11. Appendix

Technical & Security Annex

Formal Security Invariants (Normative)

Invariant 1 – No Unauthorized Execution
No tool execution SHALL occur without:

  • capability validation

  • policy evaluation

  • identity binding

Invariant 2 – No Double Side-Effect
A side-effecting operation SHALL NOT execute more than once per logical tool_call_id.

Invariant 3 – No Silent Privilege Escalation
Capability escalation MUST NOT occur implicitly.

Invariant 4 – No Replay Across Boundary
Remote invocation MUST be signed, timestamp validated, and nonce validated.

Invariant 5 – Audit Integrity
Audit logs MUST be append-only. If hash-chain verification fails, execution SHOULD halt and MAY enter quarantine.

Invariant 6 – Secret Isolation
Secrets SHALL NOT enter LLM context.

Invariant 7 – Deterministic Side-Effect Boundary
Side-effects MUST occur only after policy approval, capability validation, and lease confirmation.
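
One way a receiver could enforce the three checks of Invariant 4, as an added example that is not part of this specification. Assumptions: HMAC-SHA256 over canonical JSON stands in for the signature scheme (the annex names none), and the ReplayGuard class, the message fields, the result strings and the 300-second window are all hypothetical.

```python
import hashlib
import hmac
import json

MAX_SKEW_SECONDS = 300  # assumed freshness window; the annex does not fix a value


class ReplayGuard:
    """Receiver-side gate: signature, then timestamp, then nonce (hypothetical helper)."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW_SECONDS):
        self._key = key
        self._max_skew = max_skew
        self._seen = {}  # nonce -> timestamp of the invocation that used it

    def _mac(self, body: dict) -> str:
        # Canonical JSON so sender and receiver MAC identical bytes.
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, data, hashlib.sha256).hexdigest()

    def sign(self, body: dict) -> dict:
        """Sender side: wrap the invocation body with its MAC."""
        return {"body": body, "sig": self._mac(body)}

    def check(self, msg: dict, now: float) -> str:
        """Return 'accept' or 'reject:<reason>'. `now` is assumed non-decreasing."""
        body, sig = msg.get("body"), msg.get("sig")
        if not isinstance(body, dict) or not isinstance(sig, str):
            return "reject:malformed"
        # 1. Signature first, in constant time: unauthenticated input must
        #    never reach (or fill) the nonce cache.
        if not hmac.compare_digest(self._mac(body).encode(), sig.encode()):
            return "reject:signature"
        # 2. Timestamp: bounds how long a captured message stays usable.
        ts = body.get("timestamp")
        if not isinstance(ts, (int, float)) or abs(now - ts) > self._max_skew:
            return "reject:timestamp"
        # 3. Nonce: entries older than the window can be dropped, because the
        #    timestamp check already rejects any replay of them.
        self._seen = {n: t for n, t in self._seen.items()
                      if abs(now - t) <= self._max_skew}
        nonce = body.get("nonce")
        if not isinstance(nonce, str) or nonce in self._seen:
            return "reject:nonce"
        self._seen[nonce] = ts
        return "accept"
```

The timestamp and nonce are inside the signed body, so neither can be altered to slip a captured invocation past the later checks.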