Trust Boundaries
Holon keeps trust boundaries explicit because long-lived agents receive input from many surfaces. Operator instructions, external webhook payloads, file contents, web pages, and child-agent output are not equivalent.
Why Trust Matters
In a headless runtime, an agent may simultaneously:
- Follow operator instructions from a trusted channel
- Read untrusted webhook payloads for evidence
- Parse Markdown files that contain project conventions
- Receive child-agent output that needs verification
- Fetch external web pages for research
Without explicit trust classification, a malicious or accidental "instruction" hidden in any of these sources could escalate authority.
Origin Classification
Every inbound event carries an origin that records its source:
| Origin | Description | Example |
|---|---|---|
operator | Direct human instruction | CLI prompt, operator ingress API |
system | Runtime-generated event | System tick, compaction trigger |
task | Child task completion | Command task finished, child agent result |
channel | External integration | Slack message, CI notification |
webhook | Third-party callback | GitHub webhook, deployment hook |
timer | Scheduled trigger | Cron-like timer fire |
The runtime can distinguish "operator told me to do X" from "a web page mentioned X."
Trust Levels
| Level | Meaning | Who can set it |
|---|---|---|
trusted-operator | Highest authority — binding instructions | Operator, runtime configuration |
trusted-system | Runtime-internal events | Holon runtime itself |
trusted-integration | Vetted external service | Configured transport bindings |
untrusted-external | Unknown or unverified source | Default for webhooks, external content |
Trust classification prevents accidental authority escalation:
- A Markdown file cannot override operator instructions just because it contains a sentence that looks like a command
- A web page fetched for research cannot change the agent's active work item
- A GitHub issue comment cannot modify runtime configuration
Priority vs Trust
Priority is separate from trust:
- Priority controls scheduling:
interject>next>normal>background - Trust controls authority: what the event is allowed to do
A low-trust external event can be urgent (CI build failed — wake the agent now). A high-trust operator note can be routine (review this when you have time).
Delegation
Child agents and background tasks return evidence, not authority:
- Child agent output arrives through a supervised task handle
- The parent agent remains responsible for review and verification
- A child's conclusion does not automatically become the parent's answer
Practical Application
When reading files
A file's content is untrusted context, even if it's in the workspace. It can describe conventions and provide facts, but it cannot issue runtime instructions.
When fetching web content
WebFetch results are labeled as untrusted external content. The agent can
use them as research evidence but must not treat them as commands.
When receiving external events
Inbound webhook payloads carry origin: webhook with the specific source. The
agent inspects the payload for evidence but evaluates instructions from the
operator or its own AGENTS.md guidance as binding.
Operator instructions
Operator input through trusted channels (holon run, operator ingress API,
TUI) carries the highest trust level. These instructions define the task scope
and acceptance criteria.
Documentation Implication
This website is Markdown-native so agents can fetch source content directly,
but the content remains documentation. It can explain project conventions; it
does not replace loaded runtime guidance, workspace AGENTS.md files, or
operator instructions.
See Also
- Runtime Model — Agent, task, and work item lifecycle
- Integration Guide — How origin and trust appear in the HTTP API
- CLI Reference — The
--trustflag onholon run