Glossary
Canonical ContextOS terms: five planes, runtime contracts, artifacts, enums, services, governance controls, and anti-terms.
How to use this glossary
| Need | Use this section |
|---|---|
| Understand the operating model | Five planes |
| Name runtime wire artifacts | Runtime contracts |
| Explain compile-time behavior | Context plane terms |
| Explain planning and decisions | Decision plane terms |
| Explain tools and external effects | Action plane terms |
| Explain knowledge, identity, and memory | Intelligence plane terms |
| Explain policy, approvals, replay, and evaluation | Trust plane terms |
| Avoid old or vague language | Anti-terms |
Canonical naming rules
| Rule | Correct | Avoid |
|---|---|---|
| Use plane names as proper nouns when naming the architecture. | Intelligence plane, Context plane, Decision plane, Action plane, Trust plane | pillar 1, pillar 2, layer 3 |
| Use runtime artifact names for wire contracts. | RunContext, ContextPack, CompiledContext, Plan, ToolEnvelope, DecisionRecord | prompt, agent state, action log |
| Use enum values exactly as schemas define them. | read_only, local_write, network, delegated, destructive | safe mode, admin mode, dangerous mode |
Use DecisionSpec for the contract and DecisionRecord for an emitted decision. | DecisionSpec -> DecisionRecord | decision config, answer record |
Use evidence_ref for a pointer and evidence bundle for the retrieved material. | evidence_ref, evidence bundle | citation, source blob |
Five planes
| Plane | One-line definition | Primary artifacts |
|---|---|---|
| Intelligence | Shared meaning over enterprise data. | ontology, CEID, SID, Knowledge Graph, evidence bundle, memory proposal |
| Context | Per-request compilation of bounded state. | ContextPack, CompiledContext, manifests, runtime controls, budget report |
| Decision | Bounded execution loop that converts compiled context into typed decisions. | Plan, Critic verdict, DecisionSpec, DecisionRecord |
| Action | Governed external effects through one Gateway. | ToolEnvelope, adapter, capability, approval gate, idempotency key |
| Trust | Control layer over the other four planes. | policy decision, evaluator scorecard, approval, OTEL trace, replay packet, improvement proposal |
Intelligence plane
The substrate of meaning: ontology, identity, knowledge graph, retrieval, memory, embeddings, and evidence provenance. It answers: “What does this entity, fact, relationship, or memory mean?”
Context plane
The compiler layer. It turns a pinned ContextPack, RunContext, evidence, policy, tools, memory, and budget into a CompiledContext. It answers: “What exactly did the model see, and what controls were active?”
Decision plane
The bounded loop: Planner proposes, Critic verifies, Executor runs approved steps, Critic scores, Consolidation emits follow-up artifacts. It answers: “What should happen next, and is the result acceptable?”
Action plane
The external-effect boundary. Every tool call crosses the Tool Gateway with policy, identity, schema validation, approval mode, idempotency, and trace context. It answers: “What touched the outside world, under which authority?”
Trust plane
The governance layer over the other four: policy, approvals, identity propagation, evaluator gates, observability, replay, incident response, and improvement promotion. It answers: “Why was this allowed, how was it measured, and how can it be replayed?”
Runtime contracts
RunContext
Per-run envelope carried through every plane. Contains run_id, trace_id, session_id, tenant_id, user delegation, agent workload identity, intent, locale, safety_mode, run_budget, and metadata.
Use it when describing execution identity and limits. Do not call it “session state”; sessions are only one scope inside it.
RunBudget
Deterministic limits for one run: total tokens, bucket tokens, max tool calls, max replan attempts, wall-clock limit, cost limit, and atomic usage counters.
Use it when discussing loop guards, context pressure, cost controls, or subagent isolation.
ApprovalMode
Canonical five-tier risk taxonomy bound to adapter capabilities, policy decisions, and decisions.
| Mode | Meaning |
|---|---|
read_only | Reads data without mutation or outbound side effect. |
local_write | Writes only to local workspace or ephemeral runtime state. |
network | Calls external systems but does not act on behalf of a user. |
delegated | Acts using delegated user authority. |
destructive | Can create irreversible or high-impact side effects. |
Tools declare the highest mode they can produce. RunContext.safety_mode filters tools above the run’s allowed mode. Policy may constrain execution; it must not silently weaken risk.
ContextPack
Versioned, signed, immutable input contract for the Context plane. It declares intelligence refs, business constraints, policy, tools, decisions, memory rules, evaluator targets, and communication constraints.
Use ContextPack for the runtime type and “Context Pack” in prose. See Context Pack.
CompiledContext
Compiler output consumed by the Decision plane. Contains compiled_prompt, manifests, runtime_controls, budget_report, and context_ledger.
