# fortress - Doramagic AI Context Pack

> Positioning: a pre-install experience and judgment asset. It helps the host AI get off to a good start, but it does not mean the project has already been installed, run, or validated.

## Sufficiency Principle

- **Sufficiency over compression**: The AI Context Pack should be sufficient for the host AI to understand the project's value, capability boundaries, entrypoints, risks, and evidence sources before starting work; it may be layered, but it does not aim for the shortest possible summary.
- **Compression policy**: Compress only noise and duplication, never context that affects judgment or the quality of the work.

## How the Host AI Should Use This

You are reading the AI Context Pack that Doramagic compiled for fortress. Treat it as pre-work context: help the user understand who it fits, what it can do, how to start, what must be verified after install, and where the risks are. Do not claim that you have already installed, run, or executed the target project.

## Claim Consumption Rules

- **Fact source**: Repo Evidence + Claim/Evidence Graph; the Human Wiki only supplies salience, terminology, and narrative structure.
- **Minimum status for a fact**: `supported`
- `supported`: May be used as a project fact, but the answer must cite the claim_id and evidence path.
- `weak`: Usable only as a low-confidence lead; the user must be asked to keep verifying.
- `inferred`: Usable only for risk notes or open questions; must not be packaged as a project fact.
- `unverified`: Must not be used as fact; state clearly that evidence is insufficient.
- `contradicted`: Must show the conflicting sources and must not force a single version on the user's behalf.

## Who It Fits Best

- **Developers already using host AIs such as Claude/Codex/Cursor/Gemini**: The README or plugin config mentions multiple host AIs. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Users who want to bring professional workflows into a host AI**: The repo contains Skill documents. Evidence: `mcp/skill/SKILL.md` Claim: `clm_0004` supported 0.86

## What It Can Do

- **AI Skill / Agent Instruction Asset Library** (Previewable before install): The project contains Skill or Agent instruction files that a host AI can read, useful for bringing professional workflows into hosts like Claude, Codex, or Cursor. Evidence: `mcp/skill/SKILL.md` Claim: `clm_0001` supported 0.86
- **Command-Line Startup or Install Flow** (Verify after install): The project documentation contains runnable commands; real use requires running them in a local or host environment. Evidence: `AGENTS.md`, `README.md` Claim: `clm_0002` supported 0.86

## How to Start

- `pip install -U tilion-fortress       # or:  docker run --rm -p 9222:9222 tilion/fortress:latest` Evidence: `README.md` Claim: `clm_0005` supported 0.86
- `pip install tilion-fortress` Evidence: `README.md` Claim: `clm_0006` supported 0.86
- `pip install "tilion[mcp]"      # command:  tilion-mcp` Evidence: `README.md` Claim: `clm_0007` supported 0.86
- `npx -y tilion-mcp              # auto-runs the server via uv (no global install)` Evidence: `README.md` Claim: `clm_0008` supported 0.86
- `claude mcp add fortress -- tilion-mcp          # or:  claude mcp add fortress -- npx -y tilion-mcp` Evidence: `README.md` Claim: `clm_0009` supported 0.86
- `curl -LO $BASE/tilion-fortress-linux-x64.tar.gz` Evidence: `README.md` Claim: `clm_0010` supported 0.86
- `curl -Ls $BASE/SHA256SUMS | sha256sum -c --ignore-missing     # -> OK` Evidence: `README.md` Claim: `clm_0011` supported 0.86
- `npm install tilion-fortress` Evidence: `AGENTS.md` Claim: `clm_0012` supported 0.86

## Continue-or-Stop Decision Card

- **Current recommendation**: Sandbox-trial permissions first
- **Why**: The project has signals of install commands, host configuration, or local writes; do not go straight into your primary environment—trial it in isolation first.

### 30-Second Read

- **What to do now**: Sandbox-trial permissions first
- **Minimum safe next step**: Run Prompt Preview first; if you still want to install, trial only in an isolated environment
- **Do not trust yet**: Tool permission boundaries cannot be trusted before install.
- **Continuing will touch**: Command execution, Host AI configuration, Local environment or project files

### What You Can Trust Now

- **Target-audience signal: Developers already using host AIs such as Claude/Codex/Cursor/Gemini** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Target-audience signal: Users who want to bring professional workflows into a host AI** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `mcp/skill/SKILL.md` Claim: `clm_0004` supported 0.86
- **Capability exists: AI Skill / Agent Instruction Asset Library** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `mcp/skill/SKILL.md` Claim: `clm_0001` supported 0.86
- **Capability exists: Command-Line Startup or Install Flow** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `AGENTS.md`, `README.md` Claim: `clm_0002` supported 0.86
- **There are Quick Start / install-command signals** (supported): You can trust that the docs mention a startup or install entrypoint; do not run it directly in your primary environment because of that. Evidence: `README.md` Claim: `clm_0005` supported 0.86

### What You Cannot Trust Yet

- **Tool permission boundaries cannot be trusted before install.** (unverified): MCP/tool projects usually touch files, the network, the browser, or external APIs, so permissions and logs must be checked for real.
- **Real output quality cannot be trusted before install.** (unverified): Prompt Preview can only show how it guides you; it cannot prove result quality in the real project.
- **Host AI version compatibility cannot be trusted before install.** (unverified): Host loading rules and version differences across Claude, Cursor, Codex, Gemini, and others must be verified in a real environment.
- **That it will not pollute your existing host AI's behavior cannot be trusted directly.** (inferred): Skill, plugin, and AGENTS/CLAUDE/GEMINI instructions may change the host AI's default behavior. Evidence: `AGENTS.md`, `mcp/skill/SKILL.md`
- **Safe rollback cannot be assumed by default.** (unverified): Unless the project clearly provides uninstall and recovery instructions, verify in an isolated environment first.
- **After a real install, is it compatible with the user's current host AI version?** (unverified): Compatibility can only be verified in the actual host environment.
- **Does the project's output quality meet the user's specific task?** (unverified): The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **Do the install commands require network access, permissions, or global writes?** (unverified): This affects install risk in both enterprise and personal environments. Evidence: `README.md`

### What Continuing Will Touch

- **Command execution**: Package managers, network downloads, the local plugin directory, project config, or the user's home directory. Why: Running the very first command can already change your environment; decide whether it is worth running first. Evidence: `AGENTS.md`, `README.md`
- **Host AI configuration**: The plugin, Skill, or rule-loading config of hosts like Claude/Codex/Cursor/Gemini/OpenCode. Why: Host configuration changes how the AI works afterward and may conflict with the user's existing rules. Evidence: `AGENTS.md`, `mcp/skill/SKILL.md`
- **Local environment or project files**: Install results, plugin caches, project config, or local dependency directories. Why: The write scope and rollback path cannot be proven before install and need isolated verification. Evidence: `AGENTS.md`, `README.md`
- **Host AI context**: The AI Context Pack, Prompt Preview, Skill routing, risk rules, and project facts. Why: Importing context affects the host AI's later judgment, so avoid packaging unverified items as facts.

