A governed-agent kernel.
Agents that declare their model lane, their tools, and their blast radius up front — and a lifecycle that refuses to ship work that did not pass verify. The boundary is written down, not assumed.
name: db-migrator capability: code_write model: sonnet # a lane, not a default to the top tier tools: [read, edit, run-tests] side_effects: false # cannot push, deploy, or read a secret gate: human-approval # data-migration tag → operator re-entry
Four parts, each a declared seam.
No part is a black box. Each is a file you can read, diff, and gate in review before an agent ever runs.
Every agent, skill, and rule is a declared file — model lane, allowed tools, capability, side-effect flag. Validated against a schema at load. No agent grants itself a tool it did not declare.
Work moves SPEC → PLAN → EXECUTE → VERIFY → SWEEP → SHIP. Transitions are guarded: VERIFY fails, the machine reopens PLAN — there is no edge to SHIP. The path is the policy.
Recall is vector + full-text over a local store, scoped per project. Reads are always allowed; writes honor a per-session mode. Secrets are never a memory item — they source from env, not recall.
Lifecycle events fire typed hooks — session-start recall, per-act logging, pre-commit gates. The dispatcher is the one audited seam; a hook cannot reach a credential the kernel did not hand it.
A state machine, not a checklist.
VERIFY failing reopens PLAN. There is no shortcut to SHIP. The machine owns the path — the engineer does not override it inline.
dispatch({
agent: "db-migrator",
model: "sonnet", // escalate to opus only on uncertainty
isolation: "worktree", // parallel writers never share a tree
side_effects: false, // the kernel holds secrets, not the agent
});
// VERIFY fails → state machine reopens PLAN
// No edge to SHIP exists until VERIFY passesA governed kernel, not autonomous magic.
The kernel does not make agents smarter. It makes them accountable: every dispatch declares its lane and its boundary, the kernel holds the credentials, and the lifecycle owns the path to ship.
The kernel holds secrets. An agent that wants to deploy cannot — that capability lives on one audited side of the seam.
Model, tools, and isolation are declared at dispatch — not defaulted to the most powerful option. Escalate on uncertainty, not habit.
Every agent file is validated against a typed schema before it is allowed to run. An undeclared tool is a load-time error, not a runtime surprise.
A composition of the same base.
Agentic-Dev is an edition, not a fork — built on the audited Caisson base every other edition shares. It opens after the Compliance wedge lands.
One-time
Buy the edition outright and own the source. No recurring seat fee.
Per-module
Take the kernel à la carte onto your Caisson base. Pay for what you use.
Developer plan
Subscription — credits, framework updates, private-registry pulls.
Common questions.
What does the governed-agent kernel actually enforce?
The kernel validates each agent declaration against a schema at load time, holds all credentials, and owns the lifecycle state machine — so an agent that wants to deploy cannot. That capability lives on one audited side of the seam.
When does Agentic-Dev ship?
It is on the roadmap, post-wedge. Compliance lands first; Agentic-Dev opens once the base is proven in production.
Can I take just the kernel without the full edition?
Yes — per-module licensing is planned. You can pull the kernel à la carte onto the audited Caisson base.
Follow the build.
Agentic-Dev is on the roadmap, shipping after the Compliance wedge is proven in production. Watch the repo for milestones, or subscribe for low-frequency product updates.