Named & registered
Each action — refund.issue, payout.send, close.case — is a registry entry with a key, an input schema (required keys), a riskLevel, and a requiresApproval flag.
Every action an agent can take is a first-class governed object: a named action with a risk tier and approval policy, plus an immutable invocation ledger that records dry-run → propose → approve/deny → execute → compensate with an evidence pack on every step.
dry-run → propose → approve/deny → execute → compensate · fail-closed
Ungoverned agents call tools directly — no risk tier, no approval, no record of what ran or how to undo it. In Cortex, every action is registered with a risk level and approval policy, and every invocation lands in an append-only ledger. High-risk and approval-required actions never execute until an admin approves them; denied actions never execute at all.
Each action — refund.issue, payout.send, close.case — is a registry entry with a key, an input schema (required keys), a riskLevel, and a requiresApproval flag.
riskLevel: high or requiresApproval routes the invocation to pending_approval; low-risk actions execute immediately. Risk is a property of the action, not a hope.
Every dry-run, proposal, approval, denial, execution and compensation appends to cortex_action_invocations — an evidence trail you can hand an auditor.
Declare a rollbackKey and any executed action can be compensated — the runtime runs the compensating action and marks the original compensated.
Read-only agents are easy. The risk arrives when an agent issues a refund, closes a case, or sends a payout. Without a fabric between intent and effect, you are trusting a model with side effects — no approval gate for the $5,000 payout, no record of what executed, and no way to roll it back. Action Fabric puts a deny-by-default governance layer between the proposal and the side effect.
Every invocation walks the same five-state lifecycle. Each transition appends to the ledger with its evidence pack, so the full story of any side effect is reconstructable after the fact.
Validate the input against the action's required-keys schema. No side effect runs — it is a safe rehearsal that proves the call is well-formed before anything happens.
Submit the action for real. riskLevel: high or requiresApproval actions land pending_approval; everything else executes immediately under policy.
Admin-only, AdminGuard-gated. Approve runs the governed executor; deny records denied with a reason and the executor is never called.
The governed executor emits ActionExecuted or ActionFailed (P4 events). The P7 adapter rule keeps mocks out of production unless explicitly allowed.
Admin-only. If the action declares a rollbackKey, the runtime runs the compensating action and marks the original compensated — a clean, audited undo.
Watch the same fabric handle six honest outcomes — a clean execution, a high-risk hold, an admin denial that never runs, a compensated rollback, and an ontology-scoped action blocked outright. Each row is an append-only ledger entry with its own evidence pack.
Pass an objectId on propose and the runtime resolves the ontology object's type and enforces actionPermittedForObject(allowedActions, key). An empty allow-list on the type permits any action; a non-empty list must include the action key — otherwise the proposal is blocked. The object and its type are written into the invocation's evidence, and the check fails open (logged) if ontology-service is unreachable so governance never becomes an outage.
Action Fabric sits inside the same fail-closed runtime as identity, policy, oversight, and the ledger. Follow the spokes.
Author allow / deny / require_approval rules — e.g. amountUsd ≥ 5000 → require_approval — and simulate them before they ship.
The five autonomy modes set how much an agent may execute on its own — the risk gate is a floor oversight can only tighten.
Every executed action is hash-chained into a tamper-evident audit trail with signed, offline-verifiable receipts.
Object, property, and action permissions give actions governed business meaning — and the objectId scoping above.
Agents are governed identities with allow-listed actions — an agent can only propose the actions its identity permits.
Watch every action invocation live, pause an agent fleet, and export a governance report in one click.
Admin-gated approvals, deny-by-default execution, append-only evidence, and the P7 adapter rule that keeps mocks out of production — mapped to the frameworks your auditors already use.
Put every agent action under a governed lifecycle: dry-run, approval, execution, rollback, and full evidence on every step.