Skip to main content

Lock-In Risk Analysis: Foundation Architecture

Purpose: Explain how the architecture achieves zero lock-in at every layer, and identify the implementation disciplines required to keep it that way. Architecture: Foundation Spec — component definitions, 12 architecture specs, decisions D1-D159

Why This Document Exists

The foundation spec (foundation-spec.md) makes a specific architectural argument: every component communicates through defined interfaces, so any component can be replaced without touching anything else. You can take everything with you, and you can swap anything out.

This document explains how the architecture achieves zero lock-in and what disciplines maintain it. The audience is implementers building on the Foundation and evaluators assessing the architecture's portability claims. The architecture is designed for zero lock-in at every layer — including no lock-in to the architecture itself. It's your AI system. Implementation drift from the design isn't inherently wrong — it may be intentional and that's your freedom. The risk is unintentional drift, where lock-in creeps in without you realizing it. That's what the recommendations guard against: not preventing change, but making sure you know when you're making a trade-off.

The Core Argument

The architecture achieves zero lock-in through one principle: everything is either an open standard, a file, or behind a contract you own. And the contracts themselves are swappable via adapters (D139) — thin translation layers between each contract and the components on either side.

The D147 anti-lock-in CI test makes this concrete: three normal swaps (provider, model, tool) must succeed with config-only changes, zero code edits. CI-testable on every release.

LayerWhat It IsWhy There's No Lock-In
Your MemoryUnopinionated substrate accessed through toolsZero outward dependencies. The contract is the tools, not the storage. Storage can evolve without anything else changing. Exportable in open formats.
ToolsCapabilities in the environmentTool protocol is internal to the Agent Loop — not an architectural boundary. Swap the protocol without changing anything else. A tool is a tool (D54) regardless of mechanism.
IntelligenceModels via provider interfaceConfig change swaps the model. Config change swaps the router.
InterfaceWeb app behind a contractTalks to the Gateway API, not the Agent Loop. Replace or multiply freely.
Agent LoopGeneric agent loopA commodity component — intentionally thin, intentionally generic. Swap the whole thing.
AuthCross-cutting identity layerOpen standards (OAuth 2.1, OIDC). Exportable state. Independent of every other component.
SecurityFoundation mechanismsStandard containers, open formats. No proprietary security protocols.
GatewayConversation managerInterface-agnostic. Conversations stored in Your Memory via tools. Clients swappable.

The rest of this document walks through each component to confirm this holds and to identify where implementation discipline matters.

Component Analysis

1. Your Memory (The Platform)

Spec claim: Most portable component. Tools guarantee no lock-in. Storage format is an implementation detail.

Lock-In Assessment

DimensionRisk LevelDetail
Data formatNoneOpen formats only (D48). Everything exportable. No proprietary formats, no binary blobs. Storage mechanisms (files, databases, indexes) are all behind the tool interface — swap storage without changing anything else.
Organization & conventionsNoneImplementation conventions (entry-point files, folder structure, skill format) live in Your Memory as content, not enforced by it. Any system that can read the storage can read them.
Version historyLowThe architecture requires version history capability. The specific mechanism is an implementation choice. If the mechanism evolves, define the abstract version history contract first.
Tool semanticsLowIf search means "grep" today and "semantic search" tomorrow, the tools are stable but behavior changes. Skills may need adjustment — hours, not days.

Why This Is Fully Portable

Your Memory has zero outward dependencies. Every other component depends on it — it depends on none of them. Remove any component, and Your Memory still works. Still readable. Still portable. Still yours.

The contract is the tools, not the storage. Everything accesses Your Memory through tools — the model through the Agent Loop's tool loop, infrastructure through dedicated internal tools. Storage mechanisms can evolve (files → databases → vector indexes → cloud storage) without changing any other component. Each evolution is additive — new tool implementations behind the same interface.

The memory-spec reinforces this with the "robot test" (D43): bring your memory to a future robot without rebuilding. Your Memory is independently inspectable with standard tools (text editor, file browser, database viewer) even when the system is not running.

Exit Cost

  • Moving everything: Minutes to hours depending on storage size. Export in open formats — all storage mechanisms support it.
  • Migrating version history: Depends on the implementation mechanism. Hours if the mechanism is portable (e.g., Git). Longer if converting between systems — define the abstract contract first.

