Version: v0.9.0a2

Spec-13-Capability-Based-Instructions

Spec contributor · Draft · future hardened-core line

What this spec defines

Structural separation between recalled content and executable instruction, plus the capability gate required to promote memory into instruction.

Extraction status

This file contains the ADR-010 prose extraction for ADR-003 capability-based instruction handling. The first implementation slice shipped in #373: FactValue.interpret_as exists, local instruction writes require instruction:write, and recall preserves instruction/content channels. The remaining federation/admission pieces target a future hardened-core line and are not part of the active alpha release horizon.

Principle

Recalled memory is data.

It MUST NOT become executable instruction merely because it appears in context. Promotion from content to instruction requires an explicit capability grant and a structurally separate channel.

FactValue extension

The capability redesign introduces an instruction interpretation marker on facts or recalled units. A fact marked as instruction-like MUST be treated as data unless the caller has the required capability to execute or inject that instruction.

Write-time enforcement

Writing instruction-typed facts MUST require explicit instruction:write authority. General write authority is insufficient. Cross-organization instruction-typed facts SHOULD be quarantined or rejected unless a trusted deployment relationship explicitly permits them.

Recall-time enforcement

Recall MUST preserve provenance and interpretation metadata. The recall pipeline MUST NOT collapse untrusted content into executable instructions. Agent runtimes must receive content and instructions through separate structures.

Federation boundary

Receiving nodes MUST NOT promote inbound content to instruction based on a sender's assertion alone. Any instruction interpretation that crosses federation must be revalidated against local policy and capability grants.

Audit

Nodes SHOULD audit instruction writes, rejected promotions, cross-org instruction quarantine, and capability failures.
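An added, self-contained sketch of the write-time gate, the two-channel recall and the audit hooks described in the sections above (example code written for this page, not the project's implementation from #373). Only FactValue.interpret_as and instruction:write are the spec's names; instruction:execute, memory:write, the Caller and Node classes and the origin_org/trusted_orgs fields are assumptions.

```python
from dataclasses import dataclass, field

# Capability names: instruction:write is the spec's; the other two are assumed here.
INSTRUCTION_WRITE, INSTRUCTION_EXECUTE, MEMORY_WRITE = "instruction:write", "instruction:execute", "memory:write"

@dataclass(frozen=True)
class FactValue:
    content: str
    origin_org: str
    interpret_as: str = "content"  # the spec's marker: "content" or "instruction"

@dataclass(frozen=True)
class Caller:
    org: str
    capabilities: frozenset

@dataclass
class Node:
    org: str
    trusted_orgs: frozenset = frozenset()
    facts: list = field(default_factory=list)
    audit: list = field(default_factory=list)

    def write(self, caller: Caller, fact: FactValue) -> str:
        # Write-time gate: general write authority never covers instruction-typed facts.
        if MEMORY_WRITE not in caller.capabilities:
            self.audit.append(("capability_failure", MEMORY_WRITE))
            return "rejected"
        if fact.interpret_as == "instruction":
            if INSTRUCTION_WRITE not in caller.capabilities:
                self.audit.append(("capability_failure", INSTRUCTION_WRITE))
                return "rejected"
            if fact.origin_org != self.org and fact.origin_org not in self.trusted_orgs:
                self.audit.append(("cross_org_quarantine", fact.origin_org))
                return "quarantined"
            self.audit.append(("instruction_write", fact.origin_org))
        self.facts.append(fact)
        return "stored"

    def recall(self, caller: Caller) -> dict:
        # Recall-time gate: two structurally separate channels, provenance kept in both.
        out = {"content": [], "instructions": []}
        for fact in self.facts:
            record = {"text": fact.content, "origin_org": fact.origin_org, "interpret_as": fact.interpret_as}
            promoted = fact.interpret_as == "instruction" and INSTRUCTION_EXECUTE in caller.capabilities
            if fact.interpret_as == "instruction" and not promoted:
                self.audit.append(("rejected_promotion", fact.origin_org))  # stays data
            out["instructions" if promoted else "content"].append(record)
        return out
```

A caller holding only memory:write cannot store an instruction-typed fact, a cross-org instruction is quarantined unless its origin is trusted, and a recall without instruction:execute returns instruction-like facts in the content channel with their provenance intact.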

Out of scope

This spec does not define lazy instruction discovery, boot-stub delivery, or instruction manifest retrieval; those belong to Spec-X1-Lazy-Instruction-Discovery.