Fail-closed by doctrine
KERN blocks ambiguous value movement. Trust posture is explicit, scoped, and auditable.
Trust boundaries
| Boundary | Meaning | Operational implication |
|---|---|---|
| RUNTIME_BOUNDARY | Missing runtime/provider attestation. | No live-provider guarantee claims. |
| MANUAL_BOUNDARY | Human-gated operations remain required. | Critical flows need explicit operator confirmations. |
| LAUNCH_BOUNDARY | Capability exists but is not yet at broad production posture. | Treat as controlled-release scope. |