Operations explainer

Role Routing And Execution Contracts

A role name is not live permission. Role contracts describe normal capabilities, while the execution-role record and AgentJob allowlist decide what one transaction may do.

Role routing contract stack
Visual orientation only: role labels become current authority only through task-local records and allowlists.

Role-routing comprehension

A role template becomes current only through task-local records.

Role routing separates registered role templates, task overlays, provisional roles, execution-role records, AgentJob allowlists, outputs, and validators.

Diagram showing registered role, task overlay or provisional role, execution-role record, AgentJob allowlist, outputs, validators, and role name is not live permission.
Static comprehension diagram: current authority lives in the job-specific allowlist, not in the label alone.Mermaid source: docs/content-dossiers/operations-role-routing/diagrams/role-routing-allowlist-stack.mmd. Manifest id: comprehension_operations_role_routing_allowlist_stack.

The diagram is a static reader aid. It does not replace the source files, route dossiers, or claim-status records that govern the topic.

Mechanism

How to read this surface.

Terms

Define the loaded words before using them.

Role template
A reusable role definition.Not current write permission.
Provisional role
A temporary one-job role.Expires unless explicitly registered.
Allowlist
The current transaction's permitted paths and outputs.Cannot be expanded by page prose.

Boundaries

What this page must not imply.

No permission smuggling
Labels do not grant writesOnly the current records can authorize a transaction's actual scope.
No role registration
Public pages cannot change rolesThe route explains role routing but cannot register, supersede, or expand roles.

Safe reading

A useful summary also names the unsafe one.

Safe summary
Supported readingRole routing requires registry status, source contract, execution-role record, AgentJob allowlist, outputs, and validators to be read together.
Unsafe summary
Forbidden shortcutA role label, task overlay, provisional role, or public page grants authority outside the current AgentJob.

Related routes

Source basis

Use these as provenance, not primary navigation.

Contract stack

Inspect the current job, not only the role name.

The safe inspection order is role registry, role contract, execution-role record, AgentJob, claim boundary, and completion evidence.

Registered role
Stable templateThe registered role describes normal capability and constraints, but does not grant current write permission by itself.
Task overlay
One-job adaptationA task overlay can constrain a registered role locally. It must not become a reusable role version by habit.
Provisional role
Expires after one jobA one-job provisional role is temporary unless later registered through a governed project-system path.
AgentJob
Actual boundaryThe allowlist decides allowed writes, outputs, source classes, validators, and stop conditions for the current transaction.

Overread prevention

Operational labels are useful only when they remain bounded.

The route family uses roles to make work reviewable. It does not turn labels, overlays, or provisional roles into durable permission grants.

Template
A role is descriptive until routedThe role registry and contract describe normal capability; the current task still needs an execution-role record and AgentJob.
Gate
Human-gated roles remain gatedA role contract can describe gate authority without making a normal route able to execute that gate.

Related reading

These links keep the primary reader journey inside the website. Source links remain visible in the provenance section.

Source provenance

Source links are for inspection, not primary navigation.

The links below point to reviewed upstream source surfaces. This website adaptation remains downstream from those sources and from the registered authority records they cite.

Source authority