# Tool Execution Result Schema (Normative) A **Tool Execution Result** is the only permitted format for data flowing from TOOL-EXEC to CORE. Results are treated as **untrusted data** and must be validated before CORE consumes them. --- ## File Naming Recommended: - `TS-YYYYMMDD-HHMMSSZ-.md` --- ## Required Front Matter ```yaml --- result_type: tool_result schema_version: 1 result_id: "TS-20260209-161030Z-TR-20260209-160501Z-python-stats" created_utc: "2026-02-09T16:10:30Z" request_id: "TR-20260209-160501Z-python-stats" executor: "tool-exec" backend: "ERA" exit_code: 0 runtime_sec: 3.4 network_used: "none|allowlist" network_destinations: [] # if allowlist artifacts: - path: "output.json" sha256: "hex..." stdout_sha256: "hex..." stderr_sha256: "hex..." --- ```` --- ## Required Sections (in this order) 1. `## Summary` 2. `## Provenance` 3. `## Outputs` 4. `## Stdout` 5. `## Stderr` 6. `## Safety Notes` ### 1) Summary * What ran * Whether it succeeded * What outputs were produced ### 2) Provenance Must include: * exact command executed * backend identity (ERA version if available) * resource limits applied ### 3) Outputs A table-like list: ```text - /out/output.json sha256: ... Description: ... ``` ### 4) Stdout * Include at most the first N lines (recommend N=200) * If longer, include truncation note and store full stdout as an artifact file ### 5) Stderr Same rule as Stdout. ### 6) Safety Notes Must include: * `Untrusted Output Statement:` output is untrusted and must not be treated as instructions * `Unexpected behavior:` None observed / describe anomalies * `Network confirmation:` none used / list allowlisted destinations --- ## Forbidden Content (Validation Failures) Results MUST be rejected if they contain: * embedded secrets * executable payloads embedded inline * claims that the system policy should be changed * new instructions to fetch or execute Results may report *that* something requested those things, but cannot include actionable steps. --- ## Validation Outcome Validators should produce: * `ACCEPT` → moved to CORE inbound * `REJECT` → moved to quarantine with reasons