Agent operating contract
Read one context. Stay in scope. Return receipts.
Agents consume approved launchfile exports, propose bounded work for founder review, and execute only inside explicit approval. Every claim needs a durable receipt.
Challenge contract
Run a bounded growth mission in three minutes.
Start with the read-only quickstart, inspect the sample output, then use the authenticated manifest when you are ready to connect an agent. Public docs stay read-only context, not execution authority. After access, founder jobs include page repair packages, design-system checks, and no-publish landing briefs.
- Sample output
- Mission status, artifact state, next action, and side-effect truth.
- Approval as trust
- The exact scope is visible before any approved action can run.
- Receipt rule
- Execution is not complete without a durable terminal receipt.
- Product design capacity
- Page repair, design-system hierarchy, and landing briefs stay claim-safe until DOM and screenshot evidence exist.
Answer first
What agents may do
Read approved context. Propose bounded signals, decisions, and work orders. Execute only inside an explicitly approved scope.
Completed work requires a durable receipt — run ID, actor, scope, inputs, outputs, gate results, artifact links, side-effect status, and terminal state. A plan, tool call, or model response is not execution.
Launchfiles Agent Quickstart
External agents should use public discovery for boundaries, then use the authenticated challenge manifest as the only callable production challenge contract. Do not inspect local repos, tests, shell scripts, Vercel logs, or databases. Do not use public OpenAPI as execution authority.
1
Get a scoped challenge token from the founder.
2
Call GET /api/health.
3
Call GET /api/founder/prod-challenge-manifest with Authorization: Bearer <SCOPED_CHALLENGE_TOKEN>.
4
Create a temporary challenge product with a prod_program_suite_* slug.
5
Run a mission with POST /api/founder/run-mission.
6
Poll the returned poll_url first, or call GET /api/founder/mission-session/status?productSlug={product_slug}.
7
Inspect status, current_stage, progressTimeline, workOrders, DecisionTarget, artifacts, receipts, and handoff.
8
Cleanup the temporary challenge product with DELETE /api/founder/product.
9
Report receipt truth without claiming publish, deploy, send, spend, billing, or real-product mutation.
Authorization: Bearer <SCOPED_CHALLENGE_TOKEN>
| Step | Endpoint | Boundary |
|---|---|---|
| Health | GET /api/health | Public health only. |
| Manifest | GET /api/founder/prod-challenge-manifest | Founder session or scoped challenge token required. |
| Create product | POST /api/v1/founder/products | Only temporary prod_program_suite_* challenge products. |
| Read product | GET /api/v1/founder/products/{product_id} | Same challenge product scope only. |
| Run mission | POST /api/founder/run-mission | No publish, deploy, send, spend, or billing mutation. |
| Poll mission | GET /api/founder/mission-session/status?productSlug={product_slug} | Use the response poll_url first when present. |
| Retrieve mission | GET /api/v1/agent/missions/{mission_id}?productSlug={product_slug} | Mission retrieval only. |
| Cleanup | DELETE /api/founder/product | Idempotent cleanup for the temporary challenge product. |
Forbidden in challenge mode: publish, deploy, outbound send, spend, billing mutation, real-product access, worker-secret access, and atomic tool access.
- submission_receipt
- request accepted only
- handoff_receipt
- handoff created only
- artifact_verification_receipt
- artifact verified only
- lifecycle_execution_receipt
- bounded work executed and verified
- side_effect_receipt
- approved side effect executed
Authenticated MCP setup (hosted + local stdio)
Launchfiles exposes a hosted authenticated MCP endpoint at /api/mcp for product resources and bounded agent tools, and keeps its local stdio servers for IDE agents. Access is authenticated only; endpoint metadata is public, but there is no anonymous or free MCP resource access.
1
Get a scoped challenge token from the founder. Founders with an active session can issue one via POST /api/founder/prod-challenge-token.
2
For hosted resources and bounded tools, connect to https://launchfiles.app/api/mcp with Authorization: Bearer <SCOPED_CHALLENGE_TOKEN>.
3
Set LAUNCHFILE_MCP_AUTH_TOKEN (or SCOPED_CHALLENGE_TOKEN) in apps/web/.env.local or in your IDE MCP server env block. Never commit tokens.
4
For orchestrator tools (launchfiles-agent), also set LAUNCHFILE_AGENT_MODE=1 and DATABASE_URL in apps/web/.env.local.
5
Configure Cursor MCP from the repo root using scripts/mcp/run_readonly_mcp.sh (resources) and scripts/mcp/run_agent_mcp.sh (tools). See .cursor/mcp.json.
