Canonical workmode contracts, lease semantics, and authority-chain enforcement for workflow dispatch

Workmode and Authority Boundaries

Phase 5.1 establishes the foundational runtime contracts for workflow dispatch and admission in Nous-OSS. This document describes workmode contracts, lease semantics, and authority-chain guardrails that enforce deterministic, fail-closed admission before higher-level control-plane capabilities are layered on.

Overview

Workmode — Execution context that defines entrypoint, SOP path, allowed artifact surfaces, and scope boundaries.
Lease — Time-bound, non-transferable authorization for an orchestration agent to execute within a workmode.
Authority chain — Strict hierarchy: nous_cortex → orchestration_agent → worker_agent. Authority narrows down-chain only.

All dispatch admissions validate target identity, action admissibility, and authority-chain constraints. Invalid attempts are blocked and evidence-logged.

Chat is intent, not authority (PCP-001): Chat turns are proposals interpreted by the runtime. Chat cannot directly mutate execution state; control intents route through operator-control. See Operator Control and Chat.

Canonical Authority Chain

Authority	Role	May dispatch to
`nous_cortex`	Executive authority	`orchestration_agent`, `worker_agent`
`orchestration_agent`	Scoped orchestration	`worker_agent` only
`worker_agent`	Scoped execution	— (cannot dispatch)

Invariants:

WMODE-002: Authority must narrow down-chain. An orchestration agent cannot dispatch to cortex; a worker cannot dispatch to anyone.
WMODE-003: Nested orchestration is forbidden. An orchestration agent cannot dispatch to another orchestration agent.
WMODE-010: A worker agent cannot escalate authority or dispatch authoritative agents.

System Workmodes

Canonical system workmodes shipped with Nous:

Workmode	Purpose	Allowed artifact surfaces
`system:implementation`	Implementation workflow	`.worklog/`, `self/`, `docs/`, `packages/`, `scripts/`
`system:architecture`	Architecture ideation	`.architecture/` only
`system:skill_authoring`	Skill authoring	`.skills/` only

Skill-installed workmodes follow the pattern skill:<slug>:<entrypoint>.

Skill Creator Admission (Phase 7.5)

system:skill_authoring governs creation and revision of skill artifacts only. It does not grant admission or promotion authority.

Admission and promotion are control-plane decisions with additional hard gates:

Skill contract validation must pass (runtime artifacts present and valid).
SkillBench evidence must be complete and fixed-model-locked.
Attribution thesis evidence must classify uplift source and recommendation.
Final admission/promotion decision must be recorded by nous_cortex.

Blocked or invalid states return deterministic reason codes and evidence refs.

Examples:

SCM-003-WORKER-SELF-PROMOTION: worker lane attempted self-promotion.
SCM-005-MODEL-DRIFT: fixed-model drift detected in benchmark evidence.
SKADM-002-CORTEX-AUTH-REQUIRED: non-cortex actor attempted final decision.
EVID-001-MISSING-WITNESS: required witness linkage missing.

Lease Contract

A lease is issued by nous_cortex and grants an orchestration agent the right to execute within a workmode for a bounded time.

Lease rules:

Non-transferable
Revocable by cortex at any time
Cannot widen scope or capabilities after issuance without re-authorization
Context-profile switches require explicit transition event before downstream dispatch

Lifecycle: Lease exits when task objectives complete, TTL expires, budget guard trips, policy violation requires stop, or cortex revokes.

Lifecycle Admission

Lifecycle actions (start, pause, resume, stop, recover) are gated by:

Control state — Valid transitions only (e.g. pause requires running).
Confirmation proof — Required per ADR-004. Runtime-issued, scope-bound, action-bound. Cannot use stale or UI-only approval.

Unknown control state or missing confirmation proof → fail-closed (deny).

Recovery Governance (Phase 5.4)

Lifecycle action recover and resume authorization are governed by the failure-recovery architecture (AA-011):

Checkpoint protocol — Only committed checkpoints are resumable; two-phase prepare/commit ensures consistency.
Retry policy — Side-effecting operations require idempotency proof before retry; unbounded retry is impossible by contract.
Rollback policy — unknown_external_effect blocks blind auto-resume; explicit review-gated decision evidence required.
Terminal states — Every recovery flow ends in recovery_completed, recovery_blocked_review_required, or recovery_failed_hard_stop.

FR invariants (witnessd): FR-001 (committed checkpoints only), FR-004/FR-005 (retry budget, idempotency), FR-006/FR-007 (rollback, domain boundary), FR-008 (no orphan recovery).

See Recovery Governance for operator guidance.

Blocked Actions and Reason Codes

When a dispatch or lifecycle action is blocked, the admission guard returns a reasonCode and evidenceRefs.

Code	Meaning
`WMODE-002`	Authority widening blocked — e.g. worker attempting to dispatch, or orchestrator dispatching to cortex
`WMODE-003`	Nested orchestration blocked — orchestrator attempting to dispatch to orchestrator
`WMODE-010`	Worker escalation blocked — worker cannot dispatch to any authoritative agent
`POL-CONTROL-STATE-BLOCKED`	Control state undefined or invalid for admission
`OPCTL-CONFIRMATION-REQUIRED`	Lifecycle action requires confirmation proof
`OPCTL-INVALID-STATE`	Control state does not allow the requested action

All blocked outcomes include evidenceRefs (min 1) for audit linkage per ADR-002.

Operator Control — lifecycle command semantics, confirmation tiers
Security Baseline — witness evidence chain
Project Model — project types and governance

Workmode and Authority Boundaries

On this page