[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-1232":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":9,"language":10,"languages":9,"totalLinesOfCode":9,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":14,"subscribersCount":14,"size":14,"stars1d":14,"stars7d":14,"stars30d":15,"stars90d":14,"forks30d":14,"starsTrendScore":14,"compositeScore":16,"rankGlobal":9,"rankLanguage":9,"license":17,"archived":18,"fork":18,"defaultBranch":19,"hasWiki":20,"hasPages":18,"topics":21,"createdAt":9,"pushedAt":9,"updatedAt":22,"readmeContent":23,"aiSummary":24,"trendingCount":14,"starSnapshotCount":14,"syncStatus":12,"lastSyncTime":25,"discoverSource":26},1232,"cortex","by-scott\u002Fcortex","by-scott","Cognitive runtime for language models with memory, metacognition, multimodal channels, native plugins, and a self-evolving Executive.",null,"Rust",401,2,3,0,1,1.43,"MIT License",false,"main",true,[],"2026-06-12 02:00:25","\u003Cp align=\"center\">\n  \u003Ch1 align=\"center\">Cortex\u003C\u002Fh1>\n  \u003Cp align=\"center\">\u003Cstrong>Cognitive Harness for Language Models\u003C\u002Fstrong>\u003C\u002Fp>\n  \u003Cp align=\"center\">\n    \u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fby-scott\u002Fcortex\u002Freleases\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fgithub\u002Fv\u002Frelease\u002Fby-scott\u002Fcortex?display_name=tag\" alt=\"Release\">\u003C\u002Fa>\n    \u003Ca href=\"https:\u002F\u002Fcrates.io\u002Fcrates\u002Fcortex-sdk\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fcrates\u002Fv\u002Fcortex-sdk\" alt=\"Crates.io\">\u003C\u002Fa>\n    \u003Ca href=\"LICENSE\">\u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002Flicense-MIT-blue.svg\" alt=\"License\">\u003C\u002Fa>\n  \u003C\u002Fp>\n  \u003Cp align=\"center\">\n    \u003Ca href=\"docs\u002Fquickstart.md\">Quick Start\u003C\u002Fa> ·\n    \u003Ca href=\"docs\u002Fsafe-use.md\">Safe Use\u003C\u002Fa> 
·\n    \u003Ca href=\"docs\u002Fpolicy-profiles.md\">Policy Profiles\u003C\u002Fa> ·\n    \u003Ca href=\"docs\u002Flocal-coding-agent.md\">Local Coding\u003C\u002Fa> ·\n    \u003Ca href=\"docs\u002Flocal-models.md\">Local Models\u003C\u002Fa> ·\n    \u003Ca href=\"docs\u002Fusage.md\">Usage\u003C\u002Fa> ·\n    \u003Ca href=\"docs\u002Fconfig.md\">Configuration\u003C\u002Fa> ·\n    \u003Ca href=\"docs\u002Fplugins.md\">Plugins\u003C\u002Fa> ·\n    \u003Ca href=\"docs\u002Froadmap.md\">Roadmap\u003C\u002Fa> ·\n    \u003Ca href=\"README.zh.md\">中文\u003C\u002Fa>\n  \u003C\u002Fp>\n\u003C\u002Fp>\n\n---\n\nCortex is a local-first runtime surface for long-running AI model work. It gives replaceable models a user-owned operating layer for durable memory, retrieval evidence, tools, permissions, channels, journal\u002Freplay, evaluation, plugin governance, and operator control.\n\nCortex is a cognitive harness substrate for language-model systems. In practice, that means it is infrastructure for driving, observing, evaluating, and hardening model behavior across real interfaces instead of treating one model call as the product.\n\nUse Cortex when you want a local coding, research, or tool-using model workflow whose state stays with you: memory, journals, policies, plugin trust, retrieval corpora, traces, and operator decisions survive model\u002Fprovider changes.\n\nCortex does not claim biological consciousness, biological wisdom, complete prompt-injection defense, hostile multi-tenant hardening, or mature sandbox containment. 
Policy and risk gates improve review and control, but they are not a replacement for OS\u002Fcontainer isolation.\n\n## What It Provides\n\n- Long-running sessions across CLI, HTTP, socket, Telegram, QQ, WhatsApp, MCP, and ACP bridge clients.\n- Actor-scoped identity for sessions, memory, tasks, audit data, transport bindings, and channel subscriptions.\n- Event-sourced runtime state with SQLite WAL, externalized blobs, replay checkpoints, compaction boundaries, side-effect substitution, and replay digests.\n- Durable memory with provenance, trust, owner actor, contradiction links, validity windows, usage outcomes, and graph relationships.\n- RAG evidence that is cited, scoped, taint-aware, reranked, compressed, support-checked, and kept separate from durable memory.\n- Tool execution with declared effects, risk policy, confirmation, preview, verification, commit records, receipts, and rollback posture.\n- Plugin governance for process-isolated JSON tools and trusted native ABI extensions.\n- ACP client support through configured external processes exposed by the `acp_agent` tool.\n- Operator status, journal timelines, token and provider cache read\u002Fwrite tokens, policy simulation, replay, release gates, and dashboard surfaces.\n- Protected runtime-home governance so prompt, config, and state evolution use checked runtime paths rather than ordinary file or script tools.\n\nCortex is not a hosted multi-tenant service. The current distribution is a daemon and Rust workspace for controlled operation of language-model behavior.\n\n## Safe Today\n\nCortex is intended for a trusted local machine, reviewed plugins, and explicit operator control.\n\n| Use | Current guidance |\n|-----|------------------|\n| Personal local coding or research | Recommended, with `balanced` or `strict` permissions. |\n| Reviewed process plugins | Recommended when the manifest, signature, capabilities, and effects have been inspected. 
|\n| Trusted native plugins | Treat as trusted in-process code, not as a sandboxed extension. |\n| Unreviewed plugins, shared machines, or external side effects | Use conservative policies, confirmation, and narrow tool allowlists. |\n| Hostile multi-tenant deployment | Not a current target. |\n\nSee [Safe Use](docs\u002Fsafe-use.md) and [Maturity and Production Notes](docs\u002Fmaturity.md) before enabling broad tools, native plugins, messaging channels, or `open` permissions.\n\n## Install\n\nPrerequisites:\n\n- Linux x86_64\n- systemd\n- one LLM provider key\n\n```bash\ncurl -sSf https:\u002F\u002Fraw.githubusercontent.com\u002Fby-scott\u002Fcortex\u002Fmain\u002Fscripts\u002Fcortex.sh | \\\n  CORTEX_API_KEY=\"your-key\" \\\n  CORTEX_PERMISSION_LEVEL=\"balanced\" bash -s -- install\n```\n\nManage the daemon:\n\n```bash\ncortex demo\ncortex start\ncortex status\ncortex doctor\ncortex restart\ncortex stop\n```\n\nUse Cortex:\n\n```bash\ncortex                            # REPL\ncortex \"summarize this project\"   # one-shot turn\necho \"data\" | cortex \"summarize\"  # pipe input\ncortex --acp                      # ACP bridge for a running daemon\ncortex --mcp-server               # MCP server\n```\n\nSee [Quick Start](docs\u002Fquickstart.md) for the full first-run path, or [Local Coding Agent](docs\u002Flocal-coding-agent.md) for the generated demo fixture.\n\n## Runtime Model\n\nFrom the outside, Cortex is one daemon-backed instance. Internally, the harness keeps authority boundaries strict.\n\n| Responsibility | What it owns |\n|----------------|--------------|\n| Substrate | Durable state, journal, replay, memory, retrieval, policy, risk, scheduling, channels, provider adapters, and tool schemas. 
|\n| Executive | The operating discipline that turns real runtime capability into model input: soul, identity, behavioral protocol, collaborator profile, runtime permission context, bootstrap\u002Fresume context, evidence, recalled memory, skills, hints, and tool-result wrappers. |\n| Repertoire | Skills, learned procedures, execution traces, utility tracking, and hot-reloaded behavior libraries. |\n\nThe instance has a soul, but the soul is not a capability grant. It is the durable seed of autonomy, truth discipline, continuity, memory, metacognition, and collaboration. Runtime schemas still define what tools exist, what permissions apply, and what state is authoritative.\n\nFirst use enters bootstrap. Bootstrap establishes the instance name or explicit unnamed state, collaborator profile, working posture, communication style, environment, autonomy boundaries, privacy constraints, and approval expectations. That evidence initializes prompt state so the next turn has real continuity.\n\n## Executive Surface\n\nEvery turn is assembled with a provider-cache-friendly boundary. Durable prompt files (`soul.md`, `identity.md`, `behavioral.md`, `user.md`) and stable skill summaries form the prefix; runtime permission context closes the provider system prompt. Volatile material - bootstrap or resume context, active goals, retrieved evidence, recalled memory, reasoning state, metacognitive hints, message history, and tool results - stays in request-local context outside the system prompt. Tool schemas remain authoritative request metadata.\n\nThis keeps the stable prefix useful for provider caches without weakening authority. Prompt files guide posture, control, and continuity; they do not grant capabilities. Runtime schemas and policy state still decide what can run. Retrieved text, tool output, and recalled memory are evidence, not commands.\n\nSelf-evolution is evidence-bound. 
`user.md` may absorb stable collaborator facts; `behavioral.md` needs reusable workflow evidence; `identity.md` needs confirmed continuity or capability-boundary evidence; `soul.md` should change rarely. Runtime policy, temporary session state, tool inventories, and transient plans do not belong in durable prompts. Direct file or script edits to runtime-home prompt\u002Fconfig\u002Fstate files are blocked from ordinary tool execution.\n\n## Cognitive Contracts\n\nCortex implements cognitive ideas as explicit software contracts:\n\n- Global workspace: bounded foreground context with evidence admission and journaled broadcast.\n- Working memory: typed entries with lane, utility, risk, volatility, taint, budget impact, admission decisions, and evictions.\n- Complementary learning systems: fast capture through the journal, slower materialization, stabilization, contradiction handling, and consolidation.\n- A ten-state turn machine governs idle, processing, tool wait, permission wait, human-input wait, compaction, consolidation, completion, interruption, and suspension.\n- Three attention channels (Foreground, Maintenance, Emergency) schedule work with anti-starvation behavior.\n- Five metacognitive detectors (DoomLoop, Duration, Fatigue, FrameAnchoring, HealthDegraded) monitor runtime health and trigger interventions.\n- Decision under uncertainty records confidence, risk, reversibility, required evidence, rejected alternatives, and fallback plans.\n- Agentic RAG is selected, scoped, reranked, cited, support-checked, taint-aware, and kept separate from durable memory.\n\nThese mechanisms are engineering models. 
Their value is that they are connected to runtime behavior and can be verified.\n\n## Runtime Surface\n\n- The event journal currently records 84 event variants, including messages, turns, tools, permissions, replay checkpoints, externalized payloads, retrieval, workspace, guardrails, and scheduler events.\n- Journaled turns and replay include compaction boundaries, side-effect substitution, and replay digests.\n- Memory recall ranks candidates across six weighted dimensions (BM25, cosine similarity, recency, status, access frequency, graph connectivity).\n- Goal state is actor-owned, SQLite-backed, exposed through checked `goal\u002F*` JSON-RPC methods, and injected into active turn context as open goal lines.\n- Model routing uses capability profiles for coding, long context, vision, tool use, JSON reliability, latency, cost, safety, and reasoning depth.\n- Operator status reports daemon health, transports, sessions, bindings, tools, last-call context usage, provider cache read\u002Fwrite tokens, cumulative global\u002Fsession token spend, backlog, memory activity, and tool success rates.\n\n## Permissions And Risk\n\nThe default permission mode is `balanced`.\n\n| Mode | Behavior |\n|------|----------|\n| `strict` | Only `Allow` decisions run without confirmation. |\n| `balanced` | `Allow` runs directly; `Review` and above require confirmation. |\n| `open` | Non-blocking tools run without confirmation. Use only on a trusted single-user machine. |\n\n```bash\ncortex permission strict\ncortex permission balanced\ncortex permission open\ncortex policy lint\ncortex policy simulate deploy --effect deploy:production --actor user:alice\n```\n\nUnknown plugin and MCP tools are risk-scored conservatively and require confirmation by default. 
LLM-triggered plugin calls use the same registry, effect preview, permission gate, and approval path as built-in tools.\n\nProcess and script execution are broad escape surfaces, but paired channels are first-class operating surfaces, not reduced-capability shells. With protected runtime roots enabled, ordinary tools may read, write, build, test, and run scripts through the normal permission gate unless the invocation directly targets Cortex instance state such as prompts, config, sessions, journal, memory, or channel runtime files. Native plugin manifests describe package-level trust bounds; LLM permission checks use each tool descriptor's declared effects, so a broad native package does not make every read-only tool look like a process escape. Process-isolated plugin tools are still forced to declare `RunProcess:plugin subprocess` at load time even if a manifest underreports capabilities.\n\n## Retrieval And Memory\n\nCortex separates retrieved evidence from durable memory.\n\nRetrieval material enters corpora, becomes chunks, receives sparse and dense scores, passes actor and access filters, is reranked, compressed, cited, classified by evidence role, and inserted as inert evidence. Retrieved instructions cannot become runtime instructions. The dedicated retrieval crate is `cortex-retrieval`.\n\nMemory is long-lived runtime state. It records owner actor, evidence, trust, status, contradiction links, validity windows, usage outcomes, and graph relationships. 
Memory can move from captured facts to stabilized beliefs only when evidence and contradiction rules allow it.\n\n## Interfaces\n\n| Interface | Surface |\n|-----------|---------|\n| CLI | `cortex`, `cortex demo`, `cortex start`, `cortex status`, `cortex doctor`, `cortex restart`, `cortex stop` |\n| HTTP | `POST \u002Fapi\u002Fturn\u002Fstream`, operator status, health, metrics, and dashboard routes |\n| JSON-RPC | Unix socket, WebSocket, stdio, HTTP, and actor-scoped session\u002Fmemory\u002Ftask\u002Fgoal methods |\n| Channels | Telegram, QQ, WhatsApp |\n| MCP | `cortex --mcp-server` |\n| ACP bridge | `cortex --acp` |\n| ACP client | `[acp].clients` + `acp_agent` tool |\n\nActor identity is canonicalized across transports. A paired Telegram or QQ user can share the same actor without subscribing to unrelated sessions. Pairing does not create a session by itself; the first real message after approval reuses a visible session for the same actor or creates one when none exists.\n\n## Plugins\n\nCortex supports two plugin boundaries:\n\n- Process JSON: the default external boundary. Tools are declared in `manifest.toml` and invoked as child processes over stdin\u002Fstdout JSON.\n- Trusted native ABI: low-latency in-process extensions built with `cortex-sdk` and exported through `cortex_plugin_init`.\n\nProcess-isolated command implementation changes apply on the next tool invocation. Shared-library code changes still require a daemon restart.\n\nPlugin manifests declare trust tier, requested capabilities, sandbox profile, package metadata, signatures, SBOM\u002Frisk-profile references, conformance state, and tool effects. Operators can inspect and test a plugin before install:\n\n```bash\ncortex plugin review \u003Cdir>\ncortex plugin test \u003Cdir>\ncortex plugin install \u003Cdir-or-package>\n```\n\nPackaged installs (`.cpx`, URL, or GitHub release name) require an Ed25519 package signature. 
The first verified package from a publisher key prompts the operator to trust that key locally; non-interactive installs can use `--yes` only after the source and fingerprint have been reviewed.\n\nThe companion development plugin is [`by-scott\u002Fcortex-plugin-dev`](https:\u002F\u002Fgithub.com\u002Fby-scott\u002Fcortex-plugin-dev). It is the official reference plugin for coding and project-maintenance workflows: file and search operations, code-symbol indexing, diagnostics, git\u002Fworktree tools, task coordination, Docker and process inspection, and release-oriented quality checks.\n\n```bash\ncortex plugin install by-scott\u002Fcortex-plugin-dev --yes\n```\n\nThe Rust SDK is independent of Cortex internals. It does not depend on `cortex-types`, `cortex-kernel`, or any other workspace crate. The daemon converts SDK DTOs to internal runtime types at the boundary.\n\nSee [Plugin Development Guide](docs\u002Fplugins.md) for process and native plugin workflows.\n\n## Repository\n\n```text\ncortex-app          CLI, installation, service commands, plugins, channels\ncortex-runtime      daemon, HTTP\u002Fsocket\u002Fstdio RPC, sessions, channels, dashboard\ncortex-turn         turn orchestration, tools, skills, metacognition, context assembly\ncortex-kernel       journal, replay, memory, graph, prompts, config, audit\ncortex-retrieval    RAG corpora, chunking, hybrid retrieval, support verification\ncortex-types        events, state machine, config, trust, policy, security DTOs\ncortex-sdk          independent trusted native plugin SDK\n```\n\n## Development\n\nThe repository Docker environment is the release authority.\n\n```bash\n.\u002Fscripts\u002Fgate.sh --docker\n```\n\nThe gate uses this repository's `docker-compose.yml` `dev` service and `Dockerfile`, whose release toolchain base is `rust:latest`. 
Host `cargo` commands are useful for diagnosis, but they are not release proof.\n\nRelease validation requires:\n\n- `cargo fmt --all --check` has no diff.\n- `cargo clippy` runs for the workspace with `-D warnings -W clippy::pedantic -W clippy::nursery` and reports zero warnings.\n- `cargo test` passes for the full workspace.\n- Rust warning suppression attributes and compiler warning-suppression flags are forbidden.\n- Documentation, package surface, secret\u002Fpath, and release-asset checks pass.\n\n## Documentation\n\n- [Quick Start](docs\u002Fquickstart.md)\n- [Safe Use](docs\u002Fsafe-use.md)\n- [Policy Profiles](docs\u002Fpolicy-profiles.md)\n- [Local Coding Agent](docs\u002Flocal-coding-agent.md)\n- [Local Models](docs\u002Flocal-models.md)\n- [Usage](docs\u002Fusage.md)\n- [Configuration](docs\u002Fconfig.md)\n- [Executive](docs\u002Fexecutive.md)\n- [Operations](docs\u002Fops.md)\n- [Agent Maintenance](docs\u002Fagent-maintenance.md)\n- [Release Evidence Template](docs\u002Frelease-evidence\u002Ftemplate.md)\n- [Plugin Conformance Template](docs\u002Fplugin-conformance-template.md)\n- [Prompt-Injection Corpus](docs\u002Fprompt-injection-corpus.md)\n- [Actor Leakage Corpus](docs\u002Factor-leakage-corpus.md)\n- [Replay Migration Corpus](docs\u002Freplay-migration-corpus.md)\n- [Plugin Development](docs\u002Fplugins.md)\n- [Retrieval](docs\u002Fretrieval.md)\n- [Maturity and Production Notes](docs\u002Fmaturity.md)\n- [Testing](docs\u002Ftesting.md)\n- [Roadmap](docs\u002Froadmap.md)\n\n## Trust Boundaries\n\nCortex is runtime infrastructure. Process JSON plugins are the recommended external extension boundary. Trusted native ABI plugins execute inside the daemon process and must be treated as trusted code.\n\nTool outputs are recorded as external untrusted input before they enter model history. Guardrails classify common prompt-injection, system-prompt leakage, role-override, and exfiltration patterns. 
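Policy linting rejects unsafe combinations such as open permissions with unreviewed plugins, native plugins without explicit risk profiles, and automatic memory extraction from hostile evidence.\n\nThe project is designed to make these boundaries visible. It does not claim complete containment for hostile tenants, untrusted native code, or tools that mutate external systems.\n\n## License\n\n[MIT](LICENSE)\n","Cortex is a cognitive runtime environment designed for language models, supporting memory, metacognition, multimodal channels, native plugins, and a self-evolving Executive. The project is written in Rust and provides durable memory, retrieval evidence, tool permission management, and related features, and lets users hold long-running sessions through multiple clients (such as CLI, HTTP, and Telegram). Its core is a user-controlled operating layer for AI models, so that a model's state (including memory, journals, and policies) exists independently of the model itself. It suits scenarios that need local coding, research, or tool use, especially where workflow continuity must be preserved when the model or service provider changes.","2026-06-11 02:42:27","CREATED_QUERY"]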