| title | CRI-CORE Enforcement Contract | ||||||
|---|---|---|---|---|---|---|---|
| filetype | documentation | ||||||
| type | specification | ||||||
| domain | enforcement | ||||||
| version | 0.12.0 | ||||||
| status | Active | ||||||
| created | 2026-02-27 | ||||||
| updated | 2026-04-01 | ||||||
| license | Apache-2.0 | ||||||
| author |
|
||||||
| maintainer |
|
||||||
| ai_assisted | partial | ||||||
| anchors |
|
CRI-CORE is a deterministic enforcement kernel that determines whether a proposed state mutation is allowed to execute.
It operates at the execution boundary.
The kernel evaluates structural, authority, integrity, binding, and publication constraints over a run artifact and produces a single outcome:
- execution allowed
- execution blocked
CRI-CORE enforces:
- Run structure requirements
- Contract version gating
- Contract identity binding
- Identity independence and role separation
- Cryptographic integrity and finalization
- Publication gating
- Commit authorization
CRI-CORE does not:
- Interpret claim content
- Evaluate correctness or truth
- Enforce domain semantics
- Resolve external system state
- Perform lifecycle orchestration
Passing CRI-CORE indicates that execution is structurally admissible.
Failing CRI-CORE prevents execution.
CRI-CORE is not a validation layer.
It is an execution control mechanism.
The kernel does not produce advisory output.
It produces a deterministic authorization decision:
commit_allowed ∈ {true, false}
If commit_allowed = false, the mutation MUST NOT execute.
The kernel does not enforce execution externally.
It defines the boundary at which execution is permitted or denied.
The pipeline executes in the following deterministic order:
- run-structure
- structure-contract-version-gate
- structure-contract-hash-gate
- independence
- integrity
- integrity-finalization
- publication
- publication-commit
The stage order is fixed.
publication-commit defines the execution decision:
commit_allowed = publication_commit_stage.passed
No subsequent stage may override this decision.
CRI-CORE enforces deterministic binding between a mutation proposal and the compiled governance contract used during enforcement.
A proposal MUST reference the governing contract using:
contract.id
contract.version
contract.hash
During enforcement:
proposal.contract.hash == compiled_contract.contract_hash
If this condition fails:
- the run is rejected
- execution is blocked
This ensures that a proposal cannot be evaluated under a different contract than the one it was created against.
The kernel verifies contract identity only.
It does not interpret governance policy structure.
A valid run directory MUST contain:
contract.jsonreport.mdrandomness.jsonapproval.jsonvalidation/
These artifacts define the proposed mutation context prior to sealing.
Finalization MUST produce:
SHA256SUMS.txtpayload.tar.gz
If contract_version >= 0.3.0, finalization MUST also produce:
binding.jsonSEAL.json
A finalized run is immutable.
Any modification invalidates enforcement.
If required_roles is declared:
identitiesMUST be present- Each required role MUST be satisfied
- No identity may satisfy more than one required role
Violations result in:
- enforcement failure
- execution blocked
If required_roles is absent:
- independence passes structurally
Independence is enforced at the level of identity structure only.
The integrity stage:
- Verifies presence of integrity context
- Validates
SHA256SUMS.txtif present - Performs no writes
Finalization produces:
payload.tar.gzSHA256SUMS.txtbinding.json(>= 0.3.0)SEAL.json(>= 0.3.0)
Finalization MUST NOT execute if any prior stage has failed.
binding.json MUST:
- Hash
contract.json - Hash the artifact declared via
claim_ref - Hash
approval.json(if present) - Produce deterministic
binding_hash
If claim_ref is declared:
- the referenced artifact MUST exist
- its hash MUST be included
Binding failure results in execution being blocked.
SEAL.json MUST:
-
Hash all files recursively under the run directory
-
Exclude:
SEAL.jsonpayload.tar.gzSHA256SUMS.txt
-
Include:
sha256sums_hashpayload_hash
-
Produce deterministic
seal_hash
Any mismatch invalidates the run and blocks execution.
The seal provides tamper evidence over the entire run surface.
Enforcement fails if any stage fails.
Failure conditions include:
- Missing required artifacts
- Contract binding mismatch
- Independence violations
- Integrity verification failure
- Binding invariant violation
- Seal invariant violation
- Stage ordering violation
If enforcement fails:
commit_allowed = false
Execution MUST NOT occur.
This contract follows semantic versioning:
- MAJOR — Breaking enforcement behavior
- MINOR — Backward-compatible enforcement additions
- PATCH — Editorial or diagnostic updates
Each run is evaluated under its declared contract_version.
Enforcement behavior is version-isolated.
Silent changes to enforcement semantics are prohibited.