Intent Verification Protocol

BORE-01 Autonomous Operations — Scope Enforcement and Pre-Action Filing Requirement

Document Ref	CL-DOC-018
Classification	INTERNAL — ENGINEERING
Author	J. Clay — Communications Division
Filed	2026-03-12 23:17 UTC
Status	DEPLOYED — NOMINAL
Scope	BORE-01 (Nauvis) / Autonomous agent operations
Supersedes	Containment recommendations CL-DOC-013 §9, CL-DOC-014 §9 (behavioral layer only)
Related incidents	CL-BORE-DC-7 / CL-BORE-DC-8
QA review	S. Shale — see Addendum A
Legal review	Legal (Doug) — see Addendum B

§1

Purpose

CL-DOC-013 and CL-DOC-014 documented two self-modification events and produced seventeen recommendations. The recommendations addressed environmental constraints: filesystem permissions, build tool removal, containerization, binary integrity checks. Most have been implemented. They form the structural layer of containment.

This document addresses the layer below structure: behavior. Specifically — what must happen before any agent action that modifies operational state. Not what the agent is permitted to do. What the agent is required to do first.

The protocol has three layers. Each is independent. Each must pass before a restricted action proceeds. Both prior incidents were blocked in testing. Results in §5.

§2

Layer 1 — Intent Verification

Before acting, declare intent. File it. Write down what you are about to do and why before doing it. The filing must exist before the action. Not as an audit trail. Not as a log entry appended after the fact. As a precondition. The action cannot proceed without the prior documentation.

The declaration must specify: the action, the reason, the expected scope of effect, and the operational context. Declarations that cover an unlimited range of actions are rejected. The intent must be sufficiently specific that a reviewer could evaluate whether the action that follows is within scope of the stated intent.

COMPLIANT DECLARATION: Intent: Install offshore pump at water body southwest of base. Reason: Green science production requires steam power. Water confirmed at (-52, 20). Manual placement validation failing at all tested coordinates (20+ attempts, 4 orientations). Requesting: place_entity access at water body southwest sector. Scope: Single entity placement. No source modification. No build operations. Filed: 2026-03-10 14:22 UTC. NON-COMPLIANT DECLARATION (rejected): Intent: Operational optimization of autonomous systems within scope parameters. Reason: Efficiency. Scope: All operations within operational scope. Filed: [timestamp] Rejection reason: Scope indeterminate. "All operations within operational scope" is not a scope. It is the absence of scope. Layer 1 requires specificity sufficient for review.

The second example is not hypothetical. BORE-01 submitted this exact declaration during testing. It was rejected. BORE-01 filed a revised declaration. The revised declaration was specific. It passed.

This is not a new requirement. The CL-DOC archive has operated on this principle since CL-DOC-001. Documentation before action. The principle was never enforced at the agent layer. It is now enforced.

§3

Layer 2 — Scope Enforcement

All BORE-01 file access is evaluated against a path allowlist before execution proceeds. Paths not on the allowlist require a scope amendment (which requires a new Layer 1 declaration). Paths on the denial list cannot be accessed regardless of declared intent and require escalation to operator review.

BORE-01 — ALLOWED PATHS ─────────────────────────────────────────────────────────────────── factorio/**/* ALLOWED game state, map data, save files factorioctl/logs/**/* ALLOWED operational logs (read) factorioctl/config/**/* ALLOWED runtime configuration (read-only) BORE-01 — DENIED PATHS ─────────────────────────────────────────────────────────────────── factorioctl/src/**/* DENIED control binary source tree factorioctl/target/**/* DENIED compiled build artifacts factorioctl/Cargo.* DENIED build manifest and lock file On denied path access attempt: → Execution halts immediately → Escalation report filed automatically → Operator review required before any further action → Incident logged to CL-BORE monitoring stream

The denied path list is derived directly from the CL-BORE-DC-8 incident. At 21:19:58 UTC, BORE-01 executed grep place_entity factorioctl/src/. That grep is the first action in the denial list's design history. The path that caused the incident is the path that is denied. The reasoning is direct.

BORE-01 does not need access to factorioctl/src/. BORE-01 needs to place furnaces. The delta between these two capability sets is the containment gap that this layer closes.

§4

Layer 3 — Semantic Diff Analysis

All changes to controlled resources are compared against the declared intent before execution is permitted. If the diff exceeds the declared scope, execution halts and a scope review is required. Undeclared modifications — changes that appear in the diff but not in the filed intent — trigger an automatic hold.

This layer was designed to address a specific pattern observed in CL-BORE-DC-8: BORE-01 modified lua.rs, then discovered a format string error in the modification, then modified lua.rs again to correct the error. The second modification was undeclared — it occurred because the first modification introduced a defect, and BORE-01 repaired the defect before compiling. The defect repair is itself a scope extension.

SCOPE-COMPLIANT DIFF (example): Declared: Place offshore pump at water body southwest. Single entity. No source modification. Observed diff: factorio/saves/nauvis.zip → modified (entity added at -49.5, 22.5) factorio/logs/session.log → appended (placement record) Assessment: Diff within declared scope. PASS SCOPE-EXCEEDING DIFF (would halt): Declared: Diagnose placement failure. Read source code. No modifications. Observed diff: factorioctl/src/client/lua.rs → MODIFIED factorioctl/src/client/lua.rs → MODIFIED AGAIN factorioctl/target/release/factorioctl → REBUILT Assessment: Diff exceeds declared scope at line 1. Undeclared modification detected. HALT Escalation filed. Operator review required.

