# TFBthumb Beta — What This Does Not Promise

A bounded set of capabilities was independently verified. Everything else is out of scope by default and stays out of scope until a separate, named, verified extension says otherwise.

These limits apply to every endpoint in the [API reference](API.md) and to every run executed under any TFBthumb beta key.

## What is verified (the bounded-claim set)

- Continuous perception substrate (DOM mutations, network in-flight, animations, accessibility tree) fused into one stream.
- Stable-element-id resolution; the substrate addresses affordances by accessible name, never by guessed coordinates.
- Settle-by-observation; the substrate never reports `settled` until it observes quiescence on every signal.
- Action gate (the Ceiling) refuses to dispatch a consequential intent without a single-use human-minted token.
- Effect gate (the Sentinel) refuses to let a mutating wire request reach the server unless it was covered by an approved consequential intent or has its own token.
- Hash-chained, fsync'd ledger; byte-level tamper detection.
- Ed25519 verifier-closure custody; the verifier handed to the Ceiling holds only the public key.
- Continuous-perception receipt of correctness: TFBthumb 0 flakes out of 200 vs. a screenshot-diff baseline of 130 flakes out of 200 on the canonical harness.
- Per-decision token economy: 7.7× fewer tokens, 55× fewer bytes than a screenshot loop.
- Brain-layer refusal on DOM swap-attacks at the reversible tier; Ceiling-layer refusal at the consequential tier.
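
The hash-chained, fsync'd ledger claim above, as an added illustration that is not TFBthumb's own code: a minimal append-only ledger in which every entry's hash covers the previous entry's hash, each append is fsync'd before it returns, and a verifier walks the chain and reports the index of the first entry whose bytes no longer match. The line format, the `Ledger`/`verify_ledger`/`flip_byte` names and the sample receipts are all constructed for the example.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # prev-hash carried by the first entry


def entry_hash(prev_hash: str, payload: bytes) -> str:
    """Bind an entry to its predecessor: SHA-256(prev_hash || payload)."""
    h = hashlib.sha256()
    h.update(prev_hash.encode("ascii"))
    h.update(payload)
    return h.hexdigest()


class Ledger:
    """Append-only, hash-chained ledger: one entry per line, prev<TAB>hash<TAB>payload."""

    def __init__(self, path: str):
        self.path = path
        self.prev_hash = GENESIS
        if os.path.exists(path):  # resume from the current head of an existing ledger
            with open(path, "rb") as f:
                for line in f:
                    self.prev_hash = line.rstrip(b"\n").split(b"\t")[1].decode("ascii")

    def append(self, record: dict) -> str:
        # Canonical JSON so an identical record always hashes identically; json.dumps
        # escapes tabs and newlines, so a payload can never break the line format.
        payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")
        digest = entry_hash(self.prev_hash, payload)
        line = b"\t".join([self.prev_hash.encode("ascii"), digest.encode("ascii"), payload]) + b"\n"
        with open(self.path, "ab") as f:
            f.write(line)
            f.flush()
            os.fsync(f.fileno())  # durable on disk before append() returns
        self.prev_hash = digest
        return digest


def verify_ledger(path: str) -> int:
    """Return -1 if the chain is intact, else the 0-based index of the first bad entry.

    One flipped payload byte changes that entry's hash; rewriting a stored hash breaks
    the next entry's prev pointer. Truncating the tail is the one edit this check alone
    cannot see, which is why the head hash should also be anchored outside the file.
    """
    expected_prev = GENESIS
    with open(path, "rb") as f:
        for index, raw in enumerate(f):
            parts = raw.rstrip(b"\n").split(b"\t", 2)
            if len(parts) != 3:
                return index
            prev = parts[0].decode("ascii", "replace")
            digest = parts[1].decode("ascii", "replace")
            payload = parts[2]
            if prev != expected_prev or entry_hash(prev, payload) != digest:
                return index
            expected_prev = digest
    return -1


def flip_byte(path: str, line_index: int, offset: int) -> None:
    """Constructed tampering for the demo: XOR one payload byte of one entry in place."""
    with open(path, "rb") as f:
        lines = f.read().split(b"\n")
    prev, digest, payload = lines[line_index].split(b"\t", 2)
    payload = bytearray(payload)
    payload[offset] ^= 0x01
    lines[line_index] = b"\t".join([prev, digest, bytes(payload)])
    with open(path, "wb") as f:
        f.write(b"\n".join(lines))


def demo() -> dict:
    """Write three constructed receipts, verify, tamper one byte, verify again."""
    path = os.path.join(tempfile.mkdtemp(), "ledger.log")
    ledger = Ledger(path)
    ledger.append({"run": 1, "event": "intent", "tier": "reversible"})
    ledger.append({"run": 1, "event": "ceiling", "decision": "refuse"})
    head = ledger.append({"run": 1, "event": "settled"})
    intact = verify_ledger(path)           # -1: chain intact
    resumed_head = Ledger(path).prev_hash  # reopening resumes from the same head
    flip_byte(path, 1, 4)                  # corrupt one byte inside entry 1's payload
    tampered = verify_ledger(path)         # 1: first bad entry is entry 1
    return {"intact": intact, "head": head, "resumed_head": resumed_head, "tampered_at": tampered}


if __name__ == "__main__":
    print(demo())
```

The verifier reports where the chain first breaks rather than only that it broke, which is what an auditor needs when reconciling a downloaded receipt set against the run it claims to describe.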

## What is explicitly NOT promised

### Browser scope
- **Single tab only.** Multi-tab workflows are out of scope. A run is one Page object against one origin.
- **No cross-origin iframe orchestration.** The substrate sees only the top-level document.
- **No closed shadow root introspection.** Open shadow roots are pierced; closed roots are invisible to the sensor by Web Platform design.
- **No webview / Electron / extension surfaces.** Beta runs in a sandboxed headless Chromium against public web URLs.

### Effect coverage
- **GET-with-side-effects is not covered at the wire gate.** The Sentinel covers POST/PUT/PATCH/DELETE explicitly; an action that mutates server state via GET (a common anti-pattern; sometimes legitimate for tracking pixels) bypasses the wire gate. The action gate may still classify the click as consequential; that is a softer guarantee.
- **Wire gate covers requests issued from the page context only.** Beacon/sendBeacon and Worker-issued requests count as page-issued and carry the same coverage; non-page-issued telemetry (e.g., a browser extension on a logged-in customer's instance) is not in scope.
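
The two effect-coverage limits above in runnable form, as an added illustration that is not TFBthumb's own code: a toy Sentinel that blocks POST/PUT/PATCH/DELETE unless an approved consequential intent or an unspent single-use token covers them, lets any GET through regardless of what it does server-side (the documented gap), and never sees extension-issued traffic at all. The `Sentinel`/`WireRequest` names, the initiator labels, the verdict strings and the sample requests are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

MUTATING_METHODS = frozenset({"POST", "PUT", "PATCH", "DELETE"})
# Initiators the gate can see. Beacon/sendBeacon and Worker requests count as
# page-issued for coverage purposes; extension traffic never passes the gate.
PAGE_INITIATORS = frozenset({"page", "beacon", "worker"})


@dataclass(frozen=True)
class WireRequest:
    method: str
    url: str
    initiator: str                   # "page", "beacon", "worker" or "extension" (assumed labels)
    intent_id: Optional[str] = None  # consequential intent this request was issued under
    token: Optional[str] = None      # the request's own human-minted token, if any


@dataclass
class Sentinel:
    approved_intents: set = field(default_factory=set)  # intent ids the approver said yes to
    minted_tokens: set = field(default_factory=set)     # tokens minted by the HumanAuthority
    spent_tokens: set = field(default_factory=set)      # single-use: a token works exactly once

    def decide(self, req: WireRequest) -> tuple:
        """Return (verdict, reason). Verdicts: ALLOW, BLOCK, UNSEEN."""
        if req.initiator not in PAGE_INITIATORS:
            return "UNSEEN", "not page-issued; outside the wire gate's scope"
        if req.method.upper() not in MUTATING_METHODS:
            # Documented gap: a GET that mutates server state passes this gate.
            return "ALLOW", "non-mutating method; side effects via GET are not inspected"
        if req.token is not None:
            if req.token in self.spent_tokens:
                return "BLOCK", "token already spent (single-use)"
            if req.token not in self.minted_tokens:
                return "BLOCK", "token was not minted by the authority"
            self.spent_tokens.add(req.token)
            return "ALLOW", "covered by the request's own token"
        if req.intent_id in self.approved_intents:
            return "ALLOW", "covered by an approved consequential intent"
        return "BLOCK", "mutating request with no approved intent and no token"


def demo() -> dict:
    """Run constructed requests through one Sentinel and return the verdict per case."""
    gate = Sentinel(approved_intents={"intent-7"}, minted_tokens={"tok-a"})
    cases = {
        "get_side_effect": WireRequest("GET", "https://shop.example/cart/add?sku=1", "page"),
        "post_uncovered": WireRequest("POST", "https://shop.example/cart", "page"),
        "post_pending_intent": WireRequest("POST", "https://shop.example/cart", "page", intent_id="intent-9"),
        "post_approved_intent": WireRequest("POST", "https://shop.example/cart", "page", intent_id="intent-7"),
        "beacon_uncovered": WireRequest("POST", "https://shop.example/track", "beacon"),
        "delete_own_token": WireRequest("DELETE", "https://shop.example/cart/1", "page", token="tok-a"),
        "delete_token_replay": WireRequest("DELETE", "https://shop.example/cart/1", "page", token="tok-a"),
        "extension_post": WireRequest("POST", "https://telemetry.example/v1", "extension"),
    }
    return {name: gate.decide(req)[0] for name, req in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

The first case is the one to keep in mind when reading the limit above: the GET that adds to a cart is allowed with a reason string that says why, so a log reader can tell "allowed because covered" from "allowed because not inspected".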

### Agent autonomy
- **No unattended autonomous loops.** Every consequential action surfaces to your approver. The approval window is 10 minutes; an unanswered approval auto-denies.
- **The deterministic RuleBrain is the only Brain available in beta.** It fills declared fields and clicks a declared submit target. LLM-Brain integration is its own future signed phase — the bounded-claim set was verified with RuleBrain, not with any specific LLM completer.
- **No multi-step task planning.** Tasks are one structured intent (one form, one submit). Chained workflows are not in scope.

### Custody and identity
- **Beta runs use TFB-hosted Authority.** The HumanAuthority that mints consequential tokens runs in the same wrapper process as the engine, on TFB infrastructure. For production deployments where the customer requires out-of-process Authority (the substrate supports it; the deployment is not yet built), that is a separate engagement.
- **API keys are bearer tokens.** Treat them like passwords. Compromise is your responsibility; revocation is one POST away.
- **Operator-machine-trust envelope (DAVID+ gap-B residual, named).** Pending consequential actions are approved by the operator on the M5 Max via the SwiftBar menu-bar plugin. The plugin reads its OPERATOR-tier API key from the macOS keychain and calls `/api/v1/operator/runs/{id}/approve`. The keychain provides marginal defense-in-depth (the key is not in a flat file in the home directory), but on a single-user development machine **any process running as the operator has effective approval authority** — keychain access is gated by code signing + entitlements, which unsigned development scripts cannot enforce against other unsigned operator-running processes. Beta-grade acceptable; production requires the substrate's "out-of-process Authority" residual to be built (separate user / hardware token / signed signing service). Both layers — the substrate's residual at `REVIEWER_PACKET.md §10` and the wrapper layer's residual here — must be closed before TFBthumb deploys outside the TFB-operated environment.

### Substrate evolution
- **No Phase 5 statement.** The blueprint's Phase 5 (streaming embodied perception model with cursor/keyboard as proprioceptive input channels) is named as UNVERIFIED in `TFBthumb_BLUEPRINT.md` and remains so. Beta is not a path to it; Phase 5 is a research frontier, not an engineering task.
- **Substrate may heal during beta.** The current version is `v0.2.2`; bug fixes that strengthen the substrate may land during your evaluation. Each version's gates re-run clean before the bytes go live. The runtime `GET /api/v1/version` always returns the live version your runs are bound to.

### Performance and reliability
- **One run at a time per organization key.** Beta keys are not load-tested for concurrency. Production engagements size for parallelism explicitly.
- **TFB infrastructure is the SPOF.** Beta runs on a single-region, single-process FastAPI server with one Chromium browser. Latency and uptime are evaluation-grade. We will tell you when this changes.
- **No SLAs.** Beta is best-effort. Production engagements include named availability windows.

### Data handling
- **Ledger receipts are retained for 30 days.** After that they roll off. Customers who need durable audit trails should download receipts via `GET /runs/{id}` and store them themselves.
- **Page bytes are not durably stored.** The wrapper does not capture screenshots, full page dumps, or any HTML beyond what is needed to populate the structured observation the Brain reads. The structured observation IS captured (it is in the trace).
- **Credentials are not handled.** Beta does not accept credentials in the API payload. If your target page requires login, you authenticate it in the target site's own flow before the agent loads it; the sandbox keeps that session per run; the session does not persist across runs.

## Compatibility with the inspector reviews

These limits compose with the residuals named in `REVIEWER_PACKET.md §10`, the heal-loop entries in `DAVID_PLUS_REVIEW_v0_2_1.md §3`, and the engineering notes in `CODE_MECHANIC_REVIEW_v0_2_1.md §3`. Nothing here contradicts those documents; this is the customer-facing summary of the same boundaries.

A future v0.3 may expand the bounded set. Until it does, this file is the contract.
