Why we are building Project Starfish

Every agent framework hands a model the keys: it can read, write, delete, spend, and reach the network on your behalf, usually with nothing standing between its intent and your system. That is fine until the day it is not, and the failure modes are now familiar: the agent that deletes a whole drive, the web page that says "ignore your instructions" and is obeyed, the secret that leaves through a tool call nobody reviewed, the skill pack you installed with no idea what it can actually do.

Project Starfish starts from a single decision: deny by default. Before any agent can act, governance loads first and refuses everything it has not been explicitly told to allow. You, the operator, are the final authority.

The decisions we locked

We settled the constitution before writing the enforcement. One isolated Policy Decision Point brackets every transport on both the way in and the way out. No task, no tool: every action must trace to an assigned, vetted purpose. Proposer is never approver: an agent can never authorize its own high-risk request. Nothing depends on the agent's cooperation, because a control that an agent can opt out of is not a control.

We also wrote the threat model before the code, twenty-plus exploits with countermeasures, so the architecture had to answer real attacks rather than a happy path. The throughline: fail closed, audit before you act, and keep one enforcement implementation that every path shares.

Governance is the product. The skills are everyone else's.

Next: standing up the governed core.