Governing the Determinism Spectrum in Legal Practice

Skill selection belongs to the model; the lawyer cannot compel a skill to fire. Commands invert that. A command is operator-invoked — a named, logged, auditable entry point into a procedure that runs the same way for every fee-earnerLegal-firm termAnyone in the firm whose time is billable — solicitors, paralegals — as distinct from support staff. in the firm. You cannot make the model choose the right path; you can hand the lawyer a path the model cannot decline.

• /conflict-check — a mandatory, logged conflicts search against current and former clients before any engagement, aligned to the Solicitors' Conduct RulesASCR 2015The binding professional-conduct code for NSW solicitors, made under the Uniform Law — covering confidentiality (r 9), conflicts of interest (rr 10–11) and the paramount duty to the court.Australian Solicitors' Conduct Rules ↗ (concurrent and former-client conflict duties). A conflict check that “usually runs” is a negligence claim in waiting; as a command it is a guaranteed gate with a record that it fired. conflicts
• /intake — one structured intake that runs identically every time and produces a consistent scoping artifact. Where a client arrives with an AI-formed view of merits and cost, the command deterministically surfaces the gap between what the AI implied and what the matterLegal-firm termA lawyer's term for a single client engagement or case — the ‘file’ on which work is done. actually involves — so the lawyer manages an explicit divergence rather than an invisible one. intake
• /costs-disclosure — generates the costs disclosure to a compliant template at matter open (basis of charging plus an estimate of total legal costs), captured in writing as soon as practicable after instructions. The command guarantees the disclosure was actually issued, not merely intended. billing
• /matter-open — encodes “how this firm runs this matter type” as a single invokable path: opening checklist, custodian list, key dates, supervising principal. Case management stops being the sum of each person's personal system and becomes a shared procedure the next person can pick up cold. consistency
• /aml-assess — runs the designated-services assessment and customer due-diligence workflow that becomes mandatory for law practices under the AML/CTF Tranche 2AUSTRAC · from 1 Jul 2026Anti-Money-Laundering / Counter-Terrorism-Financing reform that, from 1 July 2026, makes law practices providing certain “designated services” reporting entities to AUSTRAC — with customer due-diligence, record-keeping and reporting duties (enrolment opens 31 March 2026).Law Society of NSW: designated services ↗ regime. A new obligation lands with a hard commencement date; a command makes “did we assess this matter?” answerable. compliance

whether the conflict, costs and AML steps happened at all.

A skill phase written in natural language leaves both interpretation and code generation to the model at runtime — the right default for novel work, the wrong one for a calculation that must come out the same every time. Once a phase has been generated, reviewed and approved, the code is frozen as a versioned script and the phase reduced to “invoke it.” The non-determinism of re-derivation collapses into a reviewed, auditable artifact.

• Limitation-period calculator. Computes the limitation date deterministically from cause-of-action type and accrual date under the Limitation Act 1969 (NSW)Limitation periodsSets the statutory deadlines for commencing a claim (generally six years for contract or tort). Calculate it wrong and the client's claim can be extinguished.Limitation Act 1969 (NSW) ↗. A miscalculated or missed limitation date is one of the most common and most catastrophic claims against a firm — precisely the kind of arithmetic that must never be improvised afresh. deadlines
• Evidence & chronology assembly. A reproducible pipeline that normalises documents drawn from the DMS, Outlook and the eDiscovery platform into one sourced timeline. The same matter yields the same chronology every run, with every event tied back to a source document — ending the manual cross-referencing across three systems. evidence
• Costs-estimate computation. The s 174 estimate computed from matter parameters and the firm's rate card, so identical inputs produce an identical, defensible figure (or a reasoned range) rather than a number that drifts between fee-earners. billing
• Trust-account reconciliation. The monthly reconciliation arithmetic under the trust-accountingTrust moneyClient money a firm holds (e.g. settlement funds) must sit in a separate trust account under strict rules, reconciled regularly and subject to external examination. Mishandling trust money is among the gravest regulatory breaches.Law Society of NSW: trust-money conditions ↗ rules, computed the same way each period and ready for external examination — not re-improvised. compliance
• Court-form population. Procedural forms populated deterministically from matter data under the Uniform Civil Procedure RulesUCPR 2005 (NSW)The rules of civil procedure for NSW courts — governing pleadings, discovery (Part 21), evidence and the prescribed court forms.Uniform Civil Procedure Rules 2005 (NSW) ↗, removing transcription error from filings. filings

deadlines, trust arithmetic, and the contents of the evidentiary record.

