Module 07
Governance & principles
Authority stack, preview-by-default, VSL, Varro.
Learning intent
By the end of this module you will be able to
- Explain the authority stack and preview-by-default as safety constraints.
- Describe how Varro, VSL, agents, and callers relate to authoritative sources.
Success criteria
- State who wins when Varro and a source disagree.
- Explain why preview-by-default is not just an optional dry-run flag.
- Describe why an agent surface can cite sources without becoming authoritative.
Retrieval warm-up
Before the new material
Recall
Does the `ask` verb ever mutate state? If not, which verbs do?
Answer
No. `ask` is read-only; it retrieves authoritative truth. Only `run` (execute an action) and `create` (make a new artifact) mutate, and both under preview-by-default.
Recall
Both `show` and `ask` are read-only. What distinguishes them?
Answer
`ask` retrieves a value into the conversation; `show` renders a selection for presentation (a view or table). Same read, different intent.
Recall
What happens in a workflow when a `check` step fails?
Answer
`check` validates an artifact against its contract and emits diagnostics; it never executes. On failure the workflow fails closed, so any following `create` or `run` does not proceed.
Learner readiness
Before this reference page
Assumed terms:
Terms introduced or strengthened here:
- Action
- Authoritative sources
- Authority stack
- Checkable contract
- Preview-by-default
- Query
- Source of truth
- Specification
- Varro
- VSL
- Workflow
You are ready to continue when you can:
- point to the source artifact behind a Varro claim
- state what Varro is not allowed to replace
- explain what it means for one part of a specification to be checkable
- distinguish a mutating action from a read-only query
- explain why workflow order is load-bearing
Representation
Load-bearing diagram
Concept · grounded · RICH E4
Authority Stack
The layered authority model governing who may do what.
Worked examples
# layer 1 (authoritative sources): Rust model, governance contract,
# policy engine, knowledge graph
# layer 2 (the window): Varro
# layer 3 (callers): humans, agents
# invariant: if Varro and a source disagree, Varro is wrong.The Authority Stack is a strict three-layer ordering. Authoritative sources (the Rust model, governance contract, policy engine, knowledge graph) hold truth; Varro is only a window onto them; callers sit above Varro. The load-bearing invariant is the tiebreak rule: on disagreement the source wins and Varro is by definition wrong. Evaluate the consequence — Varro holds no independent state of record, so it can be rebuilt or replaced without data loss, and you never reconcile "what Varro thinks" against "what the model thinks."
authority lane "operator:magatama-program"
authority lane "agent:helios.demonstrator-import"
authority lane "reviewer:school-whs"At the source layer, authority is declared as named lanes inside a `system`: an operator lane, an agent lane, a reviewer lane. An action binds to a lane, so "who may do what" is data in the spec rather than scattered if-checks in code. Evaluate this against RBAC bolted on at the API edge: here the authority binding travels with the action contract through every phase of crystallisation, so the policy and the operation are co-located and co-versioned, and an unauthorised lane is a parse/governance failure, not a 403 discovered at runtime.
Try it
Author a VSL service whose authority lane, risk classification, and host-only runtime make the source authority and preview-by-default rule visible in the contract.
authority lane "operator:research"
# Complete a system where governed actions preview before commit.
Model answer (passes varro check vsl)
system mentormind.facilities.room_booking {
mission "Specify a governed room-booking surface for a campus, exposing booking state as typed contracts under research authority"
authority lane "operator:research"
domain education
maturity draft
context root = "helios://local/mentormind/facilities/room-booking?view=detail&tab=contract&bind=auto"
enum RoomState {
value free
value held
value booked
}
type Room {
field room_id: string required
field capacity: integer required
field state: RoomState required
}
compile booking-runtime -> varro
action hold-room {
risk low
binding required
input room_id: string required
}
query rooms.free {
output Room[]
}
workflow reserve-room {
inspect selection
resolve rooms.free
check hold-room
render center.detail
}
runtime specification {
host governed
commit-mode host-only
}
}
Common trap
❌ An engineer treats Varro like an application server that owns the database and is the authority — "ask Varro and trust the answer."
