Skip to content

Mandates & Charter

Declare the outcomes your agents must uphold. Xybern compiles, enforces, and proves them.

Every competitor asks you to write rules: IF an action matches this pattern THEN block it. Rules are the primitive, and primitives are easy to copy. Xybern lets you work one level up. You declare a Mandate, a plain-language outcome ("no personal data may ever leave the organisation", "no payment above 10,000 without a named human approver"), and Xybern compiles it into the right mix of enforcement, backtests it against your real history, and signs it into your Charter.

What a Mandate compiles into

An LLM compiles each outcome into the smallest mix of enforcement primitives that upholds it:

Layer What it covers
Deterministic (action matchers, content patterns) The enumerable cases. Zero latency, fail closed, the backbone. You never write the regex, the compiler does.
Semantic guard Paraphrase and euphemism the deterministic layer cannot enumerate. One guard per mandate. This is why Xybern holds 100% catch under paraphrase where keyword rules collapse.
Verdict conditions Risk-shaped cases, expressed over the Risk Verdict dimensions (e.g. escalate when blast radius is severe).
Sequence detectors Multi-step patterns (velocity, ordered exfiltration).

You see exactly what your outcome compiled into before it goes live, as a table of primitives with what each matches, its decision, and why the compiler chose it.

Nothing about enforcement changes

The compiled primitives are stored as ordinary enforcement rules underneath. The existing engine evaluates them, the policy set hash that signs every decision already includes them, and the verdict second pass already handles the verdict primitives. Mandates are a management-plane concept on top of the enforcement you already trust. The advanced Policies view still lets power users author raw primitives directly, they are simply the substrate beneath the Charter.

Lifecycle

declare outcome  →  compiled (LLM produces the primitive mix)
review           →  see the primitives, backtest against real history
save             →  shadow (log only)  or  active (enforce)
active/shadow    →  disabled  (compiled rules removed)
                    recompile (re-run the compiler on the same outcome)

Default to shadow. A mandate in shadow logs what it would have done without affecting traffic. Promote it to active when the backtest and shadow results look right.

Backtest before you deploy

Before a mandate ever enforces, replay it against your workspace's real decision history and see exactly what it would have done: how often it would fire, what it would have caught that was previously allowed, and the deterministic vs semantic vs verdict coverage split. Policy authoring becomes engineering, not guesswork.

The Charter

The signed, versioned collection of your workspace's mandates. The Charter carries an HMAC signature over the whole collection, the policy set hash proving which compiled rules are in force, and a coverage rollup. Every time a mandate is activated or disabled the Charter is re-signed and the change is sealed to the Provenance Vault, so the evolution of your standing law is itself tamper evident.

Where it sits

Mandates are the top layer of a four-layer authorisation stack, each more specific than the one above:

Layer Object Scope
Charter Mandates standing law of the workspace
Access Profiles job boundary per agent
Intent Contracts approved plan per mission
Risk Verdict signed decision record per action

Standing law, then job, then mission, then action.

API

Agent facing (API key auth):

Method Path Notes
POST /v1/enforce/mandates {outcome_text, agent_id?} compiles and stores a draft mandate
GET /v1/enforce/mandates list, filter by status, agent_id
GET /v1/enforce/mandates/{id} full detail including the compiled mix and signature

Dashboard (Charter tab): compile a preview, backtest it, save as shadow or active, activate, disable, recompile, delete, and view the signed Charter.

Webhooks and vault

Webhook events: mandate.created, mandate.activated, mandate.disabled. Every lifecycle event and every Charter re-signing is sealed to the Provenance Vault, with the mandate signed by canonical-JSON HMAC over its outcome and compiled mix on activation.