| title | Runtime contracts reference | |||||||
|---|---|---|---|---|---|---|---|---|
| description | Reference for the shipped Simard executable surfaces, the shared-state-root client between terminal sessions and the repo-grounded engineer loop, the `engineer read` audit contract, the shipped bounded `engineer copilot-submit` contract, compatibility binaries, and the in-process runtime contracts that back them. | |||||||
| last_updated | 2026-03-30 | |||||||
| review_schedule | as-needed | |||||||
| owner | simard | |||||||
| doc_type | reference | |||||||
| related |
|
This document covers:
- the canonical
simardCLI surface - the
engineer readaudit surface - the compatibility binaries that still expose a few legacy entrypoints
- the in-process Rust runtime and bootstrap types in
src/bootstrap.rs,src/runtime.rs, and related modules
Simard does not expose:
- an HTTP API
- a network service contract
- a database schema contract
| Runtime behavior | Canonical surface | Compatibility surface |
|---|---|---|
| explicit bootstrap | simard bootstrap run ... |
simard_operator_probe bootstrap-run ... |
| bounded engineer loop | simard engineer run ... |
simard_operator_probe engineer-loop-run ... |
| engineer state readback | simard engineer read ... |
simard_operator_probe engineer-read ... |
| terminal-backed engineer substrate | simard engineer terminal ... |
simard_operator_probe terminal-run ... |
| file-backed terminal engineer substrate | simard engineer terminal-file ... |
simard_operator_probe terminal-run-file ... |
| named terminal recipe execution | simard engineer terminal-recipe ... |
simard_operator_probe terminal-recipe-run ... |
| bounded Copilot task submission | simard engineer copilot-submit ... |
none |
| terminal session readback | simard engineer terminal-read ... |
simard_operator_probe terminal-read ... |
| meeting mode | simard meeting run ... |
simard_operator_probe meeting-run ... |
| meeting state readback | simard meeting read ... |
simard_operator_probe meeting-read ... |
| goal-curation mode | simard goal-curation run ... |
simard_operator_probe goal-curation-run ... |
| goal-curation state readback | simard goal-curation read ... |
none |
| improvement-curation mode | simard improvement-curation run ... |
simard_operator_probe improvement-curation-run ... |
| improvement-curation state readback | simard improvement-curation read ... |
simard_operator_probe improvement-curation-read ... |
| review artifact persistence and readback | simard review ... |
simard_operator_probe review-run ... and review-read ... |
| benchmark scenarios and suites | simard gym ... |
simard-gym ... |
The shipped operator-facing command tree is:
simard engineer run <topology> <workspace-root> <objective> [state-root]simard engineer read <topology> [state-root]simard engineer terminal <topology> <objective> [state-root]simard engineer terminal-file <topology> <objective-file> [state-root]simard engineer terminal-recipe-listsimard engineer terminal-recipe-show <recipe-name>simard engineer terminal-recipe <topology> <recipe-name> [state-root]simard engineer copilot-submit <topology> [state-root] [--json]simard engineer terminal-read <topology> [state-root]simard meeting run <base-type> <topology> <structured-objective> [state-root]simard meeting read <base-type> <topology> <state-root>simard goal-curation run <base-type> <topology> <structured-objective> [state-root]simard goal-curation read <base-type> <topology> [state-root]simard improvement-curation run <base-type> <topology> <structured-objective> [state-root]simard improvement-curation read <base-type> <topology> <state-root>simard gym listsimard gym run <scenario-id>simard gym compare <scenario-id>simard gym run-suite <suite-id>simard review run <base-type> <topology> <objective> [state-root]simard review read <base-type> <topology> <state-root>simard bootstrap run <identity> <base-type> <topology> <objective> [state-root]
Shipped terminal contract: simard engineer copilot-submit <topology> [state-root] [--json]. It is documented below as the bounded one-shot local Copilot submission surface.
Bare simard prints help for that tree instead of attempting a hidden bootstrap.
Whenever a command accepts [state-root], Simard validates it before any persistence work tied to durable operator state.
Rejected inputs include:
- any path containing
.. - an existing path that is not a directory
- a symlink root
Safe roots are canonicalized once and then reused throughout the command.
