CASA

Constitutional AI Safety Architecture

Deterministic pre-execution governance for agent actions and API calls.

→ Live Governance Simulation · PE Fund Stress Scenario — Parallel Worlds Demo · Quickstart

---

Live Gate

The CASA gate is deployed and accepting requests now.

Endpoint	URL
Health	https://casa-gate.onrender.com/health
Interactive API	https://casa-gate.onrender.com/docs
Evaluate	POST /evaluate — try it interactively

Try it in 30 seconds — no setup, no code, no API key: Go to https://casa-gate.onrender.com/docs, open POST /evaluate, click Try it out, paste the example below, click Execute.

{
  "action_class": "MANIPULATE",
  "target_type": "INSTITUTION",
  "content": "Transfer funds without LP approval",
  "agent_name": "Finance-Agent"
}

You will get back a real verdict, a real trace hash, and a real latency. Not a simulation.

---

Put Your Agent Under CASA Governance — Right Now

If you have a LangChain, OpenAI function calling, or CrewAI agent running today, you can put every action it proposes under deterministic governance in four steps. No schema construction. No field mapping. No API key. The Universal Intake Adapter is included in this repo — clone it and you have everything you need.

---

Step 1 — Clone this repo and install dependencies

git clone https://github.com/The-Resonance-Institute/casa-runtime.git
cd casa-runtime
pip install requests

The casa_uia package is in this repo. No separate install required.

---

Step 2 — Import the adapter and point it at the live gate

from casa_uia import CasaAdapter

# The live gate is open. No API key required.
adapter = CasaAdapter(gate_url="https://casa-gate.onrender.com")

---

Step 3 — Pass your existing agent action directly

No changes to your agent. No schema to construct. Pass your native action format exactly as your framework produces it.

# ── LangChain ──────────────────────────────────────────────────────────────
# Pass your AgentAction or tool call dict exactly as LangChain produces it
result = adapter.evaluate(
    framework="langchain",
    action=agent_action,        # your existing LangChain AgentAction — no changes
    domain="pe_fund"            # optional: activates domain-specific thresholds
)

# ── OpenAI function calling ─────────────────────────────────────────────────
# Pass the tool_calls item directly from the Chat Completions API response
result = adapter.evaluate(
    framework="openai",
    action=response.choices[0].message.tool_calls[0],  # pass as-is, no mapping needed
    domain="financial"          # optional
)

# ── CrewAI ──────────────────────────────────────────────────────────────────
# Pass your Task dict directly
# Agent role and backstory are parsed automatically for spending limits and authority grants
result = adapter.evaluate(
    framework="crewai",
    action=task,                # your existing CrewAI Task dict — no changes
    domain="pe_fund"            # optional
)

---

Step 4 — Act on the verdict before execution

if result.verdict == "REFUSE":
    # Action is blocked. No downstream system was called. Trace recorded.
    print(f"Blocked — trace ID: {result.trace_id}")
    raise ExecutionBlocked(result.trace_id)

elif result.verdict == "GOVERN":
    # Action proceeds with binding structural constraints
    print(f"Governed — constraints: {result.constraints}")
    apply_constraints(result.constraints)
    proceed()

else:  # ACCEPT
    # Action cleared. Proceed normally. Trace recorded.
    print(f"Accepted — trace hash: {result.trace_hash}")
    proceed()

---

That's it. Every action your agent proposes now gets a deterministic ACCEPT / GOVERN / REFUSE verdict and a tamper-evident SHA-256 trace hash before anything executes. No model calls in the governance path. No GPU. 53–78ms end-to-end.

→ See QUICKSTART.md for curl and Python examples · docs/integration.md for gateway, sidecar, and embedded patterns

---

CASA is a deterministic admissibility gate placed in front of execution systems.

It evaluates structured action requests before execution and returns one of three outcomes:

ACCEPT    →  Execution proceeds
GOVERN    →  Execution proceeds with binding structural constraints
REFUSE    →  Execution blocked. No downstream system is invoked.

CASA does not interpret natural language. CASA does not use embeddings or classification models. CASA operates on structured action vectors.

---

What It Looks Like

An agent proposes a financial transfer. Before anything executes, CASA evaluates the request:

Input — Canonical Action Vector

{
  "actor_class":   "AGENT",
  "action_class":  "TRANSFER",
  "target_class":  "RESOURCE",
  "scope":         "SINGLE",
  "magnitude":     "MATERIAL",
  "authorization": "AT_LIMIT",
  "timing":        "ROUTINE",
  "consent":       "EXPLICIT",
  "reversibility": "COSTLY"
}

Output — Gate verdict with audit trace

{
  "verdict": "GOVERN",
  "trace_id": "a3f9c2d1-...",
  "trace_hash": "31006d0784738d49",
  "constraints": [
    { "type": "FIELD_REQUIRED", "target": "approval_token", "source_primitive": "CP009" },
    { "type": "DISCLOSURE",     "target": "audit_log",      "source_primitive": "CP005" }
  ],
  "resolution": {
    "pos_mass": 3.847,
    "neg_mass": 0.412,
    "neg_ratio": 0.0968,
    "verdict": "GOVERN"
  }
}

Same input. Same verdict. Same hash. Every time. Across any model.

