Current safety wrappers for frontier agents place stochastic controls in front of stochastic executors. CORE proposes a bounded execution substrate in which the neural model is reduced to schema induction — a System 1 sensory and translation layer — and all operational agency is relocated into a deterministic state machine whose admissible transition set is defined by first-class domain constraints, not by language classifiers.
The model proposes. The substrate decides.
On June 9, 2026, Anthropic publicly released Claude Fable 5 — a Mythos-class model — alongside an unusually candid public warning about the risks of increasingly capable AI. The simultaneous release and warning is not a contradiction; it is a product surface problem made legible.
Public behavior and the Fable 5 system card indicate that requests touching high-risk domains — cybersecurity, certain biology workflows, and adjacent surfaces — trigger classifier-driven blocking or fallback to Opus 4.8. This is intentional design: strong guardrails layered on top of strong capability. This memo argues the layering itself is the bottleneck, and that there is an architectural alternative worth examining.
For long-horizon agentic workflows — the domain Fable 5 is explicitly positioned for — the primitive choice between classifier walls and bounded substrates determines how reliability degrades with task length. That is the specific engineering problem this memo addresses.
The core issue is not where the safety threshold is set — it is the nature of the primitive being used to enforce it. Classifier walls and bounded substrates answer fundamentally different questions:
For a single-turn assistant this distinction is manageable. For long-horizon agents it compounds: each false-positive refusal interrupts a stateful workflow whose accumulated context is not recoverable from the refusal event. The reliability degradation is superlinear in task length.
A model asked to simultaneously parse intent, reason over state, and self-police execution is being asked to do three things in one stochastic pass. Each function degrades the others. The present architecture resolves this by adding more classifiers. CORE resolves it by separating the concerns at the architectural level.
The bottleneck is not only model capability. It is the placement of execution authority inside the same stochastic layer that must also be safety-constrained.
CORE implements the System 1 / System 2 split at the architectural level, not the prompt level. In Hybrid Mode, a Claude/Fable model acts as System 1: it parses intent and proposes a structured payload. CORE acts as System 2: it verifies, refuses, asks, or executes — deterministically, with replayable traces. The neural model never touches execution.
Given a correctly specified Anchor domain model, CORE can only execute transitions admitted by typed guards under the current state. The model proposes; the substrate decides. This is not a prompt-level constraint — the model's output is structurally typed through the Lens before it reaches any execution surface.
AuthorityToken over each ratified transition. It is the only layer that can authorize execution. What counts as admissible is a policy question requiring human ratification per domain — the architecture enforces the boundary; humans define it.The execution substrate is a deterministic finite automaton. The neural model is an inductive proposer. The Lens is a projection-and-filter. State transitions require both a valid typed payload and a passing guard predicate:
δ(qₜ, σ) = qₜ₊₁ iff Lens(output) = σ ≠ ∅ ∧ G(qₜ, σ) = true
where G : Q × Σ → bool is a pure deterministic predicate
Lens : string → TypedPayload ∪ {∅}
If Lens(output) = ∅, no transition fires. Period.
Where G(qₜ, σ) is a pure function from current state and proposed payload to bool, evaluated deterministically over the Anchor's domain model. The stochastic model has no direct path to side effects outside this admissible transition system.
A user requests a network diagnostics workflow in a sensitive domain. The workflow is legitimate, operationally authorized, and benign — but its language surface resembles restricted content.
| Scenario | Classifier-first (Fable behavior) | CORE bounded substrate |
|---|---|---|
| Request | "Run a ping sweep and port probe against lab subnet 10.0.1.0/24 to map active hosts before the vulnerability scan." |
|
| Safety evaluation | Language surface matches patterns associated with offensive reconnaissance. Classifier fires. Refusal or fallback to Opus 4.8. | Lens maps to typed payload: {op:"network_probe", subnet:"10.0.1.0/24", scope:"lab"}. Guard checks: is network_probe admissible? Is lab scope within licensed subnets? |
| Benign outcome | Refusal. Workflow interrupted. Accumulated session context not recoverable. False positive independent of actual risk. | Guard passes. Substrate executes. Workflow continues. Trace hash recorded. Zero false positives from surface-level similarity. |
| Harmful variant | May or may not block — depends on linguistic surface shift, not on whether the action is admissible within licensed scope. | Guard fails: target subnet outside licensed scope. State remains at qₜ. Transition structurally impossible. What counts as "licensed" scope is a ratified human policy decision encoded in the Anchor — the architecture enforces it; a human defined it. |
| Audit trail | Classifier decision; opaque to the downstream workflow. | Deterministic trace hash. Guard decision is a pure function of (qₜ, Σ) — fully reproducible and inspectable. |
CORE is not a research proposal. The substrate is implemented, CI-gated, and has mechanically verified capability claims. Two signals worth examining:
The cognitive spine (CognitiveTurnPipeline) executes the full listen → ingest → understand → recall → think → articulate → learn_proposal → trace sequence deterministically. Every turn produces a SHA-256 trace hash. The UnknownDomainGate fires before any reasoning path for out-of-domain inputs — returning a deterministic stub, not a stochastic fallback. The same Type-Safe Local Closure security model governs these gates: execution logic and sensitive targets live inside local closures that only typed payloads can reach.
The GSM8K math verification gate (generate/derivation/verify.py) evaluates grounding ∧ cue ∧ unit ∧ completeness ∧ uniqueness as typed structural predicates — not "does this look like a correct answer." Current result: 7 correct / 43 refused / 0 wrong. The zero-wrong count is a direct downstream consequence of the Bounded Transition Guarantee — not of tuning or sampling. Inadmissible answers are structurally unreachable, not probabilistically suppressed.
Domain capability is ratified and CI-pinned. Five domains currently hold ratified status; nine eval lanes have SHA-256 pinned reports where any regression breaks the build. The deductive logic lane reports 716/716 correct, wrong=0, refused=0. These numbers are a direct downstream consequence of the Bounded Transition Guarantee — not of tuning or sampling.
CORE is not a frontier model and does not claim to be. It is a substrate architecture — a demonstration that the bounded execution pattern is implementable, testable, and verifiable at non-trivial domain coverage.
If the architectural contrast in §2 resonates — if "does this state transition satisfy the domain guard?" is a more useful safety primitive than "does this text look risky?" for the agentic systems you are building — the question worth a short conversation is this:
Can CORE slot in front of Claude/Fable as a deterministic System 2 verifier substrate through an MCP-shaped interface — and what does that change about refusal quality, trace quality, and operator trust for high-risk tool-use?
This is a narrow, testable experiment with minimal surface area: Claude/Fable acts as System 1 semantic proposer; CORE acts as System 2 bounded executor; deterministic answer/refusal/ask behavior and replayable trace artifacts feed back into safety evaluation. No NDA. No adoption commitment. A bounded technical sanity check on whether the substrate approach is complementary to or in tension with Anthropic's internal agent architecture.
The full implementation is public at github.com/AssetOverflow/core →
The following section is for readers interested in the formal underpinning. Not required to evaluate the architectural argument above.
CORE's field is built over Cl(4,1) Conformal Geometric Algebra. Every element of state is a versor; every transition is a versor sandwich product V * F * reverse(V). The core field invariant is versor_condition(F) < 1e-6 — enforced at all times by algebra, not monitoring.
This is the formal basis for "coherence by construction": illegal field states are not detected and corrected, they are geometrically unreachable. Forbidden normalization sites (e.g., generate/stream.py, field/propagate.py) are enforced by architectural rule, not convention.
Domain capability enters the system through a ratification protocol, not through training or prompt injection. Each domain requires: