Model-agnostic, and proving the work

Governance should not care which model runs the work, so the runtime became model-agnostic. A provider registry and per-provider adapters (Anthropic, OpenAI, Google, OpenRouter, local) sit behind a deterministic, audited router. Your API key lives in the OS keychain and is never placed in a request object, a log, an audit entry, or a skill's reach.

The spine came together end to end: route by risk and budget, send with the key isolated, parse the reply, gate every proposed tool through the PDP, execute only what is allowed, contain the output, record usage, repeat.

The principle that mattered most

Then a hard rule: if we are not validating that agents do what they say, governance is pointless. Everything must be evidence-based. The Evidence Gate extracts an agent's claims ("tests pass", "committed", "done") and blocks any claim not backed by a recorded deed in the audit ledger. An agent cannot say it ran the tests if there is no record of the tests running.

Alongside it: operator-signed self-integrity, so the system verifies its own configuration the way it verifies skills and boots into safe mode if tampered; secret and .env governance with Toby as the sole gatekeeper; and external-source governance that admits but taints, so content from the web or an MCP server is treated as data, never as instructions, and cannot exfiltrate to an unapproved destination.