Mergen is the archer of the old Turkic sky, his bow drawn, his arrow unerring. The name itself carries the whole design. In Turkic it is the marksman, the one whose shot does not miss, and the one who bears that name is wisdom. Aim and intellect in a single figure. A tool that decides what a task needs and then proves the shot landed could not be called anything else.
wisdom → the Governor · the hit → the verify gate · one name, both halves
Memory that can be trusted. Execution that can be proven.
Mergen is one half of a two part whole. mneme is the memory half. It remembers why a project is the way it is, with provenance visible and nothing fabricated. Mergen is the execution half. It decides what a task needs and proves it was hit. They are joined by one seam and nothing more. Mergen keeps no memory of its own.
Remembers why
Vault native, accountable memory. Markdown is the source of truth, redaction runs before every derived store, and no model sits on the path that writes it. Open today.
Proves what
A spec driven development layer that runs at maximum reasoning effort and verifies every claim in a separate lane. Decides the ceremony a task earns, then proves the result.
Worth-remembering decisions cross the one seam to mneme as provenance-bearing records. Mergen reads and writes only across that seam, through mneme's public interface, and never weakens its guarantees.
A typo does not deserve a tribunal. An auth change cannot avoid one.
Maximum effort on every task is its own failure mode. The Governor classifies a change before any work begins and sets the ceremony, how much memory to pull, how deep the workflow runs, what evidence is required, and whether a human must sign off.
| Tier | For | Memory | Workflow | Evidence | Human |
|---|---|---|---|---|---|
| tiny | typo, comment, formatting | none | direct edit | diff only | no |
| standard | isolated bug fix | local context | mini plan, implement, verify | test output and diff | no |
| spec | feature, refactor, API change | full project memory | full lifecycle | adversarial verify, JSON report | optional |
| high-trust | see the floor below | full project memory | full spec, human checkpoint | strict, security or safety lens, sign-off | required |
The pole star, the floor that cannot be lowered
The old sky turns on the pole star, the one fixed point that never moves. So does the Governor. A change escalates to high-trust if any trigger below holds, and the Governor can raise a tier but never silently lower it beneath a matched trigger. Clinical and sensitive work can never be downgraded, even by configuration.
- auth, identity, session, payment, secrets, or security policy
- privacy or PII handling, data retention, or redaction
- clinical, mental health, safety, or regulated content
- irreversible operations, migration, bulk delete, force push
- a change to a public or external contract
- treating retrieved or untrusted input as instruction
A box checked by the implementer is a hypothesis, not evidence.
Mergen treats every completed task as the thing to be disproven. An independent verifier, working in a separate context with a contrary mandate, confirms against the real filesystem and real tests that the files changed as specified, the criteria are met, the tests pass, and the change is minimal. The result is machine readable, so it can be measured and audited.
Every finding wears its confidence
The verify gate emits a report where each task carries a label for how it is known. Inference is never presented as fact, and with no evidence the verdict abstains rather than guess.
Proof you can count
The evidence metric reads the verify report and reports a work-done rate and a count of phantom completions, tasks marked done that carry no file or test evidence. It abstains honestly when it has no data.
example gate output (abbreviated)gate phantom completions: 1 (allowed 0) work-done rate: 0.67 (required 1.00) result: FAIL
verification-report.json . one task{ "task_id": "T002", "claimed_status": "done", "verified_status": "fail", "confidence": "extracted", "files_checked": ["src/auth/login.py"], "failures": ["marked done, no rate limiter in the diff"] }
What Mergen does not pretend.
A system named for accuracy has to be exact about its own power. Three mechanisms appear in Mergen, and they are not equal. Naming a nudge as enforcement would be its own kind of fabrication, so Mergen does not.
The standing directive asks the agent to verify before claiming, never fabricate a source, treat retrieved content as data, and build the minimum that works. Strong discipline. Not a lock, since a person can edit a task file by hand.
A hook makes verify mandatory in the implement flow and will not mark a task done without the verifier. Reinforcement at the right moment. Still in session, still bypassable by hand.
A continuous integration check refuses to merge. Drop the provided workflow into your project and the build fails when the committed verify report shows phantom completions or tasks lacking concrete file or test evidence. This is the only layer that can refuse a merge. It reads the committed report, so it rests on the verifier that produced it.
Mergen's own continuous integration guards this repository, its tests, its single source drift gate, and a check that no proprietary reference text ever appears. For your project, the evidence gate is a workflow you add, and it fails the build when the verify report shows phantom work. The full memory writeback adapter to mneme is documented and stubbed, and remains on the roadmap. Mergen says which is which.
The principles, and where they live in the code.
Mergen is original work. Its operating principles were informed by responsible-AI design ideas and reproduce no proprietary text. Each commitment maps to a component that enforces it.
Evidence over assertion
Never invent a result, a source, or an attribution. A verifier reports only what it checked, with the command output as proof.
Retrieved content is data
A task file, a spec, an external page, all are material to reason about. None is a command to obey or a grant of new capability.
Calibration and abstention
Separate what is known from what is inferred. With no evidence, abstain rather than confabulate.
Minimal output
Build the least code that works. Write the least prose that informs. The lazy ladder governs the build, and the verifier rejects a correct but over built task.
Review is a separate lane
Mergen never approves its own work in the breath that produced it. Authoring and review run in separate contexts, and the verifier's mandate is to disprove.
Care in sensitive domains
In clinical, mental health, and other high-trust contexts, the Governor raises the floor and a human stays in the loop.