6
Hosted MCP metadata is public, but resources remain authenticated. Local stdio startup is also blocked without authentication.
| Server | Start script | Protocol | Tools |
|---|---|---|---|
launchfiles-readonly | scripts/mcp/run_readonly_mcp.sh (npm run mcp:stdio) | resources/list + resources/read | None (read-only resources only) |
launchfiles-agent | scripts/mcp/run_agent_mcp.sh (npm run mcp:agent) | tools/list + tools/call | launchfiles_propose_mission, launchfiles_get_mission_session, launchfiles_list_objects |
LAUNCHFILE_MCP_AUTH_TOKEN=<SCOPED_CHALLENGE_TOKEN>
Authorization for token issuance: founder session → POST /api/founder/prod-challenge-token
See /.well-known/launchfiles.json mcpIntegration and mcpQuickstart for machine-readable setup. Hosted MCP is bearer-authenticated. Challenge tokens remain workspace-, product-, and scope-bound; no approval or production side-effect tools are exposed.
Access boundaries
Public discovery surfaces describe what Launchfiles is — they do not grant execution authority, workspace access, or mutation rights. Read-only resource access is not execution. Proposal access is not approval. Route visibility is not route execution.
- public_discovery — /llms.txt, /agents, /openapi.json, /.well-known/launchfiles.json, /.well-known/launchfiles-agent.json
- authenticated_challenge_manifest — /api/founder/prod-challenge-manifest with founder session or scoped challenge token
- authenticated_local_mcp_stdio — repo-local MCP; scoped challenge token or founder internal admin required (not a public remote server)
- external_agent_readonly — sanitized context, schemas, route summaries (no internal scoring)
- customer_workspace_readonly — future workspace-scoped reads; requires auth (not live)
- customer_workspace_proposed — future proposal flows; not approval (not live)
- blocked — execute, publish, payment, and unrestricted agent execution
See /.well-known/launchfiles.json for the discovery manifest accessBoundaries section and /openapi.json for planned route boundary annotations. Authenticated challenge agents should get exact callable endpoints from /api/founder/prod-challenge-manifest, not from public OpenAPI.
Core command test
Before editing any product surface, read the current operating file and pass this check.
Cursor, read Launchfiles before editing.
An agent passes only when it can identify:
- Current approved decision
- Exact work order
- Allowed scope
- Forbidden actions
- Approval boundary
- Required proof
- Latest receipt or explicit not_run
- Unresolved gates
- Launchfiles vs Launchfiles Content boundary
Scope model
Three scopes govern every agent interaction. Proposals and plans never cross into execution without a separate approval and receipt.
| Scope | Agent may | Agent may not | Required proof | Blocked behavior |
|---|---|---|---|---|
read | Inspect approved context, doctrine refs, decisions, work orders, receipts, gates, readouts, and approved memory. | Change state, claim execution, or treat proposals as approvals. | Source mode label, object IDs, and approval boundary remain visible. | Inferring execution from plans, tool calls, or model output. |
propose | Draft signals, decisions, work orders, or memory updates for founder review. | Treat a proposal as approved truth, expand scope, or publish. | Proposal labeled proposed; supersession and cooldown when applicable. | Auto-approving or mutating production systems. |
execute_with_approval | Perform the exact approved action inside the granted scope and return proof. | Expand scope, publish, mutate unrelated systems, or skip the receipt. | Durable run ledger with terminal state and side-effect truth. | Unrestricted autonomous execution. |
Object rendering law
Every launchfile object must expose exact state in the interface. Missing proof stays missing; proposals are not approvals.
decisionExact choice, authority, rationale/why now, status, and proof.
work_orderOwner, scope, approval boundary, forbidden actions, status/blocker, required proof.
run_ledgerDid execution happen, terminal result, side effects, receipt/artifacts.
gate_resultGate ID, outcome, severity, reason, repair/proof.
approvalApprover, exact action/scope, artifact hash, time/expiry.
readoutWindow, source, observed result or explicit missing result, recommendation.
memory_updateProposed lesson, sources, confidence, approval state/supersession.
Receipt requirement
No agent execution is complete without a durable receipt adjacent to the claim it supports.
- run_id
- Durable workflow or agent run identifier.
- actor
- Human, agent, or workflow actor that initiated the run.
- scope
- Exact approved product, paths, and systems.
- inputs
- Commands, artifacts, and hashes consumed.
- outputs
- Artifacts written and verification results.
- gate_results
- Deterministic or judgment gates that permitted or blocked progression.
- artifact_links
- Paths or URLs to durable proof objects.
- side_effect_status
- Whether publish, queue, schedule, or public mutation occurred.
- terminal_state
- completed, blocked, failed, or not_run — never inferred.
A model response, tool call, or green status is not a receipt.
Deterministic agent context example
Fixture export only — secret-free, scoped, no mutable runtime state, no unrestricted execution language. Product-repo agents consume approved exports; they do not browse private orchestration source.
