Ghost-ALICE OS. Floor, not ceiling.

The problem

AI agents are capable enough that weak governance becomes visible.

The failure modes are ordinary: skipped sources, drifting scope, early closure, and plausible output accepted before it survives comparison.

⚡ Confident, but wrong

Hallucination passed off as confirmed fact
Official docs cited. Real runtime behavior ignored
Completion declared without running a single check
Evidence skipped when the model already "knows" the answer

⬡ Expanding, out of control

Tasks silently grow beyond what was asked
Instructions overridden by new context mid-session
Unnecessary work created to appear productive
Forbidden surfaces touched because they weren't re-stated

◎ Forgetting what you agreed to

Goals drift between turns as context grows
Constraints set three messages ago silently expire
Decisions made earlier reversed without notice
Every session starts from zero. Nothing carries forward

◈ Acting without a trace

No record of which files were read or why
Tool calls made with no auditable justification
Impossible to replay or explain what happened
Trust collapses the first time something goes wrong

At scale, unverified autonomy creates more rework than slower, checkable execution.

How it works

Eight-step loop. Four verification layers. No silent skips.

Semantic atoms. Evidence loops. Dynamic focus.

Ghost-ALICE OS changes the operating structure of AI work by splitting work into semantic atoms, verifying each unit, and dynamically changing its focus aperture back and forth across micro, meso, macro, and meta.

8-step operating loop

01 Split work by semantic verification burden
02 Tentative skill selection. Do not lock early
03 Choose a local start point from current state
04 Execute one semantic atom micro gate
05 Verify atom output against references meso gate
06 Combine and verify integrated output macro gate
07 Validate task necessity meta gate
08 Return to step 01. Loop until convergence

4 verification layers. Independent fallback at each

micro Tool call exit code and format check

meso Sub-task output verified by verification-before-completion

macro Integrated output attacked by adversarial-verification

meta Task existence justified by necessity-gate

Gate interaction map

intent ledger → downstream gate → scoped action → evidence closure

01 input

User request

A turn is evidence for intent change, not automatic permission to act.

starts intent delta

02 producer

session-intent-analyzer

Separates user intent from the agent plan, then extracts goals, constraints, decisions, and criteria.

writes compact state

03 state

intent state cache

Shared semantic cache for gates. Raw prompts, transcripts, tool output, and secrets stay out.

read by consumers

04 consumers

governance consumers

Security makes derived gate judgments from accumulated intent and records model_security_decision. Code carries the judgment; it does not invent blocks from keywords.

opens downstream gate

05 routing + scope

routing consumer → boundary-contract

After the downstream gate opens, routing decomposes accepted intent into atomic work and boundary-contract locks the allowed surface.

scope reopen point

06 action

tool-checkpoint

At tool stage, reads only downstream gate state for permission. Tool identity and payload shape stay audit context, not decision logic.

enforces one gate state

07 surface

execution surface

Files, shell, browser, Model Context Protocol, and external tools run inside the current boundary and return concrete evidence.

returns evidence

08 closure

completion-check

Maps every claim through claim-evidence-map; unverified criteria remain open instead of becoming done.

blocks overclaim

09 handoff

trace handoff

io-trace records what happened; lifecycle support below can audit, challenge, evolve, or recover the loop after the turn.

support handoff

Lifecycle support

io-trace audit trail

Every loop leaves an inspectable trace.

Records files read and written, commands, web access, and loaded skills
Lets users audit whether evidence actually matched the claim
Feeds later review without exposing hidden reasoning

skill-evolution candidates

Repeated workflows become reviewable improvement proposals.

Reads io-trace patterns together with intent-state summaries
Produces candidate reports, not automatic skill promotion
Requires necessity and governance gates before durable changes

pending-merge review

User-local edits are protected during installs and updates.

Backs up changed managed targets before overwriting them
Tracks undecided entries in a platform-specific manifest
Surfaces unresolved cases through merge-companion before routing; explicit defer/skip can continue

adversarial verification

High-burden claims can be attacked after the normal loop.

Multiple reviewers cross-examine evidence and assumptions
Separates official specification claims from runtime reality claims
Escalates unresolved disagreement instead of forcing easy consensus

jailbreak drift check

Security decisions are semantic records, not keyword traps.

