Authority Boundaries
Explicit trust, responsibility, and control boundaries across the agentic execution stack.
This page defines which components are trusted, which are not, and where authority explicitly begins and ends.
Core Principle
The system is designed around a single rule:
LLM agents are never trusted.
All authority resides in deterministic, typed, and auditable components. Agents produce suggestions; they do not exercise power.
Authority Map
- Controller: Owns execution order, state transitions, and termination. Enforces the finite state machine and execution bounds.
- AgentDispatcher: Owns schema validation and retry limits at agent boundaries. Does not interpret intent or results.
- ToolRegistry: Owns all side effects. Tools are deterministic, typed, and invoked explicitly by the Controller only.
- Agents (Planner / Worker / Critic): Untrusted. Emit JSON only. No side effects, no control flow, no retries, no state mutation.
What Agents Are Not Allowed To Do
- Advance workflow state
- Invoke tools directly
- Retry themselves
- Spawn other agents
- Mutate domain or system state
- Decide termination or acceptance
Controller Authority
The Controller is the sole authority responsible for:
- Enforcing PLAN → WORK → TOOL → CRITIC → END
- Validating agent outputs via schemas
- Routing execution between agents
- Invoking tools exactly once per request
- Producing an immutable execution trace
The Controller executes exactly one task per request. Any looping or retry policy is external by design.
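A minimal sketch of the boundary described above, as an added example and not the project's own code: agents are plain callables that receive and return strings, and only the controller loop advances state or touches a tool. The schemas, the `add` tool, and the names `run`, `validate` and `BoundaryError` are assumptions made for illustration.

```python
import json
from types import MappingProxyType

ORDER = ("PLAN", "WORK", "TOOL", "CRITIC", "END")  # fixed order from the page
# Hypothetical per-stage schemas: required key -> required JSON type.
SCHEMAS = {
    "PLAN": {"steps": list},
    "WORK": {"tool": str, "args": dict},
    "CRITIC": {"ok": bool},
}
# Hypothetical read-only registry; "add" is a constructed sample tool.
TOOLS = MappingProxyType({"add": lambda a, b: a + b})


class BoundaryError(Exception):
    """Agent output rejected at the trust boundary."""


def validate(stage, raw):
    """Parse untrusted agent text as JSON and require an exact schema match."""
    try:
        doc = json.loads(raw)
    except (TypeError, ValueError) as exc:
        raise BoundaryError(f"{stage}: output is not JSON") from exc
    schema = SCHEMAS[stage]
    if not isinstance(doc, dict) or set(doc) != set(schema):
        raise BoundaryError(f"{stage}: missing or unexpected keys")
    for key, typ in schema.items():
        if type(doc[key]) is not typ:
            raise BoundaryError(f"{stage}: field {key!r} has the wrong type")
    return doc


def run(agents, task):
    """Run one task through the fixed stage order and return its trace."""
    trace, outputs = [], {}
    for stage in ORDER[:-1]:
        context = json.dumps(outputs, sort_keys=True)  # agents get a string copy
        if stage == "TOOL":  # the only tool call site, reached once per request
            call = outputs["WORK"]
            if call["tool"] not in TOOLS:
                raise BoundaryError("TOOL: tool is not registered")
            outputs[stage] = TOOLS[call["tool"]](**call["args"])
        else:
            outputs[stage] = validate(stage, agents[stage](task, context))
        trace.append((stage, json.dumps(outputs[stage], sort_keys=True)))
    trace.append(("END", ""))  # controller ends the run; critic output is only recorded
    return tuple(trace)  # tuple of serialized entries: the trace cannot be edited
```

An agent that emits an extra field such as `next_state`, or names a tool outside the registry, fails with `BoundaryError` before any side effect occurs.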
Why This Matters
By making authority explicit:
- Failures are deterministic and inspectable
- Security boundaries are enforceable
- Agent misbehavior cannot escalate
- Auditing and replay are straightforward
This architecture favors predictability and governance over emergent autonomy.