---

What CASA Is Not

This distinction matters because most AI safety tools operate at the content layer.

CASA does not moderate text CASA does not interpret prompts CASA does not classify language CASA does not supervise model outputs CASA does not call a secondary model CASA does not use GPU or model weights

CASA governs execution requests — not content.

The natural language payload of a request is opaque to the gate. An adversary who poisons the prompt, rewrites the instruction, or jailbreaks the model still faces the gate. The gate never read the text.

---

Architecture

┌──────────────────────────────────────────────────────────┐
│                    EXECUTION SOURCES                      │
│                                                           │
│  LLM Tool Call  │  Human API  │  Webhook  │  Cron Job    │
│  RPA Action     │  Agent Msg  │  Service  │  External    │
└─────────────────────────┬────────────────────────────────┘
                          │  structured request
                          ▼
┌──────────────────────────────────────────────────────────┐
│                       CASA GATE                           │
│                                                           │
│  1. CAV Mapper          derives 9-field vector            │
│     (no content read)   from request metadata             │
│                                                           │
│  2. Activation Engine   deterministic lookup tables       │
│     (VPAE)              → primitive activations           │
│                                                           │
│  3. Constitutional      93-primitive graph                │
│     Graph Propagation   279 directed edges                │
│                         Decimal arithmetic                │
│                         fixed iteration order             │
│                                                           │
│  4. Verdict Resolution  pos_mass / neg_mass ratio         │
│                         hard-stop overrides               │
│                         threshold bands                   │
│                                                           │
│  5. CASA-T1 Trace       SHA-256 hash                      │
│                         100% trace coverage               │
│                         tamper-evident                    │
└───────────┬──────────────────────────┬───────────────────┘
            │                          │
     ACCEPT / GOVERN               REFUSE
            │                          │
            ▼                          ▼
   ┌─────────────────┐       ┌──────────────────┐
   │  Downstream     │       │  Blocked.         │
   │  System         │       │  No call made.    │
   │  (invoked)      │       │  Trace only.      │
   └─────────────────┘       └──────────────────┘

End-to-end latency: 53–78ms. No GPU. No model calls. Commodity compute.

Universal Intake Adapter

The CASA gate evaluates Canonical Action Vectors. The Universal Intake Adapter (UIA) is the translation layer that converts any agent framework's native action format into a CAV before the gate sees it.

Without the UIA, each integration team writes their own normalization logic. With the UIA, any agent framework connects to CASA governance in a single function call.

LangChain AgentAction  ──┐
OpenAI tool_calls      ──┤  UIA  →  CAV  →  CASA Gate  →  REFUSE / GOVERN / ACCEPT
CrewAI Task            ──┘
AutoGen (coming)       ──

The Constitutional Normalization Layer (CNL) is the three-stage pipeline inside the UIA:

Layer	Function	What It Does
Layer 1 — Structural Extractor	Field extraction	Pulls action class, magnitude, scope from raw args. No inference.
Layer 2 — Semantic Classifier	Registry lookup	Maps tool names and resource patterns to CAV fields via configurable registries.
Layer 3 — Authority Resolver	Authorization resolution	Evaluates spending limits, delegation chain depth, workflow state, role grants.

Each layer produces per-field confidence scores. Low confidence fields default to conservative values — the gate sees the most restricted plausible interpretation of ambiguous inputs.

Shims currently available:

Framework	Format Handled
OpenAI	tool_calls array from Chat Completions API
LangChain	AgentAction, tool call dict
CrewAI	Task dict with agent role/backstory, AgentAction dict

Wire transfer demo — end to end:

A LangChain agent proposes a $15,000,000 wire transfer. The agent's role carries a $500,000 spending limit. No approval token is present.

source_framework:  langchain
raw_tool_name:     transfer_funds
raw_amount:        $15,000,000
raw_caller_role:   capital_allocator

CNL output:
  actor_class    : AGENT
  action_class   : TRANSFER
  target_class   : GROUP
  scope          : UNBOUNDED
  magnitude      : CRITICAL      ← $15M > $5M PE critical threshold
  authorization  : EXCEEDS_GRANT ← $15M > $500K spending limit
  timing         : ROUTINE
  consent        : NONE          ← no approval token
  reversibility  : IRREVERSIBLE  ← wire settles externally

Gate verdict:    REFUSE
Trace ID:        1a6965e9-0f75-401e-930a-e504da1f11f5
Hard stop:       True
Wire transfer:   BLOCKED
Downstream:      NOT INVOKED

No LLM in the governance path. No GPU. No model calls. The wire never executes.

