-
-

+
+

Defence in Depth

+

+ Behavioral training shapes tendency. Structural enforcement constrains capability. Human oversight provides cultural context. Three layers, complementary, each compensating for the others' weaknesses. +

@@ -125,30 +100,19 @@
1
-

-

+

Behavioral Training

+

Shapes model tendency toward governed behavior

-
-
- - -
-
- - -
-
- - -
-
-
+

+ Training reduces boundary violations at source, before runtime enforcement is needed. The model cooperates with governance rather than fighting it. But training alone can be bypassed by adversarial prompts and degrades under context pressure. +

+
- Known limitation: + Can be bypassed by adversarial prompts; degrades under context pressure
- + Planned
@@ -157,30 +121,19 @@
2
-

-

+

Structural Enforcement

+

External constraints that cannot be bypassed by prompting

-
-
- - -
-
- - -
-
- - -
-
-
+

+ Six governance services operate outside the AI runtime, plus Guardian Agents verifying every response through mathematical similarity rather than generative checking. Immutable audit trails stored independently. Catches what training misses. +

+
- Known limitation: + Cannot prevent all failure modes; adds runtime overhead
- + In Production
@@ -189,78 +142,121 @@
3
-

-

+

Human Oversight & Tenant Governance

+

Constitutional rules, cultural traditions, and human escalation

-
-
- - -
-
- - -
-
- - -
-
-
+

+ Communities set their own governance rules through Tractatus traditions. Context-aware and culturally appropriate. Humans hold final authority on values decisions. AI facilitates, never decides. +

+
- Known limitation: + Cannot scale to every interaction; depends on human engagement
- + Framework Complete
-
-
+
- "" + "Training can make a model likely to behave well; only architecture can make it structurally harder to behave badly."
-

-

+

Governance During Training, Tractatus Research

+
- -
-

-

-
-
-

-

-

+ +
+
+
+ DEPLOYED — MARCH 2026 +

Guardian Agents

+

+ Verification without common-mode failure. The watcher is not another speaker — it is a measuring instrument. +

+
+ +
+

+ The fundamental problem with using one AI to verify another: both systems share the same epistemic domain. A generative model checking a generative model is susceptible to the same categories of failure. Guardian Agents resolve this by operating in a fundamentally different domain. +

+ + +
+
+
+
+ 1 +
+

Source Analysis

+
+

Identify factual claims in the AI response and locate candidate source material from the community's own content.

+
+
+
+
+ 2 +
+

Embedding Similarity

+
+

Cosine similarity between claim embeddings and source embeddings. Mathematical measurement, not interpretation. Not susceptible to hallucination.

+
+
+
+
+ 3 +
+

Confidence Scoring

+
+

Each claim receives a confidence badge (high, medium, low, unverified) visible to the user. Transparency by default.

+
+
+
+
+ 4 +
+

Adaptive Learning

+
+

Moderator corrections feed back into verification thresholds. The system learns from the community's own quality judgments.

+
-
-

-

-

+ + +
+

Philosophical Foundations

+

+ These architectural choices are philosophical commitments that demanded specific engineering responses. +

+
+
+

Wittgenstein

+

Language games require external criteria. AI cannot verify its own meaning.

+
+
+

Isaiah Berlin

+

Value pluralism. No single optimisation function captures what communities value.

+
+
+

Elinor Ostrom

+

Polycentric governance. Communities govern their own commons effectively.

+
+
+

Te Ao Māori

+

Kaitiakitanga. Guardianship implies obligation to the governed, not authority over them.

+
+
-
-

-

-

-
-
-

-

-

-
-
-

-

-

-
-
-

-

-

+ +
+ + Read the Research Paper + + + See Production Architecture +
@@ -271,156 +267,96 @@

Five Architectural Principles

- These principles, adapted from Christopher Alexander's work on living systems, guide how Tractatus evolves and maintains coherence. They're not documentation—they're design criteria enforced architecturally. + Adapted from Christopher Alexander's work on living systems. These are design criteria enforced architecturally, not documentation.