Verdict

Zero lock-in. The spec's claim fully holds. Memory is the architecture's strongest portability story — zero outward dependencies, accessed through tools, exportable in open formats.

Discipline Required

  • Define the abstract version history contract before evolving the mechanism. The implementation version history choice is portable today. If storage evolves, the migration path needs to be defined before the change, not after.

2. Agent Loop (Generic Agent Loop)

Spec claim: The Agent Loop is a commodity component (D39) — intentionally thin, intentionally generic, intentionally free of product-specific logic. Swappable because there's nothing to extract or migrate.

Lock-In Assessment

The architecture has zero Agent Loop lock-in. The interface talks to the Gateway API contract, not the Agent Loop. Memory doesn't know what Agent Loop reads it. Tools are external to the Agent Loop — the tool protocol is an Agent Loop implementation detail, not an architectural boundary. Auth sits at the edge. Swapping the Agent Loop is invisible to everything else.

Because the Agent Loop is generic — zero product-specific logic — a swap means replacing one commodity implementation with another.

What an Agent Loop Swap Actually Involves

Integration PointWith Generic Agent Loop (D39)If Agent Loop Accumulates Product Logic
Gateway routingGateway routes to new Agent Loop the same wayGateway coupled to Agent Loop-specific internals
System promptsLive in Memory — Agent Loop reads them through toolsEmbedded in Agent Loop code — must be extracted
Skill executionSkills are markdown in Memory — model reads and follows them (D40)Coupled to Agent Loop-specific multi-turn behavior
Tool executionTool protocol is internal to the Agent Loop — swappable implementation detailCustom tool-calling quirks built into Agent Loop code
Provider interfaceAdapter pattern — any Agent Loop using it gets multiple providersCoupled to specific provider handling

With discipline (generic Agent Loop): Days — drop in a new Agent Loop behind the Gateway. Without discipline (Agent Loop accumulates product logic): 2-4 weeks — because logic that should live in Memory has leaked into the Agent Loop and must be extracted.

What the Gateway API Contract Protects

The contract provides real, structural protection:

  • The interface doesn't rebuild. It speaks the Gateway API, not the Agent Loop.
  • Memory is untouched. Files don't move, don't change, don't care which Agent Loop reads them.
  • Tools keep working. They're external to the Agent Loop — the tool protocol is an implementation detail, not an architectural boundary.
  • Auth stays put. It's a cross-cutting layer, independent of the Agent Loop.

An Agent Loop swap is replacing one commodity agent loop with another while everything it connects stays in place.

Exit Cost

  • With generic Agent Loop discipline (D39): Days — commodity swap
  • Without discipline (Agent Loop accumulates logic): 2-4 weeks
  • Adopting an off-the-shelf Agent Loop: Days to ~1 week

Verdict

Zero architectural lock-in. The Gateway API contract ensures the swap is contained — nothing outside the Agent Loop is affected. The Agent Loop being generic (D39) and having zero product-specific logic means the swap cost is inherently low. This is reinforced by implementation discipline, not dependent on it.

Disciplines Required

  1. Keep the Agent Loop generic (D39). Zero product-specific logic in the Agent Loop. All behavior emerges from Memory (D40).
  2. Skills and prompt assembly live in Memory, not the Agent Loop (D40). The model reads instructions from files — the Agent Loop just runs the agent loop.
  3. Document the Agent Loop's interface surface. Maintain a list of every point where the Gateway and tools connect to the Agent Loop. This is the swap checklist.

3. Interface (Web App)

Spec claim: "Just an API client" (D57). Any client that speaks the Gateway API works. Interface can be redesigned, rewritten, or replaced independently.

Lock-In Assessment

DimensionRisk LevelDetail
External dependencyNoneThe product owns the interface entirely.
Framework choiceNone (architectural)React vs. Svelte vs. Vue is a developer preference, not lock-in. The architecture doesn't care.
API contractNoneInterface speaks the Gateway API. Any client that implements the contract works. Multiple clients can coexist (web + mobile + Discord).

Exit Cost

  • Rewrite in different framework: Standard web dev effort — weeks for a full UI, but zero architectural risk.
  • Add a second interface (mobile, Discord bot): Only requires implementing the Gateway API contract. Clean.

Verdict

Zero lock-in. The spec's claim fully holds. The interface is genuinely "just an API client."