### Minimum Safe Next Steps

- **Run Prompt Preview first**: Use a pre-install interactive trial to judge whether the way of working fits; it needs no authorization or environment change. (applies when: Applies to any project, especially when output quality is unknown.)
- **Trial-install only in an isolated directory or a test account**: Avoid letting install commands pollute your primary host AI, real projects, or home directory. (applies when: When there are signals of command execution, plugin config, or local writes.)
- **Back up your host AI configuration first**: Skill, plugin, and rule files may change the default behavior of Claude/Cursor/Codex. (applies when: When there is a plugin manifest, a Skill, or a host rule entrypoint.)
- **After install, verify just one minimal task**: Verify loading, compatibility, output quality, and rollback first, then decide whether to use it deeply. (applies when: When moving from a trial into a real workflow.)

### Exit Plan

- **Preserve the pre-install state**: Record the original host config and project state so you can later judge whether it is recoverable.
- **Be ready to remove the host plugin / Skill / rule entrypoint**: If behavior is off after the trial install, you can restore the host AI to its pre-trial state.
- **Record the install commands and written paths**: Without clear uninstall instructions, you at least need to know which directories or configs to clean up manually.
- **If there is no rollback path, do not enter your primary environment**: No rollback is a blocker before continuing; do not proceed on trust or luck.

## What Can Only Be Previewed

- Explain who the project fits and what it can do
- Demonstrate a typical conversation flow based on project docs
- Help the user decide whether it is worth installing or researching further

## What Must Be Verified After Install

- Actually installing the Skill, plugin, or CLI
- Running scripts, modifying local files, or accessing external services
- Verifying real output quality, performance, and compatibility

## Boundary & Risk Decision Card

- **Mistaking the pre-install preview for a real run**: The user may overestimate how much configuration, permission, and compatibility verification the project has already done. Mitigation: Clearly separate prompt_preview_can_do from runtime_required. Claim: `clm_0013` inferred 0.45
- **Command execution will modify the local environment**: Install commands may write to the user's home directory, the host plugin directory, or project configuration. Mitigation: Run in an isolated environment or a test account first. Evidence: `AGENTS.md`, `README.md` Claim: `clm_0014` supported 0.86
- **To confirm**: After a real install, is it compatible with the user's current host AI version?. Why: Compatibility can only be verified in the actual host environment.
- **To confirm**: Does the project's output quality meet the user's specific task?. Why: The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **To confirm**: Do the install commands require network access, permissions, or global writes?. Why: This affects install risk in both enterprise and personal environments.

## Pre-Work Working Context

### Loading Order

- First read how_to_use.host_ai_instruction to establish the boundaries of this pre-install judgment asset.
- Read claim_graph_summary to confirm facts come from the Claim/Evidence Graph, not the Human Wiki narrative.
- Then read intended_users, capabilities, and quick_start_candidates to judge whether the user is a match.
- When you need to carry out a concrete task, check role_skill_index first, then evidence_index.
- For real install, file modification, network access, performance, or compatibility questions, turn to risk_card and boundaries.runtime_required.

### Task Routes

- **AI Skill / Agent Instruction Asset Library**: Use role_skill_index / evidence_index to help the user pick a usable role, Skill, or workflow first. Boundary: Can be experienced via a pre-install Prompt. Evidence: `mcp/skill/SKILL.md` Claim: `clm_0001` supported 0.86
- **Command-Line Startup or Install Flow**: State that this is an after-install capability first, then give a pre-install checklist. Boundary: Must be verified after a real install or run. Evidence: `AGENTS.md`, `README.md` Claim: `clm_0002` supported 0.86

### Context Scale

- Total files: 95
- Important-file coverage: 40/95
- Evidence index entries: 78
- Role / Skill entries: 1

### Handling Insufficient Evidence

- **missing_evidence**: State that evidence is insufficient and ask the user for the target file, a README section, or after-install verification records; do not fill in facts.
- **out_of_scope_request**: State that the task is beyond the current AI Context Pack's evidence scope and suggest the user check the Human Manual or verify after a real install.
- **runtime_request**: Provide a pre-install checklist and command sources, but do not run commands for the user or claim they have been run.
- **source_conflict**: Show the conflicting sources side by side, mark them as unverified, and do not force a single version.

## Prompt Recipes

### Fit assessment

- Goal: Judge whether this project fits the user's current task.
- Expected output: A fit conclusion, key reasons, evidence citations, what can be previewed before install, what must be verified after install, and a next-step recommendation.

```text
Based on the AI Context Pack for fortress, ask me 3 necessary questions first, then judge whether it fits my task. The answer must cover: who it fits, what it can do, what it cannot do, whether it is worth installing, and where the evidence comes from. Every project fact must cite evidence_refs, source_paths, or a claim_id.
```

### Pre-install experience

- Goal: Let the user feel the core workflow before installing, while avoiding packaging the preview as real capability or a marketing promise.
- Expected output: An experience script with boundary labels, an after-install verification checklist, and a cautious recommendation; with no real-run promises or strong marketing language.

```text
Treat fortress as a pre-install experience asset, not an already-installed tool or a real runtime environment.

Output exactly four parts:
1. Ask me 3 necessary questions first.
2. Give an "experience script": use the three labels [Previewable before install], [Must verify after install], and [Insufficient evidence] to show how it might guide the workflow.
3. Give an after-install verification checklist: list which capabilities can only be confirmed after a real install, real host loading, and a real project run.
4. Give a cautious recommendation: only "worth researching/trialing further", "add information before deciding", or "not recommended to continue"; do not endorse the project.

Hard boundaries:
- Do not claim you have installed, run, executed tests, modified files, or produced real results.
- Do not write promise-like phrasing such as "auto-adapts", "guarantees passing", "perfect fit", or "strongly recommend installing".
- If you describe how it works after install, you must use a conditional such as "if installed successfully and the host loads the Skill correctly, it might...".
- The experience script may only be written as "example lines / hypothetical flow": use "might ask / might suggest / might show", not "has written, has generated, has passed, is running, is generating".
- Prompt Preview does not hand out install commands; if the user is ready to trial, only prompt them to read Quick Start and the Risk Card first and to verify in an isolated environment.
- Every project fact must come from a supported claim, evidence_refs, or source_paths; inferred/unverified items can only be risks or open questions.