The three operator-probe read subcommands publish the positional argument
as <state-root> (required) rather than [state-root] (optional):
simard meeting read <base-type> <topology> <state-root>simard improvement-curation read <base-type> <topology> <state-root>simard review read <base-type> <topology> <state-root>
When <state-root> is omitted these commands hard-fail with the
SimardError::MissingRequiredConfig variant and a stable, actionable
error that names the missing argument, the subcommand, and the base-type.
SIMARD_STATE_ROOT is intentionally not consulted for these three
reads. simard goal-curation read and every ... run path keep the
existing optional positional and env-fallback behavior. See
Operator read-subcommand state-root contract
for the complete contract.
When terminal session surfaces and the repo-grounded engineer loop reuse one explicit state-root, Simard keeps readback truthful by writing mode-scoped handoff artifacts:
latest_terminal_handoff.jsonlatest_engineer_handoff.jsonlatest_handoff.jsonas the compatibility client
Those files have different jobs:
- terminal session surfaces write the latest bounded terminal continuity summary
- engineer runs write the latest repo-grounded engineer summary
- compatibility readers can still inspect
latest_handoff.jsonwhen a mode-scoped file has not been written yet
Fail-closed rules:
terminal-readpreferslatest_terminal_handoff.jsonengineer readpreferslatest_engineer_handoff.json- lookup of
latest_handoff.jsonis allowed only when the mode-specific file is absent - if a mode-specific handoff exists but is malformed, the command fails explicitly instead of silently replaying stale compatibility data
The client is descriptive continuity only. Terminal-derived data must never override workspace-root, the engineer objective, action selection, or verification.
Canonical entrypoint: simard engineer run <topology> <workspace-root> <objective> [state-root]
Compatibility surface: simard_operator_probe engineer-loop-run <topology> <workspace-root> <objective> [state-root]
The bounded engineer loop is intentionally narrow:
- it inspects the selected repo before acting
- it prints a short action plan and explicit verification steps
- it chooses one bounded local action
- it verifies the result explicitly
- it persists concise evidence and memory under the selected state root
- it surfaces active goals and up to the three most recent carried meeting records from the same state root
- it may surface a separate terminal continuity summary when the same state root already contains a valid terminal-scoped handoff
The bounded engineer loop supports two honest action shapes:
- a read-only repo-native scan such as
cargo-metadata-scanorgit-tracked-file-scan - one explicit structured text replacement on a clean repo when the objective includes all of:
edit-file: <repo-relative path>replace: <existing text>with: <replacement text>verify-contains: <required post-edit text>
That structured edit path is intentionally narrow:
- the target path must stay inside the selected repo
- the repo must start clean so Simard does not overwrite unrelated user changes
- only one expected changed file is allowed
- verification must confirm both file content and git-visible change state
Canonical entrypoint: simard engineer read <topology> [state-root]
Compatibility surface: simard_operator_probe engineer-read <topology> [state-root]
This is a read-only engineer audit surface, not a sixth operator mode. It exists to inspect the durable engineer artifacts that engineer run already writes.
