Twenty-three repeatable principles this site applies to every essay, every build, every trend
evaluation. They are not invention claims; they are study notes surfaced from public research,
public engineering practice, and reference builds. Unsupported principles leave the catalog.
Each axiom carries a tier — Law, Gate, Constraint, Guidance, Heuristic. The
tier marks mechanical enforcement or advisory guidance. The constitution section below
explains the tier system, the governance scope hierarchy, and auditable override semantics.
Catalog
The Axioms
The constitution and self-judgment establish the rules. The catalog below shows the
23 working principles themselves, one by one.
Most architectural problems have multiple solutions at different stack layers. The right choice is usually the smallest lever: least machinery, fewest broken neighbors, actual problem solved. A longer prompt before fine-tuning. A workflow before an agent. Plain function calling before MCP. The smallest lever ships faster, fails more visibly, and stays easier to reason about a year from now.
Where it shows up: Inaugural Determinism Ladder essay; the central decision-making frame across the stack.
Every lever in the agentic stack swaps a unit of model autonomy for a unit of determinism. The engineering job pushes as much work as possible out of raw model guessing and into known, repeatable execution. Right layer, more predictability. Wrong layer, brittle cost.
Where it shows up: The determinism-ladder spine running through every essay.
Never scale unmeasured work. Never measure unrefined work. Never refine unprobed work. The discipline runs forward (cheap probes before expensive optimization) and backward (every scaling step traceable to justifying measurement). Skipping a step compounds.
Where it shows up: Engine Audit operating prompt. Applied to every system the practice ships.
Generate, Verify, Refine — before commit. Before output ships into a repo, article, workflow, or customer-facing artifact, it passes through deliberate verification, often by a different model family or lens than the generator. GVAR is a site-publishing adaptation of this public pattern, not an originality claim. The pattern has public scale evidence: DeepMind's Aletheia (Feb 2026) applies a Generator -> Verifier -> Reviser loop to research-level mathematics, reaching about 90% on IMO-ProofBench Advanced and producing autonomous solutions to four open Erdos problems.
Where it shows up: Engine Audit prompt; the GVAR verification engine; this axioms page. Mechanically enforced by scripts/validate-verification.js — the build refuses to ship an essay without a panel-verified or pending-panel status.
A green status check differs from proof of work. Pair "running" with sentinels: heartbeat events, output-size assertions, drift monitors, idle-detection alerts. A workflow claiming "running" while producing no output creates the most expensive failure mode in the stack: silent and confident.
Where it shows up: Engine Audit prompt — the most-cited rule in production-ops postmortems.
When a system runs out of memory, the first reach usually optimizes allocator-adjacent code. Reverse it. Cut the working set first: smaller batch, smaller model, smaller cache, smaller chunk. Tune only what survives. Cheapest optimization: stopped work.
Where it shows up: Engine Audit prompt; pod-lifecycle policy.
Recurring problems needing human attention indicate system bugs. Encode escalation; avoid human mental backlogs. Backlogs degrade. Code persists. Escalation rules in code become tested, version-controlled, and observable; backlogs become tribal knowledge walking out the door.
Where it shows up: Engine Audit prompt; the operating principle behind n8n schedulers + scheduled tasks.
Before deviating from a known-good pattern, prove the known-good pattern works in the local environment. Most "recipe failed here" stories become environment problems hidden by customization. The canonical recipe is the diagnostic baseline; deviation without validation destroys debugging ability.
Where it shows up: Engine Audit prompt; standard practice on n8n node configurations and SDK calls.
Every deliverable starts with the done test. Acceptance criteria first, implementation second, validation third. The discipline forces clarity on "done" before any line of code or prose exists. The backlog follows this shape: every task lists ACs and definition-of-done.
Where it shows up: The backlog/tasks/ folder; the AC TDD chains for GVAR and the SDK comparison.
Open with concrete pain. Six weeks fine-tuning the wiki vs. two afternoons of RAG. The team hitting OOM at 3am. The chatbot confidently quoting last month's prices. Specifics turn architecture writing from abstract advice into earned wisdom. Claims without stories usually need more practice before earning the page.
Where it shows up: Editorial pattern in every essay published on the site.
Every quantitative claim, every named product, every "common knowledge" assertion with error risk needs a source or explicit source gap. The discipline is more honest than "trust the number," and it builds compounding credibility over years. No source? Say so. Source gaps build more trust than unsourced certainty.
Where it shows up: Verifier persona prompts in the GVAR engine. Editorial standard for the series.
Apply the "smallest lever wins" rule even at the AI layer itself. Most teams reach for a bigger model when a better prompt would have done. Then a longer system prompt. Then RAG. Then fine-tuning. Then an agent. Then a different model family. The model swap is the most expensive lever, not the easiest — keep it last.
Where it shows up: Specialization of axiom #1 to the AI stack.
Never ship a system without a written account of how it breaks. The most-trusted production systems have owners able to describe failure modes precisely. This description also becomes the requirements doc for eval / observability catching failures. Failure-mode-first is monitoring-first.
Where it shows up: Determinism Ladder series matrix column "Common failure mode"; the eighth-lever essay.
Before reaching for the protocol, the framework, or the platform — name two cheaper alternatives and explain why they don't fit. CLIs before MCP servers. Plain function calling before agent loops. SQLite FTS before vector RAG. The discipline filters out architecture done for prestige.
Where it shows up: Generalized from the inaugural essay's MCP "cheaper alternatives first" callout.
