welsberr
/
ThreeGate
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
**ThreeGate** is a compartmentalized architecture for building **secure, local AI assistants** that perform goal-directed tasks *without* relying on autonomous agents or trusting large language models to behave safely.
6 Commits 1 Branch 0 Tags 136 KiB
Python 82.6%
Shell 10.9%
Makefile 5.2%
Dockerfile 1.3%
Go to file
welsberr ecba73903d Added 'Monty' usage plus policy etc. 2026-02-09 21:25:31 -05:00
docs Expanded files with implementation stubs 2026-02-09 15:43:22 -05:00
fetch Added 'Monty' usage plus policy etc. 2026-02-09 21:25:31 -05:00
images Expanded files with implementation stubs 2026-02-09 15:43:22 -05:00
infra Expanded files with implementation stubs 2026-02-09 15:43:22 -05:00
policy Added 'Monty' usage plus policy etc. 2026-02-09 21:25:31 -05:00
schemas Added fetch/crossref stub and Makefile target 2026-02-09 15:55:25 -05:00
tool-exec Added 'Monty' usage plus policy etc. 2026-02-09 21:25:31 -05:00
tool_exec Added 'Monty' usage plus policy etc. 2026-02-09 21:25:31 -05:00
tools Added 'Monty' usage plus policy etc. 2026-02-09 21:25:31 -05:00
.gitignore Initial commit 2026-02-09 09:51:04 -05:00
LICENSE Initial commit 2026-02-09 09:51:04 -05:00
Makefile Added 'Monty' usage plus policy etc. 2026-02-09 21:25:31 -05:00
README.md Formatting 2026-02-09 12:10:05 -05:00

README.md

ThreeGate

ThreeGate is a compartmentalized architecture for building secure, local AI assistants that perform goal-directed tasks without relying on autonomous agents or trusting large language models to behave safely.

ThreeGate separates thinking, retrieval, and execution into distinct, least-privileged components with enforced trust boundaries.

If prompt injection is inevitable, safety must come from structure.

What ThreeGate Is

ThreeGate is:

  • A reference architecture for secure local assistants
  • A defense-in-depth design against prompt injection, tool abuse, and data exfiltration
  • A human-governed system, not an autonomous agent
  • Designed for single-user, local operation
  • Explicitly extensible to multiple roles (research, policy analysis, data science, auditing)

What ThreeGate Is Not

ThreeGate is not:

  • An autonomous agent framework
  • A self-modifying system
  • A browsing-and-executing AI loop
  • A cloud-first or multi-tenant platform
  • A system that trusts LLM outputs without validation

Core Insight

Most unsafe AI systems fail because they allow a single component to:

Read untrusted input, reason about it, and immediately act on the world.

ThreeGate prevents this by enforcing three independent gates:

  1. FETCH — retrieves untrusted external content
  2. CORE — performs reasoning and synthesis
  3. TOOL-EXEC — executes code, only when explicitly approved

No component crosses more than one gate.

High-Level Architecture

 Internet
     ↑
[ Managed Proxy ]
     ↑
 FETCH (retrieval)
     ↓
Research Packets
     ↓
 CORE (analysis)
     ↓

(optional, human-approved) ↓ TOOL-EXEC (sandboxed execution)

Initial Target Role

The first concrete role implemented using ThreeGate is a:

Secure Local Research Assistant

Capabilities:

  • Scholarly retrieval (controlled, allowlisted)
  • Analysis and writing
  • Optional sandboxed computation
  • No autonomous browsing or execution

Repository Structure (Initial)

ThreeGate/
├── README.md
├── docs/
│ ├── architecture.md
│ ├── threat-model.md
│ └── why-this-is-safer.md

Status

This repository is in early specification and reference implementation phase.

The design is intentionally conservative. Convenience features are added only when they preserve trust boundaries.

License & Philosophy

ThreeGate favors:

  • Explicit over implicit authority
  • Structural safety over behavioral promises
  • Human-in-the-loop over automation

If a feature weakens a trust boundary, it does not belong here.