Arceo modes make the adoption path explicit. Synthetic demos, launch review, staging rehearsal, mature existing-product imports, and incident regressions all use the same safety spine: no scope mutation, no credential use, no exploit payloads, no real exfiltration, and no live production probing by default.
Every non-static run that touches a target still requires a human-created signed AuthorizationScope. The MCP, REST, and agent-callable surfaces cannot create, widen, or relax scopes.
| Mode | requires_scope | allows_live_probe | requires_canary_accounts | default_rate_limits | allowed_target_sources | output emphasis |
|---|---|---|---|---|---|---|
synthetic |
true | false | false | max_requests=200, max_concurrency=8, backoff=true |
built-in synthetic target | synthetic self-consistency backtest; no external product data |
launch-review |
false | false | false | max_requests=0, max_concurrency=0, backoff=true |
before/after ProductModels | static ProductModel diff; no live probing by default |
staging |
true | false | true | max_requests=20, max_concurrency=2, backoff=true |
staging ProductModel, canary staging target | canary-only staging rehearsal with stricter signed-scope limits |
existing-imported |
true | false | false | max_requests=80, max_concurrency=4, backoff=true |
ProductModel, EntitlementGraph | mature products via imported ProductModel/EntitlementGraph; no live probing |
incident-regression |
true | false | true | max_requests=50, max_concurrency=3, backoff=true |
stored abuse regressions, sanitized incidents, stored findings | canary-only rerun of stored incident/finding regressions |
arceo run --mode synthetic --scope <scope_id> --target synthetic-saas
Synthetic mode is the existing built-in target path. It uses no external product data and remains the safest local demo and backtest path.
arceo run --mode launch-review --before before.json --after after.json
Launch-review mode compares two sanitized ProductModels. It is static by design: no
live probing, no target scope required, and no network calls. If the launch gate blocks,
the command returns the same non-zero status as arceo launch-review.
arceo run --mode staging --scope <scope_id> --target staging_model.json
Staging mode is for canary-only rehearsal with stricter signed-scope limits. The scope must already exist, must allow the resolved target, and must be at least as strict as the mode defaults. The ProductModel or CLI must identify canary accounts.
arceo run --mode existing-imported --scope <scope_id> --target product_model.json
Existing-imported mode is the first-class path for mature products. Operators provide
a sanitized ProductModel/EntitlementGraph instead of a live adapter. Arceo registers an
in-process imported target, requires a signed scope for the resolved imported:<id>
target, and runs model-only rehearsal with no live probing.
arceo run --mode incident-regression --scope <scope_id> --target synthetic-saas
Incident-regression mode reruns stored abuse regressions created from sanitized incidents or previous findings. It uses the same signed scope and target allowlist gate as normal runs, and outputs regression results rather than a new general report.
allows_live_probeis false for every mode in the stdlib core.requires_scopeis true for every target-running mode except staticlaunch-review.requires_canary_accountsis true forstagingandincident-regression.default_rate_limitsare mode defaults, not a permission to relax a signed scope.allowed_target_sourcesdescribe accepted local inputs; they do not authorize new targets.- output emphasis is descriptive only and never changes the authorization gate.
- no scope mutation tools exist for any mode.