Looks for instruction override, credential reveal, and scope drift
Compares current intent against accumulated constraints and non-goals
Writes model_security_decision for current-lineage blocks, then downstream gate carry handles enforcement

install-state doctor

Runtime support files stay checkable after deployment.

Verifies managed skill targets, bootstrap files, hooks, and ownership markers
Reports visibility profile without weakening hook execution
Gives recovery evidence when local runtime state drifts

Adaptive layer

Improves through reviewed evidence.

Ghost-ALICE OS is not a static ruleset. Corrections and repeated patterns can become reviewable improvement candidates instead of silent memory promotion.

governed learning

Corrections become auditable improvement candidates.

When you correct the agent's behavior, the signal is captured as session intent and audit evidence. Durable rules require explicit gates such as skill-evolution and necessity-gate. It is not silent memory promotion.

skill-evolution

Repeated patterns surface as evolution candidates.

skill-evolution reads io-trace logs across sessions. Workflows that repeat with enough cross-session evidence become evolution candidates. They are proposals for permanent rules, gated by necessity-gate before any change is made.

session-intent-analyzer

Intent is preserved across turns.

The intent ledger accumulates goals, constraints, locked decisions, non-goals, and open questions across turns. Earlier constraints remain available after context compaction instead of silently disappearing.

Core philosophy

Raise the floor first. Work-Impact, not raw verbosity, decides which hook values surface to the model or user.

What's inside

Core governance first. Capability packs second.

This is the inventory layer: core governance checkpoints first, then workflow and domain packs that run on top.

Core philosophy. Quality floor first

Operating loop steps

Verification layers

Runtime governance checkpoints

Supporting capability packs on top

macOS · Linux · Windows · WSL · Git Bash full compatibility matrix →

core governance spine

Quality floor as root rule

Every request enters through intent state, security gate, routing, and boundary scope before it can touch execution surfaces. Agent authority is a consequence of verified state, not forward momentum.

intent-analyzer
work-routing
boundary-contract
jailbreak-detector

verification core

Proof before closure

Completion claims require fresh evidence. High-burden claims are attacked through adversarial verification before they become trusted output.

completion-gate
claim-attack
web-evidence
adversarial-review

platform hooks 7 checkpoints

Rules enforced around the LLM runtime

SessionStart, UserPromptSubmit, downstream gate derivation, PreToolUse tool-checkpoint, Stop/AfterAgent completion, and PostToolUse io-trace checkpoints enforce governance outside the model's private reasoning.

SessionStart
UserPromptSubmit
PreToolUse
completion-check
PostToolUse

lifecycle + audit lifecycle

State survives handoff

Installation state, pending merges, compact handoffs, necessity checks, strict session logs, and io-trace records keep agent work explainable across sessions.

merge-companion
necessity-gate
compact-handoff
io-trace

supporting pack coding

Development workflow, governed

Coding-convention is a workflow pack that rides on the core OS model. It is useful, but it is not the identity of Ghost-ALICE OS.

brainstorming
writing-plans
test-driven-development
code-review

supporting packs domain

Domain work on governed rails

HWPX, design, document, proposal, machine learning, and product skills are capability packs. They demonstrate the governance layer; they do not define it.

hwpx
design-library
document-to-markdown
gov-proposal

Get started

One install. Governance surfaces in place.

Clone the repository and run the installer. Ghost-ALICE OS is built for portable governance across multiple language model and agent runtimes.

Installers use dynamic target totals, one-line live counters on interactive terminals, log-safe fallback for redirected output, a --visibility agent visibility profile, and a Windows path designed around a PowerShell 7.6 LTS baseline without changing the default shell.

View on GitHub Read the docs 한국어 문서

            
            # Clone the repository

            $ git clone https://github.com/AidALL/ghost-alice.git ~/ghost-alice

            $ cd ~/ghost-alice

            # macOS / Linux / WSL / Git Bash

            $ bash install.sh

            # Windows. PowerShell

            PS> .\install.ps1

            # Windows. Command Prompt

            > install.cmd

            # Check install status

            $ bash install.sh --status