https://carpenter-ai.org/Recent content on CarpenterHugo -- gohugo.ioen© 2026 Carpenterhttps://carpenter-ai.org/docs/overview/Mon, 01 Jan 0001 00:00:00 +0000https://carpenter-ai.org/docs/overview/<h2 class="relative group">The Core Loop <div id="the-core-loop" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-core-loop" aria-label="Anchor">#</a> </span> </h2> <p>Carpenter agents follow a simple cycle: <strong>observe → generate code → review → execute → persist</strong>.</p>https://carpenter-ai.org/docs/arcs/Mon, 01 Jan 0001 00:00:00 +0000https://carpenter-ai.org/docs/arcs/<h2 class="relative group">What Is an Arc? <div id="what-is-an-arc" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#what-is-an-arc" aria-label="Anchor">#</a> </span> </h2> <p>An <strong>arc</strong> is a unit of work with a lifecycle. It is the <em>only</em> work abstraction in Carpenter — tasks, projects, cron jobs, and sub-steps are all arcs at different depths in a recursive tree.</p>https://carpenter-ai.org/docs/security/Mon, 01 Jan 0001 00:00:00 +0000https://carpenter-ai.org/docs/security/<h2 class="relative group">Threat Model <div id="threat-model" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#threat-model" aria-label="Anchor">#</a> </span> </h2> <p>Carpenter&rsquo;s threat model is <strong>prompt injection, not adversarial users</strong>. The danger is untrusted data — web content, webhooks, API responses — manipulating the AI into generating harmful code.</p>https://carpenter-ai.org/docs/research/Mon, 01 Jan 0001 00:00:00 +0000https://carpenter-ai.org/docs/research/<p>Carpenter&rsquo;s security model draws on several lines of research in agentic AI security. This page summarizes the key ideas and how they informed the design.</p> <h2 class="relative group">The Dual LLM Pattern <div id="the-dual-llm-pattern" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-dual-llm-pattern" aria-label="Anchor">#</a> </span> </h2> <p><strong>Simon Willison, 2023</strong> — <a href="https://simonwillison.net/2023/Apr/25/dual-llm-pattern/" target="_blank" rel="noreferrer">The Dual LLM pattern for building AI assistants that can resist prompt injection</a></p>https://carpenter-ai.org/docs/trust/Mon, 01 Jan 0001 00:00:00 +0000https://carpenter-ai.org/docs/trust/<h2 class="relative group">The Problem <div id="the-problem" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#the-problem" aria-label="Anchor">#</a> </span> </h2> <p>An autonomous agent that fetches web content, processes webhooks, or calls external APIs will inevitably encounter attacker-controlled data. The question isn&rsquo;t whether — it&rsquo;s how that data flows through the system without contaminating trusted operations.</p>https://carpenter-ai.org/docs/skills-and-memory/Mon, 01 Jan 0001 00:00:00 +0000https://carpenter-ai.org/docs/skills-and-memory/<h2 class="relative group">Skills <div id="skills" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#skills" aria-label="Anchor">#</a> </span> </h2> <p>Skills are knowledge-only markdown packages. They implement <strong>three-stage progressive disclosure</strong> to minimize context window consumption:</p> <table> <thead> <tr> <th>Stage</th> <th>What the agent sees</th> <th>Token cost</th> </tr> </thead> <tbody> <tr> <td><strong>1. Advertise</strong></td> <td>Compact index in system prompt: name + description</td> <td>~100 tokens per skill</td> </tr> <tr> <td><strong>2. Load</strong></td> <td>Full <code>SKILL.md</code> via <code>load_skill</code></td> <td>Varies</td> </tr> <tr> <td><strong>3. Read</strong></td> <td>Specific resource files via <code>load_skill_resource</code></td> <td>On demand</td> </tr> </tbody> </table> <p>Skills live at <code>skills_dir/{name}/SKILL.md</code> with optional <code>resources/</code> directories. Metadata is synced to a <code>skills</code> table in the database.</p>https://carpenter-ai.org/docs/platform/Mon, 01 Jan 0001 00:00:00 +0000https://carpenter-ai.org/docs/platform/<h2 class="relative group">Core vs Platform <div id="core-vs-platform" class="anchor"></div> <span class="absolute top-0 w-6 transition-opacity opacity-0 -start-6 not-prose group-hover:opacity-100 select-none"> <a class="text-primary-300 dark:text-neutral-700 !no-underline" href="#core-vs-platform" aria-label="Anchor">#</a> </span> </h2> <p>Carpenter separates platform-agnostic logic from platform-specific implementations:</p> <ul> <li><strong>Core</strong> (<code>carpenter-ai</code>) — Arc management, review pipeline, trust system, agent loop, model selection, skills, memory</li> <li><strong>Platform packages</strong> (<code>carpenter-linux</code>, <code>carpenter-android</code>, etc.) — Executors, sandbox backends, network egress enforcement, platform-specific tools</li> </ul> <p>Platform packages are thin. They register their implementations at startup, then hand off to the core:</p>