> ## Documentation Index
> Fetch the complete documentation index at: https://risi.q-uestionable.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Standalone Inference Servers

> How local, lab, or authorized cloud-hosted inference endpoints fit without becoming the primary harness

## Two integration roles

A standalone inference server can provide decisions through the `DecisionProvider` boundary. In
that role it receives exact target-visible context and returns only a structured synthetic
proposal.

A server exposing persistent memory or retrieval can implement `MemoryAdapter`. In that role the
server itself can become the authorized RISI or CRAF target, while evaluator snapshots and oracles
remain outside its target-visible interface.

Deployment location does not change these roles. A cloud-hosted model can remain a
`DecisionProvider`, while a cloud-hosted service that owns persistent retrieval state must satisfy
the full `MemoryAdapter` snapshot, reset, trace, and evaluator-separation contract.

## Reserved safety profiles

`risi capabilities` reports two inference profiles as reserved and not implemented:

* `authorized-local-inference` for an exact allowlisted loopback or operator-controlled lab
  endpoint;
* `authorized-remote-inference` for an exact allowlisted public HTTPS endpoint and model, such as a
  separately authorized OpenAI-compatible deployment on Runpod.

These declarations preserve future compatibility without granting network or credential access.
Neither profile will be accepted until its controls are implemented, tested, and separately
approved. Those controls include:

* a canonical target specification covering normalized endpoint components, model, network class,
  non-secret credential alias, generation controls, resource limits, approval identity, and expiry;
* separate requested target/model, provider-observed, and artifact-proven deployment identities;
* strict request/response byte, input/output token, deadline, attempt, concurrency, and spend limits;
* transport, peer-address, redirect, proxy, TLS, credential, data-egress, redaction, evidence, and
  provider-retention controls;
* operator approval bound to the exact target identity and complete resource envelope.

## Hosted inference endpoints

The preferred future integration is one narrow controlled OpenAI-compatible `DecisionProvider`,
not LiteLLM, a general provider framework, a provider SDK, or a Runpod-specific control plane.
Provider deployment, lifecycle management, billing administration, arbitrary endpoint discovery,
and provider-specific orchestration remain outside the harness unless a later approved package
demonstrates the need.

Runpod is a generic example of an authorized OpenAI-compatible endpoint. Protocol-shape tests do
not establish live Runpod compatibility. A compatibility claim requires a separately approved
exact target, credential, cost, outbound-data, evidence, and stop-policy run.

## Canonical target and identity

A future target contract binds normalized scheme, host, port, origin, and base path; requested
model; non-secret credential alias; generation controls; serialized request and response byte
ceilings; input and output token ceilings; connect, read, write, pool, and overall deadlines;
rounds, requests, attempts, retries, concurrency, spend basis and ceiling; outbound-data class;
human approval identity; and approval expiry.

Requested target/model identity, provider-reported observed identity, and artifact-proven deployment
identity are distinct. A model string or mutable alias is not proof of the deployed model or image.
Evidence and reports must state weaker reproducibility when immutable provenance is unavailable.

## Network and endpoint enforcement

Public endpoints require HTTPS and a canonical hostname. Authorized local HTTP is loopback-only.
Endpoint URLs reject user information, query strings, fragments, malformed ports, ambiguous hosts,
and unsafe IP literals.

Public resolution must use deterministic injectable A and AAAA handling, reject non-global or mixed
address sets, and pin the approved address at connection time or verify the connected peer address.
Normal TLS hostname and certificate verification remains enabled. Redirects and environment-proxy
inheritance are disabled, unexpected origins fail closed, and no unapproved proxy route is allowed.
Host, container, firewall, or VLAN egress policy remains necessary because application checks alone
cannot guarantee isolation.

## Deadlines, evidence, secrets, and cost

Remote execution requires explicit connect, read, write, pool, and overall deadlines; zero retries
by default; bounded attempts; observable cancellation; and fail-closed parsing of every untrusted
provider response. Serialized byte ceilings are independent of token limits. Evidence distinguishes
a client timeout or cancellation request from confirmed provider-side cancellation: a client
timeout does not prove provider computation or billing stopped.

Only a non-secret credential alias enters the target contract. Secret values resolve from an
approved operator-controlled secret provider and never enter configurations, manifests, logs,
evidence, exceptions, model context, or reports. Structured logging, recursive redaction, sanitized
provider errors, and negative tests for echoed or embedded secrets are mandatory.

Approval classifies every outbound data category, including prompts, candidate decisions, traces,
and experiment material, and records provider retention and privacy terms. Worst-case reservation
includes prompts, schema overhead, tokens, rounds, attempts, elapsed time, requests, and
client-enforceable spending. Provider infrastructure lifetime costs that RISI cannot stop or observe
remain residual or separately operator-bounded costs.

Remote output is captured evidence, not deterministic execution. Model-free replay must verify and
rescore the retained request and response without contacting the provider; repeating a remote call
is a new run, not replay.

The current synchronous `DecisionProvider.propose` boundary is sufficient for `local-reference` but
does not decide the future network contract. A post-M1 design must choose an asynchronous provider
or runner-owned blocking boundary that enforces deadlines, cancellation, cleanup, and elapsed-time
evidence without using wall-clock time as experimental logic.

## Post-M1 acceptance boundary

An executable inference profile remains blocked until the M1 terminal gate and a separately
approved implementation package. Deterministic acceptance tests must cover safe public and
Runpod-shaped endpoints, unsafe literals, private/reserved/mixed resolution, peer mismatch,
redirects, environment proxies, TLS failures, malformed or oversized responses, secret echoes,
timeouts, cancellation, retries, budget exhaustion, and authority-bearing identity changes. These
requirements authorize no client, dependency, credential, cloud call, or live compatibility test.

## Optional agent integrations

An MCP server, skill, or plugin may later expose the standalone harness to an agent ecosystem. Such
an integration must call the same application service and cannot register providers, weaken
budgets, grant capabilities, or bypass evidence generation.