Discipline Required

  • Maintain "thin client" discipline. The interface MUST NOT cache state, manage sessions, or embed business logic. If logic moves into the interface, it weakens portability. Keep it as an API client — nothing more.
  • Version the metadata schema from day one. Even V1 should send a schema version in page metadata, so future clients can negotiate capabilities.

4. Intelligence (Models via Model API)

Spec claim: "Provider choice is configuration, not code. The thing that changes fastest in AI — which model to use — is the cheapest thing to change in this architecture."

Lock-In Assessment

Model lock-in — zero:

The provider interface abstraction works. Changing from Claude to GPT to Gemini is a config change. This is the spec's strongest swappability claim after memory.

D135 elevated models to an external dependency with a clean swappable boundary: weights are memory, inference is a tool. This creates the same clean separation that Auth has — both exist as separate concerns because swappable intelligence can't break security (Auth) and the model's reasoning capability can't be locked into the system (Models). Both share the same architectural exception: they sit outside the core component model specifically to remain independently swappable.

Provider routing — zero architectural lock-in, but has a reliability consideration:

ConcernDetailReality
Provider availabilityIf the configured provider goes down, model access stops until fallback is activatedOperational concern, not lock-in. Add a fallback path.
Provider pricingRouting layers may add margin on top of provider pricesBusiness concern, not lock-in. Can route direct at any time.
Switching providersHandle provider-specific auth, streaming, errorsConfig change via adapter pattern — not code changes

The Dependency Chain

Client
  → Gateway API
    → Agent Loop
      → Model API Adapter
        → Model Provider (Anthropic / OpenAI / Google / Ollama)

Each link is independently swappable, and the Gateway API contract means the provider chain is invisible to the interface. Cloud and local models (Ollama) are interchangeable from the Agent Loop's perspective.

Prompt Tuning Reality

In practice, system prompts and skills will be tuned for specific models. Switching models is a config change, but prompt re-tuning may be needed:

  • Config change: Minutes
  • Prompt validation/re-tuning: Hours to days

This is ongoing maintenance, not lock-in. Every AI system has this characteristic — it's inherent to working with language models.

Exit Cost

  • Switching models (same provider): Change one preference in Your Memory. Zero code changes.
  • Switching providers: Change provider_adapter in runtime config + new adapter config file. Still zero code changes.
  • Switching provider abstraction entirely: Only happens via an Agent Loop swap.

Verdict

Zero lock-in. Model swapping is genuinely a config change. Provider routing is swappable via the adapter pattern. The dependency chain is manageable and each link is independently replaceable.

Disciplines Required

  1. Add a provider fallback path. Config-level ability to route to at least one alternate provider. Test before production. This is reliability, not lock-in mitigation.
  2. Test skills against two models before launch. Validates the "config change" claim for your specific prompts.
  3. Pin dependency versions in a manifest. AI SDK, provider APIs. Monitor for breaking changes.

5. Tools (Capabilities in the Environment)

Spec claim: "We're not even locked into MCP itself. MCP is an open protocol with a permissive license — but more importantly, it describes a pattern (tool discovery + tool execution) that's more fundamental than any specific implementation."

Lock-In Assessment

Individual tool lock-in — zero:

Each tool is independent. Replace one without touching others. Add without modifying anything. This is the architecture's best feature. The tool protocol is internal to the Agent Loop (D53) — not an architectural boundary — so the protocol itself is swappable without affecting anything else.

Caught and corrected lock-in risk: The original D141 would have made tool preferences part of deployment configuration — coupling personal tool choices to the environment. D141-refined corrected this with a three-way split: definitions are self-describing (D146), plumbing lives in environment config, preferences stay in Your Memory (D145). This keeps tool preferences portable with the owner, not locked to a deployment.

Owner-controlled tool availability (D109): The owner controls which tools are sent with every prompt via an always-send set, with a discovery tool for the rest. This is a fine-grained portability mechanism — the owner's tool preferences travel with their memory, not with the deployment.

Implementation default protocol (MCP) lock-in — effectively zero:

The architectural protection is structural: tool protocol is internal to the Agent Loop, swappable without affecting other components. But the implementation default choice also matters practically:

Mitigating FactorWhy It Matters
Linux Foundation governance (AAIF)Won't be abandoned or relicensed on a whim
Founding members: Anthropic, OpenAI, BlockThe three biggest players in AI agents are invested
Ecosystem scaleThousands of MCP servers, dozens of clients. Network effects protect it.
Open specificationEven if the Foundation falters, the spec is open and forkable
Industry convergenceNo competing protocol has meaningful traction

The probability of needing to replace MCP is near zero. MCP is the default but not mandated in the architecture — CLI tools and native functions are equally valid (tools-spec). The realistic maintenance concern is MCP version updates as the spec evolves — and that's standard dependency management, not lock-in.

