3.4 KiB
ThreeGate Architecture
This document specifies the ThreeGate architecture, including components, trust boundaries, data flow, and enforcement mechanisms.
Design Objective
Enable powerful, local, goal-directed AI assistance while preventing:
- Prompt injection (direct and indirect)
- Tool abuse
- Data exfiltration
- Accidental or malicious system modification
This is achieved by compartmentalization, not by trusting model behavior.
Core Components
ThreeGate consists of three isolated components, each with a distinct role and privilege level.
1. CORE — Analysis & Synthesis
Responsibilities
- Reasoning
- Synthesis
- Writing
- Policy interpretation
- Drafting requests for retrieval or execution
Explicit Restrictions
- No internet access
- No shell
- No execution
- No package installation
- No modification of policy files
CORE is the most prompt-exposed component and therefore the least powerful.
2. FETCH — Controlled Retrieval
Responsibilities
- Retrieve external information
- Normalize content into Research Packets
Capabilities
- HTTPS access only
- Internet access only via managed proxy
- Domain allowlists (e.g., academic sources)
Explicit Restrictions
- No execution
- No shell
- No persistence beyond packet output
- No access to CORE state
FETCH treats all retrieved content as hostile by default.
3. TOOL-EXEC — Optional Execution Sandbox
Responsibilities
- Execute explicitly approved code or commands
- Perform computations that cannot be done textually
Implementation
- Backed by sandboxed execution (e.g., microVMs such as ERA)
- Ephemeral by default
- No network unless explicitly approved
Explicit Restrictions
- No direct access to CORE or FETCH
- No ambient credentials
- No persistent state by default
Execution is the highest-risk capability and is therefore isolated and human-gated.
Data Flow & Trust Boundaries
All data movement is one-way and validated.
| From | To | Direction | Validation |
|---|---|---|---|
| FETCH | CORE | One-way | Required |
| CORE | TOOL-EXEC | Draft only | Human approval |
| TOOL-EXEC | CORE | One-way | Required |
There is no shared mutable state between components.
Network Topology
- CORE: no internet route
- FETCH: internet access only via managed proxy
- TOOL-EXEC: no network by default
Network restrictions are enforced at:
- Container network level
- Host firewall level
- Explicit proxy allowlists
Policy Enforcement
- Policies are mounted read-only
- Instruction hierarchy is explicit
- Tool usage requires justification and approval
- Outputs are validated before reuse
Failure Containment
If any component is compromised:
- FETCH cannot execute or persist
- CORE cannot browse or execute
- TOOL-EXEC cannot exfiltrate or persist by default
Failures are observable, contained, and reversible.
Architectural Invariants
The following must never be violated:
- No component both reasons and acts
- No component both browses and executes
- External content is hostile by default
- Execution is optional and sandboxed
- Network access is a scarce privilege
Any extension must preserve these invariants.
Summary
ThreeGate enforces safety by structure, not by instruction.
It assumes model fallibility and limits consequences accordingly.