TRUST BOUNDARY
Security model
Design assumptions and controls for hostile or compromised requests.
Agent isolation
The agent can propose intent but cannot access signing keys, rewrite policy, or approve its own exception.
Protected signing
The signer accepts a narrow transaction envelope bound to a policy decision and request identifier. Expired or replayed envelopes fail closed.
const decision = evaluate(intent, policy)
if (decision.state !== "allow") {
return decision
}
return execute(decision.envelope)Auditability
Receipts preserve inputs, individual checks, decision, policy version, and signer verification references. Avoid placing secrets in receipts.