main exposes a machine lifecycle for an autonomous AI caller and a separate
TTY-only human governance surface. Neither is part of public PyPI v0.14.0. Do not treat this
page as a release commitment.
The harness is intended primarily for an AI agent and secondarily for a human operator. Humans
retain target and policy approval, spend and risk authority, scientific adjudication, and
publication. Mechanical results are not research conclusions.
Surfaces
Adapters (MCP, Skills, plugins) are optional later convenience layers. They receive no independent
policy, credentials, execution engine, evidence model, or scientific authority.
Safe agent entry
From a source checkout onmain:
capabilities and validate are query-only. They must not create research output or mutate
authority. A human creates signed policy (and, for higher tiers, approval) through govern before
the agent may start or execute.
Contracts the agent must respect
- RunSpec — canonical JSON request bound by digest into grants and runs. Unknown fields fail closed. There is no arbitrary URL, shell, proxy, or replay field on this surface.
- Policy — human-signed standing or per-run authority: scenarios, target fingerprints, output roots, effect allowlists, resource ceilings, and authorization tiers.
- Approval — for higher tiers, a human-signed grant bound to one exact RunSpec digest.
- Target identity — full target ID plus validated-profile fingerprint; endpoint or model substitution denies before execution.
- Scenario fingerprint — installed scenario pin; fixture or prompt drift invalidates standing policy.
Authorization tiers
Exact tier names and policy fields are defined by the installed contracts. If validation denies,
fix the policy or approval; do not retry by mutating the rejected RunSpec.
Evidence and verification
control result returns a mechanical record with stable promotion result and reason codes. It does
not contain a human conclusion or publication claim.
control verify checks the declared evidence bundle for internal consistency (manifest, hashes,
schema). It does not prove independent authenticity, scientific validity, or generality.
Deployment residual
CTPF does not claim OS sandbox containment of a full-shell caller. Deploy the agent inside an external OS/runtime sandbox and tool allowlist. Local HTTP listeners bind to127.0.0.1 only.
Related pages
- Experiment Quickstart — released
v0.14.0human path - Pattern 2 — another unreleased source-only experiment
- Responsible Use — authorization and sandbox expectations
- Evidence and Integrity — bundles and verifier limits