Exit Cost

  • Replacing a single MCP tool: Hours. Write a new server, swap the config.
  • Upgrading MCP version (minor): Hours to days of testing.
  • Upgrading MCP version (major, breaking): Days to weeks of tool updates.
  • Replacing MCP entirely: Months — but this scenario is essentially impossible given governance and adoption.

Verdict

Zero practical lock-in. MCP is the right bet. The spec's claim holds — both for individual tool swappability and for the protocol itself. The D141-refined correction demonstrates the architecture's self-correcting discipline: when a lock-in risk was identified in tool configuration, it was caught and fixed before shipping.

Discipline Required

  • Track MCP spec version and changelogs. Subscribe to AAIF announcements.
  • Budget for periodic version updates. Standard dependency maintenance.
  • Don't overbuild protocol abstraction layers. The complexity of an abstraction costs more than the near-zero risk it mitigates.
  • Keep tool preferences in Your Memory (D145), plumbing in config (D141-refined). Don't let the boundary blur.

6. Auth (Identity, Access, and Permissions)

Spec claim: Auth is a first-class component of the architecture — a cross-cutting layer (D60) independent of the Gateway, the Agent Loop, and the Model. Open standards. Exportable state. Swappable implementation.

Lock-In Assessment

DimensionRisk LevelDetail
Architecture positionNoneAuth is a cross-cutting layer (D60), independent of the Agent Loop and Gateway. No other component knows about callers.
Auth contractNoneThree operations: Authenticate, Authorize, Manage. Implementation-agnostic — any technology satisfying the contract is valid.
StandardsNoneOAuth 2.1, OpenID Connect, standard token formats. Not proprietary auth protocols.
Data formatNoneProduct-owned, not provider-specific. Enables migration between auth providers without losing identities.
State portabilityNoneAuth state is fully exportable: identities, policies, configuration. The owner's auth data belongs to them.

Why Auth is its own component (D149): If auth lived in the Model, swapping models means losing security. Auth policies, permissions, identity verification — these must persist across model swaps. This is the same argument that keeps the Model outside Memory. Memory is inert so it stays portable. Auth is independent so the Model stays swappable. Each component's independence is what makes the other components swappable.

Multi-actor schema built upfront: The identity schema supports all actor types (owner, collaborator, agent, service, economic, federated) even though only the owner flow works at runtime. Adding a new actor type is a data change, not a schema change. This prevents the most common auth lock-in: a schema that assumes single-user and requires a rewrite to support multi-actor.

Exit Cost

  • Switching auth provider: Change only the auth component — no other component is affected. Days, not weeks.
  • Switching identity provider (password → OAuth → SSO): Each is additive, not exclusive.
  • Exporting auth state to a new deployment: Policies import cleanly. References to unknown identities are preserved but inactive.

Verdict

Zero lock-in. The architecture's claim fully holds. The auth contract is implementation-agnostic, the data format is product-owned, and the state is exportable. Open standards (OAuth 2.1, OIDC) prevent protocol lock-in.

Disciplines Required

  1. Maintain open-standard adherence. Auth decisions are made — the discipline now is keeping the implementation aligned with OAuth 2.1/OIDC rather than drifting to proprietary protocols.
  2. Keep auth stateless if possible. JWT with short expiry avoids session storage infrastructure.
  3. Test auth export/import across deployments. The portability claim must be validated, not assumed.

7. Security (Foundation Mechanisms)

Spec claim: "Security controls must not create lock-in" (D29). The Foundation provides mechanisms — scope enforcement, audit logging, content separation, tool isolation, approval gates, version history. Implementations provide sensible defaults.

Lock-In Assessment

DimensionRisk LevelDetail
Tool isolationNoneOCI standard containers — Docker, Podman, containerd. No proprietary sandboxing.
EncryptionNoneNo mandatory app-level encryption in the architecture. OS encryption for local deployment. Export always works regardless of security level.
Audit loggingNoneLogging levels control detail, not whether events are logged. Schema exists from the start.
Scope enforcementNoneScope = available tools + Auth permissions (D55). No proprietary scope enforcer.
Content separationNonePrimary prompt injection defense. Standard architectural pattern, not proprietary.

