Kernel

The LumenFlow kernel is domain-agnostic. It enforces policy, scope, and evidence rules for any pack.

Packs

Packs are pluggable extensions that teach the kernel new tools and policies — they carry the domain knowledge while the kernel stays generic.

Kernel Runtime

The end-to-end pipeline every tool call passes through: scope check, policy evaluation, dispatch, evidence write.

Scope Intersection

A 4-level permission check (workspace, lane, task, tool) where all four must agree before an action proceeds. One deny anywhere is final.

Policy Engine

A deny-wins cascade: a restrictive policy at any level stays restrictive — lower levels cannot loosen it, only tighten it.

Evidence Store

Immutable, content-addressed receipts for every tool call — not logs but verifiable audit records that outlive the agent session.

Tool Execution

How dispatched tool calls run inside the bwrap sandbox with OS-enforced write confinement and secret deny overlays.

Package Architecture

How the kernel, runtime, and surface layers are split across npm packages and what each owns.