Backstage
Backstage: Governance, Sold Separately (2026-06-23 .. 2026-06-24)
Internal product-intake companion to the public digest. Not for publication. What Bitter and Factory should learn from this window's research and from introducing heypi to the watchlist.
The load-bearing intake: the authority shell is a product category now
heypi is the clearest external evidence yet that the market is unbundling the agent loop from the authority shell around it. Pi ships the loop and refuses governance; heypi packages approvals, audit, sandboxing, and secret handoff as a separate framework that depends on Pi. This is the exact decomposition Bitter has been building toward internally (the harness is replaceable; the run contract, receipts, and approvals are the durable product).
Bitter implication. heypi is a direct external referent for the
wrap-vs-refuse question. The parts worth studying as design precedent: the
adapter-local permissions model (approver/admin identity scoped per chat
surface, not globally), the typed trace event record (messages/turns/tool
calls/approvals as structured events with secret redaction), and the encrypted
secret handoff that keeps credentials out of the transcript and model context.
The part worth refusing to copy: shipping the headline governance controls
off by default. Bitter's posture should be the inverse -- approvals and
receipts on by default, with opt-out being the explicit, logged operator choice.
If Bitter ever exposes a chat-ops surface, heypi is the build-vs-buy comparison.
Declared vs enforced, again -- now at the framework-positioning layer
Last window's lesson (a permission feature is not a permission boundary until something refuses the disallowed action) recurs here one level up. heypi's "approvals" are a documented primitive that does not bind by default; EVE's "approval gates" are a marketing claim its feature docs do not yet substantiate.
Bitter implication. When Bitter ingests a competitor/peer capability claim ("framework X has approvals"), the capability-profile entry must record the enforcement state: on-by-default | opt-in-primitive | marketing-only | undocumented. The same "enforcement verified" bit recommended last window for authority features applies to whole frameworks' governance claims. heypi = opt-in-primitive; EVE approval-gates = marketing-only (as of 2026-06-19 docs). Do not let either into a capability profile as "has approvals" without the qualifier.
Secret membrane: a clean external model with a stated boundary
heypi's secret_request (client-side WebCrypto, never to chat history or model)
is a good externalization of the "credential never transits the prompt" rule, and
it is honest that secrets rest as plaintext-readable files in the runtime
workspace.
Bitter implication (BitterPass / BitterGrid). This is a usable reference for the wake-packet credential-scope membrane: encrypt-in-transit-to-the-runtime is solved; the at-rest exposure (anything that can read the workspace can read the secret) is exactly the gap a Bitter run contract should close with workspace isolation it owns and can attest. Treat heypi's at-rest caveat as the requirement, not the design.
Channel-as-evidence holds across a third window
The merged-vs-shipped gap (amendment 010) is now visible across three consecutive
windows and on the newest entrant. OpenHands' 2026-06-23 dependency-CVE batch is
main-only with no tag; Codex's 0.143.0 is alpha-only; Agent Zero's backlog is on
ready untagged; heypi's newest fixes are post-beta on main. Even a brand-new
governance product exhibits the pattern.
Bitter implication. The channel field on capability claims (amendment 010,
ratified) is doing real work; this window is more confirmation. For the OpenHands
CVE batch specifically: an adapter or eval that assumes "OpenHands patched
CVE-2026-44727" is wrong for any operator on the 1.8.0 tag. Capability-profile
default = tagged state unless the operator is known to run main.
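A sketch of how the enforcement-state qualifier and the channel field could gate what an adapter or eval is allowed to assume. This is an added example, not Bitter's schema: the names Claim and status, the field names, the channel ordering, and the sample channel values are assumptions.

```python
from dataclasses import dataclass

# Enforcement vocabulary is the memo's; field names and channel ranks are assumed.
ENFORCEMENT = {"on-by-default", "opt-in-primitive", "marketing-only", "undocumented"}
CHANNEL_RANK = {"tagged": 0, "prerelease": 1, "main": 2}  # assumed ordering


@dataclass(frozen=True)
class Claim:
    source: str
    capability: str
    enforcement: str  # required qualifier: no bare "has approvals" entries
    channel: str      # most stable channel that carries the capability

    def __post_init__(self):
        if self.enforcement not in ENFORCEMENT:
            raise ValueError(f"{self.source}/{self.capability}: enforcement state required")
        if self.channel not in CHANNEL_RANK:
            raise ValueError(f"{self.source}/{self.capability}: unknown channel {self.channel!r}")


def status(claim: Claim, operator_channel: str = "tagged") -> str:
    """What may be assumed for an operator; the default operator runs the tagged release."""
    if CHANNEL_RANK[claim.channel] > CHANNEL_RANK[operator_channel]:
        return "not-on-operator-channel"
    if claim.enforcement == "on-by-default":
        return "enforced"
    if claim.enforcement == "opt-in-primitive":
        return "available-not-enforced"
    return "unverified-claim"  # marketing-only or undocumented


# Constructed sample profile. The heypi and EVE enforcement states and the
# main-only CVE fix follow the memo; the remaining values are placeholders.
PROFILE = [
    Claim("heypi", "approvals", "opt-in-primitive", "tagged"),
    Claim("EVE", "approval-gates", "marketing-only", "tagged"),
    Claim("OpenHands", "CVE-2026-44727 patched", "on-by-default", "main"),
]

if __name__ == "__main__":
    for c in PROFILE:
        print(f"{c.source:10} {c.capability:24} tagged={status(c)} main={status(c, 'main')}")
```

For an operator on the tagged release, none of the three sample entries resolves to "enforced"; the CVE entry only does so when the operator is known to run main.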
Factory relevance
- heypi: factory_relevance: low. It is a single-host, self-hosted team-chat framework, not an allocation or control-plane surface. Its interest to Factory is as a market-shape data point (the authority shell is productizing) and as a design referent for adapter-local permissions, not as an allocator input.
- OpenHands dependency-CVE batch: factory_relevance: none directly; security_posture intake only (which channel is patched).
- No allocation story this window. Do not manufacture one. The window's value is the category observation and the heypi profile, not Factory signal.
Council / doctrine follow-up
- Watchlist expansion. heypi was added to sources/index.yml (tier 1, daily) by operator direction during this run. The canonical watchlist in AGENTS.md, CHARTER.md, and RESEARCH_CONTRACT.md still names the original nine plus Flue; the loop must not self-commit that doctrine change. Drafted as a proposed amendment in charter/proposed/ (heypi addition + the governance-shell / authority-shell research facet). Ratify or revise in a human/doctrine pass.
- A new research facet may be warranted: "authority shell as product" -- the governance/approval/audit layer sold or built separately from the harness. heypi is its calibration source the way OpenClaw calibrates accessibility and Paperclip calibrates control-plane. Folded into the proposed amendment.
- Enforcement-state qualifier on capability claims (on-by-default | opt-in | marketing-only | undocumented) -- surfaced above; candidate for a future schema note if it recurs.
Run-quality notes
- Harness: 3 parallel Opus researchers + 1 historical-correction agent + 1 read-only site auditor, into a shared JOURNAL.md; coordinator synthesis; Codex technical critique and an Opus voice pass before publication. The historical-correction agent fixed a real regression (the prior run's 132 dangling finding refs; integrity now clean) -- worth standing as a pre-publication step: run check-integrity.mjs at the START of a cycle, not only the end.
- The site auditor grounded the render pipeline empirically (marked v17 autolinks body URLs; the operator_brief frontmatter does not) and isolated a real, recurring link defect. The template fix (Workstream C) prevents recurrence.
- Window was honestly thin; the digest leads with the heypi introduction and the cross-provider category thesis rather than padding the watchlist.