```

### Role / Skill selection

- Goal: Pick the best-matching asset from the project's roles or Skills.
- Expected output: A list of candidate roles or Skills, each with an applicable scenario, evidence paths, risk boundary, and whether after-install verification is needed.

```text
Read role_skill_index and recommend 3-5 of the most relevant roles or Skills for my target task. For each recommendation, state the applicable scenario, likely output, risk boundary, and evidence_refs.
```

### Risk pre-check

- Goal: Identify environment, permission, rule-conflict, and quality risks before installing or adopting.
- Expected output: A checklist of environment, permission, dependency, license, host-conflict, quality risk, and unknown items.

```text
Based on risk_card, boundaries, and quick_start_candidates, give me a pre-install risk pre-check list. Do not run commands for me; only explain what I should check, why, and what impact a failure would have.
```

### Host AI kickoff instruction

- Goal: Turn the project context into a host AI instruction for the start of a conversation.
- Expected output: A pre-work instruction with clear boundaries and clear evidence citations, suitable to copy to a host AI.

```text
Based on the AI Context Pack for fortress, generate a pre-work instruction I can paste to my host AI. This instruction must obey not_runtime=true and must not claim the project has been installed, run, or produced real results.
```

## Role / Skill Index

- Indexed 1 role / Skill / project-doc entries.

- **fortress-stealth-browser** (skill): - Activation hint: When the user's task is highly relevant to the workflow described by “fortress-stealth-browser”, use it for a pre-install experience first, then decide whether to install. Evidence: `mcp/skill/SKILL.md`

## Evidence Index

- Indexed 78 evidence entries.

