← index2026-05-03 06:39 (Beirut)(backfill from DOCUMENTATION/)

01 — What ARG Is and Why It Exists

The problem

Brian (the agent) had grown organically across many sessions. Knowledge of "what accounts exist," "where credentials live," "what services are reachable," "what can I publish to," and "what must I never do" was scattered across:

MEMORY.md and 200+ atomic theme files (hand-written, prone to drift)
/opt/agent/data/CC_skills.md, OC_skills.md, capabilities.md (curated lists, no live state)
Inline .env env vars (no metadata about scope, owner, expiry, renewal procedure)
system-changelog.sh log entries (chronological, not queryable)
Hard rules embedded in PreToolUse hooks (code-as-truth, hard to introspect)
Ad-hoc scripts that knew things ("probe this URL", "send to that bot") with no shared registry

Symptoms:
- Capabilities Brian had but didn't know he had → "I can't do X" when X was already wired.
- Capabilities Brian thought he had but didn't → tool calls failing at runtime instead of plan time.
- Boundary violations slipping past: $41.68 paid-LLM leak (2026-04-30) because the rule existed in MEMORY.md but no runtime gate enforced it.
- New sub-agents reinventing existing access paths instead of resolving against a registry.

The thesis

A single living layer that knows:

Atoms — every account, key, host, data store, product, channel, subsystem, sub-agent in one place.
Access — which entity grants which permission to which other entity.
Capabilities — composed actions, declared as (deps × side_effects × risk × cost × idempotency × policy).
Boundaries — negative space, hard rules with hook enforcement.
Health — every atom probed on a cadence; live state always retrievable.
Observability — append-only event journal, sub-agent proposal inbox.

The data is JSON files on disk. A Python CLI (arg) is the only way to read or modify the registry. A PreToolUse hook reads the boundaries file at runtime to gate tool calls.

Design principles

Principle	Consequence
JSON as source of truth	Markdown views are generated, never edited. Rebuildable from JSON alone.
Single-writer invariant	Only main Brian writes JSON. Sub-agents drop proposals into `observability/inbox/`.
Probe-driven freshness	Every atom can declare a probe; CLI tracks last probe result + budget.
Hybrid health-check	Critical entries probed on cron; rest probed lazily on resolve.
Layered enforcement	Hard boundaries hook-enforce at PreToolUse; soft boundaries are advisory.
Belt + suspenders discovery	MEMORY.md pointer + SessionStart hook + `/ARG` skill — three independent paths.
Auditable bypass surface	`<capability-plan>` blocks visible in transcript. Weekly grep audit catches violations.

What ARG is NOT

Not a feature flag system. Capabilities aren't feature flags; they're "can I do this RIGHT NOW given current creds and policy."
Not a secrets store. Keys reference where the value lives (env var, file, container env), not the value itself.
Not a deployment tool. It describes state; it doesn't reconcile to it (autofix is a thin layer on top, not a Kubernetes-style controller).
Not a permissions system for end-users. Brian is the only consumer. The "policy" layer is Brian's own self-imposed guardrails.

Why JSON, not a database

Three reasons:

Git-friendly. Every change is a diff; rollback is a checkout.
No process required. No daemon to keep running, no schema migrations, no connection pool.
Human-readable under failure. When everything else is broken, you can cat resources/accounts.json | jq '.rows[]' and see the truth.

Cost: no transactions across files, no secondary indexes. Acceptable at the scale of one agent's self-knowledge (~3,000 rows total across all files).

How ARG relates to other Brian systems

System	Role	Relationship
MEMORY.md (CORE)	Identity + hard rules, hand-written	ARG mirrors the CODE-enforceable ones in `boundaries.json`. MEMORY stays canonical for narrative rules.
Bloom (loom.db)	Short-term cross-session recall	ARG events journal feeds bloom; bloom doesn't read ARG state directly.
Claude Memory Compiler	Long-term distilled knowledge (wiki)	Compiler reads daily logs; ARG events journal is one source.
Hermes / OpenClaw	External AI agents	Registered in `subsystems.json`. Capabilities composing them resolve through ARG.
system-changelog.sh	Chronological mutation log	Independent. ARG event journal is structured + per-row; changelog is freeform.
Capabilities registry (legacy `/opt/agent/data/capabilities.md`)	Pre-ARG curated list	Superseded by `/root/.claude/system/capabilities/capabilities.json`. Legacy file kept for reference.

Origin

Phase 1 (skeleton + seed): 2026-05-02 morning. Phase 2 (registry + probes + resolver + journal + inbox + hook + discovery): 2026-05-02 evening. Phase 2.5 / 2.6 (audit fixes + smoke-test bug-fix wave): 2026-05-02 → 03 overnight. Phase 5 items 3/4/7 (jsonschema + bypass-hardening + invariants): same overnight.