Enforce resolved execution context for deterministic actor policy

docs/orchestration-engine.md

@@ -25,6 +25,17 @@ The orchestration runtime introduces explicit schema validation and deterministi
 
 Node payloads are persisted under the state root. Nodes do not inherit in-memory conversational context from previous node runs. Fresh context is reconstructed from the handoff and persisted state each execution. Sessions load project context from `AGENT_PROJECT_CONTEXT_PATH` at initialization, and orchestration writes project updates on each node completion.
 
+## Resolved execution contract
+
+Before each actor invocation, orchestration resolves an immutable `ResolvedExecutionContext` and injects it into the executor input:
+
+- `phase`: current pipeline node id
+- `modelConstraint`: persona-level model policy (or runtime fallback)
+- `allowedTools`: flat resolved tool list for that node attempt
+- `security`: hard runtime constraints (`dropUid`, `dropGid`, `worktreePath`, violation handling mode)
+
+This keeps orchestration policy resolution separate from executor enforcement. Executors do not need to parse manifests or MCP registry internals.
+
 ## Execution topology model
 
 - Pipeline graph execution is DAG-based with ready-node frontiers.
@@ -52,6 +63,7 @@ Security enforcement now lives in `src/security`:
 - Zod-validated shell/tool policy schemas.
 - `SecurityRulesEngine` for binary allowlists, path traversal checks, worktree boundaries, and tool clearance checks.
 - `SecureCommandExecutor` for controlled `child_process` execution with timeout + explicit env policy.
+- `ResolvedExecutionContext.allowedTools` is used to filter provider-exposed tools before SDK invocation, including Claude-specific tool gating where shared `enabled_tools` is ignored.
 
 `PipelineExecutor` treats `SecurityViolationError` via configurable policy:
 - `hard_abort` (default): immediate pipeline termination.