Agent Runtime

Status: ✅ Decided — grounded in ADR-0012

The kernel treats agents as principals — AgentPrincipal instances bound by a delegation envelope specifying allowed Actions and Realms, a maximum risk class, and rate and blast-radius caps. The primary agent substrate is code-mode: the agent writes code in the kernel’s typed SDK that invokes Actions and reads, wrapping loops, branching, and batching around them.

MCP tools are thin single-shot wrappers over the same SDK for conversational or simple use cases. There is one governed boundary under both.

Authority is enforced per SDK call, not in the agent’s prompt. Every SDK→kernel call passes through AuthorityOperation. Reads, computes, and prepares run freely within the delegation envelope. A high-risk or irreversible Action throws DENY_REQUESTABLE — the agent’s code catches it and emits an approval request. Human approval becomes control flow that the code handles, not a prompt-level instruction the agent might ignore. The whole run is logged as a ToolTrace (the code, every SDK call, every authority decision).
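As an added illustration (not code from ADR-0012 or the kernel itself), the Python sketch below models the per-call gate described above: a hypothetical DelegationEnvelope shape, an authority_operation check that records a ToolTrace entry for every SDK call, and agent code that catches DenyRequestable and turns it into an approval request rather than skipping the step. All class and field names, the risk ordering, and the invoice sample data are assumptions.

```python
from collections import namedtuple
from enum import IntEnum

class Risk(IntEnum):  # risk classes; the ordering is an assumption
    READ = 0; LOW = 1; HIGH = 2; IRREVERSIBLE = 3
Action = namedtuple("Action", "name realm risk")
# Envelope shape is an assumption (ADR-0012 leaves it to the proof phase).
DelegationEnvelope = namedtuple("DelegationEnvelope", "actions realms max_risk rate_cap")
class DenyRequestable(Exception):
    """Action exceeds the envelope's max risk class but may be human-approved."""

class Kernel:
    def __init__(self, envelope: DelegationEnvelope):
        self.envelope = envelope
        self.approvals: set = set()   # action names a human has approved
        self.tool_trace: list = []    # ToolTrace: one entry per SDK call
        self.calls = 0

    def authority_operation(self, a: Action) -> None:
        self.calls += 1
        if self.calls > self.envelope.rate_cap:
            verdict = "DENY_RATE_CAP"
        elif a.name not in self.envelope.actions or a.realm not in self.envelope.realms:
            verdict = "DENY_OUTSIDE_ENVELOPE"
        elif a.risk > self.envelope.max_risk and a.name not in self.approvals:
            verdict = "DENY_REQUESTABLE"
        else:
            verdict = "ALLOW"
        self.tool_trace.append((a.name, a.realm, verdict))  # logged before raising
        if verdict == "DENY_REQUESTABLE":
            raise DenyRequestable(a.name)
        if verdict != "ALLOW":
            raise PermissionError(verdict)  # hard deny: outside envelope, not requestable

    def invoke(self, a: Action, subject: str) -> str:
        self.authority_operation(a)  # every SDK->kernel call is gated here
        return f"{a.name}:{subject}"

READ_INVOICE = Action("read_invoice", "billing", Risk.READ)
ISSUE_REFUND = Action("issue_refund", "billing", Risk.IRREVERSIBLE)
def agent_run(kernel: Kernel, invoices: list) -> list:
    """Agent code: reads run freely; the irreversible refund is caught and becomes an approval request."""
    requests = []
    for inv in invoices:
        kernel.invoke(READ_INVOICE, inv)
        try:
            kernel.invoke(ISSUE_REFUND, inv)
        except DenyRequestable as e:
            requests.append({"action": e.args[0], "subject": inv})
    return requests
```

Once a human adds the action to kernel.approvals, the same invoke call passes and the trace shows both the earlier DENY_REQUESTABLE and the later ALLOW.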

The agent sandbox is a real engineering artifact: no raw DB credentials, no arbitrary network or filesystem access. Only the generated SDK is in scope inside the sandbox.

Sequencing: the Action/read layer is designed as clean, typed, generatable contracts from day one. The agent itself is built last (proof Phase 5) as a thin demonstrator — context, prepare, explain, with execution human-approved. The surface the agent depends on is ready long before the agent is built.

See also

Open questions

  • The delegation envelope implementation is a required part of AgentPrincipal but its exact shape is not detailed in ADR-0012 — it must be designed during the proof.
  • If per-call enforcement proves too coarse for some workflows, the dry-run-in-scenario model (ADR-0005) is the escalation path, but Scenario is deferred.