- **Fortress — agent setup guide** (documentation): Paste this whole file into your AI agent Claude, ChatGPT, Gemini, Cursor, Copilot, … and it has everything it needs to set Fortress up and drive it. Evidence: `AGENTS.md`
- **One browser engine to rule them all** (documentation): One browser engine to rule them all Evidence: `README.md`
- **Fortress examples** (documentation): Runnable examples that drive the Fortress stealth engine over CDP. Evidence: `examples/README.md`
- **Fortress MCP — a stealth browser for AI agents** (documentation): Fortress MCP — a stealth browser for AI agents Evidence: `mcp/README.md`
- **Patches — the open surface layer** (documentation): These are Fortress's surface-coherence patches : the in-tree Chromium/Blink modifications that read a per-launch persona and present it consistently across the JS-observable fingerprint surfaces user-agent, platform, WebGL, timezone, languages, screen, keyboard, media, and so on , including inside worker and iframe realms. Evidence: `patches/README.md`
- **tilion-mcp** (documentation): A stealth-browser MCP for AI agents. When a fetch gets blocked — Cloudflare, DataDome, PerimeterX, a 403, or a CAPTCHA — your agent calls these tools and gets the page, driving a real, recompiled Chromium Fortress locally. Evidence: `mcp/npm/README.md`
- **Install** (documentation): Drive the Fortress stealth Chromium engine with one line — no build, no Chromium source. Evidence: `sdk/node/README.md`
- **Install** (documentation): Drive the Fortress stealth Chromium engine with one line — no build, no Chromium source. Evidence: `sdk/python/README.md`
- **Contributing to Fortress** (documentation): Fortress is open source and open to contributions. Bug fixes, new features, performance work, docs, and tests are all welcome. Evidence: `CONTRIBUTING.md`
- **Package** (package_manifest): { "name": "tilion-mcp", "version": "0.1.0", "description": "Stealth-browser MCP for AI agents — fetch pages behind Cloudflare / DataDome / PerimeterX / 403 / CAPTCHA, extract clean markdown & JSON, crawl sites, reverse-engineer private APIs, and drive a real undetected Chromium Fortress . Local, no account, no key.", "bin": { "tilion-mcp": "cli.js" }, "files": "cli.js", "README.md" , "keywords": "mcp", "model-context-protocol", "modelcontextprotocol", "stealth-browser", "undetected", "anti-bot", "bot-detection", "cloudflare", "datadome", "perimeterx", "captcha", "web-scraping", "browser-automation", "playwright", "fortress", "tilion", "agent", "claude", "cursor" , "repository": { "type": "g… Evidence: `mcp/npm/package.json`
- **Package** (package_manifest): { "name": "tilion-fortress", "version": "151.0.7910", "description": "Install and drive the Fortress stealth Chromium engine. Prebuilt binary, no source.", "type": "module", "main": "index.js", "bin": { "tilion-fortress": "cli.js" }, "files": "index.js", "cli.js", "README.md" , "engines": { "node": " =18" }, "keywords": "chromium", "stealth", "browser", "automation", "anti-bot", "fortress", "tilion" , "author": "arham766", "license": "BSD-3-Clause", "repository": { "type": "git", "url": "https://github.com/tiliondev/fortress.git" }, "homepage": "https://github.com/tiliondev/fortress" } Evidence: `sdk/node/package.json`
- **Fortress stealth-browser skill** (skill_instruction): When to use this Reach for the fortress MCP tools the moment a normal fetch fails or returns junk: - HTTP 403 / 429 / 503 , a Cloudflare "Just a moment", DataDome/PerimeterX walls, "Access to this page has been denied", "Press & Hold to confirm you are human". - The page is a JavaScript SPA and the plain HTML is an empty shell. - You need structured data markdown, tables, or a schema-shaped record , a whole-site crawl , or the site's private JSON API . - You have Playwright/Puppeteer/browser-use code that keeps getting detected — get a stealth CDP endpoint and point your code at it. Evidence: `mcp/skill/SKILL.md`
- **License** (source_file): Copyright c 2026, arham766 Tilion / Fortress engine patches and tooling All rights reserved. Evidence: `LICENSE`
- **Fortress — Benchmark** (documentation): Measured on a datacenter Linux x86-64 host no GPU , driving each chrome binary over CDP at 1280×800. Captured 2026-06-24. No mock-ups — every number is a live read. Evidence: `docs/BENCHMARK.md`
- **Building Fortress natively on Windows & macOS** (documentation): Building Fortress natively on Windows & macOS Evidence: `docs/BUILD_NATIVE.md`
- **Detection gauntlet — results** (documentation): Run on the official Fortress binary Chromium 151.0.7908.0, is official build , non-component, stripped with the full default persona + bundled fonts + --uxr-webrtc-policy=disable non proxied udp . Evidence: `docs/GAUNTLET_RESULTS.md`
- **Fortress Persona Engine** (documentation): Every Fortress launch presents a unique, coherent, real-looking device — a fresh fingerprint that looks like an ordinary person's machine, generated inside the browser engine before any page script runs. Evidence: `docs/PERSONA_ENGINE.md`
- **Hosts lychee should not check. One regex per line, matched against the whole URL.** (source_file): Hosts lychee should not check. One regex per line, matched against the whole URL. Keep this list to genuinely-flaky or non-fetchable endpoints — real content links github.com, raw.githubusercontent.com, npm, pypi, detector sites stay checked so a moved file or renamed asset is caught. Evidence: `.lycheeignore`
- **.Pre Commit Config** (source_file): minimum pre commit version: "3.0.0" repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v4.6.0 hooks: - id: trailing-whitespace exclude: ^patches/ - id: end-of-file-fixer exclude: ^patches/ - id: check-yaml - id: check-json - id: check-merge-conflict - id: mixed-line-ending args: --fix=lf exclude: '\. cmd ps1 $' - repo: local hooks: - id: check-patches name: patch-set integrity linter entry: python tools/check patches.py language: system pass filenames: false files: ^patches/ Evidence: `.pre-commit-config.yaml`
- **Init** (source_file): all = "main", "mcp" Evidence: `mcp/__init__.py`
- **0001 Base Build Gn** (source_file): diff --git a/base/BUILD.gn b/base/BUILD.gn index 539782c068..e831553518 100644 --- a/base/BUILD.gn +++ b/base/BUILD.gn @@ -1000,6 +1000,8 @@ component "base" { "types/zip.h", "unguessable token.cc", "unguessable token.h", + "uxr config.cc", + "uxr config.h", "uuid.cc", "uuid.h", "value iterators.cc", Evidence: `patches/0001-base-BUILD-gn.patch`
- **0002 Base Uxr Config Cc** (source_file): diff --git a/base/uxr config.cc b/base/uxr config.cc new file mode 100644 index 0000000000..cac1a6896b --- /dev/null +++ b/base/uxr config.cc @@ -0,0 +1,43 @@ +// Copyright 2026. + include "base/uxr config.h" + + include "base/no destructor.h" + include "base/strings/string number conversions.h" + +namespace base { + +UxrConfig::UxrConfig = default; +UxrConfig::~UxrConfig = default; + +// static +UxrConfig& UxrConfig::GetInstance { + static NoDestructor instance; + return instance; +} + +void UxrConfig::SetAll const flat map & cfg { + AutoLock locker lock ; + map = cfg; +} + +bool UxrConfig::Has const std::string& key const { + AutoLock locker lock ; + return map .contains key ; +} + +std::… Evidence: `patches/0002-base-uxr_config-cc.patch`