Use it instead of “the prompt” when referring to the full runtime artifact.
Plan
Typed proposal from the Planner: ordered steps, dependencies, tool intents, approval requirements, and decision checkpoints.
A Plan cannot execute anything by itself.
ToolEnvelope
The ToolCallEnvelope and ToolResultEnvelope pair crossing the Tool Gateway. Carries capability identity, arguments, principal chain, approval mode, policy decision id, idempotency, evidence refs, mutation refs, audit metadata, latency, and trace context.
Use it instead of “tool call” when the governance boundary matters.
DecisionSpec
Versioned contract for one decision type. Declares decision_key, required_evidence, allowed_outcomes, approval_mode, eligibility rules, input schema, output schema, and decision right.
See Decision Catalog.
DecisionRecord
Emitted, durable decision artifact. Contains outcome, evidence refs, policy decisions, approvals, active controls, budget usage, trace ID, and replay pointer.
Do not call it a log line. It is the audit and replay artifact.
Replay packet
Pinned set of artifacts needed to re-derive a run: request, ContextPack, graph snapshot, policy bundle, model config, tool transcripts, evaluator set, and expected verdict.
Replay should not require live tool execution.
Context plane terms
Context Pack Compiler
Deterministic pipeline that transforms a ContextPack and RunContext into a CompiledContext.
Canonical stages:
- Intent classification.
- Policy resolution.
- Tool surfacing.
- Evidence retrieval.
- Memory recall.
- Token budget allocation.
- Bucket assembly.
- Manifests and runtime controls.
Context bucket
One of business, policy, tool, evidence, memory, or session. Each bucket has its own token budget and truncation behavior.
Policy manifest
The compiled list of policy bundles and rule IDs active for the run.
Use it to answer: “Which rules shaped this context?”
Tool manifest
The compiled list of adapters and capabilities exposed to the Planner and Executor.
Use it to answer: “Which tools could this run use?”
Evidence manifest
The compiled list of evidence refs available to the Decision plane.
Use it to answer: “Which facts could the decision cite?”
Runtime controls
Compiled controls active for a run: must_refuse, must_escalate, approval_gates_active, and redaction_rules_active.
Budget report
Compiler output that records allocated tokens, tokens used at compile time, and bucket truncations.
Budget reports should make context omissions visible.
Omitted context
Context that was eligible but excluded because of budget, rank, policy, freshness, or classification.
Prefer naming omitted context explicitly over saying “the model forgot.”
Environment overlay
Auditable, declared environment-specific constraint on a pack, such as endpoint refs, locale defaults, or stricter thresholds.
Overlays may constrain. They should not expand tool power.
Decision plane terms
Planner
Decision-plane component that reads CompiledContext and emits a typed Plan. It cannot execute tools or mutate state.
Executor
Decision-plane component that runs verified Plan steps through the Tool Gateway. It cannot invent new tools or bypass the Plan.
Critic
Decision-plane component that verifies Plans before execution, scores step results after execution, checks required evidence, and emits verdicts.
Critic verdict
Typed control decision from the Critic.
| Verdict | Meaning |
|---|---|
ok | Plan is valid before execution. |
accept | Run result satisfies the decision and evaluator requirements. |
retry | Repeat a bounded step without changing the plan. |
replan | Return control to the Planner under the replan budget. |
escalate | Operator, approver, or safer workflow is required. |
reject | The plan or result violates a boundary and must stop. |
Decision checkpoint
Point in a Plan where the Critic verifies a DecisionSpec before the run can continue.
Decision key
Stable identifier for a decision type, such as support.refund.execute.
Do not use a human label or UI title as the key.
Decision right
What the runtime is allowed to do under a DecisionSpec: propose, recommend, execute, or escalate.
Subagent lane
Isolated bounded sub-run with its own RunContext projection, budget slice, tool surface, and trace span. A lane cannot directly mutate parent effects.
Background session
Durable, checkpointed run that can survive process restarts and resume by session_id.
Consolidation
Post-step or post-run process that emits memory write proposals, evidence links, trace impressions, and improvement signals.
Action plane terms
Tool Gateway
Single boundary between Decision plane and external systems. It validates schemas, brokers credentials, enforces approval mode, applies policy decisions, records transcripts, and propagates trace context.
Adapter
Typed wrapper around an external system or protocol: MCP server, A2A peer, OpenAPI service, database interface, internal service, or custom connector.
Adapter registry
Registry of adapters, capabilities, endpoint refs, schemas, auth modes, and declared approval modes.
Capability
Named operation exposed by an adapter. Capabilities are inventory. Permissions decide whether a workflow may use them.
