LACP

Control-plane-grade agent harness for Claude, Codex & Hermes.

LACP is a harness-first execution framework with policy-gated operations, verification/evidence loops, 5-layer memory, and auditable agent workflows — all local-first, zero external dependencies.

---

Stable Release — LACP is stable for daily local-first operations. Defaults, command contracts, and core workflows are backward-compatible. If something regresses, open an issue.

Contents

• Quick Start
• Why teams adopt LACP
• Use-case recipes
• Documentation
• Architecture
• Features
• Prerequisites
• Install Options
• Who It's For
• Testing
• Security
• Contributing

What LACP is (by harness definition)

LACP is an agent harness with control-plane governance:

• Harness layer: tasks, verification contracts, evidence manifests, replayable run loops
• Control-plane layer: risk tiers, budget gates, context/session contracts, approvals, provenance

This keeps the core value clear: not just generating output, but producing auditable, policy-compliant outcomes.

Policy gates	Risk tiers (safe/review/critical), budget ceilings, context contracts, and session fingerprints — every agent invocation is gated and auditable.
5-layer memory	Session memory, Obsidian knowledge graph, ingestion pipeline, code intelligence (GitNexus), and agent identity with hash-chained provenance.
Hook pipeline	Modular Python hooks for Claude Code — session context injection, pretool guards, write validation, and stop quality gates with local LLM eval.
Obsidian brain	First-class vault management, mycelium-inspired memory consolidation, QMD indexing, and config-as-code with auto-optimization.
Multi-agent orchestration	dmux/tmux session management, git worktree isolation, swarm workflows, and Claude native worktree backend.
Local-first security	Zero external CI by default, no secrets in config, environment-driven credentials, TTL approval tokens for remote execution.
Execution tiers	trusted_local, local_sandbox, and remote_sandbox (Daytona/E2B) with policy-driven routing and provider override.
Evidence pipelines	Browser e2e, API e2e, smart-contract e2e harnesses with manifest evidence, auth checks, and PR preflight gates.

---

Quick Start

Install

# Homebrew (recommended)
brew tap 0xNyk/lacp && brew install lacp

# or cURL bootstrap
curl -fsSL https://raw.githubusercontent.com/0xNyk/lacp/main/install.sh | bash

Bootstrap & Verify

lacp bootstrap-system --profile starter --with-verify
lacp doctor --json | jq '.ok,.summary'

After bootstrap: .env is created, dependencies installed, directories scaffolded, Obsidian vault wired, and verification artifacts produced.

For the full setup and daily operator flow, start with the Runbook and Local Dev Loop.

First Gated Command

# Route a task through LACP policy gates
lacp run --task "hello world" --repo-trust trusted -- echo "LACP is working"

# Make claude/codex/hermes default to LACP routing (reversible)
lacp adopt-local --json | jq

Why teams adopt LACP

• Predictable execution: every run passes through deterministic policy and budget gates.
• Auditability by default: artifacts, provenance, and verification logs are first-class outputs.
• Local-first security posture: remote execution is opt-in and secrets stay environment-scoped.
• Multi-agent without chaos: worktree/session isolation keeps parallel runs reproducible.

Use-case recipes

1) Harden local agent usage in under 5 minutes

lacp bootstrap-system --profile starter --with-verify
lacp adopt-local --json | jq
lacp posture --strict

2) Run one risky command with explicit policy controls

lacp run \
  --task "dependency update with tests" \
  --repo-trust trusted \
  --context-profile default \
  -- pnpm up && pnpm test

3) Generate PR-ready evidence before opening a PR

lacp e2e smoke --workdir . --init-template --command "npx playwright test --grep @smoke"
lacp api-e2e smoke --workdir . --init-template --command "npx schemathesis run --checks all"
lacp pr-preflight --changed-files ./changed-files.txt --checks-json ./checks.json

4) Run parallel agents safely on isolated worktrees

lacp worktree create --repo-root . --name feature-a --base HEAD
lacp up --session feature-a --instances 3 --command "claude"
lacp swarm launch --manifest ./swarm.json

---

Documentation

Guide	What You'll Learn
Runbook	Daily operator workflow, command map, troubleshooting entry points
Local Dev Loop	Fast build/test/verify loop for contributors
Framework Scope	What LACP is, what it is not, and design boundaries
Implementation Path	Step-by-step rollout plan for full harness adoption
Memory Quality Workflow	How memory ingestion, expansion, and validation are run safely
Incident Response	Triage and recovery flow when policy gates fail
Release Checklist	Pre-release, release, and post-release controls
Troubleshooting	Common errors, doctor diagnostics, fix hints