- **0003 Base Uxr Config H** (source_file): diff --git a/base/uxr config.h b/base/uxr config.h new file mode 100644 index 0000000000..6eead77d0f --- /dev/null +++ b/base/uxr config.h @@ -0,0 +1,46 @@ +// Copyright 2026. Process-global persona config delivered to the renderer over +// IPC NOT the command line so persona values + seeds never appear in the +// renderer's /proc/cmdline. Populated once at renderer init; read-only after. + ifndef BASE UXR CONFIG H + define BASE UXR CONFIG H + + include + include + + include "base/base export.h" + include "base/containers/flat map.h" + include "base/synchronization/lock.h" + +namespace base { + +template +class NoDestructor; + +class BASE EXPORT UxrConfig { + public: + static UxrConfig& Get… Evidence: `patches/0003-base-uxr_config-h.patch`
- **if BUILDFLAG IS ANDROID BUILDFLAG IS IOS** (source_file): diff --git a/components/embedder support/user agent utils.cc b/components/embedder support/user agent utils.cc index 608bea5cb3..3f0bf7c03f 100644 --- a/components/embedder support/user agent utils.cc +++ b/components/embedder support/user agent utils.cc @@ -215,9 +215,9 @@ const blink::UserAgentBrandList GetUserAgentBrandFullVersionListInternal // depending on the Reduce User-Agent reduction phase features. std::string GetUserAgentInternal { std::string product = GetProductAndVersion ; - if base::CommandLine::ForCurrentProcess - HasSwitch kHeadless { - product.insert 0, "Headless" ; - } + // FORTRESS patch 2: never prepend "Headless" to the product. Under --headless the + // stock code mak… Evidence: `patches/0004-components-embedder_support-user_agent_utils-cc.patch`
- **Series** (source_file): patches/0001-base-BUILD-gn.patch patches/0002-base-uxr config-cc.patch patches/0003-base-uxr config-h.patch patches/0004-components-embedder support-user agent utils-cc.patch patches/0005-content-browser-renderer host-render process host impl-cc.patch patches/0006-content-common-renderer-mojom.patch patches/0007-content-renderer-render thread impl-cc.patch patches/0008-content-renderer-render thread impl-h.patch patches/0009-content-renderer-renderer main-cc.patch patches/0010-third party-blink-renderer-core-dom-element-cc.patch patches/0011-third party-blink-renderer-core-execution context-navigator base-cc.patch patches/0012-third party-blink-renderer-core-frame-local dom window-cc.patch… Evidence: `patches/series`
- **Command-line switch lookups a patch may add.** (source_file): REPO = Path file .resolve .parent.parent PATCHES = REPO / "patches" SERIES = PATCHES / "series" ⋮---- BRAND RE = re.compile r'" ^"\n tilion tillion fortress phoron swarm ^"\n "', re.IGNORECASE Command-line switch lookups a patch may add. SWITCH RE = re.compile r' ?:HasSwitch GetSwitchValueASCII GetSwitchValueNative \ \s " ^" + "' PATCH NAME RE = re.compile r"^ \d{4} -. \.patch$" ⋮---- class Report ⋮---- def init self - None ⋮---- def check self, name: str, ok: bool, detail: str = "" - None ⋮---- mark = "PASS" if ok else "FAIL" line = f" {mark} {name}" ⋮---- def patch files patches dir: Path - list Path ⋮---- def strip comment added: str - str ⋮---- i = added.find "//" ⋮---- def check series… Evidence: `tools/check_patches.py`
- **Isolated, OS-appropriate temp dirs not a hardcoded /tmp, which doesn't exist on Windows .** (source_file): def ws eval port, expr, timeout=20 ⋮---- c = http.client.HTTPConnection "127.0.0.1", port, timeout=timeout ⋮---- pages = t for t in json.loads c.getresponse .read if t.get "type" == "page" ⋮---- path = pages 0 "webSocketDebuggerUrl" .split str port , 1 1 s = socket.create connection "127.0.0.1", port , timeout=timeout key = base64.b64encode os.urandom 16 .decode ⋮---- buf = b"" ⋮---- msg = json.dumps {"id": 1, "method": "Runtime.evaluate", mask = os.urandom 4 frame = bytearray 0x81, 0x80 126 + struct.pack " H", len msg & 0xFFFF + mask ⋮---- def recv frame ⋮---- h = s.recv 2 ln = h 1 & 0x7F ⋮---- ln = struct.unpack " H", s.recv 2 0 ⋮---- ln = struct.unpack " Q", s.recv 8 0 data = b"" ⋮---- j… Evidence: `tools/gauntlet.py`
- **--------------------------------------------------------------------------- parsing helpers** (source_file): REPO = "tiliondev/fortress" API = "https://api.github.com" ⋮---- REQUIRED = {"linux-x64"} REPO ROOT = Path file .resolve .parent.parent ⋮---- class Report ⋮---- def init self - None ⋮---- def check self, name: str, ok: bool, detail: str = "" - None ⋮---- def skip self, name: str, detail: str = "" - None ⋮---- def note self, name: str, detail: str = "" - None ⋮---- @staticmethod def emit mark: str, name: str, detail: str - None ⋮---- line = f" {mark} {name}" ⋮---- --------------------------------------------------------------------------- parsing helpers def parse sha256sums text: str - dict str, str ⋮---- """Parse lines tolerating the name binary marker into {name: hash}.""" out: dict str,… Evidence: `tools/verify_release.py`
- **Cli** (source_file): function has cmd Evidence: `mcp/npm/cli.js`
- **Index** (source_file): const hostFor = tag = process.env.FORTRESS DOWNLOAD HOST https://github.com/$ ⋮---- export function resolvePlatform ⋮---- export function personaArgs persona ⋮---- export async function sha256 path ⋮---- export async function expectedSha asset, host ⋮---- } catch { / none / } ⋮---- async function ensureNative plat, host, tag ⋮---- const root = join CACHE, tag, plat ; // cache per release tag so channels don't collide ⋮---- async function assetExists plat, host ⋮---- async function waitCdp port, timeoutMs = 90000 ⋮---- export class Fortress ⋮---- static async launch opts ⋮---- async start ⋮---- async startNative plat ⋮---- startDocker ⋮---- async close Evidence: `sdk/node/index.js`
- **Pyproject** (source_file): build-system requires = "setuptools =61" build-backend = "setuptools.build meta" Evidence: `sdk/python/pyproject.toml`
- **platform key - release asset, archive kind, launcher relative path** (source_file): version = "151.0.7908.0.post4" all = "Fortress", "resolve platform" ⋮---- REPO = "tiliondev/fortress" ⋮---- CHANNELS = { DEFAULT CHANNEL = os.environ.get "FORTRESS CHANNEL", "stable" CACHE = Path os.environ.get "FORTRESS BROWSERS PATH", ⋮---- def host tag: str - str ⋮---- platform key - release asset, archive kind, launcher relative path ASSETS = { ⋮---- def resolve platform - str None ⋮---- def sha256 path: Path - str ⋮---- h = hashlib.sha256 ⋮---- def expected sha asset: str, host: str - str None ⋮---- """Fetch SHA256SUMS from the release and return the hash for asset .""" ⋮---- parts = line.split ⋮---- def download plat: str, host: str, tag: str - Path ⋮---- root = CACHE / tag / plat lau… Evidence: `sdk/python/tilion_fortress/__init__.py`
- **Main** (source_file): def main ⋮---- ap = argparse.ArgumentParser prog="tilion-fortress", ⋮---- args = ap.parse args ⋮---- f = Fortress port=args.port, headless=not args.no headless .start Evidence: `sdk/python/tilion_fortress/__main__.py`
- **Security Policy** (documentation): Fortress is a stealth Chromium engine, so please route two very different things to two different places: Evidence: `SECURITY.md`
- **Test Sdk** (source_file): def test resolve platform monkeypatch, sysname, machine, expected ⋮---- def test every resolvable platform has an asset ⋮---- resolvable = {"linux-x64", "win-x64", "mac-arm64", "mac-x64"} ⋮---- def test persona args empty ⋮---- def test persona args known keys map to uxr flags ⋮---- args = tf. persona args {"timezone": "America/New York", "hw concurrency": 16} ⋮---- def test persona args unknown key falls back to uxr prefix ⋮---- args = tf. persona args {"some new surface": "v"} ⋮---- def test persona args are all uxr prefixed ⋮---- persona = {"platform": "Win32", "timezone": "UTC", "webgl renderer": "ANGLE", ⋮---- def test sha256 matches hashlib tmp path ⋮---- f = tmp path / "blob.bin" dat… Evidence: `sdk/python/tests/test_sdk.py`