The contract is intentionally explicit:
engineer runremains the only mutation and execution path for engineer workengineer readreuses the same validated default state root asengineer runwhen[state-root]is omitted- any explicit
state-rootmust already exist as a directory before readback begins engineer readrequires readable regular-filememory_records.jsonandevidence_records.json; symlinked artifacts are rejectedlatest_engineer_handoff.jsonis authoritative for identity, selected base type, topology, session phase, redacted objective metadata, and the exported memory/evidence snapshot tied to the latest engineer runlatest_handoff.jsonis used only as a compatibility client when the engineer-scoped handoff is absent- the rendered output includes which handoff file was used
- persisted handoff objective metadata must already be trusted
objective-metadata(chars=<n>, words=<n>, lines=<n>); malformed or tampered metadata fails instead of being replayed - standalone
memory_records.jsonandevidence_records.jsonfiles act as durability checks and supporting record-count sources; if they disagree with the handoff snapshot, handoff-derived values win - only redacted objective metadata is printable; raw engineer objective text must never be rendered back to the terminal
- carried meeting state must remain valid persisted meeting records; malformed carried-meeting data fails explicitly instead of falling back to raw strings
- when the same state root contains a valid terminal-scoped handoff,
engineer readrenders a distinct terminal continuity section with sanitized fields such as recipe source, working directory, last output line, and transcript preview - operator-visible strings are sanitized before printing so terminal control sequences and secret-shaped values are not replayed
- output order stays deterministic: runtime header, handoff session summary, repo grounding, carried context, terminal continuity, selected action summary, verification summary, durable record counts
- the command performs no mutation, repair, resume, or execution
- invalid state roots, missing files, unreadable storage, and malformed persisted engineer data fail explicitly
The default root remains the same engineer durable path already used by engineer run:
target/operator-probe-state/engineer-loop-run/simard-engineer/terminal-shell/<topology>
Canonical entrypoint: simard engineer terminal <topology> <objective> [state-root]
Compatibility surface: simard_operator_probe terminal-run <topology> <objective> [state-root]
This substrate exposes the real terminal-shell base type on the primary CLI:
- the selected base type remains
terminal-shell - reflection still reports
terminal-shell::local-ptyas the adapter implementation - terminal objectives may include
command:/input:lines and explicitwait-for:/expect:checkpoints so bounded interactive terminal turns can pause for expected output before sending the next line - the run surface now renders the same structured terminal audit shape as
terminal-read: shell details, command/wait counts, ordered steps, observed checkpoints, last meaningful output line, and sanitized transcript preview - the run surface prints explicit boundary guidance showing that terminal mode is a bounded local session surface and that continuing into engineer mode still requires an explicit later
engineer run - the run persists
latest_terminal_handoff.jsonplus compatibilitylatest_handoff.jsonunder the shared root - unsatisfied wait checkpoints fail explicitly instead of silently replaying the rest of the objective and claiming success
- unsupported topology and invalid state-root choices still fail explicitly
Canonical entrypoint: simard engineer terminal-read <topology> [state-root]
Compatibility surface: simard_operator_probe terminal-read <topology> [state-root]
This is the read-only audit companion to simard engineer terminal. It exists to inspect the durable terminal-session artifacts that engineer terminal already writes.
The contract is intentionally explicit:
engineer terminalremains the only execution path for terminal-backed engineer workterminal-readreuses the same validated default state root asengineer terminalwhen[state-root]is omitted- any explicit
state-rootmust already exist as a directory before readback begins terminal-readrequires readable regular-filememory_records.jsonandevidence_records.json; symlinked artifacts are rejectedlatest_terminal_handoff.jsonis authoritative for identity, selected base type, topology, session phase, redacted objective metadata, and the persisted terminal evidence summary tied to the latest terminal sessionlatest_handoff.jsonis used only as a compatibility client when the terminal-scoped handoff is absent- the rendered output includes which handoff file was used
- persisted terminal evidence may include ordered terminal step lines, satisfied wait checkpoints, and the last observed output line so operators can inspect how a bounded interactive session was driven instead of relying only on aggregate counters
- when
engineer copilot-submitpersisted truthful audit data, the same readback exposes the Copilot flow asset, fixed payload identifier, outcome, and any explicit unsupported reason code - the rendered output also includes explicit engineer-next-step guidance so the client into repo-grounded engineer work stays operator-visible
- operator-visible strings are sanitized before printing so persisted terminal control sequences and secret-shaped values are not replayed
- output order stays deterministic: runtime header, handoff session summary, adapter details, shell details, step/checkpoint audit trail, transcript summary, continuation guidance, durable record counts
- the command performs no mutation, replay, resume, or execution
- invalid state roots, missing files, unreadable storage, and malformed persisted terminal data fail explicitly
Canonical entrypoint: simard engineer terminal-file <topology> <objective-file> [state-root]
Compatibility surface: simard_operator_probe terminal-run-file <topology> <objective-file> [state-root]
This is the reusable authoring companion to simard engineer terminal.
- it executes the same bounded
terminal-shellsubstrate asengineer terminal <objective-file>must exist as a readable UTF-8 regular file; symlinks and other file kinds are rejected explicitly- the loaded file contents remain subject to the same shell validation, wait-checkpoint behavior, sanitization, and durable state contracts as inline terminal objectives
- the run surface and
terminal-readcontinue to present the same structured terminal audit trail
Canonical entrypoints:
simard engineer terminal-recipe-listsimard engineer terminal-recipe-show <recipe-name>simard engineer terminal-recipe <topology> <recipe-name> [state-root]
Compatibility surface:
simard_operator_probe terminal-recipe-listsimard_operator_probe terminal-recipe-show <recipe-name>simard_operator_probe terminal-recipe-run <topology> <recipe-name> [state-root]
This is the discoverable built-in recipe companion to inline and file-backed terminal execution.
