Optionalappliesby-name refs into x-suluk-agents keys this policy governs (NEVER a request predicate). Empty/absent ⇒ all agents.
Optionalscopeoperator's max scope ceiling — effective agent scope = INTERSECT(agent.scope, scopeAllowlist).
Optionalagentsdeny/allow sub-agent keys (an allow-list, when present, is the only permitted set).
Optionaltoolsdeny/allow route (tool) keys.
Optionalretrievaldeny/allow the retrieval/untrusted tier's tools specifically (its non-deterministic blast radius).
Optionalcappin the MAX tier — a cold-tail skill under capTier: resident is downgraded (and flagged).
Optionalmodelthe only model ids permitted — effective skill model[] = INTERSECT(skill.model, modelAllowlist).
Optionalmaxan upper bound on recursion depth — effective maxDepth = min(agent.maxDepth, maxDepthCap).
Optionalforbidforbid sub-agents entirely (⇒ effective maxDepth 0).
OptionalcostThe operator's DECLARED cost cap — the third of cap/estimate/actual (estimate = the agent's own x-suluk-cost,
actual = the C026 reconciled charge). The SCHEMA DECLARES this number; it does NOT enforce it — enforcedBy
names who does (a runtime admission-gate / adapter). Required so a reader can never mistake declaration for
enforcement (C026 PROVISIONAL honesty).
An OPERATOR governance policy (C028) — a member of the
x-suluk-policymap, keyed by operator/fleet name. Every field is STATIC, locally decidable, and NARROW-ONLY: applying a policy can only REMOVE capability an agent self-declared (effective = INTERSECT(policy, agent)), never grant. No field may reference request/DOM/header/body values (D1; the #20 tripwire is declined here too).appliesTobinds BY AGENT NAME (#/x-suluk-agents/<key>).