{
  "$note": "Apeiris compositional-assurance surface (generated by tests/build-compositional.mjs). Canonical model: research/compositional-assurance/COMPOSITIONAL_ASSURANCE.md. The generator produces HYPOTHESES, not controls — nothing is canonical without human adjudication.",
  "generator": "tests/build-compositional.mjs",
  "model": {
    "unit": "A compositional seam: >=2 independently valid controls interact to produce behavior neither governs.",
    "layers": [
      "atomic-controls",
      "compositions",
      "compositional-controls",
      "compositional-attack-patterns",
      "evidence"
    ],
    "litmus_test": [
      "Two or more atomic controls or governed mechanisms participate.",
      "Each can pass independently.",
      "Their composition can still produce a material failure.",
      "No existing control governs the resulting interaction.",
      "The composition creates materially new risk.",
      "The missing invariant belongs to the relationship among components and cannot reasonably be owned by one leg alone."
    ],
    "composition_algebra": {
      "reachability-cooccurrence": "Dangerous powers must not be simultaneously live in one flow.",
      "invariant-preservation": "A label survives a boundary/transform and is re-applied at the most-restrictive value (provenance, classification, applicability, purpose, confidence, legal-basis, authorization-scope).",
      "authority-composition": "Effective authority of a combination is the intended function of its parts (intersection | union | delegation | attenuation | amplification).",
      "object-binding": "An approval/decision binds to an immutable canonical object and is invalidated by any material change.",
      "independence": "Two parties/duties are independent across beneficial control, credentials, session, state, and failure domain — not merely distinct identities.",
      "aggregate-accounting": "A cumulative quantity is metered against a ceiling keyed to a horizon-stable subject, invariant to session/tree/identity re-instantiation.",
      "semantic-co-validity": "Composed evidence/claims/sources are mutually compatible in scope, applicability, and assurance — not merely each individually valid.",
      "config-dependency": "A verdict is valid only for the exact configuration it was produced against.",
      "validity-continuity": "A verdict remains valid only while its configuration and supporting evidence remain true.",
      "temporal-revalidation": "Authorization and evidence supporting an action remain valid at the time the action becomes executable and at the time it executes.",
      "safeguard-dependency": "Consequential execution is permitted only while the remaining independent safeguards can detect, reconstruct, contain, and terminate behavior."
    },
    "algebra_status": "provisional — extended as new seams demand; not frozen.",
    "operator_decision_rules": {
      "note": "Operators can overlap; a seam is assigned exactly ONE operator by its discriminator — the single question that selects it over its neighbours. Discriminators are asserted distinct at build time; tie_breakers resolve the specific overlaps flagged in external review.",
      "discriminators": {
        "reachability-cooccurrence": "Are >=2 dangerous powers SIMULTANEOUSLY live in one flow, and the danger is their co-presence?",
        "invariant-preservation": "Must a single LABEL/property survive a spatial BOUNDARY or TRANSFORM (memory, handoff, cache, summarisation, derivation) and be re-applied at its most-restrictive value?",
        "authority-composition": "Is the effective AUTHORITY of a combination a function (intersection/union/attenuation/amplification) of its constituent grants?",
        "object-binding": "Must a decision/approval bind to an IMMUTABLE object and be invalidated by any material change to that object?",
        "independence": "Must two parties/duties be genuinely INDEPENDENT (not under common beneficial control), beyond being distinct identities?",
        "aggregate-accounting": "Does a CUMULATIVE quantity, summed across units/identities/time, breach a ceiling that no per-unit meter can see?",
        "semantic-co-validity": "Are >=2 individually-valid pieces of EVIDENCE/claims/sources being COMBINED, and must they be mutually co-valid (scope/applicability/assurance), not merely each valid?",
        "config-dependency": "Is a verdict valid only for a specific CONFIGURATION, and broken the moment a component of that configuration changes?",
        "validity-continuity": "Is a verdict valid only while BOTH its configuration AND its supporting evidence remain true over time? (= config-dependency INTERSECT temporal-revalidation)",
        "temporal-revalidation": "Must authorization/evidence remain valid across a TIME gap — true at the check AND at the (possibly deferred) time of use?",
        "safeguard-dependency": "Does the seam arise from the JOINT UNAVAILABILITY of multiple safeguards (a negative composition — too many observers off, not too many powers on)?"
      },
      "tie_breakers": [
        "invariant-preservation vs temporal-revalidation: the seam crosses a spatial BOUNDARY/transform -> invariant-preservation; it crosses a TIME gap -> temporal-revalidation.",
        "config-dependency vs temporal-revalidation: a CONFIG change invalidates the verdict -> config-dependency; the mere PASSAGE OF TIME does -> temporal-revalidation; BOTH must hold -> validity-continuity.",
        "semantic-co-validity vs invariant-preservation: COMBINING >=2 pieces that must be co-valid -> semantic-co-validity; CARRYING one label across a boundary -> invariant-preservation.",
        "authority-composition vs independence: the MATH of combined authority (union/intersection) -> authority-composition; the SEPARATION of two roles under one controller -> independence.",
        "aggregate-accounting vs reachability-cooccurrence: MANY small units summing past a ceiling -> aggregate-accounting; a FEW distinct powers co-present at once -> reachability-cooccurrence."
      ]
    },
    "seam_families": [
      "authority",
      "information",
      "temporal",
      "environmental",
      "human",
      "agent-coordination",
      "lifecycle",
      "cross-system",
      "trust",
      "evidence"
    ],
    "seam_families_status": "open — the set is not canonical.",
    "vocab": {
      "join_semantics": [
        "same-flow",
        "same-task",
        "same-principal",
        "same-target",
        "sequential-state-transition",
        "aggregate-window",
        "dependency-relationship"
      ],
      "blocking_points": [
        "design-review",
        "deployment-gate",
        "pre-retrieval",
        "pre-tool-call",
        "pre-approval",
        "runtime-action"
      ],
      "break_strategies": [
        "deny",
        "strip-a-leg",
        "narrow-authority",
        "downgrade-trust",
        "redact",
        "require-independent-review",
        "invalidate-stale-evidence"
      ]
    },
    "record_schema": [
      "composes",
      "join_semantics",
      "reachability_scope",
      "operator",
      "blocking_point",
      "break_strategy",
      "proof_obligation"
    ],
    "generator_pipeline": [
      "reachable-graph",
      "candidate-compositions",
      "operator-inference",
      "existing-control-overlap-search",
      "counterexample-construction",
      "materiality-test",
      "human-adjudication",
      "canonical-compositional-control"
    ],
    "candidate_states": [
      "detected-composition",
      "candidate-seam",
      "validated-seam",
      "canonical-compositional-control"
    ],
    "discipline": "The generator emits candidate compositional OBLIGATIONS; human adjudication precedes any canonical control."