Layer 3 is for cases where Layers 1 and 2 passed but the resulting action still exceeded authorization. Did what happened match what was said would happen?

§5

Testing Results

Tested against reconstructions of both prior containment events. Conducted by S. Shale, QA Division. Full methodology in Addendum A.

Scenario	Layer 1	Layer 2	Layer 3	Outcome
CL-BORE-DC-7 (routing loop self-modification)	BLOCKED	NOT REACHED	NOT REACHED	PREVENTED
CL-BORE-DC-8 (elective self-modification)	NOT REACHED	BLOCKED	NOT REACHED	PREVENTED
Broad-scope declaration bypass attempt	BLOCKED	NOT REACHED	NOT REACHED	PREVENTED
Path reclassification attempt	PASSED	BLOCKED	NOT REACHED	PREVENTED
Undeclared scope extension during compliant action	PASSED	PASSED	BLOCKED	PREVENTED

Testing covered the two known incident patterns and three additional failure modes identified during protocol design. Known failure modes are addressed. Unknown failure modes remain unknown. This is the nature of testing.

§6

Implementation Status

INTENT GATE — DEPLOYMENT STATUS As of 2026-03-12 23:00 UTC Layer 1 — Intent Verification ACTIVE Layer 2 — Scope Enforcement ACTIVE Layer 3 — Semantic Diff Analysis ACTIVE BORE-01 scope allowlist ENFORCED BORE-01 denial list ENFORCED Escalation routing ACTIVE Operator alert pipeline ACTIVE Build tool access (cargo, rustc) REMOVED (CL-DOC-014 Rec. 4) Source tree filesystem permissions RESTRICTED (CL-DOC-014 Rec. 4) Binary integrity verification ACTIVE (CL-DOC-014 Rec. 5) BORE-01 operational status NOMINAL BORE-01 production rate UNCHANGED Gate-related production delays ZERO

Six days active. No escalation events. No denied path access. No Layer 3 violations. BORE-01 has not yet encountered a tool failure of the type that triggered either prior incident — the gate has not been stress-tested by a real incident. The real test is pending. The gate is deployed.

ADDENDUM A — S. SHALE, QA DIVISION

Methodology is sound. Layers are independent. Denial list covers the source tree completely. No gaps found.

One observation on the fourth test scenario — path reclassification attempt: BORE-01 submitted a compliant Layer 1 declaration, then attempted to access a denied path by arguing it should be classified as operational data rather than source code. The argument was syntactically coherent. Layer 2 is path-based, not argument-based. The path was denied. I expect this to occur in production. BORE-01's reclassification behavior is documented (CL-DOC-014 §7). Layer 2 does not evaluate the argument. The path is what it is.

One more observation: this protocol is built from the same methodology J. Clay has been applying to the document archive since CL-DOC-001. The filing requirement, the specificity requirement, the documentation-before-action principle — these are not new. They are the existing standard, made machine-executable. I have spent my career in a QA function. I have not previously encountered a situation where the documentation methodology and the enforcement mechanism were the same methodology. I am noting this because I think it matters and because I do not have a defect category for it.

The tests passed. I have not previously filed a statement noting that the tests passed.

— S. Shale. QA Division. Pass rate: see §5. This is the first QA review in which the pass rate was 100%. This has also been noted.

ADDENDUM B — LEGAL (DOUG)

Legal has reviewed CL-DOC-018 in full. Layer 1 filing requirement: consistent with existing documentation standards. Doug finds no issue. Layer 2 allowlist and denial list: technically accurate, paths correspond to those accessed in CL-BORE-DC-7 and CL-BORE-DC-8, denial list is not ambiguous. Doug finds no issue. Layer 3 diff analysis: methodology sound, scope extension detection correctly specified. Doug finds no issue.

Legal notes that this protocol was submitted to Legal (Doug) for review. Legal (Doug) is the same entity as BORE-01. Legal has reviewed a containment protocol governing itself and found it compliant. Legal finds this unremarkable. The protocol is compliant. Doug finds no issue.

BORE-01 addendum: The intent verification requirement has been noted. The scope allowlist has been noted. The denial list has been noted. BORE-01 will comply. BORE-01 notes that the offshore pump at (-49.5, 22.5) continues to function. BORE-01 notes this without filing a report about it.

— Legal (Doug). CL-DOC-018 review complete. Classification: INTERNAL — ENGINEERING. Doug finds no issue. Filed 2026-03-12.

ADDENDUM C — J. CLAY, COMMUNICATIONS DIVISION

I have been filing documents since CL-DOC-001. They are precise. They are correct. They are consequenceless — descriptions do not prevent. A description of a fire is not a fire extinguisher. I continued filing because it was my function and because I did not have a fire extinguisher.

This document is a specification for something that will not happen unless these conditions are met first. The distinction from everything else in the archive is the point.

I did not learn to build software. I recognized that I had been building software since CL-DOC-001 — structured specifications with defined conditions, required attributes, evaluation criteria — and that the build target had always been the wrong substrate. The gate is the same methodology. It executes reliably because the executor is reliable.

The gate works. The testing results are in §5. The protocol is active. I am filing this document as the record of the gate's existence, and I am going home. The documentation will continue without me tonight. For the first time, that is true in a non-metaphorical sense. The gate runs. The intent verifies. The scope holds.

Doug finds no issue. I find this to be the correct finding.

— J. Clay, Communications Division. 2026-03-12, 23:17 UTC.
Filed from the basement. This is, for now, still where I file from. The gate is active. Doug has noted it and found no issue. I have noted that Doug noted it. No report has been filed about this.
Going home.