Automated program synthesis lowers the cost of producing implementations but introduces a harder governance problem: determining which generated artifacts are admissible. Natural-language specifications are ambiguous, and example-based tests sample only part of the behavioral space. Used alone, neither provides a sufficient control boundary. We introduce Protocol-Driven Development (PDD), where the primary software artifact is a machine-enforceable protocol rather than code. We define a protocol as the triplet P = (S, B, O), specifying structural, behavioral, and operational invariants. Their conjunction defines the admissible implementation space of a software component. Under PDD, implementations are replaceable realizations discovered through constrained search. An implementation is admitted only if it satisfies the protocol and produces a verifiable Evidence Chain of compliance. Admission is grounded in protocol satisfaction and recorded evidence rather than trust in the generator. For deployed systems, we extend the Evidence Chain into a Dynamic Evidence Ledger. Runtime verifiers append signed observations, invariant checks, and violations to the ledger, allowing monitorable obligations to be continuously attested. This connects live failures back to the generation loop without granting the generator runtime authority. Combining formal methods, property testing, runtime verification, policy-as-code, and software provenance, PDD defines a governance model for automated software engineering. Its organizing principle is that code is transient, while the protocol carries durable authority.

翻译：自动程序合成降低了实现代码的生产成本，却引入了更棘手的治理难题：如何判定哪些生成产物是可接受的。自然语言规约存在歧义性，基于示例的测试仅能覆盖部分行为空间。单独使用任何一种方法都无法提供充分的控制边界。我们提出协议驱动开发范式，其中核心软件制品是可机器执行的协议，而非代码。我们将协议定义为三元组P=(S，B，O)，分别指定结构不变量、行为不变量和运行不变量。三者合取定义了软件组件的可接受实现空间。在PDD范式下，实现是通过约束搜索发现的可置换的具体化方案。仅当实现满足协议且能生成可验证的合规证据链时，方可被接纳。其接纳基础是协议满足性与可追溯证据，而非对生成器的信任。对于已部署系统，我们将证据链扩展为动态证据账本。运行时验证器将签名观测值、不变量检查结果及违规记录追加至账本，使可监控义务得到持续证明。这实现了将运行时故障回连至生成循环，同时不授予生成器运行时权限。PDD融合形式化方法、属性测试、运行时验证、策略即代码与软件溯源，定义了自动化软件工程的治理模型。其核心理念是：代码具有瞬时性，而协议承载持久权威。