System model
Penrose is a staged referee with a one-way evidence flow.
untrusted source
│
├─ P1 sanitize and archive
├─ P2 extract grounded claims
├─ P3 classify falsifiability
├─ P4 screen economic feasibility
├─ P5 identify duplicate or known claim structure
├─ P6 bind data and reconstruct a faithful executable test
├─ P7 run deflation, power, robustness, cost, and holdout controls
├─ P8 issue a verdict or routing state
└─ P9 human-only review
Trust boundaries
Untrusted inputs
Source text, uploaded claims, model output, generated code, external corpus records, and vendor data are all untrusted at entry. They are parsed and validated; they never grant permissions.
Trusted deterministic engine
The engine owns verdict thresholds, trial accounting, data-contract validation, holdout state, corpus eligibility, and append-only scientific records.
Sandboxed reconstruction
Model-written strategy code runs only through the sandbox path. Static scans and runtime contracts reject filesystem, network, process, deserialization, and look-ahead hazards.
Human authorization
P9 is outside the model and outside the dashboard write surface. A survivor is a proposal until an authorized person approves it.
Persistent state
| State | Purpose | Reset behavior |
|---|---|---|
| Decisions and trial ledger | Scientific and search record | Preserved |
| Receipts and audit logs | Reproduction and provenance | Preserved |
| Source archive | Exact submitted evidence | Preserved |
| Holdout burns | Single-use confirmation history | Preserved |
| Active corpus | Epoch-scoped learning evidence | Rebuilt |
| Reports and dashboard projections | Human-readable derived views | Rebuilt |
Local and public operation
The local engine may contain private sources or data. A public website should publish only a separate, allowlisted projection of safe records. Public readers do not need access to raw data, private source files, holdout values, model keys, or writable engine state.