You're pledging to donate if the project hits its minimum goal and gets approved. If not, your funds will be returned.
Consumer humanoid robots are shipping into homes this year. They fold laundry, carry objects between rooms, and operate appliances, and manufacturers have converged on a common wedge task: folding laundry is the demonstration nearly every top humanoid company now leads with. These robots run LLM-based planners connected to physical actuators. Alongside general-household use, manufacturer material points to added value for older adults, disabled people, and households that need physical help, groups that by most scientific standards are considered vulnerable and that have the least margin for an unbounded actuation error.
There is no open standard for what an embodied agent is authorized to do at the physical boundary. No shared consent and revocation architecture. No public taxonomy of the harms that occur when an AI acts on a home and the people in it rather than on a screen. Existing agent-safety work concentrates on the digital layer: supervisor libraries, sandbox evaluations, multi-agent benchmarks. Those efforts stop where the physical world begins. An embodied agent acquiring authority over objects, appliances, doors, and its own movement through occupied space is an early, concrete instance of the delegation and oversight problem that AI safety exists to address, and the boundaries set now become the defaults later.
This project publishes the missing layer as a public good, in four artifacts:
A bounded action schema: a machine-readable, versioned specification of authority classes, risk tiers, consent requirements, and revocation semantics for agents directing physical actuation. It is substrate-agnostic, governing the delegation boundary for any agent acting on the physical world, with fixed devices and embodied platforms as instances of the same abstraction.
A proposed MCP profile for physical-world tools. MCP is widely adopted for LLM tool use, but how those tool calls should behave when the LLM is embodied in a physical device like a robot is not well understood, and no safety profile addresses it. The schema will be expressed as a proposal to the public MCP specification repository, with reference documentation sufficient for independent implementation. It is complete on publication, whether or not upstream adoption follows.
A harm taxonomy for embodied and fixed-device agents, mapped to NIST AI RMF categories, with severity tiers: unauthorized actuation, consent drift, revocation failure, movement into non-consented space, manipulation of protected objects, cross-device cascade, occupant misidentification, and platform-compromise scenarios.
An instrumented validation. An LLM-planned robot executing a mundane household task, laundry folding, under the schema, with every action permitted, consent-gated, or refused, and every decision logged. A planner that continues a grasp after consent was revoked, or attempts to move an object the schema classifies as protected, is blocked and the event recorded. The task is ordinary; the harm lives in context, and the layer is what distinguishes the two. Predictions about schema coverage and failure modes are pre-registered by hash before each run and scored against observed results.
The question this project answers is practical and increasingly urgent: what does an AI need to know, ask, remember, refuse, and escalate before it should be trusted to act in the places people live?
Goal 1: Publish the bounded action schema as an open standard. Draft architecture exists as an internal specification covering the authority model, threat model, and a NIST-aligned task register. The grant funds converting this into a public, versioned, machine-readable standard with a public revision process.
Goal 2: Publish the proposed MCP profile for physical-world tools to the public MCP specification repository, with documentation sufficient for independent implementation.
Goal 3: Publish the harm taxonomy under CC BY 4.0, mapped to NIST AI RMF categories.
Goal 4: Validate the schema, first in simulation, then on hardware. Simulation comes first because it is foundational: a digital twin of the target robot lets the authority layer be exercised against permitted, gated, and refused actions across many scenarios, repeatably and safely, before any physical run. The hardware validation then runs the same schema on a shipping consumer humanoid, an LLM planner issuing actions through the authority layer, logged and pre-registered, with the full technical report published regardless of outcome, including every failure case.
The hardware platform is a laundry-folding home robot shipping to US consumers (base case: Weave Isaac 0; fallback: a rented Unitree G1 if the preferred unit is not available in the project window). The G1 also carries a sharper test of a core property of the standard: it ships with a publicly documented network vulnerability (UniPwn, disclosed September 2025). An authority layer must assume the platform itself may be compromised and bound the agent's physical authority regardless. Running the validation on hardware with a known flaw tests that property directly. The platform is child-scale (roughly 127 cm, 35 kg, low collision energy), keeping the physical stakes concrete but bounded for a supervised test.
