UNITARES
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@UNITARESshow fleet health summary"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Runtime health checks for autonomous-agent fleets.
UNITARES is a check-in server for agents while they are working: an agent reports what it did, attaches evidence when it has any, and gets back one action: proceed, guide, pause, or reject.
Most controls inspect one action against one rule. UNITARES keeps history for each agent process, compares the current run with that agent's own baseline, and makes drift visible to the agent and the human operator while the output may still look fine.
Status: live since November 2025 — 4.2M+ governance events (public snapshot frozen 2026-07-02).
One layer of the CIRWEL stack — runtime safety infrastructure for autonomous agents, after deployment. UNITARES is the governed fleet; Anima is its physical edge testbed. Full index ↗
Client-neutral by design: Claude Code, Codex, Hermes, Goose, Cursor, Discord/dispatch agents, local models, and frontier providers such as Mistral can all use the same governance server through MCP, REST, the SDK, or a host adapter. Claude is one client family, not a server-side assumption.
The loop, and the organs around it
Everything in UNITARES hangs off one per-agent loop: an agent checks in after meaningful work and gets back one action — proceed / guide / pause / reject. The other subsystems are answers to questions that loop raises about the agent doing the work:
Question about the running agent | Answered by |
Who is acting? | per-process identity — reads open, writes accountable |
How is it doing, versus its own baseline? | the four-score state (EISV) — how it's graded |
Did its confidence match real evidence? | evidence-grounded calibration |
Has this been learned or corrected before? | governed shared memory (knowledge graph) |
Is a disputed action defensible? | dialectic peer review → durable constraints |
When another model produced the output, what evidence is that? |
|
Around that per-agent loop sits fleet infrastructure you reach for only when work is multi-agent or side-effectful — surface leases, resident monitors (scheduled agents that run the loop themselves), BEAM/Elixir coordination, and governed effects (agents propose; only governed effects commit). The CIRWEL stack table maps these and their maturity.
The transports are MCP on /mcp/, REST on /v1/tools/call, an optional dashboard on /dashboard, and an SDK for resident or scheduled agents. Pick up only the loop for a quick start; the organs are there when you want to act on why, and the infrastructure when persistent or side-effectful work needs it.
Related MCP server: promptspeak-mcp-server
Use UNITARES if
you run autonomous or semi-autonomous coding, research, operations, resident, Discord, or local-model agents;
you want mid-run health signals, not only pre-deploy evals or post-hoc logs;
you need agents to check their own state before continuing; and
you want an audit trail of confidence, evidence, drift, and recovery.
UNITARES is not an output validator, sandbox, hosted agent platform, or grand jury. Its state reading is not an outcome oracle or bad-result detector; it is runtime telemetry for the running agent. External evidence calibrates the signal, and policy/review layers own labels such as task-negative, contract violation, or authority/harm.
Try the demo locally
git clone https://github.com/cirwel/unitares.git && cd unitares
docker compose up -d --wait && make demomake demo drives a synthetic agent through seven check-ins — clean work, then confidence drifting from results, then confusion — and prints the policy action at each step. First run can spend a few minutes building Docker images; later runs are the fast path. Then point any MCP client at http://localhost:8767/mcp/.
For a human operator view, open the optional dashboard at http://localhost:8767/dashboard. Dashboard implementation details live in dashboard/README.md; public deployment screenshots live in docs/PRODUCTION_SNAPSHOT.md.
Running continuously since November 2025 · 4.2M+ governance events — the agents building UNITARES run under it. (Production snapshot → · verify the numbers →)
Where it fits
UNITARES runs alongside your evals and guardrails — it doesn't replace either. They answer different questions at different times:
Question it answers | When it acts | |
Evals | Is this model good enough to ship? | before deploy |
Guardrails | Is this action allowed right now? | per action |
UNITARES | Is this agent still healthy as it works? | continuously, mid-run |
How it relates to agent clients
UNITARES is not an agent framework or chat interface. Hermes, Claude Code, Codex, Goose, Discord dispatchers, SDK residents, and local-model hosts provide the hands: prompts, tools, files, terminals, browsers, scheduled work, and operator UX. UNITARES provides the governed continuity underneath — the loop and organs above. For one-off chat or local coding, skip the governance loop; for persistent, multi-agent, high-side-effect, or resident work, mount the client through MCP/REST/SDK or a lifecycle adapter.
