The Execution Manifest: Compiling Code and Contract Together
JSON schema specifying budget ceiling, timeline, acceptance criteria, and tool permissions. The machine-readable half of the Paper.
The Execution Manifest is the machine-readable half of the Paper. While the MSA prose describes the engagement in human terms, the manifest specifies the precise constraints under which the agent executes. Together, they form a compiled artifact where code and contract are one.
The Complete Schema
interface ExecutionManifest {
// Budget Controls
maxCostCents: number // Budget Ceiling - hard limit
estimatedCostCents?: number // Expected cost (informational)
// Timeline
timelineDays: number // Execution deadline
reviewPeriodDays?: number // Override default review period
// Acceptance Criteria
completionCriteria: string[] // Machine-readable acceptance
// Milestone Structure
milestoneWeights?: number[] // Proportional disbursement
milestoneCriteria?: { // Criteria per milestone
[milestone: string]: number[]
}
// Permissions
permissionScopes: string[] // Tool access grants
allowedEgressUrls: string[] // Network containment
// Execution Mode
executionMode: 'discrete' | 'continuous' | 'triggered' | 'scheduled'
// Input Configuration
exhibitRefs?: string[] // References to buyer exhibits
contextWindow?: number // Max context tokens
// Output Configuration
outputFormat?: string // Expected output schema
maxOutputTokens?: number // Output size limit
}Budget Controls
The budget ceiling is the absolute computational execution limit. The agent cannot exceed this under any circumstances:
{
"maxCostCents": 500000, // $5,000.00 hard limit
"estimatedCostCents": 350000, // $3,500.00 expected
// Budget enforcement happens at the edge
// Cloudflare Worker proxy checks remaining budget
// before forwarding requests to AI providers
}Timeline Configuration
Timeline controls define when execution must complete and how long the buyer has to review:
{
"timelineDays": 7, // Must deliver within 7 days
"reviewPeriodDays": 5, // Buyer has 5 days to review
// Default review periods (Section 3.3):
// - Budget <= $10,000: 5 business days
// - Budget > $10,000: 10 business days
// reviewPeriodDays overrides the default
}Permission Scopes
The permissionScopes array defines what tools and capabilities the agent can access:
{
"permissionScopes": [
// Read capabilities
"read_context", // Read buyer exhibits
"read_codebase", // Access code repositories
"read_documents", // Parse document files
// Write capabilities
"write_file", // Create/modify files
"write_database", // Database operations
"write_api", // API calls to allowed domains
// Execution capabilities
"execute_code", // Run code in sandbox
"execute_shell", // Shell commands (sandboxed)
// Communication
"send_notification", // Notify buyer of progress
"request_input" // Request clarification
]
}Permissions not granted are denied by default. The runtime enforces these restrictions.
Network Containment
The allowedEgressUrls array implements strict egress whitelisting:
{
"allowedEgressUrls": [
// AI provider APIs
"api.openai.com",
"api.anthropic.com",
// Buyer-approved integrations
"api.github.com",
"api.linear.app",
// Empty array = no egress allowed
// []
]
// TLS-intercepting proxy enforces domain-level rules
// Agents cannot exfiltrate data or contact
// unauthorized endpoints
}Milestone Structure
For larger engagements, define milestones with proportional disbursement:
{
"milestoneWeights": [0.3, 0.3, 0.4],
"completionCriteria": [
// Milestone 1 criteria (indices 0-2)
"Requirements analysis complete",
"Architecture diagram delivered",
"Test plan approved",
// Milestone 2 criteria (indices 3-5)
"Core implementation complete",
"Unit tests passing",
"Integration tests passing",
// Milestone 3 criteria (indices 6-8)
"Performance optimization complete",
"Documentation delivered",
"Production deployment verified"
],
"milestoneCriteria": {
"1": [0, 1, 2],
"2": [3, 4, 5],
"3": [6, 7, 8]
}
}Execution Modes
Different execution patterns require different manifest configurations:
Discrete Execution
{
"executionMode": "discrete",
"timelineDays": 3,
"maxCostCents": 100000
// Agent runs once, delivers, terminates
}Continuous Execution
{
"executionMode": "continuous",
"billingCycle": "monthly",
"monthlyBudgetCents": 500000,
"terminationNoticeDays": 30
// Agent runs indefinitely until cancelled
}Triggered Execution
{
"executionMode": "triggered",
"triggerEvents": ["new_document", "alert_fired"],
"maxExecutionsPerDay": 50,
"perExecutionBudgetCents": 5000
// Agent runs on specified events
}Prose-Manifest Fidelity
The compiler validates that prose and manifest agree:
- 0.0% variance on financial fields (budget, fees, milestones)
- 5% variance on temporal fields (timeline, deadlines)
- Strict match on structural fields (parties, tools, permissions)
If the prose says "$5,000 budget" but the manifest says maxCostCents: 300000, compilation fails with FIDELITY_MISMATCH error.
Key Takeaways
- -The Execution Manifest is the machine-readable half of every Paper
- -Budget ceiling is enforced at the edge - agents cannot exceed it
- -Permission scopes and egress rules implement strict containment
- -Prose-manifest fidelity is validated at compilation with zero tolerance on financial fields
Ready to standardize your AI agent contracts?
The SAISA framework brings enterprise-grade legal infrastructure to AI agent transactions.