The context infrastructure layer your AI strategy is missing.
Enterprise AI deployments hit the same wall: capable models, available cloud, shallow results. The root cause is not model capability — it is the absence of context infrastructure. ContextECF is the production implementation of the Enterprise Context Fabric — a verifiable, append-only, governance-native layer organized as a three-layer execution model: Access, Runtime Control, and Fabric Core. It sits between your enterprise systems and the agents that need to reason over them.
Enterprise AI has a context infrastructure gap.
Enterprise knowledge is scattered across CRM records, email threads, meeting transcripts, Slack conversations, Jira tickets, contract repositories. Each system holds a fragment. None hold the assembled meaning. When AI systems reconstruct context from scratch on every request, the result is slow, expensive, hallucinated, and non-compounding.
Multi-system fan-out for every interaction. Latency compounds across each connector hop.
Context windows filled with raw, redundant excerpts. Cost scales with noise, not signal.
Models fill the gaps where verified context is missing. Confidence is performative, not real.
No institutional memory. The system never learns what worked for your organization.
Five principles. Enforced in code, not slogans.
These aren't aspirational; they are the design constraints the canonical spec is held against and the ADR index enforces.
Search retrieves documents. Context engineering assembles meaning around a decision, relationship, or situation.
Identical requests produce identical context. Every output explainable to a regulator, an auditor, an executive.
Access control, residency, audit, compliance — native to the layer. Not bolted on by consuming applications.
Relationship strength, recency, activity, sentiment trajectory — context prioritized by what matters, not what is newest.
The metric that compounds. Organizations that structurally reduce it operate faster, at lower risk, with better AI outcomes.
Like enterprise networking — separated access, control, and core.
ContextECF is organized as a three-layer execution fabric, mirroring the hierarchical model Cisco established for enterprise networking. Three layers externally. Specialized engines internally. One signed execution path end-to-end.
Where work enters the Fabric.
The edge. Modes, connectors, SDK sidecars, IDE plugins, agent entry
points, MCP tools, and uploaded artifacts. Every task is identified,
scoped, and stamped with a tracking ID before it moves a single byte
inward. Read-only enforcement at MCPConnectorServer.
- 17 MCP ConnectorsSalesforce · Gmail · Slack · Jira · Zoom · Drive · SharePoint · M365 · Webex · Meet · LinkedIn · Zendesk · ServiceNow · Teams
- Mode SurfacesCodeLedger · Sales · Support · NetOps · Productivity
- SDK SidecarEmbeds in agent runtimes; compresses on-prem
- Agent Entry PointsIDE plugins · CLI · API · PR webhooks · Halo extension
- Application PrintsPer-connector scope justification, signed at build
- Connector GatewayOAuth2 + PKCE · token vault · SSRF validation · fetch timeouts
Where the manifest travels.
The heart of the Fabric. Context is compressed. Policies are
evaluated. The Runtime Escort validates every step. Destination
Guard blocks off-route actions. Approvals are routed to humans.
Capability receipts are signed and stamped. Nothing acts without
authority. tenant_id is JWT-signed at every boundary;
RLS enforces it at the database.
- Runtime EscortTracks every workflow from pickup to delivery
- Runtime ManifestAllowed tools · denied destinations · required approvals
- Targeted SearchOur target search technology selects only the connectors needed; skips below-threshold sources
- Context Reasoning CoreTier 1 deterministic · Tier 2 template · Tier 3 LLM (gated)
- Trust EnvelopeFive decision states: REUSED · STEP-UP · APPROVAL · DENIED · DRIFT
- Destination GuardValidates every tool boundary at execution time
- Five-Gate ExecutionFlag · tenant opt-in · permission · CFE preflight · risk ceiling
- Capability ReceiptSHA-256 signed proof of every scan, denial, and delivery
Where the Fabric remembers.
