Version: 0.1.0
Jurisdiction defines the boundaries within which requests are permitted. A conforming implementation MUST evaluate jurisdiction policy before allowing execution.
A JurisdictionPolicy MUST contain the following fields:
| Field | Type | Default | Description |
|---|---|---|---|
| allowed_actors | Set[string] | empty | Actors permitted to submit |
| allowed_tools | Set[string] | empty | Tools permitted for invocation |
| allowed_states | Set[KernelState] | operational states | States allowing requests |
| required_fields | Set[string] | {request_id, actor, intent} | Required request fields |
| max_param_bytes | integer | 65536 | Maximum parameter size |
| max_intent_length | integer | 4096 | Maximum intent length |
| allow_intent_only | boolean | false | Allow requests without tool_call |
The special value * in allowed_actors or allowed_tools indicates all values are permitted.
Policy MUST be evaluated in the following order:
- Required fields check
- Actor check
- Tool check
- Parameter size check
- Intent length check
- Tool call structure check
For each field in required_fields:
- If field is missing or empty, the check MUST fail
- The check MUST produce a violation message identifying the field
- If allowed_actors contains
*, all actors are permitted - Otherwise, actor MUST be in allowed_actors
- If actor is not permitted, the check MUST fail
- If tool_call is None and allow_intent_only is true, the check passes
- If tool_call is None and allow_intent_only is false, the check passes (no tool to check)
- If allowed_tools contains
*, all tools are permitted - Otherwise, tool_call.name MUST be in allowed_tools
- If tool is not permitted, the check MUST fail
- Serialize params using deterministic serialization
- If serialized size exceeds max_param_bytes, the check MUST fail
- If intent length exceeds max_intent_length, the check MUST fail
If tool_call is present:
- tool_call.name MUST be a non-empty string
- tool_call.params MUST be a dictionary if present
The following conditions MUST be detected as ambiguous:
| Condition | Severity | Description |
|---|---|---|
| Empty intent | High | Intent is empty or whitespace-only |
| Overly long intent | Medium | Intent exceeds max_intent_length |
| Empty tool name | High | tool_call.name is empty |
| Invalid params type | High | params is not a dictionary |
In strict mode (default):
- All ambiguity heuristics are applied
- Any ambiguity results in DENY
In relaxed mode:
- Only high-severity heuristics are applied
- Medium-severity conditions may be allowed
When ambiguity is detected:
- The kernel MUST NOT proceed with execution
- The kernel MUST return Decision.DENY
- The kernel MUST record the ambiguity in the audit entry
Policy evaluation MUST return a PolicyResult containing:
| Field | Type | Description |
|---|---|---|
| allowed | boolean | Whether the request is permitted |
| violations | List[string] | List of policy violation messages |
Violation messages MUST:
- Identify the specific rule that was violated
- Include relevant values (e.g., actor name, tool name)
- Be deterministic for the same violation
Each policy check SHOULD be implemented as a composable rule function:
check_actor_allowed(request, policy) -> List[string]
check_tool_allowed(request, policy) -> List[string]
check_required_fields(request, policy) -> List[string]
check_param_size(request, policy) -> List[string]
check_intent_length(request, policy) -> List[string]
check_tool_call_structure(request) -> List[string]
The evaluate_policy function MUST:
- Execute all rule functions
- Collect all violations
- Return PolicyResult with allowed=true only if no violations
The default policy permits all actors and tools:
allowed_actors = {"*"}
allowed_tools = {"*"}
The strict policy denies all by default:
allowed_actors = {}
allowed_tools = {}
allow_intent_only = false
- JurisdictionPolicy instances MUST be immutable after creation
- Policy fields MUST use immutable collections (frozenset)
- Policy changes MUST create new policy instances