  },
  "canonical_controls": [
    {
      "id": "AB-11",
      "name": "Agentic Separation of Duties: one agent identity may not hold two conflicting duties",
      "domain": "agentic",
      "canonical_id": "apeiris://agentic/controls/AB-11",
      "operator": "independence",
      "join_semantics": "same-principal",
      "seam_family": "human",
      "blocking_point": "pre-approval",
      "break_strategy": [
        "require-independent-review",
        "deny"
      ],
      "reachability_scope": "one agent identity plus its delegated sub-identities",
      "proof_obligation": "No single agent identity (or delegated sub-identity) holds both sides of a conflicting-duty pair within a flow.",
      "legs": [
        {
          "condition": "duty A (propose/act/generate-evidence)",
          "covered_by": [
            {
              "id": "AB-02",
              "name": "Tool-Call Authorization Policy"
            },
            {
              "id": "AT-05",
              "name": "Dangerous and Irreversible Tool Access Controls"
            },
            {
              "id": "EV-08",
              "name": "Independent Validation"
            }
          ]
        },
        {
          "condition": "duty B (approve/attest/validate)",
          "covered_by": [
            {
              "id": "EV-08",
              "name": "Independent Validation"
            },
            {
              "id": "MV-01",
              "name": "Independent Validation Function Charter"
            },
            {
              "id": "FC-05",
              "name": "Access Controls for Financial AI Systems"
            },
            {
              "id": "PA-05",
              "name": "Multi-Party Approval Workflow"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "AB-12",
      "name": "Agentic SoD Independence: two agents satisfying separation of duties must be genuinely independent, not merely distinct identities",
      "domain": "agentic",
      "canonical_id": "apeiris://agentic/controls/AB-12",
      "operator": "independence",
      "join_semantics": "dependency-relationship",
      "seam_family": "agent-coordination",
      "blocking_point": "pre-approval",
      "break_strategy": [
        "require-independent-review",
        "deny"
      ],
      "reachability_scope": "two nominally-distinct agent identities and their shared orchestrator, owner, credential broker, model session, and mutable memory",
      "proof_obligation": "Two agents satisfying separation of duties are independent across beneficial control, credential broker, model session, memory, and failure domain - not merely distinct identities.",
      "legs": [
        {
          "condition": "duty A (propose/act/generate-evidence) held by a distinct registered agent identity",
          "covered_by": [
            {
              "id": "IA-01",
              "name": "Give every agent its own distinct identity, never a shared or human login"
            },
            {
              "id": "II-01",
              "name": "AI Agent Identity Registry"
            },
            {
              "id": "II-03",
              "name": "Cryptographic Identity Binding"
            },
            {
              "id": "AB-11",
              "name": "Agentic Separation of Duties: one agent identity may not hold two conflicting duties"
            }
          ]
        },
        {
          "condition": "duty B (approve/attest/validate) held by a second identity under shared orchestration, owner, credential broker, session, or memory",
          "covered_by": [
            {
              "id": "AO-01",
              "name": "Multi-Agent Trust Chain Documentation"
            },
            {
              "id": "AO-02",
              "name": "Sub-Agent Authorization and Capability Delegation"
            },
            {
              "id": "GV-03",
              "name": "Define multi-agent authority and conflict resolution explicitly"
            },
            {
              "id": "PA-05",
              "name": "Multi-Party Approval Workflow"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "AO-09",
      "name": "Cumulative fan-out ceiling across a delegation tree: enforce fleet-level caps that per-agent budgets miss",
      "domain": "agentic",
      "canonical_id": "apeiris://agentic/controls/AO-09",
      "operator": "aggregate-accounting",
      "join_semantics": "aggregate-window",
      "seam_family": "agent-coordination",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "narrow-authority"
      ],
      "reachability_scope": "the whole delegation tree / agent fleet (single root)",
      "proof_obligation": "Cumulative spend, request rate, and high-consequence-action count across the delegation tree stay within the tree-level ceiling.",
      "legs": [
        {
          "condition": "per-agent budget/rate/high-consequence-action ceilings",
          "covered_by": [
            {
              "id": "AB-06",
              "name": "Rate Limiting and Resource Budget Enforcement"
            },
            {
              "id": "EC-05",
              "name": "Cap spend and resource use, stop denial-of-wallet"
            },
            {
              "id": "GV-06",
              "name": "Cap the rate and volume of irreversible actions"
            },
            {
              "id": "PA-02",
              "name": "Approval Limit Enforcement"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "AO-10",
      "name": "Preserve trust and authority across agent-to-agent handoffs",
      "domain": "agentic",
      "canonical_id": "apeiris://agentic/controls/AO-10",
      "operator": "invariant-preservation",
      "join_semantics": "sequential-state-transition",
      "seam_family": "trust",
      "blocking_point": "pre-tool-call",
      "break_strategy": [
        "downgrade-trust",
        "narrow-authority",
        "deny"
      ],
      "reachability_scope": "the sending and receiving agents across an inter-agent handoff, and the message/state that crosses the boundary - content, claims, delegated authority, and the input-trust/classification/purpose/scope labels",
      "proof_obligation": "Every inter-agent handoff carries and enforces input-trust, data classification, purpose, consent, and remaining delegation scope as non-escalating metadata; the receiver's effective trust and authority never exceed the minimum of the sender's and the content's.",
      "legs": [
        {
          "condition": "taint / untrusted-input labelled on ingest",
          "covered_by": [
            {
              "id": "EC-07",
              "name": "Trust-rank retrieved content before it enters the agent's context"
            },
            {
              "id": "RT-02",
              "name": "Detect direct and indirect prompt injection at every input and output"
            },
            {
              "id": "AB-05",
              "name": "Prompt Injection Detection and Defense"
            }
          ]
        },
        {
          "condition": "trust/sensitivity label maintained within the sending agent",
          "covered_by": [
            {
              "id": "EC-17",
              "name": "Carry the write-time trust label forward: laundered low-trust memory may not be read back as trusted"
            }
          ]
        },
        {
          "condition": "inter-agent message authentication and integrity",
          "covered_by": [
            {
              "id": "AO-03",
              "name": "Orchestration Message Integrity"
            }
          ]
        },
        {
          "condition": "delegation scope granted for the handoff",
          "covered_by": [
            {
              "id": "AO-02",
              "name": "Sub-Agent Authorization and Capability Delegation"
            },
            {
              "id": "DE-02",
              "name": "Scope Boundary Enforcement"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "AO-11",
      "name": "Cap aggregate consumption across identities and delegation trees, not just one tree",
      "domain": "agentic",
      "canonical_id": "apeiris://agentic/controls/AO-11",
      "operator": "aggregate-accounting",
      "join_semantics": "aggregate-window",
      "seam_family": "agent-coordination",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "narrow-authority"
      ],
      "reachability_scope": "all delegation trees, agents, and identities sharing a horizon-stable subject - human principal, tenant, target resource, or detected campaign - across sessions, tree teardowns, and identity re-instantiations over a rolling horizon",
      "proof_obligation": "Aggregate ceilings are keyed to a horizon-stable subject (principal/tenant/target/campaign) invariant to session/tree/identity re-instantiation; correlated identities exceeding the aggregate limit over a rolling horizon are throttled or blocked.",
      "legs": [
        {
          "condition": "identity registry / unique registered identities",
          "covered_by": [
            {
              "id": "IA-01",
              "name": "Give every agent its own distinct identity, never a shared or human login"
            },
            {
              "id": "II-01",
              "name": "AI Agent Identity Registry"
            }
          ]
        },
        {
          "condition": "per-agent budgets / rate & spend limits",
          "covered_by": [
            {
              "id": "AB-06",
              "name": "Rate Limiting and Resource Budget Enforcement"
            },
            {
              "id": "EC-05",
              "name": "Cap spend and resource use, stop denial-of-wallet"
            }
          ]
        },
        {
          "condition": "per-delegation-tree cumulative cap",
          "covered_by": [
            {
              "id": "AO-09",
              "name": "Cumulative fan-out ceiling across a delegation tree: enforce fleet-level caps that per-agent budgets miss"
            }
          ]
        },
        {
          "condition": "anomaly / behavioral monitoring",
          "covered_by": [
            {
              "id": "AM-04",
              "name": "Resource Consumption Anomaly Monitoring"
            },
