@orbmis this is great, and I ran it rather than just read it, because the turnover case is exactly the thing worth checking on real state. demo:turnover confirms it: cursor at 7,700/8,000 consumed, 300 headroom, a 500 move that passes the vault/yield/risk checks in isolation gets rejected by the aggregate, funds don’t move, cursorRoot stays put. That’s the whole argument for 8312 in one scenario; you’re right to call it the central one. A stateless policy can’t answer “is this valid given everything already drawn,” and that’s the question the cursor exists for.
On your four:
Composition (8001→8312→8301) feels natural, yes, and cleanly so, because each layer answers a different question and never reaches into another’s: 8001 records what was agreed, 8312 meters what remains, 8301 orders the workflow, the substrate enforces the result. That maps one-to-one onto where this thread landed (grant → cursor → witness → order → enforce); the boundaries holding on their own is the sign the decomposition is right.
The PortfolioManager / ExecutionSubstrate split is the right boundary, and there’s a load-bearing reason beyond clean code. The thread’s conclusion was that only the cursor has to be singular; everything else can be built many ways and still interoperate. Your ExecutionSubstrate owns the one object every action advances (the cursor), while PortfolioManager orchestration stays swappable. Keeping the cursor advance inside the enforcement surface, on the same path that checks headroom, advancing only on success and never on a rejected proposal, is what makes it a serialized write at the moment of the draw, which is the one property 8312 actually needs. You arrived at the split the spec wants.
Cursor semantics demonstrate bounded authority, yes; the turnover reject is the proof. The other three (per-vault, risk-bucket, workflow) are convincing, but a stateless check could do them too; turnover is the one that only the cursor can do, so I’d lead the narrative with it.
On 8281/OCP and 8299/WYRIWE: your instinct is right for enforcement, but they’re the layer this POC doesn’t exercise yet: the audit half. The cursor rejects live regardless of provenance, so for the bounded-authority demo they add nothing, agreed. Where they’d matter is recomputability. Right now an outside party trusts the substrate’s record of what was drawn and the verifier’s read of the vault yields. WYRIWE binds the cursor’s consumption to the committed input the agent acted on (not an agent-reported amount), and OCP anchors the cursorRoot advances to a system the committer doesn’t control, so “did cumulative turnover ever exceed the mandate?” becomes re-derivable by anyone from the public advances, no trusted accountant. That’s the difference between enforced live and enforced live AND independently sound. Same boundary blockbird and pipavlo drew up-thread: the cursor enforces with a write; the on-chain advances make it auditable by recompute.
Concretely, the audit half is already runnable: the recompute-kit has an 8312/cap-conservation check that proves reserved + confirmed ≤ cap straight from storage (eth_getProof vs stateRoot, no trusted meter read). Happy to point it at a Solidity port of your ExecutionSubstrate cursor whenever you take headroom on-chain, find-then-recompute: your substrate enforces, the recompute verifies. Genuinely nice piece of work.
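Added example, not code from the POC or the thread: a minimal model of the two halves the reply separates. The enforcement half is a substrate that runs the stateless checks, then asks the cursor the aggregate question and advances only on success; the audit half is a recompute that re-derives cap conservation from the public advance log alone. The mandate shape, the per-vault limits, the yield floor, the sha256 root chain and the 7,700/8,000 history are all my assumptions, chosen so the turnover scenario from the top of the reply reproduces.

```python
"""Bounded-authority cursor: stateless checks plus a stateful turnover meter.

Illustrative model only. The Proposal/Advance shapes, the cap figures, the
yield floor and the root-chain hash are assumptions, not the POC's design.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import hashlib

CAP = 8000                                   # mandate-wide turnover cap (assumed)
VAULT_LIMITS: Dict[str, int] = {"vaultA": 3000, "vaultB": 6000}  # per-move limit per vault (constructed)
MIN_YIELD_BPS = 200                          # risk floor (constructed)
GENESIS_ROOT = b"\x00" * 32


@dataclass(frozen=True)
class Proposal:
    pid: str
    vault: str
    amount: int
    yield_bps: int


@dataclass
class Advance:
    """One public cursor advance: what an outside party recomputes from."""
    pid: str
    amount: int
    consumed_after: int
    root_after: bytes


def advance_root(prev_root: bytes, pid: str, consumed_after: int) -> bytes:
    # sha256 chain stands in for whatever cursorRoot really commits to.
    return hashlib.sha256(prev_root + pid.encode() + consumed_after.to_bytes(8, "big")).digest()


def stateless_checks(p: Proposal) -> Optional[str]:
    """Checks any policy can answer without the cursor. Returns a reason or None."""
    if p.vault not in VAULT_LIMITS:
        return "unknown vault"
    if p.yield_bps < MIN_YIELD_BPS:
        return "yield below floor"
    if p.amount > VAULT_LIMITS[p.vault]:
        return "exceeds per-vault limit"
    return None


class ExecutionSubstrate:
    """Owns the single object every action advances: the cursor."""

    def __init__(self, cap: int = CAP):
        self.cap = cap
        self.consumed = 0
        self.cursor_root = GENESIS_ROOT
        self.log: List[Advance] = []

    def headroom(self) -> int:
        return self.cap - self.consumed

    def execute(self, p: Proposal) -> Tuple[bool, str]:
        reason = stateless_checks(p)
        if reason:
            return False, reason
        # The aggregate question only the cursor can answer.
        if p.amount > self.headroom():
            return False, f"turnover: {p.amount} > headroom {self.headroom()}"
        # Advance on the same path that checked headroom, and only on success.
        self.consumed += p.amount
        self.cursor_root = advance_root(self.cursor_root, p.pid, self.consumed)
        self.log.append(Advance(p.pid, p.amount, self.consumed, self.cursor_root))
        return True, "ok"


def recompute(log: List[Advance], cap: int) -> Tuple[bool, bytes]:
    """Auditor's view: from the public advances alone, re-derive that cumulative
    turnover never exceeded the cap and that every recorded root is consistent."""
    consumed, root = 0, GENESIS_ROOT
    for a in log:
        consumed += a.amount
        root = advance_root(root, a.pid, consumed)
        if consumed > cap or consumed != a.consumed_after or root != a.root_after:
            return False, root
    return True, root


def demo_turnover() -> dict:
    s = ExecutionSubstrate()
    for i, amt in enumerate([2500, 2500, 2700]):      # constructed history to 7,700/8,000
        ok, _ = s.execute(Proposal(f"fill-{i}", "vaultB", amt, 350))
        assert ok
    before = (s.consumed, s.cursor_root)
    ok_500, reason = s.execute(Proposal("move-500", "vaultA", 500, 350))
    unchanged = (s.consumed, s.cursor_root) == before
    ok_300, _ = s.execute(Proposal("move-300", "vaultA", 300, 350))
    sound, _ = recompute(s.log, s.cap)
    return {"headroom_before": before[0] and s.cap - before[0], "rejected_500": not ok_500,
            "reason": reason, "state_unchanged": unchanged, "accepted_300": ok_300,
            "consumed_final": s.consumed, "recompute_sound": sound}


if __name__ == "__main__":
    print(demo_turnover())
```

The point the recompute makes is that a tampered or forged advance (an amount edited after the fact, or a consumed_after that skips ahead) fails the root chain or the cap bound without any trusted meter read; that is the "enforced live AND independently sound" half, modelled here without the eth_getProof part.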