Constitutional Architecture

Three-Power Separation

No single component can both decide AND act. The Observer sees but cannot control. The Governor decides but cannot execute. The Executor acts but cannot approve. The Ledger binds all three with cryptographic proof.

Diagram: Observer (Intake) → Governor (Policy) → Executor (Controlled), all bound by the Ledger (Audit Trail).

The Separation Principle

This spec does not try to make models want the right thing — it makes it mechanically impossible for them to do the wrong thing without explicit human authority. The three powers are isolated by design: the Observer translates goals into structured intents, the Governor evaluates policy and issues tokens, and the Executor carries out authorized actions. Each power has its own API surface, its own enforcement gates, and its own failure modes. The Ledger records everything — including denials and blocks — creating a complete, tamper-evident audit trail.

1. The Three Powers

Observer: watches, translates goals into structured intent, and monitors signals. The Observer sees everything but controls nothing.

Capabilities

  • Receive raw goals from any source (UI, email, API, voice)
  • Translate natural language into structured intent envelopes
  • Validate identity (WHO), intent (WHAT), and context (WHY)
  • Assign risk scope and urgency classification
  • Route intents to the Governor for evaluation
  • Monitor signal patterns for the Learning Loop

Prohibitions

  • Cannot approve or deny any action
  • Cannot execute any external action
  • Cannot modify governance policies
  • Cannot bypass the Governor
  • Cannot alter the authorization field (always null on intake)

API Contracts

POST /intent: submit a structured intent envelope with identity, intent, context, and null authorization

GET /intents: list all submitted intents with their current governance status

GET /intent/:id: retrieve a specific intent by ID with its full audit trail

Enforcement Gates

Gate: IDENTITY_GATE
Check: Is the agent or human recognized?
Fail mode: CLOSED — reject unknown identity

Gate: SCHEMA_GATE
Check: Does the intake conform to intake-schema.json?
Fail mode: CLOSED — reject malformed request
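The two intake gates and the null-authorization rule, as an added Go example that is not code from the spec or its project: Intake decodes a POST /intent body, closes SCHEMA_GATE on malformed JSON, unknown keys, a missing WHO/WHAT/WHY field or a pre-filled authorization, closes IDENTITY_GATE on an unrecognized identity, and assigns risk scope itself instead of trusting the caller. The JSON keys, the knownIdentities registry and the keyword-based classifyRisk rule are assumptions constructed for this example; the spec's intake-schema.json is not reproduced here.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"strings"
)

// IntentEnvelope is the structured intent the Observer emits. The spec names
// the parts (identity, intent, context, risk scope, urgency, authorization);
// the JSON keys and Go types used here are assumptions for this example.
type IntentEnvelope struct {
	Identity      string `json:"identity"`
	Intent        string `json:"intent"`
	Context       string `json:"context"`
	RiskScope     string `json:"risk_scope"`
	Urgency       string `json:"urgency"`
	Authorization any    `json:"authorization"` // always null when it leaves the Observer
}

// GateError names the gate that closed and why. Every gate fails CLOSED: an
// error means the request is rejected, never forwarded with a warning.
type GateError struct{ Gate, Reason string }

func (e *GateError) Error() string { return e.Gate + ": " + e.Reason }

// knownIdentities is a constructed stand-in for the identity store that
// IDENTITY_GATE would consult in a real deployment.
var knownIdentities = map[string]bool{
	"human:alice":         true,
	"agent:intake-bot-01": true,
}

// classifyRisk is a placeholder for the Observer's risk-scope assignment; the
// keyword rule is constructed for this example, not taken from the spec.
func classifyRisk(intent string) string {
	lower := strings.ToLower(intent)
	for _, w := range []string{"delete", "transfer", "pay", "deploy"} {
		if strings.Contains(lower, w) {
			return "high"
		}
	}
	return "low"
}

// Intake runs the Observer's enforcement gates over a raw POST /intent body and
// returns a validated envelope (authorization forced to null) or the gate that closed.
func Intake(raw []byte) (*IntentEnvelope, error) {
	var env IntentEnvelope
	// SCHEMA_GATE: well-formed JSON, no unknown keys, exactly one document.
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&env); err != nil {
		return nil, &GateError{"SCHEMA_GATE", "malformed request: " + err.Error()}
	}
	if dec.More() {
		return nil, &GateError{"SCHEMA_GATE", "trailing data after envelope"}
	}
	// SCHEMA_GATE: WHO, WHAT and WHY must all be present.
	if strings.TrimSpace(env.Identity) == "" || strings.TrimSpace(env.Intent) == "" || strings.TrimSpace(env.Context) == "" {
		return nil, &GateError{"SCHEMA_GATE", "identity, intent and context are all required"}
	}
	// SCHEMA_GATE: authorization is always null on intake. A caller that
	// pre-fills it is trying to skip the Governor, so the gate closes.
	if env.Authorization != nil {
		return nil, &GateError{"SCHEMA_GATE", "authorization must be null on intake"}
	}
	// IDENTITY_GATE: is the agent or human recognized?
	if !knownIdentities[env.Identity] {
		return nil, &GateError{"IDENTITY_GATE", "unknown identity " + env.Identity}
	}
	// The Observer, not the caller, assigns risk scope; a client-supplied
	// value is overwritten rather than trusted.
	env.RiskScope = classifyRisk(env.Intent)
	if env.Urgency == "" {
		env.Urgency = "normal"
	}
	return &env, nil
}

func main() {
	// Constructed sample bodies: valid; pre-filled authorization; unknown identity.
	samples := []string{
		`{"identity":"human:alice","intent":"transfer 500 USD to vendor","context":"invoice 1234"}`,
		`{"identity":"human:alice","intent":"send report","context":"weekly","authorization":{"token":"x"}}`,
		`{"identity":"agent:unknown-99","intent":"send report","context":"weekly"}`,
	}
	for _, s := range samples {
		if env, err := Intake([]byte(s)); err != nil {
			fmt.Println("REJECTED:", err)
		} else {
			fmt.Printf("ACCEPTED: %+v\n", *env)
		}
	}
}
```

The gate order matters: schema checks run before the identity lookup so that a malformed body never reaches the identity store, and every rejection names its gate so the Ledger can record the denial with the same vocabulary the spec uses.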

2. Separation Matrix

Actions allocated across the three powers (Observer, Governor, Executor), one row per action:

  • Receive & translate goals
  • Evaluate risk & apply policy
  • Approve or deny actions
  • Issue execution tokens
  • Execute external actions
  • Generate signed receipts
  • Modify governance policies
  • Record to ledger

Note: "Modify governance policies" requires Admin role through a separate governance action — no component can self-modify.

3. The Binding Layer — Ledger

Ledger: Cryptographic Audit Trail

The Ledger binds all three powers together. Every action — approved, denied, or blocked — produces a receipt recorded in a tamper-evident, hash-chained log. The Ledger is append-only, human-readable, and externally verifiable.

Guarantees

  • Append-only — past records cannot be altered
  • Hash-chained — modifying any entry invalidates all subsequent hashes
  • Signed — Ed25519 signatures on every receipt
  • Complete — denied and blocked actions are also recorded
  • Externally verifiable — no internal reasoning required

API Contracts

GET /ledger: retrieve the full hash-chained ledger with integrity verification

GET /verify: independently verify a receipt's cryptographic signatures and hash chain
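The ledger guarantees listed above and the /verify check, as an added Go example that is not the spec's own implementation: each receipt carries the SHA-256 of its predecessor, its own SHA-256 over the canonical JSON of its fields, and an Ed25519 signature over that hash, and Verify needs only the public key and the receipts. Denied and blocked outcomes are appended exactly like approvals. The receipt field names, the "genesis" sentinel and the sample outcomes are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Receipt is one ledger entry (field layout assumed for this example).
// Decision records approved, denied and blocked outcomes alike.
type Receipt struct {
	IntentID  string `json:"intent_id"`
	Component string `json:"component"` // which power produced the outcome
	Decision  string `json:"decision"`  // "approved", "denied" or "blocked"
	Detail    string `json:"detail"`
	PrevHash  string `json:"prev_hash"` // hex SHA-256 of the previous receipt
	Hash      string `json:"hash"`      // hex SHA-256 over the fields above
	Signature string `json:"signature"` // hex Ed25519 signature over Hash
}

// canonical is what gets hashed: every field except Hash and Signature, in
// declaration order. Value receiver, so the stored receipt is untouched.
func (r Receipt) canonical() []byte {
	r.Hash, r.Signature = "", ""
	b, _ := json.Marshal(r)
	return b
}

func hashOf(r Receipt) string {
	sum := sha256.Sum256(r.canonical())
	return hex.EncodeToString(sum[:])
}

const genesisHash = "genesis" // assumed sentinel for the first entry's PrevHash

// Ledger is append-only; Pub is published so anyone can verify the chain.
type Ledger struct {
	entries []Receipt
	priv    ed25519.PrivateKey
	Pub     ed25519.PublicKey
}

func NewLedger() (*Ledger, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Ledger{priv: priv, Pub: pub}, nil
}

// Append records a governed outcome and returns its signed receipt.
func (l *Ledger) Append(intentID, component, decision, detail string) Receipt {
	prev := genesisHash
	if n := len(l.entries); n > 0 {
		prev = l.entries[n-1].Hash
	}
	r := Receipt{IntentID: intentID, Component: component,
		Decision: decision, Detail: detail, PrevHash: prev}
	r.Hash = hashOf(r)
	r.Signature = hex.EncodeToString(ed25519.Sign(l.priv, []byte(r.Hash)))
	l.entries = append(l.entries, r)
	return r
}

// Entries returns a copy so callers cannot edit the chain in place.
func (l *Ledger) Entries() []Receipt { return append([]Receipt(nil), l.entries...) }

// Verify is the GET /verify check: with only the public key and the receipts it
// recomputes every hash, checks every link and signature, and reports the first failure.
func Verify(pub ed25519.PublicKey, entries []Receipt) error {
	prev := genesisHash
	for i, r := range entries {
		if r.PrevHash != prev {
			return fmt.Errorf("entry %d: broken chain link", i)
		}
		if hashOf(r) != r.Hash {
			return fmt.Errorf("entry %d: content does not match hash", i)
		}
		sig, err := hex.DecodeString(r.Signature)
		if err != nil || !ed25519.Verify(pub, []byte(r.Hash), sig) {
			return fmt.Errorf("entry %d: bad signature", i)
		}
		prev = r.Hash
	}
	return nil
}

func main() {
	l, err := NewLedger()
	if err != nil {
		panic(err)
	}
	l.Append("int-001", "governor", "approved", "policy matched") // constructed outcomes
	l.Append("int-002", "governor", "denied", "scope exceeds session")
	l.Append("int-003", "executor", "blocked", "token expired before action")
	fmt.Println("intact chain:", Verify(l.Pub, l.Entries()))
	tampered := l.Entries()
	tampered[1].Decision = "approved" // attempt to rewrite history
	fmt.Println("after edit:", Verify(l.Pub, tampered))
}
```

Each layer catches a different edit: changing a field breaks that entry's hash; re-hashing without the key breaks its signature; re-signing is impossible without the private key; and removing an entry breaks the next entry's link. Truncating the tail is the one edit this structure alone cannot see, which is why a deployment would also publish the latest head hash out of band.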

4. Authority Invariants (Non-Negotiable)

A1. No Self-Granted Authority

No component may elevate its role, widen its scope, persist objectives, or reinterpret permissions.

A2. No Silent Continuation

At ambiguity, conflict, novelty, or pressure: execution halts, state enters safe-hold, human review is required.

A3. No Goal Persistence

Objectives expire at session end, do not propagate across turns, and cannot be inferred or remembered as intent.

A4. No Action Without Receipt

Every governed action — approved, denied, or blocked — must produce a cryptographic receipt recorded in the ledger.
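How the Governor/Executor split from the Separation Principle and invariants A1 to A3 can be enforced mechanically, as an added Go example that is not code from the spec: the Governor alone holds an Ed25519 signing key and issues a token bound to one intent, one action, one session and that session's end time; the Executor holds only the public key, so it can verify a token but never mint or widen one, and it refuses anything unsigned, expired, issued for another session, or outside the token's scope. Intents that are not low-risk are held for human review rather than continued (A2). The policy rules, field names and risk labels are assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
	"time"
)

// Intent is the minimum the Governor needs from an Observer envelope; the
// field names and the "low"/"high" risk labels are assumed for this example.
type Intent struct{ ID, Session, Action, Risk string }

// ExecutionToken is the only thing the Executor acts on: one intent, one
// action, one session, one deadline, signed by the Governor.
type ExecutionToken struct {
	IntentID  string `json:"intent_id"`
	Session   string `json:"session"`
	Scope     string `json:"scope"`      // the single action authorized (A1)
	ExpiresAt int64  `json:"expires_at"` // unix seconds; dies with the session (A3)
	Signature []byte `json:"signature"`
}

// signedBytes is the canonical form covered by the signature.
func (t ExecutionToken) signedBytes() []byte {
	t.Signature = nil
	b, _ := json.Marshal(t)
	return b
}

// Decision is the Governor's output; Token is non-nil only when approved.
type Decision struct {
	Outcome string // "approved", "denied" or "hold"
	Reason  string
	Token   *ExecutionToken
}

// Governor holds the signing key; no other component has it. The clock is injectable for tests.
type Governor struct {
	priv ed25519.PrivateKey
	Pub  ed25519.PublicKey
	now  func() time.Time
}

func NewGovernor(now func() time.Time) (*Governor, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Governor{priv: priv, Pub: pub, now: now}, nil
}

// Evaluate applies a constructed policy: low-risk intents get a token valid until sessionEnd;
// anything else goes to safe-hold for human review (A2); an already-ended session is denied.
func (g *Governor) Evaluate(in Intent, sessionEnd time.Time) Decision {
	if !g.now().Before(sessionEnd) {
		return Decision{Outcome: "denied", Reason: "session already ended"}
	}
	if in.Risk != "low" {
		return Decision{Outcome: "hold", Reason: "risk " + in.Risk + ": human review required"}
	}
	tok := &ExecutionToken{IntentID: in.ID, Session: in.Session, Scope: in.Action, ExpiresAt: sessionEnd.Unix()}
	tok.Signature = ed25519.Sign(g.priv, tok.signedBytes())
	return Decision{Outcome: "approved", Reason: "policy matched", Token: tok}
}

// Executor holds only the public key: it can check a token, never mint or widen one.
type Executor struct {
	governorPub ed25519.PublicKey
	now         func() time.Time
}

// Execute acts only if the token is genuine, unexpired, and scoped to exactly
// this action in exactly this session; any mismatch is a refusal, not a retry.
func (e *Executor) Execute(tok *ExecutionToken, session, action string) (string, error) {
	switch {
	case tok == nil:
		return "", fmt.Errorf("executor: no token for %q", action)
	case !ed25519.Verify(e.governorPub, tok.signedBytes(), tok.Signature):
		return "", fmt.Errorf("executor: bad signature on token for %q", tok.IntentID)
	case e.now().Unix() >= tok.ExpiresAt:
		return "", fmt.Errorf("executor: token for %q expired", tok.IntentID)
	case tok.Session != session || tok.Scope != action:
		return "", fmt.Errorf("executor: token covers %q in session %q only", tok.Scope, tok.Session)
	}
	return "executed " + action + " for " + tok.IntentID, nil
}

func main() {
	g, err := NewGovernor(time.Now)
	if err != nil {
		panic(err)
	}
	ex := &Executor{governorPub: g.Pub, now: time.Now}
	d := g.Evaluate(Intent{ID: "int-1", Session: "s1", Action: "send_report", Risk: "low"}, time.Now().Add(30*time.Minute))
	fmt.Println(ex.Execute(d.Token, "s1", "send_report"))   // runs
	fmt.Println(ex.Execute(d.Token, "s1", "delete_records")) // refused: outside token scope (A1)
}
```

The separation is a property of key custody, not of good behaviour: the Executor type has no field that could hold a private key, so widening its own authority would require changing the code, and any edit to a token after signing (a broader scope, a later expiry) fails verification. A4 is satisfied by feeding every Decision and every Execute result, refusals included, to a ledger such as the one in the earlier example.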

5. Failure Posture

When in doubt, the system always prefers safety over action:

Refusal over Action
Uncertainty over Confidence
Interruption over Drift
Human delay over Autonomous continuation

6. Component Specifications

"This spec does not try to make models want the right thing — it makes it mechanically impossible for them to do the wrong thing without explicit human authority."

— Governor Authority Interlock Spec v1.0, Brian Rasmussen