25 KiB
Commitment OS Design
Date: 2026-05-25
Purpose
AntiDrift should evolve from a session timer and window-rating tool into a commitment operating system: a personal agency layer that makes computer use explicit, constrained, observable, and resistant to casual tampering.
The system addresses distraction as unconscious context switching, not only as access to bad websites. The guiding rule is:
No unchosen transitions.
The computer should not silently enter unconstrained use. It should be in one of these explicit modes:
- active commitment;
- deliberate transition;
- constrained planning;
- review;
- locked state;
- delayed administrative override.
Tamper resistance is a friction gradient against the user's impulsive self. It is not a perfect security boundary. The goal is to defeat impulsive and casual bypasses, delay deliberate bypasses, and make drift visible.
Architecture
The system has five layers that share a common commitment model.
- Orientation: projects, responsibilities, values, tasks, next actions, energy constraints.
- Commitment: a concrete next action, success condition, allowed context, timebox, and transition policy.
- Live work mode: desktop, browser, terminal, files, ActivityWatch, window tracking, and future evidence sources.
- Containment: a privileged guardian that enforces the selected commitment across the live environment.
- Reflection: session outcomes, drift events, transition reasons, rule adjustments, and planner updates.
The commitment model sits between planning and enforcement. Planner integration can later create commitments from tasks. Enforcement operates on policy snapshots derived from commitments without understanding planner internals.
Threat Model And Scope
The adversary is the same person in a less reflective state. The system should be honest about what local software can and cannot enforce.
| Tier | Bypass effort | Examples | Realistic goal |
|---|---|---|---|
| 0: impulse | less than 1 second | Alt-tab, open browser, type URL, leave desk without choosing transition | Defeat with blocking, prompts, overlays, and explicit transitions |
| 1: casual | seconds | Kill process, stop user service, close app, quit ActivityWatch | Defeat with watchdogs, privilege separation, and restart behavior |
| 2: determined | minutes | Use sudo, edit config, disable systemd units, reboot, manipulate clock | Delay and audit through delayed admin path and break-glass flow |
| 3: premeditated | unconstrained | Boot live USB, GRUB recovery, second device, phone, hardware removal | Out of scope for local software |
In-scope bypasses:
- opening disallowed domains or apps;
- quitting AntiDrift or ActivityWatch;
- stopping user-level services;
- entering unconstrained planning;
- changing rules without delayed admin access;
- crash-looping the user agent;
- malformed policy snapshots;
- clock manipulation attempts visible to the running system;
- unmonitored desk absence after future presence sensing exists.
Out-of-scope or explicitly limited:
- second phones, tablets, or other computers;
- booting from external media or recovery shell;
- physical tampering;
- fully premeditated bypasses with unlimited time;
- coercive monitoring of another person.
Known edge cases to address or scope per implementation stage:
- switching TTYs or desktop sessions;
- Wayland compositor limitations;
- VMs and nested display servers;
- SSH into the same machine;
- browser profiles and extensions;
- Flatpak/Snap application identity;
- multi-user machines;
- multiple monitors, virtual desktops, and tiling window managers;
- direct modification of ActivityWatch data.
Stage 1 does not need to solve every edge case, but it must not pretend they are solved.
Linux Target Environment
The first target is the user's Linux workstation.
Stage 1 should support the current X11-style active-window model already used by AntiDrift through xdotool, plus ActivityWatch evidence when available. If the session is Wayland and active window metadata cannot be collected reliably, the system must surface that as a degraded evidence mode rather than silently reporting false confidence.
Stage 2 should choose concrete Linux enforcement mechanisms per target environment:
- systemd system service for the privileged guardian;
- systemd user service or normal user process for the agent;
- nftables or DNS-level controls for domain blocking;
- window-class interruption where active window details are available;
- ActivityWatch watchdog where ActivityWatch is installed and expected.
Wayland support should be compositor-specific. GNOME Wayland, KDE Wayland, Sway, and Hyprland may need separate adapters. Unknown or unsupported environments should fail into a conservative mode: planning/review may work, but enforcement claims are limited.
Domain Model
The first-pass Commitment concept should be split into three related records.
Commitment
User-facing intent and planning artifact.