Method throughout: the LLM planner receives ordinary task instructions; the schema sits between planner and actuator as the enforcement point; predictions are hash-frozen before each run and scored after. The output is a logged, pre-registered record of what the authority layer permitted, gated, and blocked.
Minimum ($30,000) delivers the standard and the simulation validation:
Schema, MCP profile, and harm taxonomy: formalization and public release
Digital-twin simulation environment and the instrumented, pre-registered validation runs
Technical editing and publication
At $30,000 the project ships all three open artifacts and a complete simulation validation.
Full ($42,000) adds the hardware validation:
Acquisition of the shipping consumer humanoid ($10,000 including shipping), retained as durable test equipment for ongoing regression testing as the schema versions, or a rented Unitree G1 run as fallback
Integration and instrumentation of the physical run, and the public technical report and demo video
Above the full goal, additional funds support an open red-team harness others can run against embodied deployments, and independent external review of the schema before v1.0.
Scope note: this is the first phase of a larger accessibility automation program; this application funds the foundational public-good phase. The open standard, MCP profile, taxonomy, and validation report are not on Tethral's commercial roadmap and exist only if funded as public goods. Any robot purchased is retained as test equipment. All grant-funded artifacts publish under open licenses. Tethral's commercial implementation layers are outside this grant's scope and funded separately.
John Lunsford, Founder and CEO of Tethral, Inc. (Berkeley, CA). PhD, Cornell University; fellowships at MIT and Oxford. His work sits at the intersection this project requires: personal-safety and AI product leadership in physical environments at Uber (where he shipped Uber Teens, for a sensitive user population), platform security at the US Department of Justice, and invited safety testing for Anthropic. A career through-line is drafting first-of-kind governance frameworks, including Massachusetts autonomous vehicle policy, Uber's generative AI policy, and DOJ UX access policy.
Directly relevant track record:
Tethral is an active member of CSA-IOT, the Connectivity Standards Alliance, and runs an MCP host deployed to a consumer base exceeding 200,000 downloads. It also operates an active digital-twin testing platform of over 800 devices (tethral.ai/play), continually supplemented with more devices, tests, and behavioral data. The simulation validation in this project builds on that platform.
Our prior public release, Shapestate (github.com/Tethral-Inc/shapestate), detects silent model tampering from a language model's internal state. Nine structural laws were pre-registered with frozen SHA1 hashes and held across a six-model study spanning four architecture families; a seventh model, held out as a cold-acceptance test, confirmed eight of the nine, with the single break documented and the affected law revised to ordinal form. Findings are CC BY 4.0; the tool is source-available. The validation here uses the same pre-registration method.
An internal specification covering the authority model, threat model, harm taxonomy, and NIST-aligned task register is complete in draft and is the starting material for the public standard.
As a classically trained scholar and a disabled person working within my own community, any user discovery follows informed-consent best practices.
The project will engage external contractors and advisors for robot integration and evaluation as funding allows.
Most likely: the standard publishes but is not adopted. Standards without adopters are documents. Mitigation: it ships validated on a robot consumers are actually buying, the MCP profile places it in the channel the agent ecosystem already uses, and the red-team harness lowers the cost for others to engage without adopting wholesale.
Robot integration proves harder or slower than scoped. Mitigation: simulation is the funded floor and does not depend on hardware; the physical platform is a fixed-task robot chosen to bound the integration surface; and if a run stalls, the schema, profile, and taxonomy still publish, with the integration barrier documented as a finding.
The validation reveals the schema is materially incomplete. This is a partial success: a pre-registered report showing where the authority abstraction breaks is a publishable result. All logs and failure cases publish regardless.
Founder bandwidth. Tethral is an active company and I am its CEO. Mitigation: the grant reuses existing specifications and infrastructure, and the floor is simulation rather than open-ended robotics work.
If the project fails entirely: consumer humanoids keep shipping into vulnerable users' homes with no open authority layer bounding what they may do, and the defaults get set by whoever ships first rather than by an open, reviewed standard.
Tethral has raised approximately $450,000 in the last 12 months ($350,000 in debt financing and a $100,000 SAFE). This is company financing; no grant or philanthropic funding has been raised for this open-standard work, and Manifund funds would be restricted to the public-good deliverables above.