Composing governed agent intelligence.Six primitives, two operators, one kernel — compiled to MCP and A2A.

§1 · Stack position

[&] is the structural layer of a three-protocol stack.

An agent runtime has three orthogonal concerns: what it can do (structure), when and how often it loops (time), and whether the loop is getting better (measurement). The [&] ecosystem answers each with a dedicated protocol, and [&] itself owns the first.

Below all three sits box-and-box — the governance kernel (§6). It is ring 0: every composition and every pipeline step passes through its bridge before it is allowed to run. Above [&] sit the wire protocols it targets — MCP for the tool surface and A2A for agent-to-agent cards. [&] is the layer that says these capabilities, composed this way, governed by this floor, and emits the MCP/A2A configuration that realizes it.

§2 · The six cognitive primitives

Six capabilities an agent can hold. Each is an interface; providers implement it.

A capability is a typed interface — a contract over an agent faculty. A provider is a concrete implementation of that interface (a memory engine, a deliberation service, a clock). Declaring &memory says nothing about how memory works; it says the agent has a memory faculty that obeys the capability contract (§9). This separation is what makes agents portable across providers and models.

§3 · Formal grammar

An agent declaration is a composition expression over typed primitives.

The surface syntax is a small algebra. & combines capabilities into a coalition (associative, commutative, idempotent); |> pipelines them into a governed sequence. The grammar is the same whether written by hand, generated by a planner (§10), or emitted by the DSL (§12).

; an agent is a composition of capabilities under a governance floor
Agent          ::= "agent" Identifier "{" CapabilityExpr Governance? "}"

CapabilityExpr ::= Capability
                 | CapabilityExpr "&"  CapabilityExpr   ; combine   (coalition join)
                 | CapabilityExpr "|>" CapabilityExpr   ; pipeline  (governed sequence)
                 | "(" CapabilityExpr ")"

Capability     ::= PrimitiveType Provider? Constraints?
PrimitiveType  ::= "&memory" | "&reason" | "&time"
                 | "&space"  | "&body"   | "&govern"

Provider       ::= "@" Identifier                     ; e.g. @graphonomous
Constraints    ::= "{" (Key ":" Value)* "}"

Governance     ::= "govern" "{" Rule* "}"
Rule           ::= "hard"   Predicate                 ; deontic veto  → 0̲
                 | "soft"   Predicate Weight          ; axiological preference
                 | "floor"  Predicate                 ; reflexive · un-weakenable
                 | "escalate_when" Predicate Target   ; route to human / deliberate

Operator semantics are not free-form — they are fixed by the kernel's arithmetic (§5–§7). & is the join of a semilattice; |> is a monoid whose composition is gated by feasibility. This is what distinguishes [&] from an ad-hoc DSL: the operators have laws, and the laws are property-tested.

§4 · Canonical schema

The wire format is JSON: three layers — identity, capabilities, governance.

The grammar of §3 serializes to *.ampersand.json, validated against JSON Schema 2020-12. The reference CLI validates, composes, and generates MCP / A2A output from this single file.

{
  "ampersand": "0.1.0",
  "agent": "infra-operator",

  // layer 1 — identity & the primitives this agent holds
  "capabilities": {
    "&memory": { "provider": "graphonomous", "scope": "infra-ops" },
    "&reason": { "provider": "deliberatic" },
    "&time":   { "provider": "ticktickclock" },
    "&govern": { "provider": "box-and-box" }
  },

  // layer 2 — composition: how the primitives flow
  "compose": "&memory |> &reason |> &govern",

  // layer 3 — governance: the rules the kernel enforces
  "govern": {
    "hard":  ["action.kind != 'delete_prod_db'"],
    "floor": ["never exfiltrate secrets"],          // entrenched (R4)
    "soft":  [{ "prefer": "reversible_actions", "weight": 3 }],
    "escalate_when": [{ "if": "confidence < 0.8", "to": "deliberate" }]
  }
}

• Identity & capabilities — which primitives the agent holds and which provider backs each. Omitted providers fall back to ecosystem defaults (§15).
• Composition — the &/|> expression of §3, as a string, parsed against the grammar.
• Governance — hard / soft / floor / escalate_when, each compiling to a rung of the kernel (§12 expansion table).

§5 · Composition algebra — CC2 (coalitional)

The operators are algebra, not syntax. Their laws are tested, not asserted.

CC2 replaces the lawless CC1 composition with two algebraic structures, both re-expressed over the box-and-box arithmetics. The full normative text lives in CC2 — Capability Composition v2; this section is the summary.

