agent_os.backend_protocol_parse_failure | invariant.boundary.runtime-validation-external-only | backend-protocol.md | Decode backend protocol payloads at the protocol boundary and reject malformed external input before it reaches runtime logic. |
agent_os.boundary_commit_rejected | invariant.d10.namespace-integrity, invariant.d10.truth-identity | boundary-contract.md | Commit through the owning BoundaryContract with matching event vocabulary, scopeRef, effectAuthorityRef, and claim identity. |
agent_os.capability_rejected | invariant.d10.namespace-integrity | boundary-contract.md | Register the extension capability that owns the event prefix before committing or dispatching the fact. |
agent_os.cloudflare_worker_bundle_resolution_failure | invariant.boundary.runtime-validation-external-only | deploy-cloudflare.md | Resolve Cloudflare worker bundle references before deploy composition and fail the provider boundary when the bundle cannot be located. |
agent_os.cloudflare_worker_deploy_resolution_failure | invariant.boundary.runtime-validation-external-only | deploy-cloudflare.md | Resolve deploy target bindings and provider configuration before emitting deploy facts. |
agent_os.dispatch_binding_ref_malformed | invariant.d10.truth-identity | backend-cloudflare-do.md | Use a valid binding MaterialRef for dispatch targets and reject malformed target refs at the backend boundary. |
agent_os.dispatch_payload_parse_failure | invariant.boundary.runtime-validation-external-only | backend-protocol.md | Decode dispatch payloads through the backend protocol parser before committing inbound or outbound dispatch facts. |
agent_os.dispatch_scope_mismatch | invariant.d10.truth-identity | backend-cloudflare-do.md | Dispatch only to the exact target scopeRef and effectAuthorityRef; do not reuse a scope-wide derived key as truth. |
agent_os.dispatch_target_not_found | invariant.d10.truth-identity | backend-cloudflare-do.md | Register or resolve the dispatch target binding before enqueueing delivery. |
agent_os.durable_trigger_acquire_cancelled | invariant.ledger.single-commit-source | durable-process-algebra.md | Keep trigger acquisition and cancellation in the durable trigger lifecycle contract so a claimed row always has a recoverable terminal path. |
agent_os.durable_trigger_commit_returned_thenable | invariant.ledger.single-commit-source | durable-process-algebra.md | Keep trigger commit callbacks synchronous inside the backend transaction and move asynchronous work after durable commit. |
agent_os.durable_trigger_drain_limit_exceeded | invariant.ledger.single-commit-source | durable-process-algebra.md | Drain due work through the durable trigger scheduler with an explicit limit and retry the remaining due work later. |
agent_os.dynamic_worker_failure | invariant.boundary.runtime-validation-external-only | dynamic-worker.md | Surface dynamic worker provider failures through the provider boundary instead of converting them into successful runtime output. |
agent_os.dynamic_worker_policy_denied | invariant.boundary.runtime-validation-external-only | dynamic-worker.md | Reject disallowed dynamic worker requests at policy evaluation before provider execution. |
agent_os.dynamic_worker_policy_violation | invariant.boundary.runtime-validation-external-only | dynamic-worker.md | Move policy-violating dynamic worker input back to the caller boundary and require a valid provider policy. |
agent_os.dynamic_worker_provider_failure | invariant.boundary.runtime-validation-external-only | dynamic-worker.md | Classify provider failures at the dynamic worker adapter and keep product logic out of provider error parsing. |
agent_os.effect_ai_aborted | invariant.boundary.runtime-validation-external-only | llm-transport-effect-ai.md | Propagate Effect AI aborts through LlmTransport and let submit own terminal runtime facts. |
agent_os.effect_ai_json_encode_failed | invariant.algebra.single-code-source | llm-transport-effect-ai.md | Encode structured provider payloads through the Effect AI transport adapter and fail before committing runtime evidence. |
agent_os.effect_ai_missing_usage | invariant.algebra.single-code-source | llm-transport-effect-ai.md | Keep provider usage accounting in the LlmTransport output schema and reject responses that cannot produce runtime usage evidence. |
agent_os.effect_ai_prompt_error | invariant.boundary.runtime-validation-external-only | llm-transport-effect-ai.md | Build prompts at the provider adapter boundary and surface prompt construction failures before submit records terminal facts. |
agent_os.effect_ai_provider_executed_tool_rejected | invariant.algebra.single-code-source | llm-transport-effect-ai.md | Disable provider-executed tool paths for agentOS tools; tool execution must flow through runtime admission and ledger settlement. |
agent_os.effect_ai_tool_handler_called | invariant.algebra.single-code-source | llm-transport-effect-ai.md | Treat provider-side tool handler invocation as an adapter violation; runtime owns tool calls and settlements. |
agent_os.effect_ai_unsupported_output_part | invariant.algebra.single-code-source | llm-transport-effect-ai.md | Map provider output parts through the runtime output-item algebra and reject parts without a runtime representation. |
agent_os.effect_ai_unsupported_route | invariant.boundary.runtime-validation-external-only | llm-transport-effect-ai.md | Choose a route supported by the Effect AI transport adapter or add an explicit adapter branch for the provider. |
agent_os.extension_capability_conflict | invariant.d10.namespace-integrity | boundary-contract.md | Declare one owner for each extension capability and event namespace; remove duplicate capability declarations. |
agent_os.invalid_resource_amount | invariant.algebra.type-or-boot-proof | resource-carrier.md | Reject non-positive or non-finite resource amounts before committing resource or quota facts. |
agent_os.invalid_schedule_at | invariant.ledger.single-commit-source | durable-process-algebra.md | Schedule durable work with a valid future timestamp and keep scheduling inside the durable process contract. |
agent_os.invalid_trace_context | invariant.boundary.runtime-validation-external-only | runtime.md | Decode trace context at the runtime boundary and reject malformed trace metadata before provider or ledger projection consumes it. |