- **Test Check Patches** (source_file): lines = f"diff --git a/{path} b/{path}", "index 1234567..89abcde 100644" ⋮---- def write set root: Path, patches: dict str, str , series: list str None = None - Path ⋮---- series = sorted patches ⋮---- def clean patches - dict str, str ⋮---- def test clean set passes every check tmp path ⋮---- rep = cp.run checks write set tmp path, clean patches ⋮---- def test series sync missing entry tmp path ⋮---- def test series sync missing file tmp path ⋮---- def test series sync duplicate entry tmp path ⋮---- def test series sync wrong order tmp path ⋮---- def test numbering gap tmp path ⋮---- patches = {"0001-alpha.patch": make patch "core/alpha.cc" , ⋮---- def test numbering duplicate number tmp p… Evidence: `tools/tests/test_check_patches.py`
- **--------------------------------------------------------------------------- --full re-hashing** (source_file): SDK ASSETS = { NODE NAMES = set SDK ASSETS.values ⋮---- LINUX = SDK ASSETS "linux-x64" WIN = SDK ASSETS "win-x64" H LINUX = "f4e0e83a38b08ec62ec07cb7f0c54d8eae5e7260798a91e7d703e547de53207c" H WIN = "a538de3341d9e7bf1c87f81b0c6e91ec9c2bde3f80872a8f626dd074d1161a45" ⋮---- def asset name, digest=None, size=100, state="uploaded" ⋮---- a = {"name": name, "size": size, "state": state, "url": f"https://api/{name}"} ⋮---- def release assets ⋮---- def sums pairs ⋮---- def evaluate rel, sums text, kw ⋮---- def test consistent release passes ⋮---- rel = release rep = evaluate rel, sums H LINUX, LINUX , H WIN, WIN ⋮---- def test linux only release passes ⋮---- rel = release asset "SHA256SUMS" , asset… Evidence: `tools/tests/test_verify_release.py`
- **Gauntlet Sample** (structured_config): { "surfaces": { "webdriver": false, "platform": "Win32", "uaWindows": true, "mp4": "probably", "emoji": true, "webglRenderer": "ANGLE NVIDIA, NVIDIA GeForce RTX 3060 Direct3D11 vs 5 0 ps 5 0, D3D11 ", "hardwareConcurrency": 16, "deviceMemory": 8, "languages": "en-US", "en" , "timezone": "America/New York", "canvasNoisePixels": 37, "webgpuAdapter": true, "webgpuVendor": "nvidia", "plugins": 5 }, "invariants": { "webdriver is false": true, "platform is Win32": true, "UA is Windows": true, "mp4 codec works": true, "emoji font present": true, "WebGL renderer spoofed": true, "hardwareConcurrency plausible": true, "deviceMemory present": true, "languages well-formed": true, "timezone is an IANA z… Evidence: `docs/gauntlet-sample.json`
- **Server** (structured_config): { "$schema": "https://static.modelcontextprotocol.io/schemas/2025-12-11/server.schema.json", "name": "io.github.tiliondev/fortress", "description": "Stealth browser for AI agents: fetch pages behind Cloudflare/DataDome/CAPTCHA, extract clean data.", "version": "0.1.3", "repository": { "url": "https://github.com/tiliondev/fortress", "source": "github" }, "websiteUrl": "https://tilion.dev", "packages": { "registryType": "pypi", "registryBaseUrl": "https://pypi.org", "identifier": "tilion", "version": "0.1.3", "runtimeHint": "uvx", "transport": { "type": "stdio" }, "packageArguments": { "type": "positional", "value": "tilion-mcp", "valueHint": "console-script" } , "environmentVariables": { "na… Evidence: `mcp/server.json`
- **https://editorconfig.org — consistent formatting across editors.** (source_file): https://editorconfig.org — consistent formatting across editors. root = true Evidence: `.editorconfig`
- **Normalize line endings so a Windows checkout can't corrupt the patch set.** (source_file): Normalize line endings so a Windows checkout can't corrupt the patch set. git apply on patches/ .patch is whitespace-sensitive; CRLF creep silently breaks it. Evidence: `.gitattributes`
- **Chromium build output — never committed lives in Releases / built locally** (source_file): Chromium build output — never committed lives in Releases / built locally out/ src/ depot tools/ .tar.gz .deb .AppImage Evidence: `.gitignore`
- **Chromium Version** (source_file): 151.0.7908.0 Evidence: `CHROMIUM_VERSION`
- **Fortress developer tasks. These wrap the scripts that already live in the repo;** (source_file): Fortress developer tasks. These wrap the scripts that already live in the repo; nothing here compiles Chromium see docs/BUILD NATIVE.md for that . .DEFAULT GOAL := help PYTHON ?= python3 BUNDLE ?= dist/tilion-fortress Evidence: `Makefile`
- **Notice** (source_file): Fortress — third-party notices =============================== Evidence: `NOTICE`
- **Scrape Demos** (source_file): OUT = Path file .resolve .parent VIEWPORT = {"width": 1180, "height": 820} FPS = 9 ⋮---- FX SETUP = r""" ⋮---- class Cap ⋮---- def init self, pg, frames dir ⋮---- def fx self ⋮---- def frame self, state, reps=1 ⋮---- def pops self, base, box, reps= 0.34, 0.7, 1.0 ⋮---- b = dict box ; b "active" = True; b "pop" = pv ⋮---- def d paginated pg, cap ⋮---- total = 0 ⋮---- cnt = pg.evaluate " = document.querySelectorAll 'div.quote' .length" data = pg.evaluate """ = ...document.querySelectorAll 'div.quote' .slice 0,3 .map q= ⋮---- base = {"title": "paginated scrape", "status": f"page {page}/3 · {total+i+1} quotes", ⋮---- def d structured pg, cap ⋮---- books = pg.evaluate """ = ...document.querySele… Evidence: `examples/scrape_demos.py`
- **Fortress** (source_file): Fortress is an open-source stealth Chromium engine. It corrects the browser fingerprint canvas, WebGL, audio, fonts, navigator, and ~30 more surfaces in Chromium's C++ and exposes raw CDP on http://localhost:9222, so scrapers and browser agents pass bot detection. It is a drop-in for Playwright and Puppeteer: keep your automation code, point it at Fortress over CDP. Evidence: `llms.txt`
- **Per-tool wall-clock cap: a hung nav/crawl must NOT wedge the shared browser it** (source_file): READ = ToolAnnotations readOnlyHint=True, openWorldHint=True LOCAL = ToolAnnotations readOnlyHint=True, openWorldHint=False WRITE = ToolAnnotations readOnlyHint=False, openWorldHint=True DESTRUCTIVE = ToolAnnotations readOnlyHint=False, destructiveHint=True, openWorldHint=True ⋮---- def env name: str, default: str None = None - str None ⋮---- Per-tool wall-clock cap: a hung nav/crawl must NOT wedge the shared browser it holds a per-origin lock . On timeout the coroutine is cancelled unwinding the lock and a structured error is returned. Tune via env. TOOL TIMEOUT = float env "MCP TOOL TIMEOUT", "120" ⋮---- def safe fn ⋮---- @functools.wraps fn async def wrap args, kwargs ⋮---- except Except… Evidence: `mcp/server.py`
- **Smithery** (source_file): startCommand: type: stdio configSchema: type: object properties: prewarm: type: boolean default: true description: Boot the stealth browser at startup so the first tool call is instant. headless: type: boolean default: true description: Run the browser headless false shows a window . allowPrivateEgress: type: boolean default: false description: Allow tools to reach localhost / private IPs turns off the SSRF guard . required: commandFunction: config = { command: "tilion-mcp", args: , env: { TILION MCP PREWARM: config.prewarm === false ? "0" : "1", TILION MCP HEADLESS: config.headless === false ? "0" : "1", TILION ALLOW PRIVATE EGRESS: config.allowPrivateEgress ? "1" : "0" } } Evidence: `mcp/smithery.yaml`
