They check messages. We check missions.
Intent Capsules are the signed promise. Structural Verification is the proof the promise was kept. A deterministic symbolic floor that cannot be prompt-injected.
Per-call guardrails check individual messages. Content classifiers check individual outputs. But nobody checks whether the trajectory of an entire agent session served its declared intent. Reading ~/.ssh/id_rsa is not inherently malicious. Posting to an external URL is not inherently malicious. Doing both in a "refactor the auth module" session is exfiltration.
Five deterministic checks over the causal graph: SV-SECRET (undeclared secret access), SV-NET (undeclared network egress), SV-SCOPE (filesystem scope violations), SV-ENTITY (unauthorized entity access), SV-EXFIL (causal exfiltration path). The symbolic floor is the guarantee. No LLM in the verification path.