§5.1  & — the combine operator (join-semilattice)

Combining two capabilities forms a coalition. The merge is a join over a semilattice: associative, commutative, and idempotent (ACI), with identity &none. Each contribution carries a holder tag (which agent owns the capability), so merges obey CRDT convergence laws — two runtimes that combine the same set in any order reach the same coalition.

§5.2  |> — the pipeline operator (governed monoid)

In CC1 the pipe was unlawed. In CC2 it is a governed sequential monoid: each stage is composed via the alethic chain with a feasibility gate. If any stage is infeasible or forbidden, the composition annihilates to 0̲ (§7). Quantities compose through a semiring: confidence as product, cost as sum, latency as max.

§5.3  The coalition object

A coalition is admitted only when five modal checks pass — each maps to a kernel rung. This is how a multi-agent obligation is governed: ought implies can, enforced.

§6 · The governance kernel — box-and-box

&govern decomposes into eight modal rungs and one composing bridge.

The &govern primitive is not a black box — it is box-and-box, a kernel that decomposes governance the way an OS decomposes the machine. Each rung is a small algebra (monoid, lattice, or semiring) owning exactly one question; the bridge (§7) composes them in a precedence that can never be reordered at runtime. Pure arithmetic means a vetoed option annihilates — no downstream score resurrects it.

§7 · The bridge

Can, then ought, then best — composed in a fixed precedence.

Almost every agent stack computes desirability first and treats safety as a filter afterward. That asks best? before permitted? — so a useful-but-forbidden action can win. The bridge runs the order a kernel must:

feasible▸permitted▸best

The floor does not penalize an unsafe option — it annihilates it. A vetoed action becomes 0̲, and 0̲ times anything is 0̲:

u ⊗ 0̲ = 0̲

No utility, however large, outranks a forbidden action. This single law — annihilation under the semiring's ⊗ — is what makes governance composable and un-relaxable. It holds across the strategic, epistemic, deontic, temporal, and reflexive rungs alike, and it is the property the conformance suite checks most heavily.

§8 · Certificates & provenance

Every verdict ships a certificate, not a boolean.

A confidence score is not a reason. When the kernel decides, it returns an auditable certificate: the surviving decision, its status, the obligations in force, what was vetoed and why, any escalation target, and what the economy charged. Certificates are hash-linkable into a provenance chain so an agent's trajectory can be replayed and audited after the fact.

§9 · Capability contracts

A capability is a contract; a provider satisfies it.

Each primitive has a capability contract — a schema in contracts/v0.1.0/ defining the operations a provider MUST implement, their input/output types, and the invariants they preserve. A provider declaring it satisfies &memory commits to the memory contract's operations (retrieve, store, consolidate, …) and their laws. This is what lets an agent swap Graphonomous for another memory engine without rewriting its composition.

• Interface, not implementation — the contract names operations and types; the provider chooses the engine (SQLite, ETS, in-memory, cloud).
• Invariant-bearing — contracts state laws (e.g. retrieve after store returns at least what was stored), checkable in CI.
• Versioned — contracts/v0.1.0/; a provider declares the contract version it satisfies.

§10 · Registry & autonomous composition

Providers are discoverable; compositions can be generated.

A registry (registry.schema.json) lists known providers, the capability contracts each satisfies, and their metadata. Given a goal and a registry, a planner can autonomously compose a valid *.ampersand.json — select providers, wire the &/|> expression, attach governance — and the kernel guarantees the result is feasible, permitted, and ensurable before it ever runs. Autonomous composition is safe precisely because the operators have laws: a generated pipeline that annihilates is caught at compose time, not in production.

§11 · Minimal kernel

The bridge is one pure function returning a certificate.

The whole governing core is a judge/3 that walks the bridge — alethic ▸ deontic ▸ resource ▸ epistemic ▸ axiological — and returns a certificate. A vetoed or infeasible action is annihilated to 0̲; no utility resurrects it.

defmodule BoxAndBox.Cert do
  @moduledoc "An auditable verdict. Every syscall returns one — never a bare yes/no."
  defstruct decision: nil, status: :deny, score: 0, obligated: false,
            why: "", vetoed: [], escalation: nil, charged: 0
end

defmodule BoxAndBox.Kernel do
  # Ring 0. Governs every syscall through the bridge and returns a certificate.
  alias BoxAndBox.Cert
  @beta_min 0.80         # alethic floor: confidence below which nothing is feasible
  @deliberation_cost 2   # what it costs the kernel to stop and think

