whitepaper *Trust Will Decide the Robot Age* and to the *GRRC Trust Model v1.1*; member of the company-docs family under GRRC's institutional identity. Doc-of-record, sha-pinnable. Content version **v1.1**; doc-of-record filename `GRRC_Charter_v1.0.md`.

**Authored:** 2026-06-20 (US-East). The owner authored every governance claim in §A–§J **verbatim** at the Slice-218 ratification gates; the model's contribution is **structural only** — headings, front matter, and pressure-testing against the four conditions, the trust model, and the whitepaper (`HH-161` STRICT). The model authored **zero** governance meaning.

**Institutional identity (CD #864):** authored under the abstract certifier body **GRRC (Global Robot Registration and Certification)** — the institutional identity of record. The concrete operator/parent-company name is **DEFERRED (company TBD)** and is not baked into any durable identifier; the root of trust is a crypto-agile key-id, not an operator name. GRRC is institutionally separate from RES and from the Laws of Robots brand (fixer ≠ certifier, mirrored at the entity/brand layer).

**Relationship to its companion documents:** the whitepaper argues *why* an independent trust layer must exist and states the four conditions; the trust model is the internal *how* (the owner-authored cert mechanics); this charter is the public *what it means*. It is consistent with both by construction and reopens neither — where the trust model settled a value, this charter restates it in public terms without altering it.

---

## §A — What GRRC is, and why it stands apart

GRRC is the certification body responsible for attesting to a narrow, verifiable property of an autonomous robot's reasoning: that the reasoning engine has not suffered an integrity fault that would cause it to self-de-certify.

GRRC exists because the party that must be trusted cannot credibly certify itself. The robot is an autonomous agent with a body; its conduct cannot be verified by capability specifications or maker assurances alone. GRRC's role is strictly to certify this narrow property — never to build, operate, or control the robot itself.

RES provides the robot's internal reasoning and decision-making layer and is currently the first and only implementation of that property. GRRC certifies the property, not any specific product or maker. Today a single operator oversees both RES and GRRC; GRRC is intended to become a genuinely independent entity.

## §B — What a "Certified" stamp asserts

A valid GRRC certification asserts two narrow things only:

First, reasoning integrity — that the robot's reasoning engine has not suffered an integrity fault that would cause it to self-de-certify.

Second, genuineness — that the clearance is signed by the certifier against the embedded trust anchor and is not self-issued.

This is a process and tamper claim about the reasoning trace. The stamp certifies that the reasoning engine operated without an integrity fault that would have triggered self-de-certification; it does not certify that the resulting actions were correct or that the owner's rules were wise.

## §C — What "Certified" deliberately does NOT assert

A GRRC certification does not assert any of the following:

- That the robot's decision or outcome was good or correct.
- That the owner's rules were wise or sufficient.
- That the robot is otherwise safe, secure, or defect-free.
- That the robot conforms to the full Law catalog.
- That it binds a specific rulebook version or passed a defined test battery.

A certification that vouches for everything vouches for nothing. By keeping the claim narrow and bounded, GRRC produces a durable, verifiable attestation rather than an unbounded assurance that cannot be checked. GRRC does not bless the owner's rules or guarantee the wisdom of the robot's actions.

## §D — Who defines the limits

The owner of the robot defines its limits. The owner authors the Laws and preferences that govern the robot's behavior. The owner can make those constraints stricter at any time, but no one — including the owner — can lower the immutable safety floor established by the Laws.

GRRC does not substitute its judgment for the owner's and arrives with no worldview of its own to impose. GRRC certifies only that the reasoning engine operated without an integrity fault that would have triggered self-de-certification; it does not approve, validate, or bless the owner's rules themselves.

## §E — How the claim is verified, and the record behind it

The foundation of GRRC's verifiability is the robot's tamper-evident audit chain. Every decision, every certification-relevant event, and every erasure is recorded in an append-only, hash-linked, single-headed (fork-guarded) log. This chain can be verified offline against cryptographic signatures and is the examinable record that any third party with the artifacts can audit.

When per-subject erasure is exercised, only the sensitive payload content is destroyed. The hash links, sequence, and the fact that an authorized erasure occurred remain intact and verifiable. Verifiability of occurrence and integrity and the ability to erase subject content are therefore complementary, not contradictory.

The charter defines the claim as verifiable. However, the public verification API that would allow a non-expert to easily check it is deferred. "Verifiable" here means verifiable in principle by someone with access to the artifacts and the necessary expertise — not yet checkable by any layperson through a simple tool.

