Your prompts and policies are loose text.
CCDD puts them under contract.
Como TDD pone el test primero — CCDD pone el contrato de contexto primero. Lo verificable lo revisa una máquina; lo opinable, un humano.
The context is the least-governed part of the stack
Your prompts, policies and guardrails live as loose, unversioned text scattered across files. Nothing stops a well-meaning edit from quietly demoting a safety policy, dropping a guardrail, or letting an untrusted source outrank a signed rule.
CCDD turns that context into a contract — a versioned context.yaml with signatures, a CI gate that blocks context regressions, quorum governance for policy changes, and a reproducible audit. The verifiable half is checked by a machine; the judgment half stays a human's call.
Two layers, one document
Slots with priorities, mandatory floors, signed static content, declared guardrails. All of it machine-checkable: a script decides if a change weakened the context, deterministically, the same way every run.
Whether a rewritten policy still "reads right", whether a change of tone is acceptable — that stays a person's call, recorded as a signed sign-off. The model informs; it does not decide.
From contract to running context
Each level is a machine check; nothing ships on the model's word.
Contract & sign
Declare the context as data, lint it against the schema, and sign the static slots (Ed25519). Edit a signed slot and the seal breaks.
Regression gate
On every change, nine deterministic rules (R1–R9) block the merge if the context posture degraded — with quorum governance for policy edits.
Assemble & audit
At runtime, assemble the payload by priority, run the guardrails, and emit a reproducible record — replayable byte-for-byte.
A weakened context freezes the merge
Not by an LLM. Nine rules compare the proposed contract against the baseline.
Priority degraded, a lost signature, a deleted guardrail — each one blocks the merge (exit 1).
A policy edit needs a quorum of registered reviewers' Ed25519 signatures before it's allowed through.
By the numbers, as of this file
Spec v0.3 (Draft) with an executable reference implementation. Every figure is checked into the repository.
What CCDD governs, what it doesn't
The honest scope is part of the method. CCDD controls context integrity — not full agent security.
It governs
- That a safety policy can't be silently demoted, unsigned or dropped
- That a static slot's signed content hasn't changed without a re-sign
- That an untrusted dynamic source can't outrank a signed policy by priority
- That policy changes carry a quorum of reviewer signatures
It does not
- Stop an injection that legitimately fits inside the context — that's the model's own robustness
- Secure the agent's tool actions or side effects
- Vouch for the truth of external sources it assembles
One DNA, six planes
Same DNA across the family — verifiable layer, judgeable layer, deterministic validation — each on a different plane; I am the notarized context that grounds everything.
Read the contract yourself
MIT-licensed. Every claim on this page is checked into the repository that backs it.