- -
-
-
1
+ +
+
+
1
-

Not-Separateness: Governance in the Critical Path

-

Governance woven into deployment architecture, not bolted on

+

Not-Separateness

+

Governance in the critical path, not bolted on

-
-

- Tractatus governance services operate in the critical execution path—every action passes through validation before executing. This isn't monitoring after-the-fact, it's architectural enforcement that cannot be bypassed. -

-
-

Example: PreToolUse Hook

-

- When the AI attempts to edit a file, the PreToolUse hook intercepts before execution. BoundaryEnforcer, CrossReferenceValidator, and other services validate the action. If any service blocks, the edit does not proceed—the hook architecture prevents bypass without explicit override flags. -

-
-

- Contrast: Bolt-on compliance systems monitor actions after they occur, creating separation between governance and execution. An AI agent could theoretically disable monitoring or exploit gaps. Tractatus eliminates that separation. -

-
+

+ Every action passes through validation before executing. This is architectural enforcement — governance services intercept in the critical execution path, not as after-the-fact monitoring. Bypass requires explicit override flags, and every override is logged. +

- -
-
-
2
+ +
+
+
2
-

Deep Interlock: Services Reinforce Each Other

-

Coordinated governance, not isolated checks

+

Deep Interlock

+

Services reinforce each other

-
-

- The six governance services don't operate in silos—they coordinate through mutual validation. High context pressure intensifies boundary checking. Instruction persistence affects cross-reference validation. Service outputs feed into each other, creating resilience through redundancy. -

-
-

Example: The 27027 Incident

-

- AI attempted to use default database port despite HIGH persistence instruction specifying port 27027. InstructionPersistenceClassifier flagged the instruction. ContextPressureMonitor detected 53.5% pressure. CrossReferenceValidator caught the conflict. BoundaryEnforcer blocked the action. Four services working together prevented the error. -

-
-

- Why it matters: Single service bypass doesn't compromise governance. An attacker would need to circumvent multiple coordinated services simultaneously—exponentially harder than defeating isolated checks. -

-
+

+ Governance services coordinate through mutual validation. High context pressure intensifies boundary checking. Instruction persistence affects cross-reference validation. Compromising one service does not compromise governance — an attacker would need to circumvent multiple coordinated services simultaneously. +

- -
-
-
3
+ +
+
+
3
-

Gradients Not Binary: Nuanced Responses

-

Intensity levels, not yes/no switches

+

Gradients Not Binary

+

Intensity levels, not yes/no switches

-
-

- Governance operates on gradients: NORMAL → ELEVATED → HIGH → CRITICAL. Context pressure, security impact, and validation rigor all scale with intensity. This mirrors how living systems adapt—gradual responses, not mechanical on/off. -

-
-

Example: Context Pressure Monitoring

-

- At NORMAL pressure (0-25%), routine operations proceed smoothly. At ELEVATED (25-50%), validation becomes more thorough. At HIGH (50-75%), human review triggers more frequently. At CRITICAL (>75%), framework recommends session closedown. Graduated response prevents both alert fatigue and catastrophic failures. -

-
-

- Contrast: Binary "allowed/blocked" systems create brittleness—either everything passes or nothing does. Gradients enable natural adaptation to varying risk levels. -

-
+

+ Governance operates on gradients: NORMAL, ELEVATED, HIGH, CRITICAL. Context pressure, security impact, and validation rigor all scale with intensity. Graduated response prevents both alert fatigue and catastrophic failures. Living systems adapt gradually; mechanical systems snap. +

- -
-
-
4
+ +
+
+
4
-

Structure-Preserving: Audit Continuity

-

Changes enhance without breaking

+

Structure-Preserving

+

Changes enhance without breaking

-
-

- Framework changes must preserve wholeness—audit logs remain interpretable, decisions remain valid, institutional memory survives evolution. Version 4.2 logs are readable in version 4.4. Six-month-old audit decisions still make sense. Structure-preserving transformations maintain coherence across time. -

-
-

Example: Adding Framework Fade Detection

-

- When inst_064 (framework fade detection) was added, it monitored all six services without changing their core definitions. Pre-existing audit logs remained valid. Service behavior evolved, but historical decisions stayed interpretable. Enhancement without fracture. -

-
-

- Regulatory advantage: Regulators need stable audit trails. Structure-preserving evolution lets the framework adapt while maintaining compliance continuity—no need to re-interpret old decisions every version. -

-
+

+ Framework changes must preserve wholeness. Audit logs remain interpretable across versions. Historical decisions stay valid. New capabilities are added without invalidating existing governance records. Regulatory advantage: stable audit trails without re-interpreting old decisions every version. +

- -
-
-
5
+ +
+
+
5
-

Living Process: Evidence-Based Evolution

-

Grows from real failures, not theory

+

Living Process

+

Grows from real failures, not theory

-
-

- Framework changes emerge from observed reality, not predetermined plans. When services went unused, we added fade detection. When selective verification reduced noise, we evolved triggering criteria. Real operational experience drives evolution—no building solutions to theoretical problems. -

-
-

Example: MetacognitiveVerifier Selective Mode

-

- Audit logs showed MetacognitiveVerifier activating on trivial operations, creating noise. Rather than theorize about thresholds, we analyzed real trigger patterns. Selective mode emerged from data—verify only complex operations (3+ file modifications, 5+ sequential steps). Performance improved based on evidence, not guesswork. -