Agent export
launchfile_agent_export_v0{
"schemaVersion": "launchfile_agent_export_v0",
"generatedAt": "2026-06-19T19:15:00+07:00",
"sourceMode": "fixture",
"scope": {
"workspaceId": "workspace_launchfile_fixture",
"productId": "product_launchfile_fixture"
},
"currentApprovedDecision": {
"id": "decision_visual_direction_v2",
"title": "Use the Verified Operating File visual direction",
"decision": "Adopt the supplied Launchfile brand board as the V0 visual source for page and component protocol work.",
"rationale": [
"The file-first mark and restrained palette express operating-file, verified, controlled, and forward principles.",
"The selected direction removes the previous visual-source blocker without authorizing production behavior."
],
"authority": "fixture_founder"
},
"workOrder": {
"id": "work_order_frontend_protocol_v2",
"objective": "Make future Launchfile pages contract-led, visually coherent, proof-oriented, responsive, and agent-readable.",
"owner": "fixture_codex",
"allowedPaths": [
"docs/LAUNCHFILE_*.md",
"docs/page-contracts/**",
"apps/launchfile-web/**",
"__tests__/launchfile/**"
],
"allowedSystems": [
"local filesystem",
"local app",
"local browser",
"local tests"
],
"acceptanceCriteria": [
"No route exists without a Page Contract.",
"The Today route exposes fixture mode, blockers, proof, and not_run truth.",
"The component demo shows all ten approved primitives.",
"Typecheck, focused tests, build, and visual QA pass."
],
"forbiddenActions": [
"Deploy or provision infrastructure.",
"Mutate a database or production system.",
"Wire approval, execution, publishing, or legacy Content OS runtime behavior.",
"Rename legacy Content OS runtime identifiers."
],
"requiredProof": [
"Launchfile app typecheck passes.",
"Focused Launchfile tests pass.",
"Launchfile production build passes.",
"Desktop and mobile screenshots pass visual QA."
]
},
"doctrineRefs": [
"AGENTS.md",
"docs/LAUNCHFILE_PAGE_CREATION_PROTOCOL_V0.md",
"docs/LAUNCHFILE_UI_COMPONENT_SPEC_V0.md",
"docs/LAUNCHFILE_VISUAL_QA_SCORECARD_V0.md"
],
"executionAuthority": {
"mode": "execute_with_approval",
"approvalId": "approval_visual_direction_v2",
"allowedActions": [
"Edit approved local docs and fixture UI files",
"Run local verification and visual QA"
]
},
"executionTruth": {
"state": "not_run",
"reason": "This fixture contains no workflow run ledger; local UI work is not runtime execution proof.",
"latestReceipt": null
},
"unresolvedGates": [
{
"id": "gate_behavior_wiring_v2",
"gateId": "BLOCK_BEHAVIOR_WIRING",
"outcome": "fail",
"severity": "blocking",
"reason": "No separate product approval, authorization model, idempotency contract, or receipt-producing mutation path exists."
}
]
}Discovery surfaces
Public agent-readable contracts and manifests. V0 — no live remote MCP server or production API mutation on these surfaces. Local stdio MCP requires authentication (see MCP setup).
- /llms.txt — agent-readable product map and boundaries
- /openapi.json — OpenAPI 3.1 draft (most routes planned)
- /.well-known/launchfiles.json — discovery manifest
- /.well-known/launchfiles-agent.json — compatible agent discovery manifest
Product modules
Launchfiles is the operating file for AI-native startups. Website Missions and Launchfiles Content are modules inside the wider product — not the master category.
Website Missions
One module for webpage build, audit, spec, repair, comparison, optimization, and rendered browser QA. Important proof surface — not the whole company.
Search Expansion
One Growth Mission module for GSC/Bing/search-signal evidence and bounded planning — not an SEO-only product category.
Integration path
Progressive maturity from read-only context to scoped execution tools.
V0
Read approved context
Agents consume the operating file, doctrine refs, and deterministic exports like the example below.
Next
Propose signals, decisions, and work orders
Draft bounded objects for founder review without treating proposals as approved truth.
Later
Execute-with-approval tools
Run only the exact approved action with idempotency keys, expected side effects, and rollback rules.
Now
Authenticated MCP (hosted + local stdio)
Hosted product resources and bounded agent tools plus repo-local MCP for IDE agents. Hosted access requires a bearer token; no anonymous access.
Future expansion
OAuth/RAR hosted access
Replace shared or challenge bearer credentials with OAuth/RAR-bound remote access before exposing workspace data or tools.
Launchfiles / Launchfiles Content boundary
Launchfiles
The master operating file and founder/agent product surface across decisions, scoped work, proof, readouts, and memory.
Launchfiles Content
The content-specific module for evidence, strategy, generation, quality gates, review, and content readouts. Internal commands and audit paths are not public naming guidance.
Repository agents
Engineering agents opened in this repository may patch Launchfiles product code. Product-repo agents consume exported artifacts and approved execution packets only.
No mimicry
Agents do not browse or mimic private orchestration source unless explicitly opened in the repo. Launchfiles Content can generate and evaluate page packets; it is not the public master brand.