Project health files

• CONTRIBUTING.md — contribution and PR expectations
• SECURITY.md — vulnerability disclosure process
• CHANGELOG.md — release history
• LICENSE — MIT

---

Architecture

lacp/
├── bin/                    # CLI commands (lacp <command>)
│   ├── lacp                # Top-level dispatcher
│   ├── lacp-bootstrap-system
│   ├── lacp-doctor         # Diagnostics (--json, --fix-hints)
│   ├── lacp-route          # Policy-driven tier/provider routing
│   ├── lacp-sandbox-run    # Gated execution with artifact logging
│   ├── lacp-brain-*        # Memory stack (ingest, expand, doctor, stack)
│   ├── lacp-obsidian       # Vault config management
│   ├── lacp-up             # Multi-instance agent sessions
│   ├── lacp-swarm          # Batch orchestration
│   └── lacp-claude-hooks   # Hook profile management
├── config/
│   ├── sandbox-policy.json     # Routing + cost ceilings
│   ├── risk-policy-contract.json
│   ├── obsidian/               # Vault manifest + optimization profiles
│   └── harness/                # Task schemas, sandbox profiles, verification policies
├── hooks/                  # Python hook pipeline for Claude Code
├── scripts/
│   ├── ci/                 # Test suites
│   └── runners/            # Daytona/E2B execution adapters
└── docs/                   # Guides and reference docs

Control Flow

Agent invocation
  → lacp route (risk tier + provider selection)
    → context contract validation
      → budget gate check
        → session fingerprint verification
          → sandbox-run (dispatch + artifact logging)

Features

Policy-Gated Execution

Every command routes through risk tiers (safe → review → critical), budget ceilings per tier, and context contracts that validate host, working directory, git branch, and remote targets before execution.

5-Layer Memory Stack

Layer	Purpose
Session memory	Per-project scaffolding under ~/.claude/projects/
Knowledge graph	Obsidian vault with MCP wiring (smart-connections, QMD, ori-mnemos)
Ingestion pipeline	brain-ingest converts text/audio/video/URLs into structured notes
Code intelligence	GitNexus AST-level knowledge graph via MCP (optional)
Agent identity	Persistent IDs per (hostname, project) + SHA-256 hash-chained provenance

lacp brain-stack init --json | jq          # Bootstrap all layers
lacp brain-ingest --url "https://..." --apply --json | jq
lacp brain-expand --apply --json | jq      # Full expansion loop

Hook Pipeline for Claude Code

Modular Python hooks enforcing quality at every session stage:

Hook	Event	Purpose
session_start.py	SessionStart	Git context injection, test command caching
pretool_guard.py	PreToolUse	Block dangerous operations (publish, chmod 777, fork bombs, secrets)
write_validate.py	PostToolUse	YAML frontmatter schema validation
stop_quality_gate.py	Stop	3-tier eval: heuristics, test verification, local LLM rationalization detection

Profiles: minimal-stop, balanced, hardened-exec, quality-gate-v2. Apply with lacp claude-hooks apply-profile <profile>.

Mycelium Network Memory

Biologically-inspired memory consolidation modeled on fungal networks:

Mechanism	Description
Adaptive path reinforcement	Frequently-traversed edges strengthen (like mycelium hyphae)
Self-healing	Pruned nodes trigger reconnection of orphaned neighbors
Exploratory tendrils	Frontier nodes in active categories shielded from pruning
Flow scoring	Betweenness centrality identifies critical knowledge hubs
Temporal decay	FSRS dual-strength model with forgetting curve

Multi-Agent Orchestration

# dmux-style multi-instance launch
lacp up --session dev --instances 3 --command "claude"

# Git worktree isolation
lacp worktree create --repo-root . --name "feature-a" --base HEAD

# Batch swarm execution
lacp swarm launch --manifest ./swarm.json

Evidence Pipelines

Generate machine-verifiable evidence for PR gates:

lacp e2e smoke --workdir . --init-template --command "npx playwright test --grep @smoke"
lacp api-e2e smoke --workdir . --init-template --command "npx schemathesis run --checks all"
lacp contract-e2e smoke --workdir . --init-template --command "forge test -vv"
lacp pr-preflight --changed-files ./changed-files.txt --checks-json ./checks.json

---

Prerequisites

Required	Recommended
bash, python3, jq, rg (ripgrep)	shellcheck, tmux, gh

The installer auto-detects and installs missing dependencies on macOS via Homebrew.