What persists across calls is the actual architecture. Everything else is leaves. When a system feels confused, inspect memory between turns — the spine. Stateful design stays invisible until breakage; after breakage, state becomes the only thing mattering.
Where it shows up: GVAR engine state schema; LangGraph design discussion.
The meta-axiom running through everything the practice produces. Public comment without working proof becomes commodity content. Curated lists without applied evaluation become a blogroll. The differentiator and discipline: every reading gets a build testing it. Every recommendation gets an axiom-applied scorecard. The body of work itself becomes qualification.
Where it shows up: The strategy spine. Every weekly essay + build embodies this.
Every layer of an agentic system has an attack surface: prompt injection at the user boundary, data exfiltration through tool calls, token theft via context disclosure, supply-chain compromise of inference endpoints, jailbreaks engineered against model training. Threat-model BEFORE architecting, not after first compromise. The cheapest security is the unexposed layer. Every architectural decision in the determinism ladder pairs with this question: what does an adversary at this layer cost the system?
Where it shows up: MCP design doc (failure-mode section); model-portability essay (regulated-industries case); future essays on prompt injection, supply-chain risk, data residency. Every tool-use surface in every build the practice ships.
Cloud-managed AI APIs trade architectural autonomy for vendor determinism. Self-hosted open-weight models reverse the trade. Hybrid splits the difference. Data residency, latency budget, model specialization, security posture, and cost govern the right choice — not defaults. Deployment context is a first-class architectural decision, not a downstream consequence. Pick it before the model, prompt, or framework. Every other lever in the stack assumes prior deployment-context choice.
Where it shows up: Model-portability essay (the five exceptions are all deployment-context constraints); MCP design doc (CF Worker hosted + npm stdio dual-deploy); future essays on regulated-industry deployments, hybrid inference, edge AI.
Governance flows downhill. Every lower scope — enterprise under platform, project under workspace, run under project, session under user — inherits laws, gates, constraints, and guidance from every scope above it, and may not silently weaken them. A child scope can specialize, tighten, or extend. It cannot pretend an inherited rule vanished. Every override needs a name, bound, version, review path, and explicit authorization by a parent-declared override slot. If the system cannot explain the override — actor, reason, expiry, compatible semantics — the override does not exist. This constitutional layer turns a multi-tenant agentic platform into a deterministic policy map instead of opinionated agents arguing about applicable rules.
Where it shows up: The Platform Governance Inheritance doctrine (Nemotron, 2026-05-03). MCP Worker control plane enforces it mechanically: every canonical write resolves an effective_policy_snapshot from platform→leaf chain and rejects child writes weakening parent LAW or removing inherited GATE.
Models propose meaning. Schemas, constraints, validators, and lifecycle rules decide commit eligibility. The smartest agent cannot legalize a write violating an invariant the architecture cares about, and the architecture should make the invariant unreachable, not just unlikely. Build the integrity layer first. Let the model propose against it. Reverse the order and model confidence becomes a vector for catastrophic writes; better models worsen the failure mode because proposed mutations look plausible until state corruption. The discipline matches serious databases: foreign keys, check constraints, transactions, audit tables — they enforce instead of trusting the application.
Where it shows up: The Platform Governance Inheritance doctrine (Nemotron, 2026-05-03). Constitutional layer above #4 GVR — GVR is the operating procedure; this is the architectural commitment making GVR meaningful.
Tenant. Enterprise. Workspace. Project. User. Every scope must become explicit before any canonical write, cross-scope edge, or agent action touching data. The most expensive multi-tenant bugs hide implicit scope: writes landing in the wrong customer's data after no customer resolution, or queries crossing boundaries after session context inference. Scope is not metadata; scope is the address. Resolve scope before action, and prove the resolution in the audit trail. Cross-scope edges require declared policy on both sides — tenant boundaries described in code become tenant boundaries defensible in court.
Where it shows up: The Platform Governance Inheritance doctrine (Nemotron, 2026-05-03). Enforced at the action_envelope boundary: every canonical write must resolve at least one concrete target descriptor before policy evaluation, and multi-target actions satisfy the intersection — not the union — of applicable policies.
Actor identity tells source. Target identity tells law. The same agent invoking the same tool may proceed against one resource and fail against another; target-selected policy governs action, not caller trust. This frames confused-deputy bugs: abstract deputy authorization does not answer resource-specific authorization. Trusting actor while ignoring target creates the architectural shape behind excessive-agency incidents in the OWASP LLM Top 10. Resolve concrete target descriptors first. Look up policy governing THEM. Then evaluate action.
Where it shows up: The Platform Governance Inheritance doctrine (Nemotron, 2026-05-03). The formal frame behind the confused-deputy essay (/learn/2026-04-27-cheaper-alternatives-to-mcp). Enforced by validate_policy_mutation: every high-risk mutation must carry concrete target_descriptor + effective_policy_snapshot_id before persistence.
A frontier model produces evidence about possible answers. A verifier panel produces evidence about answer durability. An agent loop produces evidence about task-closing action. None produce decisions. Deterministic rules make decisions: schemas validate, contracts constrain, oracles adjudicate, gates block. Confident models deciding alone mirrors the loudest person winning a meeting; confidence and correctness diverge in both cases. Architecture needs gates the model must pass through. Name the gate. Write the rule. Surface evidence to the gate. Let the rule decide.
Where it shows up: The Platform Governance Inheritance doctrine (Nemotron, 2026-05-03). The constitutional principle behind the GVAR engine (#4) and the "ship with the failure mode named" gate (#13). Operationalized by the Tribunal layer, the oracle adjudication step, and the policy_mutation_validation contract.
