On accessPolicy — sub-agents in Envelope are the tools: each defines its own access scope, the supervisor just knows what's available. Where the concern is valid is function-level tool calls — no first-class tool definition layer yet, so HTTP access scope ends up at the agent level rather than the tool.

On gates — the per-record model handles dynamic output you can't pre-declare at schema time, and timeout/onReject are runtime routing decisions. The action type specifically is doing real work — irreversible step, explicit approval required before it fires.

On trigger logic: agreed. XOR isn't expressible with the current set, and recursive conditions are almost certainly the v2 shape.

Read some of your other stuff. I think we're on the same track, which is interesting! Everyone in our (admittedly SF-centric) circles is trying to chase this down from the model path rather than building the consistent execution layer that we believe all of these solutions will need.

Wishing you luck with the project!