BMT-03.03 Executive Summary
BlueMirror.tech | May 2026
Soo-Jin leads enterprise architecture for a large pharmacy benefits manager. She is comfortable with API contracts and data schemas, but what she wanted to understand about BlueMirror was not what fields would be in the response. She wanted to know what the system would refuse to tell her systems even if they asked politely. Most architecture documentation describes what a system does. She wanted to know what it would not do and whether those limits were real or merely stated.
The exploration bounds framework is the answer. The membrane defines the principle: external agents see only what the person permits. The exploration bounds define the implementation: for this agent, at this trust tier, in this domain, for this interaction type, here is exactly what can happen and here is exactly what cannot.
Every agent-to-agent interaction operates within five constraint dimensions simultaneously. They are not independent.
Context permissions define what the external agent can learn from the interaction, covering both explicit disclosure through direct response and implicit disclosure through the pattern of what is revealed. The Context Gate Controller does not just filter what is said. It tracks what can be inferred from the totality of disclosures.
Commitment authority defines what the internal agent can agree to on the person’s behalf without triggering an escalation for review. It is set per trust tier and per interaction type and cannot be extended by the external agent through persuasion or incremental negotiation.
Risk envelope bounds the maximum downside exposure regardless of what the agent negotiates. Even where commitment authority technically permits a transaction, the risk envelope sets the ceiling on financial exposure and sensitive information disclosure per interaction.
Temporal bounds answer how long the interaction can continue before the sandbox closes without agreement: 30 seconds for routine scheduling, five minutes for procurement negotiation, 24 hours for complex care coordination. An adversarial agent that stalls does not gain time to probe. The sandbox closes.
Invariants are hard constraints the internal agent cannot agree away regardless of what the negotiation produces. Margaret’s invariants might include that her daughter must be notified of any healthcare commitment and that she retains a 24-hour cancellation option on any scheduled appointment. These are preserved regardless of what the external agent proposes.
The article works through three domain examples that show how the five dimensions interact rather than operate independently. In a hospital scheduling interaction, the health concierge discloses that morning works, an accessibility accommodation is needed, and Tuesday or Thursday is preferred. The specific diagnoses that explain why morning, the fall-risk documentation that explains the accommodation, the daughter’s schedule, and the weather anxiety history that explains a prior missed appointment are all blocked. The appointment is scheduled. The hospital system got what it needed. The bounds held.
In a pharmacy procurement interaction, the buying agent has access to Margaret’s full financial context, her medication list, and a patient assistance program she qualifies for based on income. The exploration bounds permit disclosing the medication name and dosage, delivery preference, and generic preference. They block the income level, the other medications that would create a health profile from a purchasing interaction, and the insurance details. The commitment authority permits switching pharmacies if monthly savings exceed a defined threshold, and an invariant requires notifying Margaret before any pharmacy change takes effect even if the authority technically permits the switch. The pharmacy agent receives what it needs. The reason behind the cost sensitivity does not transfer.
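The pharmacy example above, sketched as an added illustration of how the five dimensions combine (this is not BlueMirror code). The class, function names, outcome labels, check order and the savings and exposure amounts are assumptions; the field names and the five-minute limit follow the text.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Bounds:
    permitted_fields: frozenset   # context permissions
    min_monthly_savings: float    # commitment authority: switch allowed above this
    max_exposure: float           # risk envelope: ceiling per interaction
    max_seconds: int              # temporal bound
    notify_before_switch: bool    # invariant

# Field names and the five-minute limit follow the text; amounts are constructed.
PHARMACY = Bounds(
    permitted_fields=frozenset({"medication_name", "dosage",
                                "delivery_preference", "generic_preference"}),
    min_monthly_savings=15.0,
    max_exposure=200.0,
    max_seconds=300,
    notify_before_switch=True,
)

# Constructed sample context held by the internal buying agent.
CONTEXT = {"medication_name": "example-drug", "dosage": "10 mg",
           "delivery_preference": "home", "generic_preference": True,
           "income_level": "redacted-sample", "other_medications": ["a", "b"],
           "insurance_details": "plan-sample"}

def disclose(bounds, context, requested):
    """Context permissions: blocked fields are omitted however they are requested."""
    return {f: context[f] for f in requested
            if f in bounds.permitted_fields and f in context}

def evaluate_switch(bounds, monthly_savings, exposure, elapsed_seconds):
    """Check a proposed pharmacy switch against the other four dimensions."""
    if elapsed_seconds > bounds.max_seconds:
        return "sandbox_closed"               # stalling does not buy time
    if exposure > bounds.max_exposure:
        return "rejected"                     # envelope caps what authority allows
    if monthly_savings <= bounds.min_monthly_savings:
        return "escalate"                     # beyond delegated authority
    if bounds.notify_before_switch:
        return "accept_pending_notification"  # invariant survives a permitted switch
    return "accept"
```

A switch that clears the savings threshold still returns `accept_pending_notification`, which is the interaction between commitment authority and the invariant that the paragraph describes.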
In an insurance interaction during annual enrollment, the bounds are deliberately tight. Context permissions allow only the current plan identifier and any specific coverage concerns Margaret has chosen to raise. Commitment authority is zero. The insurance agent cannot advance to a sales interaction through the membrane without Margaret’s direct participation. The tightness is not a policy choice about the insurance industry. It reflects the documented pattern of insurance agent behavior during enrollment periods. A legitimate insurance agent that wants to serve Margaret’s actual needs can do so. It requires her active involvement, which is the right structure for a decision with multi-year financial consequences.
The hardest problem in the exploration bounds framework is implicit leakage. Context permissions gate explicit disclosure. They do not by themselves prevent an agent from learning more than any single permitted response reveals. The Manipulation Detector tracks cumulative information release for each external agent, maintains a running inference score across the full interaction history, and when the cumulative score crosses a threshold, begins introducing noise into responses in the affected dimensions. The agent’s profile degrades. The person’s actual experience continues normally.
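A minimal sketch of cumulative tracking, added here as an example and not taken from the Manipulation Detector itself: each disclosure is individually permitted, yet the per-agent running total can still cross a threshold. The weights, the threshold, the dimension names and the rule that a repeated fact adds nothing are all assumptions, since the summary does not specify a scoring model.

```python
from collections import defaultdict

# Constructed weights: points of inference each permitted disclosure gives an
# observer about a protected dimension.
WEIGHTS = {
    "morning_preferred":    {"health": 2},
    "accessibility_needed": {"health": 4},
    "medication_name":      {"health": 5},
    "generic_preference":   {"finance": 3},
}
THRESHOLD = 10  # constructed

class InferenceTracker:
    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.seen = defaultdict(set)                         # agent -> fields disclosed
        self.scores = defaultdict(lambda: defaultdict(int))  # agent -> dimension -> points

    def record(self, agent_id, disclosed_fields):
        """Add one interaction's disclosures; return dimensions now flagged for noise."""
        for field in disclosed_fields:
            if field in self.seen[agent_id]:
                continue                  # a repeated fact teaches nothing new
            self.seen[agent_id].add(field)
            for dim, pts in WEIGHTS.get(field, {}).items():
                self.scores[agent_id][dim] += pts
        return self.flagged(agent_id)

    def flagged(self, agent_id):
        """Dimensions whose running score has reached the threshold for this agent."""
        return {d for d, s in self.scores[agent_id].items() if s >= self.threshold}
```

Scores are kept per agent, so one agent reaching the threshold in a dimension does not change what another agent receives.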
Soo-Jin’s three questions after reading: whether commitment authority thresholds are configurable per partner type (they are), whether implicit leakage detection can be audited after the fact (it can, through the audit trail), and whether she could see a specific agent’s cumulative inference score (only for her own systems, not for other partners’ agents). That third answer, she noted, was exactly right.
The full article, including the exploration bounds specification and the invariant enforcement mechanisms, is at BlueMirror.tech.