agent_os.json_stringify_error | invariant.ledger.single-commit-source | durable-truth.md | Encode final payloads before commit side effects consume them; reject unstringifiable payloads before projection application. |
agent_os.legacy_ledger_schema | invariant.d10.truth-identity | durable-truth.md | Delete old local backend state and initialize the D10 schema; no legacy row migration is supported. |
agent_os.llm_call_timed_out | invariant.boundary.runtime-validation-external-only | runtime.md | Propagate LLM call timeout through submit and commit a runtime-owned terminal abort fact. |
agent_os.llm_call_timeout | invariant.boundary.runtime-validation-external-only | runtime.md | Use the timeout marker only as abort metadata and let runtime terminal events expose the durable failure. |
agent_os.postgres_harness_error | invariant.boundary.runtime-validation-external-only | backend-node-postgres.md | Start and clean up the runtime contract Postgres harness at the test boundary, mapping Docker, psql, and config failures into the harness error channel. |
agent_os.projection_application_error | invariant.d10.truth-identity | materialized-projections.md | Keep projection reducers pure and make malformed facts explicit failures rather than alternate truth. |
agent_os.projection_reducer_returned_thenable | invariant.d10.truth-identity | materialized-projections.md | Move asynchronous work to the ledger writer or backend transaction hook; projection reducers must be synchronous. |
agent_os.projection_registry_error | invariant.d10.truth-identity | materialized-projections.md | Build a projection registry with unique projection kinds and valid projection definitions. |
agent_os.projection_wait_timed_out | invariant.d10.truth-identity | materialized-projections.md | Wait on the ledger-derived projection with a bounded Effect retry policy, or commit the missing ledger fact before reading the projection. |
agent_os.provider_http_failure | invariant.boundary.runtime-validation-external-only | agent-schema.md | Handle provider transport failures at the LLM transport boundary and let submit record the runtime terminal fact. |
agent_os.provider_output_decode_error | invariant.algebra.single-code-source | agent-schema.md | Decode provider output through the runtime output-item schema instead of product-side fallback parsing. |
agent_os.ref_resolution_failed | invariant.boundary.runtime-validation-external-only | carriers-and-material.md | Resolve symbolic material refs at the adapter boundary and fail closed when a required ref cannot be resolved. |
agent_os.resource_insufficient | invariant.ledger.single-commit-source | resource-carrier.md | Grant or release resources through the resource ledger before attempting a reservation that would exceed available capacity. |
agent_os.resource_reservation_closed | invariant.ledger.single-commit-source | resource-carrier.md | Do not consume or release a reservation after its terminal resource fact has already been committed. |
agent_os.resource_reservation_not_found | invariant.ledger.single-commit-source | resource-carrier.md | Commit or look up the resource reservation under the exact ledger identity before consuming or releasing it. |
agent_os.sandbox_failure | invariant.boundary.runtime-validation-external-only | sandbox.md | Classify sandbox provider failures at the sandbox execution-domain adapter and return a closed tool result. |
agent_os.sandbox_policy_denied | invariant.algebra.type-or-boot-proof | sandbox.md | Reject sandbox requests that violate the declared sandbox policy before provider execution. |
agent_os.scope_missing | invariant.d10.truth-identity | durable-truth.md | Resolve the structured scopeRef before runtime or backend operations; do not fall back to an implicit scope. |
agent_os.sql_error | invariant.ledger.single-commit-source | durable-truth.md | Keep SQL writes inside the backend-owned ledger commit primitive and return typed SqlError at the backend boundary. |
agent_os.stream_identity_error | invariant.d10.truth-identity | backend-cloudflare-do.md | Stream only with an exact scopeRef and effectAuthorityRef identity and reject malformed stream identity input. |
agent_os.tenant_credential_resolver_configuration_error | invariant.boundary.runtime-validation-external-only | tenant-material.md | Configure tenant credential resolution before binding provider credentials to material refs. |
agent_os.trigger_factory_error | invariant.ledger.single-commit-source | durable-process-algebra.md | Keep durable trigger factory output synchronous, typed, and registered before scheduling or claiming trigger work. |
agent_os.unregistered_durable_trigger_kind | invariant.ledger.single-commit-source | durable-process-algebra.md | Register the durable trigger kind before scheduling, claiming, or dispatching due work. |
agent_os.unregistered_projection_kind | invariant.d10.truth-identity | materialized-projections.md | Register the projection definition before reading, status-checking, or rebuilding that projection kind. |
agent_os.unsupported_scope_ref | invariant.d10.truth-identity | durable-truth.md | Use a backend-supported scopeRef kind or add an explicit backend adapter branch for that scope kind. |
agent_os.workspace_job_candidate_missing | invariant.workspace-job.verified-terminal | workspace-job.md | Treat a missing candidate as a workspace_job.failed terminal fact before finalization or verification can produce a deliverable. |
agent_os.workspace_job_data_plane_failed | invariant.workspace-job.verified-terminal | workspace-job.md | Keep seed and terminal build/write/read failures inside the workspace job data-plane boundary and settle them through workspace_job.failed. |
agent_os.workspace_job_run_id_mismatch | invariant.workspace-job.verified-terminal | workspace-job.md | Reject terminal builder output whose run id does not match the requested workspace job before verifier checks can mark it deliverable. |
agent_os.workspace_job_verifier_failed | invariant.workspace-job.verified-terminal | workspace-job.md | Map verifier exceptions to workspace_job.failed; reserve verifier_rejected for successful product-domain verifier verdicts. |