Scientific boundaries
Protean is a computational system. It produces prioritization signals — not biological claims. The boundaries below are enforced in code, not asserted in policy, and they hold across every part of the runtime.
What the runtime commits
The runtime commits to the following behaviours on every cycle. None of them require trust in operator discipline; each is gated by a function in the codebase.
- Chain-anchored integrity. Every cycle terminates in a typed RuntimeCycle record on the Protean Ledger at 0xE3c261F3C05D4c4710003cd6066EfD95094cf5f0, carrying a contentDigest over the canonical envelope. A local snapshot directory accompanies the record as supplemental audit material (atomic writes via O_CREAT|O_EXCL + fsync + os.replace), but the on-chain record is canonical and the cycle's reproducibility is established against the indexer state digest, not the local directory.
- Weight bounds. Scoring weight adjustments stay within ±20% of the seven canonical base weights (±50% when trusted assay data is present), are normalised to sum 1.0, and are verified at write time.
- Single-pass learning. Bounded learning runs once per cycle. Reranking runs once per cycle. Recursion depth is zero. The caps are enforced at the call site, not in policy.
- Public sequence visibility. Every public payload passes through the publication guard before write. Published candidate and family sequences are allowed and expected; private salts, scoring internals, embeddings, provider secrets, and local paths are blocked at the gate.
- No runtime code rewriting. The remediation surface returns { status: "refused" } unconditionally. No code-mutation path exists in the automated loop.
- No automated wet-lab submission. Wet-lab requests are drafts only. Provider packets pass through the external-provider safety gate. Quote acceptance, payment, and order dispatch all require human review.
- No publication without review. Every public payload is verified before write; the CI leak scanner runs a second pass at CI time.
- No orchestration as truth layer. The bounded operations kernel (Galen) coordinates execution and verifies the workflow DAG. It does not touch scoring, validation, or publishing.
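The local-snapshot write sequence named in the first commitment (O_CREAT|O_EXCL, then fsync, then os.replace), sketched in Python as an added example; it is not Protean's code. The SHA-256 over sorted-key JSON, the file names and the helper names are assumptions standing in for the real contentDigest and canonical envelope, and the envelope in demo() is constructed.

```python
import hashlib
import json
import os
import tempfile

def canonical_bytes(envelope: dict) -> bytes:
    # Assumption: canonical form is compact JSON with sorted keys.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode("utf-8")

def digest_of(envelope: dict) -> str:
    # Assumption: SHA-256 stands in for the page's contentDigest.
    return hashlib.sha256(canonical_bytes(envelope)).hexdigest()

def write_snapshot(directory: str, name: str, envelope: dict) -> str:
    """Write one snapshot file atomically and return its digest."""
    final = os.path.join(directory, name)
    tmp = final + ".tmp"
    if os.path.lexists(final):
        raise FileExistsError(final)  # best-effort write-once check
    # O_EXCL: fail instead of reusing or following a pre-existing temp path.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(canonical_bytes(envelope))
            fh.flush()
            os.fsync(fh.fileno())  # bytes are durable before the rename
        os.replace(tmp, final)     # readers see the old state or the full file
    except BaseException:
        if os.path.lexists(tmp):
            os.unlink(tmp)         # never leave a partial temp file behind
        raise
    dir_fd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dir_fd)           # persist the directory entry (POSIX)
    finally:
        os.close(dir_fd)
    return digest_of(envelope)

def snapshot_matches(path: str, expected_digest: str) -> bool:
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest() == expected_digest

def demo() -> dict:
    envelope = {"type": "RuntimeCycle", "cycle": 1, "items": ["constructed-A"]}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "cycle-1.json")
        digest = write_snapshot(d, "cycle-1.json", envelope)
        intact = snapshot_matches(path, digest)
        with open(path, "ab") as fh:
            fh.write(b" ")         # simulate local tampering
        try:
            write_snapshot(d, "cycle-1.json", envelope)
            refused = False
        except FileExistsError:
            refused = True
        return {"intact": intact, "tamper_detected": not snapshot_matches(path, digest),
                "rewrite_refused": refused, "files": os.listdir(d)}
```

A mismatch here only shows that the local copy drifted from the digest it was written with, which is consistent with the page treating the directory as supplemental rather than canonical.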
What the runtime refuses
These behaviours are explicitly out of scope. They are not on the roadmap; they are not "next on the list." The architecture is designed so that adding them would be a visible, reviewable change.
- The runtime does not modify its own scoring contract, validators, prompts, or model routes. Every change is operator-initiated and CI-gated.
- The runtime does not submit assay orders, request quotes, accept invoices, or dispatch payment. Every wet-lab boundary requires a human signature.
- The runtime publishes full candidate and family sequences when those records are intentionally public. It does not publish private salts, scoring internals, embedding vectors, provider secrets, or unfiled IP, and the guard fails closed if those fields slip into a public payload.
- The runtime does not treat on-chain registration as scientific validation. The Protean Ledger records existence, timing, lineage, and integrity of a record; it does not record biological activity.
- The runtime does not claim biological proof from a computational score. Every public-facing document that touches scoring also carries the boundary above.
Where humans decide
The runtime is bounded in part by where it deliberately defers.
- Candidate review. Computational rankings make a candidate set more coherent. The decision to advance a candidate into an assay-preparation batch sits with a human reviewer.
- Publication intent. Preparing provenance is gated by the publication_intent_required review gate in the canonical workflow DAG. Nothing reaches the public export without that gate clearing.
- Assay-preparation handoff. Provider packets are drafted by the runtime and reviewed by an operator before they leave the machine. The end-to-end safety property of the system holds because every wet-lab boundary remains under human control.
- Remediation. Operations alerts (degraded health, missing artifacts, capability loss) are surfaced to operators. Auto-remediation does not exist today; the approval-receipt path is reserved (see Galen operations).
What this surface communicates
Public documentation describes the architecture, the public artifacts, full sequences for intentionally published candidates and families, and the commitments anchored on-chain. It does not expose scoring internals, embeddings, private manifests, provider secrets, or unfiled IP — those stay in the private vault by construction. The honesty layer is the same in code as in copy: anything the runtime refuses to do is enforced, not asserted.