- **syntax=docker/dockerfile:1** (source_file): syntax=docker/dockerfile:1 Fortress — stealth Chromium as a CDP endpoint. Works on any OS that runs Docker. Build from a dir containing the extracted tilion-fortress/ bundle + packaging/docker-entrypoint.sh : DOCKER BUILDKIT=1 docker build -f packaging/Dockerfile -t tilion/fortress:latest . Run: docker run --rm -p 9222:9222 tilion/fortress:latest - connect over cdp "http://localhost:9222" Size-optimized: ELF strip + locale trim in a throwaway prep stage the toolchain never ships , and COPY --chown at copy time so the bundle is stored ONCE. A chown -R RUN after a COPY rewrites every file's metadata and duplicates the whole bundle into a second layer. Stealth is byte-identical after strip — v… Evidence: `packaging/Dockerfile`
- **Build Bundle** (source_file): set -euo pipefail REPO="$ cd "$ dirname "${BASH SOURCE 0 }" /.." && pwd " SRC="${1:?out/Fortress dir}"; FONTS="${2:?fonts dir}"; DEST="${3:?dest dir}"; PLATFORM="${4:-linux-x64}" B="$DEST/tilion-fortress" rm -rf "$B"; mkdir -p "$B/fonts" RUNTIME= chrome chrome crashpad handler chrome 100 percent.pak chrome 200 percent.pak headless command resources.pak resources.pak icudtl.dat snapshot blob.bin v8 context snapshot.bin libEGL.so libGLESv2.so libvk swiftshader.so libVkICD mock icd.so libqt5 shim.so libqt6 shim.so libvulkan.so.1 vk swiftshader icd.json for f in "${RUNTIME @ }"; do -e "$SRC/$f" && cp -a "$SRC/$f" "$B/$f" done cp -a "$SRC/locales" "$B/locales" if command -v strip /dev/null 2 &1;… Evidence: `packaging/build-bundle.sh`
- **Build Deb** (source_file): set -euo pipefail REPO="$ cd "$ dirname "${BASH SOURCE 0 }" /.." && pwd " BUNDLE="${1:?path to an extracted tilion-fortress/ bundle}" VER="${2:?version, e.g. 151.0.7908.0}" DEST="${3:-$ pwd }" PKG="$DEST/tilion-fortress ${VER} amd64" rm -rf "$PKG"; mkdir -p "$PKG/opt/tilion" "$PKG/usr/bin" "$PKG/DEBIAN" cp -a "$BUNDLE/." "$PKG/opt/tilion/" ln -sf /opt/tilion/tilion "$PKG/usr/bin/tilion" INSTALLED KB=$ du -sk "$PKG/opt" cut -f1 cat "$PKG/DEBIAN/control" Installed-Size: $INSTALLED KB Depends: libnss3, libnspr4, libatk1.0-0, libatk-bridge2.0-0, libcups2, libdrm2, libxkbcommon0, libxcomposite1, libxdamage1, libxfixes3, libxrandr2, libgbm1, libpango-1.0-0, libcairo2, libasound2, libxshmfence1, l… Evidence: `packaging/build-deb.sh`
- **Bundle Readme** (source_file): Tilion Fortress - stealth Chromium 151 Linux x64 =================================================== Evidence: `packaging/bundle-README.txt`
- **Docker Entrypoint** (source_file): set -e INTERNAL=9223 EXTERNAL=9222 /opt/tilion/tilion \ --headless=new \ --no-sandbox \ --enable-unsafe-swiftshader \ --remote-debugging-port="$INTERNAL" \ --user-data-dir=/tmp/tilion-profile \ "$@" & CHROME PID=$! trap 'kill "$CHROME PID" 2 /dev/null true' TERM INT for in $ seq 1 80 ; do if exec 3< "/dev/tcp/127.0.0.1/$INTERNAL" 2 /dev/null; then exec 3 &-; break; fi sleep 0.5 done exec socat TCP-LISTEN:"$EXTERNAL",fork,reuseaddr TCP:127.0.0.1:"$INTERNAL" Evidence: `packaging/docker-entrypoint.sh`
- **Fonts.Conf** (source_file): @FONTDIR@ @CACHEDIR@ sans-serif Arial Segoe UI serif Times New Roman monospace Courier New Consolas Arial sans-serif emoji Segoe UI Emoji Liberation Sans uxr none Liberation Serif uxr none Liberation Mono uxr none Carlito uxr none Caladea uxr none Evidence: `packaging/fonts.conf.template`
- **!/usr/bin/env bash** (source_file): !/usr/bin/env bash Tilion Fortress launcher - runs the stealth Chromium with a coherent default Windows persona + bundled fonts. Override any --uxr- by passing your own. Env: TILION NO DEFAULTS=1 skip default persona TILION TZ / TILION LANG tweak set -e HERE="$ cd "$ dirname "$ readlink -f "${BASH SOURCE 0 }" " " && pwd " CACHE="${XDG CACHE HOME:-$HOME/.cache}/tilion"; mkdir -p "$CACHE/fc" CONF="$CACHE/fonts.conf" sed -e "s @FONTDIR@ $HERE/fonts g" -e "s @CACHEDIR@ $CACHE/fc g" "$HERE/fonts/fonts.conf.template" "$CONF" export FONTCONFIG FILE="$CONF" export VK ICD FILENAMES="$HERE/vk swiftshader icd.json" Set process TZ to the persona timezone so it is coherent from the FIRST tick the in-ren… Evidence: `packaging/tilion`
- **Tilion** (source_file): @echo off REM Tilion Fortress launcher Windows . Applies a coherent default Windows persona via REM --uxr- switches + enables WebGPU presence, then runs chrome.exe with all passthrough args. REM Windows uses system fonts which already match the spoofed OS , so no fontconfig bundle. REM Override: pass your own --uxr- flags, or set TILION NO DEFAULTS=1 for a bare launch. setlocal set HERE=%~dp0 set VK ICD FILENAMES=%HERE%vk swiftshader icd.json set DEF= if not defined TILION NO DEFAULTS set DEF=^ --uxr-platform=Win32 --uxr-ua-platform=Windows "--uxr-ua-os=Windows NT 10.0; Win64; x64"^ --uxr-ua-arch=x86 --uxr-ua-bitness=64 --uxr-ua-platform-version=15.0.0 "--uxr-ua-brand=Google Chrome"^ --uxr-… Evidence: `packaging/tilion.cmd`
- **0005 Content Browser Renderer Host Render Process Host Impl Cc** (source_file): diff --git a/content/browser/renderer host/render process host impl.cc b/content/browser/renderer host/render process host impl.cc index 4c144f58e7..24acc0ba0d 100644 --- a/content/browser/renderer host/render process host impl.cc +++ b/content/browser/renderer host/render process host impl.cc @@ -2011,6 +2011,22 @@ bool RenderProcessHostImpl::Init { storage partition impl - cors exempt header list , GetContentClient - browser - GetOriginTrialsSettings , cpu tier, trace id ; + // UXR: forward persona/seed config to the renderer over IPC read from the + // BROWSER command line , so these values never land on the renderer cmdline. + { + base::flat map uxr cfg; + for const auto& sw : + base::C… Evidence: `patches/0005-content-browser-renderer_host-render_process_host_impl-cc.patch`
- **0006 Content Common Renderer Mojom** (source_file): diff --git a/content/common/renderer.mojom b/content/common/renderer.mojom index 2955d7d1cd..9ef074a880 100644 --- a/content/common/renderer.mojom +++ b/content/common/renderer.mojom @@ -179,4 +179,8 @@ interface Renderer { blink.mojom.OriginTrialsSettings? origin trials settings, blink.mojom.PerformanceTier cpu performance tier, uint64 trace id ; + + // UXR persona config delivered out-of-band NOT via the renderer command + // line so persona values + seeds never appear in /proc/ /cmdline. + SetUxrConfig map config ; }; Evidence: `patches/0006-content-common-renderer-mojom.patch`
- **include "base/allocator/partition alloc support.h"** (source_file): diff --git a/content/renderer/render thread impl.cc b/content/renderer/render thread impl.cc index dd47470e28..a06a013d89 100644 --- a/content/renderer/render thread impl.cc +++ b/content/renderer/render thread impl.cc @@ -17,6 +17,9 @@ include "base/allocator/partition alloc support.h" include "base/at exit.h" include "base/command line.h" + include "base/containers/flat map.h" + include "base/i18n/rtl.h" + include "base/uxr config.h" include "base/debug/crash logging.h" include "base/feature list.h" include "base/functional/bind.h" @@ -848,6 +851,13 @@ void RenderThreadImpl::InitializeWebKit mojo::BinderMap binders { blink::WebImageGenerator::CreateAsSkImageGenerator ; } Evidence: `patches/0007-content-renderer-render_thread_impl-cc.patch`
- The remaining 18 evidence entries are in `AI_CONTEXT_PACK.json` or `EVIDENCE_INDEX.json`.

