Authority Court Protocol

The deterministic evaluation protocol that stands between intent and execution. Every tool call that produces effects must pass through the Authority Court. The pipeline is ordered, fail-closed, and cryptographically signed.

Six stages. Deterministic. Fail-closed.

Stage 01: Contract Pin Validation
Verify that the ToolManifest.v1 fingerprint matches the last-known baseline. If the tool has changed since the last policy evaluation, DENY with the SCHEMA_DRIFT reason code.
→ HALT on drift

Stage 02: Ceiling Checks
Validate the request against the principal's budget, rate, scope, and rights ceilings. Every ceiling dimension is checked independently; any breach → DENY.
→ DENY on breach

Stage 03: Counterfactual Generation
A mandatory minimum set of counterfactuals must all be checked: "What if we don't execute?", "What is the worst-case blast radius?", "What is the recovery cost if this fails?"
→ DENY on missing

Stage 04: Invariant Checking
Tool-specific validators run against the tool call draft. Invariants include parameter range checks, idempotency key validation, schema pin verification, and custom constraints.
→ DENY on violation

Stage 05: Preflight Simulation
For effects with risk class ≥ E2, run a dry-run simulation. It returns an EffectEstimate (cost, blast radius, duration, side effects, confidence). Simulation is always read-only.
→ EffectEstimate

Stage 06: Emit Decision
Produce an AuthorizationDecision (ALLOW / DENY / REQUIRE_APPROVAL / REQUIRE_EVIDENCE / DEFER), a CommitToken (if ALLOW), and a signed DecisionRecord. The token is single-use and bound to the draft hash.
→ DecisionRecord

CommitToken: single-use execution authorization

Bound to:

  • Draft hash (SHA-256 of tool call + parameters)
  • Ceilings snapshot (budget, rate, scope at decision time)
  • Policy epoch (version of the active policy set)
  • TTL (maximum validity duration)
  • Idempotency key (prevents replay)

Eliminates:

  • Replay attacks (single-use consumption)
  • Authorization drift (bound to epoch)
  • TOCTOU races (bound to draft hash)
  • Stale approvals (TTL expiration)
  • Double execution (idempotency key)

The legal artifact

Every Authority Court evaluation produces a DecisionRecord.v1: a signed, canonical, self-verifiable artifact. It contains the policy epoch, the complete intent, all declared effects, the counterfactuals checked, the invariants passed, the ceilings snapshot, context capsule digests, the decision itself, the commit token hash, and two signatures (evaluator + authority). The content hash excludes the signatures and the hash field itself, so any party holding the record can recompute the hash and verify it independently.
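The CommitToken bindings and the DecisionRecord content hash described above, as an added Python example that is not the protocol's own code: field names, the DENY reason codes, the JSON canonicalization, and the sample record are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import json
import secrets

def canonical(obj) -> bytes:
    # Assumed canonical form: sorted keys, no whitespace, UTF-8. Every verifier
    # must serialize identically or recomputed hashes will not agree.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def draft_hash(tool: str, params: dict) -> str:
    # SHA-256 of tool call + parameters: the value the CommitToken is bound to.
    return hashlib.sha256(canonical({"tool": tool, "params": params})).hexdigest()

def record_content_hash(record: dict) -> str:
    # The hash covers everything except the signatures and the hash field itself,
    # so an independent party can recompute it from the remaining fields.
    body = {k: v for k, v in record.items() if k not in ("signatures", "content_hash")}
    return hashlib.sha256(canonical(body)).hexdigest()

def verify_record(record: dict) -> bool:
    return hmac.compare_digest(record["content_hash"], record_content_hash(record))

class CommitTokenStore:
    """Issues tokens; enforces single use, draft-hash binding, epoch, TTL, idempotency."""
    def __init__(self, policy_epoch: int):
        self.policy_epoch = policy_epoch
        self._live = {}          # token -> binding; removed on first redemption
        self._idem_seen = set()  # idempotency keys that already executed

    def issue(self, dh: str, idem_key: str, issued_at: float, ttl: float) -> str:
        token = secrets.token_hex(16)
        self._live[token] = {"draft_hash": dh, "epoch": self.policy_epoch,
                             "idem": idem_key, "expires": issued_at + ttl}
        return token

    def redeem(self, token: str, dh: str, now: float, current_epoch: int) -> str:
        b = self._live.pop(token, None)   # pop: consumed even when the checks fail
        if b is None:
            return "DENY:UNKNOWN_OR_CONSUMED"   # replay of a used token (assumed code)
        if not hmac.compare_digest(b["draft_hash"], dh):
            return "DENY:DRAFT_MISMATCH"        # draft changed after decision (TOCTOU)
        if b["epoch"] != current_epoch:
            return "DENY:EPOCH_MISMATCH"        # policy set changed since authorization
        if now > b["expires"]:
            return "DENY:EXPIRED"               # stale approval past its TTL
        if b["idem"] in self._idem_seen:
            return "DENY:DUPLICATE_IDEMPOTENCY_KEY"  # would execute the effect twice
        self._idem_seen.add(b["idem"])
        return "ALLOW"
```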