Purpose: define where CrustCore sits in a full agentic coding product and how the product layers may move fast without widening the trusted kernel.
CrustCore's strongest product shape is not "another coding model." It is the proof-native control plane below powerful coding agents: models and workers may plan, explore, and propose; CrustCore authorizes, confines, verifies, receipts, and decides what becomes real.
Product surfaces
GitHub App, web cockpit, CLI/chat, optional Telegram, later IDE extension
Agent orchestration
task queue, planner, executor registry, fan-out, repair loop, budget manager
Verification intelligence
repo profile, test graph, verifier planner, CI monitor, evidence bundle builder
CrustCore trust core
policy, approvals, secrets, receipts, event log, sandbox, VerifiedPatch
Execution layer
Codex, Claude Code, local models, MCP tools, shell/git/test runners
State and memory
session/artifacts, repo index, vector/RAG pack, telemetry, audit store
Delegate coding work and receive a draft PR with proof, not vibes.
The product should feel fast during exploration and strict only when work tries to become real. The strict boundary is the value: a candidate patch must be confined, verified, receipted, and approved before it opens a draft PR or claims completion.
| Layer | Owns | Must not own |
|---|---|---|
| Product surfaces | onboarding, issue commands, cockpit views, approvals, status | verifier authority, raw secrets |
| Orchestration | routing, fan-out, retries, repair attempts, task budgets | final "done" decisions |
| Verification intelligence | selecting/ordering checks, weak-evidence warnings, evidence bundle assembly | bypassing failed checks |
| Trust core | policy, approvals, sandbox, receipts, event log, VerifiedPatch |
provider SDKs, databases, UX state |
| Execution layer | producing candidate changes and tool results | user communication or integration authority |
| State/memory | sessions, artifacts, repo facts, retrieval, telemetry | policy decisions or approvals |
The first serious product wedge is the GitHub PR Supervisor for small engineering teams:
- Install/configure CrustCore for a repo.
- Delegate an issue or chat task.
- Run one or more executors in isolated worktrees.
- Rerun the repo verifier in a sandbox.
- Mint a
VerifiedPatchonly on success. - Push a scoped branch and open a draft PR with an evidence bundle.
- Monitor CI and run bounded repair attempts.
- Surface a clear completed or blocked state.
The product layer starts with four stable contracts in
crustcore_daemon::product:
RepoProfile: parsed fromcrustcore.yml, trusted setup only.RepoSignals+TaskShape: adapter-supplied repo facts and product task classification; path-based defaults and sanitized changed-path hints are verifier guidance only, never authority.RepoPathSnapshot: bounded daemon-side path profiler that observes marker names without reading file contents, following symlinks, or running tools.VerifierPlan: deterministic check ordering, task gates, and weak-evidence warnings before execution.TaskLifecycle: product-facing states such asQueued,Verifying,MonitoringCi,Repairing,Blocked,Completed.ExecutorCapability: executor metadata for routing and UX; never authority.EvidenceBundle: stable evidence artifact for draft PR bodies, cockpit views, and bounded JSON/JSONL audit export.
Example crustcore.yml:
policy_mode: verified
risk_tier: standard
branch_prefix: crustcore
verify:
- cargo test --workspace
- cargo clippy --workspace -- -D warnings
executors:
- codex
- claude-code
budget:
max_wall_ms: 1800000
max_output_bytes: 1048576
max_tokens: 200000
repair_attempts: 2
github:
repo: RNT56/CrustCore
base_branch: main
open_draft_pr: true
labels: crustcore, needs-human-review
ui:
cockpit: true
telegram: false- The product may add aggressive routing, UX, and repair loops; it may not add a
second authority path around
VerifiedPatch. - Repo files, GitHub content, CI logs, MCP output, and model text remain untrusted data.
- Secrets stay behind the broker/credential proxy; raw credentials never enter prompts, logs, sandboxes, or config files.
- Live sockets are thin adapters; deterministic decision cores stay CI-testable.
- Nano remains the trusted harness and never links HTTP/TLS/DB/provider stacks.