Every real-world action goes through one governed channel with explicit allow-lists. The model can request an action; it never writes its own privileged commands, and it never reaches the shell directly.
A requested action is matched against an allow-list before anything runs. Off-list requests are refused and recorded; on-list ones execute through the single owning surface.
There is no side door. Because every action shares one ingress, a limit set at that door holds for the entire system.
The single action channel
Invariant: Every action passes one allow-listed channel. The model requests; it never issues its own commands.
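The channel described above, as an added example that is not the page's own code: the model can only emit a named action request, the only executable surface is `GovernedChannel.submit`, and off-list requests (unknown action or arguments outside the validator) are refused and recorded rather than run. The handler, validator, document store and allow-list contents are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class ActionRequest:
    """What the model may emit: a named action plus arguments, never a command line."""
    name: str
    args: dict = field(default_factory=dict)

class GovernedChannel:
    """The single ingress. Nothing executes except through submit()."""
    def __init__(self, allow_list):
        # allow_list maps action name -> (handler, argument validator)
        self._allow = allow_list
        self.audit = []  # every decision is recorded, refused or executed

    def submit(self, req):
        entry = self._allow.get(req.name)
        if entry is None or not entry[1](req.args):
            # off-list name or off-list arguments: refuse and record, run nothing
            self.audit.append(("refused", req.name, dict(req.args)))
            return None
        handler, _validator = entry
        result = handler(**req.args)
        self.audit.append(("executed", req.name, dict(req.args)))
        return result

# Constructed sample capability: a read of a fixed in-memory document store.
DOCS = {"README": "hello"}

def read_doc(path):
    return DOCS[path]

def validate_read(args):
    # arguments are allow-listed too: exactly one key, and only known documents
    return set(args) == {"path"} and args["path"] in DOCS

ALLOW_LIST = {"read_doc": (read_doc, validate_read)}  # hypothetical allow-list

def demo():
    ch = GovernedChannel(ALLOW_LIST)
    ok = ch.submit(ActionRequest("read_doc", {"path": "README"}))
    # a capability that is not on the list is refused and logged, not executed
    off_list = ch.submit(ActionRequest("run_shell", {"cmd": "ls"}))
    # an on-list action with arguments outside its validator is refused too
    bad_args = ch.submit(ActionRequest("read_doc", {"path": "secrets"}))
    return ok, off_list, bad_args, ch.audit

if __name__ == "__main__":
    print(demo())
```

Because every decision passes through `submit`, the audit log is complete by construction: a limit added there (rate, argument shape, capability set) holds for everything the model can do.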
Go deeper — the governed action channel
Why a single action surface with an allow-list bounds the blast radius by construction, not by good behavior.