Deployment safety
OSuite System Card
The system card is the deployment-safety companion to the PCAA paper. It explains what OSuite is intended to govern, which threats it targets, and what release discipline should exist around production use.
Why
A governance paper is not enough. Operators also need a deployment-safety document.
OSuite now separates research claims from deployment claims. The paper explains the action-certificate primitive. The system card explains intended use, threat model, runtime coverage, safeguards, and release gates.
Scope
Govern high-value runtime actions, preserve replayable evidence, and export assurance material without tying trust to one model vendor or runtime shell.
Frame work across OpenAI-compatible gateways, managed agent platforms, framework SDK runtimes, tool-hook runtimes, and observer imports.
Threat model
Threats: action misuse, approval bypass, evidence tampering, cross-workspace leakage, delegated authority abuse, spoofed trust materials, and insecure runtime bridges.
Safeguards: canonical action envelopes, decomposed risk, uncertainty-aware escalation, workspace admission, signed plugins, replayable evidence, and runtime authority separation.
Release gates
Production release should be backed by governance-eval coverage, replay verification, approval latency and evidence-completeness metrics, plus explicit disclosure of partial-coverage runtime families. This is the discipline that turns governance from a feature set into a deployable operating layer.