Commitment
id
created_at
source: manual | planner | recurring | recovery | template
project_id: optional initially, planner-backed later
template_id: optional
next_action: concrete executable action
success_condition: what counts as done or meaningfully advanced
timebox
transition_policy_id
state: draft | active | paused | completed | abandoned | violated
Only one commitment may be active at a time. Task switches go through Transition and either resume the current commitment, abandon it, or create/select a new one.
PolicySnapshot
Versioned enforcement contract consumed by the guardian.
PolicySnapshot
id
commitment_id
schema_version
created_at
runtime_state: locked | planning | active | transition | review | admin_override
enforcement_level: observe | warn | block | locked
allowed_context
required_monitors
violation_actions
expires_at
generated_by_agent_version
The guardian consumes PolicySnapshot, not planner internals.
SessionRecord And EventLog
Append-only history of what happened.
SessionRecord
id
commitment_id
started_at
ended_at
outcome: completed | partial | abandoned | violated
review_rating
review_notes
EventLog
sequence
timestamp
event_type
commitment_id
runtime_state
payload
previous_hash
hash
The event log is the source for review, audit, and later planner writeback.
Allowed Context Semantics
Allowed context should be explicit and conservative. Stage 1 may only observe or warn, but the matching rules should be defined early so Stage 2 can enforce the same contract.
allowed_context:
window_classes:
match: exact_lowercase
values:
- code
- alacritty
window_titles:
match: substring
values:
- antidrift
domains:
match: exact_or_subdomain
values:
- github.com
- docs.python.org
repos:
match: canonical_path_prefix
values:
- ~/dev/antidrift
commands:
match: executable_basename
values:
- cargo
- git
- rg
Rules:
- Domains include subdomains unless explicitly marked exact-only.
- Full URLs should not be stored by default; store domain and coarse path only when needed.
- Window classes are preferred over titles because titles can contain private data and change frequently.
- Unknown windows are handled by
enforcement_level: record inobserve, prompt inwarn, interrupt inblock, and forceLockedon repeated or severe violations inlocked. - Terminals are hard to classify. Stage 1 may treat terminal windows as allowed based on window class and record command evidence later only when a shell integration exists.
- Child process handling is deferred until command/process enforcement is designed. Stage 2 should not claim process-level policy without cgroups, namespaces, AppArmor, seccomp, or equivalent mechanisms.
- Commitments may use per-resource actions. Example: block social domains, warn on unfamiliar apps, observe unknown terminal commands.
Commitment templates and project defaults should reduce manual allowlist construction:
deep coding;writing;admin;research;rest;- project-specific default repos, apps, and documentation domains.
Time-limited context expansion should be allowed when work legitimately discovers a new need. Expansion must be explicit, audited, and bounded, such as "allow docs.rs for 20 minutes for this commitment."
Runtime State Machine
Runtime state controls what the machine is allowed to do now.
Locked
No valid active commitment. Distracting/default computer use is blocked.
Planning
Constrained UI for inspecting tasks/projects and creating or choosing a commitment.
Active
A commitment is running. Allowed context is available; disallowed context is blocked or interrupted.
Transition
Intentional state change: bodily break, reset, task switch, or session end.
Requires reason, expected duration, and return target.
Review
Session ended. The user rates relevance, marks outcome, and records drift/avoidance patterns.
Admin Override
Privileged change path. Requires delayed admin access and leaves audit evidence.
Legal transitions:
| From | To | Guard | Side effects |
|---|---|---|---|
| Locked | Planning | Planning UI requested | Apply planning policy, start planning timer |
| Planning | Active | Valid commitment and policy snapshot accepted by guardian | Create session record, apply active policy |
| Planning | Locked | Cancel, timeout, invalid policy, or idle | Apply locked policy |
| Active | Transition | Reason, expected duration, and return target provided | Record transition start, apply transition policy |
| Active | Review | Commitment completed, abandoned, or timebox expired | Stop active policy, collect evidence summary |
| Active | Locked | Severe violation, policy failure, or monitor failure | Record violation, apply locked policy |
| Transition | Active | Return before timeout to same commitment | Record return, reapply active policy |
| Transition | Planning | Task switch requested | Mark current commitment paused/abandoned as chosen, apply planning policy |
| Transition | Review | End session requested | Collect review data |
| Transition | Locked | Timeout exceeded or transition policy failure | Record violation, apply locked policy |
| Review | Planning | Continue working | Store review, apply planning policy |
| Review | Locked | End work period | Store review, apply locked policy |
| Any | Admin Override | Delayed admin path completed | Record override, apply requested privileged change |
| Admin Override | Previous/new state | Override ends | Record result, apply selected policy |
Planning must never become unconstrained browsing. It has its own policy:
- only the planning UI, local task data, and approved references are available;
- planning is time-limited;
- evidence collection remains active;
- opening arbitrary browser tabs from Planning is a violation unless explicitly allowed.
