01
Check role status
Use the registry and contract to determine what the role normally means.
Operations explainer
Role Routing And Execution Contracts
A role name is not live permission. Role contracts describe normal capabilities, while the execution-role record and AgentJob allowlist decide what one transaction may do.
Role-routing comprehension
A role template becomes current only through task-local records.
Role routing separates registered role templates, task overlays, provisional roles, execution-role records, AgentJob allowlists, outputs, and validators.
The diagram is a static reader aid. It does not replace the source files, route dossiers, or claim-status records that govern the topic.
Mechanism
How to read this surface.
02
Check local adaptation
Task overlays and provisional roles are bounded to one job unless later registered.
03
Check the allowlist
Allowed reads, writes, outputs, validators, and stop conditions control current action.
Terms
Define the loaded words before using them.
- Role template
- A reusable role definition.Not current write permission.
- Provisional role
- A temporary one-job role.Expires unless explicitly registered.
- Allowlist
- The current transaction's permitted paths and outputs.Cannot be expanded by page prose.
Boundaries
What this page must not imply.
- No permission smuggling
- Labels do not grant writesOnly the current records can authorize a transaction's actual scope.
- No role registration
- Public pages cannot change rolesThe route explains role routing but cannot register, supersede, or expand roles.
Safe reading
A useful summary also names the unsafe one.
- Safe summary
- Supported readingRole routing requires registry status, source contract, execution-role record, AgentJob allowlist, outputs, and validators to be read together.
- Unsafe summary
- Forbidden shortcutA role label, task overlay, provisional role, or public page grants authority outside the current AgentJob.
Related routes
Continue through internal pages first.
Source basis
Use these as provenance, not primary navigation.
Source basis
Role routing explainer
Generated noncanonical upstream explainer: github-facing/role-routing-explainer.md.
Contract stack
Inspect the current job, not only the role name.
The safe inspection order is role registry, role contract, execution-role record, AgentJob, claim boundary, and completion evidence.
- Registered role
- Stable templateThe registered role describes normal capability and constraints, but does not grant current write permission by itself.
- Task overlay
- One-job adaptationA task overlay can constrain a registered role locally. It must not become a reusable role version by habit.
- Provisional role
- Expires after one jobA one-job provisional role is temporary unless later registered through a governed project-system path.
- AgentJob
- Actual boundaryThe allowlist decides allowed writes, outputs, source classes, validators, and stop conditions for the current transaction.
Overread prevention
Operational labels are useful only when they remain bounded.
The route family uses roles to make work reviewable. It does not turn labels, overlays, or provisional roles into durable permission grants.
- Template
- A role is descriptive until routedThe role registry and contract describe normal capability; the current task still needs an execution-role record and AgentJob.
- Gate
- Human-gated roles remain gatedA role contract can describe gate authority without making a normal route able to execute that gate.
Related reading
Continue through internal routes first.
These links keep the primary reader journey inside the website. Source links remain visible in the provenance section.
Source provenance
Source links are for inspection, not primary navigation.
The links below point to reviewed upstream source surfaces. This website adaptation remains downstream from those sources and from the registered authority records they cite.