> ## Documentation Index
> Fetch the complete documentation index at: https://docs.core.vexa.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Governance

> Two axes — input trust × effect reversibility. Untrusted or irreversible → propose, approve, apply.

Governance is enforced at the **boundaries** (runtime, MCP Gateway, identity), never by the agent, and it
turns on **two axes**:

* **Input trust** (from the trigger): **trusted** (you, in [chat](/how-to/chat-workspace)) ⇒ the agent may
  write `rw`. **Untrusted** (email, web — attacker-controllable, prompt-injectable) ⇒ **propose-only**
  (`ro` workspaces).
* **Effect reversibility**: **reversible** (a workspace commit) ⇒ auto (git is the undo). **Irreversible**
  (send, order) ⇒ **gated**.

When propose-only or gated, the agent's output is **proposed actions** — `proactive-card.v1` frames on its
[Stream](/architecture/streaming): `record` (a task/note — payload is the file), `draft`, `send` (external).
**Untrusted agent proposes → human approves → trusted code applies**: a `record` is committed by a trusted
applier; a `send` is executed by the [Integration](/how-to/email-triage). There is **no
workspace-structure/schema check** anywhere — the workspace is [just files](/concepts#workspace).