PR1M3Claw

Current AI safety relies on system prompts and content filters — probabilistic guardrails that can be bypassed with creative prompt engineering. As enterprises deploy autonomous AI agents that make procurement decisions, modify employee records, and execute financial transactions, the gap between “the model usually follows instructions” and “the system physically prevents unauthorized actions” becomes a critical liability.

The industry lacks a governance layer that enforces constraints at the infrastructure level rather than the conversational level. Enterprises need deterministic safety — not “the model was told not to do that,” but “the system architecture makes it physically impossible.”

PR1M3Claw implements a 5-layer Guardian Architecture that enforces safety through physics, not persuasion. Layer 1 uses Biscuit cryptographic tokens with Ed25519 signatures and Datalog attenuation rules — sub-agents are mathematically provable subsets of their parent’s authority, making privilege escalation impossible by construction.

Layers 2 through 5 add a WASM capability sandbox with deny-all defaults (the execution boundary), a Rust semantic firewall with Llama-Guard-3 sidecar evaluation, a Constitutional Supervisor that co-signs every action via gRPC, and circuit breakers with health-score-based anomaly detection. Every layer operates independently — compromising one does not compromise the chain.

At the core is Ternary Moral Logic (TML) — a deterministic state machine where every agent action resolves to one of four states: Permit (+1), Sacred Pause (0), Prohibit (−1), or Self-Sacrifice (−2). There is no “probably safe.”

When an agent issues a tool call, the payload first passes through the Semantic Firewall — a Rust hyper proxy that canonicalizes Unicode (NFKC), scans for canary token leaks, sanitizes HTML via Archon patterns, and runs the content through Llama-Guard-3 for harm classification. If the firewall passes, the Constitutional Supervisor evaluates the action against TML rules and signs the payload with Ed25519.

Only then does the pipeline internally invoke the WASM Cage to provision a sandbox with the exact capabilities required for that specific intent hash. If at any point the system’s health score drops below 0.1, the Self-Sacrifice protocol activates: cryptographic keys are zeroized, storage is wiped, and the process is killed.

Multi-jurisdiction compliance (GDPR, CCPA, PIPEDA, Quebec Law 25) is encoded as TypeScript interfaces and Zod schemas — a missing lawful basis field is a compile-time error, not a policy violation discovered in an audit.

PR1M3Claw introduces a fundamentally different approach to AI safety — one where constraints are architectural rather than conversational. The 5-layer architecture is fully implemented through Milestone 12, with 9 TypeScript packages and 4 Rust crates, full CI/CD, and a Next.js 15 governance dashboard. The platform supports multi-jurisdiction privacy compliance across EU, UK, Canadian, Australian, and US regulatory frameworks.

Version 0.9.5 has shipped. The project is currently transitioning into an enterprise-secure agent host (M15), with OpenTelemetry observability, live dashboard wiring, and red team hardening as the final milestones before production deployment. The codebase is private during active development and security testing.