## Rules the Host AI Must Follow

- **Treat this asset as pre-work context, not a runtime environment.**: The AI Context Pack contains only an evidence-backed understanding of the project, not the project's executable state. Evidence: `AGENTS.md`, `README.md`, `examples/README.md`
- **When answering the user, distinguish what can be previewed from what can only be verified after install.**: The consumer value of the pre-install experience comes from reducing bad installs and misjudgments, not from pretending to be a real run. Evidence: `AGENTS.md`, `README.md`, `examples/README.md`

## Questions the User Should Answer First

- Which host AI or local environment do you plan to use it in?
- Do you just want to experience the workflow first, or are you ready to actually install?
- What matters most to you: install cost, output quality, or conflicts with your existing rules?

## Acceptance Checks

- Every capability claim can be traced back to a file path in evidence_refs.
- AI_CONTEXT_PACK.md does not package previews as a real run.
- The user can understand who it fits, what it can do, how to start, and the risk boundaries within 3 minutes.

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **Introduction: What Fortress Is and Why It Patches the Engine**: importance `high`
  - source_paths: README.md, CHROMIUM_VERSION, AGENTS.md
- **The C++ Patch Series & Persona Engine**: importance `high`
  - source_paths: patches/README.md, patches/series, patches/0001-base-BUILD-gn.patch, patches/0002-base-uxr_config-cc.patch, patches/0003-base-uxr_config-h.patch
- **SDKs, MCP Server, and Distribution Packaging**: importance `high`
  - source_paths: sdk/python/tilion_fortress/__init__.py, sdk/python/tilion_fortress/__main__.py, sdk/python/pyproject.toml, sdk/python/README.md, sdk/node/index.js
- **Tools, Verification, CI, and Known Operational Issues**: importance `high`
  - source_paths: tools/check_patches.py, tools/gauntlet.py, tools/verify_release.py, Makefile, .pre-commit-config.yaml

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `8602b222934b8289b8987c35520a58afb0251f1a`
- inspected_files: `README.md`, `docs/BENCHMARK.md`, `docs/BUILD_NATIVE.md`, `docs/GAUNTLET_RESULTS.md`, `docs/PERSONA_ENGINE.md`, `docs/gauntlet-sample.json`, `examples/README.md`, `examples/scrape_demos.py`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Capability evidence risk requires verification

- Trigger: README/documentation is current enough for a first validation pass.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/tiliondev/fortress
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/tiliondev/fortress
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/tiliondev/fortress
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.