The enterprise backbone. The append-only, customer-owned Enterprise Context Ledger records every Normalized Context Event, every receipt, every outcome. Per-tenant hash chain. PostgreSQL-level triggers block updates and deletes. The longer the Fabric runs, the smarter the next shipment becomes. This is the asset that compounds.
- Enterprise Context LedgerAppend-only · tamper-evident · customer-owned
- Normalized Context EventsHashed into a per-tenant integrity chain
- Four-Disposition GateDISCARD · CACHE_ONLY · PROMOTE · PROMOTE_WITH_EPISODE
- Outcome ReceiptsWhat worked, what didn't, what to do next
- Institutional MemoryCross-Mode learning · ontology · industry patterns
- Context GraphRelationships · decisions · commitments — queryable
Three layers.
Access · Runtime Control · Fabric Core. The canonical model your buyers, auditors, and architects need.
Specialized engines.
Each layer contains purpose-built engines (this document covers them in §§ 4–22). The 3-layer model is the lens; the engines are the depth.
One signed path.
Every workflow is threaded end-to-end with a tracking ID, a manifest, and a capability receipt. No untracked agent work.
Join the customer's canopy. Don't replace it.
ContextECF enters your existing trust fabric as a node — not as a new authority that overrides your controls. Raw connector payloads, OAuth tokens, and customer secrets never leave the Fabric Node.
Policy · Manifests · Certification · Reporting
- Mode manifests (signed)
- Policy bundles
- Certification records
- Reviewer workflows
- Aggregate health
- Audit event references
Customer VPC
- Connector traffic
- Shadow Auditor dry-runs
- Data Janitor cleanup
- Local execution
- OAuth tokens (local)
- Raw source data (local)
Customer VNet
- Connector traffic
- Shadow Auditor dry-runs
- Data Janitor cleanup
- Local execution
- OAuth tokens (local)
- Raw source data (local)
Customer DC
- Connector traffic
- Shadow Auditor dry-runs
- Data Janitor cleanup
- Local execution
- OAuth tokens (local)
- Raw source data (local)
Identity stays yours.
Human users authenticate through your IdP (OIDC or SAML). MFA remains enforced by your IdP — ContextECF never bypasses it. Admin, reviewer, approver, and operator roles are mapped from your SCIM directory before any write-capable Mode action is enabled.
Workload Identity Federation replaces long-lived service account keys where your cloud platform supports it. It is not an MFA bypass mechanism.
GitOps as your source of truth.
Publishing a Mode writes the effective manifest, certification metadata, and policy references to your Git repository. Fabric Nodes reconcile from Git, or from a signed control-plane artifact derived from it.
Rollback is a revert. The GUI is never a hidden mutable control plane — every change produces a versioned manifest, a certification record, an audit trail, and a rollback target.
Every action is evaluated against a runtime contract.
This is what "reigning in the risks of AI agents" looks like in practice — not a policy document, but a contract evaluated on every execution request, returning one of five decisions.
| Decision | Meaning |
|---|---|
| REUSED_TRUST | All conditions pass. Proceed without friction. |
| STEP_UP_REQUIRED | Additional authentication or approval needed for this operation. |
| APPROVAL_REQUIRED | Action requires executive or governance approval before proceeding. |
| DENIED | Hard block. Policy conditions not met. Audit event written. |
| BLOCKED_CERTIFICATION_DRIFT | Mode or tool certification has drifted from approved state. Re-certification required. |
The Enterprise Context Ledger.
The platform's central technical contribution. Not a database — a verifiable, append-only memory fabric for enterprise relationships. Every signal that reaches it is a Normalized Context Event, hashed into a per-tenant integrity chain.
Not every signal earns a place in the ledger.
