Governed AI development. Standards, enforcement, and agent infrastructure for building software with AI agents inside auditable boundaries.
A finite, known circumference can contain infinite radii. The circumference is the governance layer — identity, permissions, review, enforcement. The radii are the agentic capabilities it safely enables. Define the boundary once. Build anything within it.
This repo contains the methodology, security controls, and agent configurations for governed AI agent development. Controls that exist only as documentation are not controls. Everything here either enforces a boundary or defines how to build within one.
Four layers. Each has exactly one job.
Layer 1: Infrastructure Contain, enforce, validate
Layer 2: Agents Infer, generate, select
Layer 3: Toolkit Execute deterministically, dual-write
Layer 4: Artifacts Record immutably
Infrastructure (OS, Seatbelt, pf, filesystem boundaries)
↓
Agents (Claude Code, Codex CLI — the agent runtime)
↓
Toolkit (just-bash — deterministic commands the agent selects)
↓
Artifacts (git + protected outputs — immutable record)
| Directory | Layer | Language | What it contains |
|---|---|---|---|
infra/ |
Infrastructure | Shell | Seatbelt sandbox, CIS benchmark, monitoring |
agents/ |
Agents | Python | Cross-model review pipeline (Claude + Codex) |
toolkit/ |
Toolkit | TypeScript | just-bash custom commands (building) |
artifacts/ |
Artifacts | Shell | Hooks, hash validation, scanning tools |
standards/ |
Cross-cutting | — | Language standards for Python, Go, TypeScript, just-bash |
.claude/ |
Agents | — | Agent profiles, skills, settings |
.github/ |
Infrastructure | — | CI pipeline, issue and PR templates |
- OS-level agent containment — macOS Seatbelt sandbox with deny-default profile, explicit allowlists for filesystem, mach IPC, and network
- Cross-model adversarial review — Claude Code output reviewed by OpenAI Codex via structured schema, findings returned synchronously to the agent
- Attestation chain — every file write auto-committed with agent hash on line 1, post-commit validation of hash prefix registration and SHA-256 match
- Language standards as constraint surfaces — the architect defines structure (types, interfaces, schemas), agents implement within it
- 13-check CI pipeline — markdownlint, yamllint, gitleaks, glassworm (Unicode injection), Semgrep SAST, SBOM generation, audit chain verification, hash validation, persona validation, sandbox syntax check
- Agent profiles with scoped permissions — builder (read/write only), reviewer (read only, adversarial stance), researcher (read + web, exploratory stance)
Identity is the behavioral containment. Code is too dynamic to be the boundary. Permissions are the boundary. Each agent has a discrete identity with scoped access, revocable independently.
Controls that exist only as documentation are not controls. The deliverable is enforcement. Where a control maps only to a markdown file, that is the gap to close.
The architect defines structure. Agents implement within it. You own packages, modules, interfaces, types. Agents own function bodies, method implementations, logic. The compiler or the test suite verifies the boundary — not the agent's judgment.