Write-only governance, with a boundary that holds.
The Vault is the single sanctioned write surface for governed agents. Everything else is read-only unless a Codex warrant grants temporary, audited mutation rights.
| Write target | Policy | Notes |
|---|---|---|
| Vault notes / governed knowledge base | allow | Primary write target. Append-only with audit. |
| Audit ledger (signed receipts) | allow | Hash-chained, Ed25519 signed, no UPDATE/DELETE. |
| Scratch / /tmp working dir | allow | Ephemeral, scoped to a single warrant. |
| Operator-approved staged changes | allow | Requires Codex warrant + operator co-sign. |
| Source code outside Vault | deny | Cerberus halts. No unilateral self-modification. |
| Constitutional anchors / Codex policies | deny | Codex-only. Kernel cannot rewrite the rule that binds it. |
| Auth / RLS / signing keys | deny | Out of write scope. Rotation requires manual operator action. |
| Anything in Supabase reserved schemas | deny | Auth/storage/realtime/vault are off-limits to the agent. |
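As an added illustration (not code from the page's repository), the two mechanisms the table combines, written in Go: a default-deny write-scope decision over path prefixes, and the append-only receipt ledger, hash-chained and Ed25519 signed, whose Verify fails on any in-place edit or deleted entry. The path prefixes and the all-zero signing seed are assumptions made up for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)
// Write-scope rules from the governance table; first match wins and anything unlisted is denied.
var policy = []struct{ prefix, decision string }{
	{"src/", "deny"}, {"codex/", "deny"}, {"auth/", "deny"}, {"supabase/", "deny"},
	{"vault/", "allow"}, {"ledger/", "allow"}, {"tmp/", "allow"}, {"staged/", "allow"},
}
// Constructed all-zero seed keeps the example deterministic; a real key is operator-rotated and out of write scope.
var signKey = ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
var verifyKey = signKey.Public().(ed25519.PublicKey)
// Receipt is one ledger entry: hash-chained to its predecessor and Ed25519 signed.
type Receipt struct{ Path, Decision, PrevHash, Hash string; Sig []byte }
// Ledger offers only Append and Verify (no update, no delete); Verify catches edits made behind its back.
type Ledger []Receipt
// Decide classifies a write target against the policy table (default-deny).
func Decide(path string) string {
	for _, rule := range policy {
		if strings.HasPrefix(path, rule.prefix) { return rule.decision }
	}
	return "deny"
}
func digest(r Receipt) string {
	sum := sha256.Sum256([]byte(r.Path + "|" + r.Decision + "|" + r.PrevHash))
	return hex.EncodeToString(sum[:])
}
// Append records a decision: the hash covers PrevHash (the chain link) and the signature covers the hash.
func (l *Ledger) Append(path string) Receipt {
	r := Receipt{Path: path, Decision: Decide(path)}
	if n := len(*l); n > 0 { r.PrevHash = (*l)[n-1].Hash }
	r.Hash = digest(r)
	r.Sig = ed25519.Sign(signKey, []byte(r.Hash))
	*l = append(*l, r)
	return r
}
// Verify walks the chain: link, recomputed hash and signature must all hold for every receipt.
func (l Ledger) Verify() bool {
	prev := ""
	for _, r := range l {
		if r.PrevHash != prev || r.Hash != digest(r) || !ed25519.Verify(verifyKey, []byte(r.Hash), r.Sig) { return false }
		prev = r.Hash
	}
	return true
}
```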
Active Resistance Language — before / armor / agent
A real artifact of write-boundary doctrine. The clean module is backed up, the armored variant adds frame-inspection guards, and a separate protector agent applies hardening — never inside the kernel.
- Before: Snapshot before TARL armor was applied. Persona, memory, learning requests, plugins, command overrides: all vanilla.
- Armor: Same module, prefixed with _tarl_buff_check frame inspection and a shield-bypass detector before any logic runs.
- Agent: Strategic Code Protection Agent: runtime access control, identifier morphing, input validation, execution monitoring. Coordinates with Cerberus and Codex.
Hardening lives outside the kernel boundary. The kernel never self-modifies; the protector writes only into the Vault surface and emits audited events.
Source files in the snapshot
AGENTS.md — Vault-Only Write Governance. This repository allows broad read access for coding agents/IDE copilots, while restricting where they may write by default. Intent: Enable multiple copilots/agen…