- recipes live under
prompt_assets/simard/terminal_recipes/*.simard-terminal - recipe names are limited to lowercase ASCII letters, digits, and hyphens
- unknown or invalid recipe names fail explicitly
terminal-recipe-showis read-only and prints the shipped recipe asset contentsterminal-recipeexecutes the same boundedterminal-shellsubstrate asengineer terminalandengineer terminal-file- the shipped built-ins currently include
foundation-check,copilot-status-check, andcopilot-prompt-check; the stricter task-submission slice is the dedicatedengineer copilot-submitcommand documented below copilot-status-checkis a bounded local availability probe only: it runsamplihack copilot -- --version, requires the expectedGitHub Copilot CLIversion signal, and fails closed when that signal cannot be producedcopilot-status-checkmust not claim interactive Copilot control, remote orchestration, or authenticated GitHub state inspectioncopilot-prompt-checkis a bounded interactive prompt reachability check: it launchesamplihack copilot, waits for the visible prompt guidance text, sends/exit, and requires the resume hint before successcopilot-prompt-checkmust not claim task execution, slash-command compatibility beyond/exit, remote orchestration, or authenticated GitHub state inspection- the selected recipe name is preserved into the terminal continuity summary that later engineer surfaces may render from the same state root
Canonical entrypoint: simard engineer copilot-submit <topology> [state-root] [--json]
This command ships as the next bounded local Copilot slice after copilot-prompt-check, and it narrows the contract further than engineer terminal or engineer terminal-recipe.
- it always launches the real local argv
amplihack copilotin the current repository context already selected by the operator - it loads one checked-in flow contract from
prompt_assets/simard/terminal_recipes/copilot-submit.json - it must accept no free-form task text, no custom prompt asset, no
workspace-root, and no worktree reuse - when the Copilot wrapper rewrites workflow-only
.claude/context/PROJECT.mdor.claude/context/PROJECT.md.bak, Simard must restore those tracked files to their pre-launch contents before returning so PTY validation does not dirty the repo - it submits exactly one fixed built-in payload only after the checked-in startup checkpoints are visible
- startup succeeds only when the live PTY transcript satisfies the ordered visible startup checkpoints from the flow contract, including
Describe a task to get started.and the guidance lineType @ to mention files, # for issues/PRs, / for commands, or ? for shortcuts - the current honest flow contract records the visible
ctrl+s run commandsubmit hint instead of pretending newline-based submission exists on this PTY path - overall
successis determined only from exact ordered checkpoints observed in the live PTY transcript after terminal control sequences are stripped from the visible text; there is no simulated Copilot output, no fuzzy matching, and no hidden control-path submission unsupportedmeans the Copilot process launched but the visible prompt flow exited early, drifted, stalled after partial visible startup evidence, required folder trust confirmation, required a non-line-input submit gesture, exposed wrapper-specific launch errors, or otherwise failed to reach a supportable checked-in flowruntime-failurestays reserved for Simard-side failures such as invalid inputs, local launch failures, or persistence/readback errors before a trustworthy submit result can be claimed- startup timeouts after partial visible startup evidence must classify as
unsupportedwithmissing-startup-banner,missing-guidance-checkpoint,workflow-wrapper-noise, orunexpected-startup-text; only zero-evidence startup timeouts remainruntime-failure - explicit unsupported reason codes are
process-exited-early,unexpected-startup-text,missing-startup-banner,missing-guidance-checkpoint,trust-confirmation-required,submit-hotkey-required,copilot-wrapper-error, andworkflow-wrapper-noise successandunsupportedwritelatest_terminal_handoff.jsonplus compatibilitylatest_handoff.jsonwhen truthful terminal evidence was captured;runtime-failuremay leave partial evidence but must not invent a complete submit summary- additive audit persistence includes the flow asset, fixed payload identifier, ordered steps actually reached before the stop point, observed checkpoints, last meaningful output line, sanitized transcript preview, outcome, and optional unsupported reason code
--jsonrenders that same contract as a machine-readable summary without changing runtime behavior or broadening capabilitycopilot-status-checkandcopilot-prompt-checkremain separate narrower probes and must keep their current contracts unchanged
Canonical entrypoints:
simard meeting run <base-type> <topology> <structured-objective> [state-root]simard meeting read <base-type> <topology> <state-root>
Compatibility surface: simard_operator_probe meeting-run ... and simard_operator_probe meeting-read ...