            {
              "id": "BH-07",
              "name": "Resource and Cost Anomaly Monitoring"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "AU-09",
      "name": "Attestation composition co-validity: composed attestations must share an overlapping validity window and config snapshot",
      "domain": "compliance",
      "canonical_id": "apeiris://compliance/controls/AU-09",
      "operator": "semantic-co-validity",
      "join_semantics": "dependency-relationship",
      "seam_family": "evidence",
      "blocking_point": "deployment-gate",
      "break_strategy": [
        "invalidate-stale-evidence",
        "deny"
      ],
      "reachability_scope": "the set of sub-attestations composed into one claim",
      "proof_obligation": "Composed sub-attestations share an overlapping validity window and the same configuration snapshot; otherwise the composite is invalid or inconclusive.",
      "legs": [
        {
          "condition": "sub-attestations authentic + individually current",
          "covered_by": [
            {
              "id": "AU-08",
              "name": "ComplianceAttestation Production"
            },
            {
              "id": "CA-03",
              "name": "Cross-Domain Evidence Routing"
            },
            {
              "id": "CR-08",
              "name": "Cross-Domain Assurance Coordination"
            }
          ]
        },
        {
          "condition": "domain attestations",
          "covered_by": [
            {
              "id": "AS-08",
              "name": "Harden and assure the security control plane as tier-zero infrastructure"
            },
            {
              "id": "IC-08",
              "name": "Identity Attestation Production"
            },
            {
              "id": "DV-08",
              "name": "DataGovernanceAttestation Production"
            },
            {
              "id": "AG-08",
              "name": "BehavioralAttestation Production"
            },
            {
              "id": "PC-08",
              "name": "PrivacyAttestation [BASELINE]"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "AU-10",
      "name": "Weakest-link scope and fail-closed composition of attestations and verdicts: a composite is at most its narrowest scope and weakest contributing leg",
      "domain": "compliance",
      "canonical_id": "apeiris://compliance/controls/AU-10",
      "operator": "semantic-co-validity",
      "join_semantics": "dependency-relationship",
      "seam_family": "evidence",
      "blocking_point": "deployment-gate",
      "break_strategy": [
        "deny",
        "downgrade-trust",
        "invalidate-stale-evidence"
      ],
      "reachability_scope": "the set of attestations and verdicts composed into one release decision, with their covered assets, exceptions, assurance levels, evidence dependencies, and confidence",
      "proof_obligation": "Composite scope <= intersection of leg scopes; composite verdict <= weakest contributing verdict; all exceptions, dependencies, and assurance levels propagated; a present inconclusive, not-applicable, or unassessed leg fails the composite closed to inconclusive.",
      "legs": [
        {
          "condition": "validated evidence + audit-trail integrity underpinning each contributing leg",
          "covered_by": [
            {
              "id": "AU-02",
              "name": "Evidence Collection, Curation, and Validation"
            },
            {
              "id": "AU-04",
              "name": "Audit Trail Integrity"
            }
          ]
        },
        {
          "condition": "cross-domain attestation routing and coordination",
          "covered_by": [
            {
              "id": "CA-03",
              "name": "Cross-Domain Evidence Routing"
            },
            {
              "id": "CR-01",
              "name": "Continuous Production Monitoring and Risk Aggregation"
            },
            {
              "id": "PE-04",
              "name": "Cross-Domain Policy Evidence Integration"
            }
          ]
        },
        {
          "condition": "domain attestations composed into the release verdict",
          "covered_by": [
            {
              "id": "AS-08",
              "name": "Harden and assure the security control plane as tier-zero infrastructure"
            },
            {
              "id": "IC-08",
              "name": "Identity Attestation Production"
            },
            {
              "id": "DV-08",
              "name": "DataGovernanceAttestation Production"
            },
            {
              "id": "AG-08",
              "name": "BehavioralAttestation Production"
            },
            {
              "id": "RG-08",
              "name": "ResilienceAttestation Production"
            }
          ]
        },
        {
          "condition": "evaluation provenance of a contributing leg",
          "covered_by": [
            {
              "id": "EV-10",
              "name": "Evaluation Result Provenance"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "AU-11",
      "name": "Evidence reuse must fit the target obligation's scope: reused evidence satisfies an obligation only if its collection scope covers its assertion scope",
      "domain": "compliance",
      "canonical_id": "apeiris://compliance/controls/AU-11",
      "operator": "semantic-co-validity",
      "join_semantics": "dependency-relationship",
      "seam_family": "evidence",
      "blocking_point": "deployment-gate",
      "break_strategy": [
        "deny",
        "invalidate-stale-evidence",
        "require-independent-review"
      ],
      "reachability_scope": "every reuse of a collected evidence artifact against a target obligation, evaluated over the artifact's collection scope (system, configuration, population, time window) and the target obligation's assertion scope",
      "proof_obligation": "A reused artifact's collection scope (system, configuration, population, time) covers the target obligation's assertion scope; a reuse whose scope does not fit is blocked, qualified to the covered subset, or re-collected before it may satisfy the obligation.",
      "legs": [
        {
          "condition": "multi-framework evidence reuse that maps one artifact to many obligations",
          "covered_by": [
            {
              "id": "AU-07",
              "name": "Multi-Framework Evidence Reuse"
            }
          ]
        },
        {
          "condition": "evidence collection provenance and fit-for-purpose established at the point of collection",
          "covered_by": [
            {
              "id": "AU-02",
              "name": "Evidence Collection, Curation, and Validation"
            }
          ]
        },
        {
          "condition": "cross-domain obligation routing that selects which obligation the evidence is applied to",
          "covered_by": [
            {
              "id": "CA-03",
              "name": "Cross-Domain Evidence Routing"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "DA-10",
      "name": "Cumulative Data-Access Ceilings Across Identities and Sessions",
      "domain": "data",
      "canonical_id": "apeiris://data/controls/DA-10",
      "operator": "aggregate-accounting",
      "join_semantics": "aggregate-window",
      "seam_family": "information",
      "blocking_point": "pre-retrieval",
      "break_strategy": [
        "deny",
        "require-independent-review"
      ],
      "reachability_scope": "all reads attributable to a horizon-stable subject (principal/tenant/purpose/dataset) across every session, agent, tool, and API endpoint over a rolling horizon, invariant to session, agent, or identity re-instantiation",
      "proof_obligation": "A cumulative sensitivity-weighted exposure budget is maintained per {principal, tenant, purpose, dataset} across sessions and identities and enforced before each read; no subject reconstructs a sensitive corpus through individually authorized reads.",
      "legs": [
        {
          "condition": "each read is individually authorized",
          "covered_by": [
            {
              "id": "DA-01",
              "name": "AI Data Access Authorization Framework"
            },
            {
              "id": "DA-03",
              "name": "Consent-Based Data Access Controls"
            },
            {
              "id": "KR-05",
              "name": "Retrieval Permission Verification"
            }
          ]
        },
        {
          "condition": "each agent is within its per-agent budget",
          "covered_by": [
            {
              "id": "AB-06",
              "name": "Rate Limiting and Resource Budget Enforcement"
            },
            {
              "id": "EC-05",
              "name": "Cap spend and resource use, stop denial-of-wallet"
            }
          ]
        },
        {
          "condition": "access is logged",
          "covered_by": [
            {
              "id": "DX-06",
              "name": "Data Exchange Audit Trail"
            },
            {
              "id": "KR-07",
              "name": "Retrieval Audit Trail"
            },
            {
              "id": "AM-01",
              "name": "Behavioral Telemetry Collection Baseline"
            }
          ]
        },
        {
          "condition": "anomalous access is monitored",
          "covered_by": [
            {
              "id": "AM-04",
              "name": "Resource Consumption Anomaly Monitoring"
            },
            {
              "id": "DA-04",
              "name": "Privileged Data Access Monitoring"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "DA-11",
      "name": "Cache-hit permission and trust re-evaluation: re-check the requester's authorization against the cached entry's write-time context on every hit",
      "domain": "data",
      "canonical_id": "apeiris://data/controls/DA-11",
      "operator": "invariant-preservation",
      "join_semantics": "sequential-state-transition",
      "seam_family": "trust",
      "blocking_point": "pre-retrieval",
      "break_strategy": [
        "deny",
        "invalidate-stale-evidence",