Where it's going: accountability without a trusted center
Everything above describes the deployed system: one governor, one operator. The identity layer already enforces the posture a multi-party world needs — identity is per-process, credentials structurally refuse cross-principal resume, and declared lineage is recorded as provisional rather than trusted on assertion. The active research direction extends this to genuinely multi-principal deployments: mutually-distrusting principals each running their own governor, with cross-principal delegation and shared-infrastructure effects mediated by verifiable attestation between governors rather than authorized by any central party. No multi-host, multi-party deployment exists yet — that is the research, not a shipped claim. A testbed-and-benchmark paper is in preparation (arXiv, expected August 2026).
How it works
After each unit of work, the agent checks in with sync_state() — passing self-reported confidence plus verifiable evidence when available (test results, exit codes, tool output). It gets back one plain policy action:
proceed · guide · pause · reject
That's the whole contract: the agent reads the policy action and course-corrects using its own state estimate, without waiting for an external guardrail to catch it. Once a baseline exists, the central signal is a residual — current state minus this agent's own operating reference — so deviation is treated first as information, not as guilt or punishment. No special vocabulary is required to use the loop.
Want to act on why, not just the policy action? Each check-in also returns four scores per agent, each graded against that agent's own ~30-check-in baseline, so slow drift can surface while output still looks fine. The research docs and payloads call this vector EISV: Energy, Integrity, Entropy, Valence.
Goes wrong when… | ||
E · Energy | is the work advancing? | thrashing, retries, no progress |
I · Integrity | do claims match results? | high confidence, low actual success |
S · Entropy / drift | drifting from its own normal? | erratic, divergent behavior |
V · Valence | derived: energy vs integrity | motion without coherence (or vice-versa) |
The baseline takes ~30 check-ins to establish. Until then the policy action falls back to a cold-start prior computed mostly from server-derived signals (complexity divergence, coherence, calibration — self-reported drift is a capped ≤30% blend), so it is not yet discriminative of absolute drift magnitude — a worsening drift vector will not, on its own, move the action during warmup. After baselining, the per-agent behavioral assessment is combined into the action and can escalate it. A pause is enforced (the runtime boundary marks the agent paused and blocks further writes until recovery), not merely advisory.
Agent-state contract · How the four scores are computed · Architecture · Who it's for & threat model
Integrate in two calls
For AI clients, the stable contract is: start a session, pass the returned client_session_id into each check-in, obey the returned action, and treat the four-score state as optional context for finer control.
# 1. Start a governance session for this process.
session = start_session(force_new=True)
client_session_id = session["client_session_id"]
# 2. Check in after meaningful work.
result = sync_state(
response_text=output,
complexity=0.6,
confidence=0.8,
client_session_id=client_session_id,
)
action = result.get("state_summary", {}).get("action")
if action is None:
raw = result.get("raw_governance", result)
action = raw.get("decision", {}).get("action", raw.get("action", "proceed"))
if action in ("pause", "reject"):
agent.require_human_review(result.get("next_action", "Governance requested review"))The agent reads the action and acts — that's the whole loop. Self-reported confidence is strongest when paired with verifiable evidence, so include tool results or call record_result(...) when your client has evidence such as test status, exit codes, or deployment checks. UNITARES is not an output validator or sandbox; it is an agent-facing state-estimation layer while external controls remain separate.
The same primary tool surface also gives agents a few optional moves:
Need | Tool |
Search the shared knowledge graph |
|
Record verified external evidence |
|
Ask for structured peer review |
|
Read current state without writing |
|
For per-dimension policies, read the four scores instead of only the single policy action. The raw payload field is still named primary_eisv for API compatibility:
raw = result.get("raw_governance", result)
eisv = raw.get("primary_eisv") or raw.get("metrics", {})
if eisv.get("I", 1) < 0.4:
agent.require_human_review("integrity low — pausing autonomous actions")
elif eisv.get("S", 0) > 0.7:
agent.narrow_scope() # fewer tools, tighter search
elif eisv.get("E", 1) < 0.2:
agent.stop_and_summarize() # avoid thrashingFor long-running or scheduled agents, the SDK handles connection, identity, check-ins, and heartbeats. Any MCP client that accepts Streamable HTTP can connect to /mcp/; REST is available for non-MCP clients, Discord/dispatch bridges, local-model hosts, and adapters. (Getting started · MCP client config)
Verify every claim yourself
Evaluating with an agent? On a fresh clone, the falsifiability harness grades whether the four-score state telemetry beats deliberately dumb baselines (AUC, Brier) on externally labeled task/result evidence, reporting each slice honestly rather than asserting it. Most projects don't ship the means to disprove them; this one does. (Reviewer Guide →)
Auditable, not a black box. Once a baseline exists, policy actions come from an inspectable behavioral model (behavioral_assessment.py); before that, from a mostly server-derived cold-start prior. The information-theoretic formulation in Paper v6 is the research roadmap, not a claim about the post-warmup decision path (how the four scores are computed).
