Creator Engine binds every agent-authored mutation to identity, mutation class, evidence, and a named ratifier — so agent work is reviewable, ratifiable, and shippable, straight from git clone.
ce runtime
Operator-ratified gates
Evidence in your repo
ce command groups in the current runtime surfacev3.0 MVP-complete is proven by the live open→review→merge spike; v3.1 pilot-ready is the active arc. The packaged runtime is still a repository-checkout 0.1.0 pre-release. Apache-2.0.
Today, agents claim completion, humans accept the claim, and "go ahead" in chat becomes de facto merge authority. There is no durable record joining the claim to identity, evidence, and an explicit ratifier. As agent throughput grows, ungoverned mutations become indistinguishable from confabulated progress.
Creator Engine treats this as a contract problem, not a tooling problem. Identity, mutation class, permitted actions, verification evidence, and the named ratifier are fixed before an agent acts — and recorded as durable, repo-visible artifacts after. Agents are productive proposers; humans remain the ratifiers.
Each agent invocation is bounded by an Assignment Envelope and lands evidence the next reviewer — or an auditor months later — can replay from the repository alone.
An Assignment Envelope fixes identity, mutation class, and permitted actions for a single agent invocation — before any work begins.
Agents implement inside an isolated, rootless worker. Every side effect is appended to a hash-chained ledger you can verify.
ce check and fan-in assemble spec, tests, and review into a read-only evidence packet. CI and review inform — they never ratify.
Privileged gates route to the Operator — the apex human authority. Deploys, governance changes, and settings flips stay human-ratified.
Primitives that make autonomy safe to scale — visible surfaces, isolated workers, and repo-local evidence, with the privileged floor reserved for humans.
Wraps Spec Kit with sidecar YAML — byte-identical compatibility. Every change traces to a spec, plan, and tasks triple.
An authority matrix and ratifier taxonomy bind each mutation to who may propose it and who alone may ratify it.
Nine baseline classes plus a privileged floor. Reserved-action vocabulary makes high-risk operations explicit, not implicit.
Attestation, ratification, and redaction records plus validator output reconstruct every mutation from git clone alone.
ce launch opens a visible tmux Controller seat and governed lanes — orchestration you can watch, not a black box.
Rootless Podman worker isolation with a credential broker. Parallel agent lanes, one driver per worktree, governed conflict taxonomy.
ce runtime
A local command-line runtime over your repository's .hermes/ state and tracked substrate. No daemon, no web server. Offline, uv-first install against a checked-in wheelhouse.
The current command surface — thirteen groups, no hidden authority:
ce checkRun conformance checksce doctorGoverned-environment preflightce initInitialize .hermes/ statece launchVisible Controller seatce laneGoverned visible lanesce workerRootless Podman isolationce ledgerAppend-only hash chaince faninRead-only evidence packetce queueIntegration dry-run previewce eventLocal CE-event chainsce pclCoordination ledgersce connectorConnector plans and bounded submitsce hudSeam alias for ce launchce fanin, ce queue, and connector output inform decisions; they do not ratify privileged action. The one-line uvx installer is post-v1 — today's public install is a repository checkout.
Review, CI, fan-in, and harness output inform the Operator — but never ratify on the Operator's behalf. These primitives hold regardless of release stage.
The apex human authority ratifies every privileged gate: deploys, governance amendments, identity/security changes, repo settings, branch protection, visibility flips.
Bounds exactly what an agent may do in a single invocation — identity, mutation class, and permitted actions, fixed up front.
An append-only hash chain of effects. ce ledger verify proves the chain is intact — tamper-evident by construction.
CI is a required check that informs ratification. The self-claim rejection invariant means an agent's own "done" never counts as authority.
A governed policy for what may be recorded and what must be withheld, with redaction records that keep the audit trail honest.
Turns "the agents disagree" into a governed resolution path — one driver per worktree, with parallel pairs and named escalation.
The difference isn't speed — it's whether you can still trust the result months later.
We name release stages plainly. v3.0 is MVP-complete; v3.1 pilot-ready is in progress; the public runtime package remains a 0.1.0 repository-checkout pre-release.
The live spike proved the governed loop end-to-end: one real PR opened, independently reviewed, and squash-merged by a distinct merge identity, with schema-valid evidence on the hash chain.
G-3.9 cleanup is next, followed by the agent-interaction contract, tokenomics gate, coordination layer, and G-7 product surface with the two-mode installer.
The public package is still installed from the repository's checked-in wheelhouse. No hosted service, no daemon, and no uvx one-liner yet; the Operator-only privileged floor is preserved.
git clone.Read the substrate, run the validator, and see every mutation bound to identity, evidence, and a named ratifier. Adopt it by cloning a repository — not by standing up infrastructure.