Execution model
Every request goes through planning, policy gates, and audit tracing before anything runs.
Engineering Deep Dive
Execution architecture and command contracts
Loading deep-dive sections and command-matrix data.
Engineering Deep Dive
Loading deep-dive sections and command-matrix data.
Technical
Execution model
Every request goes through planning, policy gates, and audit tracing before anything runs.
Coverage
Contract status: 32 implemented / 21 declared Total command families: 53
Last validated: 3/2/2026, 1:09:04 AM
What we track
user request -> policy + trust gate -> plan generation -> tool execution + hook sequence -> result validation -> audit log -> response returned to callerSource for command families:
32 implemented / 21 declared
Total command count: 400
Last validated snapshot: 3/2/2026, 1:09:04 AM
Showing 53 of 53 families.
/acp
Implemented/agent
Declared/agents
Implemented/approvals
Implemented/browser
Implemented/channels
Implemented/chat
Declared/clawbot
Implemented/codex
Implemented/companion
Implemented/completion
Declared/config
Implemented/configure
Declared/cron
Implemented/daemon
Implemented/dashboard
Declared/devices
Implemented/directory
Implemented/dns
Implemented/docs
Declared/doctor
Declared/doppelganger
Implemented/gateway
Implemented/health
Declared/hooks
Implemented/library
Implemented/live-browser-smoke
Declared/logs
Declared/memory
Implemented/message
Implemented/models
Implemented/node
Implemented/nodes
Implemented/onboard
Declared/pairing
Implemented/plugins
Implemented/qr
Declared/repl
Declared/reset
Declared/sandbox
Implemented/security
Implemented/serve
Declared/sessions
Declared/setup
Declared/skills
Implemented/status
Declared/system
Implemented/telegram
Implemented/tools
Declared/tui
Declared/uninstall
Declared/update
Implemented/webhooks
Implemented{
"requestId": "rq-2026-03-02-001",
"timestamp": "2026-03-02T01:09:04Z",
"route": "/v1/chat/completions",
"policy": "approved",
"commandFamily": "/status",
"result": "ok",
"elapsedMs": 214,
"hooks": [
"before-model",
"before-tool",
"after-tool",
"after-response"
],
"trace": [
"/api-gateway",
"/planner",
"/hooks",
"/tool",
"/validation",
"/audit-log"
],
"logFile": "/var/log/thomas/events.jsonl"
}{
"userPrompt": "List repository status",
"plan": {
"family": "status",
"command": "status",
"policyGate": "ok",
"approvalState": "required"
},
"execution": {
"output": {
"totalSteps": 6,
"exitCode": 0
},
"checks": {
"schemaValidation": true,
"policyGate": true,
"commandContract": true
}
},
"artifacts": {
"auditId": "rq-2026-03-02-001",
"artifactPath": "/var/log/thomas/events.jsonl"
}
}user request -> policy + trust gate -> plan generation -> tool execution + hook sequence -> result validation -> audit log -> response returned to callerthomas prompt "status"
thomas ask "List repository status"
thomas --help --jsoncurl -X POST https://127.0.0.1:8787/v1/chat/completions \
-H "Content-Type: application/json" \
-H "Authorization: Bearer <local-token>" \
-d '{\n "model": "local-gpt",\n "messages": [{"role": "user", "content": "List repository status"}],\n "stream": false\n}'event: response.started
data: {"id":"evt-01","type":"response.started","request_id":"rq-2026-03-02-001"}
event: tool.delta
data: {"id":"evt-01","type":"tool.delta","tool":"status","payload":{"phase":"running"}}
event: response.final
data: {"id":"evt-01","type":"response.final","status":"ok","request_id":"rq-2026-03-02-001"}{
"id": "cmp-102",
"status": "ok",
"model": "local-gpt",
"request_id": "rq-2026-03-02-001",
"usage": {
"prompt_tokens": 14,
"completion_tokens": 32
}
}thomas prompt "status"
thomas ask "List repository status"
thomas --help --jsonclient
|-- parser + policy gate
|-- command planner
|-- execution runtime
\-- audit sink
|-- before-model hooks
|-- before-tool hooks
|-- tool.exec hooks
|-- after-tool hooks
\-- after-response hooksInstall package
Validate manifest and checksum
Activate in registry
Execute through protected path
Deactivate + remove runtime state
Uninstall package
{
"name": "thomas-plugin-guard",
"version": "0.1.0",
"entry": "dist/index.js",
"permissions": ["filesystem", "network:thomas-control"],
"hooks": [
"before-model",
"before-tool",
"after-tool",
"after-response"
]
}thomas plugin install ./dist/thomas-plugin-guard.zip
thomas plugin validate thomas-plugin-guard
thomas plugin activate thomas-plugin-guard
thomas plugin run thomas-plugin-guard --diagnostic
thomas plugin deactivate thomas-plugin-guard
thomas plugin uninstall thomas-plugin-guardCommand evidence snapshots
Row-level coverage metadata is present for families and linked to source artifacts.
Gateway contract coverage
HTTP contracts and CLI calls share the same guard and validation surface.
Plugin lifecycle replay
Next up: full install + policy-hook replay with trace replayability.