Correction
✅ Varro is the window (layer 2), never the source (layer 1). The Rust model, governance contract, policy engine, and knowledge graph are authoritative; if Varro disagrees with them, Varro is wrong. Varro caches and presents truth, it does not own it.
Check yourself
Varro reports one value; the underlying Rust model reports another. Per the Authority Stack, which is authoritative, and what does that imply about where state of record lives?
Answer
The source wins; Varro is wrong by definition. Varro is only a window (layer 2) over authoritative sources (layer 1). State of record lives in the sources, so Varro holds no independent truth and can be rebuilt without data loss.
Concept · grounded · RICH E4
preview-by-default
Default-safe principle: actions preview before they commit.
Worked examples
$ varro run parse-paper --source paper.pdf
# PREVIEW: action parse-paper (risk low, binding required)
# authority: agent:helios.demonstrator-import
# would write: parsed_paper, round_trip_input
# re-run with --execute to commit
$ varro run parse-paper --source paper.pdf --executePreview-by-default means a mutating command (`run`, `create`) first renders the intended action, its risk class, and its authority posture, and commits nothing; the write happens only when `--execute` is supplied. This is the inverse of the usual CLI default where the command runs and `--dry-run` is opt-in. Evaluate the safety property: the safe path is the default path, so an agent or human cannot mutate by forgetting a flag — they can only mutate by adding one.
varro ask system status # read, runs directly
varro show gate.round_trip # read, runs directly
varro create demonstrator x # mutate -> previews firstPreview-by-default applies only to the mutating half of the five-verb grammar. `ask`/`show`/`check` are read-only and return immediately; `run`/`create` describe the governed action and its review/authority posture before committing. The asymmetry is deliberate: the gate is on state change, not on interaction. Compare a transactional DB shell where every statement is in an implicit transaction until COMMIT — here the COMMIT (`--execute`) is explicit and per-command, and reads are never in scope for it.
Common trap
❌ An engineer maps preview-by-default onto the familiar `--dry-run` pattern: the command runs for real unless you opt into a dry run.
Correction
✅ The polarity is reversed. Preview is the default; mutation is the opt-in (`--execute`). You cannot accidentally mutate by forgetting a flag — forgetting a flag yields a preview. This is what makes the surface safe for autonomous agents.
Check yourself
You issue `varro create thing x` with no extra flags. What does the system do, and what flag changes that?
Answer
It previews: it describes the intended governed action and its review/authority posture and commits nothing. The mutation occurs only if you re-issue with `--execute`. The safe (preview) path is the default; execution is opt-in.
Concept · grounded · RICH E4
VSL
Varro Specification Language: the typed contract language.
Worked examples
system mentormind.product.varro_v1 {
mission "..."
authority lane "operator:research"
domain education
maturity draft
compile workspace-runtime -> varro
}VSL (Varro Specification Language) is a declarative layer for the checkable structure of a system (its types, enums, workflows, views, and bootstrap descriptors) — explicitly distinct from the five-verb interaction grammar (`ask`, `show`, `check`, `run`, `create`). A `system` block is the top-level VSL unit, carrying identity, mission, authority, domain, and compile targets. There are no statements that execute; every line is a typed declaration the parser turns into a VslSystem with vecs of types/routes/views/agents/contexts/compile_targets/runtimes. Read VSL as a schema-and-contract language whose 'output' is a checked, lowerable specification, not an imperative program.
system mentormind.product.varro_v1 {
maturity draft
}Every VSL document carries a maturity rung from the closed ladder `draft -> checked -> bound -> hardened` (VslMaturity::{Draft, Checked, Bound, Hardened}). The rung is part of the contract, not metadata: `draft` permits unresolved references and inferred defaults, while higher rungs progressively forbid them. This makes VSL a language with a built-in soundness dial — the same source is held to a stricter standard as it climbs. Evaluate the consequence for tooling: a derived knowledge graph can be *capped* at the source's VslMaturity, so a claim can never be presented as more settled than the spec it came from. The maturity keyword is thus a first-class typing of confidence, native to the language.
