docs: fix I-02 semantics across all invariant tables

dgenio · dgenio · commit c12aa4863237 · 2026-04-12T08:12:48.000+01:00
The internal invariants.md and AGENTS.md had I-02 mapped to budget
enforcement (size/depth/field count). The weaver-spec defines I-02 as
'Every Execution Is Authorized and Auditable'. Fix all affected files
to use the correct weaver-spec definition:

- AGENTS.md: I-02 → authorization + auditability; add note that budget
  enforcement is an agent-kernel implementation constraint (not a
  separate weaver-spec invariant number)
- docs/agent-context/invariants.md: same correction; add blockquote
  clarifying budget enforcement's relationship to I-01
- README.md I-02 'How satisfied' cell: replace claim that
  PolicyEngine evaluates every invocation (incorrect — it runs at
  grant time only) with accurate two-phase description:
  PolicyEngine at grant time, verify() at invoke(), TraceStore always
- ci.yml: drop version numbers from stub comment to avoid v0.1.0/v0.2.0
  mismatch (whoever activates the stub will pin the right version)
- CHANGELOG: fix job name reference conformance → conformance_stub
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -65,7 +65,7 @@ jobs:
         run: pip install -e ".[dev]"
 
       # Placeholder: activate once dgenio/weaver-spec#4 ships the conformance runner.
-      # weaver-spec v0.2.0 and weaver-contracts 0.2.0 are published on PyPI.
+      # weaver-spec and weaver-contracts are published on PyPI.
       # weaver_contracts.conformance does not yet exist (dgenio/weaver-spec#4).
       # Replace this step with:
       #   pip install weaver-contracts          # PyPI dist name uses a hyphen
diff --git a/AGENTS.md b/AGENTS.md
@@ -25,9 +25,12 @@ agent-kernel is part of the **Weaver ecosystem**:
 
 This repo must conform to weaver-spec invariants. Key invariants (all equally critical):
 - **I-01**: Every tool output must pass through a context boundary before reaching the LLM.
-- **I-02**: Context boundaries must enforce budgets (size, depth, field count).
+- **I-02**: Every execution must be authorized and auditable (preceded by a policy decision, followed by a trace event).
 - **I-06**: Tokens must bind principal + capability + constraints; no reuse across principals.
 
+Note: Budget enforcement (size, depth, field count) is an agent-kernel implementation
+constraint that satisfies I-01 — it is not a separate weaver-spec invariant number.
+
 Full spec: [dgenio/weaver-spec](https://github.com/dgenio/weaver-spec)
 
 ## Domain vocabulary
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,7 +9,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 - Declared weaver-spec v0.1.0 compatibility in README: invariants I-01 (firewall), I-02 (authorization + audit), and I-06 (scoped tokens) are satisfied.
-- Added placeholder `conformance` CI job that will activate once the weaver-spec conformance suite ships (dgenio/weaver-spec#4).
+- Added placeholder `conformance_stub` CI job that will activate once the weaver-spec conformance suite ships (dgenio/weaver-spec#4).
 
 ## [0.4.0] - 2026-03-14
 
diff --git a/README.md b/README.md
@@ -118,7 +118,7 @@ The following invariants are satisfied:
 | Invariant | Description | How agent-kernel satisfies it |
 |-----------|-------------|-------------------------------|
 | **I-01** | LLM never sees raw tool output by default | `Context Firewall` always transforms `RawResult → Frame`; raw driver output is not returned by default, and non-admin principals cannot obtain `raw` response mode |
-| **I-02** | Every execution is authorized and auditable | `PolicyEngine` evaluates every invocation; `TraceStore` records every `ActionTrace`; `HMACTokenProvider` validates tokens before execution |
+| **I-02** | Every execution is authorized and auditable | `PolicyEngine` authorizes at grant time; a valid `CapabilityToken` (HMAC-verified on every `invoke()`) carries the authorization decision; `TraceStore` records every `ActionTrace` |
 | **I-06** | CapabilityTokens are scoped | Tokens bind `principal_id + capability_id + constraints` with an explicit TTL; `revoke(token_id)` / `revoke_all(principal_id)` are supported |
 
 See [docs/agent-context/invariants.md](docs/agent-context/invariants.md) for the full internal invariant list and [weaver-spec INVARIANTS.md](https://github.com/dgenio/weaver-spec/blob/main/docs/INVARIANTS.md) for the specification.
diff --git a/docs/agent-context/invariants.md b/docs/agent-context/invariants.md
@@ -11,9 +11,12 @@ All three are equally critical — there is no priority ordering.
 | Invariant | Requirement | Where enforced |
 |-----------|-------------|----------------|
 | **I-01** | Every tool output must pass through a context boundary before reaching the LLM | `Firewall.transform()` in `firewall/transform.py` |
-| **I-02** | Context boundaries must enforce budgets (size, depth, field count) | `Budgets` in `firewall/budgets.py` |
+| **I-02** | Every execution must be authorized and auditable (CapabilityToken validated before execution; TraceEvent recorded after) | `HMACTokenProvider.verify()` + `TraceStore.record()` in `kernel.py`; `PolicyEngine.evaluate()` at grant time in `grant_capability()` |
 | **I-06** | Tokens must bind principal + capability + constraints; no reuse across principals | `HMACTokenProvider.verify()` in `tokens.py` |
 
+> **Budget enforcement** (size, depth, field count via `Budgets` in `firewall/budgets.py`) is an
+> implementation constraint that strengthens I-01. It has no separate invariant number in weaver-spec.
+
 ## Forbidden shortcuts — "never do" list
 
 These constraints are non-negotiable. Violating any one silently degrades security.
