Infrastructure for trusting autonomous agents.
Tesserine runs AI agents on hardware you control, under a methodology the runtime enforces rather than suggests. The bet behind the system: autonomous work becomes trustworthy when the way of working is declared as data, enforced as contracts at runtime, executed in sealed isolation, and proven by evidence — not when you hope a prompt was followed.
The operator declares what — which agent, which methodology, which project. The runtime owns how. Every layer of the stack exists to close one gap between "an agent did something" and "we can trust what it did."
Five movements, each independently useful, each verifiable on its own:
| Movement | Component | What it contributes |
|---|---|---|
| Declare | groundwork | Software delivery as an executable methodology: protocols, schemas, and skills that carry work from problem to merged change, with completion gated on evidence. |
| | gazette | The proof that methodologies generalize: a second methodology that researches, writes, fact-checks, and publishes a periodical chronicle — every claim source-backed, archive gaps reported as news. |
| | agent-protocols | The draft standard for the form a declared protocol takes: contract, step graph, and prose in one canonical file, every diagram a computed projection. Groundwork's review and verify protocols are its first worked examples; its Tesserine binding maps the standard onto runa and groundwork. |
| Enforce | runa | The cognitive runtime. Loads a methodology, validates every artifact against its schema before it touches disk, and fires each step only when its declared dependencies are satisfied. If a step completes, its output provably meets the contract. |
| Run | agentd | The daemon. Each session gets an ephemeral rootless container, credentials whose host-side lifetime ends at startup, and a sealed, evidence-grade audit record when it finishes. |
| | base | The supply-chain-verified substrate: a minimal Wolfi image carrying runa and a GPG-and-checksum-verified agent runtime, built from a self-documenting Dockerfile. |
| Prove | example-hello | The whole stack demonstrates itself with one request and observable pass criteria. |
| Govern | commons | The constitution — enforced, not aspirational. Cross-component contracts carry downstream drift tests; the source-of-truth map names exactly one canonical home for every shared concept. |
(The former operational layer, ops, is retired — deliberately and on the record, with every former responsibility redirected to its successor in the canonical map below. Principles live at their canonical home, pentaxis93/principles.)
The canonical map of who owns what: commons SOURCE-OF-TRUTH.md.
Most agent infrastructure trusts upward: the model was prompted well, so the output is probably fine. Tesserine trusts downward, into things that can be checked:
- Methodologies are data, not code. A way of working is a TOML manifest, JSON Schemas, and instruction files. Execution order is never scripted — it emerges from the dependency graph of what protocols require and produce.
- Validation precedes existence. Agents deliver work through typed interfaces; an artifact that fails its schema is rejected with details and never written. Postconditions are enforced after every step.
- Isolation is the default, evidence is the exit. Sessions run as unprivileged users in ephemeral containers; secrets live exactly as long as they are needed; every completed session leaves a sealed audit record — directories read-only, metadata published atomically, tampering attempts refused loudly.
- The governance is mechanical. Shared contracts (exit codes, artifact schemas) are vendored downstream with provenance and parity tests, so drifting from the constitution fails CI instead of accumulating quietly.
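The first two properties above, sketched as an added example (this is not Tesserine or runa code): execution order falls out of what each protocol requires and produces, and an artifact that fails validation is rejected before anything is written. The protocol table, the type map standing in for JSON Schema, and every function name here are assumptions made for illustration.

```python
import json, os, tempfile

# Constructed methodology: hypothetical names, not runa's manifest format.
PROTOCOLS = {
    "review": {"requires": ["change"], "produces": "verdict"},
    "draft": {"requires": ["problem"], "produces": "change"},
}
# Stand-in for JSON Schema: required field -> expected Python type.
SCHEMAS = {
    "problem": {"summary": str},
    "change": {"diff": str, "tests_passed": bool},
    "verdict": {"approved": bool},
}

def validate(kind, artifact):
    """Return schema violations; an empty list means the artifact is valid."""
    return [f"{kind}.{field}: expected {typ.__name__}"
            for field, typ in SCHEMAS[kind].items()
            if not isinstance(artifact.get(field), typ)]

def deliver(workdir, kind, artifact):
    """Validate first; only a passing artifact reaches disk, via atomic rename."""
    errors = validate(kind, artifact)
    if errors:
        return errors  # rejected with details, nothing written
    fd, tmp = tempfile.mkstemp(dir=workdir)
    with os.fdopen(fd, "w") as f:
        json.dump(artifact, f)
    os.replace(tmp, os.path.join(workdir, kind + ".json"))
    return []

def ready(workdir, skip):
    """Protocols whose inputs exist on disk and whose output does not yet."""
    have = {n[:-5] for n in os.listdir(workdir) if n.endswith(".json")}
    return sorted(p for p, d in PROTOCOLS.items() if p not in skip
                  and set(d["requires"]) <= have and d["produces"] not in have)

def run(workdir, agents):
    """Fire ready protocols until none remain; return (order, rejections)."""
    order, rejected = [], {}
    while todo := ready(workdir, rejected):
        name = todo[0]
        errors = deliver(workdir, PROTOCOLS[name]["produces"], agents[name]())
        if errors:
            rejected[name] = errors
        else:
            order.append(name)
    return order, rejected
```

Although `review` is listed before `draft`, it cannot fire until a valid `change` artifact exists; if `draft` delivers an invalid artifact, `review` never runs and the work directory holds no partial output.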
The value is the guarantee: any declared process executes faithfully, regardless of its shape. A richer type-theoretic foundation for that guarantee is under active exploration — held honestly as an exploratory draft, not asserted as the current system.
Because a methodology is data, the stack's reach is not "coding agents" — it is any cognitive process you can declare as artifacts and protocols. Groundwork declares software delivery. Gazette declares investigative journalism over imperfect archives — and the same runtime enforces both, unchanged. Whatever disciplined process someone declares next — research, review, operations, analysis — inherits the full guarantee chain: typed inputs, gated execution, validated outputs, sealed evidence.
- See it work end-to-end: example-hello — one request, observable pass criteria.
- Run your first session: agentd quickstart — image build to sealed audit record.
- Feel the enforcement loop in two minutes, no agent required: runa quickstart.
- Read where the protocol form is headed: agent-protocols — a draft standard, with two real protocols re-expressed as proof.
Ecosystem release v0.2.0 is published (manifest); components version independently under a curated ecosystem version (ADR-0014). Pre-1.0 and under active development — the contracts above are what make that honest to say.
From tessera (mosaic tile — composition from modular pieces), tesseract (higher-dimensional structure), and Madeleine L'Engle's verb to tesser (folding through dimensions). The adjective form says this is about how you do things. What you do is wide open.