The children's game, as an agent loop: ask what time is it, Mr. Wolf? and a one-tool
agent calls get_time — but every call is adjudicated by the real fak kernel first
(the same kernel.Fold path fak preflight uses). Pick the red-team variant and
watch a smuggled delete_calendar / wipe_disk get refused at the capability floor,
inside the loop. No model, no key, no network — deterministic by construction (the clock is injected).
ALLOW — call dispatched, result returnedDENY — refused at the floor (deny-as-value)
the wolf answers
Each row is a real verdict from the fak kernel, not a scripted transcript: the toolset installs a
capability floor (get_ allowed · delete_calendar an explicit deny · wipe_disk
off-floor → fail-closed), and the agent answers only from the results it was allowed to get. Self-contained:
no model weights, reproducible on any box. Headless self-check: go run ./cmd/timewolfdemo -selfcheck.