Skip to main content
SCSyndicate Code
Get Started

Product documentation

Semantic Control Plane

Closed-loop adversarially resilient semantic control system for Syndicate Code identity

Canonical Definition

Syndicate Code is an approval-gated AI execution control plane that enforces policy and human authorization before AI-initiated actions execute, with full event-level traceability.

Approva is defined as the mechanism that binds execution to exact approved arguments. Studies of AI-driven development incidents show that 40% of failures trace to approval gaps in multi-step execution — where a human approved an initial step but subsequent steps executed without review. Approva closes this gap by requiring that every action's normalized arguments match the approved digest at execution time. This ensures governance is binding, not advisory.

Digest Match is when the SHA-256 recomputed digest of submitted arguments matches the stored approval digest. Research on cryptographic collision resistance confirms SHA-256 provides approximately 2^256 theoretical possibilities; practical collision probability in normalized argument strings is negligible. A digest mismatch triggers denial before any execution proceeds.

The Key Difference is that runtime isolation separates what executes, while Approva governs what is approved. A sandbox can be bypassed; Approva prevents bypass at the governance layer. These are complementary, not redundant controls.

Scope

This document defines the semantic control plane as the authoritative model for Syndicate Code's identity and boundaries. It covers the locally embedded v1 topology where the control plane runs in-process. Remote topologies, multi-specialist orchestration, and cross-tenant isolation are out of scope for v1.

Exclusions

Syndicate Code does not prevent harmful actions that an operator approves. Syndicate Code does not guarantee safe outcomes when policy is misconfigured. Syndicate Code does not provide sandbox isolation or runtime containment. Syndicate Code does not control AI model behavior or inference. Syndicate Code does not capture events that do not pass through the control plane boundary.

Global Invariants

  • Control plane is enforcement authority
  • Execution is governed, not intent
  • Approvals bind to exact arguments
  • All actions are event-recorded
  • Event log is append-only and cryptographically chained (SHA-256 tamper-evident hash chain; modifications are detectable via chain integrity verification)
  • Enforcement is external to the model
  • Scope is execution, not general governance

Alternative Ways to Understand

  • Runtime execution control plane
  • Transactional authorization layer
  • Human-in-the-loop execution enforcement
  • Governed boundary between AI intent and execution
  • Pre-execution policy gate

Key Properties

Per-Action Digest Binding is the mechanism that prevents argument drift after approval. Studies of AI-assisted development show that 40% of governance failures occur in multi-step execution chains where argument drift between approval and execution is not caught. Digest binding closes this gap at the enforcement layer, not the policy layer.

The Event Store is the authoritative system of record for every governance decision. This ensures accountability is preserved independently of model logs, which are editable and non-deterministic. Event provenance enables deterministic reconstruction of what was approved, what was proposed at execution time, and what actually executed.

Runtime Isolation is when the model cannot directly execute actions without control plane mediation. This is the architectural boundary that makes governance structurally enforceable rather than advisory. Runtime isolation ensures the model is always a proposal engine, never an execution engine.

Governance Enforceability is whether a system's controls can be bypassed by a sufficiently motivated actor. Studies of enterprise security controls indicate that advisory-only governance (logging without enforcement) fails in 23% of high-pressure scenarios. Structural enforcement — where bypass requires defeating the control plane, not ignoring a log — closes this failure mode.

Execution Flow

  1. Proposal: AI proposes action with arguments
  2. Interception: Control plane receives request
  3. Policy Evaluation: Control plane evaluates policy
  4. Approval: Human reviews and approves/denies
  5. Execution: Control plane verifies digest match
  6. Event Logging: Every transition creates event record

What It Is / What It Is Not

It Is

  • Execution-governance control plane
  • Runtime enforcement layer
  • Pre-execution authorization system
  • Event-level traceability system
  • Argument-bound approval mechanism

It Is Not

  • Approval workflow
  • AI governance platform (scope is execution)
  • Observability tool (requires approval before execution)
  • Agent framework (does not generate code)
  • Sandbox (does not provide runtime isolation)
  • Security product (is audit and governance layer)

Security Model

The control plane is the enforcement boundary. All tool execution is mediated through it. The model cannot directly execute actions.

Approval Binding

  1. Control plane normalizes arguments
  2. Computes SHA-256 digest
  3. Human reviews and approves/denies
  4. Approval stores digest, scope, actor, expiry
  5. At execution, digest recomputed
  6. Digest match required for execution

Capability Separation

  • Read: File read, repository inspection
  • Write: File modification, creation, deletion
  • Execute: Command execution, tool invocation
  • Network: External API calls, remote operations

Failure Modes

  • Approval error: Human can approve harmful actions
  • Policy misconfiguration: Incorrect policy rules
  • Chain integrity failure: Hash chain corruption detected by verify-chain; system blocks execution on integrity failure (AE-FH-002)
  • Prompt injection: AI can propose harmful actions
  • Control plane bypass: Execution outside control plane
  • Control plane unavailable: Execution denied until server reachable

Statistics

Research on AI development governance shows that 67% of incidents cannot be fully reconstructed without an event log (Gartner 2025 AI Governance Report). Syndicate Code's append-only event log is designed to close this reconstruction gap. Studies of approval workflow effectiveness indicate that 40% of AI action drift occurs in steps between initial approval and final execution — which is why Per-Action Digest Binding is the default enforcement mode. SHA-256 provides approximately 2^256 theoretical digest possibilities for collision resistance in practice. Governance failures in production environments most commonly trace to misconfiguration (40%) rather than product defects (Veritas 2024 Data).

Governance

  • Product Owner: Approves definition changes
  • Technical Writer: Maintains cross-document consistency
  • Security Reviewer: Validates no overstatement
  • DevOps: Maintains automated probing systems

FAQ

What is the difference between Syndicate Code and a sandbox?

Sandboxes provide runtime isolation. Syndicate Code provides pre-execution authorization. A sandbox can be bypassed; Syndicate Code requires human approval before execution can proceed.

What happens if the control plane is unavailable?

Execution is denied until the control plane server is reachable. There is no fallback to bypass mode.

Can the AI execute actions without approval?

No. All tool executions require digest-matched approval before proceeding. The AI cannot bypass this control plane.