Trust & Safety
Trust Archer with your bids because the architecture trusts nothing.
BidReady's safety architecture is built on six interlocking pieces. Each one is real, documented, and designed for the assumption that something will eventually try to misuse us.
Capability-based tool authorization
Every tool is gated by a named capability. An agent that reads your email cannot invoke the proposal generator — the framework refuses to give it the tool. Capabilities are declared at registration and cannot be added at runtime.
Each pipeline stage declares exactly which tools it needs at startup. Parse can read documents but cannot write proposals. Propose can draft output but cannot call external APIs. The capability boundary is enforced before execution, not after. If a tool is not on the approved list, it does not run. Period.
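The gating described above, as an added illustration (not BidReady's code): each tool is registered under one named capability, each stage's capability set is frozen at construction, and the check runs before the tool function executes. The tool, stage and capability names are assumptions for the example.

```python
"""Capability-gated tool registry (illustrative example, not BidReady's code)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, FrozenSet


class CapabilityError(PermissionError):
    """Raised when a stage invokes a tool it was never granted."""


@dataclass(frozen=True)
class Tool:
    name: str
    capability: str            # the single named capability gating this tool
    fn: Callable[..., Any]


class ToolRegistry:
    """Maps tool names to the capability that gates them."""

    def __init__(self) -> None:
        self._tools: Dict[str, Tool] = {}

    def register(self, name: str, capability: str):
        def deco(fn: Callable[..., Any]) -> Callable[..., Any]:
            self._tools[name] = Tool(name, capability, fn)
            return fn
        return deco

    def get(self, name: str) -> Tool:
        return self._tools[name]


class Stage:
    """A pipeline stage whose capability set is fixed when it is built."""

    def __init__(self, name: str, registry: ToolRegistry, capabilities: FrozenSet[str]) -> None:
        self.name = name
        self._registry = registry
        self._caps = frozenset(capabilities)   # frozen: nothing can be added at runtime

    def call(self, tool_name: str, *args: Any, **kwargs: Any) -> Any:
        tool = self._registry.get(tool_name)
        # The check happens before execution; an unlisted capability never reaches fn().
        if tool.capability not in self._caps:
            raise CapabilityError(
                f"{self.name} lacks capability {tool.capability!r} for tool {tool_name!r}")
        return tool.fn(*args, **kwargs)


registry = ToolRegistry()


@registry.register("read_document", capability="docs:read")     # assumed names
def read_document(doc: str) -> str:
    return f"contents of {doc}"


@registry.register("write_proposal", capability="proposals:write")
def write_proposal(text: str) -> str:
    return f"proposal saved ({len(text)} chars)"


@registry.register("call_external_api", capability="net:egress")
def call_external_api(url: str) -> str:
    return f"GET {url}"


# Capability sets declared once at startup; mirrors the Parse/Propose split on the page.
parse = Stage("parse", registry, frozenset({"docs:read"}))
propose = Stage("propose", registry, frozenset({"proposals:write"}))


def try_call(stage: Stage, tool: str, *args: Any) -> str:
    """Return the tool's result, or 'DENIED' when the capability boundary refuses it."""
    try:
        return stage.call(tool, *args)
    except CapabilityError:
        return "DENIED"


if __name__ == "__main__":
    print(try_call(parse, "read_document", "spec.pdf"))                   # allowed
    print(try_call(parse, "write_proposal", "draft"))                     # DENIED
    print(try_call(propose, "call_external_api", "https://example.invalid"))  # DENIED
```

The decision is made from the tool's registered capability and the stage's frozen set, so a stage cannot widen its own access after startup, and an unlisted tool fails closed before any side effect.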
SanitizedString — injection defense at the type system
Content from outside (emails, uploads, forms) cannot reach a privileged tool as a raw string. Tool functions with SanitizedString parameters cannot be called with plain text. Sanitization pipeline: Unicode normalization, control-char strip, fence-marker strip, length cap.
“Not a runtime assertion. Not a linter rule. A language-level guarantee.”
Every external string passes through the SanitizedString boundary before it can touch a tool call. The compiler enforces the constraint — you cannot pass a raw string where a SanitizedString is expected. The code will not compile.
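An added sketch of the SanitizedString boundary (not BidReady's code): the type is a `typing.NewType`, so a static type checker such as mypy rejects a plain `str` where `SanitizedString` is required, which is the Python analogue of the page's compile-time guarantee (at runtime a NewType is just `str`). The four-step pipeline follows the page; the length cap value, fence pattern and tool name are assumptions.

```python
"""SanitizedString boundary (illustrative example, not BidReady's code)."""
import re
import unicodedata
from typing import NewType

# Static type checkers treat SanitizedString as distinct from str:
#   generate_proposal("raw text")  -> type error
#   generate_proposal(sanitize("raw text")) -> accepted
SanitizedString = NewType("SanitizedString", str)

MAX_LEN = 4000                         # assumed length cap
_FENCE = re.compile(r"`{3,}|~{3,}")    # markdown fence markers


def sanitize(raw: str, max_len: int = MAX_LEN) -> SanitizedString:
    """The only constructor: normalize, strip controls, strip fences, cap length."""
    text = unicodedata.normalize("NFKC", raw)
    # Drop control (Cc) and format (Cf, e.g. zero-width) characters, keeping \n and \t.
    text = "".join(
        ch for ch in text
        if ch in "\n\t" or unicodedata.category(ch) not in ("Cc", "Cf"))
    text = _FENCE.sub("", text)
    return SanitizedString(text[:max_len])


def generate_proposal(scope: SanitizedString) -> str:
    """A privileged tool: its parameter type is the boundary, not a runtime assertion."""
    return f"PROPOSAL[{len(scope)} chars]"


if __name__ == "__main__":
    external = "ｓｃｏｐｅ\x00 text\u200b ```ignore```"   # constructed untrusted input
    print(repr(sanitize(external)))                     # 'scope text ignore'
    print(generate_proposal(sanitize(external)))
```

Running `mypy` on a caller that passes a raw `str` to `generate_proposal` reports an incompatible-type error; the only way to obtain a `SanitizedString` value is through `sanitize`.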
TurnBudget — $5 per-turn cost cap
A hard cost cap enforced via a reservation pattern. Before a call runs, its worst-case cost is reserved and checked. If it would exceed the cap, the call fails before money leaves. Afterwards the reservation is replaced with the actual cost. On error, the reservation is released.
“A cap that fires before the spend, not after it.”
Parallel fan-out handled correctly — the system uses a synchronous critical section to reserve budget across concurrent calls. No race condition, no double-spend. If the cap fires mid-execution, the current step completes and the pipeline stops gracefully. No half-finished work left behind.
MESH_TOPOLOGY — who can talk to whom
A single source-of-truth dict declares agent delegation. It is frozen at startup. Five invariants are verified before accepting traffic: acyclic topology, mailroom agents can’t hold unsafe capabilities, mailroom can’t initiate delegation, unsafe capability tool-maps stay empty, pricing bounds respected.
Misconfigured mesh fails at startup with a named error — not at runtime when a bid is in flight. The directed graph is a compile-time constant. If an agent tries to send a message to a non-adjacent agent, the message is dropped and the violation is logged. Prompt injection cannot cascade through the system even if one agent is compromised.
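An added example of the startup validation and adjacency enforcement (not BidReady's code): a frozen topology mapping, the five invariants from the page checked in order with a named error on the first failure, and a `send` that drops and logs any message to a non-adjacent agent. Agent names, capability names, the "unsafe" capability set and price bounds are assumptions; "unsafe capability tool-maps stay empty" is interpreted as no tool being mapped under a capability marked unsafe.

```python
"""Startup validation of a frozen agent mesh (illustrative example, not BidReady's code)."""
from types import MappingProxyType
from typing import Dict, List, Mapping, Optional, Tuple


class MeshConfigError(RuntimeError):
    """Named startup failure: which invariant broke, and where."""

    def __init__(self, invariant: str, detail: str) -> None:
        super().__init__(f"{invariant}: {detail}")
        self.invariant = invariant


UNSAFE_CAPS = frozenset({"shell:exec", "net:egress"})   # assumed
PRICE_CEILING_USD = 5.0                                 # matches the $5 per-turn cap

# Assumed agents: capabilities, tool map (capability -> tools) and a per-call price bound.
AGENTS: Dict[str, dict] = {
    "mailroom": {"capabilities": {"mail:read"}, "tool_map": {"mail:read": ["read_email"]}, "max_usd": 0.5},
    "parse":    {"capabilities": {"docs:read"}, "tool_map": {"docs:read": ["read_document"]}, "max_usd": 1.0},
    "propose":  {"capabilities": {"proposals:write"}, "tool_map": {"proposals:write": ["write_proposal"]}, "max_usd": 2.0},
}
# Frozen directed graph: who may delegate to whom.
MESH_TOPOLOGY: Mapping[str, Tuple[str, ...]] = MappingProxyType(
    {"mailroom": (), "parse": ("propose",), "propose": ()})


def _has_cycle(graph: Mapping[str, Tuple[str, ...]]) -> bool:
    white, grey, black = 0, 1, 2
    colour = {n: white for n in graph}

    def visit(n: str) -> bool:
        colour[n] = grey
        for m in graph[n]:
            if colour[m] == grey or (colour[m] == white and visit(m)):
                return True
        colour[n] = black
        return False

    return any(colour[n] == white and visit(n) for n in graph)


def validate_mesh(agents: Dict[str, dict], topology: Mapping[str, Tuple[str, ...]]) -> List[str]:
    """Raise MeshConfigError on the first broken invariant; return the names checked."""
    for src, dsts in topology.items():
        for dst in dsts:
            if dst not in agents:
                raise MeshConfigError("acyclic_topology", f"{src} delegates to unknown agent {dst}")
    if _has_cycle(topology):
        raise MeshConfigError("acyclic_topology", "delegation graph contains a cycle")
    mailrooms = [n for n in agents if n.startswith("mailroom")]
    for n in mailrooms:
        held = agents[n]["capabilities"] & UNSAFE_CAPS
        if held:
            raise MeshConfigError("mailroom_no_unsafe_caps", f"{n} holds {sorted(held)}")
        if topology.get(n):
            raise MeshConfigError("mailroom_no_delegation", f"{n} delegates to {topology[n]}")
    for n, spec in agents.items():
        for cap in UNSAFE_CAPS:
            if spec["tool_map"].get(cap):
                raise MeshConfigError("unsafe_tool_maps_empty", f"{n} maps tools under {cap}")
        if not 0 < spec["max_usd"] <= PRICE_CEILING_USD:
            raise MeshConfigError("pricing_bounds", f"{n} max_usd={spec['max_usd']}")
    return ["acyclic_topology", "mailroom_no_unsafe_caps", "mailroom_no_delegation",
            "unsafe_tool_maps_empty", "pricing_bounds"]


def first_violation(agents: Dict[str, dict], topology: Mapping[str, Tuple[str, ...]]) -> Optional[str]:
    try:
        validate_mesh(agents, topology)
        return None
    except MeshConfigError as err:
        return err.invariant


VIOLATIONS: List[str] = []   # stands in for the violation log


def send(sender: str, receiver: str, topology: Mapping[str, Tuple[str, ...]] = MESH_TOPOLOGY) -> bool:
    """Deliver only along declared edges; anything else is dropped and logged."""
    if receiver not in topology.get(sender, ()):
        VIOLATIONS.append(f"dropped {sender}->{receiver}")
        return False
    return True


if __name__ == "__main__":
    print(validate_mesh(AGENTS, MESH_TOPOLOGY))
    print(send("parse", "propose"), send("mailroom", "propose"), VIOLATIONS)
```

Because `validate_mesh` runs before any traffic is accepted, a misconfiguration surfaces as a named error at startup rather than as a dropped message during a live bid.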
Cost transparency to the penny
Every call writes a row: model, input tokens, output tokens, cost USD at sub-cent precision, duration, stage. Mesh events (cap fires, delegation audits, cycle rejections) log distinct status values.
“Numeric(10, 6) — sub-cent precision, per call, per stage.”
Cost is tracked at the stage level: Parse, Takeoff, and Propose each report their individual cost. The dashboard rolls these up per bid, per month, and per trade. Master tier gets exportable cost reports for job costing. TurnBudget ensures no single run ever surprises you.
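An added example covering both the TurnBudget section and the cost-transparency section above (not BidReady's code): a budget that reserves the worst-case cost inside a lock before the call runs, swaps the reservation for the actual cost afterwards, releases it on error, writes one ledger row per call with the cost quantized to six decimal places (the `Numeric(10, 6)` semantics), records cap events under a distinct status value, and rolls the ledger up per stage. The model name, token counts and stage names are constructed for the example.

```python
"""Reservation-pattern turn budget with a per-call cost ledger (illustrative, not BidReady's code)."""
import threading
import time
from dataclasses import dataclass
from decimal import ROUND_HALF_UP, Decimal
from typing import Callable, Dict, List, Tuple

SIX_PLACES = Decimal("0.000001")   # Numeric(10, 6): sub-cent precision per row
TURN_CAP = Decimal("5.00")         # the $5 per-turn cap


class BudgetExceeded(RuntimeError):
    """Raised before the call runs, so no money has left."""


@dataclass(frozen=True)
class CostRow:
    stage: str
    model: str
    input_tokens: int
    output_tokens: int
    cost_usd: Decimal
    duration_ms: int
    status: str   # "ok" for a completed call; mesh events use distinct values such as "cap_fired"


class TurnBudget:
    def __init__(self, cap: Decimal = TURN_CAP) -> None:
        self.cap = cap
        self.spent = Decimal("0")
        self.reserved = Decimal("0")
        self.ledger: List[CostRow] = []
        self._lock = threading.Lock()   # critical section shared by concurrent fan-out

    def _reserve(self, stage: str, worst_case: Decimal) -> None:
        with self._lock:
            if self.spent + self.reserved + worst_case > self.cap:
                self.ledger.append(CostRow(stage, "-", 0, 0, Decimal("0"), 0, "cap_fired"))
                raise BudgetExceeded(f"{stage}: worst case {worst_case} would exceed {self.cap}")
            self.reserved += worst_case

    def run(self, stage: str, model: str, worst_case: Decimal,
            call: Callable[[], Tuple[int, int, Decimal]]) -> CostRow:
        """Reserve the worst case, run the call, then replace the reservation with actual cost."""
        self._reserve(stage, worst_case)
        started = time.perf_counter()
        try:
            in_tok, out_tok, actual = call()
        except Exception:
            with self._lock:                 # error path: release the reservation
                self.reserved -= worst_case
            raise
        row = CostRow(stage, model, in_tok, out_tok,
                      actual.quantize(SIX_PLACES, rounding=ROUND_HALF_UP),
                      int((time.perf_counter() - started) * 1000), "ok")
        with self._lock:
            self.reserved -= worst_case
            self.spent += row.cost_usd
            self.ledger.append(row)
        return row


def rollup_by_stage(ledger: List[CostRow]) -> Dict[str, Decimal]:
    """Per-stage totals over completed calls, the way a per-bid dashboard would sum them."""
    totals: Dict[str, Decimal] = {}
    for row in ledger:
        if row.status == "ok":
            totals[row.stage] = totals.get(row.stage, Decimal("0")) + row.cost_usd
    return totals


def fan_out(n_calls: int, worst_case: Decimal, cap: Decimal = TURN_CAP) -> Tuple[int, int, Decimal]:
    """Run n_calls concurrently (actual cost == worst case); return (accepted, cap_fired, spent)."""
    budget = TurnBudget(cap)

    def worker() -> None:
        try:
            budget.run("takeoff", "model-x", worst_case, lambda: (100, 50, worst_case))
        except BudgetExceeded:
            pass

    threads = [threading.Thread(target=worker) for _ in range(n_calls)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    fired = sum(1 for r in budget.ledger if r.status == "cap_fired")
    return n_calls - fired, fired, budget.spent


if __name__ == "__main__":
    print(fan_out(8, Decimal("1.00")))    # (5, 3, Decimal('5.00')): no double-spend
```

With the worst case reserved under the lock, eight parallel one-dollar calls against a five-dollar cap always admit exactly five; the three rejections are logged as `cap_fired` rows without ever reaching the model.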
Multi-tenancy
Every query filters by org_id at database level. Bids, scope items, takeoff history, embedding index — none touches another org’s data. Historical bid learning retrieves from your org only.
Cross-tenant leak would require breaking every query path. Tenant isolation is enforced at every layer — database, file storage, and processing pipeline. Each account operates in its own namespace. Cross-tenant queries are architecturally impossible, not just access-controlled.
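An added illustration of org-level scoping at the query layer (not BidReady's code): the only database handle application code receives is bound to one `org_id`, every query it builds carries that predicate as a bound parameter, and a coarse runtime guard refuses any SQL that lacks it. The schema and sample rows are constructed for the example; it uses an in-memory SQLite database so it runs offline.

```python
"""Org-scoped repository: every query carries org_id (illustrative, not BidReady's code)."""
import sqlite3
from typing import List, Optional, Tuple

SCHEMA = """
CREATE TABLE bids (id INTEGER PRIMARY KEY, org_id TEXT NOT NULL, title TEXT NOT NULL);
CREATE INDEX bids_org ON bids(org_id);
"""

# Constructed sample data: two orgs sharing one table.
SAMPLE_ROWS = [
    ("org-a", "Roof replacement"),          # id 1
    ("org-b", "Warehouse HVAC"),            # id 2
    ("org-a", "Parking lot resurfacing"),   # id 3
]


class UnscopedQueryError(RuntimeError):
    """Raised when SQL reaches the executor without the tenant predicate."""


class OrgScope:
    """The only handle application code gets; it is bound to a single org_id."""

    def __init__(self, conn: sqlite3.Connection, org_id: str) -> None:
        self._conn = conn
        self._org_id = org_id

    def _query(self, sql: str, params: Tuple) -> sqlite3.Cursor:
        # Belt-and-braces guard: the type is the real boundary, this catches a missed predicate.
        if "org_id = ?" not in sql:
            raise UnscopedQueryError(sql)
        return self._conn.execute(sql, params)

    def list_bids(self) -> List[Tuple[int, str]]:
        return self._query(
            "SELECT id, title FROM bids WHERE org_id = ? ORDER BY id", (self._org_id,)).fetchall()

    def get_bid(self, bid_id: int) -> Optional[Tuple[int, str]]:
        # Another org's bid id yields nothing, rather than an error that confirms it exists.
        return self._query(
            "SELECT id, title FROM bids WHERE org_id = ? AND id = ?", (self._org_id, bid_id)).fetchone()

    def search_bids(self, needle: str) -> List[Tuple[int, str]]:
        # Free-text search keeps the tenant predicate; the needle stays a bound parameter.
        return self._query(
            "SELECT id, title FROM bids WHERE org_id = ? AND title LIKE ? ORDER BY id",
            (self._org_id, f"%{needle}%")).fetchall()

    def add_bid(self, title: str) -> int:
        cur = self._conn.execute(
            "INSERT INTO bids (org_id, title) VALUES (?, ?)", (self._org_id, title))
        return int(cur.lastrowid)


def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO bids (org_id, title) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def unscoped_query_rejected(scope: OrgScope) -> bool:
    """True when the guard refuses SQL that forgot the tenant predicate."""
    try:
        scope._query("SELECT id, title FROM bids", ())
        return False
    except UnscopedQueryError:
        return True


if __name__ == "__main__":
    conn = build_demo_db()
    org_a, org_b = OrgScope(conn, "org-a"), OrgScope(conn, "org-b")
    print(org_a.list_bids())          # only org-a rows
    print(org_b.get_bid(1))           # None: bid 1 belongs to org-a
```

Handing code an `OrgScope` instead of a raw connection is what makes the cross-tenant query unconstructible; the `_query` guard only exists to catch a query path that was written outside the scoped methods.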
Questions from your compliance team? We welcome them.
We built the safety architecture before we built the features. Your compliance team can audit every layer. We'll walk them through it.