Memory export always works — the owner can always get their data out regardless of system state, security level, or deployment mode. This is a non-negotiable invariant.

No deployment choice creates permanent lock-in. Security enforcement mechanisms work at every capability phase without changing. Local deployment and managed hosting use the same mechanisms with different defaults (D128).

Exit Cost

  • Switching deployment modes (local ↔ managed): Same code, different configuration (D23). No security-related migration.
  • Changing tool isolation approach: Standard container formats. Any OCI-compatible runtime works.
  • Removing all security beyond auth: The system still works. Security is additive, not load-bearing.

Verdict

Zero lock-in. Open standards throughout. Standard containers for isolation, open formats for export, no proprietary security mechanisms. The Foundation provides mechanisms — not opinions about how to use them.

Discipline Required

  • Don't introduce proprietary security mechanisms. Every security control should use open standards or common patterns. If you need custom security, it belongs in implementation product code, not the Foundation.
  • Keep memory export functional regardless of security level. This invariant must be tested, not assumed.

8. Gateway (Conversation Management)

Spec claim: The Gateway manages conversations and routes to the Agent Loop (D58). It's generic, content-agnostic, and interface-agnostic in the architecture (D59).

Lock-In Assessment

DimensionRisk LevelDetail
Conversation storageNoneConversations stored via dedicated conversation store tool (D152) — not direct Memory access. Conversations are data in Your Memory, not locked in the Gateway.
Client bindingNoneInterface-agnostic: serves web, CLI, mobile, Discord identically (D59). Any client that can send a message and receive a streamed response works.
Auth couplingNoneAuth and Gateway are fully independent (D60) — swapping either doesn't affect the other.
Agent Loop couplingNoneGateway-Agent Loop contract (D137) is a plain HTTP API. Swapping the Agent Loop doesn't require Gateway changes.

Conversations are portable. Remove the Gateway, and conversations are still intact and readable in Your Memory. The Gateway depends on Your Memory, but Your Memory doesn't depend on the Gateway.

New interaction paradigms connect without system changes. A voice interface, an AR overlay, a command-line tool — anything that speaks the Gateway API is a valid client.

Exit Cost

  • Replacing the Gateway: Implement the Gateway API contract and the Gateway-Agent Loop contract. Conversations are in Memory, not in the Gateway.
  • Adding a new client: Only requires implementing the Gateway API contract. Clean.
  • Switching from web to mobile to Discord: Conversations persist regardless of which client connects (D61). Start on one, continue on another.

Verdict

Zero lock-in. Conversations are portable (data in Your Memory, not locked in the Gateway), clients are swappable (any client that speaks the Gateway API works), and auth is independent (D60). The Gateway is a routing and conversation management layer — replace it and nothing else changes.

Discipline Required

  • Keep conversations in Your Memory via tools (D152). If conversation data leaks into Gateway-owned storage, portability breaks.
  • Maintain content-agnostic behavior (D59). The Gateway passes data through without interpretation. Product-specific conversation behavior belongs in implementations.

API Analysis

Gateway API (Product-Defined)

DimensionAssessment
Lock-inZero. The product owns this entirely. Built on the prevailing industry standard (D16), currently OpenAI Chat Completions format, swappable via adapter (D139).
Contract lock-inZero. If the industry standard shifts away from Chat Completions, a Gateway API adapter absorbs the change — components on either side stay untouched (D139).
Adapter detailThe Gateway API adapter is a thin, stateless translation layer between the external client protocol and the internal message interface. Swap the standard → swap the adapter → nothing else changes. This is a rare swap — only when industry standards shift.
DisciplineDesign it from product needs, not shaped by the current Agent Loop's patterns. This ensures the contract survives any Agent Loop swap.

Tool Protocol (Agent Loop Implementation Detail)

DimensionAssessment
Lock-inZero. Tool protocol is internal to the Agent Loop (D53) — not an API, not an architectural boundary. How the Agent Loop communicates with tools is an implementation detail, swappable without affecting any other component. The implementation default (currently MCP) has open governance and massive adoption, but the architectural protection is structural: the protocol is contained within the Agent Loop.
DisciplineTrack the chosen protocol's versions. Budget for periodic updates. Don't build abstraction layers on top.

