Enforcement substrate
The enforcement substrate is BMO’s opt-in path from workspace ownership and operator deposits to runtime tool-call decisions. It combines workspace claims, four mortal primitives, ambient zone modes, and a bounded telemetry ring so operators can inspect what the substrate is doing without exposing raw paths, session IDs, prompts, or request bodies.
The substrate is enabled with options.enforcement.enabled. When enabled,
internal/enforcement.Hook.Check evaluates the cheap lane (workspace claims
and quarantine lookups) and the rich lane (rate boundaries, evidence gates,
and capacity reservations) according to each zone’s mode: none,
claims-only, or full.
(soft + hard path ownership)"] end subgraph primitives["Depositable primitives"] RB["Rate boundary"] QZ["Quarantine zone"] EG["Evidence gate"] CR["Capacity reservation"] end subgraph ambient["Ambient zone mode"] ZM["none / claims-only / full"] end subgraph gate["Runtime gate"] TC["Tool call"] HK["Hook.Check"] V{Verdict} end subgraph observe["Operator inspect"] LOG["enforcement.fired
enforcement.action"] RING["Recent ring
(16 metadata-only events)"] SURF["CLI / TUI / HTTP / agent tool"] end WC --> HK RB --> HK QZ --> HK EG --> HK CR --> HK ZM --> HK TC --> HK HK --> V V -->|allow| TC V -->|block / warn| TC HK --> LOG LOG --> RING RING --> SURF
Inspect Surfaces
Section titled “Inspect Surfaces”| Surface | Entry point |
|---|---|
| CLI | bmo config show-enforcement --format=json |
| TUI | /enforcement slash command and the Enforce sidebar pill |
| HTTP | GET /v1/enforcement/status |
| Agent tool | list_recent_enforcement_events |
All four read the same EnforcementStatusSnapshot shape. The recent ring is
process scoped, capacity 16, and metadata only: session IDs, round IDs, and
zone IDs are stored as FNV32 hash prefixes, while target references are reduced
to kind-only metadata.
Containment Contract
Section titled “Containment Contract”- Enforcement is default-off until explicitly enabled.
- Every primitive is mortal: deposits require TTLs and expire without renewal.
- The hook never mutates a tool request; it only allows, warns, or blocks.
- Raw lifecycle logging goes through the bounded
enforcement.fired/enforcement.actionemitter. The audit test rejects stray substrate slog lifecycle calls outside the emitter. - Published read surfaces are inspect-only. Mutation remains on the existing primitive-specific routes and deposit tools.