Attorney Command System

I am a practicing attorney, and I wrote the software behind my own legal practice. I call the system the Attorney Command System — ACS from here on — and I send the repository to a General Counsel’s lead engineer before our first call. In 2026, an enterprise hiring outside counsel for AI-native legal work should be able to read that lawyer’s code the way the lawyer reads their contracts.

ACS is, in one sentence, a persistent system that runs the legal work end to end — intake, enrichment, drafting, redlining, risk scoring, export — and hands me a clean deliverable to review, sign, and send. The attorney is the final surface, not the first one. Every command runs the same middleware against the same corpus, the same way every time, so the time I would otherwise spend assembling context, pulling prior redlines, and chasing down the template of record is already done before the draft reaches me. What arrives is the version the machine would ship; my job is to exercise the judgment that says yes, revise, or no.

A second piece of vocabulary lives inside the same codebase: the privilege shield — the architectural posture that keeps everything ACS produces inside attorney-client privilege and work-product protection. Privilege is not a checkbox bolted onto an output; it is a property of how the system is operated, end to end, by an attorney.¹

What ACS Actually Is

The whole system is operated through four Slack commands, and they are the only front door:

• /review marks up a contract.
• /send drafts and sends an email, letter, or notice.
• /template generates a clean instrument from your paper.
• /help answers a specific legal question in writing.

Four verbs cover the majority of transactional outside-counsel work for a growing company.² The commands are not attorney-only. A sales rep negotiating an MSA, a recruiter on an offer letter, a security engineer responding to a DPA, a founder reviewing a term sheet — any of them can invoke the commands from the Slack channel they already use. An attorney stands behind every output.

export async function dispatchSlackCommand(envelope: CommandEnvelope): Promise<unknown> {
  const enriched = await runEnrichmentMiddleware(envelope);
 
  switch (envelope.command) {
    case 'review':
      return handleReview(enriched);
    case 'send':
      return handleSend(enriched);
    case 'template':
      return handleTemplate(enriched);
    case 'help':
      return handleHelp(enriched);
    default:
      throw new Error('Unsupported command');
  }
}

No command produces work product on its own. Before any draft reaches a human, the dispatcher hands the envelope to a shared middleware that runs a fixed pipeline: create a record, resolve the matter’s variables from the tenant’s playbook,³ canonicalize the input to Markdown, diff against the client’s own precedent corpus, and write an audit event for every step. The model never sees a document in isolation; it sees the document plus the playbook plus whatever integration context is wired in.

export async function runEnrichmentMiddleware(envelope: CommandEnvelope): Promise<EnrichedRecord> {
  const recordId = newRecordId();
  await createRecord(recordId, envelope.tenantId, envelope.command, envelope.actorSlackId);
  await insertAuditEvent('record_creation', recordId, `Created record ${recordId}`);
 
  const variables = await resolveVariables(recordId, envelope.tenantId, envelope.actorSlackId, envelope.requestedVariables);
  await upsertRecordVariables(recordId, envelope.tenantId, variables);
  // ... required-variable gate elided ...
 
  const canonicalMarkdown = envelope.source
    ? await canonicalizeToMarkdown(envelope.source.kind, envelope.source.content ?? envelope.source.pointer)
    : '';
  await writeRecordVersion(recordId, envelope.tenantId, canonicalMarkdown);
 
  const flywheelContext = await loadFlywheelContext(envelope.tenantId, envelope.command);
  const riskSummary = diffAgainstRiskRecords(canonicalMarkdown, flywheelContext);
  await insertRiskRecord(recordId, envelope.tenantId, riskSummary);
 
  return { recordId, envelope, variables, canonicalMarkdown, flywheelContext, riskSummary };
}

That single shared middleware is the design choice that lets a lawyer-led practice run AI-native work without losing the audit trail or the privilege posture. Anything that skips it cannot exist.⁴