## §F — What certification can and cannot do to the robot

GRRC certification is informational and reputational only. It can never disable, seize, or remotely control the robot. Certification constrains and records; it is not a control surface. This is a fundamental, non-negotiable limit.

The robot checks its certification status locally using only the public trust anchor it holds. It operates identically whether or not GRRC is reachable. There is no runtime channel from GRRC into the robot.

When a self-de-certified robot is reinstated, it observes a certifier-signed supersession event in its own log that meets the four validity conditions. Recovery is never a remote restoration or command issued by GRRC. There is no "continue uncertified" backdoor that can force a blocked decision through, and owner self-clear or log-editing remains forbidden.

The robot's own self-de-certification — halting when it detects an integrity fault — is its internal safety floor working. This is categorically different from GRRC having any ability to stop or disable the robot, which is explicitly prohibited.

## §G — The single-operator reality and the road to independence

Today I am the president of both RES and GRRC. There is currently a single operator, with the intent to incorporate RES and GRRC as two separate legal entities. As Owner, I maintain full dominion over the robot, its knowledge, and its attributes; a GRRC certification, by contrast, is issued by the certifier and is not owned or controlled by the Owner.

GRRC is intended to operate as a genuinely independent certification body. Institutional independence is not yet achieved. The current reality is a single-operator exception that is explicitly acknowledged and will be phased out.

Cryptographic separation is enforced today: the robot will only accept a clearance signed by a dedicated certifier key that is cryptographically distinct from any owner key. This makes any attempt at self-clearing detectable and forbidden. However, cryptographic separation is not the same as institutional independence. The latter requires a distinct legal entity with separate operational control and key custody — a state the system is designed to reach but has not yet reached.

Independence, as used in this charter and the whitepaper, will mean at minimum a distinct legal entity operating GRRC with separate key custody, such that the certifier can be told "no" by the parties it judges and can survive doing so. Full institutional separation — a distinct legal entity operating GRRC with separate operational control and key custody — will be in place before GRRC certifies any robot publicly or for a genuine third-party customer. Internal friends-and-family beta testing does not meet that threshold, including any token fee charged solely to validate that payment processing works.

## §H — The cert lifecycle, in plain terms

A GRRC clearance is tied to one specific self-de-certification event on one specific robot for the specific fault being cleared. This binding prevents replay or reuse against a different robot or a later shutdown of the same robot.

Clearances have a default lifetime of 1 year (365 days). This lifetime is recorded as stamped intent on each clearance. Automatic expiry enforcement against the robot's clock is deferred to later GRRC-milestone work.

The certifier key is held in a separated vault, distinct from all RES production keys and general owner keys. It is never an owner key.

Revocation is performed by removing the compromised or retired key-id from the robot's trusted-anchor list. This immediately invalidates all clearances signed under that key. A richer revocation transport is deferred to a later GRRC-milestone build.

A robot resumes operation only when it observes a logbook event that meets all four of the following conditions:

1. The event is signed by the certifier against the embedded trust anchor.
2. The clearance is bound to the specific self-de-cert it supersedes.
3. The clearance is within its valid lifetime.
4. It is the most recent valid certification-relevant event in the logbook.

## §I — What is deferred, stated honestly

GRRC does not yet have everything it will eventually need. The following are explicitly deferred or not yet achieved:

- The public verification API that would allow a non-expert to easily check certification status (see §E).
- Hardware-root attestation.
- Full institutional independence — today a single operator oversees both RES and GRRC, with the stated intent to separate into distinct legal entities (see §G).
- A named operator or parent company — GRRC remains an abstract role identified by key-id (see §A).
- Automatic expiry enforcement against the robot's clock — the 1-year lifetime is currently recorded as stamped intent only (see §H).
- A richer revocation transport (such as CRL or OCSP-style mechanisms) — revocation is currently performed by removing the key-id anchor (see §H).
- Broader certification scope — full Law-catalog conformance, specific rulebook-version binding, and defined test batteries are not claimed (see §C).

Stating these gaps plainly and without euphemism is deliberate. A trust body that implied completeness where none exists would repeat the self-certification error the whitepaper criticizes. GRRC names what it does not yet do so its claims remain bounded, honest, and credible.

## §J — Additional commitments

The four conditions set out in this charter (independent, owner-defined, verifiable, and never safety-disabling) constitute GRRC's complete commitment set as of v1.0.

Additional commitments remain under consideration and will be evaluated following external review, demonstration, and operational experience. §J is reserved and revisable.

---

*End of the GRRC Charter v1.0.*
