Governance sits in-path at the irreversible boundary
Proposals can come from anywhere. Execution authority must be separated and mediated at runtime. Nyxi-style governance enforces invariants at execution time and fails closed when they cannot be verified.
1) Identify the irreversible sink
A sink is the point where internal intent becomes an external, irreversible effect.
- Governance is applied to declared sinks, not to your entire system.
- The engagement begins by specifying where commit happens and what “side effect” means for each sink.
2) Define execution invariants (ALLOW conditions)
- Invariants are runtime predicates that must be true for execution to proceed.
- They are defined at the boundary where effects become irreversible (not upstream).
- If invariants cannot be evaluated with sufficient certainty: fail-closed ⇒ VETO.
3) Enforce proposer ≠ executor
- Proposal sources (humans, services, models, schedulers) are treated as non-authoritative.
- The governance layer is the final authority at the irreversible boundary.
- This prevents “intent confidence” from silently becoming “execution authority”.
4) Produce boundary evidence (veto/allow semantics)
- VETO path: evidence that no irreversible side effects were performed through the governed path.
- ALLOW path: evidence that the irreversible action did occur and correlates to the decision.
- Evidence is packaged for engineering review as an Evidence Pack.
5) Scope clarity: what this does and does not do
- Governs only the sinks you declare and only at their irreversible boundaries.
- Not a general security system, not an “all actions” policy engine, and not compliance certification.
- Specifically prevents invalid execution from crossing irreversible boundaries.
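The following Python example is added here to illustrate steps 1 to 4 together; it is not Nyxi's implementation. The `Sink` class, the wire-transfer sink, its two invariants and the hash-chained evidence records are assumptions made for the example, and all inputs are constructed.

```python
import hashlib
import json
from dataclasses import dataclass, field
from typing import Callable

@dataclass
class Sink:
    """A declared irreversible sink plus its execution-time invariants (hypothetical API)."""
    name: str
    commit: Callable[[dict], str]      # performs the side effect, returns a receipt
    invariants: dict                   # invariant name -> predicate(action) -> True / False / None
    evidence: list = field(default_factory=list)

    def _record(self, proposer, action, decision, reasons, receipt=None):
        # Assumption: records are hash-chained so later edits are detectable.
        prev = self.evidence[-1]["digest"] if self.evidence else "0" * 64
        body = {"sink": self.name, "proposer": proposer, "action": action,
                "decision": decision, "reasons": reasons, "receipt": receipt, "prev": prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        self.evidence.append({**body, "digest": digest})
        return self.evidence[-1]

    def execute(self, proposer: str, action: dict):
        """Single mediated path to commit(); the proposer's identity grants no authority."""
        reasons = []
        for name, predicate in self.invariants.items():
            try:
                result = predicate(action)
            except Exception as exc:   # invariant could not be evaluated
                result, name = None, f"{name} ({type(exc).__name__})"
            if result is not True:     # False and "unknown" both fail closed
                reasons.append(name)
        if reasons:
            return self._record(proposer, action, "VETO", reasons)  # commit() is never called
        receipt = self.commit(action)
        return self._record(proposer, action, "ALLOW", [], receipt)

def demo():
    sent = []                          # stands in for the external, irreversible system
    def wire(action):
        sent.append(action)
        return f"tx-{len(sent)}"
    sink = Sink("wire_transfer", wire, {
        "amount_within_limit": lambda a: a["amount"] <= 1000,
        "approved": lambda a: a.get("approved"),
    })
    outcomes = [sink.execute("model", {"amount": 50, "approved": True}),
                sink.execute("scheduler", {"amount": 5000, "approved": True}),
                sink.execute("human", {"approved": True})]  # amount missing: unverifiable
    return sink, sent, outcomes
```

The VETO records carry no receipt and `sent` stays unchanged for them, while the ALLOW record carries the receipt returned by the sink, which is what ties the decision to the effect.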
🔎 Small glossary
- Irreversible sink: the boundary where effects become non-retractable
- Invariant: condition that must hold at execution time to allow execution
- ALLOW / VETO: final decision at the boundary (fail-closed behavior)
- Evidence Pack: artifacts demonstrating veto/allow outcomes at the governed boundary