Install Options

All installation methods

Homebrew

brew tap 0xNyk/lacp
brew install lacp            # stable v0.3.0
brew install --HEAD lacp     # track main branch

cURL Bootstrap

curl -fsSL https://raw.githubusercontent.com/0xNyk/lacp/main/install.sh | bash

Verified Release (recommended for production)

VERSION="0.3.0"
curl -fsSLO "https://github.com/0xNyk/lacp/releases/download/v${VERSION}/lacp-${VERSION}.tar.gz"
curl -fsSLO "https://github.com/0xNyk/lacp/releases/download/v${VERSION}/SHA256SUMS"
grep "lacp-${VERSION}.tar.gz" SHA256SUMS | shasum -a 256 -c -
tar -xzf "lacp-${VERSION}.tar.gz" && cd "lacp-${VERSION}"
bin/lacp-install --profile starter --with-verify

Who It's For

LACP is for developers who want measurable, policy-gated, reproducible local agent operations with explicit pass/fail gates and artifact-backed records.

LACP is not for users looking for a chat UI, managed cloud orchestration, or who don't want to maintain local scripts/config.

Testing

lacp test --quick       # Fast smoke tests
lacp test --isolated    # Full isolated suite
lacp doctor --json      # Structured diagnostics
lacp posture --strict   # Policy compliance check

Individual test suites

scripts/ci/test-route-policy.sh
scripts/ci/test-mode-and-gates.sh
scripts/ci/test-knowledge-doctor.sh
scripts/ci/test-ops-commands.sh
scripts/ci/test-install.sh
scripts/ci/test-system-health.sh
scripts/ci/test-obsidian-cli.sh
scripts/ci/test-brain-memory.sh
scripts/ci/smoke.sh

Command reference

Core

Command	Purpose
lacp bootstrap-system	One-command install + onboard + verify
lacp doctor	Structured diagnostics (--json, --fix-hints, --check-limits)
lacp status	Current operating state snapshot
lacp mode	Switch local-only / remote-enabled
lacp run	Single gated command execution
lacp loop	Intent → execute → observe → adapt control loop
lacp test	Local test suite (--quick, --isolated)

Memory & Knowledge

Command	Purpose
lacp brain-stack	Initialize/audit 5-layer memory stack
lacp brain-ingest	Ingest text/audio/video/URLs into Obsidian
lacp brain-expand	Full brain expansion loop
lacp brain-doctor	Brain ecosystem health checks
lacp obsidian	Vault config management (audit/apply/optimize)
lacp repo-research-sync	Mirror repo research into knowledge graph

Orchestration

Command	Purpose
lacp up	dmux-style multi-instance launch
lacp orchestrate	dmux/tmux/worktree orchestration adapter
lacp worktree	Git worktree lifecycle management
lacp swarm	Batch swarm workflow (plan/launch/status)
lacp adopt-local	Install LACP routing wrappers for claude/codex

Security & Policy

Command	Purpose
lacp route	Deterministic tier/provider routing
lacp sandbox-run	Gated execution with artifact logging
lacp policy-pack	Apply policy baselines (starter/strict/enterprise)
lacp claude-hooks	Audit/repair/optimize hook profiles
lacp security-hygiene	Secret/path/workflow/.env scan
lacp pr-preflight	PR policy gate evaluation

Release & Evidence

Command	Purpose
lacp release-prepare	Pre-live discipline (gate + canary + status)
lacp release-verify	Release verification (checksum + archive + brew)
lacp e2e	Browser e2e evidence pipeline
lacp api-e2e	API/backend e2e evidence pipeline
lacp contract-e2e	Smart-contract e2e evidence pipeline
lacp canary	7-day promotion gate over retrieval benchmarks

Utilities

Command	Purpose
lacp console	Interactive slash-command shell
lacp time	Project/client session time tracking
lacp agent-id	Persistent agent identity registry
lacp provenance	Cryptographic session provenance chain
lacp context-profile	Reusable context contract templates
lacp vendor-watch	Monitor Claude/Codex version drift
lacp system-health	macOS/Apple Silicon workstation readiness
lacp mcp-health	Probe all configured MCP servers

Security

• No secrets in repo config — environment-driven via .env
• Zero external CI by default (LACP_NO_EXTERNAL_CI=true)
• Remote execution disabled by default (LACP_ALLOW_EXTERNAL_REMOTE=false)
• Risk-tier gating with TTL approval tokens
• Structured input contracts for risky runs
• Artifact logs for auditable execution history
• See SECURITY.md for vulnerability reporting

Contributing

Contributions welcome. See CONTRIBUTING.md for guidelines.

Support

If you find this project useful, consider supporting the open-source work:

Solana: BYLu8XD8hGDUtdRBWpGWu5HKoiPrWqCxYFSh4oxXuvPg

---

Need agent infrastructure, trading systems, or Solana applications built for your team?

Builderz ships production AI systems — 32+ products across 15 countries.

Get in touch | @nyk_builderz

License

MIT © 2026 0xNyk