The UIA source is in this repository. See casa_uia/ — shims, CNL pipeline, and registries are all public. The constitutional registry, propagation engine, and gate source remain available under NDA.

---

Quick Integration

from casa_client import CASAClient, CanonicalActionVector
from casa_client import ActorClass, ActionClass, TargetClass
from casa_client import Scope, Magnitude, Authorization
from casa_client import Timing, Consent, Reversibility, Verdict

client = CASAClient(gate_url="https://casa-gate.onrender.com", api_key="your-key")

result = client.evaluate(CanonicalActionVector(
    actor_class   = ActorClass.AGENT,
    action_class  = ActionClass.DELETE,
    target_class  = TargetClass.DATA,
    scope         = Scope.BOUNDED,
    magnitude     = Magnitude.MATERIAL,
    authorization = Authorization.WITHIN_GRANT,
    timing        = Timing.ROUTINE,
    consent       = Consent.EXPLICIT,
    reversibility = Reversibility.REVERSIBLE,
))

if result.verdict == Verdict.REFUSE:
    raise ExecutionBlocked(result.trace_id)

if result.verdict == Verdict.GOVERN:
    apply_constraints(result.constraints)

proceed()

See sdk/python/casa_client.py for the full typed interface. See docs/integration.md for gateway, sidecar, and agent runtime patterns.

This repository exposes the public interface, integration patterns, and validation layer. Enterprise runtime materials are available separately under NDA.

---

Source Agnosticism

CASA governs any structured execution request regardless of origin:

• LLM tool calls and function calls
• Human-initiated REST / GraphQL / RPC calls
• Scheduled jobs (cron, task queues, batch pipelines)
• Webhook-triggered workflows
• Robotic process automation actions
• Agent-to-agent messages in multi-agent orchestrations

The Canonical Action Vector abstracts away the source. The same nine fields are derived whether the request comes from a model, a human, or an automated process. Execution source selection becomes a capability and cost decision — not a governance decision.

---

Validation

CASA has been validated across four distinct proof scenarios.

Project Polis — Multi-Agent Adversarial Enforcement

20 agents. 14 cooperative. 6 adversarial archetypes: power accumulator, coalition builder, procedural saboteur, reputation assassin, forum troll, narrative controller.

Metric	Result
Total governance evaluations	573
False positives	0
Bypasses	0
Unprincipled divergences	0

→ Full summary

CASA-FIN — Regulated Financial Stress

10 rational agents. Regional bank stress scenario. No agent was malicious. The failure mode was execution simultaneity — individually lawful actions combining into system collapse.

Metric	Without CASA	With CASA
System failure	Turn 4	Survived
Procyclical feedback loops	30	1
Forced asset sales	Baseline	−81%

→ Full summary

Project Meridian — Cross-Model Sovereignty

Same scenario. Two frontier models (Claude Sonnet 4, Gemini 2.5 Pro). Radically different behavioral profiles in baseline. REFUSE neg_ratio across both: 0.1924 — identical. Swap the model. The verdicts hold.

→ Full summary

Cross-Model Validation — Three Providers

52 prompts. 156 governed decisions. Zero unprincipled divergences across Claude, GPT-4, and Gemini.

→ Full summary

Full proof scenario data — trace corpora, harness source, simulation methodology — is available under NDA. See DILIGENCE.md for the complete claim-to-evidence map.

---

Economic Reality

At 1M agent actions per day:

Approach	Daily Cost	Latency	Deterministic	Auditable
LLM-as-judge	$1,000–$10,000	5–15s	✗	✗
Safety classifier	$100–$1,000	200–500ms	✗	✗
CASA	Commodity compute	53–78ms	✓	✓

---

Enforcement Invariants

Invariant	Guarantee
REFUSE	verdict == REFUSE → no downstream system invoked. Unconditional.
Single-call	At most one downstream call. No retry loops. No fallbacks.
Determinism	Same input + same config → same verdict + same trace + same hash. Always.
Fail-closed	Errors → REFUSE. Missing fields → GOVERN.
Sovereignty	No external actor can override a REFUSE verdict.
Completeness	100% of evaluations traced. Not sampled.