Hooks fire deterministic code at fixed points in the loop. Their headline job here is at the exit — inspecting the turn's output before it is allowed to be “done” — but the same mechanism also gates each tool call: a PreToolUse hook can allow, deny or rewrite a call before it runs, and a PostToolUse hook inspects the result once it returns (though it cannot undo a call that already executed). Any of them can gate the work, and a stop-hook can re-drive it: returning a block decision with a reason prevents the model from stopping and feeds that reason back as its next instruction, so a failed check re-drives the work rather than landing on the lawyer's desk. The checks are not another review the lawyer must perform — they are gates the work has to pass. One guardrail is mandatory at the exit: the harness exposes a flag that is true when the model is already in a forced continuation, and the stop-hook must honour it or it will loop forever.

• Citation & authority verifier. Every cited case and statutory provision is checked against an authoritative source before any draft leaves the harness; an unverifiable citation cannot be the final turn. This is the direct, mechanical answer to the duty — now explicit in the NSW Supreme Court's generative-AI practice notePractice Note SC Gen 23The NSW Supreme Court's rules on using generative AI in proceedings (in force 3 February 2025): every AI-generated citation, authority and reference must be independently verified, and some uses require the court's leave.Supreme Court of NSW: Gen AI ↗ and reinforced by a run of Australian referrals over fabricated cases — that AI output be independently verified. citations
• Privilege gate. Before anything is marked producible in discoveryDiscoveryIn litigation each side must hand over (“give discovery of”) its relevant documents; a “producible” document is one that must be handed over, as opposed to one withheld on privilege grounds.UCPR 2005 (NSW), Part 21 ↗, a deterministic privilege check runs against advice and litigation privilege under the Evidence Act 1995 (NSW)Client legal privilegeSets out privilege in NSW — advice privilege (s 118) and litigation privilege (s 119) — protecting confidential lawyer–client communications from being compelled in evidence.Evidence Act 1995 (NSW) ss 118–119 ↗. Inadvertent disclosure of privileged material is irreversible; this is the canonical thing that must never be left to a model's good odds. privilege
• Confidentiality / egress gate. Blocks any output that would route client-identifying or privileged content to an un-approved destination — the concrete control behind the regulators' warning that confidential information cannot safely be entered into general AI tools. confidentiality
• Connector-access gate. The firm's systems are reached through curated connectors (MCP), not ad-hoc access — and a PreToolUse hook confines each pull from the DMS, Outlook or the eDiscovery platform to the custodians and date range authorised for the matter, denying anything that strays beyond the discovery order before it runs. A PostToolUse hook then stamps chain-of-custody provenance on every document returned and logs the access. The connector supplies the reach; the hooks make that reach scoped, least-privilege and auditable. evidence
• Disclosure gate. An engagement or advice cannot complete until the costs disclosure has issued and the client's consent is recorded — the obligation is enforced at the exit, not trusted to memory. disclosure
• Obligation-register gate. At matter milestones, a deterministic check against the firm's live obligation register (AML/CTF dates, trust deadlines, practising-certificate conditionsPractising certificateThe annual licence to practise in NSW carries statutory conditions — CPD, supervised practice for the newly admitted, and trust-money authorisation.Law Society of NSW: PC conditions ↗, CPDContinuing Professional DevelopmentMandatory annual training. In NSW, 10 CPD units per year (1 April–31 March), including at least one unit in each of four compulsory fields, one of which is ethics.Law Society of NSW: CPD ↗) so the firm sees its compliance posture continuously — instead of learning of a breach only after it has cost something. compliance

Where the property needs judgment rather than a pass/fail rule — “does this advice actually address the question asked?” — a prompt- or agent-type hook runs a cheap evaluator in the same slot. The shape is identical; only the oracle changes.

