Trust, audit, governance
Replay, approval modes, approval-gate handshakes, and the security boundary.
Replay Is the Real Audit Log
Why "we have logs" is not an audit story, and what a hash-chained Decision Record plus canonical replay actually buys you when an incident hits.
Replay Harness in Code: Reproducing a DecisionRecord Byte-for-Byte
Replay sounds expensive. The first replay harness I shipped ran in 18 seconds against an 8-minute production trace, because it does not re-execute tools — it re-runs the canonical loop against recorded transcripts. Here is the whole thing in TypeScript: hash-chain verifier, loop runner, DecisionRecord differ.
Approval-Mode Tiers: A Risk Taxonomy You Can Actually Ship
Why ad-hoc approval gates rot in production, and how five canonical risk tiers turn governance from a meeting into a contract.
Approval Gates in Code: The Destructive-Mode Handshake
An approval gate is not a button labeled 'approve'. It is a typed handshake between three actors — the agent's proposed call, the human approver's signature over a frozen evidence snapshot, and the gateway's redemption check. Here is each artifact in code, plus the worked path through a refund.
Prompt Injection Is a Boundary Problem, Not a Prompt Problem
Why "smarter prompts" don't defend against indirect prompt injection, and what changes when authority lives outside the model's view.