Two voices describe what Ojas is. One is about what agents do. The other is about what makes their output usable. Ojas never collapses the two into a single claim.
An agent's job is to produce a well-structured recommendation. It does not commit outputs, grant its own authority, or widen its own scope. Everything the agent may do is declared in its manifest, everything beyond the manifest is forbidden by the runtime.
Agents are scope-bounded, tool-mediated, tenant-scoped, and budget-limited. They run in a sandbox with allowed tools only, and they cannot exceed runtime or economic budgets. Proposals are structured, failures are structured errors, not silent fallbacks.
A proposal without evidence is not a proposal. Every proposal carries calibrated confidence, a validation result, an evidence report, and a full runtime trace. Calibration is against a declared regression corpus, with a maximum age, uncalibrated confidence cannot unlock auto-approval.
The external approval authority reads the evidence, applies policy, and emits a recorded decision. Decisions are auditable artifacts, not verbal agreements.
Ojas governs the run. External platform layers decide what happens next. In the current internal deployment, the external approval authority is Aegis. Future standalone deployments may connect Ojas to a different authority that implements the same boundary contracts.
The boundary is strict. Ojas does not self-approve. Approval decisions are recorded, typed, and cross-referenced to the proposal that triggered them.