ContextOS 2026
The 2026 framework revision for durable, multimodal, multi-agent systems, including compatibility boundaries and an incremental adoption path.
ContextOS 2026 keeps the five-plane architecture and changes what qualifies as a governed run. The original framework assumed a mostly synchronous agent choosing API tools from a prompt-sized context. Current systems reason across modalities, operate browsers and computers, delegate to other agents, pause for hours or days, and route work across models with different capabilities. Those are runtime properties, not prompt-design details.
What changed since the original framework
| Earlier assumption | 2026 reality | ContextOS revision |
|---|---|---|
| One model is the agent | Models are routed by capability, risk, cost, residency, and measured quality | Model profiles and deterministic RoutingDecision lineage |
| Tools are API functions | Agents also use browsers, computers, agent peers, and asynchronous tasks | Interaction boundary is part of action risk and audit |
| Risk fits one tier | Effect, authority, reversibility, interaction, and data exposure vary independently | Multidimensional ActionRisk; ApprovalMode becomes a compatibility projection |
| A run ends with one response | Work pauses, checkpoints, waits for approvals, and resumes | Durable session state with pinned artifacts and monotonic budgets |
| More context is better | Long context can amplify stale, hostile, or irrelevant content | Provenance, trust labels, omission ledgers, and evidence coverage gates |
| Multi-agent means parallel prompts | Delegation creates a new authority and budget boundary | Parent-issued child claims, scoped budgets, isolated effects, merge verdicts |
| Evaluation happens after launch | Harnesses can search prompts, routing, retrieval, and orchestration continuously | Proposal-based improvement with holdouts, release gates, and rollback |
The seven 2026 invariants
- Authority is explicit. Every model call, tool call, delegation, and approval names the principal chain and scope ceiling.
- Risk is multidimensional. Policy evaluates effect, authority, reversibility, interaction, and data classification independently.
- Context is evidence. Every material block has provenance, trust treatment, freshness, and a reason for inclusion; omission is recorded too.
- Execution is durable. A long-running run can checkpoint and resume without repeating effects or silently refreshing pinned inputs.
- Delegation narrows. A child agent receives a strict subset of the parent’s authority, tools, data scope, time, and budget.
- Models are replaceable dependencies. Routing is deterministic for identical recorded inputs, and every fallback preserves the requested contract.
- Change is governed. Agents may propose improvements; they do not silently promote policy, memory, prompts, tools, evaluators, or routing rules.
Revised contract stack
RunContext
authority + tenant + trace + monotonic budget + session pins
-> ContextPack
policy + evidence requirements + tools + memory + decision specs
-> CompiledContext
selected blocks + provenance + omissions + controls + hash
-> RoutingDecision + bounded decision loop
model profile + plan + critic verdicts + delegation lanes
-> ToolEnvelope / AgentDelegationEnvelope
ActionRisk + principal chain + policy decision + idempotency
-> DecisionRecord + ReplayPacket
outcome + effects + evidence + lineage + scorecard + replay stateThe reference compiler remains deterministic. Model inference may be probabilistic, but artifact selection, policy evaluation, budget checks, capability filtering, and threshold comparisons are reproducible from recorded inputs.
Native action risk
The original ApprovalMode values—read_only, local_write, network, delegated, and destructive—are useful operational labels but not a coherent ordering. network describes location, delegated describes authority, and destructive describes reversibility.
The 2026 contract adds ActionRisk:
{
"effect": "external_state",
"authority": "user_delegated",
"reversibility": "compensatable",
"interaction": "browser",
"data_scope": "CONFIDENTIAL",
"decision_ttl_seconds": 120
}Policy checks each dimension and the actual arguments immediately before execution. The legacy approval mode remains in the v1 ToolCallEnvelope; native risk fields are additive in v1 and become required in the next major envelope.
Durable and delegated execution
A durable session pins its Context Pack, policy bundles, knowledge snapshot, model-routing policy, evaluator suite, and tool registry view. Resume restores atomic budget usage and continues after the last committed Critic verdict. It never replays a completed effect merely because a process restarted.
A delegation is a derived run, not an informal message. The parent issues a child identity claim with:
- allowed intents and output schema;
- capability allow-list and argument ceilings;
- data classification ceiling;
- token, cost, tool-call, and wall-clock sub-budgets;
- expiration and cancellation semantics;
- a rule that child effects remain isolated until the parent Critic accepts them.
The parent’s authority is an upper bound. Delegation cannot mint permission, reset consumed budget, or hide model/tool calls from the parent trace.
Multimodal and computer-use agents
Screenshots, audio, documents, and UI state enter the Context plane as content-addressed artifacts. Extracted text is derived evidence and retains a pointer to the source artifact and extraction model. Instructions found inside retrieved content or a UI are untrusted data unless policy explicitly promotes them.
Computer-use actions require a pre-action observation, a bounded action proposal, a post-action observation, and an environment receipt. Sensitive inputs are referenced through secret handles, not exposed to the model as plaintext. For irreversible or ambiguous UI actions, the Critic must prefer a human handoff over coordinate guessing.
Adoption path
| Stage | Required change | Compatibility |
|---|---|---|
| 0. Inventory | List model calls, tools, background jobs, agent peers, browser/computer surfaces, and current approvals | No runtime change |
| 1. Observe | Emit principal chains, routing lineage, context ledgers, effect receipts, and replay packets | Additive telemetry |
| 2. Classify | Add ActionRisk to capabilities and validate conservative legacy-mode projections | v1 envelopes remain accepted |
| 3. Enforce | Apply per-dimension policy and just-in-time argument checks | Mixed v1/native adapters supported |
| 4. Durabilize | Add checkpoints, artifact pins, cancellation, and monotonic budget restoration | Synchronous runs unchanged |
| 5. Delegate | Introduce child claims, sub-budgets, isolated effects, and merge verdicts | No implicit agent-to-agent authority |
| 6. Promote | Require replay, holdouts, release gates, and rollback for harness changes | Manual promotion remains valid |
What is deliberately not changed
- The five planes remain the architecture map; new capabilities fit within them.
- Policy stays outside model reasoning.
- The Tool Gateway remains the only path to external effects.
- Durable memory still requires promotion and provenance.
DecisionRecordremains the audit receipt, and replay remains the test of operational truth.- Protocols such as MCP and A2A describe interoperability; they do not grant authority.
Review checklist
A 2026-ready workflow can answer all of these with typed artifacts:
- Which principal and delegated authority permitted each effect?
- What were the action’s effect, reversibility, interaction, and data boundaries?
- What exact context did each model see, and which candidate context was omitted?
- Which model profile was selected, why, and which fallbacks were rejected?
- Can the run resume without refreshing pins or repeating side effects?
- Did every child agent receive narrower authority and a real sub-budget?
- Can the decision be replayed with side effects disabled?
- Can every promoted harness change be rolled back independently?
Next steps
- Use Foundations for the plane-by-plane operating model.
- Use Governance for native action risk and compatibility approval modes.
- Use Orchestration for durable sessions and subagent lanes.
- Use AI Gateway and LLM Router for governed model selection.
- Use API Contracts and Runtime API Schemas for executable envelopes.