The Markdown Substrate

Every source format — .docx, PDF, Google Doc, plaintext — is normalized into canonical Markdown before it touches a model or a diff engine. Canonicalization is what makes deterministic diffing possible: a /review on a counterparty’s MSA produces a Markdown document that can be diffed against the last eight versions of that MSA inside the client’s own file, and the diff is stable across Word’s invisible formatting and the counterparty’s PDF pagination. The corpus a /review runs against is the client’s own; cross-tenant learnings are not in the MVP.

export async function canonicalizeToMarkdown(kind: 'docx' | 'pdf' | 'gdoc' | 'text', input: Buffer | string): Promise<string> {
  if (kind === 'text') return String(input).trim();
  if (kind === 'docx') {
    const { value } = await mammoth.convertToMarkdown({ buffer: Buffer.isBuffer(input) ? input : Buffer.from(input) });
    return normalizeMarkdown(value);
  }
  if (kind === 'pdf') {
    const parsed = await pdf(Buffer.isBuffer(input) ? input : Buffer.from(input));
    return normalizeMarkdown(parsed.text);
  }
  return normalizeMarkdown(String(input));
}

Markdown is not just the internal substrate. It is also the export format, and that choice is deliberate. Every export the system produces is a signed, manifested Markdown bundle: a SHA-256 manifest, an ed25519 signature, and an attestation that travels inside the bundle. If the engagement ends — for any reason — the client walks with the full privileged corpus, cryptographically attested, and hands it to substitute counsel who can read Markdown.⁵ No mailbox archaeology. No vendor export fee. No lock-in.

Privilege as Architecture

This is the section a General Counsel will linger on longest. The architectural claim is that an AI system designed, configured, and operated by an attorney as part of the attorney’s own practice — prompts, retrieval, middleware, audit trail, export format — is an agent of counsel in the sense the doctrine has long recognized, and the privilege and work-product protection that cover the attorney cover the system.⁶

Tenant isolation is enforced at the database. Every primary table carries a row-level-security policy keyed to the tenant ID in the caller’s JWT; on every read and every write, Postgres checks that ID against the row and returns or rejects accordingly.

create policy tenant_isolation_records on public.records
for all using (tenant_id = public.current_tenant_id())
with check (tenant_id = public.current_tenant_id());

Every AI call runs under attorney direction as an agent in furtherance of legal advice. Every integration pull is logged as an attorney-directed legal-support action, not a generic business retrieval. Every outbound /send is routed through attorney review and BCCs the audit log so chain of custody and classification survive any later challenge. Every /help advice note is marked ATTORNEY-CLIENT PRIVILEGED and/or ATTORNEY WORK PRODUCT with explicit audience scope before it is written anywhere.

This design answers ABA Formal Opinion 512 directly rather than gesturing at it.⁷ Competence is satisfied because the attorney configures the model calls, the prompts, the retrieval, and the diff engine. Confidentiality is satisfied by tenant-scoped RLS, encrypted transit and rest, and a no-training posture. Supervision is satisfied because every AI call runs inside attorney-directed middleware with an audit event on each step.

To be clear: no court has yet held that an AI under attorney-directed middleware is a Kovel agent on these specific facts.⁸ The doctrinal posture is a considered bet on where existing case law points when synthesized, and ACS is built to be the clean test case if the question is ever litigated.

Why This Is Different From the Big Platforms

The dominant legal-AI platforms are something else. Harvey raised $200 million at an $11 billion valuation in March 2026 and reports use across 1,300 organizations and more than 100,000 attorneys.⁹ Thomson Reuters’ CoCounsel runs as a unified agentic platform grounded in Westlaw and Practical Law content, with bulk document review across as many as 10,000 documents and customizable workflow plans.¹⁰ LexisNexis’ Protégé runs an integrated agent layer across the Lexis content stack.¹¹ These are formidable products built by serious teams, and configuring them well is a real skill.

ACS is not trying to be that product. The differences are intentional.

