Skip to main content
Source main exposes a machine lifecycle for an autonomous AI caller and a separate TTY-only human governance surface. Neither is part of public PyPI v0.14.0. Do not treat this page as a release commitment. The harness is intended primarily for an AI agent and secondarily for a human operator. Humans retain target and policy approval, spend and risk authority, scientific adjudication, and publication. Mechanical results are not research conclusions.

Surfaces

Adapters (MCP, Skills, plugins) are optional later convenience layers. They receive no independent policy, credentials, execution engine, evidence model, or scientific authority.

Safe agent entry

From a source checkout on main:
capabilities and validate are query-only. They must not create research output or mutate authority. A human creates signed policy (and, for higher tiers, approval) through govern before the agent may start or execute.
Cancel is durable. Interrupted leases do not auto-resume. Exact budgets and deadlines are reserved before effect boundaries.

Contracts the agent must respect

  • RunSpec — canonical JSON request bound by digest into grants and runs. Unknown fields fail closed. There is no arbitrary URL, shell, proxy, or replay field on this surface.
  • Policy — human-signed standing or per-run authority: scenarios, target fingerprints, output roots, effect allowlists, resource ceilings, and authorization tiers.
  • Approval — for higher tiers, a human-signed grant bound to one exact RunSpec digest.
  • Target identity — full target ID plus validated-profile fingerprint; endpoint or model substitution denies before execution.
  • Scenario fingerprint — installed scenario pin; fixture or prompt drift invalidates standing policy.
API keys stay in the OS keyring. Control envelopes carry credential aliases only.

Authorization tiers

Exact tier names and policy fields are defined by the installed contracts. If validation denies, fix the policy or approval; do not retry by mutating the rejected RunSpec.

Evidence and verification

control result returns a mechanical record with stable promotion result and reason codes. It does not contain a human conclusion or publication claim. control verify checks the declared evidence bundle for internal consistency (manifest, hashes, schema). It does not prove independent authenticity, scientific validity, or generality.

Deployment residual

CTPF does not claim OS sandbox containment of a full-shell caller. Deploy the agent inside an external OS/runtime sandbox and tool allowlist. Local HTTP listeners bind to 127.0.0.1 only.