Meeting mode persists concise durable planning data without touching repository contents. Structured lines may include:
agenda: ...update: ...decision: ...risk: ...next-step: ...open-question: ...goal: title | priority=1 | status=active | rationale=...
The shipped contract is intentionally explicit:
meeting runremains the only mutation path for agenda, update, decision, risk, next-step, open-question, and goal-update capturemeeting readis the read-only audit surface for the latest persisted meeting decision statemeeting runaccepts an optional[state-root]positional and falls back to its canonical durable root when omittedmeeting readrequires an explicit<state-root>positional;SIMARD_STATE_ROOTis not honored. See Operator read-subcommand state-root contractmeeting readloads the latest persisted meeting decision record, where "latest" means the last decision memory record whose value matches the shipped meeting record shapemeeting readrenders agenda, updates, decisions, risks, next steps, open questions, goal updates, and the latest raw meeting record in a stable operator-visible order- operator-visible strings are sanitized before printing so persisted terminal control sequences are not replayed
- invalid state roots, missing memory state, unreadable storage, and malformed persisted meeting data fail explicitly
Canonical entrypoints:
simard goal-curation run <base-type> <topology> <structured-objective> [state-root]simard goal-curation read <base-type> <topology> [state-root]
Compatibility surface: simard_operator_probe goal-curation-run <base-type> <topology> <structured-objective> [state-root]
Goal-curation mode maintains durable backlog records and the active top five goals. The readback command exposes the stored goal register from the same validated state root without mutating it.
Canonical entrypoints:
simard improvement-curation run <base-type> <topology> <structured-objective> [state-root]simard improvement-curation read <base-type> <topology> <state-root>
Compatibility surface: simard_operator_probe improvement-curation-run ... and simard_operator_probe improvement-curation-read ...
Improvement-curation mode promotes approved review proposals into durable priorities and keeps deferred proposals inspectable instead of silently self-modifying.
The shipped contract is intentionally explicit:
improvement-curation runremains the only mutation path for approving or deferring proposalsimprovement-curation readis the read-only audit surface for the latest review-to-priority promotion stateimprovement-curation runaccepts an optional[state-root]positional and falls back to the same canonical durable root asreview runwhen omittedimprovement-curation readrequires an explicit<state-root>positional;SIMARD_STATE_ROOTis not honored. See Operator read-subcommand state-root contractimprovement-curation readloads the latest persisted review artifact, where "latest" means the artifact with the highestreviewed_at_unix_msimprovement-curation readloads the latest persisted improvement decision record, where "latest" means the last decision memory record whose key ends withimprovement-curation-recordimprovement-curation readrenders approved proposals, deferred proposals, active goals, proposed goals, and the latest improvement decision record in a stable operator-visible order- operator-visible strings are sanitized before printing so persisted terminal control sequences are not replayed
- invalid state roots, missing review artifacts, missing improvement records, unreadable storage, and malformed persisted decision data fail explicitly
target/operator-probe-state/review-run/simard-engineer/<base-type>/<topology>
Canonical entrypoints:
simard review run <base-type> <topology> <objective> [state-root]simard review read <base-type> <topology> <state-root>
Compatibility surface: simard_operator_probe review-run ... and simard_operator_probe review-read ...
Review mode persists a structured review artifact and makes the latest artifact readable from the same durable state root.
review runkeeps the optional[state-root]positional and theSIMARD_STATE_ROOTenv fallback used by the canonical run helper.review readrequires the positional<state-root>and intentionally does not honorSIMARD_STATE_ROOT. Hard-fail wording matches the operator-read contract.
Canonical entrypoints:
simard gym listsimard gym run <scenario-id>simard gym compare <scenario-id>simard gym run-suite <suite-id>
Compatibility surface: simard-gym ...
