The Echo Angel Platform

The orchestrator governs the process. The app governs the artifact. The only model in the loop is yours.

Echo Angel is a governed-AI platform for professionals in regulated or confidentiality-bound fields. It is two tools plus the AI assistant you already use: a local-first research application that governs the documents you ship, and a session orchestrator that governs the work that produces them. Neither tool contains a model. Both connect to your own assistant as tool servers — the reasoning stays with the client you already use and trust.

Artifact Governance · Process Governance · Local-First · Model-Free Tools

The Problem

Three gaps keep capable AI out of high-stakes professional work.

Confidently wrong output. A language model produces fluent text that is not always faithful to any source — and the failure runs in both directions. Fabrication: a claim or citation that sounds right and isn't. Omission: an answer that is accurate in everything it says and wrong by what it silently leaves out — the standard element never addressed, the consideration never raised. Most tooling defends against the first and says nothing about the second.

The exfiltration problem. The dominant way to apply AI to your own material is to send that material to a hosted model. For a confidentiality-bound professional, the transmission is itself the exposure — independent of whether the answer is any good.

The accountability gap. Even when the work goes well, what would you show an auditor? A chat transcript is not a record of what was checked, what was escalated to a human, or what the governance actually did. Professional work needs a trail, and AI-assisted work mostly doesn't leave one.

The Approach

Echo Angel does not try to out-verify the mainstream pattern. It is a different architecture.

  1. No model inside either tool. Both tools are model-free: the application makes no model call of its own, and neither does the orchestrator. Adopting the platform adds no new model that sees your content.
  2. Your assistant does the reasoning. The professional's own AI assistant — the client they already use — drives both tools. The orchestrator is the outer loop, wrapping any kind of working session; the application is the inner loop, for research and drafting work.
  3. Enforcement at the point of export. The application's trust properties are not advisory suggestions on a draft. At export, the app re-checks the exact document being finalized — every claim grounded, every standard element addressed — and emits it, or refuses with reasons. A check that passed on some earlier draft cannot wave a flawed final version through.
  4. Process accountability. Every session leaves an audit trail: what was intended, what happened, what was escalated to a human, and what governance fired — durably recorded as the work happens, not reconstructed afterward.
  5. Local by default. Local mode (the default — fully offline, fail-closed) keeps sources, drafts, citations, and records on your machine; a step that would require the network is refused. The web mode (a loud opt-in) is a separate, clearly marked choice that announces itself on every use.
  6. A content-free record when even the record is sensitive. For the most sensitive work, the orchestrator can keep a content-free work record: the structure and governance outcomes are kept; the content is never stored.

[Figure: "Two tools, one governed loop". An outer frame labeled Orchestrator wraps a working session. Inside, the professional's own assistant exchanges tool calls with the research application, which searches, verifies, cites, checks coverage, and finalizes against sources that stay on the machine. At export the document is emitted only if every claim is grounded and every standard element addressed; otherwise it is refused. A session timeline along the bottom shows the audit trail.]
How the pieces interact: the professional's own assistant drives the orchestrator (process governance, outer loop) and the research application (artifact governance, inner loop); no model lives inside either tool.

The Build — Echo Angel Research (the app: artifact governance)

The application governs the document that ships. It supplies your assistant a disciplined loop of model-free tools: load and search your sources, return a passage's exact captured text for verification, record a citation, check a draft's grounding, check its coverage, and finalize. Within the verify–cite–finalize loop, the checks are deterministic — the same document and the same sources produce the same verdict.

Grounded by construction. Every claim in a finished document is tied to a specific captured source passage. A citation cannot be recorded against a source that was not captured — the check is preventive, not an after-the-fact audit.

Omission defense. A coverage check requires every standard element to be addressed or visibly dispositioned. The element sets are a framework, not a one-off checklist — the same omission defense extends across work types.

The refuse-or-emit export gate. Finalizing is the enforcement point: the app re-checks the exact document being finalized and either renders it or refuses and says what is missing.
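
A minimal sketch of the three properties above (preventive citation check, coverage check, refuse-or-emit at finalize), added here as an illustration and not Echo Angel's own code. The `Library` class, the `finalize` signature, the element set and the claim ids are all hypothetical, and the sample data is constructed.

```python
from dataclasses import dataclass, field

class CitationRefused(Exception):
    """Raised when a citation targets a passage that was never captured."""

@dataclass
class Library:
    passages: dict = field(default_factory=dict)   # passage_id -> exact captured text
    citations: dict = field(default_factory=dict)  # claim_id -> passage_id

    def capture(self, passage_id, text):
        self.passages[passage_id] = text

    def cite(self, claim_id, passage_id):
        # Preventive check: refuse at record time, not in a later audit.
        if passage_id not in self.passages:
            raise CitationRefused(f"{passage_id} was not captured")
        self.citations[claim_id] = passage_id

def finalize(doc, lib, required_elements):
    """Re-check the exact document being exported. Returns (emitted, reasons).

    Structural only: it proves each claim has a captured citation and each
    element is handled, not that the passage says what the claim says.
    """
    reasons = []
    for claim_id in doc["claims"]:
        if lib.citations.get(claim_id) not in lib.passages:
            reasons.append(f"ungrounded claim: {claim_id}")
    handled = set(doc["addressed"]) | set(doc["dispositioned"])
    for element in sorted(set(required_elements) - handled):
        reasons.append(f"element not addressed: {element}")
    return (not reasons, reasons)

# Constructed sample data (hypothetical element set and claim ids).
REQUIRED = ["scope", "method", "limitations"]

def demo():
    lib = Library()
    lib.capture("p1", "Constructed passage text.")
    lib.cite("c1", "p1")
    draft = {"claims": ["c1"], "addressed": ["scope", "method"],
             "dispositioned": ["limitations"]}
    first = finalize(draft, lib, REQUIRED)
    # The draft is edited after passing: a claim is added, a disposition dropped.
    final = {"claims": ["c1", "c2"], "addressed": ["scope", "method"],
             "dispositioned": []}
    return first, finalize(final, lib, REQUIRED)

if __name__ == "__main__":
    print(demo())
```

Because `finalize` takes the document itself rather than a cached verdict, the pass on the earlier draft has no effect on the edited version.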

What it reads. Sources can be local documents, including PDFs and scanned or image files read through OCR. OCR is handled honestly: the application reports what it cannot read before you rely on it, and text recovered by OCR carries a spot-check flag that survives into the finished document — the caveat travels with the claim instead of disappearing into a log.

What it reaches. In the web mode, the application can fetch public pages, or sources you are authorized to access, which you declare and reach through your own sign-in — authorization is the user's recorded decision, not the app's claim. The application tells you, on every use, that the web mode reaches the web. A quality check rejects and reports pages it identifies as blocks, errors, or empty shells before they can enter your source library.

How it installs. The application installs as a single local executable; optional capabilities use system tools you provision; nothing phones home in v1; a planned licensing connector — which never receives your content — is on the roadmap.

| Trust property | What it means for you |
|---|---|
| Model-free tools | The application makes no model call of its own — it adds no new model that sees your content |
| Grounded by construction | A citation cannot be recorded against a source that was not captured |
| Omission defense | A coverage check requires every standard element to be addressed or visibly dispositioned |
| The refuse-or-emit export gate | At export, the app re-checks the exact document being finalized and emits it or refuses with reasons |
| Visible boundaries | Local mode (the default — fully offline, fail-closed); the web mode (a loud opt-in) announces itself on every use |
| Honest extraction | OCR-recovered text is flagged before you rely on it, and the flag survives into the finished document |

The Build — Echo Angel Orchestrator (process governance)

The orchestrator wraps the working session itself — any kind of session, not only research. Its proof is the audit trail it produces.

Sessions you can name, leave, and resume. Sessions are named, resumable, and can run concurrently. Every call rebuilds its state from the durable record, so an interrupted session resumes where it stopped — restarts lose nothing.

A record that starts honest and stays complete. Every session's audit trail begins with a governance event — governance is engaged from the first call, not bolted on later. Events are written to the durable record before the governance checks run on them, and every check that fires is recorded with its outcome and reason: the log cannot quietly skip the uncomfortable parts.

Structure for the work. Work proceeds in bounded phases with declared intent, annotated with timestamped notes. When a decision needs a human, it is surfaced explicitly as a decision point — with a built-in governance check on how the accompanying recommendation is presented — rather than buried in prose.

Audit what was retained. The session record can be read back on demand, and the read-back respects the session's privacy settings — what you audit is what was actually kept.

A content-free option. For the most sensitive work, a session can keep a content-free work record: the structure and governance outcomes are kept; the content is never stored. The record proves the process was governed without retaining a word of what it governed.
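
The record-keeping described in the paragraphs above (a trail that opens with a governance event, events written before checks run, resumption from the durable record, and a content-free mode), as an added sketch that is not the orchestrator's own code. The JSONL layout, the `SessionLog` class and the `recommendation_has_alternatives` check are hypothetical; the decision data is constructed.

```python
import json, os, tempfile

class SessionLog:
    """Append-only JSONL session record (hypothetical layout)."""
    def __init__(self, path, content_free=False):
        self.path, self.content_free = path, content_free
        if not os.path.exists(path):  # a new trail opens with a governance event
            self._append({"type": "governance", "check": "session_opened",
                          "outcome": "engaged", "reason": "first call"})

    def _append(self, record):
        with open(self.path, "a", encoding="utf-8") as f:
            f.write(json.dumps(record, sort_keys=True) + "\n")
            f.flush()
            os.fsync(f.fileno())  # durable before the caller continues

    def record(self, kind, content, checks):
        event = {"type": kind}
        if not self.content_free:
            event["content"] = content
        self._append(event)  # the event is on disk before any check runs
        for name, check in checks.items():
            ok, reason = check(content)  # reasons are fixed strings, never content
            self._append({"type": "governance", "check": name,
                          "outcome": "pass" if ok else "fired", "reason": reason})

    def read_back(self):
        with open(self.path, encoding="utf-8") as f:
            return [json.loads(line) for line in f]

def recommendation_has_alternatives(content):
    # Hypothetical check on how a decision point is presented.
    ok = len(content.get("options", [])) >= 2
    return ok, "ok" if ok else "recommendation presented without alternatives"

def demo():
    path = os.path.join(tempfile.mkdtemp(), "session.jsonl")
    log = SessionLog(path, content_free=True)
    decision = {"recommendation": "constructed text", "options": ["A"]}
    log.record("decision_point", decision,
               {"alternatives": recommendation_has_alternatives})
    resumed = SessionLog(path, content_free=True)  # restart: same durable record
    return resumed.read_back()

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The check fires and is logged with its reason, but nothing halts, and the read-back shows the decision point's structure without any of its text.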

Isolation, tested the hard way. Sessions are isolated per caller, and per tenant namespace in hosted form. A cross-caller isolation defect was found during real concurrent use, fixed, and verified — the kind of finding a platform only makes when it is genuinely being used.

Memory with discipline. Durable lessons persist in a cross-session observation catalog, and entries leave it only through a human-ratified retirement review — institutional memory that a single session can neither invent nor quietly erase.

Key design decision: the orchestrator's evidence is structural. It does not ask you to trust a summary of how the session went; it hands you the record of what was intended, what happened, what was escalated, and what governance fired — and for the most sensitive work, it can prove the process was governed without storing the content at all.

In Production

The platform is not a concept piece — it is used to govern its own development. The sessions that build, test, and document Echo Angel run under the orchestrator: real, sustained production use across more than twenty governed sessions, which is exactly how the caller-isolation defect above was found and fixed.

Public, fully cited research deliverables have been produced under the platform's governance discipline. The lead example is the AI Harm Landscape compilation, live at ai-output-harms.pages.dev: nine parts, 248 citations across 43 sources — 205 of them warehouse-pinned to a captured source (most to a verbatim passage, the rest to a source-level reference), and every citation carrying a published verification status in the compilation's public register, including the minority marked provisional.

  • 248: Citations in the lead public deliverable, each with a published verification status
  • 205: Citations warehouse-pinned to a captured source
  • 43: Sources, each captured and verifiable
  • 308: Automated tests, green in continuous integration
  • 0 / 0: High-severity first-party findings / residual known dependency vulnerabilities

Independent of its own use, the platform has been through bounded validation — bounded meaning each check demonstrates exactly what it tested, and is described that way.

| Check | Result | What it is — and is not |
|---|---|---|
| Adversarial enforcement-integrity evaluation | Fabricated citations were refused; a draft with a silent omission was refused; a clean draft was emitted | Demonstrates the export gate on the tested paths — not a guarantee about every conceivable input |
| Static analysis of first-party code (open-source tooling, run locally — no code left the machine) | 0 high-severity findings across 91 files / 8,026 lines (3 medium and 18 low, all reviewed); the grounding, citation, and finalize core: 0 findings | Bounded open-source scanning, not a third-party security audit |
| Dependency audit | 77 dependencies, 0 residual known vulnerabilities — the one finding was the environment's own installer tool, not an application dependency; it was upgraded and re-audited to zero | A point-in-time result, re-verified at each release |
| Automated test suite | 308 tests, CI-green | Evidence the shipped behavior is exercised — not a certification |

All of the above: validated at product commit 221e1a0, 2026-06-10; re-verified at each release. This is honest, bounded evidence — not certification.

Honest Limits

What the platform does not claim.

  • Structural, not semantic. The export gate guarantees that every claim is cited and every standard element is addressed. It does not — and cannot — certify that a cited source actually says what the prose claims. That judgment remains a human responsibility; the platform removes whole classes of error, not the need for judgment.
  • The guarantees attach to the finalized document. Text copied out of an exploratory chat has not been re-checked and carries no disclaimer. The discipline is: draft freely, but produce anything you rely on through finalize.
  • The web mode reaches the web. It deliberately sends your chosen queries and fetches to the sites you target, and it says so on every use. The safe default is always local.
  • The orchestrator's built-in process gates are advisory in v1. They record, report, and surface — they do not halt a session. The audit trail shows what fired and what was done about it.
  • Not professional advice. Output is governed research synthesis; finished work carries a not-advice disclaimer directing the reader to a qualified professional.

Technical Details

This case study is the accessible layer; the depth lives in two whitepapers and a gated annex. Both tools are standard tool servers for the open Model Context Protocol, so they work with the assistant client you already use.

  • The application whitepaper covers the artifact-governance design — the model-free tool loop, grounding and coverage enforcement, the refuse-or-emit export gate, the local/web boundary, and the validation evidence — at a high level, without the build recipe. → /whitepapers/echo-angel-app.html
  • The orchestrator overview covers process governance — the session model, the audit trail, the content-free record, decision surfacing, and the v1 honesty bounds. → /whitepapers/echo-angel-orchestrator.html
  • The NDA-gated technical annex carries architectural and evaluation depth for serious technical evaluators, under protection — depth without the reproducible recipe.

Evaluate It

If you cannot send your material to someone else's model and cannot afford a confidently wrong document, the platform was built for your constraint set — and it is built to be interrogated, not taken on trust.
