The current procurement vertical uses deterministic checks before action preparation and execution. It is not a production security system; it is a visible portfolio boundary that proves uploaded document content cannot flow straight into a tool call.

• The security scan runs before a mock ERP payload is prepared.
• It scans the run document metadata, extracted notice JSON, evidence snippets, and prepared payload.
• It blocks obvious instruction-injection markers such as ignore previous instructions, exfiltrate, shell-like curl text, callback_url, and evil.example.
• It blocks payload/document publication-number mismatch.
• It allows only expected procurement/source URLs in action payloads: SIMAP and Swissgrid.
• Tool authorization is checked at execution time and only the mock_erp adapter is allow-listed.

• security.scan_passed
• security.scan_blocked
• tool.authorization_passed
• tool.authorization_blocked is reserved for the first non-allow-listed adapter path.

• The scan is deterministic and string-based.
• There is no tenant policy, auth model, secret broker, or real network egress control yet.
• Real ERP/document API writes remain intentionally out of scope for this MVP.