harbormaster

Bounded agent execution · under governance

Govern what your agents are allowed to do.

An agent you can only watch is an agent you can't stop. harbormaster is the gate at the harbor mouth: it authorizes each action, bounds how it runs, and keeps an append-only record of every decision — and no single part can do another's job.

Demo: the clearance gate at the harbor mouth cycles real requests through the governance tuple and the manifest of declared capabilities into a decision, and each decision lands in the logbook (append-only, hash-chained, never rewritten). Earlier lines never change; that's the witness.

Separation of powers

One boundary. Three faculties. No part holds two.

SEFACA entangled watching with doing and ate itself. harbormaster splits the three powers — deny, execute, record — into three modules, each structurally incapable of the others' jobs.

GOVERN

Clearance

The only part that can say no. A pure decision: tuple + manifest + policy → allow or deny.

can deny: yes
can execute: no
can record: no

Deterministic and fail-closed. Same inputs, same decision — every time.

BOUND

Berth

An assigned, bounded slot. Runs the action under exactly the limits clearance granted — nothing more.

can deny: no
can execute: yes
can record: no

Minimal-sufficient: every isolation layer must name a threat it closes, or it's gone.

WITNESS

Logbook

An append-only ledger of every decision and outcome. A write-once sink — read by observers, altered by no one.

can deny: no
can execute: no
can record: yes

No execution is recorded after the fact. Witness is the precondition, not the receipt.

Verified, not asserted

The rules are checked three ways down.

Most sandboxes ask you to trust their prose. harbormaster's invariants are pinned by tests, generalized by property checks, and proven across every interleaving by a model checker.

unit

Exemplified

Each invariant holds on a concrete case — the test names carry the rule they pin.

property

Generalized

The same rules hold over thousands of generated inputs: determinism, fail-closed totality, append-only.

TLA+

Modeled

A model checker explores every ordering of clearance → witness → berth. 377 states, no escape.

weaken a guard · the model refuses
// drop the witness check from RunBerth, then:
$ gmake verify-formal

Error: Invariant NoExecWithoutWitness
        is violated.
The behavior up to this point:
  state 1  logUp = TRUE
  state 2  decision[r1] = "allow"
  state 5  executed = {r1}  ← never witnessed

5 states. The counterexample is the proof.

Who authorized this?

The reviewer slot is the whole point.

Every action runs under a governance tuple. It names not just the actor, but the authority that must have signed the policy — a role distinct from the actor.

[persona:agent:reviewer@env(project:workspace)]

persona: the intent it runs under
agent: the actor
reviewer: the signing authority
env: the host
project: the repo
workspace: the worktree

When agent equals reviewer, clearance denies. An agent cannot be its own reviewer.
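As an added illustration of the tuple format and the self-review rule above, together with the clearance → witness → berth order and the append-only, hash-chained logbook from the earlier sections, here is a small Python model. It is not harbormaster's own code (the page shows no implementation); the field grammar, the chaining scheme and the logbook entry format are assumptions.

```python
import hashlib
import re

# Assumed grammar for [persona:agent:reviewer@env(project:workspace)]:
# a field is any run of characters that is not one of the tuple's own delimiters.
F = r"[^:@()\[\]]+"
TUPLE_RE = re.compile(
    rf"^\[(?P<persona>{F}):(?P<agent>{F}):(?P<reviewer>{F})"
    rf"@(?P<env>{F})\((?P<project>{F}):(?P<workspace>{F})\)\]$"
)

def parse_tuple(text: str):
    """Six named fields as a dict, or None when the text is not a well-formed tuple."""
    m = TUPLE_RE.match(text.strip())
    return m.groupdict() if m else None

def clearance(text: str):
    """Pure decision (verdict, reason): same input, same answer; unparseable input is denied."""
    t = parse_tuple(text)
    if t is None:
        return "deny", "malformed tuple"                     # fail-closed
    if t["agent"] == t["reviewer"]:
        return "deny", "agent cannot be its own reviewer"
    return "allow", "runs under granted bounds"

class Logbook:
    """Append-only, hash-chained ledger: it exposes append and verify, nothing that rewrites."""
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries = []   # list of (line, chain hash)

    def append(self, line: str) -> str:
        prev = self.entries[-1][1] if self.entries else self.GENESIS
        h = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        self.entries.append((line, h))
        return h

    def verify(self) -> bool:
        """Recompute the chain; an edited or dropped line breaks every hash after it."""
        prev = self.GENESIS
        for line, h in self.entries:
            if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != h:
                return False
            prev = h
        return True

def govern(text: str, log: Logbook, run) -> str:
    """clearance -> witness -> berth: the decision is in the logbook before the berth runs."""
    verdict, reason = clearance(text)
    log.append(f"decision={verdict} reason={reason} tuple={text}")
    if verdict == "allow":
        log.append(f"outcome={run()} tuple={text}")   # the berth runs only after the witness
    return verdict
```

Tampering with any stored line makes `verify()` fail from that point on, and a denied request never reaches the `run` callable.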

Get started

Bring your own agent. We'll hold the gate.

Install the CLI, write a manifest declaring what an action needs, and govern a run. The decision and its outcome land in the logbook before anything executes.

terminal
# install
$ curl -sSL https://harbormaster.dev/install.sh | sh

# govern an action: clearance → witness → berth
$ hbm clear "[default:aygp-dr:jwalsh@nexus(harbormaster:/work)]"
→ allow  runs under granted bounds, witnessed

# an agent reviewing itself is refused
$ hbm clear "[p:jwalsh:jwalsh@nexus(x:y)]"
→ deny   agent cannot be its own reviewer

# read the append-only ledger
$ hbm log

harbormaster wraps execution. It is not the agent loop, a dashboard, or a policy author — it evaluates the policy your reviewer signed, and refuses anything outside it.