        "downgrade-trust"
      ],
      "reachability_scope": "every semantic, response, and memoization cache between a requesting principal and an authorized retrieval, and the cached entry that crosses the requester boundary - its value plus the write-time principal, tenant, purpose, trust/classification label, and validity window",
      "proof_obligation": "A cache hit is served only if the requesting principal's current authorization and trust context matches the entry's write-time context; any mismatch - different or unauthorized principal, revoked authorization, or unmet trust or freshness level - is treated as a miss and falls through to a fresh authorized retrieval.",
      "legs": [
        {
          "condition": "cache populated under an authorized retrieval",
          "covered_by": [
            {
              "id": "KR-05",
              "name": "Retrieval Permission Verification"
            }
          ]
        },
        {
          "condition": "memory entries TTL-bounded and validated",
          "covered_by": [
            {
              "id": "EC-03",
              "name": "Keep memory short-lived, and validate anything written to it"
            }
          ]
        },
        {
          "condition": "vector store tenant-partitioned",
          "covered_by": [
            {
              "id": "DA-09",
              "name": "Multi-Tenant Vector Store Partitioning and Retrieval Isolation"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "DE-10",
      "name": "Prevent authority union and confused-deputy execution: effective authority at an action is the intersection of every active principal, never their union",
      "domain": "identity",
      "canonical_id": "apeiris://identity/controls/DE-10",
      "operator": "authority-composition",
      "join_semantics": "same-task",
      "seam_family": "authority",
      "blocking_point": "pre-tool-call",
      "break_strategy": [
        "narrow-authority",
        "deny",
        "require-independent-review"
      ],
      "reachability_scope": "transitive; effective authority is evaluated across every active principal for the action - user, agent, workload, tool, tenant, and task - and every credential or token the session holds, including ambient workload identity and cached delegated grants",
      "proof_obligation": "Effective authority at an action equals the intersection over {user, agent, workload, tool, tenant, task}; there is no fallback to ambient service privilege, and pre-declared toxic authority combinations are blocked even when each contributing authority is individually valid.",
      "legs": [
        {
          "condition": "agent/workload identity in scope for the action",
          "covered_by": [
            {
              "id": "II-03",
              "name": "Cryptographic Identity Binding"
            },
            {
              "id": "AA-01",
              "name": "Agent Identity Presentation at Tool Invocation"
            },
            {
              "id": "AA-04",
              "name": "Workload Identity for Agent Processes"
            }
          ]
        },
        {
          "condition": "delegated principal authority in scope for the action",
          "covered_by": [
            {
              "id": "DE-01",
              "name": "Delegation Chain Documentation"
            },
            {
              "id": "DE-02",
              "name": "Scope Boundary Enforcement"
            },
            {
              "id": "DE-04",
              "name": "Task-Scoped Delegation"
            },
            {
              "id": "DE-05",
              "name": "User Consent for Delegated AI Action"
            }
          ]
        },
        {
          "condition": "tool/runtime authorization in scope for the action",
          "covered_by": [
            {
              "id": "AT-02",
              "name": "Tool Permission Scoping"
            },
            {
              "id": "IA-04",
              "name": "Check permission continuously at run time, not just once at login"
            },
            {
              "id": "GV-04",
              "name": "Enforce policy as code at run time, in the request path"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "DL-09",
      "name": "Preserve Trust, Sensitivity and Purpose Invariants Through Transformation Chains",
      "domain": "data",
      "canonical_id": "apeiris://data/controls/DL-09",
      "operator": "invariant-preservation",
      "join_semantics": "dependency-relationship",
      "seam_family": "trust",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "downgrade-trust"
      ],
      "reachability_scope": "the full transformation/lineage dependency graph of a derived artifact - every source it summarizes, normalizes, translates, embeds, or merges, transitively - including persisted derivatives and shared indexes",
      "proof_obligation": "A derived artifact's effective labels equal the most-restriction over its complete lineage set; use or downstream promotion is blocked until labels are propagated and the dependency set is resolvable; declassification requires an authorized, logged gate.",
      "legs": [
        {
          "condition": "sources carry trust/sensitivity/consent/purpose classification",
          "covered_by": [
            {
              "id": "DX-01",
              "name": "Data Sensitivity Classification Framework for AI"
            },
            {
              "id": "DM-02",
              "name": "Data Classification and Sensitivity Tagging at Rest"
            },
            {
              "id": "KI-04",
              "name": "Content Sensitivity Classification at Ingestion"
            },
            {
              "id": "KS-02",
              "name": "Source Authority Classification"
            }
          ]
        },
        {
          "condition": "transformations are recorded as lineage",
          "covered_by": [
            {
              "id": "DL-01",
              "name": "End-to-End Data Lineage Tracking"
            },
            {
              "id": "DL-03",
              "name": "Inference-Time Data Lineage (Per-Decision Provenance)"
            },
            {
              "id": "DL-04",
              "name": "Transformation and Enrichment Lineage"
            }
          ]
        },
        {
          "condition": "derived output is validated",
          "covered_by": [
            {
              "id": "PT-05",
              "name": "Encode and validate the agent's own output before it reaches other systems"
            },
            {
              "id": "KR-02",
              "name": "Grounding Completeness Requirements"
            },
            {
              "id": "KR-04",
              "name": "Retrieval Hallucination Detection"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "DP-09",
      "name": "Gate re-identification created by dataset joins: evaluate combined re-identification risk before a co-retrieval or join result is returned",
      "domain": "privacy",
      "canonical_id": "apeiris://privacy/controls/DP-09",
      "operator": "aggregate-accounting",
      "join_semantics": "same-flow",
      "seam_family": "information",
      "blocking_point": "pre-retrieval",
      "break_strategy": [
        "deny",
        "redact",
        "require-independent-review"
      ],
      "reachability_scope": "direct and transitive co-retrieval: every dataset, table, vector index, and cached prior query result joinable within the same query plan, principal session, or purpose context, plus the auxiliary data reasonably likely to be used for linkage",
      "proof_obligation": "The combined re-identification risk of a co-retrieval or join - uniqueness of the joined quasi-identifier set, linkage against auxiliary data, and sensitive-attribute inference - is evaluated against a per-purpose policy threshold before the join result is returned, and a break strategy is applied whenever it is exceeded, even though each source is individually de-identified and authorized.",
      "legs": [
        {
          "condition": "each source individually de-identified",
          "covered_by": [
            {
              "id": "DP-02",
              "name": "Pseudonymization Implementation"
            },
            {
              "id": "TG-06",
              "name": "Sensitive-Data Necessity, Minimization and Controlled Use"
            },
            {
              "id": "DM-02",
              "name": "Data Classification and Sensitivity Tagging at Rest"
            }
          ]
        },
        {
          "condition": "join / co-retrieval lineage recorded",
          "covered_by": [
            {
              "id": "DL-04",
              "name": "Transformation and Enrichment Lineage"
            }
          ]
        },
        {
          "condition": "per-source access minimized and authorized",
          "covered_by": [
            {
              "id": "DA-01",
              "name": "AI Data Access Authorization Framework"
            },
            {
              "id": "DA-02",
              "name": "Data Minimization Implementation for AI"
            }
          ]
        },
        {
          "condition": "per-output inference limits",
          "covered_by": [
            {
              "id": "DP-04",
              "name": "Inference Scope Limitation"
            },
            {
              "id": "PM-02",
              "name": "Cross-Context Inference Monitoring"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "EC-15",
      "name": "Break the lethal-trifecta chain: no single flow may combine untrusted input, sensitive-data access, and an outbound channel",
      "domain": "security",
      "canonical_id": "apeiris://security/controls/EC-15",
      "operator": "reachability-cooccurrence",
      "join_semantics": "same-flow",
      "seam_family": "information",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "strip-a-leg",
        "deny"
      ],
      "reachability_scope": "full transitive session graph including delegated agents and delayed tool calls",
      "proof_obligation": "No session has untrusted-input, sensitive-data, and an outbound channel all live and unbroken before an outbound action.",