Common trap
❌ Typed VSL contracts replace prose, diagrams, and worked examples; a formal spec needs nothing else.
Correction
✅ No. VSL makes the checkable STRUCTURE of a spec load-bearing; the Helios type system and Lean proofs (the Crystal phase) harden it further. But intent, rationale, DIAGRAMS, and worked EXAMPLES still belong in an AI spec - formalisation complements them, it does not remove them. VSL is one layer of the puzzle, not the whole of it.
Common trap
❌ An engineer skims a .varro file and concludes it is a YAML/JSON-equivalent config format — structured key/value data with no semantics beyond what the consumer code chooses to read.
Correction
✅ VSL is a typed language with a parser, semantic analysis, a maturity ladder (`draft->checked->bound->hardened`), closed value sets (enums, compile targets), and validation rules (e.g. routes must be `helios://`, a system must declare `context root`). It lowers to contract artifacts. Config formats carry no enforced types, no maturity gating, and no lowering — VSL is a specification language, not a serialisation format.
Check yourself
VSL and the five-verb grammar (`ask`, `show`, `check`, `run`, `create`) are both 'Varro languages'. What does each do, and why are they distinct?
Answer
VSL is the declarative specification language for describing systems, types, views, workflows, and bootstrap descriptors — it produces a typed, checkable, lowerable spec. The five-verb grammar is the interaction grammar for driving Varro at the surface (asking, showing, checking, running, creating), where unknown verbs are rejected. They are distinct layers: VSL authors the contracts; the five verbs operate the window over them.
Concept · grounded · RICH E4
Varro
The specification system whose language is VSL.
Worked examples
# authority stack
# authoritative sources (Rust model, governance contract, policy engine, KG)
# -> Varro (the window) -> callers
# if Varro and a source disagree, Varro is wrongVarro is a governed query and control surface over the Helios platform — a system object with a conversational interface, not a chatbot or a database. The authority stack has three layers: authoritative sources (Rust model, governance contract, policy engine, knowledge graph) sit above Varro, which is the window, which sits above callers. The invariant is directional: if Varro and a source disagree, Varro is wrong by definition. Read this as a deliberate inversion of trust — Varro holds no ground truth, it only presents what the authoritative layer asserts. For a senior engineer, evaluate it as a strict read-through facade with no authoritative cache: correctness is defined by the sources, and Varro's job is faithful projection plus governed control, never substitution of its own state.
# preview-by-default
# Varro describes the intended governed action and its
# review/authority posture BEFORE any mutation; --execute is opt-inPreview-by-default is Varro's mutation discipline: it first describes the intended governed action and its review/authority posture, and performs no mutation until `--execute` is explicitly opted in. This pairs with the runtime `commit-mode host-only` setting — the surface can plan and present a mutation, but commit authority is reserved. Evaluate the safety property: the default code path is observation, and side effects require a distinct, explicit act, which makes accidental or implicit mutation structurally impossible rather than merely discouraged. Contrast with a typical CLI/API where the call *is* the effect; here describe-then-(maybe)-execute is the built-in two-phase contract.
Common trap
❌ An engineer treats Varro as the system of record — a backend or database that stores state, which callers read from and write to as the source of truth.
Correction
✅ Varro is a governed query and control *window* over authoritative sources (Rust model, governance contract, policy engine, knowledge graph), not a store. It holds no ground truth: if Varro and a source disagree, Varro is wrong. It also previews mutations by default (commit-mode host-only; `--execute` opt-in), so it is a faithful read-through-and-govern facade, not a database or write-authoritative backend.
Check yourself
In the Varro authority stack, what are the three layers and what is the rule when Varro and an authoritative source disagree?
Answer
Three layers, top to bottom: authoritative sources (Rust model, governance contract, policy engine, knowledge graph) -> Varro (the window) -> callers. The rule is directional: if Varro and a source disagree, Varro is wrong. Varro holds no ground truth; it faithfully projects and governs over the authoritative layer.
Module assessment · scored