System Architecture | Tractatus AI Safety Framework

Behavioral Training (Constitutional AI)

Structural Enforcement (Tractatus)

Jailbreaks often work by manipulating the AI's internal reasoning. Tractatus boundaries operate external to that reasoning—the AI doesn't directly evaluate governance rules. While not foolproof, this architectural separation makes manipulation significantly harder.

Five Architectural Principles

These principles, adapted from Christopher Alexander's work on living systems, guide how Tractatus evolves and maintains coherence. They're not documentation—they're design criteria enforced architecturally.

Not-Separateness: Governance in the Critical Path

Governance woven into deployment architecture, not bolted on

Tractatus governance services operate in the critical execution path—every action passes through validation before executing. This isn't monitoring after-the-fact, it's architectural enforcement that cannot be bypassed.

Example: PreToolUse Hook

When the AI attempts to edit a file, the PreToolUse hook intercepts before execution. BoundaryEnforcer, CrossReferenceValidator, and other services validate the action. If any service blocks, the edit never happens—architecturally impossible to bypass.

Contrast: Bolt-on compliance systems monitor actions after they occur, creating separation between governance and execution. An AI agent could theoretically disable monitoring or exploit gaps. Tractatus eliminates that separation.

Deep Interlock: Services Reinforce Each Other

Coordinated governance, not isolated checks

The six governance services don't operate in silos—they coordinate through mutual validation. High context pressure intensifies boundary checking. Instruction persistence affects cross-reference validation. Service outputs feed into each other, creating resilience through redundancy.

Example: The 27027 Incident

AI attempted to use default database port despite HIGH persistence instruction specifying port 27027. InstructionPersistenceClassifier flagged the instruction. ContextPressureMonitor detected 53.5% pressure. CrossReferenceValidator caught the conflict. BoundaryEnforcer blocked the action. Four services working together prevented the error.

Why it matters: Single service bypass doesn't compromise governance. An attacker would need to circumvent multiple coordinated services simultaneously—exponentially harder than defeating isolated checks.

Gradients Not Binary: Nuanced Responses

Intensity levels, not yes/no switches

Governance operates on gradients: NORMAL → ELEVATED → HIGH → CRITICAL. Context pressure, security impact, and validation rigor all scale with intensity. This mirrors how living systems adapt—gradual responses, not mechanical on/off.

Example: Context Pressure Monitoring

At NORMAL pressure (0-25%), routine operations proceed smoothly. At ELEVATED (25-50%), validation becomes more thorough. At HIGH (50-75%), human review triggers more frequently. At CRITICAL (>75%), framework recommends session closedown. Graduated response prevents both alert fatigue and catastrophic failures.

Contrast: Binary "allowed/blocked" systems create brittleness—either everything passes or nothing does. Gradients enable natural adaptation to varying risk levels.

Structure-Preserving: Audit Continuity

Changes enhance without breaking

Framework changes must preserve wholeness—audit logs remain interpretable, decisions remain valid, institutional memory survives evolution. Version 4.2 logs are readable in version 4.4. Six-month-old audit decisions still make sense. Structure-preserving transformations maintain coherence across time.

Example: Adding Framework Fade Detection

When inst_064 (framework fade detection) was added, it monitored all six services without changing their core definitions. Pre-existing audit logs remained valid. Service behavior evolved, but historical decisions stayed interpretable. Enhancement without fracture.

Regulatory advantage: Regulators need stable audit trails. Structure-preserving evolution lets the framework adapt while maintaining compliance continuity—no need to re-interpret old decisions every version.

Living Process: Evidence-Based Evolution

Grows from real failures, not theory

Framework changes emerge from observed reality, not predetermined plans. When services went unused, we added fade detection. When selective verification reduced noise, we evolved triggering criteria. Real operational experience drives evolution—no building solutions to theoretical problems.

Example: MetacognitiveVerifier Selective Mode

Audit logs showed MetacognitiveVerifier activating on trivial operations, creating noise. Rather than theorize about thresholds, we analyzed real trigger patterns. Selective mode emerged from data—verify only complex operations (3+ file modifications, 5+ sequential steps). Performance improved based on evidence, not guesswork.

Contrast: Over-engineered systems solve imagined problems. Living process builds only what reality proves necessary—lean, effective, grounded in operational truth.

How the Five Principles Work Together

These principles aren't independent—they form an interlocking pattern. Not-separateness requires deep interlock between services. Gradients enable natural adaptation. Living process drives changes that must be structure-preserving to maintain wholeness.

Not-Separateness (governance in critical path)

↓ requires

Deep Interlock (services coordinate)

↓ enables

Gradients (nuanced responses)

↓ guided by

Living Process (evidence-based evolution)

↓ constrained by

Structure-Preserving (audit continuity)

↓

System Wholeness

Tractatus works with any agentic AI system—Claude Code, LangChain, AutoGPT, CrewAI, or custom agents. The governance layer sits between your agent and its actions.

Tractatus Runtime-Agnostic Architecture Diagram showing Agent Runtime Layer, Tractatus Governance Layer with six services, Persistent Storage Layer, and Human Approval Workflows

Your AI agent (any platform). Handles planning, reasoning, tool use. Tractatus is agnostic to implementation.

Six external services enforce boundaries, validate actions, monitor pressure. Architecturally more difficult for AI to bypass.

Immutable audit logs, governance rules, instruction history. Independent of AI runtime—can't be altered by prompts.

🔍 INTERACTIVE EXPLORATION

See the Framework in Action

Explore 3,942 real governance decisions from production deployment. Filter by service, pressure level, and coordination patterns to understand how Deep Interlock operates in practice.

🤗 Launch Interactive Explorer on Hugging Face For Researchers →

Apache 2.0 licensed • All data anonymized • No sign-up required

Six Governance Services

These services implement the five principles in practice. Each service embodies not-separateness (operating in the critical path), deep interlock (coordinating with others), and gradients (intensity-based responses).

Blocks AI from making values decisions (privacy, ethics, strategic direction). Requires human approval.

Early Promise: Values boundaries enforced externally—harder to manipulate through prompting.

Stores instructions externally with persistence levels (HIGH/MEDIUM/LOW). Aims to reduce directive fade.

Early Promise: Instructions stored outside AI—more resistant to context manipulation.

Early Promise: Independent verification—AI claims checked against external source.

Early Promise: Objective metrics may detect manipulation attempts early.

Early Promise: Architectural gates aim to enforce verification steps.

Early Promise: Human judgment required—architecturally enforced escalation for values.

Click any service node or the central core to see detailed information about how governance works.

Interactive visualizations demonstrating how Tractatus governance services monitor and coordinate AI operations.

Tractatus is deployed in production using Claude Code as the agent runtime. This demonstrates the framework's real-world viability.

🔬
🔴
🏢
🤝
📊