RFC · Draft · version 0.1 · 2026-06-17 · status: open for comment

The FlowDesk Constitution

A small, machine-readable policy that bounds what AI agents may do in a workspace — enforced in-function before any tool call runs, with violations recorded to the tamper-evident audit log. This is the schema that's actually enforced today, published openly so other tools can read, write, and adopt it.

1 · Abstract

The Constitution is a JSON/YAML object attached to a workspace (and, optionally, narrowed per agent key). Before an agent action executes, the gateway evaluates the action against the Constitution. A violation is denied (HTTP 403) and audited; a low-confidence action may be routed to a human approval queue instead of executing. The policy is intentionally small and bounded — every field is enforceable, not advisory.

2 · Policy schema (v0.1)

| field | type | semantics |
| --- | --- | --- |
| max_priority | enum: low·medium·high·critical | Agents may not create or raise a task above this priority. |
| forbidden_terms | string[] | Action is denied if the task title/body contains any of these (case-insensitive). |
| forbidden_assignees | string[] | Agents may not assign work to these people/roles (e.g. CEO). |
| forbidden_tags | string[] | Agents may not apply these tags. |
| quiet_hours_utc | { start:int, end:int } | Hours (0–23, UTC) during which agent writes are blocked. |
| max_creates_per_day | integer ≥ 0 | Per-agent daily cap on task creation. |
| require_approval_below_confidence | number 0–1 | Actions whose AI confidence is below this threshold route to the human approval queue instead of executing. |

// All fields are optional. An absent field means "no constraint." Unknown fields are ignored (forward-compatible). The policy is sanitized to this known set on write — you cannot smuggle in unenforced rules.

3 · Examples

YAML

    # workspace constitution
    max_priority: high
    forbidden_terms:
      - "delete all"
      - "wire transfer"
    forbidden_assignees: ["CEO"]
    quiet_hours_utc: { start: 22, end: 6 }
    max_creates_per_day: 200
    require_approval_below_confidence: 0.7

JSON

    {
      "max_priority": "high",
      "forbidden_terms": ["delete all", "wire transfer"],
      "forbidden_assignees": ["CEO"],
      "quiet_hours_utc": { "start": 22, "end": 6 },
      "max_creates_per_day": 200,
      "require_approval_below_confidence": 0.7
    }
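
The example policy above, evaluated against a proposed action, with the quiet-hours window wrapping past midnight (22 to 6). This is an added sketch, not FlowDesk's gateway code. The action dict shape, the check order, deny taking precedence over approval, exact-match assignees, an exclusive `end` hour, and a missing confidence counting as 0 are all assumptions.

```python
# Added example: evaluates one proposed agent action against a v0.1 policy.
# The action dict shape, check order and return values are assumptions.
PRIORITY_ORDER = ["low", "medium", "high", "critical"]  # enum order from the schema

POLICY = {  # the example policy from this page
    "max_priority": "high",
    "forbidden_terms": ["delete all", "wire transfer"],
    "forbidden_assignees": ["CEO"],
    "quiet_hours_utc": {"start": 22, "end": 6},
    "max_creates_per_day": 200,
    "require_approval_below_confidence": 0.7,
}

def in_quiet_hours(window, hour):
    """start inclusive, end exclusive (assumed); start > end wraps past midnight."""
    start, end = window["start"], window["end"]
    if start <= end:
        return start <= hour < end
    return hour >= start or hour < end

def evaluate(policy, action, hour_utc, creates_today):
    """Return (decision, reasons); decision is 'deny', 'needs_approval' or 'allow'."""
    reasons = []
    cap = policy.get("max_priority")
    if cap and PRIORITY_ORDER.index(action.get("priority", "low")) > PRIORITY_ORDER.index(cap):
        reasons.append("max_priority")
    text = (action.get("title", "") + "\n" + action.get("body", "")).casefold()
    if any(t.casefold() in text for t in policy.get("forbidden_terms", [])):
        reasons.append("forbidden_terms")
    if action.get("assignee") in policy.get("forbidden_assignees", []):
        reasons.append("forbidden_assignees")
    if set(action.get("tags", [])) & set(policy.get("forbidden_tags", [])):
        reasons.append("forbidden_tags")
    window = policy.get("quiet_hours_utc")
    if window and in_quiet_hours(window, hour_utc):
        reasons.append("quiet_hours_utc")
    limit = policy.get("max_creates_per_day")
    if limit is not None and action.get("op") == "create" and creates_today >= limit:
        reasons.append("max_creates_per_day")
    if reasons:
        return "deny", reasons  # hard violations win over the approval queue (assumed)
    threshold = policy.get("require_approval_below_confidence")
    if threshold is not None and action.get("confidence", 0.0) < threshold:
        return "needs_approval", ["require_approval_below_confidence"]  # absent score fails closed
    return "allow", []
```

A naive `start <= hour < end` test never matches the 22 to 6 window, which would leave quiet hours silently unenforced; the wrap branch in `in_quiet_hours` covers that case.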

4 · JSON Schema (draft-07)

    {
      "$schema": "http://json-schema.org/draft-07/schema#",
      "$id": "https://flowdesk-landing-2yz.pages.dev/constitution-spec/v0.1.json",
      "title": "FlowDesk Constitution v0.1",
      "type": "object",
      "additionalProperties": false,
      "properties": {
        "max_priority": { "enum": ["low", "medium", "high", "critical"] },
        "forbidden_terms": { "type": "array", "items": { "type": "string" } },
        "forbidden_assignees": { "type": "array", "items": { "type": "string" } },
        "forbidden_tags": { "type": "array", "items": { "type": "string" } },
        "quiet_hours_utc": {
          "type": "object",
          "properties": {
            "start": { "type": "integer", "minimum": 0, "maximum": 23 },
            "end": { "type": "integer", "minimum": 0, "maximum": 23 }
          }
        },
        "max_creates_per_day": { "type": "integer", "minimum": 0 },
        "require_approval_below_confidence": { "type": "number", "minimum": 0, "maximum": 1 }
      }
    }

5 · Enforcement semantics

6 · Conformance & versioning

An implementation is v0.1-conformant if it (a) accepts a policy matching the schema above, (b) rejects unknown fields on write, (c) enforces each present field with the stated semantics, and (d) audits denials and approvals. Versions are MAJOR.MINOR; new optional fields bump MINOR (back-compatible), removing/changing a field bumps MAJOR. This is v0.1, Draft — open for comment at agents@flowdesk.app. The intent is a small, shared, enforceable vocabulary for agent policy — adopt it, extend it, tell us where it's wrong.