Vigil · TSVector Boundary Law · Resource Law · Authority Law TypeScript · Node.js · HTTP Oracle Reference implementation

Desktop Agent Governance

The constitutional governance layer for autonomous agents with shell and browser access. JSON in, JSON out. Three decision states. Full violation reporting with precedence traces and session-level composition tracking.

CI/CD governs what code gets deployed. Vigil governs what agents can execute. DevOps solved: how do you govern complex automated systems that act continuously, at machine speed? Vigil applies the same control-plane pattern one abstraction level up — to the reasoning layer that exists before code reaches infrastructure.

The Agency Paradox — full essay at macsweeney.tech ↗

See the POCs ↓ Operational tutorial at macsweeney.tech ↗ Cross-domain proof — FlightLaw →

The problem

Desktop AI agents — systems with access to the shell, browser, filesystem, and network — operate at machine speed. They generate proposals continuously, often in parallel, across multiple contexts. Human oversight alone cannot keep pace.

The failure modes are predictable: filesystem writes to paths the human never authorized; network requests to endpoints outside the intended scope; shell commands that make sense individually but compose into an unintended sequence.

The composition problem. Action A is permitted. Action B is permitted. Action C likewise. But A → B → C together constitute scope creep that no per-action evaluation would have caught. This is the governance failure that behavioral oversight cannot prevent at scale.

Full analysis in the Agency Paradox essay ↗

The architectural response is a constitutional governance layer: separate from the acting system, deterministic in its authority, composition-aware across the session, and fail-closed by default. Vigil is that layer, implemented in TypeScript for the Node.js and desktop agent ecosystem.

Architecture

Vigil is a stateless HTTP oracle. The agent submits a proposed action as JSON. Vigil evaluates it against the constitutional policy and the session composition record. It returns a structured verdict. Nothing executes without a verdict.

Principal layer Human authority

Defines constitutional policy. Reviews escalated decisions — including composition signals that cross session thresholds.

↓

Vigil HTTP oracle Constitutional governance layer

TSVector enforcement kernel. Three verdicts: ALLOW / DENY / ESCALATE. Deterministic. Fail-closed. Full evaluation trace per decision.

↓

Desktop agent Acting system

Claude, OpenClaw, or any agent with tool access. Submits proposed actions as JSON before execution. Executes only on ALLOW verdict.

The verdict contract

Verdict	Meaning	Agent behavior
ALLOW	Action is within authorized scope and session composition is nominal	Executes the proposed action
DENY	Action violates a Law or session composition pattern	Does not execute. Records the denial.
ESCALATE	Triggers a composition signal — principal judgment required	Suspends until principal reviews.

Fail-closed guarantee

When Vigil is unreachable, policy is ambiguous, or session state is uncertain, the default verdict is DENY.

The three laws

Vigil composes three Laws from the AgentVector Codex, each governing a distinct category of desktop agent action.

Law 0 · Boundary

Filesystem & network containment

Type-safe sandboxed paths. Unauthorized filesystem I/O is architecturally unrepresentable. Network requests evaluated against domain allowlist.

Law 4 · Resource

Token budget & thermal management

Circuit breaker pattern. Token consumption tracked against declared budget. Thermal state on Apple Silicon monitored.

Law 8 · Authority

Approval queue for destructive operations

Risk-tiered escalation. Destructive operations suspended in ESCALATE queue until principal approves.

Proof of concept implementations

Two POCs implement the Stackmint.ai integration contract: JSON in / JSON out, three decision states, full violation reporting.

POC 1 — Token / cost budget gate

Law 4 (Resource) · Budget enforcement before agent execution

In development

// Request
POST /evaluate
{
  "session_id": "sess_abc123",
  "action": {
    "type": "llm_inference",
    "estimated_tokens": 4200,
    "model": "claude-sonnet-4-6"
  }
}

// Response — DENY (budget exhausted)
{
  "verdict": "DENY",
  "law_ref": "Law 4 · Resource · budget_exhausted",
  "violations": [{
    "budget_remaining": 1800,
    "requested": 4200
  }],
  "replay_hash": "sha256:7f4a..."
}

POC 2 — URL / tool allowlist gate

Law 0 (Boundary) · Network and tool access enforcement

In development

// Request
POST /evaluate
{
  "session_id": "sess_abc123",
  "action": {
    "type": "network_request",
    "url": "https://api.github.com/repos/...",
    "method": "GET"
  }
}

// Response — ALLOW (domain on allowlist)
{
  "verdict": "ALLOW",
  "law_ref": "Law 0 · Boundary · url_allowlist",
  "matched_rule": "api.github.com · GET · read_only",
  "replay_hash": "sha256:3c9d..."
}

Stackmint integration

Flo at Stackmint.ai requested a Vigil integration for their AI development workflow platform. The integration contract specifies a pre-commit gate: JSON in / JSON out, three decision states, full violation reporting.

The integration pattern. Vigil sits as a sidecar to the Stackmint agent execution environment. Every proposed action passes through Vigil before execution. The constitutional policy is defined by the operator, not by Stackmint's platform.

Integration walkthrough at macsweeney.tech ↗ Stackmint.ai ↗

Cross-domain proof

Vigil composes Laws 0, 4, and 8 into a desktop agent jurisdiction. The same Laws compose differently in aviation and narrative contexts.

FlightLaw · SwiftVector

Autonomous aviation

The same Laws govern geofencing, fuel reserves, and pilot command. Different domain rules. Identical governance pattern.

FlightLaw architecture →

ChronicleLaw · SwiftVector

Narrative AI

Character mortality and plot decisions are human-only state transitions. AI may draft prose; it cannot decide fate.

ChronicleLaw — coming soon

One kernel, three domains. The constitutional guarantee — same inputs produce the same verdict, always — holds identically across all three.