Reference

Open boundary contract

The contract separates requests from effects. Agents submit requests. The Core decides. Adapters only act on admitted work. Without that separation, a successful agent message can become an uncontrolled external change.

Reference

The core rule

The boundary decides before anything real changes.

  • A request is not an effect.
  • The Core decides before external impact.
  • Adapters do not decide admission.

One request path from proposal to result

Intent + state + evidence -> Core decision -> Admitted work -> Adapter -> Outcome.

Into the contract

What crosses the boundary:

  • Intent
  • State view
  • Evidence
  • Relevant policy context

Out of the contract

What comes back:

  • Core decision
  • Structured reason code
  • Deterministic decision record
  • Admitted execution token (WorkOrder), only when admitted

How the Core responds

The decision vocabulary stays small:

  • Admitted - the request may continue to an adapter.
  • Blocked - the request stops before external impact.
  • State drift detected - the current target-system state no longer matches the state view bound to the request. The request must not continue; re-read state and submit a new request.
  • Outcome - reported only after an adapter attempted the external action.

Invariants

These rules stay true even when adapters or target systems change.

  • Intent is not permission. A request can enter the boundary, but it does not authorize impact.
  • Admission is not execution. Admitted work may continue, but the external effect has not happened yet.
  • Outcome is not promise. Outcome reports what actually happened after execution was attempted.
  • No admitted decision means no external impact.
  • State drift stops the request. If current target state no longer matches the bound state view, the request must be re-read and resubmitted.

What it does not claim

The contract is a control path, not a correctness proof.

  • It does not prove that the agent is correct.
  • It does not replace human review.
  • It does not make every admitted request wise.
  • It does not give agents direct write authority.

Current scope

This is reference material for the local preview. It does not claim production security, durable enterprise audit, arbitrary MCP safety, or broad GitHub/Gmail/database compatibility.