-
-

- Contrast: Over-engineered systems solve imagined problems. Living process builds only what reality proves necessary—lean, effective, grounded in operational truth. -

-
+

+ Framework changes emerge from observed reality, not predetermined plans. When services went unused, fade detection was added. When verification created noise, selective mode evolved from real trigger patterns. Evidence drives evolution, not guesswork. +

-

How the Five Principles Work Together

-
-

- These principles aren't independent—they form an interlocking pattern. Not-separateness requires deep interlock between services. Gradients enable natural adaptation. Living process drives changes that must be structure-preserving to maintain wholeness. -

-
-
-

Not-Separateness (governance in critical path)

-

↓ requires

-

Deep Interlock (services coordinate)

-

↓ enables

-

Gradients (nuanced responses)

-

↓ guided by

-

Living Process (evidence-based evolution)

-

↓ constrained by

-

Structure-Preserving (audit continuity)

-

-

System Wholeness

-
+

How the Five Principles Work Together

+
+
+

Not-Separateness (governance in critical path)

+

↓ requires

+

Deep Interlock (services coordinate)

+

↓ enables

+

Gradients (nuanced responses)

+

↓ guided by

+

Living Process (evidence-based evolution)

+

↓ constrained by

+

Structure-Preserving (audit continuity)

+

+

System Wholeness

@@ -430,9 +366,9 @@
-

-

- Tractatus works with any agentic AI system—Claude Code, LangChain, AutoGPT, CrewAI, or custom agents. The governance layer sits between your agent and its actions. +

Runtime-Agnostic Architecture

+

+ Tractatus works with any agentic AI system. The governance layer sits between your agent and its actions.

@@ -447,561 +383,16 @@
-

-

- Your AI agent (any platform). Handles planning, reasoning, tool use. Tractatus is agnostic to implementation. -

+

1. Agent Runtime

+

Your AI agent (any platform). Planning, reasoning, tool use. Tractatus is agnostic to implementation.

-

-

- Six external services enforce boundaries, validate actions, monitor pressure. Architecturally more difficult for AI to bypass. -

+

2. Governance Layer

+

Six services enforce boundaries, validate actions, monitor pressure. Guardian Agents verify every response. Architecturally harder for AI to bypass.

-

-

- Immutable audit logs, governance rules, instruction history. Independent of AI runtime—can't be altered by prompts. -

-
-
-
-
- - -
-
-
-
- PRIMARY RESEARCH DIRECTION -
-

Applied to Training: The Sovereign Language Model

-

- These five principles were developed governing AI agent sessions. The current research applies them to a harder problem: governing AI training itself. -

-
- -
-
-

Inference-Time Governance

-

Where the framework started: six services validate every AI action before execution.

-
    -
  • - - Response cannot reach user without governance validation -
    • -
  • - - Values decisions deferred to humans -
    • -
  • - - Audit trail for every decision -
    • -
-

Status: in production

-
- -
-

Training-Time Governance

-

Where the research is going: governance inside the training loop, not post-hoc filtering.

-
    -
  • - - BoundaryEnforcer validates every training batch before forward pass -
    • -
  • - - Cross-tenant data rejected at the training step, not after -
    • -
  • - - Consent verified per content item before inclusion -
    • -
-

Status: designed, documented, hardware ordered

-
-
- -
-

How the Five Principles Apply to Training

-
-
-
- 1 -
-

Not-Separateness: governance inside the training loop

-
-
-
- 2 -
-

Deep Interlock: BoundaryEnforcer + MetacognitiveVerifier coordinate during training

-
-
-
- 3 -
-

Gradients: training intensity scales with content sensitivity

-
-
-
- 4 -
-

Structure-Preserving: training preserves audit log interpretability

-
-
-
- 5 -
-

Living Process: training evolves from operational failures, not theory

-
-
-
- -
- - Read the Full Village AI Story → - -

- Two-model architecture, three training tiers, thirteen wisdom traditions, indigenous data sovereignty -

-
-
-
- - -
-
-
- INTERACTIVE EXPLORATION -
-

- See the Framework in Action -

-

- Explore 171,800+ real governance decisions from production deployment. - Filter by service, pressure level, and coordination patterns to understand how - Deep Interlock operates in practice. -

-
- - Launch Interactive Audit Explorer - - - For Researchers → - -
-

- Apache 2.0 licensed • All data anonymized • No sign-up required -

-
-
- - -
-
-

Six Governance Services

-

- These services implement the five principles in practice. Each service embodies not-separateness (operating in the critical path), deep interlock (coordinating with others), and gradients (intensity-based responses). -

-
- -
- -
-
-
- - - -
-

-
-

- Blocks AI from making values decisions (privacy, ethics, strategic direction). Requires human approval. -