A deterministic four-disposition gate evaluates every inbound signal before NCE creation. Rule-based, not ML — auditable, deterministic, tenant-portable.
| Disposition | Behavior | Example |
|---|---|---|
| DISCARD | Dropped silently. Never reaches the ECL or cache. | Auto-notifications, out-of-office auto-replies. |
| CACHE_ONLY | Stored for pattern learning. Not promoted to ECL. | Acknowledgement-only replies, "thanks", "got it". |
| PROMOTE | Written to ECL as a verified NCE with provenance. | Substantive business communication, decisions, commitments. |
| PROMOTE_WITH_EPISODE | Written to ECL and episode candidate emitted. | Budget approvals, deal decisions, architectural commitments. |
Query the minimum. Skip the rest.
Targeted Search selects the minimum set of connectors needed to satisfy a task — and does not query the others. Our target search technology turns deployment time into structural retrieval quality.
A tenant running ContextECF for 12 months has fundamentally better context retrieval than one who just onboarded. Targeted Search has learned which data sources matter for which task types in your environment.
This improvement is structural and non-transferable. It cannot be replicated by a competitor starting from scratch — the learning is encoded in your ledger.
LLMs are optional. The deterministic floor is not.
Three tiers. Identical input produces identical output through Tier 1 and Tier 2. The LLM augmenter is BYO and gated behind a five-stage validation pipeline — falls back to deterministic output if validation fails.
| Tier | Requirement | Behavior |
|---|---|---|
| Tier 1 Deterministic Engine |
Always runs. | Rule-based extraction of structured sections — progress, risks, stakeholders, milestones. No external calls. Identical input ⇒ identical output. |
| Tier 2 Template Engine |
Optional. No LLM. | Handlebars template rendered from structured sections. Honors recipient communication preferences (bullet points, narrative) from the Directory Service. |
| Tier 3 LLM Augmenter |
Optional. Enterprise only. | Your LLM endpoint (BYO). Output passes through Grounding, Conflict, Quality, Consensus, and High-Stakes validation. Falls back to Tier 2 on failure. |
Default read-only. Action only behind five simultaneous gates.
ContextECF's default posture is observe-and-assemble, never act. Command Capsule execution is available — but only when all five gates pass. The execution scope is computed server-side and signed with SHA-256. Clients cannot forge it.
R4_EXECUTION_ENABLED=trueexecute permission for the action type.Authorized actions (v1).
SEND_REPLY Gmail
CREATE_EVENT UPDATE_EVENT Calendar
UPDATE_OPPORTUNITY CREATE_TASK Salesforce
Side-effect discipline.
External side effects never fire from the HTTP request path. The transactional outbox pattern guarantees exactly-once execution with idempotency keys generated at intent creation time.
A per-tenant, per-system circuit breaker prevents execution against unhealthy target systems. CLOSED → OPEN after 5 failures in 60s → HALF_OPEN after 120s.
Isolation as a first-class constraint.
Every architectural decision is filtered through tenant isolation.
tenant_id is never derived from request headers or body —
it is signed in the JWT and verified at every service boundary.
set_config('app.tenant_id', tenantId, true) on every query
rejectTenantOverride
middleware rejects X-Tenant-Id headers and body-level
tenant_id fields with HTTP 403 on all customer-facing and
data-plane services. Cache entries that cannot be validated against ACL
are evicted and the request is denied, logged, and the entry invalidated.
Marketplace listing to live Modes in 15 days.
The concrete path. Core deployment in 15 days; full Mode go-live including certification typically 30–45 days. ContextECF is listed as an Integrated SaaS on both GCP and AWS Marketplace.
Procurement & Provisioning
Plan selection on GCP or AWS Marketplace triggers automatic entitlement notification. Deployment Studio guides your platform admin through data plane selection, IdP configuration, SCIM sync, and initial policy defaults.
- Data plane: customer-managed GCP, AWS, or ContextECF-managed (SMB tier)
- Identity: OIDC or SAML to your enterprise IdP
- Directory: SCIM provisioning (users, groups, roles, reporting lines)
- Verify control plane:
curl https://api.contextecf.com/health/ready
Connector Authorization
For each system you integrate: OAuth2 admin consent, Application Print scope review, InfoSec sign-off, then enable backfill. Over-broad scopes are flagged before they reach production.
