This is a companion piece to Why AI Agents Don’t Follow Rules — The Case for Physical Governance.
The core thesis of this project remains: textual rules enforce at read time; physical constraints enforce at execution time. This post moves from theory to an auditable chain of facts. We aren't looking for a "vibe" that the AI is aligned; we are looking for a green checkmark on a commit the human didn't touch.
What we did (Facts only)
Inside a private monorepo governed by the AOS (AI Operating Standard), we stood up a minimal “smoke” tool to test our automated production line:
02_Production/A0000-A0999/A0000-A0099/0001_Phase_4A5_Smoke/
The Audit Trail (Names and Hashes)
-
Blueprint Registration: Registered in
00_Management/15_Technical_Specs/IMPERIAL_BLUEPRINT_300.mdunder## BP-0001(including metadata likelog_id: FSP) before the code was generated. We define the discipline before the agent writes a single line. -
Automated Forging: The tool tree was generated via our internal
0005_Template_Generator. We avoid manual "polishing" of the file structure to fake compliance; the output is a direct result of the 0005 standard.
Mold line CI (Phase 4A′.1) — generator matches bare python3
After the smoke milestone, we tightened the template generator so newly forged tools survive GitHub Actions evals-matrix without a local venv: early --help exit before heavy imports, optional dotenv, no pyright in the forged config/requirements.txt, and a timeout-wrapped scripts/run_pyright_timed.sh for offline runs. We added a regression pillar 0002_Template_Ci_Probe and recorded commands in:
00_Management/30_Exec/reports/STEP_4Aprime_1_verification_2026-04-12.md
Local Gates
We ran the following before any push attempt:
-
python3 evals/run_evals.py→ Exit 0 -
npx playwright test(in the tool’s dedicated fortress) → 1 passed, Exit 0 -
0061_Core_Vitals.py --scope a0000from repo root → OK / No RED ALERT
The Pre-Push Guard
A local git hook running 0061 again to ensure no "dirty" code leaves the local environment.
Commits on main
The auditable history rests on these key SHAs (representing the core tool, documentation, CI-hardening, and the mold-line follow-up):
-
d303ece0— Initial forging: Tool tree, inventory, and blueprint. -
85a524e0— Verification documentation and metadata sync. -
2bcbb52c— CI-hardening (fixing import orders for bare environments). -
9870fa67— Phase 4A′.1: 0005 mold + regression pillar0002_Template_Ci_Probe+ verification log +CURRENT_PHASEupdates. -
143dda68— Dev.to companion draft for 4A′.1 (same push as the green run below).
Imperial CI verification (private audit trail — full GitHub permalinks omitted):
-
Run (4A.5 line; commit
2bcbb52c): Actions Run ID24297937048— green. -
Run (includes 4A′.1 + this companion; tip
143dda68): Actions Run ID24314120937— green (internal UI: workflow run #18; matrix: vitals, evals bands, playwright-smoke, independent-judge, 1024 smoke — all green on that graph).
Why no
github.com/.../actions/runs/...links here: The monorepo is private. A permalink looks like “proof,” but for almost everyone it returns 404; it also embeds owner identity in the URL. We treat Run IDs + SHAs + repo-internal verification logs as the portable audit trail. For a visual receipt on Dev.to / Zenn, use a redacted Actions summary screenshot (crop the owner/repo chrome or mask it) — never paste the raw URL bar into an image.
“Plan A”: Humans off git commit / git push
For this milestone, we executed Plan A (our internal runbook for strict session rules): The sovereign (human) did not hand-type a single git commit or git push command. The agent performed all git operations using a consistent identity:
Cursor Agent <cursor-agent@local>
While git metadata can be manipulated, our claim of "Zero human git operations" rests on the triangulation of strict session rules (Plan A — our internal runbook name), repo-internal verification logs, and these commit timestamps.
Oracle Writes: The "Blocked" Receipt
We did not "re-film the stunt" for this post. The canonical evidence for our physical enforcement layer (Write blocked with Exit Code 2) remains the Phase-1 Step-1.6 log.
This is a proxy verification log (using stdin to reproduce boundary conditions and prove the hook is alive):
00_Management/30_Exec/reports/STEP_1_6_verification_2026-04-02.log
If your governance story cannot point to an executable boundary (hook, sandbox, or CI policy) plus a log line, you still only have prose.
Independent Judgment vs. “The Model Smiled”
Our CI pipeline includes an independent-judge job (using a vendor-separated LLM from the authoring agent).
If the only proof of quality is the same stochastic process that wrote the code, you have verification contamination.
CI is not wise. CI is externally scheduled embarrassment with a URL.
On the 143dda68 run, independent-judge, evals-matrix (per band), vitals-matrix, and Playwright smoke (including 0001_Phase_4A5_Smoke) completed green in one workflow graph — the same bar we cite in the companion thesis.
LLM Stack Migration: Enforcement is Physics
We recently completed a 7-pillar migration away from direct vendor-specific SDKs (documented in 00_Management/30_Exec/reports/STEP_4A_3_verification_2026-04-12.md).
Vendor churn is logistics. Enforcement is physics.
Limitations and Constraints
- Private Repo: This is a method write-up, not a tour of a public repo. We share the SHAs and paths to show the internal consistency of the monorepo.
-
CI Permissions: We maintain
permissions: contents: read. The push came from the agent environment, governed by Plan A (our internal runbook for strict session rules). -
Static Analysis: We occasionally skip long local
pyrightpasses using an explicit env flag during generation (IMPERIAL_GENERATE_SKIP_PYRIGHT=1on reforge batches); the evals + 0061 + CI suite carries the burden of proof afterward.
The Standard
If you want a vocabulary for this that isn't tied to our monorepo's specific "lore," check out the AOS (AI Operating Standard) v0.1 draft:
https://github.com/aos-standard/AOS-spec
A note for every “Sergeant Gemini” in the replies
If your favorite model insists a rollout is “safe” because it feels aligned, ask it for one thing: The Actions permalink where independent-judge, evals-matrix, and Playwright smoke all passed on that exact commit.
If it cannot produce that URL, it is not doing governance—it is doing cosplay.
Internal verification SSOT (4A.5): 00_Management/30_Exec/reports/STEP_4A_5_verification_2026-04-12.md
Internal verification SSOT (4A′.1): 00_Management/30_Exec/reports/STEP_4Aprime_1_verification_2026-04-12.md
Dev.to draft (source for this extension): 00_Management/30_Exec/reports/DEVTO_draft_phase4Aprime_ci_mold_2026-04-12.md
Top comments (0)