• Practice-specific, not horizontal. ACS is one attorney’s practice expressed in code — middleware, prompts, schema, privilege policies — for a specific kind of transactional work. The platforms are built to serve every firm and every practice area, which means the legal judgment inside them is necessarily the lowest common denominator across customers.
• Lawyer-operated, not vendor-configured. The configuration choices in ACS — what gets escalated, what gets auto-flagged, what counts as a deviation, when a /send requires a second pair of eyes — are the attorney’s professional judgment, not a vendor’s product spec. A firm that adopts a horizontal platform configures the platform; ACS is the configuration.
• Composable and lightweight, not all-in-one. ACS is four commands, one middleware, one Markdown substrate, one audit table, one signed export. It does not try to replace research, e-billing, document management, or matter management; it integrates with the systems the client already runs (Slack, Google Workspace, Notion, Salesforce, the EOR).
• Client/matter-native, not seat-licensed. The corpus accumulates inside the client’s own tenant from day one. The diff window is the client’s history, not an industry benchmark. The export is the client’s, signed and portable. There is no platform vendor between the client and their own work product.
• Sellable two ways. ACS runs as direct legal practice infrastructure — outside counsel using it to represent clients today — and as a managed service offering, deployable inside a General Counsel’s team as the legal-operating layer underneath their stack. Same codebase, same substrate, both sides of the engagement.

Pricing follows the same posture. Engagement is usage-based, per command, on a card-on-authorization basis: you authorize a card that is not charged until commands run, and each /review, /send, /template, and /help is the billable unit. No retainer. No hourly meter. No seat license that bills whether or not the work happens.¹²

What This Lets a Practice Do

A small, lawyer-led practice with this stack can do work that, in the conventional shape of outside counsel, takes four specialists at three firms billing hourly against separate silos. The substrate compounds. Every redline becomes a record. Every record sharpens the next /review. Every export is a signed Markdown bundle the client can verify themselves. The economics of usage-based pricing are only honest if the marginal cost of a command actually approaches zero, which is what running a single shared middleware against a single canonical substrate produces.

The bar for outside counsel in 2026 is no longer “do you use AI?” — it is whether the client’s own engineering team can read your code without wincing. If the answer is yes, the work is AI-native in the strict sense. If the answer is no, the work is AI-assisted, which is a different and good thing, but it should not borrow the same vocabulary.

ACS is one attempt to clear the stricter bar. The repository is source-available — public so a client’s engineers can read what the system is doing before they trust it.¹³ You can read it, criticize it, and run it locally for evaluation; using it with real stakeholders rides on an engagement with the practice or a separate license. The point is that the code is the contract. If there is a better version of this — and there will be, written by lawyers I have not met yet — the way to make the case is the same way: ship the system, hand it to the engineer, and let the work speak.

Footnotes

1. The privilege shield, named. I refer to the privilege architecture inside the codebase as the “privilege shield” — a posture, not a guarantee. Treating it as a property of the system rather than a label on an output is the move that makes it defensible. The shield is the combination of tenant isolation, attorney-directed middleware, no-training contracts, audit logging, and explicit privilege headers on outbound work product. ↩

2. What “transactional outside-counsel work” means here. Commercial agreements, employment and contractor paper, vendor and customer contracts, board and corporate memos, privacy and security exhibits, and the near-daily redline flow around them. ACS is not built today for litigation, M&A diligence, regulatory filings before federal agencies, patent prosecution, employment investigations, or bet-the-company disputes. Specialist counsel layer into the same tenant for that work; ACS does not try to replace them. ↩

3. The conversational playbook. The playbook is the tenant’s living brief — your business, your counterparties, your commercial positions, your prior decisions — that intake populates and every command updates and reads against. As integrations come online (Salesforce, Notion, Google Workspace, the EOR), the playbook is enriched automatically from those surfaces. The playbook is deliberately the primary context layer today: it is conversational, it ships on day one, and it gets sharper every time a command runs against it. ↩

4. The “no command skips the middleware” rule, honestly stated. Today the rule is enforced at the dispatcher and by code review — a second entry point that bypassed the middleware would fail review, not fail at runtime. The hosted deployment path moves the rule into the database through WITH CHECK row-level-security on audit_events and an edge-function-only write path, so the infrastructure itself refuses writes that did not come through the middleware. Until then, the rule is required by design and enforced by review. ↩