#!/usr/bin/env python3
"""Stop-hook gate: a draft cannot leave the harness until every cited authority
is verified and no privileged material is marked producible.

The harness invokes this when the model tries to end its turn. Emitting a
"block" decision returns control to the model with `reason` as its next
instruction; exiting 0 silently lets the turn finish.
"""
import json, sys
from firm.verify import unverified_citations, privilege_breaches

payload = json.load(sys.stdin)

# Honour the forced-continuation flag, or this gate loops forever.
if payload.get("stop_hook_active"):
    sys.exit(0)

draft = payload["last_output"]
problems = unverified_citations(draft) + privilege_breaches(draft)
if problems:
    print(json.dumps({
        "decision": "block",
        "reason": "Resolve before finishing:\n- " + "\n- ".join(problems),
    }))
sys.exit(0)

cited authorities, privilege, confidentiality, and disclosure.

A loop construct runs a task repeatedly until a satisfactory outcome is reached. It is not deterministic on its own — but it raises the floor of what the firm can expect, and it composes naturally with hooks: the hook is the oracle, the loop is the driver. The honest caveat is that a loop is only as trustworthy as its verifier; a loop without a real test simply burns time.

• Discovery list, until clean. Redraft the list of documents for production until both the privilege gate and the relevance test pass — convergence on a verifiable property, not a single best-effort pass. discovery
• Pleadings, until conforming. Iterate a pleading until it satisfies the relevant procedural form requirements and the citation verifier reports clean. pleadings
• Chronology, until sourced. Refine the chronology until every event carries a linked source document — no orphan facts surviving into the brief. evidence

that a draft is only “finished” once a named test is satisfied.

A custom wrapper drives the harness through its API or CLI — the most deterministic surface, because the control flow lives in code the firm owns rather than in the model's discretion. A first headless call returns a session identifier; subsequent calls resume that session, preserving full context across turns, so an external program can hold a matter open, insert hard human gates between phases, and bound iteration. The model supplies capability; the wrapper supplies the guarantee that nothing leaves the firm unreviewed.

• Partner sign-off gate. Advice-to-client and court filings are gated behind a supervising principal's approval — a plan/approve/apply flow in which the “apply” step is structurally unreachable without sign-off. Partners stop being accountable for work they never saw. supervision
• Objective matter-state record. The wrapper emits a structured, real-time view of every matter — what ran, what's pending, what's blocked, what's overdue — visible upward without depending on whatever a junior chooses to report, and when. Supervision rests on an objective record rather than self-report. supervision
• Supervised-practice routing. Work by a newly admitted solicitor under a supervised-practice conditionSupervised legal practiceA statutory condition (s 49 of the Uniform Law) requiring newly admitted solicitors to practise only under supervision — typically for two years — before they may practise on their own.Law Society of NSW: PC conditions ↗ is automatically routed through a supervising-principal step, so the condition is enforced by the workflow, not by individual memory. supervision
• Cross-system custody. The wrapper owns the thread that drives the connector calls across the DMS, Outlook and the eDiscovery platform, turning evidence assembly into one governed flow with a single audit trail rather than ad-hoc cross-referencing. evidence

"""Deterministic envelope around the harness for a NSW matter.

The firm — not the model — owns the control flow: it opens a session,
holds it open by session id across turns, and makes the "serve" step
structurally unreachable without a supervising principal's sign-off.
"""
import json, subprocess

def run(prompt, session=None):
    """Run one turn of the harness; return its parsed JSON result.

    :param prompt: the operator instruction for this turn.
    :param session: a session id to resume, or None to open a new matter thread.
    :returns: the result dict, including `session_id` for continuation.
    """
    cmd = ["claude", "-p", prompt, "--output-format", "json", "--max-turns", "8"]
    if session:
        cmd += ["--resume", session]
    return json.loads(subprocess.run(cmd, capture_output=True, text=True).stdout)

draft = run("Draft the advice. Do not serve or file anything.")
sid = draft["session_id"]

# The advice cannot be served without a principal approving it first.
if principal_signs_off(draft["result"]):
    run("Finalise and send the approved advice to the client.", session=sid)

what reaches a client or a court, and who signed off on it.