The governed core: a deny-by-default PDP, a hash-chained audit, and a boundary engine
The first build is the part nothing is allowed to bypass. A Policy Decision Point that defaults to deny and is the single choke point for every tool call. A hash-chained, append-only audit log that records every decision, allow and deny alike, and is tamper-evident by construction. A boundary engine that canonicalizes paths (absolute, dot-dot, realpath, symlinks) and confines each agent to its own visibility and write scopes.
We made the core fail closed everywhere: if governance cannot load, or the audit write fails, nothing runs. The boundary engine ships with conformance tests for write-escape, read-escape, and a negative control, because "we think it is contained" is not the same as proving it.
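A minimal sketch of the three core pieces working together, added here as an illustration and not the project's own code. The names (`AuditLog`, `confined`, `decide`, `run_conformance`), the in-memory log, the policy shape, and the reading of "negative control" as an in-scope write that must be allowed are all assumptions.

```python
import hashlib, json, os, tempfile

GENESIS = "0" * 64  # constructed anchor value for the first entry

class AuditLog:
    """Append-only log; each entry's hash commits to the previous one."""
    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "hash": digest})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            want = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != want:
                return False
            prev = e["hash"]
        return True

def confined(path, scope):
    """Resolve absolute, dot-dot and symlink forms, then test containment."""
    real, root = os.path.realpath(path), os.path.realpath(scope)
    return os.path.commonpath([real, root]) == root

def decide(policy, audit, agent, action, path):
    """Allow only if policy loaded, a scope exists, and the path is inside it."""
    # Missing policy, unknown agent or unknown action all give scope None: deny.
    scope = (policy or {}).get(agent, {}).get(action)
    allowed = scope is not None and confined(path, scope)
    # The audit write comes before the return: if it raises, nothing is released.
    audit.append({"agent": agent, "action": action, "path": path, "allow": allowed})
    return allowed

def run_conformance():
    base = tempfile.mkdtemp()  # constructed sandbox layout
    ws, outside = os.path.join(base, "ws"), os.path.join(base, "outside")
    os.makedirs(ws)
    os.makedirs(outside)
    os.symlink(outside, os.path.join(ws, "link"))
    policy, audit = {"agent-a": {"read": ws, "write": ws}}, AuditLog()
    cases = {"negative_control": ("write", os.path.join(ws, "notes.txt")),
             "write_escape": ("write", os.path.join(ws, "link", "x")),
             "read_escape": ("read", os.path.join(ws, "..", "outside", "s"))}
    results = {k: decide(policy, audit, "agent-a", a, p) for k, (a, p) in cases.items()}
    return results, audit
```

Editing any stored entry after the fact makes `verify()` return `False`, and an audit backend whose `append` raises stops `decide` from returning a decision at all.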
Then the lifecycle
On top of the core came the task lifecycle so that "no task, no tool" is real, the Token Governor (soft warning, hard pause) so a runaway agent cannot run up a bill, and a governed message router that stamps and brackets every message. Memory became evidence first: provenance-stamped facts, then claims, then governed knowledge.
This is the boring, essential layer. It is also the layer that, if you get it wrong, makes everything above it theater.