The core rule
The boundary decides before anything real changes.
- A request is not an effect.
- The Core decides before external impact.
- Adapters do not decide admission.
One request path from proposal to result
Intent + state + evidence -> Core decision -> Admitted work -> Adapter -> Outcome.
Into the contract
What crosses the boundary:
- Intent
- State view
- Evidence
- Relevant policy context
Out of the contract
What comes back:
- Core decision
- Structured reason code
- Deterministic decision record
- Admitted execution token (WorkOrder), only when admitted
How the Core responds
The decision vocabulary stays small:
- Admitted - the request may continue to an adapter.
- Blocked - the request stops before external impact.
- State drift detected - the current target-system state no longer matches the state view bound to the request. The request must not continue; re-read state and submit a new request.
- Outcome - reported only after an adapter attempted the external action.
Invariants
These rules stay true even when adapters or target systems change.
- Intent is not permission. A request can enter the boundary, but it does not authorize impact.
- Admission is not execution. Admitted work may continue, but the external effect has not happened yet.
- Outcome is not promise. Outcome reports what actually happened after execution was attempted.
- No admitted decision means no external impact.
- State drift stops the request. If current target state no longer matches the bound state view, the request must be re-read and resubmitted.
What it does not claim
The contract is a control path, not a correctness proof.
- It does not prove that the agent is correct.
- It does not replace human review.
- It does not make every admitted request wise.
- It does not give agents direct write authority.
Current scope
This is reference material for the local preview. It does not claim production security, durable enterprise audit, arbitrary MCP safety, or broad GitHub/Gmail/database compatibility.