This document captures the rationale behind key architectural choices. It is not a specification — it is a thinking medium for future architects and contributors who need to understand why the system is built this way, not just how.
* Part I: Foundation
* Foundation
** Non-Negotiable Identity
:PROPERTIES:
@@ -126,28 +126,7 @@ This is only possible because Lisp code is mutable data at runtime. In a compile
The implications extend beyond convenience. A system that cannot modify its own core is a system that has limits on its own adaptability. It can learn skills but not improve its own structure. It can grow but not evolve. Passepartout's lack of a core boundary means the system can improve its own reasoning engine, fix bugs in its own cognition, and evolve its own architecture — all while continuing to operate. There is no ceiling on self-improvement. The agent can rewrite the very code that rewrites itself.
** Historical Lineage — McCarthy's Advice Taker
:PROPERTIES:
:ID: design-mccarthy
:CREATED: [2026-05-10 Sun]
:END:
McCarthy's "Programs with Common Sense" (1959) is the direct intellectual ancestor of the Passepartout architecture. The paper proposed an "advice taker" — a program that "will draw immediate conclusions from a list of premises" expressed in "a suitable formal language (most likely a part of the predicate calculus)." The program would:
1. Accept declarative statements about the world as input.
2. Store them as logical formulas.
3. Reason from them to produce new conclusions.
4. Accept new facts and revise its conclusions.
This is precisely the Passepartout pipeline: the archivist extracts declarative facts from prose → Screamer checks them for consistency → VivaceGraph stores them → the planner reasons from them → new facts from gate outcomes and deductions revise the store. McCarthy proposed it in 1959. Passepartout is building it in 2026.
The gap between McCarthy's proposal and Passepartout's implementation is the /hallucination problem/. McCarthy assumed facts would be entered by a human programmer in formal logic. Passepartout's facts are extracted from natural language prose by an LLM — a probabilistic process that requires deterministic verification. Screamer is the component McCarthy didn't need: a constraint solver that gates LLM-proposed facts against the existing fact store.
The connection is not metaphorical. McCarthy cited Principia Mathematica as an influence on Lisp. Passepartout's Whitehead analysis traces the same PM → Lisp lineage. The advice taker → Passepartout lineage completes the arc: PM's formal logic → Lisp → McCarthy's advice taker → Passepartout's neurosymbolic engine.
Reference: McCarthy, J. (1959). Programs with Common Sense. /Proceedings of the Teddington Conference on the Mechanization of Thought Processes./
* Part II: The Two Brains
* The Two Brains
** The Probabilistic-Deterministic Split
:PROPERTIES:
@@ -227,7 +206,7 @@ The Dispatcher becomes, over time, not a guard that blocks bad actions but a rea
This is the bootstrap. The system begins dependent on human judgment because it has no basis for judgment of its own. Through accumulated decisions, it constructs a model of what is permitted and why. That model is the foundation for the deterministic symbolic engine that in v1.0.0 takes over the reasoning that the Dispatcher learned to perform.
* Part III: Safety & Self-Preservation
* Safety & Self-Preservation
** Self-Preservation — The Active Third Law
:PROPERTIES:
@@ -268,6 +247,33 @@ The Third Law here means: preserve yourself against non-human threats — LLM pr
The biggest gap in the current design is not that these mechanisms are hard to implement. It is that degradation is silent. Adding "operating in degraded mode" visibility, plus the watchdog, plus self-diagnosis, transforms self-preservation from an architectural property into an active behavior.
** Type-Level Gates — Structural Safety from Self-Modification
:PROPERTIES:
:ID: design-type-level-gates
:CREATED: [2026-05-14 Thu]
:END:
Russell's paradox ("the set of all sets that do not contain themselves") proved that unrestricted self-reference produces contradictions. /Principia Mathematica/ solved it by assigning every propositional function a /type level/ — a function can only apply to arguments of a lower type, making self-application syntactically invalid.
Passepartout's dispatcher currently enforces safety through runtime predicates. There is no /structural/ guarantee preventing a request from modifying the rules that validate it. Gate vector 2b (self-build-core) catches this empirically — a request modifies core → rejected. But this is a heuristic, not a theorem.
The fix: assign every cognitive tool a ~:type-level~ integer, and every gate vector a ~:type-level~ integer. The dispatcher framework checks type-level before running any gate predicate:
A request to modify dispatcher rules (type-level 5) cannot pass a gate of type-level 4 or lower. No predicate needed — a structural prohibition, just as PM's type theory makes self-membership impossible by construction.
~defgate~ gains a ~:type-level~ keyword argument (default 0). Each cognitive tool registered via ~def-cognitive-tool~ inherits a ~:type-level~. Gate vector 2b at type-level 5; write-file at type-level 3; read-file at type-level 1. ~30 lines in ~core-dispatcher.lisp~; no new dependencies; v0.7.2 viable.
For the philosophical foundations connecting Whitehead's type theory to Passepartout's architecture, see the Whitehead analysis in the Validation section below.
** Layered Signal Authentication — Trust in the Pipe
:PROPERTIES:
:ID: design-layered-auth
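Review bot: The sentence ending "checks type-level before running any gate predicate:" closes with a colon but nothing follows it, so the comparison that carries the whole guarantee is never stated. The text says a type-level 5 request "cannot pass a gate of type-level 4 or lower", yet gate vector 2b is itself placed at type-level 5, which leaves open whether an equal level passes or is rejected; the PM rule quoted at the top of the section allows only strictly lower arguments. Please state the comparison and its direction explicitly. Please also say how a gate left at the default ~:type-level~ 0 treats a tool at level 1 or above: rejecting would block almost every tool behind an unannotated gate, and skipping the check would fail open. Minor: in "~30 lines in ~core-dispatcher.lisp~" the leading tilde meaning "about" pairs with the Org code markers; write "about 30 lines".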
@@ -297,7 +303,7 @@ The human can configure which layers are active per signal class: =AUTH_LAYERS_D
For full implementation detail, see the Phase 0b spec in =ROADMAP.org= v0.12.0.
* Part IV: The Symbolic Engine
* The Symbolic Engine
** The Five Architecture Options
:PROPERTIES:
@@ -601,7 +607,19 @@ Future implementations that satisfy the same interface — an append-only write-
This is not speculative modularity. The two-implementation migration (Phase 1-4 hash table → Phase 5 VivaceGraph + Merkle) is in the roadmap. If the interface leaks implementation details, the migration breaks. The interface must be designed, tested against both backends, and committed before Phase 1 ships.
* Part V: Knowledge Sources
** Knowledge Graph Type Hierarchy — Structural Anti-Self-Reference (v3.0.0)
:PROPERTIES:
:ID: design-kg-type-hierarchy
:CREATED: [2026-05-14 Thu]
:END:
The same type-theoretic principle that governs the gate stack can be applied to the knowledge graph itself. When VivaceGraph ships (v3.0.0), every entity carries a ~:pm-type-level~ metadata field. Queries cannot return entities of the same level as the querying function. Self-referential knowledge becomes structurally impossible — no "this entity defines its own type level."
The KG query layer enforces this at the Prolog level, not through runtime checks. This is the same idea as the type-level gates (see Safety section above), but applied to /knowledge/ rather than /actions/. The dispatcher prevents self-referential actions; the KG prevents self-referential facts.
For the full philosophical treatment, see the Whitehead analysis in the Validation section below.
* Knowledge Sources
** Semantic Wikipedia as Entity Backbone
:PROPERTIES:
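Review bot: "Queries cannot return entities of the same level as the querying function" forbids only the equal level, which is weaker than the rule the Type-Level Gates section takes from PM (a function applies only to arguments of a lower type); say whether entities at a higher level are excluded as well. The next paragraph's "at the Prolog level, not through runtime checks" needs a sentence on where the constraint is evaluated, because a constraint written into a query is still checked when the query runs. The section is also silent on who assigns ~:pm-type-level~ and whether a fact proposed by the LLM can set or change its own level, which is the case the structural guarantee has to cover.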
@@ -658,7 +676,7 @@ References:
- Shimizu, C., Hammar, K., & Hitzler, P. (2023). Modular ontology modeling. /Semantic Web, 14/(3), 459–489.
- Norouzi, S.S. et al. (2024). Ontology Population using LLMs. arXiv:2411.01612.
* Part VI: Implementation Properties
* Implementation Properties
** Performance — Why Ontology Growth Doesn't Make the System Slower
:PROPERTIES:
@@ -705,7 +723,7 @@ Every fact carries:
These fields make every fact auditable. The =/audit <node-id>= command renders the full provenance chain as an Org headline tree. The provenance is not a logging feature. It is the product.
* Part VII: Engineering Infrastructure
* Engineering Infrastructure
** The REPL as Cognitive Substrate
:PROPERTIES:
@@ -887,7 +905,113 @@ Passepartout's architecture provides three layers of time awareness, each enable
None of these three layers require new infrastructure. Time awareness is not a feature Passepartout builds — it is a feature Passepartout *unlocks* by having timestamped memory (v0.1.0), heartbeat+cron (v0.3.0), and the foveal-peripheral context pruning model (v0.2.0) already in place. Adding time awareness costs ~175 lines of Lisp. Building it in competitors would require building the heartbeat, the time-indexed memory, and the proactive context injection — 800+ lines each — and would still cost LLM tokens because their safety verification is prompt-based.
* Part VIII: Validation
** Definite Description Resolution
:PROPERTIES:
:ID: design-description-resolution
:CREATED: [2026-05-14 Thu]
:END:
When the user says "the function that validates secrets," the agent must resolve this to a specific code entity. Natural language is ambiguous — there might be multiple functions matching the description. Resolving to the wrong one causes incorrect actions.
/Principia Mathematica/'s theory of descriptions addresses this: "the current king of France is bald" — a sentence that seems to refer to something that doesn't exist. PM formalizes ~ιx(φx)~ as "the unique x such that φ holds." A statement is false (not meaningless) when there is no unique x satisfying φ.
A cognitive tool that checks descriptional uniqueness before resolution:
#+BEGIN_SRC lisp
(def-cognitive-tool:resolve-reference
(query-string&key(max-candidates10)
(context-path*current-context*))
"Resolve a definite description to a unique referent."
~40 lines as a skill in v0.7.2. When VivaceGraph ships (v3.0.0), descriptions become native Prolog queries with uniqueness constraints.
For the philosophical foundations, see the Whitehead analysis in the Validation section below.
* Validation
** Whitehead's Process Philosophy and Type Theory
:PROPERTIES:
:ID: design-validation-whitehead
:CREATED: [2026-05-14 Thu]
:END:
Alfred North Whitehead's two major bodies of work — /Principia Mathematica/ (1910–1913, with Bertrand Russell) and /Process and Reality/ (1929) — provide both the historical foundation and the descriptive vocabulary for Passepartout's architecture. The first gave us the type theory that structures the gate stack; the second gave us the process ontology that describes the pipeline.
*** Historical Connection: PM → Lisp
/Principia Mathematica/ is a direct ancestor of Lisp. Alonzo Church's lambda calculus (1930s), from which John McCarthy built Lisp (1958), was a response to PM's foundational program. PM's notation:
#+BEGIN_EXAMPLE
(x).φx ≡ (for all x, φ holds of x)
(∃x).φx ≡ (there exists x such that φ holds)
* x̂(φx) ≡ (the class of x satisfying φ)
ιx(φx) ≡ (the unique x satisfying φ)
#+END_EXAMPLE
These map directly to Lisp: ~(lambda (x) (φ x))~, ~(class (x) (φ x))~, ~(the (x) (φ x))~. McCarthy cited PM as an influence. The connection is genetic, not metaphorical.
*** Process Philosophy as Architectural Vocabulary
Whitehead's process philosophy is a metaphysics of /becoming/ rather than /being/. The fundamental entities are not substances but /processes/ (/actual entities/, /occasions of experience/). This maps precisely to Passepartout's pipeline architecture:
| Actual entity (actual occasion) | An event/signal in the pipeline | The fundamental unit — everything else is abstraction |
| Prehension | A gate's grasping of a signal | How one entity "takes account of" another |
| Positive prehension | A gate passing a signal | The signal is included in the concrescence |
| Negative prehension | A gate rejecting a signal | The signal is excluded from the concrescence |
| Concrescence | The pipeline process from input to output | Many prehensions → one satisfaction |
| Subjective aim | The agent's active goal / plan | The telos directing which prehensions matter |
| Eternal objects | Pure concepts in the knowledge graph | Universals — types, functions, categories |
| Nexus | A cluster of related memory objects | A Merkle subtree |
| Satisfaction | The final agent response | The "completed" entity — determinate output |
| Transition | From one signal to the next | The pipeline's forward motion |
| Causal efficacy | The agent's past context (memory) | What is prehended from the settled past |
| Presentational immediacy | The current signal (user input) | What is prehended from the immediate present |
The foveal-peripheral model maps directly onto Whitehead's two modes of perception: /presentational immediacy/ is foveal focus on the current signal (vivid but superficial), while /causal efficacy/ is peripheral context from memory (dim but causally powerful). Whitehead argues that all perception is the "mixed mode" of symbolic reference — the synthesis of the two. Passepartout's ~think()~ function does exactly this: it synthesizes the current signal with context from memory into a response.
Whitehead also gives Passepartout a /descriptive vocabulary/ that is precise, standard, and already maps perfectly to the design. "I am concrescing signal 47 through gates 0-8" is not poetry — it is a precise description of dispatcher operation. "Gate 3 has negatively prehended signal 136" means the secret-content gate rejected signal 136. "The satisfaction includes a file-write prehension with Merkle commit abc123" means the response contains a file write with the given Merkle hash. The agent uses this vocabulary in its ~/why~ output and in the ARCHITECTURE.org documentation.
*** What Whitehead Does Not Contribute
Not everything is useful. PM's full formalism — 300+ pages to prove ~1+1=2~ — is catastrophic as a reasoning engine. The /ideas/ (type theory, descriptions, propositional functions) are what matter, not the notation. Similarly, Whitehead's later concept of God (the "principle of concretion") and the full 25-category metaphysical system have no useful mapping to an agent architecture. Select the concepts that map; don't build a process-philosophy engine.
*** Relation to the Neurosymbolic Architecture
Passepartout is level 4 neuro-symbolic (symbolic gates + neural LLM, deterministic components coordinate heterogeneous systems). PM's type theory adds level-5 properties: /structural/ safety guarantees rather than /empirical/ ones. The dispatcher becomes not just a runtime gate stack but a type-theoretic framework where category errors are impossible by construction — just as PM made Russell's paradox impossible by construction. The Whiteheadian vocabulary reinforces the architectural identity: Passepartout is not a chatbot with safety checks. It is a /process/ — a continuous concrescence of prehensions producing satisfactions — whose safety is guaranteed by the type structure of the prehending entities.
** Historical Lineage — McCarthy's Advice Taker
:PROPERTIES:
:ID: design-mccarthy
:CREATED: [2026-05-10 Sun]
:END:
McCarthy's "Programs with Common Sense" (1959) is the direct intellectual ancestor of the Passepartout architecture. The paper proposed an "advice taker" — a program that "will draw immediate conclusions from a list of premises" expressed in "a suitable formal language (most likely a part of the predicate calculus)." The program would:
1. Accept declarative statements about the world as input.
2. Store them as logical formulas.
3. Reason from them to produce new conclusions.
4. Accept new facts and revise its conclusions.
This is precisely the Passepartout pipeline: the archivist extracts declarative facts from prose → Screamer checks them for consistency → VivaceGraph stores them → the planner reasons from them → new facts from gate outcomes and deductions revise the store. McCarthy proposed it in 1959. Passepartout is building it in 2026.
The gap between McCarthy's proposal and Passepartout's implementation is the /hallucination problem/. McCarthy assumed facts would be entered by a human programmer in formal logic. Passepartout's facts are extracted from natural language prose by an LLM — a probabilistic process that requires deterministic verification. Screamer is the component McCarthy didn't need: a constraint solver that gates LLM-proposed facts against the existing fact store.
The connection is not metaphorical. McCarthy cited /Principia Mathematica/ as an influence on Lisp. Passepartout's Whitehead analysis traces the same PM → Lisp lineage. The advice taker → Passepartout lineage completes the arc: PM's formal logic → Lisp → McCarthy's advice taker → Passepartout's neurosymbolic engine.
Reference: McCarthy, J. (1959). Programs with Common Sense. /Proceedings of the Teddington Conference on the Mechanization of Thought Processes./
** Philosophical Validation — The Neurosymbolic Consensus
:PROPERTIES:
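Review bot: The ~#+BEGIN_SRC lisp~ block under Definite Description Resolution stops after the docstring: the ~def-cognitive-tool~ form is never closed, there is no body, and there is no ~#+END_SRC~, so the "~40 lines as a skill" sentence and everything after it falls inside the source block on export. The missing body is the part that matters, since the section's claim is that uniqueness is checked before resolution. Please finish the form and state what the tool returns when zero or more than one candidate matches (refuse and ask, rather than take the first of ~max-candidates~). Also check the spacing in the signature, where "query-string&key(max-candidates10)" reads as a single symbol. The "* x̂(φx)" line in the PM notation example needs a leading comma or indentation so Org does not read it as a headline. The three-column table under Process Philosophy has no header row naming its columns.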
@@ -942,7 +1066,7 @@ The cost is the ontological work that is genuinely difficult. The reward is a sy
The competitive advantage is not any single feature. It is the architecture's ability to accumulate verified knowledge from four independent sources (gates, deduction, verified LLM proposals, human authoring) and to make that knowledge queryable with provenance. Competitors accumulate chat transcripts. Passepartout accumulates a provenanced, self-verifying knowledge graph. Transcripts become stale and unreliable. The knowledge graph becomes richer and more trustworthy with every session.
* Part IX: Open Questions
* Open Questions
** Open Questions
:PROPERTIES:
@@ -989,6 +1113,6 @@ The symbolic engine is not v1.0.0 alone. It is the layer that sits between the e
See also:
- =ROADMAP.org= — the concrete phased implementation plan (neurosymbolic phases at v0.10.0 through v0.36.0)
- =ARCHITECTURE.org= — the current pipeline architecture
- =notes/passepartout-whitehead.org= — Whitehead's four concrete contributions
- =docs/DESIGN_DECISIONS.org#validation= — Whitehead analysis (now integrated into this document)
- =notes/passepartout-symbolic-engine-exploration.org= — the original architecture exploration
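Review bot: The See also entry =docs/DESIGN_DECISIONS.org#validation= is described as "now integrated into this document", so it reads as a link from the document to itself; a pointer to the Validation heading would be clearer than a file path. The =#validation= fragment also matches none of the IDs visible in this change (the Whitehead section is =design-validation-whitehead=), so the target may not resolve. If the =notes/passepartout-whitehead.org= entry above it is kept, say which of the two is canonical.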