01
Agent proposes
The agent describes what it wants to do before any outside system is touched.
Impact Boundary Core
Agents can prepare useful work. The Core decides whether that work may continue. Only admitted work reaches an adapter.
Core model
The agent stops at intent. The Core decides admission. Only admitted work becomes available to the adapter that can create real external impact.
Input
Impact Boundary Core
Adapter
Outcome
01
The agent describes what it wants to do before any outside system is touched.
02
The Core checks state, scope, policy, evidence, and whether the request still matches the current system.
03
The result is admitted, blocked, conflict, or needs approval. A request with large impact is held for a human, not run automatically.
04
Only admitted work becomes available to an adapter.
05
The adapter reports what actually happened after the external action was attempted.
Security model
The Core is not one final yes/no check. It receives a structured intent and moves it through controlled layers before any work can leave the Core.
Agent intent must pass through admission before it can become work.
The caller and the request shape are checked first. Malformed, oversized, or wrong-token requests stop here, before any decision work begins.
The request must describe one bounded action against a named target and scope, not a free-form command. Anything that does not fit the contract is rejected.
The request is tied to the current target state, captured as a state hash. If the world has moved on since the agent read it, the binding no longer matches and the action cannot slip through unchecked.
Policy evaluates the request and returns a candidate, not a verdict. Its output is untrusted until the Core validates it: policy can recommend, but it never authorizes impact by itself.
Only the Core turns a validated request into admitted work. Blocked, conflicting, or approval-needed requests never become a work order, so they never reach an adapter.
Adapter Host
Security does not come from trusting the agent or the adapter. It comes from keeping them apart: the agent submits through one door, adapter workers act through another, each with its own credential, and only the Core decides between them.
Every hop is bound by a hash: the decision, the state it was checked against, and the work order. A stale or altered handoff is rejected, not executed. And the whole path is recorded locally, step by step: intent, decision, work order, claim, outcome.
User code talks to the host. Adapters only receive admitted work.
Agent-side code
One local surface for state reads and proposed work.
POST /v0/read-state
Read state
POST /v0/intents
Submit intent
Idempotency-Key
Bind retry
Adapter Host binary
The host keeps the user flow, Core decision, and adapter handoff in one narrow local contract.
Local API + split auth
Ingress token / adapter token
State + policy callbacks
Configured connector URLs
Core decision
Admit / block / conflict
Local state store
WorkOrder, lease, local trace
Adapter handoff
Claim work / report outcome
no raw agent intent reaches the target
Adapter worker
The adapter translates admitted work into target-system changes.
POST /v0/adapter/work-orders/claims
Claim admitted work
Materialize admitted work
Materialize target change
POST /v0/adapter/outcomes
Report bound outcome