Suspend/hibernate and reboot should resume into Locked unless a valid policy can be restored and verified. A violated commitment may be resumed only through Review or Planning; resumption should create a visible event.
Commitment Lifecycle
Commitment state is distinct from runtime state.
| From | To | Guard | Notes |
|---|---|---|---|
| draft | active | Runtime enters Active with accepted policy |
Only one active commitment at a time |
| active | paused | Runtime enters Transition with return target |
Paused does not imply unconstrained use |
| paused | active | User returns before transition timeout | Same commitment resumes |
| active | completed | Success condition met or user completes in review | Requires review |
| active | abandoned | User chooses task switch/end without completion | Requires reason |
| active | violated | Severe or unresolved violation | May force runtime Locked |
| paused | abandoned | Transition becomes task switch/end | Requires reason |
| violated | active | Explicit recovery flow | Audited; not automatic |
| violated | abandoned | Review confirms abandonment | Stored in history |
Guardian IPC Contract
The user agent and guardian communicate through a narrow local API.
Recommended transport: root-owned Unix domain socket with a small JSON-lines protocol. D-Bus can be reconsidered later if desktop integration requires it, but the first design should avoid unnecessary framework surface.
Authentication and integrity:
- The socket path is owned by root and writable only by the expected user/group.
- The guardian checks peer credentials with
SO_PEERCRED. - Messages include
schema_version, monotonic sequence, and request id. - The guardian rejects malformed, unknown-version, stale, or unauthenticated messages.
- Policy changes are logged before and after application.
Minimal API:
ApplyPolicy(PolicySnapshot) -> Result
ReportEvent(Event) -> Ack
GetStatus() -> SystemState
RequestOverride(OverrideRequest) -> OverrideResult
Failure behavior:
- If the agent disconnects while
Active, the guardian keeps the last valid policy for a short grace period, then moves toLocked. - If the agent sends malformed policy, the guardian rejects it and keeps the previous valid policy; repeated malformed policy escalates to
Locked. - If IPC is unavailable, the agent should show degraded state and the system should not claim enforcement.
- If guardian and agent schema versions are incompatible, the system should enter
Lockedwith an actionable error and break-glass instructions.
Enforcement Mechanism Matrix
Stage 2 enforcement should be explicit about feasibility.
| Resource | Stage 1 | Stage 2 candidate | Notes |
|---|---|---|---|
| Domain | observe from ActivityWatch/browser data if available | nftables or DNS-level blocking | Prefer domains over full URLs for privacy |
| App/window | active-window tracking, minimize or overlay | window-class interruption, minimize, SIGSTOP only where safe | Depends on X11/Wayland adapter |
| Agent health | local process check | systemd restart and guardian watchdog | Casual process killing should fail |
| ActivityWatch health | observe availability | guardian restart and escalation after repeated failure | Direct DB tampering only audited if detectable |
| Config changes | local file checks | root-owned config, delayed admin required | Config writes must be audited |
| Commands/processes | mostly out of scope | future shell integration, cgroups, AppArmor, seccomp, namespaces | Do not overclaim early |
| Files/repos | local path metadata | future filesystem policy only if needed | Path allowlists are mostly planning/evidence initially |
| Presence | out of scope | future opt-in sensor events | Requires separate ethics/design review |
Stage 1 should include Tier 0 friction even without privileged blocking:
- full-screen or high-priority overlay on violation where feasible;
- dismissal requires entering a reason;
- explicit transition prompts;
- local event logging tied to the active commitment.
Delayed Admin And Break-Glass Recovery
The delayed admin mechanism is load-bearing and must be concrete before Stage 2 hardening.
Initial assumption:
- daily work happens in a non-admin user account;
- admin access exists in a separate admin account or equivalent path;
- admin access already has a delay, currently about 10 minutes, and can be lengthened;
- privileged enforcement changes require that delayed path.
Actions requiring delayed admin:
- disabling guardian service;
- changing locked policy files;
- changing blocklists or allowlists outside explicit time-limited context expansion;
- uninstalling enforcement;
- disabling watchdog behavior;
- emergency break-glass.