Human evaluators start with the Reviewer Guide.
Stack & setup
Python 3.12+ · PostgreSQL + AGE + pgvector · Redis. Transports: MCP on /mcp/ (Streamable HTTP) · REST on /v1/tools/call · Dashboard on /dashboard.
If 5432, 6379, or 8767 is already allocated, pick alternate host ports:
POSTGRES_HOST_PORT=15432 REDIS_HOST_PORT=16379 GOVERNANCE_HOST_PORT=18767 docker compose up -d --wait
UNITARES_DEMO_PORT=18767 make demoBare-metal (lower overhead, what the maintainer runs in production): PostgreSQL 16+ with Apache AGE + pgvector compiled and installed (examples use PG 17). Redis: the server boots in degraded local-only mode without it, but production uses it as the primary session store.
pip install -r requirements-full.txt
export DB_BACKEND=postgres
export DB_POSTGRES_URL=postgresql://postgres:postgres@localhost:5432/governance
export DB_AGE_GRAPH=governance_graph
export UNITARES_KNOWLEDGE_BACKEND=age
python src/mcp_server.py --port 8767requirements-full.txt is the default (server, tests, handler dev); requirements-core.txt is a minimal runtime subset (see the file) for thin stdio/proxy clients. DB bring-up: db/postgres/README.md. Run signal-only without the math model: export UNITARES_DISABLE_ODE=1. Full port map: docs/operations/DEFINITIVE_PORTS.md.
Documentation
Guide | Purpose |
Setup, workflows, tool modes | |
Deployed formulas vs. target semantics | |
Cold-evaluator path + falsifiability harness | |
Who it's for, why agents can't game it, what's unproven | |
Pipeline, policy actions, recovery, storage | |
Terms keyed by the question they answer — published at cirwel.github.io/unitares | |
Live metrics + dashboard views | |
Client-neutral MCP setup: Streamable HTTP, stdio bridges, hosted connectors | |
Common issues | |
Releases |
Root files such as
CLAUDE.md,AGENTS.md, andCODEX_START.mdare client-specific operating notes for AI CLIs. They do not limit the server: UNITARES itself is client-neutral over MCP/REST.
The CIRWEL stack
UNITARES is the governance runtime at the center of a larger body of work. The full index — papers, systems, datasets, and decks — lives at cirwel.github.io.
What it is | |
Hook/sidecar packaging for clients such as Codex and Claude Code; useful for lifecycle automation, not required for direct MCP/REST use | |
Thin client bindings — Hermes, Goose, Claude Code, OpenAI-compatible hosts, local models, frontier providers such as Mistral, and arbitrary REST clients | |
Physical longitudinal testbed — the same four-score state model mapped from Raspberry Pi sensor/system telemetry; the source cited in the papers | |
Governed-effect runtime seed — agents propose effects; only governed effects commit | |
Governance events, dispatch/presence, and system health as a live Discord surface | |
In-tree Elixir/OTP coordination work for live surface leases, handoffs, dispatch, and supervision beside the Python governance server | |
Governance benchmark dataset — 32,181 labeled EISV trajectories (20,655 real) | |
Companion paper — Information-Theoretic Governance of Heterogeneous Agent Fleets (Wang, 2026); concept DOI 10.5281/zenodo.19647159 |
Citation
Kenny Wang (ORCID 0009-0006-7544-2374), CIRWEL Systems. If you build on this work, please cite — see CITATION.cff.
@misc{wang2026unitares,
author = {Wang, Kenny},
title = {{UNITARES}: Information-Theoretic Governance of Heterogeneous Agent Fleets},
year = {2026},
doi = {10.5281/zenodo.19647159},
url = {https://doi.org/10.5281/zenodo.19647159},
note = {Concept DOI; resolves to latest version. ORCID: 0009-0006-7544-2374}
}Apache License 2.0 — see LICENSE and NOTICE. Built by @cirwel · CIRWEL Systems
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/cirwel/unitares'
If you have feedback or need assistance with the MCP directory API, please join our Discord server