5. Signing modes. The default mode is HMAC-SHA256 with a key the practice holds — fast, and the right tool when the only person who needs to verify a bundle is us. For anything leaving our control — a bundle going to a client, a court, or an adverse party — the CLI switches to ed25519, a public-key signature: we sign with a private key we hold, and the recipient verifies with the matching public key. They do not need our secret, which is the point. Both modes are round-trip tested. ↩

6. The doctrinal line. Two recent decisions sharpen the rule. United States v. Heppner (S.D.N.Y. 2026) held that materials a litigant generated using a public AI tool — without counsel’s direction and without the confidentiality the privilege requires — were not protected by either the attorney-client privilege or the work-product doctrine. The rule the court applied is the oldest in the privilege book: confidence cannot survive deliberate disclosure to a third party that is free to use and share what was said. Warner v. Gilbarco, Inc. (E.D. Mich. 2026) reached the opposite result on adjacent facts: the litigant was a licensed attorney appearing pro se on his own matter, and the AI-assisted outputs survived as work product because a lawyer was supervising the system at the moment the communications were made. The axis is supervision: AI is a Kovel agent of counsel when an attorney configures, directs, and supervises it under the duties of competence, confidentiality, and oversight; it is a third-party recipient when no such attorney is in the loop. United States v. Kovel, 296 F.2d 918 (2d Cir. 1961), is the agent-of-counsel doctrine the analysis descends from. ACS is built to fall on the Warner/Kovel side of that line by design. ↩

7. ABA Formal Opinion 512. The ABA Standing Committee on Ethics and Professional Responsibility’s Formal Opinion 512 (July 2024) addresses the duties of competence, confidentiality, communication, candor, supervision, and reasonable fees in the context of generative AI. It does not bless any particular technology; it sets the duties an attorney must satisfy when using one. ACS is designed to map onto each of those duties at an architectural level rather than at the level of a disclaimer. ↩

8. The honest state of the doctrine. No court has held — yet — that an AI system operated under attorney-directed middleware satisfies Kovel on its specific facts. The doctrine points that way, Warner gestures that way, and the structural arguments are strong. A client adopting ACS is adopting a posture with strong doctrinal support that has not yet been specifically litigated. That is the honest framing in 2026, and pretending otherwise would be the failure mode worth avoiding. ↩

9. Harvey, March 2026. Harvey announced a $200 million Series F at an $11 billion valuation; CNBC reported the company described use across more than 100,000 attorneys at 1,300 organizations. See CNBC’s coverage of the round. The point of citing the figures is not to disparage the platform — it is to mark how different the customer footprint and the configuration model are from a single attorney shipping their own system. ↩

10. Thomson Reuters CoCounsel. Thomson Reuters’ November 2025 release describes an agentic CoCounsel Legal platform with bulk document review across up to 10,000 documents and customizable workflow plans grounded in Westlaw and Practical Law content. See Thomson Reuters CoCounsel. The platform is excellent for what it is built to be — a research-and-workflow stack across an established content corpus. It is not a practice-specific lawyer-operated system, and that is the difference ACS turns on. ↩

11. Lexis Protégé. LexisNexis’ Protégé is the agent layer across the Lexis stack, integrating drafting, research, and document analysis. Product information at LexisNexis Protégé. Same observation as for CoCounsel: a different product category for a different buyer, and a different theory of where legal judgment lives. ↩

12. Pricing, plainly. Per-command billing exists because the marginal cost of a /review is effectively zero once the substrate is built. Hourly billing for that work is not a description of cost; it is a description of a status quo the AI-native model is allowed to leave behind. A flat-fee band for clients whose volume stabilizes is the natural next step. ↩

13. Source-available, not open source. The seed of the architecture lives at github.com/stephenratner/ai-native-lawyer. Public so a client’s engineers or GC can read and locally evaluate the system; not open source, and production or client-facing use rides on a separate engagement or commercial license. ↩