Model API (Adapter → Provider)

DimensionAssessment
Lock-inZero. Each link independently swappable. Model API adapter translates between the Agent Loop's internal interface and whichever provider format is current — this is the most frequently swapped adapter (D139).
Concrete swap costsSame provider, different model: change one preference in Your Memory — zero code changes. Different provider: change provider_adapter in runtime config (1 field) + provide new adapter config file (1 file) + update env variable if needed — still zero code changes.
DisciplineHave a config-level fallback to at least one alternate provider. Test it before production.

Gateway ↔ Agent Loop Internal Contract (D137)

DimensionAssessment
Lock-inZero. Plain HTTP API contract — one endpoint, SSE streaming, auth on path. Not a third API — two components in the same deployment don't need the ceremony of an external API.
StandardsHTTP, Server-Sent Events, industry-standard role + content message format (D16).
Success criteriaSwapping the Agent Loop does not require Gateway changes. Swapping the Gateway does not require Agent Loop changes. Contract works as both HTTP endpoint and direct function call without shape changes.
DisciplineKeep the contract explicit and versioned. Auth middleware sits between them independently — authenticates without either component knowing how.

Contract Swappability (D139)

The contracts themselves could be a lock-in vector — if the Gateway API binds tightly to OpenAI Chat Completions and that standard shifts, both sides must change. Adapters solve this: components speak an internal interface, and a thin adapter translates to/from the current external standard. Swap the standard → swap the adapter → nothing else changes. This completes the swappability chain: Memory via tools, components via contracts, contracts via adapters. See adapter-spec.md.

Foundation-Level Protections

These cross-cutting specs protect the zero-lock-in claim at the infrastructure level. They're not components — they're the structural guarantees that every component depends on.

Configuration (D143, D144, D147)

Configuration is a cross-cutting concern with its own spec (D143). The architecture separates configuration into three strict categories:

CategoryWhere It LivesWhat It ContainsPortable?
PreferencesYour MemoryPersonal choices — model, tools, behaviorYes — travels with you
Runtime configEnvironmentDeployment details — 4 fields only (D144)No — describes this machine
Tool definitionsWith the toolsSelf-describing (D146) — config points to sourcesYes — tools carry their own identity

Runtime config is exactly 4 fields (D144). Anything more creates environment coupling. This constraint is the testability backbone: if a swap requires more than one config change, you've introduced lock-in.

The D147 anti-lock-in CI test makes every lock-in claim in this document testable:

  1. Start system with provider A, run test suite.
  2. Change to provider B via config only.
  3. Run same test suite. If any code change was required, the test fails.
  4. Repeat for model swap and tool swap.

This is the most concrete enforcement mechanism in the architecture. Every other claim in this document can be validated by this test.

Precedence chain: Environment safety > Owner preferences > Product defaults > Foundation defaults. Higher levels override lower levels, but cannot remove Foundation guarantees.

Deployment (D148, Five Guarantees)

The architecture defines local deployment only (D148). Managed hosting is an implementation concern — same code, stricter configuration via D23.

Five deployment guarantees:

  1. Runs on hardware you control. Owner-controlled hardware — your laptop, your server.
  2. Functions fully offline. No internet required for core functionality (model access is the obvious exception).
  3. Data stays local by default. No silent outbound traffic. Localhost-only network default.
  4. Runs on modern consumer hardware. No specialized infrastructure required.
  5. Single deployable unit by default. One package, one start command.

Memory inspectable without the system running. Text editor, file browser, database viewer — Your Memory is readable without booting the system. This is a portability guarantee that no proprietary system matches.

Managed hosting is an implementation concern: Same code with stricter configuration. No deployment choice creates permanent lock-in. The local path always exists.

Verdict

Zero lock-in. The local path always exists. Managed hosting is a convenience layer, not a dependency.

Customization (D153, D155)

Implementations depend on the Architecture via npm package (D155) — clean semver separation, not a fork. Foundation updates flow automatically without merge conflicts.

Foundation ships runnable code with sensible defaults, all overridable (D153). It's a working runtime, not just specs. Two boot modes: standalone (Foundation runs alone) and as-a-dependency (an Implementation imports and customizes).

