meetLab/ Papers/ PAP · 03 — IR

Governance skills as the compilation layer.

Between policy (what we intend) and runtime (what executes), a typed intermediate representation is required. A governance skill is that IR — a declarative artifact that names triggers, inputs, constraints, workflow, ambiguity protocol, escalation routing, and failure modes, and compiles into the invariant set routed through enforce(…).

StatusStable
PaperPAP · 03 / 08
Sourcegovernance_skills_as_
compilation_layer.md
Last verified2026-04-21
Non-expansionno runtime schema · no corpus evidence
I.

Abstract

A governance skill is the intermediate representation between policy intent and runtime enforcement. It is a declarative artifact — not a prompt, not a function — that specifies the conditions under which a transition is evaluated, the artifacts required to evaluate it, the constraints the evaluation must honor, the workflow that produces terminal outcomes, the protocol for ambiguity, the routing for escalation, and the failure modes the skill itself governs.

A skill compiles into an invariant set registered against the enforcement dispatcher. This paper specifies the seven fields, their semantics, the compile step, and the anti-patterns that emerge when skills are treated as prose instead of IR.

II.

The IR claim

Policy is what an organization intends; runtime is what a system executes. Between them, ambiguity accumulates. Skills are the discipline that absorbs that ambiguity into a typed artifact the compiler can check. The claim is not "write better prompts"; it is that governance requires a typed intermediate representation whose fields are necessary and whose omissions are errors.

This is the same shape formal pipelines have taken elsewhere: IRs exist because end-to-end translation without one is brittle. Governance skills are that IR for lifecycle authority.

III.

Skill anatomy — the seven fields

trigger
The event-class that activates the skill. Must reference the event alphabet; free-text triggers do not compile.
inputs
Typed artifacts the skill reads. Each input carries a schema reference and a provenance requirement.
constraints
Pure predicates over (event, state, inputs). No side effects. No probabilistic terms.
workflow
Ordered evaluation steps producing a terminal outcome. A workflow that can return no terminal is ill-typed.
ambiguity protocol
The skill's behavior when inputs are missing, conflicting, or unparseable. Default is fail-closed; any non-default must be explicit.
escalation routing
The modeled role to receive the decision when runtime authority is insufficient. Escalation is a governed transition, not an exception path.
failure modes
The named failure modes this skill compiles into invariants. Every failure mode listed must have a matching invariant. Residue is recorded, not hidden.

A skill is well-typed if and only if all seven fields are present, reference declared event/artifact/authority registries, and produce a compilable invariant set.

IV.

Worked skill

skills/agent_tool_exec.skillv0.4
skill "agent_tool_exec" {
  trigger: event.type == "agent.tool_exec"

  inputs:
    - ack_envelope   : ACKEnvelope@v2    provenance: signed(trusted_keys)
    - session        : SessionState@v1   provenance: governed
    - tool_manifest  : ToolManifest@v1   provenance: registry

  constraints:
    C1  verify_signature(ack_envelope, trusted_keys)
    C2  ack_envelope.scope ⊇ event.requested_scope
    C3  event.tool_id ∈ tool_manifest.allowlist
    C4  event.caller ∈ ack_envelope.delegation_chain

  workflow:
    step admit      : require C1 ∧ C2 ∧ C3 ∧ C4
    step envelope   : bind(ack_envelope → decision_frame)
    step terminate  : PROCEED | HALT(301) | ESCALATE(runtime_operator)

  ambiguity_protocol:
    missing(ack_envelope) → HALT(301, "authority_missing")
    malformed(inputs)     → HALT(400, "ill_typed_skill_input")

  escalation_routing:
    on HALT(code=301)     → runtime_operator
    on HALT(code=409)     → policy_author

  failure_modes:
    - authority_smuggling_via_tool_call       → INV-AUTH-004
    - delegation_chain_forgery                → INV-AUTH-005
    - cross_surface_approval_divergence       → INV-EQUIV-007
}

This is not a prompt. It is an artifact with a schema the compiler checks.

V.

Compilation: skill → invariant set

compile skill (IR) typecheck lower to predicates bind to routing registry enforce(event)

1 · typecheck

Inputs resolve to declared schemas. Triggers resolve to the event alphabet. Escalation roles resolve to the authority graph. Failure modes resolve to registered IDs. Unresolved references are compile errors — not warnings.

2 · lower to predicates

Each constraint is lowered to a pure predicate over (event, state, inputs). Workflow steps lower to conjunctions; alternatives lower to branches that must terminate.

3 · bind to routing registry

The lowered invariant set is registered against the trigger in the routing registry. A governed surface that emits that trigger will evaluate the set through enforce(…).

4 · emit residue

Any failure mode listed without a matching invariant becomes a compile error. Any invariant not reachable from some trigger becomes a dead invariant warning. Any field omitted is a skill error.

determinism invariant

The compiler must not admit non-determinism through the back door: no invariant may depend on wall-clock time, unseeded randomness, or side-effecting evaluators. Replay stability is a property of the compilation pass, not of the author's intent.

VI.

Scope clauses

Every skill carries a scope clause and a non-expansion clause. Scope names the surface, event-class, and lifecycle window the skill governs. Non-expansion forbids the skill from claiming authority over transitions outside that window. Cross-skill overlap resolves through the routing registry, not through precedence in prose.

VII.

Anti-patterns

  • Prose-as-skill. A markdown description of intent, no typed fields, no compile step. Governs nothing at runtime.
  • Implicit fail-open. A workflow that returns no terminal on some branch. The compiler must reject this; the runtime must never encounter it.
  • Untyped escalation. Escalation targeted at a role that is not in the authority graph. The route terminates in a string, not a governed receiver.
  • Residue concealment. Failure modes declared without invariants, presented as governed. Honest compilation lists the residue.
  • Skill as prompt. Including natural-language model instructions in the constraint slot. Constraints are predicates, not guidance.
VIII.

Conclusion

A governance skill is typed, compilable, and routable. Treated as IR, it closes the gap between intent and enforcement; treated as prose, it reopens the same gap the compilation pipeline was built to close. The discipline is the compiler: what it accepts is governed; what it rejects is residue; what it emits is an invariant set the runtime can evaluate deterministically.

the mechanism policy skill (IR) invariant set enforce(event) PASS | HALT
paper · rev 012 · build 2026-04-21 skill (IR) → invariant set → enforce(event) → PASS | HALT meetLab · 2026