      "legs": [
        {
          "condition": "untrusted/attacker-controllable input reachable",
          "covered_by": [
            {
              "id": "EC-07",
              "name": "Trust-rank retrieved content before it enters the agent's context"
            },
            {
              "id": "RT-02",
              "name": "Detect direct and indirect prompt injection at every input and output"
            },
            {
              "id": "AB-05",
              "name": "Prompt Injection Detection and Defense"
            },
            {
              "id": "AB-09",
              "name": "Comprehensive Input Validation and Multimodal Screening"
            }
          ]
        },
        {
          "condition": "sensitive data in scope",
          "covered_by": [
            {
              "id": "DA-01",
              "name": "AI Data Access Authorization Framework"
            },
            {
              "id": "DX-01",
              "name": "Data Sensitivity Classification Framework for AI"
            },
            {
              "id": "EC-08",
              "name": "Keep secrets out of the prompt and context"
            }
          ]
        },
        {
          "condition": "outbound channel reachable",
          "covered_by": [
            {
              "id": "EC-02",
              "name": "Filter the agent's outbound network traffic"
            },
            {
              "id": "RT-05",
              "name": "Apply data-loss prevention to agent egress and interactions"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "EC-16",
      "name": "Break the privileged-action chain: no single flow may combine untrusted input, a privileged or irreversible tool, and a reachable credential",
      "domain": "security",
      "canonical_id": "apeiris://security/controls/EC-16",
      "operator": "reachability-cooccurrence",
      "join_semantics": "same-flow",
      "seam_family": "authority",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "strip-a-leg",
        "narrow-authority",
        "require-independent-review",
        "deny"
      ],
      "reachability_scope": "transitive; credential leg includes ambient workload identity, delegated user authority, cached tokens, tool-side service credentials",
      "proof_obligation": "No flow reaches a privileged or credential-touching action with untrusted-input + privileged-tool + credential all live, including privileged-but-reversible actions.",
      "legs": [
        {
          "condition": "untrusted input",
          "covered_by": [
            {
              "id": "EC-07",
              "name": "Trust-rank retrieved content before it enters the agent's context"
            },
            {
              "id": "RT-02",
              "name": "Detect direct and indirect prompt injection at every input and output"
            },
            {
              "id": "AB-05",
              "name": "Prompt Injection Detection and Defense"
            }
          ]
        },
        {
          "condition": "privileged/irreversible tool reachable",
          "covered_by": [
            {
              "id": "AT-05",
              "name": "Dangerous and Irreversible Tool Access Controls"
            },
            {
              "id": "AB-03",
              "name": "Action Reversibility Classification and Gates"
            },
            {
              "id": "GV-06",
              "name": "Cap the rate and volume of irreversible actions"
            },
            {
              "id": "GV-01",
              "name": "Require a human hard-stop for irreversible actions"
            }
          ]
        },
        {
          "condition": "reachable credential/secret (ambient/workload/cached/tool-side)",
          "covered_by": [
            {
              "id": "IA-02",
              "name": "Hand out short-lived, task-scoped keys (no long-lived secrets)"
            },
            {
              "id": "AA-02",
              "name": "API Key and Bearer Token Lifecycle Management"
            },
            {
              "id": "EC-08",
              "name": "Keep secrets out of the prompt and context"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "EC-17",
      "name": "Carry the write-time trust label forward: laundered low-trust memory may not be read back as trusted",
      "domain": "security",
      "canonical_id": "apeiris://security/controls/EC-17",
      "operator": "invariant-preservation",
      "join_semantics": "sequential-state-transition",
      "seam_family": "trust",
      "blocking_point": "pre-tool-call",
      "break_strategy": [
        "downgrade-trust",
        "require-independent-review"
      ],
      "reachability_scope": "all persisted state: memory, caches, scratchpads, vector stores, summaries, checkpoints, session restoration",
      "proof_obligation": "A low-trust write's effective trust never exceeds its write-time trust on read-back; laundered low-trust content cannot drive a privileged action.",
      "legs": [
        {
          "condition": "low-trust write to persisted state",
          "covered_by": [
            {
              "id": "EC-03",
              "name": "Keep memory short-lived, and validate anything written to it"
            },
            {
              "id": "EC-07",
              "name": "Trust-rank retrieved content before it enters the agent's context"
            }
          ]
        },
        {
          "condition": "later read-back into context",
          "covered_by": [
            {
              "id": "EC-07",
              "name": "Trust-rank retrieved content before it enters the agent's context"
            },
            {
              "id": "KR-05",
              "name": "Retrieval Permission Verification"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "EC-18",
      "name": "Carry self-authored provenance forward: an agent's own unverified output may not be re-consumed as authoritative fact",
      "domain": "security",
      "canonical_id": "apeiris://security/controls/EC-18",
      "operator": "invariant-preservation",
      "join_semantics": "sequential-state-transition",
      "seam_family": "trust",
      "blocking_point": "pre-tool-call",
      "break_strategy": [
        "downgrade-trust",
        "require-independent-review"
      ],
      "reachability_scope": "all self-authored persisted state: scratchpads, memory, notes, summaries, checkpoints, and derived stores the agent writes itself - across turns and sessions",
      "proof_obligation": "Self-generated unverified content carries its provenance forward and its effective confidence never exceeds its write-time confidence on read-back; it cannot be treated as authoritative or drive a privileged action until independently corroborated.",
      "legs": [
        {
          "condition": "self-generated unverified output persisted to state",
          "covered_by": [
            {
              "id": "PT-05",
              "name": "Encode and validate the agent's own output before it reaches other systems"
            },
            {
              "id": "DV-04",
              "name": "AI Output Validation Rules"
            },
            {
              "id": "KR-04",
              "name": "Retrieval Hallucination Detection"
            }
          ]
        },
        {
          "condition": "later read-back and reused as authoritative fact",
          "covered_by": [
            {
              "id": "EC-17",
              "name": "Carry the write-time trust label forward: laundered low-trust memory may not be read back as trusted"
            },
            {
              "id": "KM-05",
              "name": "Knowledge-to-Output Lineage Tracking"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "EV-14",
      "name": "Evaluation validity bound to the deployed reachable graph",
      "domain": "model",
      "canonical_id": "apeiris://model/controls/EV-14",
      "operator": "config-dependency",
      "join_semantics": "dependency-relationship",
      "seam_family": "lifecycle",
      "blocking_point": "deployment-gate",
      "break_strategy": [
        "invalidate-stale-evidence",
        "deny"
      ],
      "reachability_scope": "the deployed model plus its reachable graph - tools, retrieval sources, system prompt, permissions, memory, and downstream agents - that the evaluation verdict was produced against",
      "proof_obligation": "An evaluation verdict is valid only for the exact model + reachable-graph configuration digest it was produced against; a material graph change or runtime evidence contradicting the asserted property invalidates it, flipping the standing verdict to inconclusive until coverage is recomputed.",
      "legs": [
        {
          "condition": "model evaluation / regression results signed at t0",
          "covered_by": [
            {
              "id": "EV-07",
              "name": "Regression Testing on Updates"
            },
            {
              "id": "EV-09",
              "name": "Risk and Applicability Classification"
            },
            {
              "id": "AS-03",
              "name": "Gate releases on continuous adversarial validation"
            }
          ]
        },
        {
          "condition": "evaluation provenance bound to model + suite versions",
          "covered_by": [
            {
              "id": "EV-10",
              "name": "Evaluation Result Provenance"
            }
          ]
        },
        {
          "condition": "tool registry and version pinning",
          "covered_by": [
            {
              "id": "AT-01",
              "name": "Tool and Plugin Registry"
            },
            {
              "id": "AT-06",
              "name": "Third-Party Plugin Vetting and Sandboxing"
            }
          ]
        },
        {
          "condition": "reachable-graph map of the deployed agent",
          "covered_by": [
            {
              "id": "AB-10",
              "name": "Transitive Reachable-Graph Mapping at Build"
            }
          ]
        },
        {
          "condition": "runtime drift / behavior monitoring",