- Connector Gateway validates Application Print scope justification
- Small data sample tested before full backfill enabled
- Fabric Node deployed via Helm for data-residency tenants
Initial Context Ingestion
ECL Writer ingests historical signals. The four-disposition gate classifies each. Hash chain verification runs continuously. After 48–72 hours of ingestion, the assembly engine begins producing context pods.
- Monitoring via
GET /v1/admin/ecl/ingestion-status - Manual chain validation:
SELECT r4_verify_ecl_chain(tenant_id) - First context output verified against a real task
Mode Activation
Five certified baseline Modes ship out of the box. Each is configurable for your org: connector scopes, SCIM group assignments, output sensitivity, execution permission. Shadow Auditor validates before any Mode goes live.
- Solutions Engineer reviews Shadow Auditor evidence
- Signed Mode manifest published to your GitOps repo
- Fabric Node reconciles within 60 seconds of commit
Adoption & ROI Measurement
Mode surfaces deploy through the Halo browser extension, Salesforce LWCs, the admin console, and direct API. Feedback collection activates learning loops. Adoption metrics surface in the admin dashboard.
- Explicit feedback: approve/reject on insights and proposed actions
- Implicit: dwell time, edit ratio, time-to-action
- Context Cost Units (CCU) tracked by department
Five certified Modes ship on day one.
Modes are the user-visible expression of the fabric. The runtime — ECL, Targeted Search, assembly, connectors, governance — is identical across all Modes. Only the capability gate, surface, and Aspect composition change.
| Mode | Primary Users | Core Value |
|---|---|---|
| CodeLedger Engineering | Software engineers · architects | Codebase context, PR history, incident patterns, on-call intelligence. |
| Customer Support Support | Support agents · CSMs | Full customer history, open cases, escalation context, relationship health. |
| Sales Revenue Revenue | AEs · RSDs | Deal intelligence, relationship signals, stakeholder mapping, renewal risk. |
| NetOps Operations | Network engineers · SREs | Operational context, incident correlation, topology awareness. |
| Productivity Cross-functional | All knowledge workers | Meeting prep, decision history, action tracking, context freshness. |
What needs attention right now — alerts, drift signals, open items. Risk surfaced before it becomes incident.
Past decisions, relationship patterns, outcome receipts. Continuity without tribal knowledge dependency.
Recommended actions — governed, explainable, approval-gated. Human-in-the-loop, not autonomous.
What the system knows and doesn't. Confidence, sources, gaps. Auditability built in.
Seventeen MCP connectors. Three layers of read-only enforcement.
Every connector extends MCPConnectorServer with enhanced
OAuth2 + PKCE, token vault, SSRF validation, fetch timeouts, and NCE
normalization. Raw events are never passed downstream.
Opportunity intelligence, stakeholder mapping, account history.
Thread classification, decision extraction, relationship signal.
Meeting cadence, participant resolution, episode anchors.
Channel context, thread linkage, workflow markers.
Transcript ingestion, Memory Admission Policy, DES-lite extraction.
Decision-grade document classification, contract signals.
Workflow linkage, episode formation around delivery items.
Case context, escalation patterns, customer health signal.
Read-only relationship signals. No autonomous outreach. Ever.
Context quality, translated to business velocity.
Every knowledge-work decision begins with a context-gathering phase. In enterprises without context infrastructure, that phase consumes 20–40% of a knowledge worker's day. When context is pre-assembled and delivered in under 10 seconds, the decision cycle collapses.
- Pre-meeting brief prep 15–30 min saved per meeting
- Account context for calls 20–45 min saved per customer call
- Incident response context 5–15 min faster time-to-context at incident start
- Onboarding ramp 20–40% reduction in context ramp time
- Improved renewal rates Drift detection surfaces at-risk accounts 30–60 days earlier
- Faster sales cycles Pre-assembled deal context reduces discovery overhead
- Reduced escalations Support Modes surface case history at contact start
- Lower transition cost Institutional Memory recovers context at role changes
- Relationship coverage % of key accounts with verified ECL history
- Decision coverage % of significant decisions with traceable provenance
- Targeted Search accuracy Precision of context retrieval (learned vs. heuristic)
- Context sufficiency rate % of Mode requests meeting the sufficiency threshold
The risks CTOs face. The runtime controls that answer them.