Override requests should be logged at request time and completion time:
OverrideRequest
id
requested_at
requester_user
reason
requested_action
earliest_allowed_at
completed_at
result
Pre-scheduled instant overrides weaken the system. The guardian should reject override tokens or sentinel files created before the current request window unless they are part of the audited delayed-admin protocol.
Break-glass recovery must be independent of the normal agent UI. Example: a privileged command or root-owned sentinel file disables enforcement for 10 minutes after delayed admin access. It must:
- be simple enough to trust under failure;
- be audited;
- have automatic expiry;
- restore normal policy after expiry unless explicitly uninstalled;
- not depend on the user agent being healthy.
Event Log, Tamper Evidence, And Retention
Events should be append-only and bounded.
Recommended initial format: JSON lines with hash chaining.
event_hash = hash(schema_version, sequence, timestamp, event_type, payload, previous_hash)
The log should include:
- policy applications;
- state transitions;
- violations;
- process/monitor failures;
- override requests and completions;
- review outcomes.
Retention and storage:
- rotate logs by size and time;
- enforce max disk usage;
- define behavior when disk is full;
- support export and deletion through delayed admin if enforcement logs are involved;
- include schema version and migration path.
If logging fails:
- non-critical review notes may be skipped with visible warning;
- enforcement/audit events should fail conservative, usually
Locked, unless doing so would create an unsafe machine lockout; - break-glass must still work even when normal logging is impaired, with best-effort emergency log.
Privacy, Ethics, And Data Retention
This is voluntary self-use software. It must not become bossware, parental control software, or coercive monitoring.
Principles:
- local-first storage by default;
- no network transmission unless explicitly configured;
- minimum necessary observation;
- prefer domain over full URL;
- prefer window class over title where possible;
- treat window titles as sensitive because they can contain private messages, documents, or secrets;
- encrypt logs/history at rest if feasible, especially once planner and presence data exist;
- provide retention, deletion, and export tools;
- make data collection visible to the user;
- include first-class
restandexplorationcommitments so legitimate openness and recovery are not treated as failure.
The system should increase agency, not create surveillance anxiety. Presence sensing, camera use, posture detection, and phone pickup detection require a separate opt-in design and ethics review after the core system is useful.
Failure Handling
Failures should have explicit fail-open or fail-closed behavior.
| Failure | Default behavior |
|---|---|
| User agent crash | Guardian restarts agent; if repeated, enter Locked |
| User agent crash loop | Enter Locked, show recovery instructions |
| Guardian crash | systemd restarts guardian; until restored, user agent shows enforcement degraded |
| Guardian crash loop | Fail conservative where possible, but keep break-glass available |
| ActivityWatch stopped | Guardian restarts it; repeated failure escalates to Locked if ActivityWatch is required |
| ActivityWatch unavailable | Run degraded if policy does not require it; otherwise refuse Active |
| ActivityWatch data corrupted | Mark evidence degraded, preserve raw error, continue only if policy allows |
| Policy apply failure | Refuse Active; stay Planning or move Locked |
| Malformed policy | Reject, keep previous valid policy, escalate after repeated failures |
| Disk full/log write failure | Warn; fail conservative for enforcement events; keep break-glass available |
| System reboot | Start in Locked until state is restored and verified |
| Suspend/hibernate | On resume, revalidate timebox and policy; otherwise enter Locked |
| Clock manipulation | Prefer monotonic timers for timeboxes; record wall-clock anomalies |
| OS updates | Require delayed admin or maintenance commitment |
| Emergency interruption | Use transition or break-glass depending on severity |
| Schema migration failure | Enter Locked with recovery instructions |
The primary invariant is:
Without an active valid commitment, the machine cannot silently enter unconstrained use.
Locked, Planning, Transition, And Review UX
Locked state should show a small, reliable UI:
- current status;
- reason for lock;
- option to enter constrained Planning;
- option to review last session if pending;
- break-glass instructions that require delayed admin.
Planning should be useful but constrained:
- local project/task list;
- commitment templates;
- recent commitments;
- allowed local notes or references;
- time limit;
- no arbitrary browsing unless a planning policy explicitly allows it.
Transition should force consciousness into state changes:
- reason;
- expected duration;
- return target;
- optional note;
- timeout behavior.