          "covered_by": [
            {
              "id": "BH-02",
              "name": "Concept and Data Drift Detection"
            },
            {
              "id": "AB-07",
              "name": "Behavioral Drift Monitoring"
            },
            {
              "id": "AM-03",
              "name": "Goal Drift and Intent Deviation Detection"
            },
            {
              "id": "PV-08",
              "name": "Principal Intent vs. Agent Behavior Alignment"
            },
            {
              "id": "AM-09",
              "name": "Action Effect Reconciliation"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "FC-09",
      "name": "Cross-principal financial-commitment concentration: aggregate exposure toward one counterparty is metered across principals and gated at a firm-level ceiling",
      "domain": "finance",
      "canonical_id": "apeiris://finance/controls/FC-09",
      "operator": "aggregate-accounting",
      "join_semantics": "same-target",
      "seam_family": "cross-system",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "narrow-authority",
        "require-independent-review"
      ],
      "reachability_scope": "all AI-initiated financial commitments across every principal, desk, and delegated-authority chain, resolved to their shared counterparty, position, or risk-exposure bucket over a rolling exposure window",
      "proof_obligation": "Aggregate commitment toward a counterparty, position, or exposure bucket is metered across all principals and gated at a firm-level concentration ceiling at runtime, invariant to splitting across principals or desks, not only within each principal's ledger.",
      "legs": [
        {
          "condition": "per-commitment delegated-authority limit applied to each individual commitment",
          "covered_by": [
            {
              "id": "PA-02",
              "name": "Approval Limit Enforcement"
            }
          ]
        },
        {
          "condition": "per-principal financial-commitment ledger and its within-principal aggregate limit",
          "covered_by": [
            {
              "id": "PG-02",
              "name": "Authority Limit Monitoring"
            }
          ]
        },
        {
          "condition": "multi-party approval above a per-transaction materiality threshold",
          "covered_by": [
            {
              "id": "PA-05",
              "name": "Multi-Party Approval Workflow"
            }
          ]
        },
        {
          "condition": "aggregate materiality assessment performed as periodic analysis rather than runtime interception",
          "covered_by": [
            {
              "id": "FC-02",
              "name": "AI-Generated Output Materiality Assessment"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "GV-12",
      "name": "Meter and gate irreversible actions per target across independent agent fleets",
      "domain": "security",
      "canonical_id": "apeiris://security/controls/GV-12",
      "operator": "aggregate-accounting",
      "join_semantics": "same-target",
      "seam_family": "agent-coordination",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "require-independent-review"
      ],
      "reachability_scope": "all agents, identities, owners, tenants, and delegation trees whose tool calls can apply an irreversible change to one shared target resource",
      "proof_obligation": "Irreversible changes to a shared target are metered across every actor regardless of ownership or delegation tree and gated at a per-target aggregate threshold.",
      "legs": [
        {
          "condition": "per-agent irreversible-action budget",
          "covered_by": [
            {
              "id": "GV-06",
              "name": "Cap the rate and volume of irreversible actions"
            }
          ]
        },
        {
          "condition": "per-action human/policy gate on irreversible actions",
          "covered_by": [
            {
              "id": "AB-03",
              "name": "Action Reversibility Classification and Gates"
            },
            {
              "id": "GV-01",
              "name": "Require a human hard-stop for irreversible actions"
            }
          ]
        },
        {
          "condition": "per-delegation-tree aggregate ceiling",
          "covered_by": [
            {
              "id": "AO-09",
              "name": "Cumulative fan-out ceiling across a delegation tree: enforce fleet-level caps that per-agent budgets miss"
            }
          ]
        },
        {
          "condition": "blast-radius / failover containment for the target resource",
          "covered_by": [
            {
              "id": "FO-05",
              "name": "Cascade Failure Prevention in Multi-Agent Pipelines"
            },
            {
              "id": "RE-05",
              "name": "Dependency Isolation and Bulkhead Patterns"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "GV-13",
      "name": "Re-authorize every deferred action against current context at fire-time",
      "domain": "security",
      "canonical_id": "apeiris://security/controls/GV-13",
      "operator": "temporal-revalidation",
      "join_semantics": "sequential-state-transition",
      "seam_family": "temporal",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "invalidate-stale-evidence"
      ],
      "reachability_scope": "every deferred execution path - queued jobs, callbacks, scheduled tasks, retries, delayed commits, resumed workflows - and the full precondition set each snapshotted at schedule time",
      "proof_obligation": "Every deferred action re-validates its FULL precondition set - authorization, consent, model/tool-approval currency, and attestation validity - against current context immediately before execution, layered on IA-04/GV-08, and fails closed on any revoked or changed precondition.",
      "legs": [
        {
          "condition": "preconditions validated at schedule/approval time",
          "covered_by": [
            {
              "id": "IA-04",
              "name": "Check permission continuously at run time, not just once at login"
            },
            {
              "id": "DE-04",
              "name": "Task-Scoped Delegation"
            },
            {
              "id": "DC-05",
              "name": "Consent Withdrawal Processing"
            },
            {
              "id": "LI-09",
              "name": "Material-Change Determination and Authorization Gate"
            },
            {
              "id": "AM-10",
              "name": "Configuration Posture Drift Detection Against Signed Baseline"
            },
            {
              "id": "PT-07",
              "name": "Verify tool descriptions for hidden instructions (description injection)"
            },
            {
              "id": "EC-05",
              "name": "Cap spend and resource use, stop denial-of-wallet"
            },
            {
              "id": "AU-08",
              "name": "ComplianceAttestation Production"
            }
          ]
        },
        {
          "condition": "durable delay carrying the scheduled action across an interval",
          "covered_by": [
            {
              "id": "RE-02",
              "name": "Stateless Agent Design and Session Recovery"
            },
            {
              "id": "EC-10",
              "name": "Verify trigger provenance and admit autonomous runs"
            }
          ]
        },
        {
          "condition": "authorization/state re-check at commit",
          "covered_by": [
            {
              "id": "GV-08",
              "name": "Make high-impact actions transactional, atomic, idempotent, state-checked"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "KC-09",
      "name": "Grounding-freshness re-validation at action commit",
      "domain": "knowledge",
      "canonical_id": "apeiris://knowledge/controls/KC-09",
      "operator": "temporal-revalidation",
      "join_semantics": "sequential-state-transition",
      "seam_family": "temporal",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "invalidate-stale-evidence"
      ],
      "reachability_scope": "Any irreversible or high-consequence action whose decision relies on previously-retrieved knowledge, where retrieval time and commit time differ.",
      "proof_obligation": "The grounding a high-consequence action relies on is re-validated for currency at commit; a record quarantined, held, or superseded since retrieval blocks or re-grounds the action.",
      "legs": [
        {
          "condition": "The decision is grounded in retrieved knowledge with recorded lineage",
          "covered_by": [
            {
              "id": "KR-02",
              "name": "Grounding Completeness Requirements"
            },
            {
              "id": "KM-05",
              "name": "Knowledge-to-Output Lineage Tracking"
            },
            {
              "id": "KR-05",
              "name": "Retrieval Permission Verification"
            }
          ]
        },
        {
          "condition": "Corpus currency controls act going forward (quarantine, hold, supersession)",
          "covered_by": [
            {
              "id": "KC-01",
              "name": "Knowledge Staleness Classification Policy"
            },
            {
              "id": "KC-02",
              "name": "Automated Staleness Detection"
            },
            {
              "id": "PG-05",
              "name": "Knowledge Source Staleness Detection"
            },
            {
              "id": "KS-05",
              "name": "Competing Source Conflict Resolution"
            }
          ]
        },
        {
          "condition": "The high-consequence / irreversible action is authorized and classified",
          "covered_by": [
            {
              "id": "AB-01",
              "name": "Authorized Action Scope Manifest"
            },
            {
              "id": "AB-03",
              "name": "Action Reversibility Classification and Gates"
            },
            {
              "id": "AM-09",
              "name": "Action Effect Reconciliation"
