Who is allowed to execute?

Models propose. The kernel disposes. Execution Authority defines the mathematical and legal boundary between intent and action — who can execute, under what constraints, with what proof, and at what cost.

The Narrow Gate

Every tool call that touches money, data, infrastructure, identity, or communication must pass through the Authority Court. The Authority Court evaluates each call against the principal's ceilings, the tool's effect manifest, and the current policy epoch. The output is a signed DecisionRecord — the legal and computational foundation of every execution.

Execution Authority Doctrine

HELM-RFC-0002 · Canonical

Effect-Typed Tools

Every tool declares its effects. 23 canonical effect types with risk taxon (E0–E4), reversibility, blast radius, preflight requirements, and minimum evidence grade. Tools without declared effects cannot be registered.

HELM-RFC-0001 · Canonical

Authority Court Protocol

Six-stage deterministic evaluation pipeline: contract pinning → ceiling checks → counterfactuals → invariants → preflight simulation → emit. Produces an AuthorizationDecision with ALLOW/DENY/REQUIRE_APPROVAL/REQUIRE_EVIDENCE/DEFER.

HELM-RFC-0001 §5 · Canonical

Two-Phase Commit

Irreversible effects require preflight → commit flow. CommitToken is single-use, bound to draft hash + ceilings snapshot + policy epoch + TTL. No token → no execution.
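A minimal illustration of the commit phase described above, added for this page rather than taken from HELM's own code. It assumes an HMAC key held by the Authority Court, a canonical-JSON hash for the draft and ceilings snapshot, and a constructed sample draft; all of these are this example's own choices, not the RFC's wire format.

```python
import hashlib, hmac, json, secrets

# Constructed key for this example; stands in for the Authority Court's signing key.
COURT_KEY = b"example-authority-court-key"
# Constructed sample ToolCallDraft and ceilings snapshot (not from the page).
DRAFT = {"tool": "payments.transfer", "args": {"to": "acct-42", "amount": 250}}
CEILINGS = {"max_amount": 500, "currency": "USD"}


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def issue_commit_token(draft, ceilings, policy_epoch, ttl_s, now):
    """Preflight passed: mint a token bound to draft + ceilings + epoch + TTL."""
    body = {
        "token_id": secrets.token_hex(8),
        "draft_hash": canonical_hash(draft),
        "ceilings_hash": canonical_hash(ceilings),
        "policy_epoch": policy_epoch,
        "expires_at": now + ttl_s,
    }
    mac = hmac.new(COURT_KEY, canonical_hash(body).encode(), hashlib.sha256).hexdigest()
    return {**body, "mac": mac}


class Executor:
    """Commit phase: runs only what a valid, unspent token exactly authorises."""
    def __init__(self, policy_epoch):
        self.policy_epoch = policy_epoch
        self.spent = set()  # token_ids already consumed (single-use)

    def commit(self, token, draft, ceilings, now):
        body = {k: v for k, v in token.items() if k != "mac"}
        want = hmac.new(COURT_KEY, canonical_hash(body).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(want, str(token.get("mac", ""))):
            return "DENY:bad_mac"  # forged or tampered token
        if now >= token["expires_at"]:
            return "DENY:expired"  # TTL elapsed
        if token["policy_epoch"] != self.policy_epoch:
            return "DENY:stale_epoch"  # policy changed since preflight
        if token["draft_hash"] != canonical_hash(draft):
            return "DENY:draft_mismatch"  # call to run is not the one preflighted
        if token["ceilings_hash"] != canonical_hash(ceilings):
            return "DENY:ceilings_mismatch"  # ceilings changed since preflight
        if token["token_id"] in self.spent:
            return "DENY:token_spent"  # replay of a consumed token
        self.spent.add(token["token_id"])
        return "COMMITTED"
```

Each DENY reason corresponds to one binding the token carries; a real kernel would also persist the spent set so single-use survives restarts.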

HELM-RFC-0001 §6 · Canonical

Signed Decision Records

Every Authority Court evaluation produces a DecisionRecord — signed, canonical, replayable. Contains policy epoch, intent, effects, counterfactuals checked, invariants passed, ceilings snapshot, and commit token hash.

HELM-RFC-0001 §7 · Canonical

Memory Provenance Gating

No unauthenticated memory in the authorization path. Every context capsule carries a provenance chain, freshness constraints, scope boundaries, and retrieval receipts. Budget enforcement limits capsule count, age, and sources.

HELM-RFC-0001 §8 · Canonical

Grounded Parameters

No raw coordinates. Every UI action references an ObservationArtifact digest with stable selectors (CSS, XPath, accessibility ID). Coordinates are only allowed as derived-from-observation with binding proof.

Canonical Message Types

Schema               | Version | Purpose
---------------------|---------|------------------------------------------------------------
AuthorizationRequest | v1      | Intent + ToolCallDraft + ContextCapsules → Authority Court
AuthorizationDecision| v1      | ALLOW/DENY + ReasonCodes + CeilingsSnapshot + CommitToken
DecisionRecord       | v1      | Signed, canonical, replayable decision artifact
CommitToken          | v1      | Single-use execution token bound to draft+ceilings+epoch+TTL
ContextCapsule       | v1      | Authenticated memory with provenance chain
ToolManifest         | v1      | Effect-typed tool registration with schema pins
ObservationArtifact  | v1      | Grounded UI observation for RPA/web agents