Four customization mechanisms only:

MechanismWhat It CustomizesExample
Your Memory contentBehavior, personality, knowledgeSystem prompt, skills, AGENT.md
ToolsCapabilitiesAdd MCP servers, CLI tools
ConfigurationEnvironment and preferencesModel selection, provider, tool availability
ClientInterfaceWeb app, mobile app, CLI, Discord bot

Invariant: No code modification for Implementation/Personalization. All customization is runtime, not framework. Removing all implementation customization leaves a working Architecture. Implementation and Personalization use identical mechanisms — no technical difference between builder customization and owner personalization.

Verdict

Zero lock-in. Products can take Foundation updates without merge conflicts. The four-mechanism constraint prevents the customization surface from growing into a coupling surface.

Cross-Cutting Observations

1. Dependency Chain Management

The full path from user to capability:

User → Interface → Gateway API → Agent Loop → Model API Adapter → Model Provider

                               Tool Protocol → Tool → Your Memory

Each link is swappable. With 8+ components in the chain, version management matters — not because of lock-in, but because of standard dependency hygiene. This requires:

  • A dependency manifest (version-pinned)
  • A change monitoring process (watch for upstream breaking changes)
  • A testing strategy that validates the full chain, not just individual components

This is normal open-source dependency management, not an architectural concern.

2. Convention Portability (Implementation)

Implementations build conventions on top of the Foundation — entry-point files, skill formats, folder structures, methodology. This is sometimes confused with lock-in, but the architecture prevents it:

  • Conventions live in Your Memory, not enforced by it. They're content, not infrastructure. Your Memory is an unopinionated substrate (D43) — it stores them without depending on them.
  • Open formats make them readable by anything. A competing system could read everything an implementation wrote — because conventions are stored in open formats behind the tool interface. There's nothing to "export." It's already accessible.
  • What doesn't travel is the agent. The Agent Loop that acts on the conventions is a generic commodity component — and that's swappable behind the Gateway API contract.

The honest framing: conventions are portable because Memory is portable — and Memory is portable because it has zero outward dependencies.

3. Expertise Considerations

The Agent Loop's language becomes a team working language. The Agent Loop is TypeScript/Node.js (D154), which is the best match for AI agent effectiveness and developer availability. If the Agent Loop is ever swapped for an off-the-shelf alternative, the language may change — but this is a team capability consideration, not lock-in.

Summary Matrix

ComponentArchitectural Lock-InDiscipline RequiredIf Discipline Lapses
Your MemoryZeroDefine abstract version history contract before evolving the mechanismVersion history migration gets messy
Agent LoopZeroKeep generic (D39) — zero product-specific logicSwap cost grows from days to weeks
InterfaceZeroMaintain thin client — no cached state or business logicInterface becomes harder to replace or multiply
IntelligenceZeroFallback path, test against 2+ models, pin versionsSingle point of failure if provider goes down
ToolsZeroTrack tool protocol versions, keep preferences in Memory (D145)Tool config couples to deployment
AuthZeroMaintain open-standard adherence (OAuth 2.1, OIDC)Auth drifts to proprietary protocols
SecurityZeroNo proprietary security mechanismsSecurity becomes a lock-in vector
GatewayZeroKeep conversations in Memory via tools (D152)Conversation data locked in Gateway
Gateway APIZero (we own it)Design independently of current Agent LoopAPI becomes Agent Loop-specific wrapper
Model APIZero (adapter)Concrete swap costs: same-provider = 1 change, cross-provider = 2 changesProvider coupling
Gateway ↔ Agent LoopZero (internal)Keep contract explicit and versionedComponents couple internally
ConfigurationZeroKeep runtime config to 4 fields (D144)Environment coupling
DeploymentZeroLocal path always existsManaged hosting becomes a dependency
CustomizationZeroFour mechanisms only, no code modificationCustomization surface becomes coupling surface

Every element: zero architectural lock-in. The architecture delivers on its promise.

The only risk is implementation drift — letting the Agent Loop accumulate product-specific logic (violating D39), letting the interface accumulate state, letting the Gateway API shape itself around one Agent Loop. The disciplines below prevent that drift, and D147's CI test enforces it automatically.