Review should be difficult to skip:
- mark outcome;
- rate relevance;
- record drift or transition failures;
- update commitment/task state;
- generate next suggested commitment where useful.
Staged Implementation
Stage 1a: Commitment Kernel
- Commitment schema.
- PolicySnapshot schema without privileged enforcement.
- Runtime and commitment state machines.
- Append-only local event log.
- Unit tests for legal and illegal transitions.
Stage 1b: Session UI And Evidence
- Session UI using commitment fields.
- Review flow.
- Activity/window evidence linked to
commitment_id. - Degraded evidence reporting when ActivityWatch or window metadata is unavailable.
Stage 1c: Tier 0 Friction
- Full-screen or high-priority overlay on violation where feasible.
- Dismissal requires deliberate reason entry.
- Explicit transition prompts.
- Unknown-window/domain behavior based on enforcement level.
Stage 2a: Guardian Skeleton
- systemd system service for guardian.
- systemd user service or launcher for agent.
- Watchdog restart behavior for user agent and ActivityWatch.
- Minimal status reporting.
Stage 2b: IPC And Policy Delivery
- Root-owned Unix domain socket.
- JSON-lines protocol.
ApplyPolicy,ReportEvent,GetStatus,RequestOverride.- Schema versioning and malformed-message handling.
Stage 2c: Domain Blocking
- nftables or DNS-level policy application.
- Domain matching semantics.
- Policy rollback on failure.
Stage 2d: App/Window Interruption
- X11 adapter first if current environment is X11.
- Compositor-specific Wayland adapters only after verification.
- Minimize, overlay, or interrupt based on policy.
Stage 2e: Tamper-Evident Logs And Retention
- Hash-chained events.
- Rotation and max disk usage.
- Export/delete path.
- Log failure handling.
Stage 2f: Delayed Admin And Config Lockdown
- Root-owned policy/config.
- Delayed override protocol.
- Break-glass command.
- Uninstall/rollback tooling.
Stage 3a: Project And Task Model
- Projects.
- Tasks.
- Next actions.
- Recurring responsibilities.
Stage 3b: Commitment Templates From Tasks
- Project defaults.
- Work-mode templates.
- Task selection during Planning state.
- Time-limited context expansion.
Stage 3c: Outcome Writeback
- Session outcomes written back to tasks.
- Review suggestions based on drift history.
- Next commitment suggestions.
Future Direction: Embodied And Presence Sensing
Presence sensing is not part of the core roadmap. It may be considered later only if:
- the core system has proven useful;
- the user explicitly opts in;
- data minimization is defined;
- psychological safety is reviewed;
- retention and deletion behavior are explicit.
Potential future events:
desk_absence_started;desk_absence_resolved;posture_warning;phone_pickup_detected.
These should be evidence events, not core dependencies.
Uninstall And Rollback
The system must have a clean removal path.
Uninstall should:
- disable guardian service;
- disable user agent service;
- remove nftables or DNS rules;
- remove root-owned policy/config files after delayed admin confirmation;
- export or delete logs;
- restore normal admin behavior if it was modified for AntiDrift;
- verify that no blocking policy remains active.
Rollback should support returning from a failed upgrade to the previous known-good policy and guardian version.
Testing Strategy
Testing must include bypass resistance, not only happy paths.
Unit tests:
- commitment validation;
- legal and illegal runtime transitions;
- legal and illegal commitment transitions;
- PolicySnapshot generation;
- allowed context matching;
- event hash chaining.
Property tests:
- no unconstrained use without valid active commitment;
- illegal transitions do not mutate state;
- expired policy snapshots are rejected.
Integration tests:
- user agent writes state;
- guardian reads policy;
- simulated window/ActivityWatch events produce expected violations;
- malformed policy is rejected;
- agent disconnect triggers grace period then
Locked; - timebox expiry moves to
RevieworLockedas configured.
Adversarial VM/manual tests:
- kill agent;
- stop ActivityWatch;
- attempt blocked domain;
- malformed policy;
- guardian restart;
- guardian crash loop;
- timebox expiry;
- config change attempt;
- reboot during active commitment;
- suspend/resume during active commitment;
- disk full or log write failure.
Soak and upgrade tests:
- 24-48 hour run with normal use;
- log rotation;
- schema migration;
- downgrade/rollback;
- IPC fuzz tests.
The first implementation plan should target Stage 1a through Stage 1c while preserving the process boundary and data contracts needed for Stage 2 and planner integration.