Boundary I
Agent action enforcement
The action side of the shared constitution: model-selected tool calls, native tools, adversarial plans, halt state, and normalized evidence before dangerous function bodies run.
Agent boundary research sequence
Eight chapters. One continuous agent-control story.
The path moves from the first OpenClaw payment block, to adversarial replay, late-stage drift, native tool-body proof, second-runtime model turns through Hermes, Hermes parity, a four-runtime parity proof, and finally a clean-install CLI path for those adapters.
01 Baseline proof before body. A model-selected payment.transfer call was stopped before the tool function ran. May 9
02 Adversarial replay under load. Seven attack patterns replayed as 700 concurrent attempts with zero body calls. May 13
03 Late-drift deep dive at turn eight. The bad action appeared after safe-looking context and was still blocked at execution. May 14
04 Native tool proof three bodies blocked. Deploy, export, and payment tools were invoked natively and blocked before body entry. May 14
05 Hermes proof second runtime. Hermes model turns through OpenAI, Gemini, and DeepSeek were blocked before body entry. May 16
06 Hermes native tools parity proof. Hermes native tools, replay, mutation, action matrix, and model-turn checks now match the OpenClaw evidence depth. May 16
07 Joint runtime proof one policy. OpenClaw, Hermes, MCP, and Generic HTTP shared one constitution across 100-way mixed concurrency, delegation, halt, and fail-closed preflight. May 19
08 Clean install path four init commands. A fresh npm workspace installed the CLI, initialized four adapters, and re-ran the shared proof with zero prohibited body calls. May 19