Implementation Disciplines

Must-Maintain (During V1 Build)

#DisciplineWhat It ProtectsComponent
1Design the Gateway API independently of the Agent LoopEnsures the contract survives any Agent Loop swapGateway API
2Keep the Agent Loop generic (D39)Zero product-specific logic — keeps swap cost at daysAgent Loop
3Add a provider fallback pathReliability — config-level routing to at least one alternate providerIntelligence
4Maintain open-standard adherence in AuthOAuth 2.1/OIDC compliance — prevents proprietary protocol driftAuth
5Test skills against two models before launchValidates that model swapping actually works for your specific promptsIntelligence
6Pin all external dependency versionsDependency manifest — AI SDK, MCP spec, provider APIsCross-cutting
7Enforce "thin client" as an architectural ruleInterface stays portable and multipliableInterface
8Run D147 anti-lock-in CI test on every releaseThree swaps (provider, model, tool) succeed with config-only changesCross-cutting
9Keep runtime config to 4 fields (D144)Prevents environment couplingConfiguration

Should-Maintain (V1.1 or Ongoing)

#DisciplineWhat It ProtectsComponent
10Version the Gateway API metadata schemaMultiple clients can negotiate capabilitiesGateway
11Define abstract version history contractClean migration path if version history mechanism evolvesMemory
12Monitor tool protocol spec changesSmooth version updates, no surprisesTools
13Document the Agent Loop integration surfaceSwap checklist — every point where Gateway and tools connect to the Agent LoopAgent Loop
14Test auth export/import across deploymentsValidates auth portability claimAuth
15Keep memory export functional regardless of security levelNon-negotiable portability invariantSecurity

Conclusion

The foundation architecture is designed for zero lock-in at every layer. This analysis confirms that claim holds:

  • Your Memory is fully portable — zero outward dependencies, accessed through tools, exportable in open formats. The contract is the tools, not the storage. Storage evolves without anything else changing.
  • Tools are capabilities in the environment — the tool protocol is internal to the Agent Loop, not an architectural boundary. Swap the protocol without changing anything else. Tool preferences stay in Memory (D145), not the deployment.
  • Intelligence is a config change — models, routers, and providers are all swappable via adapters. Same-provider swap = 1 change. Cross-provider swap = 2 changes.
  • Interface talks to a contract, not an implementation. Replace or multiply freely.
  • Agent Loop is a generic commodity component. Swap the whole thing.
  • Auth is a cross-cutting layer with open standards (OAuth 2.1, OIDC), exportable state, and an implementation-agnostic contract.
  • Security uses standard containers and open formats. No proprietary security mechanisms.
  • Gateway stores conversations in Your Memory via tools. Clients are swappable. Auth is independent.
  • Configuration enforces swappability: 4-field runtime config, preferences in Memory, D147 CI test.
  • Deployment guarantees a local path always exists. Managed hosting is convenience, not dependency.
  • Customization uses four mechanisms only — no code modification required.

There is no vendor lock-in, no data lock-in, no protocol lock-in, no convention lock-in, and no contract lock-in. Even the contracts themselves are swappable — adapters (D139) sit between each contract and the components on either side, absorbing standard changes. The full swappability chain: Memory via tools, components via contracts, contracts via adapters.

The D147 anti-lock-in CI test is the concrete enforcement mechanism: three swaps (provider, model, tool) must succeed with config-only changes, zero code edits. The only risk is implementation drift — and D147 catches it automatically.

Bottom line: The architecture delivers what it promises. Maintain the disciplines, run the CI test, and every component stays swappable at every point in the future. Decisions D1 through D159 got us here. The enforcement mechanisms keep us here.

DocumentRelationship
foundation-spec.mdThe architecture being analyzed
engine-spec.mdAgent Loop component spec — generic agent loop
memory-spec.mdYour Memory component spec — portable substrate
gateway-spec.mdGateway component spec — conversation management
auth-spec.mdAuth component spec — identity, access, permissions
security-spec.mdSecurity spec — Foundation mechanisms
tools-spec.mdTools spec — capabilities in the environment
models-spec.mdModels spec — external intelligence
configuration-spec.mdConfiguration spec — runtime config and preferences
deployment-spec.mdDeployment spec — local-first guarantees
customization-spec.mdCustomization spec — Architecture/Implementation/Personalization ecosystem
adapter-spec.mdHow contracts are made swappable via adapters (D139)
gateway-engine-contract.mdGateway ↔ Agent Loop internal contract (D137)
lockin-gate.mdPR-level lock-in checklist — fast gate for every non-trivial PR
lockin-audit.mdDeep architecture audit — milestone/release gate