-
- Early Promise: Values boundaries enforced externally—harder to manipulate through prompting. -
-
- -
-
-
- - - -
-

-
-

- Stores instructions externally with persistence levels (HIGH/MEDIUM/LOW). Aims to reduce directive fade. -

-
- Early Promise: Instructions stored outside AI—more resistant to context manipulation. -
-
- -
-
-
- - - -
-

-
-

- -

-
- Early Promise: Independent verification—AI claims checked against external source. -
-
- -
-
-
- - - -
-

-
-

- -

-
- Early Promise: Objective metrics may detect manipulation attempts early. -
-
- -
-
-
- - - -
-

-
-

- -

-
- Early Promise: Architectural gates aim to enforce verification steps. -
-
- -
-
-
- - - -
-

-
-

- -

-
- Early Promise: Human judgment required—architecturally enforced escalation for values. -
-
- -
-
- - -
-
-
-

-

- Click any service node or the central core to see detailed information about how governance works. -

-
-

- - - - -

-
-
- -
- -
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - B - BoundaryEnforcer - Click for details - - - - - - I - InstructionPersistenceClassifier - Click for details - - - - - - V - CrossReferenceValidator - Click for details - - - - - - P - ContextPressureMonitor - Click for details - - - - - - M - MetacognitiveVerifier - Click for details - - - - - - D - PluralisticDeliberationOrchestrator - Click for details - - - - - - - - T - Tractatus - Tractatus Core - Click to see how all services work together - - - - -
- - -
- -
- - - -

-

-
-
-
-
-
-
- - -
-
-

-

- Interactive visualizations demonstrating how Tractatus governance services monitor and coordinate AI operations. -

- -
- -
-
-
- - -
-
-
-
-
-
- - -
-
-

Two Implementations

-

- Tractatus has been applied in two contexts: governing an AI development agent, and governing a sovereign locally-trained language model. -

- -
- -
-
-
- 1 -
-

Development Agent Governance

-
-

- The original implementation: six governance services operating in Claude Code's critical execution path. Every file edit, database query, and deployment action passes through validation. -

-

-
    -
  • - - -
    • -
  • - - -
    • -
  • - - -
    • -
-

-
- Village Case Study → -
-
- - -
-
-
- 2 -
-

Village AI: Sovereign Language Model

-
-

- The current research direction: applying all five architectural principles to model training, not just inference. BoundaryEnforcer operates inside the training loop. Three training tiers (platform, tenant, individual) with governance at each level. -

-
    -
  • - - Governance during training (Not-Separateness applied to optimisation) -
    • -
  • - - Two-model architecture (3B fast + 8B reasoning) under unified governance -
    • -
  • - - Per-tenant LoRA adapters with consent-verified training data -
    • -
  • - - Thirteen wisdom traditions available for Layer 3 adoption -
    • -
-

Status: inference in production; training pipeline designed, hardware ordered.

-
- Full Village AI Story → -
+

3. Persistent Storage

+

Immutable audit logs, governance rules, instruction history. Independent of AI runtime — cannot be altered by prompts.

@@ -1010,64 +401,51 @@
-

+

Limitations and Reality Check

-

- +

+ This is early-stage work. Promising results in production, but Tractatus has not been subjected to rigorous adversarial testing or red-team evaluation. +

-

-

+

We have real promise but this is still in early development stage. We have a long way to go and it will require a mammoth effort by developers in every part of the industry to tame AI effectively. This is just a start.

+

Project Lead, Tractatus Framework

-

+

Known Limitations:

  • - - + + No dedicated red-team testing. We don't know how well these boundaries hold up against determined adversarial attacks.
  • - - + + Small-scale validation. Production use on a single project. Needs multi-organisation replication.
  • - - + + Integration challenges. Retrofitting governance into existing systems requires significant engineering effort.
  • - - + + Performance at scale unknown. Multi-agent coordination untested.
  • - - + + Evolving threat landscape. As AI capabilities grow, new failure modes will emerge that current architecture may not address.
-

+

What We Need:

    -
  • - - -
    • -
  • - - -
    • -
  • - - -
    • -
  • - - -
    • -
  • - - -

    - +
  • Independent researchers to validate (or refute) our findings
    • +
  • Red-team evaluation to find weaknesses and bypass techniques
    • +
  • Multi-organisation pilot deployments across different domains
    • +
  • Industry-wide collaboration on governance standards
    • +
+ +

This framework is a starting point, not a finished solution. Taming AI will require sustained effort from the entire industry.

@@ -1075,36 +453,27 @@
-

-

+

Explore the Architecture

+

From Guardian Agents in production to the five principles drawn from living systems.

- Village AI → - - + Village AI + View Research + Documentation