# Enclosure DSL

EDL (Enclosure DSL) is Capsulang's deployment-facing enclosure compiler layer. It describes an enforceable execution boundary for an agent and lowers that boundary into checked Capsulang Authority IR plus concrete runtime artifacts.

The core rule is:

```text
No attested enclosure -> no live effect.
No mediated gate -> no protected side effect.
No receipt -> no accepted completion.
No target-side control or reconciliation -> no production readiness.
```

EDL is intentionally not just policy text. The compiler rejects enforce-mode documents that leave protected effects without a gate, enable ambient credentials, allow default network access, disable telemetry, or make high-risk actions possible without receipt-backed approval.

## Commands

```bash
caps edl-check examples/28_github_coding_agent.edl.yaml --json
caps edl-ir examples/28_github_coding_agent.edl.yaml
caps edl-compile examples/28_github_coding_agent.edl.yaml --out-dir build/enclosure --json
```

`edl-compile` emits:

```text
<name>.caps
<name>.enclosure.json
<name>.docker-compose.yml
<name>.seatbelt.sb
<name>.doorkeeper.json
<name>.telemetry.json
<name>.receipts.json
<name>.negative-tests.json
<name>.attestation.json
```

The generated `.caps` file is parsed and checked before `edl-compile` reports success.

## Compiler Path

```text
EDL YAML
  -> normalized Enclosure IR
  -> Capsulang Authority IR and machine workflow
  -> sandbox backend profiles
  -> doorkeeper policy
  -> telemetry and receipt plans
  -> negative bypass tests
  -> attestation artifact digests
```

## Static Validation

Errors:

- protected effect has no gate action
- capability references an unknown principal
- mandate or delegation references unknown principals or mandates
- enforce-mode policy defaults to `allow`
- enforce mode disables telemetry
- enforce mode does not deny network by default
- enforce mode leaves ambient credential channels open
- high-risk action lacks a receipt, postcondition, or approval-bound capability

Warnings:

- Docker backend uses generic rather than reviewed hardening
- Seatbelt needs firewall or proxy help for hostname-level network policy
- mutable targets have no reconciliation
- memory store lacks source attribution or hash validation
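
The error rules above can be modelled as a small checker. This is an added example, not code from Capsulang or the `caps` compiler: the document shape and every field name are hypothetical, warnings are not modelled, and the fail-closed handling of absent keys is a choice made for this sketch.

```python
# Toy model of the error rules listed above. All field names are hypothetical:
# this is neither the EDL schema nor the caps compiler.
def validate(doc):
    errors = []
    principals = set(doc.get("principals", []))
    # Assumption: rules listed without an "enforce mode" qualifier apply to every document.
    for eff in doc.get("effects", []):
        if eff.get("protected") and not eff.get("gate"):
            errors.append(f"{eff['name']}: protected effect has no gate action")
    for cap in doc.get("capabilities", []):
        if cap.get("principal") not in principals:
            errors.append(f"{cap['name']}: capability references an unknown principal")
    for act in doc.get("actions", []):
        # Assumption: a high-risk action needs all three safeguards, not just one.
        missing = [k for k in ("receipt", "postcondition", "approval_capability") if not act.get(k)]
        if act.get("risk") == "high" and missing:
            errors.append(f"{act['name']}: high-risk action lacks {', '.join(missing)}")
    if doc.get("mode") == "enforce":
        # Fail closed (a choice of this model): an absent key counts as the unsafe value.
        if doc.get("policy", {}).get("default", "allow") == "allow":
            errors.append("enforce-mode policy defaults to allow")
        if not doc.get("telemetry", {}).get("enabled", False):
            errors.append("enforce mode disables telemetry")
        if doc.get("network", {}).get("default", "allow") != "deny":
            errors.append("enforce mode does not deny network by default")
        if doc.get("credentials", {}).get("ambient", True):
            errors.append("enforce mode leaves ambient credential channels open")
    return errors

# Constructed sample documents (not taken from the examples/ directory).
GOOD = {
    "mode": "enforce", "principals": ["agent", "maintainer"],
    "policy": {"default": "deny"},
    "telemetry": {"enabled": True},
    "network": {"default": "deny"},
    "credentials": {"ambient": False},
    "capabilities": [{"name": "merge_cap", "principal": "maintainer"}],
    "effects": [{"name": "merge_pr", "protected": True, "gate": "github_merge_pr"}],
    "actions": [{"name": "github_merge_pr", "risk": "high", "receipt": True,
                 "postcondition": True, "approval_capability": "merge_cap"}],
}
# Same document with the gate removed, an unknown principal, and ambient credentials on.
BAD = {**GOOD, "credentials": {"ambient": True},
       "capabilities": [{"name": "merge_cap", "principal": "bot"}],
       "effects": [{"name": "merge_pr", "protected": True, "gate": None}]}

if __name__ == "__main__":
    for name, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, validate(doc) or "ok")
```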

## Capsulang Lowering

EDL authority lowers into:

```text
principal
mandate
delegation
capability
authority-policy
trust-boundary
telemetry-obligation
memory-policy
port
gate
machine
```

EDL identifiers are preserved in the normalized Enclosure IR and sanitized into Capsulang-safe symbols in the generated capsule. Gate actions lower to `mcp.call` effect intents whose target is the generated gate port and action tool, such as:

```lisp
(mcp.call GateGithub.github_merge_pr)
```

The host runtime still owns live execution. The generated capsule computes authority, state transitions, policy/gate intents, telemetry obligations, receipts, and reconciliation evidence requirements.
