Working notes

Notes

Notes are smaller than essays: claims, diagrams, paper observations, threat model sketches, and technical questions that may later become full articles.

Claim

The agent boundary is where language becomes authority.

The security question is not only what the model says. It is which words can trigger tools, write memory, move funds, deploy code, or change external state.

Sketch

Memory needs provenance, not just retrieval.

A useful memory system should answer who wrote this, from which input, under which policy, and why it should be trusted now.
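One way to make those four questions checkable, as an added example that is not from the original notes: each memory record carries its author, a hash of the input it came from, and the policy it was written under, bound by an HMAC, and a gate decides whether it can be trusted now. The policy names, author names, age limits, and key are all assumptions made for illustration.

```python
import hashlib, hmac, json
from dataclasses import dataclass, asdict

KEY = b"constructed-demo-key"  # assumption: held by the memory service, never by the model

# Assumption: policy -> (authors allowed to write, max age in seconds, may drive tool calls)
POLICIES = {
    "user-stated":   ({"user"}, 30 * 86400, True),
    "tool-observed": ({"web_fetch", "email_reader"}, 7 * 86400, False),
}

@dataclass(frozen=True)
class MemoryRecord:
    content: str
    author: str        # who wrote this
    input_sha256: str  # from which input
    policy: str        # under which policy
    written_at: int    # Unix seconds
    tag: str = ""      # HMAC over every field above

def _mac(rec):
    fields = {k: v for k, v in asdict(rec).items() if k != "tag"}
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def write_memory(content, author, raw_input, policy, now):
    """Create a record whose provenance fields are bound to its content."""
    rec = MemoryRecord(content, author, hashlib.sha256(raw_input).hexdigest(), policy, now)
    return MemoryRecord(**{**asdict(rec), "tag": _mac(rec)})

def trust_now(rec, now, for_tool_call):
    """Return (trusted, reason): why the record should or should not be trusted now."""
    if not hmac.compare_digest(rec.tag, _mac(rec)):
        return False, "provenance tag mismatch"
    if rec.policy not in POLICIES:
        return False, "unknown policy"
    authors, max_age, may_act = POLICIES[rec.policy]
    if rec.author not in authors:
        return False, "author not allowed under policy"
    if now - rec.written_at > max_age:
        return False, "expired"
    if for_tool_call and not may_act:
        return False, "policy forbids driving tool calls"
    return True, "ok"
```

A record written from fetched content stays retrievable as context but is refused when the caller asks whether it may influence a tool call.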

Question

Can we define agent invariants?

Smart contracts use invariants to reason about allowed state. What is the equivalent for an agent that plans probabilistically and acts through tools?