protocol

KLIS-6: Observation & Scope Verification

Detecting Scope Violations by observing agent side-effects.

1. Purpose

A declaration is useless if not enforced. KLIS-6 defines the mechanisms for observing agent behavior ("Sniffing") and comparing it against the declared Intent Manifest to detect Scope Violations.

2. Declared vs. Observed Intent

  • Declared Intent: The signed NIM submitted to the Control Plane.
  • Observed Intent: The actual side-effects attempted by the agent during EXECUTION.

2.1. Intent Sniffing

The Execution Environment (the Runtime) MUST intercept "IO Calls" (Filesystem, Network, CLI) and map them to SPO Triples.

Mapping Rules (Examples):

  • fs.writeFileSync('/a.txt') -> MUTATES FILE:/a.txt
  • fs.readFile('/b.txt') -> CONSUMES FILE:/b.txt
  • rm -rf /c -> DELETES FILE:/c/*

3. Violation Handling

If Observed Intent is NOT a subset of Declared Intent:

3.1. Immediate Action

The Runtime MUST block the operation.

  • Error: ScopeViolationError: Agent attempted MUTATES on /etc/hosts but only declared CONSUMES.

3.2. Escalation Policy

  1. Strict Mode: Terminate the agent session immediately.
  2. Permissive Mode (Dev/Debug): Log a warning, potentially auto-amend the scope (Dynamic Lease Acquisition), and proceed if no conflict exists.
    • Note: Permissive mode defeats the anti-deadlock guarantees of KLIS-4 and SHOULD NOT be used in production.

3.3. Pre-Flight Rollback (The Undo)

If a Scope Violation is detected during execution, the Runtime MUST NOT only block the call but MUST trigger an immediate ABORT and use the Pre-Flight Backup to restore the resource to its pre-lease state.

4. Verification Lifecycle

  1. Pre-Execution: Manifest accepted.
  2. Runtime: Every syscall/tool-call checked against Manifest.
  3. Post-Execution: Verification Log produced.
    • Did the agent actually do what it said? (e.g., Declared PROVIDES, but created nothing?)
    • This "Under-utilization" is not a violation, but is useful metadata for optimization.

5. Security Restrictions

  • Side-Channels: Sniffers cannot catch everything (e.g., determining if a run_command internally reads a file).
  • Conservative Approach: If a tool is "Opaque" (e.g., execute_binary), the Sniffer MUST assume MUTATES on the broader scope (e.g., MUTATES CWD) or require specific manual declarations.

6. Non-Goals

  • Sandboxing: KLIS-6 detects the violation; the OS/Container (Docker/WASM) is responsible for the hard guarantee that the file wasn't touched. KLIS-6 is the "Traffic Cop", not the "Concrete Wall".

7. Resource Backups

The .klock/backups/ directory is a normative requirement for agents performing MUTATES or DELETES predicates. The Runtime MUST create a snapshot of the resource before granting the lease to enable atomic rollback.