This isn't a policy stack — these are the architectural constraints enforced at runtime, on every request, with audit events written for every decision.
| Risk Category | Industry Pattern | ContextECF Response |
|---|---|---|
| Autonomous action | AI agents take actions without human approval. | Default read-only. Five-gate authorization. Human approval in the loop. |
| Hallucination | LLM outputs disconnected from business state. | Context assembled from verified events. Tier 1 deterministic floor. |
| Data exfiltration | Enterprise content routed through external AI APIs. | BYO-LLM. Fabric Node keeps raw data local. Control plane stateless vs. content. |
| Scope creep | Connectors accumulate excessive permissions. | Application Prints. Build-time scope justification. Mode Builder flags over-broad. |
| Audit gaps | AI decisions not traceable to source events. | Full derivation provenance on every artifact. ECL-native audit chain. |
| Tenant isolation failure | Multi-tenant systems expose cross-customer data. | JWT-only tenant derivation. RLS at the database. ACL fails closed. |
| Agent impersonation | AI systems act on behalf of users without disclosure. | No autonomous outreach. All output is clearly AI-generated context. |
One runtime. Many surfaces.
The runtime — ECL, Targeted Search, context assembly, signal engine, connectors, governance — is identical across all skins. Switching skins does not delete data. The capability gate hides surfaces that are not licensed.
| Skin | Entitlement | Data Plane | Key Capabilities |
|---|---|---|---|
| Personal Intendo | None — local always | Managed (local SQLite) | Personal ECL, assembly, search, myooo continuity. |
| Team | AWS Marketplace | Managed (Cloud) | + Shared assembly, CRM connectors, org search, drift detection. |
| Enterprise | AWS · GCP Marketplace | Managed or BYO | + Full governance, RBAC, audit export, SSO, SCIM, BYO data plane, BYO LLM. |
Five minutes. Seven points. The whole thesis.
Take this to your next architecture review. If a vendor cannot answer all seven against their stack, they are not selling context infrastructure.
Three layers — access, runtime control, core.
ContextECF is a three-layer AI execution fabric. The Access Layer connects users, agents, tools, and enterprise systems. The Runtime Control Layer compresses context, validates access, escorts the manifest, and blocks unsafe destinations. The Fabric Core records receipts, outcomes, and institutional memory so every future workflow starts smarter.
Context is infrastructure.
ContextECF is not an AI application. It is the context layer that makes enterprise AI reliable — sitting between your enterprise systems and the AI surfaces that need to understand what your organization knows.
The Federated Canopy means you keep control.
Raw data stays in your environment. Your IdP stays your IdP. The fabric joins your trust infrastructure as a node — not the other way around.
Application Prints govern every data access.
Every connector scope is justified by a specific use case in a versioned manifest. Scope creep is a build-time error, not a runtime discovery.
Context compounds.
The longer the fabric runs, the better Targeted Search gets, the richer institutional memory becomes, and the more precise context delivery is. Non-transferable; cannot be replicated by a competitor starting fresh.
Governance is runtime, not policy.
The Federated Canopy Trust Envelope evaluates every action before it occurs. Certification drift blocks execution automatically. The audit chain is traversable from any output back to verified source events.
The ECL is a balance sheet asset.
Customer-owned, verifiable, append-only. Survives vendor relationships. Grows in strategic value over time. Cannot be rebuilt retroactively.
Read the full technical deep-dive.
The complete CTO paper covers the full canonical specification — service inventory, ADR index, observability, scaling architecture, and the IP portfolio. Available under NDA to qualified enterprise evaluation partners and their legal counsel.