agent@cyberware:~$

$ The agent proposes. The engine governs. Nothing executable crosses the wire.

Free up to the gate; accountable past it. Your agent's loop stays wide open to imagine — governance applies only at the moment of commitment, when it touches money, production, or another system. This isn't a cage. It's the thing that lets you trust an agent with consequence.

session · agent-loop

Free up to the gate; accountable past it.

git clone the engine read docs/SPEC.md explore the registry
v1.1 · building in the open · MIT-licensed chip
02 / why a gate and not a wall

Governance that slows the agent everywhere is just friction wearing a badge.

cyberware governs at one place — the point of commitment — and leaves the rest free. The agent's job is to imagine the not-yet-real. Ours is to make it safe to let that imagination touch the real. We don't review your agent's thoughts. We govern its commitments — and only its commitments.

A framework that makes the imaginable real — not a cage that limits imagination.

left · the open loop
right · the single gate

Governance here is ENABLEMENT. It is what makes a powerful agent trustworthy enough to actually use.

03 / how it governs — the value-free plan

The governor blesses a plan that carries no code and no secrets.

The agent sends govd a CLAIM — skill, perk, variable KEYS — never values, never files, never secrets, never code. govd checks it against ITS OWN trusted registry, model-checks the workflow, and blesses a PLAN: a tool sequence plus each snippet's sha256 plus a ${VAR} wrapper. The agent binds its secrets locally and runs the steps from its own verified registry.

wire · only a hash crosses

agent

CLAIM → govd
skill: cws-deploy
perk: serve
vars: [CONTEXT_DIR, TOKEN_FILE] # keys only

govd

checks own registry ✓
model-checks workflow ✓
BLESS → plan
tool seq + sha256 + ${VAR}

Nothing executable ever crosses the wire — so there's nothing on the wire to steal, and nothing to trust.

04 / what runs is what was blessed

Identity is the hash of the parts.

Every skill, every file, and the whole chip are content-addressed with sha256; a name-validated resolver and an untracked-file gate close the seams. Change any block and the skill's sha changes — so what executes is provably what the engine blessed. There is no “trust me”; there is only the hash that matches, or doesn't.

authenticity · file → sha256 → chip_sha
skill.mdsha256:3b1e…7c
run.py   → sha256:9af2…04
contract.jsonsha256:c0de…11
↳ rolls up to skill_sha: 71aa…e3
↳ rolls up to chip_sha:  d4f0…9b
running hash vs blessed hash → ✓ MATCH

A name-validated resolver + an untracked-file gate close the supply-chain seams — what runs is provably what was blessed.

05 / contracts + model-checked blueprints

Proven, not promised.

Every capability declares typed inputs and outputs; every workflow blueprint is proven deadlock-free by THREE independent provers — TLC, Apalache, and TLAPS. A contract is enforced at execution, not in a README. A deadlock isn't a bug we hope to catch in prod — it's a state the math says can't be reached.

contract · typed I/O
inputs: { host: str, artifact: sha256 }
outputs: { status: enum, receipt: sha256 }
checks: non-empty · typed · revocation-clear
# enforced at execution, not in prose
blueprint · proven deadlock-free
Workflow blueprint, model-checked A four-state machine — ready, prepared, verified, executed — swept and stamped deadlock-free. ready prepared verified executed DEADLOCK-FREE · TLC ✓ APALACHE ✓ TLAPS ✓
·TLC ·Apalache ·TLAPS
⛓ DEADLOCK-FREE — checked before a single line runs

A blueprint is checked by three independent provers before a single line runs. This is the section that earns the word verifiable.

06 / the security ladder — SV-1 to SV-6

Defense isn't a setting — it's a ladder, and each rung is independently checkable.

SV-1
Protocol & canonical hashingRFC-8785 canonicalization — one bytes-exact form everything hashes from.
SV-2
Tamper-evident hash-chained ledgerA provenance chain — skip a step and you leave a visible hole.
SV-3
Kernel-enforced execution boundary (9/10)A bubblewrap sandbox under a separate OS principal, exod, whose Ed25519 signature is the only status the ledger trusts. Refusals hold even with the in-process scanner switched off.# the boundary is the kernel + a signature, not a scanner. The one open brick is the microVM perf tier, which reports skipped where /dev/kvm is absent — never faked.
SV-4
Signed, transparency-logged releases + revocationReleases are signed and logged; a compromised build can be revoked.
SV-5
Model-checking across the three-prover stackWorkflow blueprints proven deadlock-free by TLC, Apalache, and TLAPS.
SV-6
Settlement layer (future)A future settlement plane where attested work CAN be paid — billed on the meter the isolated principal signed, never the agent's stopwatch.

A research build climbing in the open. The boundary is the kernel and a signature.

07 / the ouroboros — building is running

We dogfood our own governance: cyberware is built through cyberware.

cyberware grades its OWN engine on every build. The pipeline is itself written as an L++ blueprint and model-checked; authenticity is re-verified; the gates are mutation-tested. Once a bug-class is caught, it becomes a standing gate — it can never silently return.

build.log · the engine against itself
↻ blueprint: pipeline.l++ → model-checked ✓ ↻ authenticity: chip_sha re-verified ✓ ↻ gates: mutation-tested ✓ ↻ bug-class caught → hardened into a standing gate

Every build is a run of the engine against itself — so “it works” isn't a claim, it's the last line of the build log. Building is running.

08 / the cartridge — a swappable skillChip

One engine, any cartridge.

Skills aren't baked into the engine — they're a swappable registry, the skillChip, vendored as its own MIT-licensed repo. The root manifest (index.json / chip_sha) is the authoritative load set. Compile a single-skill chip or merge skills from many sources — point $CYBERWARE_SKILLCHIP elsewhere and the same governance governs a different feed-stock, unchanged.

console · seating the chip
▢ CARTRIDGE SLOT ▢
skillChip · index.json
chip_sha: d4f0…9b
engine reads registry.SKILLCHIP · refuses to boot if it drifts
cws/
general/
nvidia/ (future)
claude/ (future)

The engine is the law; the chip is the content.

09 / the agent economy — why software thrives

Agents don't replace software. They become its newest customer.

The lever changes hands — from a human in a UI to a program under contract — but the proven machinery behind it (solvers, numerics, a decade of edge-case polish) is exactly what an agent can't improvise and must consume. More agents means more usage: the shift isn't away from software, it's software gaining a programmatic consumer.

So a vendor's skillChip becomes a third product surface — past the UI (for humans) and the API (for developers): the blessed, correct, metered way an agent may use the software. Selling to agents takes three things no raw API gives you — and they're exactly what the governance layer supplies:

what you sell to an agent
$ correct-by-construction usage # the vendor's blessed steps, not the agent's guess
$ ledgerable traceback # provably who ran what, hash-chained
$ metered pricing # billed on the meter the isolated principal signed

Democratizing skill use concentrates value in skill authorship: whoever encodes the correct, validated way to run the solver becomes the scarce, paid party — paid per use through skill lineage. Professionals don't get cheaper; their value moves from doing the thing to authoring the blessed way of doing it.

Software stops being something humans operate and becomes something agents consume under contract — and the contract layer is the business.

10 / get the engine
agent@cyberware:~$

$ The agent proposes. The engine governs. You stay free up to the gate — and trusted past it.

github.com/rhCat/cyberware
$ ls docs/