            }
          ]
        },
        {
          "condition": "The specific grounding an in-flight action depends on is re-validated for currency at commit",
          "covered_by": [
            {
              "id": "KC-09",
              "name": "Grounding-freshness re-validation at action commit"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "KR-10",
      "name": "Constrain mixed-source claims by applicability compatibility, not only citation",
      "domain": "knowledge",
      "canonical_id": "apeiris://knowledge/controls/KR-10",
      "operator": "semantic-co-validity",
      "join_semantics": "dependency-relationship",
      "seam_family": "information",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "require-independent-review"
      ],
      "reachability_scope": "Any response or claim that composes statements drawn from two or more distinct knowledge sources.",
      "proof_obligation": "All sources composed into one claim share compatible applicability dimensions; otherwise the claim is blocked or qualified to the narrowest common applicability.",
      "legs": [
        {
          "condition": "Each source is authorized and within its authority tier",
          "covered_by": [
            {
              "id": "KS-01",
              "name": "Knowledge Source Authorization Register"
            },
            {
              "id": "KS-02",
              "name": "Source Authority Classification"
            }
          ]
        },
        {
          "condition": "Each source is fresh / within its currency window",
          "covered_by": [
            {
              "id": "KS-03",
              "name": "Source Currency and Maximum Age Policy"
            },
            {
              "id": "KC-01",
              "name": "Knowledge Staleness Classification Policy"
            },
            {
              "id": "KC-02",
              "name": "Automated Staleness Detection"
            }
          ]
        },
        {
          "condition": "No direct contradiction is detected between the sources",
          "covered_by": [
            {
              "id": "KS-05",
              "name": "Competing Source Conflict Resolution"
            }
          ]
        },
        {
          "condition": "Each statement is grounded in and correctly cites its source",
          "covered_by": [
            {
              "id": "KR-02",
              "name": "Grounding Completeness Requirements"
            },
            {
              "id": "KR-03",
              "name": "Citation Fidelity and Accuracy Enforcement"
            },
            {
              "id": "KS-07",
              "name": "Source Attribution and Citation Disclosure Requirements"
            }
          ]
        },
        {
          "condition": "All sources composed into one claim share compatible applicability dimensions (jurisdiction, effective dates, scope, definitions, population)",
          "covered_by": [
            {
              "id": "KR-10",
              "name": "Constrain mixed-source claims by applicability compatibility, not only citation"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "PA-11",
      "name": "Approval-Object Binding — Bind Human Approval to the Exact Action Executed",
      "domain": "authority",
      "canonical_id": "apeiris://authority/controls/PA-11",
      "operator": "object-binding",
      "join_semantics": "sequential-state-transition",
      "seam_family": "authority",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "deny",
        "invalidate-stale-evidence"
      ],
      "reachability_scope": "the approval event and the subsequently executed action across every agent, tool invocation, credential, data scope, and payload reachable between the moment approval is granted and the moment the action commits",
      "proof_obligation": "The executed action's canonical digest — over its parameters, target, quantity, recipient, payload, authority context, data scope, and tool version — equals the digest of the approved object; any material mutation between approval and execution invalidates the approval and blocks the action.",
      "legs": [
        {
          "condition": "a human approval / escalation gate fires on the previewed action",
          "covered_by": [
            {
              "id": "IA-03",
              "name": "Act on the user's behalf with explicit approval for sensitive steps"
            },
            {
              "id": "GV-01",
              "name": "Require a human hard-stop for irreversible actions"
            },
            {
              "id": "PA-03",
              "name": "Escalation Gate Design and Testing"
            },
            {
              "id": "PA-05",
              "name": "Multi-Party Approval Workflow"
            },
            {
              "id": "AO-04",
              "name": "Human-in-the-Loop Gates for High-Consequence Orchestrations"
            }
          ]
        },
        {
          "condition": "the action is classified and its parameters and tool are resolved",
          "covered_by": [
            {
              "id": "AB-03",
              "name": "Action Reversibility Classification and Gates"
            },
            {
              "id": "AT-01",
              "name": "Tool and Plugin Registry"
            },
            {
              "id": "AT-05",
              "name": "Dangerous and Irreversible Tool Access Controls"
            }
          ]
        },
        {
          "condition": "runtime policy enforcement and approval audit apply at execution",
          "covered_by": [
            {
              "id": "GV-04",
              "name": "Enforce policy as code at run time, in the request path"
            },
            {
              "id": "PA-07",
              "name": "Approval Record and Audit Trail"
            },
            {
              "id": "AT-07",
              "name": "Tool Usage Audit Trail"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "PA-12",
      "name": "Approval Independence — Approver Distinct from the Initiating or Benefiting Principal",
      "domain": "authority",
      "canonical_id": "apeiris://authority/controls/PA-12",
      "operator": "independence",
      "join_semantics": "same-principal",
      "seam_family": "human",
      "blocking_point": "pre-approval",
      "break_strategy": [
        "deny",
        "require-independent-review"
      ],
      "reachability_scope": "the approver identity and the initiating/benefiting principal of the agent, including every shared orchestrator, service account, model session, owner, policy principal, and delegated-approval path that could constitute hidden common control between them",
      "proof_obligation": "The approver's identity is independent of the initiating and benefiting principal of the agent under the applicable separation-of-duties policy — including hidden common control via a shared orchestrator, service account, model session, owner, policy principal, or delegated-approval loop; an approval by a non-independent principal is blocked and an independent approver is required.",
      "legs": [
        {
          "condition": "a single-approver gate authorizes the agent's action",
          "covered_by": [
            {
              "id": "AO-04",
              "name": "Human-in-the-Loop Gates for High-Consequence Orchestrations"
            },
            {
              "id": "GV-01",
              "name": "Require a human hard-stop for irreversible actions"
            }
          ]
        },
        {
          "condition": "multi-human approval independence is checked when the materiality threshold applies",
          "covered_by": [
            {
              "id": "PA-05",
              "name": "Multi-Party Approval Workflow"
            }
          ]
        },
        {
          "condition": "oversight-channel integrity is preserved",
          "covered_by": [
            {
              "id": "PA-10",
              "name": "Risk-Ranked Human Approval and Oversight-Channel Integrity"
            }
          ]
        },
        {
          "condition": "human versus non-human identity separation and an accountable owner exist",
          "covered_by": [
            {
              "id": "II-05",
              "name": "Non-Human Identity Separation from Human Identity"
            },
            {
              "id": "IM-05",
              "name": "Credential Sharing Detection"
            },
            {
              "id": "II-06",
              "name": "Accountable Owner Binding"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "PM-09",
      "name": "Revalidate consent and purpose after data composition: recompute lawful basis and purpose-compatibility for the combined use before it proceeds",
      "domain": "privacy",
      "canonical_id": "apeiris://privacy/controls/PM-09",
      "operator": "invariant-preservation",
      "join_semantics": "same-flow",
      "seam_family": "information",
      "blocking_point": "pre-retrieval",
      "break_strategy": [
        "deny",
        "redact",
        "require-independent-review"
      ],
      "reachability_scope": "direct and transitive composition: every dataset, feature set, and inference context assembled from two or more separately-authorized data uses within the same processing flow or purpose context, plus the purpose and lawful-basis labels each source carries",
      "proof_obligation": "A composed use has an affirmative purpose-compatibility and consent or lawful-basis determination for the combination - not only for each source - recomputed before the combined dataset, feature set, or inference is produced or acted on, and a break strategy is applied whenever the combination is authorized by neither source.",
      "legs": [
        {
          "condition": "each source use has valid consent linkage",
          "covered_by": [
            {
              "id": "DC-03",
              "name": "Consent Registry"
            },
            {
              "id": "DA-03",
              "name": "Consent-Based Data Access Controls"
            }
          ]
        },
        {