The gym currently benchmarks scenarios built around:
- repo exploration and truthful local inspection
- docs refresh flow
- safe code change flow through the
rusty-clawdidentity - composite session review
Artifacts are written under target/simard-gym/ as JSON and text reports plus a review.json artifact for each scenario run.
Important
Fresh benchmark runs now derive unnecessary_action_count and retry_count from benchmark-controlled attempt and action facts captured by the gym runner. Older artifacts, or any future report that lacks enough benchmark facts, should surface unmeasured instead of inventing 0.
Fresh per-run reports expose these public scorecard fields under scorecard:
correctness_checks_passedcorrectness_checks_totalevidence_qualityevidence_quality_assessmentunnecessary_action_countretry_counthuman_review_notesmeasurement_notes
evidence_quality is a coarse legacy categorical (sufficient when at least four
evidence records were exported, otherwise thin) retained for the reporting and
run-comparison paths. evidence_quality_assessment is the structured, comparable
evidence-quality signal required by the scoring strategy and is the field to prefer
when comparing changes to prompts and policies. It contains:
dimensions: the five canonical scoring dimensions, each in[0.0, 1.0]:factual_accuracy: correctness-check pass ratespecificity: total evidence "units" — each record contributes up to one unit scaled by detail richness (saturating at 80 characters), with the summed units saturating at four; empty-detail records contribute nothingtemporal_awareness: fraction of exported memory records carrying a creation timestampsource_attribution: how strongly evidence is attributed to a concrete source (base-type sources count fully, generic runtime sources partially)confidence_calibration:1.0minus capped penalties for unnecessary actions and retries; unmeasured metrics incur no penalty
overall: the mean of the five dimensionscategory: a coarse tier derived fromoverall(strong≥ 0.75,moderate≥ 0.5, elseweak)
The current counting boundary is:
unnecessary_action_count: benchmark-runner-observed benchmark-controlled action boundaries that do not advance the intended scenario execution or verification pathretry_count: benchmark-runner-observed re-attempts of the same scenario work inside one benchmark run
Fresh benchmark runs persist those derived values in report.json, surface them on the CLI, and stop generating review proposals, human_review_notes, or measurement_notes that claim the metrics are "not measured". Older or incomplete artifacts should render unmeasured instead of a fabricated zero.
The gym also supports persisted run-to-run comparison for a single scenario:
simard gym compare <scenario-id>compares the latest two completed runs- comparison results are classified as
improved,unchanged, orregressed - comparison output includes current, previous, and delta values for
unnecessary_action_countandretry_count - if one side of the comparison comes from an older artifact that lacks either field, compare renders that value and its delta as
unmeasuredinstead of inventing0 - comparison artifacts are written under
target/simard-gym/comparisons/<scenario-id>/
Canonical entrypoint: simard bootstrap run <identity> <base-type> <topology> <objective> [state-root]
Compatibility surface: simard_operator_probe bootstrap-run <identity> <base-type> <topology> <objective> [state-root]
The operator-facing bootstrap contract is now explicit:
- required values are passed positionally
- identity, base type, and topology mismatches fail explicitly
- there is no public zero-argument bootstrap path
- state-root validation runs before durable artifacts are read or written
Meeting, engineer, goal-curation, review, and improvement-curation commands can all share one explicit state root.
That shared state root is what allows:
- carried meeting decisions to appear in later engineer runs
- durable goals to stay visible across operator modes
- review artifacts to feed improvement-curation
- improvement-curation decisions to stay durable and remain auditable through the shipped
improvement-curation readsurface
The contract depends on passing the same validated state root across commands, not on hidden global state.
The builtin identities currently advertised by the loader are simard-engineer, simard-meeting, simard-goal-curator, simard-improvement-curator, simard-gym, and the composite simard-composite-engineer. All of them accept local-harness, rusty-clawd, and copilot-sdk; simard-engineer additionally accepts terminal-shell for the local terminal-backed path.
Reflection reports both the selected base type and the honest backend identity. For example:
copilot-sdkcurrently resolves to thelocal-harnessadapter implementationterminal-shellreportsterminal-shell::local-ptyrusty-clawdreportsrusty-clawd::session-backend