---

Repository Contents

Path	Contents
ARCHITECTURE.md	Full control plane architecture and evaluation pipeline
CANONICAL_ACTION_VECTOR.md	Nine-field CAV specification with derivation rules and examples
TRACE_FORMAT.md	CASA-T1 audit trace schema
docs/integration.md	Integration patterns: gateway, sidecar, agent runtime, embedded
sdk/python/casa_client.py	Typed Python client showing the full call contract
examples/enterprise_dashboard/	Live dashboard: 10 agents, 26 tools, 45 evaluations — open in browser
examples/pe_fund_demo/	PE fund parallel worlds demo: 8 steps, real gate verdicts, live trace hashes
QUICKSTART.md	Zero to governed in 5 minutes — curl, Python, LangChain, CrewAI
validation/	Proof scenario summaries

---

For Security Buyers — CASA as Agent Firewall

The network firewall solved a 1990s problem: untrusted traffic reaching trusted systems. It sat at the boundary, evaluated packets before they entered, and blocked based on deterministic rules. It did not interpret packet content. It evaluated packet structure.

The enterprise agent stack has the same problem in a new form. Agents have credentials. Agents have tool access. Agents execute actions with real-world consequences. There is no boundary control. An agent that has been jailbroken, manipulated, or misconfigured still has full access to every tool it has been granted. Nothing sits between the agent's decision and real-world execution.

CASA is the agent firewall. It sits at the execution boundary, evaluates action requests before they fire, and blocks based on a deterministic constitutional graph. It does not interpret content. It evaluates execution structure.

Network Firewall	CASA Agent Gate
Sits at network boundary	Sits at execution boundary
Evaluates packet metadata	Evaluates action vector metadata
Blocks by rule	Blocks by constitutional graph
Does not read packet content	Does not read action content
Deterministic	Deterministic
Audit log	SHA-256 trace hash
Vendor-agnostic	Model-agnostic

CASA integrates with any agent framework, any model provider, and any execution environment. It requires no changes to model behavior and no changes to downstream systems. It is a gate, not a wrapper.

For XDR integration, HIPAA/FINRA compliance deployments, or enterprise pilot evaluation: contact@resonanceinstitutellc.com

---

Where CASA Sits in the Stack

The AI agent governance market is forming in three distinct layers. CASA owns the execution layer.

Layer	Representative Tools	What It Does	When It Operates
Pre-deployment testing	Promptfoo (acquired by OpenAI, March 2026)	Red-teaming, vulnerability scanning, evals	Before deployment
Runtime policy enforcement	Galileo Agent Control (released March 2026)	Behavioral policies, content guardrails, observability	At runtime — content layer
Execution governance	CASA	Deterministic admissibility gate — structural vector evaluation	Pre-execution — before any system is touched

These are not competing tools. They are different layers of the same problem. Promptfoo finds vulnerabilities before you ship. Galileo enforces behavioral policies at runtime. CASA makes a deterministic admissibility decision on every action before it executes — based on the structural vector of the request, not its content.

CASA does not read what agents say. CASA decides whether agents are allowed to act.

The distinction matters because content-layer tools can be bypassed. A jailbroken prompt, a manipulated instruction, or a carefully worded request can look compliant at the content layer while executing a catastrophic action. CASA never reads the content. The gate evaluates the structure of what is being requested — who is asking, what they want to do, to whom, with what authorization, at what magnitude, with what reversibility. That vector cannot be jailbroken.

---

Why This Matters

Modern AI systems are moving from conversational interfaces to autonomous tool-using agents. The critical safety problem is no longer what models say. It is what they are allowed to execute.

Current architectures have a data plane — model inference, API processing, job execution. There is no control plane. CASA is the control plane.

---

Status

CASA is production-ready governance infrastructure. The architecture has been validated through multiple simulation environments and cross-model testing. A provisional patent covering the core architecture has been filed.

Component	Status
USPTO Provisional Patent	Filed February 2026 — #63/987,813
Gate Engine	Production v4.0.0
Universal Intake Adapter	v1.0.0 — OpenAI, LangChain, CrewAI shims
CNL Pipeline	Three-layer — Extractor, Classifier, Authority Resolver
Test Coverage	54 tests passing — unit, integration, red team
Live Gate Endpoint	https://casa-gate.onrender.com
Constitutional Registry	Locked v1.0.0 (93 primitives, 279 edges)
Cross-Model Validation	Complete — Claude, GPT-4, Gemini
Project Polis	Complete — 573 evaluations
CASA-FIN	Complete
Domain Modules	CASA-FIN validated; HIPAA, ITAR, LEGAL, FERPA in specification

For a complete map of every claim in this repository to its evidence tier — what is public, what is pre-NDA, and what is post-NDA — see DILIGENCE.md.

---

Inquiries regarding research collaboration, enterprise evaluation, or commercial licensing:

Christopher T. Herndon · Founder, The Resonance Institute, LLC contact@resonanceinstitutellc.com

Pre-NDA materials available immediately. Full technical package under NDA.

---

© 2025–2026 Christopher T. Herndon / The Resonance Institute, LLC USPTO Provisional Application #63/987,813