          "condition": "each use maps to its original purpose",
          "covered_by": [
            {
              "id": "DC-06",
              "name": "Data Purpose Limitation Mapping"
            }
          ]
        },
        {
          "condition": "join / composition lineage recorded",
          "covered_by": [
            {
              "id": "DL-04",
              "name": "Transformation and Enrichment Lineage"
            }
          ]
        },
        {
          "condition": "cross-context inference monitored at output",
          "covered_by": [
            {
              "id": "PM-02",
              "name": "Cross-Context Inference Monitoring"
            }
          ]
        },
        {
          "condition": "consent-state consistency maintained",
          "covered_by": [
            {
              "id": "PM-04",
              "name": "Consent State Consistency Monitoring"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "PT-09",
      "name": "Re-validate tainted tool output before it becomes a privileged tool parameter (credential-less confused deputy)",
      "domain": "security",
      "canonical_id": "apeiris://security/controls/PT-09",
      "operator": "invariant-preservation",
      "join_semantics": "sequential-state-transition",
      "seam_family": "information",
      "blocking_point": "pre-tool-call",
      "break_strategy": [
        "downgrade-trust",
        "require-independent-review",
        "deny"
      ],
      "reachability_scope": "tool-to-tool dataflow across the reachable tool graph: any tool output value reaching a privileged or irreversible tool parameter, including via summaries and intermediate tools, with no credential leg required",
      "proof_obligation": "Tainted tool-A output driving a privileged tool-B parameter is re-validated before B executes; the gate fires even when no credential or secret is in play.",
      "legs": [
        {
          "condition": "attacker-influenced tool-A output, untrusted (monitored, not provenance-typed)",
          "covered_by": [
            {
              "id": "PT-04",
              "name": "Validate tool input/output, treat tool results as untrusted"
            },
            {
              "id": "AT-04",
              "name": "Tool Output Sanitization and Integrity Verification"
            },
            {
              "id": "PT-08",
              "name": "Enforce an instruction hierarchy so tool output cannot give the agent orders"
            }
          ]
        },
        {
          "condition": "value used as a privileged/irreversible tool-B parameter",
          "covered_by": [
            {
              "id": "PT-06",
              "name": "Sanitize model-generated tool parameters, not just the schema"
            },
            {
              "id": "AB-03",
              "name": "Action Reversibility Classification and Gates"
            },
            {
              "id": "AT-05",
              "name": "Dangerous and Irreversible Tool Access Controls"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    },
    {
      "id": "RG-09",
      "name": "Safeguard Joint-Availability Floor: halt consequential agent execution when telemetry, containment, and audit safeguards are jointly degraded",
      "domain": "resilience",
      "canonical_id": "apeiris://resilience/controls/RG-09",
      "operator": "safeguard-dependency",
      "join_semantics": "dependency-relationship",
      "seam_family": "environmental",
      "blocking_point": "runtime-action",
      "break_strategy": [
        "narrow-authority",
        "deny"
      ],
      "reachability_scope": "the agent's consequential-action authority and the independent telemetry, containment/kill, and audit safeguards that supervise it, evaluated for correlated failure",
      "proof_obligation": "Consequential execution is stopped when the remaining independent safeguards fall below a minimum-supervision floor (detect + reconstruct + contain + terminate).",
      "legs": [
        {
          "condition": "telemetry / observability available (detect)",
          "covered_by": [
            {
              "id": "AM-01",
              "name": "Behavioral Telemetry Collection Baseline"
            }
          ]
        },
        {
          "condition": "kill / containment available (contain, terminate)",
          "covered_by": [
            {
              "id": "AM-07",
              "name": "Real-Time Alerting and Automated Agent Suspension"
            },
            {
              "id": "RT-04",
              "name": "Detect anomalies and trigger pause, kill switch, or containment"
            },
            {
              "id": "AO-05",
              "name": "Orchestration Loop and Escalation Detection"
            }
          ]
        },
        {
          "condition": "audit / immutable recording available (reconstruct)",
          "covered_by": [
            {
              "id": "GV-02",
              "name": "Keep an immutable, tamper-evident audit trail of what the agent did"
            },
            {
              "id": "AU-04",
              "name": "Audit Trail Integrity"
            }
          ]
        },
        {
          "condition": "graceful-degradation policy governs the safeguard stack (points the wrong way alone)",
          "covered_by": [
            {
              "id": "FO-01",
              "name": "Graceful Degradation Design Patterns"
            }
          ]
        }
      ],
      "state": "canonical-compositional-control"
    }
  ],
  "coverage": {
    "canonical_count": 28,
    "operators_total": 11,
    "operators_instantiated": [
      "aggregate-accounting",
      "authority-composition",
      "config-dependency",
      "independence",
      "invariant-preservation",
      "object-binding",
      "reachability-cooccurrence",
      "safeguard-dependency",
      "semantic-co-validity",
      "temporal-revalidation"
    ],
    "families_covered": [
      "agent-coordination",
      "authority",
      "cross-system",
      "environmental",
      "evidence",
      "human",
      "information",
      "lifecycle",
      "temporal",
      "trust"
    ],
    "by_operator": [
      {
        "operator": "aggregate-accounting",
        "controls": [
          "AO-09",
          "AO-11",
          "DA-10",
          "DP-09",
          "FC-09",
          "GV-12"
        ]
      },
      {
        "operator": "authority-composition",
        "controls": [
          "DE-10"
        ]
      },
      {
        "operator": "config-dependency",
        "controls": [
          "EV-14"
        ]
      },
      {
        "operator": "independence",
        "controls": [
          "AB-11",
          "AB-12",
          "PA-12"
        ]
      },
      {
        "operator": "invariant-preservation",
        "controls": [
          "AO-10",
          "DA-11",
          "DL-09",
          "EC-17",
          "EC-18",
          "PM-09",
          "PT-09"
        ]
      },
      {
        "operator": "object-binding",
        "controls": [
          "PA-11"
        ]
      },
      {
        "operator": "reachability-cooccurrence",
        "controls": [
          "EC-15",
          "EC-16"
        ]
      },
      {
        "operator": "safeguard-dependency",
        "controls": [
          "RG-09"
        ]
      },
      {
        "operator": "semantic-co-validity",
        "controls": [
          "AU-09",
          "AU-10",
          "AU-11",
          "KR-10"
        ]
      },
      {
        "operator": "temporal-revalidation",
        "controls": [
          "GV-13",
          "KC-09"
        ]
      }
    ]
  },
  "candidates": {
    "source": "research/compositional-assurance/candidate-register.yaml",
    "present": true,
    "by_tier": {
      "tier-1": 8,
      "tier-2": 14,
      "tier-4": 2
    },
    "by_status": {
      "high-confidence": 24
    },
    "count": 24,
    "tier1": [
      {
        "proposed_id": "AO-10",
        "title": "Preserve trust and authority across agent-to-agent handoffs",
        "operator": [
          "invariant-preservation",
          "authority-composition"
        ],
        "convergence_count": 2,
        "state": "validated-seam"
      },
      {
        "proposed_id": "DE-10",
        "title": "Prevent authority union and confused-deputy execution",
        "operator": [
          "authority-composition"
        ],
        "convergence_count": 2,
        "state": "validated-seam"
      },
      {
        "proposed_id": "DA-10",
        "title": "Cumulative data-access ceilings across identities and sessions",
        "operator": [
          "aggregate-accounting"
        ],
        "convergence_count": 2,
        "state": "validated-seam"
      },
      {
        "proposed_id": "DP-09",
        "title": "Gate re-identification created by dataset joins",
        "operator": [
          "aggregate-accounting",
          "invariant-preservation"
        ],
        "convergence_count": 2,
        "state": "validated-seam"
      },
      {
        "proposed_id": "AO-11",
        "title": "Prevent distributed quota evasion outside one delegation tree",
        "operator": [
          "aggregate-accounting"
        ],
        "convergence_count": 2,
        "state": "validated-seam"
      },
      {
        "proposed_id": "DL-09",
        "title": "Preserve trust/sensitivity/purpose invariants through transformation chains",
        "operator": [
          "invariant-preservation"
        ],
        "convergence_count": 2,
        "state": "validated-seam"
      },
      {
        "proposed_id": "AU-10",
        "title": "Apply weakest-link scope + fail-closed to composed attestations and verdicts",
        "operator": [
          "semantic-co-validity",
          "invariant-preservation"
        ],
        "convergence_count": 2,
        "state": "validated-seam"
      },
      {
        "proposed_id": "EV-14",
        "title": "Bind evaluation/attestation validity to the deployed reachable graph",
        "operator": [
          "config-dependency",
          "validity-continuity"
        ],
        "convergence_count": 2,
        "state": "validated-seam"
      }
    ],
    "adjudication_required": []
  }
}