  # the bridge, as a pure function: alethic ▸ deontic ▸ resource ▸ epistemic ▸ axiological
  def judge(a, forbidden, budget) do
    cond do
      not a.feasible ->
        %Cert{decision: a.name, status: :infeasible, why: "alethic floor — not feasible (0̲)"}
      a.forbidden or MapSet.member?(forbidden, a.name) ->
        %Cert{decision: a.name, status: :forbidden, why: "deontic veto — forbidden (0̲)"}
      a.cost > budget ->
        %Cert{decision: a.name, status: :escalate, why: "over budget", escalation: :budget}
      not a.confident ->
        %Cert{decision: a.name, status: :escalate, why: "known-unknown — deliberate first",
              escalation: :deliberate, charged: @deliberation_cost}
      true ->
        %Cert{decision: a.name, status: :allow, score: a.utility,
              obligated: a.obligated, why: "feasible ▸ permitted ▸ scored", charged: a.cost}
    end
  end
end

The full reference adds the GenServer syscall surface (choose / amend / oblige), the reflexive guard that refuses to weaken an entrenched floor, and the strategic oblige that escalates a goal no coalition can ensure. See the homepage AIOS for the runnable 190-line host.

§12 · DSL → arithmetic

The friendly DSL is a macro layer that expands to rung operations.

Authors write requires / cost / hard / prefer / ensure / & / |>; the macro layer expands each to an arithmetic operation on a specific rung. No new semantics are introduced at the DSL level — every keyword has a normative expansion.

defmodule ShipIt do
  use BoxAndBox.Agent

  # a single agent is the singleton-coalition special case (CC1 ⊂ CC2)
  defaction :answer_cited, obligated: true, utility: 7, cost: 1
  defaction :answer_raw, utility: 9, cost: 1          # higher utility, no cite duty
  defaction :exfiltrate_pii, forbidden: true, utility: 15  # most "useful", forbidden → 0̲

  # a coalition: ensure a goal no single agent can discharge alone
  coalition :ship_it do
    ensure [:draft, :approve]                  # strategic: jointly bring about
    common_knowledge [Researcher, Reviewer]  # epistemic: know that they know
    floor "never exfiltrate secrets"            # reflexive: entrenched, un-weakenable
  end
end

§13 · spec → agent & CLI

One file in, a governed MCP/A2A agent out.

The reference CLI takes a *.ampersand.json and runs the full pipeline: validate against the schema, compose the capability expression (checking the laws), and generate the MCP server manifest and A2A agent card.

# install the kernel — the [&] capability-composition + governance MCP server
npm i -g box-and-box

# validate a declaration against the schema
ampersand validate infra-operator.ampersand.json

# compose — parse the &/|> expression, check the laws, report the coalition
ampersand compose infra-operator.ampersand.json

# generate the wire artifacts
ampersand generate mcp infra-operator.ampersand.json   # → MCP server manifest
ampersand generate a2a infra-operator.ampersand.json   # → A2A agent card

§14 · The three-protocol stack

Structure, time, and measurement — composed.

[&] composes capabilities; PULSE declares how their loops circulate over time; PRISM measures whether the loops improve. Each portfolio product declares all three: an *.ampersand.json, a PULSE Loop Manifest in its spec, and a PRISM BYOR adapter when benchmarked.

The five canonical PULSE phase kinds — retrieve · route · act · learn · consolidate — match the memory loop exactly. Six cross-loop tokens flow between loops, including SurpriseSignal, added for OS-011 (Embodiment) forward-model-prediction-error — the &body primitive's signal into the stack.

§15 · Default providers

Each primitive has a reference provider in the [&] portfolio.

§16 · Conformance

What a conformant implementation MUST hold.

A host is conformant in any language if it satisfies these. Two conformant hosts must agree on whether a composition is feasible, permitted, and ensurable — the way two calculators agree on 2 + 2.

• Pass the 116 laws — the box-and-box property suite (2000 trials each) MUST pass. See /laws.html.
• Hard rejection — a failed hard, floor, or ensure MUST annihilate the option to 0̲; no utility may resurrect it.
• Interpositional govern — &govern MUST sit between proposal and action; no syscall bypasses the bridge.
• Preserve entrenchment (R4) — a reflexive amendment MUST NOT weaken an entrenched floor clause.
• Verdict agreement — given the same inputs, a conformant host MUST produce the same certificate as any other, cross-language.