Docs / Reference

Authorization denial

Return entitlement_denied when subject identity lacks the entitlement required by the capability.

Plain English

This failure mode should return a structured protocol record with entitlement_denied, not an ambiguous framework or transport failure.

Why it exists

Independent callers need to branch on predictable protocol outcomes when a capability cannot safely execute.

Formal definition

A failure mode is a first-class protocol outcome with a stable denial.code or error.code, message, optional details, and evidence semantics.

Concrete example

Ground the concept before the schema.

Planning Agent invokes schedule_technician without service:dispatch permission.

authorization-denial.outcome.json

json

1{2  "invocation_id": "inv_authz_001",3  "capability_id": "schedule_technician",4  "capability_version": "1.0.0",5  "correlation": { "correlation_id": "case-authz" },6  "outcome": "denied",7  "success": false,8  "data": null,9  "error": null,10  "denial": {11    "code": "entitlement_denied",12    "message": "service:dispatch is required.",13    "retryable": false,14    "details": {15      "required_permission": "service:dispatch"16    }17  },18  "evidence_ids": ["evt_authz_denied"],19  "started_at": null,20  "completed_at": "2026-06-16T15:14:22.104Z"21}

Developer reference

Authorization denial outcome contract

Use this as the minimum machine-readable shape for tests and independent callers.

FieldValueMeaning

triggercondition

Planning Agent invokes schedule_technician without service:dispatch permission.

denial.code or error.codeentitlement_denied

service:dispatch is required.

event_typeexecution_denied

Evidence type or absence expected for this failure.

Relationships

Where this sits in the protocol.

Each concept should explain its neighbors so implementation teams can preserve the boundary across manifests, invocation, evidence, and tests.

Failure outcomes are produced during discovery, validation, authorization, lifecycle checks, execution, or timeout handling.

Evidence should record the decision path when an invocation reaches the host boundary.

Conformance should include both this failure and the neighboring happy path.

Visual model

01Caller sends or discovers a protocol surface.
02Host or infrastructure detects the failure condition.
03Caller receives entitlement_denied with structured details.

Implementation notes

Return a stable code that callers can match programmatically.
Include a human-readable message without depending on it for control flow.
Attach evidence when the host boundary received and evaluated the request.

Common mistakes

Throwing a raw exception instead of a protocol outcome.
Using different codes for the same failure across hosts.
Omitting evidence for denied or rejected requests that reached policy or lifecycle checks.

Related concepts

Keep reading through the boundary.

Outcome codes →Conformance cases →Govern invocation →