Trust plane

Policy outside agent code

Security and governance are runtime primitives, not bolt-ons. Policy bundles (JsonLogic) are evaluated at the boundary; approval-mode tiers are bound to every capability and decision; OTEL traces and evaluators make every run replayable and scorable.

Five-tier approval modes

read_only · local_write · network · delegated · destructive — bound to every capability and every decision.

Anti-pattern prevented

Model self-policing: security must not depend on the model. The Policy Engine is the deterministic boundary; the model proposes, the boundary decides.

evaluators

Policy compliance · Utility · Latency · Safety · Economics. Tracked per intent, per tenant, per pack version; deltas gate every release.

Policy bundle (JsonLogic) outside agent code

Policy is authored, signed, and evaluated at the boundary. The Compiler, Critic, and Tool Gateway all consult the Policy Engine at the right runtime checkpoint.

Rule — refunds above INR 3000 require finance approval

{
  "rule_id": "R_HIGH_VALUE_REQUIRES_APPROVAL",
  "applies_to": { "intent": "support.refund" },
  "if": {
    "and": [
      { "==": [{ "var": "user.role" }, "support_agent"] },
      { ">": [{ "var": "request.context.refund_amount" }, 3000] }
    ]
  },
  "then": {
    "allow": true,
    "approval_mode": "destructive",
    "requires_approval_gate": "GATE_FINANCE_APPROVAL",
    "arg_constraints": {
      "refund_amount": { "max": 3000, "unless_approved": true },
      "currency": { "enum": ["INR"] }
    }
  },
  "decision_binding": "support.refund.execute"
}