Impact Boundary Core

The Core is the decision step between agent work and real-world change.

Agents can prepare useful work. The Core decides whether that work may continue. Only admitted work reaches an adapter.

Core model

How the Core works.

The agent stops at intent. The Core decides admission. Only admitted work becomes available to the adapter that can create real external impact.

Input

Agent IntentRequested action
Context / StateCurrent facts
Policy / RulesAllowed scope

Impact Boundary Core

AdmissionValidate intent and permissions
VerificationSigned policy checks
DecisionAdmit / Block / Conflict
Impact ControlEnforce limitations
EvidenceAudit facts and results
State BindingBind to state snapshot

Adapter

GitHubRepo impact
DatabaseData ops
APIsTool actions
OrchestratorWorkflows

Outcome

ADMITTEDImpact allowed
BLOCKEDNo impact
CONFLICTRe-read required

01

Agent proposes

The agent describes what it wants to do before any outside system is touched.

02

Core checks

The Core checks state, scope, policy, evidence, and whether the request still matches the current system.

03

Core decides

The result is admitted, blocked, conflict, or needs approval. A request with large impact is held for a human, not run automatically.

04

Adapter acts

Only admitted work becomes available to an adapter.

05

Outcome is reported

The adapter reports what actually happened after the external action was attempted.

Security model

The controlled layers.

The Core is not one final yes/no check. It receives a structured intent and moves it through controlled layers before any work can leave the Core.

Security by design: five controlled layers.

Agent intent must pass through admission before it can become work.

Impact Boundary Core admission pipelineAgent intent moves through five controlled admission layers. Admitted work can leave the Core, while the direct impact path is blocked.Agent IntentRequested action1Ingress Guard2Intent Validation3State Binding4Policy Decision5AdmissionOutcomeAdmitted Work OrderImpact may leaveStructured intentDirect impact path blocked

Ingress guard

The caller and the request shape are checked first. Malformed, oversized, or wrong-token requests stop here, before any decision work begins.

Intent validation

The request must describe one bounded action against a named target and scope, not a free-form command. Anything that does not fit the contract is rejected.

State binding

The request is tied to the current target state, captured as a state hash. If the world has moved on since the agent read it, the binding no longer matches and the action cannot slip through unchecked.

Policy decision

Policy evaluates the request and returns a candidate, not a verdict. Its output is untrusted until the Core validates it: policy can recommend, but it never authorizes impact by itself.

Admission

Only the Core turns a validated request into admitted work. Blocked, conflicting, or approval-needed requests never become a work order, so they never reach an adapter.

Adapter Host

Separation is the security model.

Security does not come from trusting the agent or the adapter. It comes from keeping them apart: the agent submits through one door, adapter workers act through another, each with its own credential, and only the Core decides between them.

  • The Core decides. The agent can propose, but only an admitted Core decision can turn a request into work.
  • The adapter is dumb. It only translates admitted work into a real change. It cannot decide, skip a check, or invent work of its own.
  • The agent never sees the Core. It talks to the Host over one door and gets a decision back. It never reaches the Core or the decision path directly.
  • The worker never sees the agent side. Adapter workers claim admitted work over a separate door, with a separate credential. They never receive the agent's raw request or read its state.

Every hop is bound by a hash: the decision, the state it was checked against, and the work order. A stale or altered handoff is rejected, not executed. And the whole path is recorded locally, step by step: intent, decision, work order, claim, outcome.

User code talks to the host. Adapters only receive admitted work.

Agent-side code

Agent-side API

One local surface for state reads and proposed work.

POST /v0/read-state

Read state

POST /v0/intents

Submit intent

Idempotency-Key

Bind retry

Adapter Host binary

The local boundary host

The host keeps the user flow, Core decision, and adapter handoff in one narrow local contract.

Local API + split auth

Ingress token / adapter token

State + policy callbacks

Configured connector URLs

Core decision

Admit / block / conflict

Local state store

WorkOrder, lease, local trace

Adapter handoff

Claim work / report outcome

no raw agent intent reaches the target

Adapter worker

Target-side materialization

The adapter translates admitted work into target-system changes.

POST /v0/adapter/work-orders/claims

Claim admitted work

Materialize admitted work

Materialize target change

POST /v0/adapter/outcomes

Report bound outcome

The developer codes the agent side and the adapter side. The host binds them through Core-owned admission.

Boundaries

  • The Core is not an agent framework.
  • It does not auto-merge.
  • It does not prove semantic correctness.
  • It does not replace human review.
  • It controls the path from intent to external impact.