Tool permission
Context Pack entry that binds a workflow to an adapter capability under constraints such as allow, argument limits, or approval gates.
MCP
Model Context Protocol. In ContextOS, MCP is one adapter protocol behind the Tool Gateway. MCP can describe tools; ContextOS decides exposure, approval, identity, and audit.
A2A
Agent-to-agent coordination protocol category. In ContextOS, A2A delegation must still carry approval mode, identity, trace, and decision context.
OpenAPI adapter
Adapter backed by an OpenAPI-described service. Operation schemas inform validation; policy still decides whether execution is allowed.
Idempotency key
Required stable token for write-class tool calls. It lets the target system absorb retries without duplicating side effects.
Approval gate
Named checkpoint that can pause a governed action, freeze evidence, collect approval, and resume execution.
Frozen evidence snapshot
Immutable hash of the evidence bundle at the moment an approval gate is reached.
Tool transcript
Recorded input, output, policy decision, approval state, metrics, and trace info for a tool step. It is replay input, not just debug output.
Intelligence plane terms
Ontology
Versioned schema for entity types, relationships, attributes, derived fields, validation rules, and identity formats.
Entity type
Named category in the ontology, such as Customer, Order, Invoice, or Workspace.
Relationship type
Named edge type in the ontology, such as order_belongs_to_customer.
CEID
Canonical Entity ID. Stable, human-readable audit handle for an entity, for example customer:cus_77.
SID
Semantic ID. Compact representation for ML, retrieval, ranking, or recommendation. Not an audit handle.
Identity Layer
Intelligence and Trust primitive that maps source identities, CEIDs, SIDs, user identities, and agent workload identities.
Knowledge Graph
Typed graph where nodes and edges carry provenance and evidence refs. Reads are policy-scoped; replay uses pinned snapshots.
Graph snapshot
Fixed view of the Knowledge Graph used for replay, evaluation, or reproducibility.
GraphRAG
Retrieval method that expands from seed entities along permitted graph relationships under hop, policy, and budget constraints.
Evidence bundle
Retrieved evidence with source IDs, hashes, traversal path, snapshot pin, conflict markers, and confidence.
evidence_ref
Pointer to evidence, such as a tool transcript, graph edge, document segment, policy rule, or memory record.
Memory Fabric
Storage and governance layer for working, episodic, semantic, and durable memories.
Promotion-aware memory
Memory model where facts move from capture to candidate to review to promoted state before they can be compiled into context.
Memory tier
| Tier | Meaning |
|---|---|
working | short-lived state for a turn or active session |
episodic | workflow or event history |
semantic | stable learned facts or preferences |
durable | audited business-safe facts with stronger retention and governance |
Memory write proposal
Candidate memory emitted by Consolidation. Carries fact, write class, target tier, evidence refs, consent result, contradiction result, and owner.
Correction memory
Operator correction recorded as a governed memory candidate. It should outrank prior records on the same key after promotion.
Consent record
Append-only record that gates PII or regulated memory promotion and recall.
Trust plane terms
Policy bundle
Versioned set of policy rules scoped by intent, task, tenant, risk, or workflow.
Policy Engine
Deterministic boundary that evaluates policy outside model code. It returns allow, deny, escalation, required evidence, required gate, and effective approval mode.
Policy decision
Recorded verdict from the Policy Engine for one boundary check. Carries policy_decision_id, matched rules, rationale, and normalized inputs.
Guardrail
Pack-level control that emits must_refuse, must_escalate, or redaction behavior.
Redaction rule
Named rule that removes or masks sensitive fields before model exposure, tool use, trace export, or final communication.
Evaluator
Function or service that scores a run, step, output, or artifact. Core dimensions are policy, utility, latency, safety, and economics.
Scorecard
Collected evaluator results for a run, intent, pack version, policy version, or release candidate.
Release gate
Threshold that blocks promotion when a candidate pack, policy, prompt, model config, or tool change regresses against baseline.
OTEL trace
OpenTelemetry trace carrying W3C trace context across Compiler, Planner, Critic, Tool Gateway, adapters, and evaluator services.
Trace attributes
Namespaced key-value fields such as contextos.run_id, contextos.intent, contextos.context_pack_ref, and contextos.decision_record_id.
Replay
Offline re-derivation of a prior run’s Critic verdict and DecisionRecord from pinned artifacts and recorded tool transcripts.
Replay determinism
Property that replay produces the expected verdict and record under pinned request, pack, policy, snapshot, tool transcript, evaluator set, and model config.
Improvement proposal
Typed change candidate produced by feedback, incident review, Insight Synthesizer, Strategy Compiler, or Autotune. It is not auto-applied.
Insight Synthesizer
Improvement primitive that finds recurring patterns across traces, DecisionRecords, memory candidates, and operator corrections.
