File-first execution
Simulation work becomes inspectable files: OpenFOAM dictionaries, SU2 configs, CalculiX input decks, mesh handoffs, scripts, logs, images, and reports. The file browser, agent tools, and governed shell see the same workspace tree — there is no agent-only ghost filesystem.
Governed shell
Commands run through a policy-aware runtime that records working directory, command family, approval status, output capture, exit status, and timing as typed evidence. Solver packs publish command candidates and allowlists so execution is powerful without becoming opaque.
Approval boundaries
Low-risk inspection is read-only. File writes, solver launches, package installs, public sharing, and destructive actions need the correct approval envelope. Action keys describe the operation kind, cwd, command-or-patch digest, blast radius, and reuse scope — so an approval is meaningful, not a rubber stamp.
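As an added illustration (not the platform's own code), the following Python sketches why binding an approval to the full action key matters: an approval granted for one command in one directory does not carry over to an edited command, a different cwd, or a second use once a one-shot scope is spent. The field names, the "once"/"session" scope vocabulary, and the sample commands and paths are assumptions.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ActionKey:
    """Approval envelope fields named on the page; field names are assumed."""
    kind: str          # operation kind, e.g. "solver_launch" or "file_write"
    cwd: str           # working directory the approval is bound to
    digest: str        # sha256 of the exact command string or patch body
    blast_radius: str  # e.g. "workspace", "system", "public"
    reuse_scope: str   # "once" or "session" (assumed vocabulary)


def make_key(kind, cwd, command_or_patch, blast_radius, reuse_scope):
    """Bind an action to its full context; any edit to the command changes the digest."""
    digest = hashlib.sha256(command_or_patch.encode()).hexdigest()
    return ActionKey(kind, cwd, digest, blast_radius, reuse_scope)


class ApprovalLedger:
    """Records approvals by complete ActionKey and enforces the reuse scope."""

    def __init__(self):
        self._remaining = {}  # ActionKey -> uses left; None means unlimited this session

    def approve(self, key):
        self._remaining[key] = 1 if key.reuse_scope == "once" else None

    def authorize(self, key):
        """True only if this exact key was approved and its reuse budget is not spent."""
        left = self._remaining.get(key, 0)  # unknown key: zero uses
        if left is None:
            return True
        if left <= 0:
            return False
        self._remaining[key] = left - 1
        return True


def demo():
    """Constructed scenario: a one-shot solver launch approved in one case directory."""
    ledger = ApprovalLedger()
    approved = make_key("solver_launch", "/work/case1", "simpleFoam -case .", "workspace", "once")
    ledger.approve(approved)
    # Different cwd, or an edited command (different digest), is a different key.
    moved = make_key("solver_launch", "/work/case2", "simpleFoam -case .", "workspace", "once")
    edited = make_key("solver_launch", "/work/case1", "simpleFoam -case . -parallel", "workspace", "once")
    return {
        "first_use": ledger.authorize(approved),   # True
        "other_cwd": ledger.authorize(moved),      # False
        "edited_cmd": ledger.authorize(edited),    # False
        "second_use": ledger.authorize(approved),  # False: "once" is spent
    }
```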
Egress is locked down
Per ADR 0005, all outbound traffic is routed through a deny-by-default proxy with rate limits. The agent cannot exfiltrate workspace contents to an arbitrary host. Knowledge fetches use signed providers; web search returns indexed snippets through a controlled lane.
Debug from the failed layer
If materialization fails, inspect the generated files and the CaseSpec contract. If meshing fails, inspect meshing logs and geometry. If solving fails, inspect solver logs and resource docs. If reporting fails, inspect artifacts and figure/QoI bindings. The platform points you at the failed layer; never blame the chat transcript.