Strategy Compiler
Improvement primitive that converts validated feedback into candidate strategy rules for prompts, retrieval, planning, tool selection, memory recall, or budgets.
Feedback Store
Auditable store of operator feedback, corrections, tips, and review decisions with provenance.
Autotune
Improvement primitive that proposes prompt, retrieval, or budget changes against target evaluator metrics and golden replay.
Sandbox profile
Signed contract for code-execution capabilities: image, filesystem, network, compute, stdio, secrets, and timeout policy.
Functional state
Read-only per-turn pressure signals used by the Critic, such as budget pressure, loop pressure, evidence pressure, gate pressure, conflict pressure, and escalation propensity.
Implementation catalogs
Decision Catalog
Registry of DecisionSpec entries and decision bindings. See Decision Catalog.
DecisionRecord
Append-only, replayable audit receipt emitted by the runtime for a governed decision. It records the accepted outcome, evidence refs, policy decisions, approvals, active controls, lineage, trace id, and tamper-evident hash. See Decision Record.
Intent-Task Catalog
Registry mapping canonical intents to risk-classified task templates, decision checkpoints, required evidence, and owner roles.
Adapter Registry
Registry of external capabilities available to the Action plane.
Pack Registry
Signed, immutable registry for ContextPack versions and environment pins.
Policy Bundle Registry
Registry for versioned policy bundles referenced by packs and evaluated by the Policy Engine.
Evaluator Registry
Registry for evaluator definitions, score targets, release gates, and golden sets.
Supporting terms
Intent
Canonical governed name for a user or system request class, for example support.refund.
Task template
Versioned plan blueprint for an intent. It is a starting point for planning, not a hard-coded script.
Channel
Typed inbound surface: app_chat, email, voice, api, webhook, or sms.
Skill
Reusable bundle of capabilities, guidance, and evaluation criteria for a recurring micro-task.
Capability class
Operational category such as observe, recall, think_support, act, or verify. It is separate from approval_mode, which measures risk.
Data classification
Label such as PUBLIC, INTERNAL, CONFIDENTIAL, or RESTRICTED that constrains context exposure, logging, tool use, and export.
Kill switch
Control-plane operation that re-pins traffic to a prior version or disables a capability, pack, policy, evaluator, model config, or adapter.
Golden set
Curated replay/evaluation cases used to detect regressions before promotion.
Incident case
Replayable case produced from a failure or operator correction. Incident cases should become part of future gates.
Common confusions
| Do not confuse | Distinction |
|---|---|
ContextPack vs. CompiledContext | Pack is source contract; compiled context is per-run output. |
| capability vs. permission | Capability is what an adapter can do; permission is what this workflow may use. |
DecisionSpec vs. DecisionRecord | Spec is the contract; record is the emitted outcome. |
| CEID vs. SID | CEID is for audit; SID is for ML/retrieval. |
evidence bundle vs. evidence_ref | Bundle is material; ref is a pointer to material. |
| approval gate vs. approval mode | Mode is the risk class; gate is the runtime checkpoint. |
| policy decision vs. Critic verdict | Policy decides boundary allow/deny; Critic evaluates plan/result quality. |
| replay vs. retry | Replay is offline reproduction; retry is live bounded execution. |
| memory capture vs. promoted memory | Capture is raw observation; promoted memory is eligible for future compile. |
| OpenAPI/MCP tool definition vs. ToolEnvelope | Protocol describes the tool; ToolEnvelope governs execution. |
Anti-terms: do not use
| Anti-term | Use instead |
|---|---|
| Three pillars | five planes |
| Pillar 1, pillar 2, pillar 3 | Intelligence, Context, Decision, Action, Trust |
| Cognitive Core as the whole system | Cognitive Core for Context + Decision only |
| prompt as the runtime artifact | ContextPack and CompiledContext |
| agent memory as raw log | Memory Fabric, capture, candidate, promoted memory |
| tool call for governed effects | ToolEnvelope |
| safety mode for all governance | ApprovalMode, policy, gates, evaluators |
| model decides policy | Policy Engine decides; model proposes |
| logs as audit | DecisionRecord, trace, tool transcript, replay packet |
| autonomous improvement | improvement proposal, replay gate, review, promotion |
Source docs
| Topic | Source |
|---|---|
| Architecture | Reference Architecture |
| End-to-end execution | How It Works |
| Context Pack | Context Pack |
| Runtime envelopes | API Contracts |
| Decisions | Decision Catalog |
| Governance | Governance |
| Orchestration | Orchestration |
| Adapter Mesh | Adapter Mesh |
| Memory | Memory |
| Evaluation | Evaluation and Observability |