TrigGuard
TRIGGUARD DECISION_MODEL

DECISION VS ENFORCEMENT

Receipts express decisions. Runtimes express enforcement. One-line rule: Decisions DENY. Systems BLOCK.

EVALUATION FLOW

Conceptual path from caller intent to runtime outcome. Decisions live on receipts; enforcement is what the execution surface does with that evidence.

  1. Intent (structured request)
  2. Policy evaluation
  3. Decision (PERMIT | DENY | SILENCE)
  4. Signed receipt
  5. Runtime enforcement (EXECUTED | BLOCKED)

CANONICAL ENUMS
  • Decision (receipt-safe): PERMIT | DENY | SILENCE
  • Enforcement (runtime-safe): EXECUTED | BLOCKED
  • Evaluation state: COMPLETE | INDETERMINATE. SILENCE implies INDETERMINATE.
  • Receipt status: SIGNED | UNSIGNED | INVALID

SILENCE

SILENCE means no authorization was issued. Without authorization, execution cannot proceed. Enforcement in a conformant integration is BLOCKED (fail-closed).

CONTRACT INVARIANTS
  • A. A receipt decision MUST be PERMIT, DENY, or SILENCE.
  • B. BLOCKED MUST NOT appear as a receipt decision.
  • C. Any decision other than PERMIT MUST yield enforcement = BLOCKED in a conformant integration (non-conformant callers are control failures).
  • D. SILENCE is decision-layer indeterminacy, not an enforcement label.
  • E. Every DENY and SILENCE MUST carry a mandatory reason_code (deterministic taxonomy).

CORRECT PAIRING
{
  "decision": "DENY",
  "enforcement": "BLOCKED"
}

Mapping: PERMIT → EXECUTED or BLOCKED (only if downstream fails or operator aborts). DENY → BLOCKED. SILENCE → BLOCKED.

PUBLIC WORDING

Use PERMIT / DENY / SILENCE in protocol, receipts, and auditor-facing specs.

Use EXECUTED / BLOCKED in dashboards, traces, and operator records.

Do not collapse decision and enforcement into one axis: keep PERMIT / DENY / SILENCE for decisions and EXECUTED / BLOCKED for enforcement.

  • DECISION (receipts, protocol): PERMIT | DENY | SILENCE
  • ENFORCEMENT (runtimes, systems): EXECUTED | BLOCKED

MINIMAL EXAMPLES
// Decision response
{
  "request_id": "req_01JXYZ",
  "decision": "DENY",
  "evaluation_state": "COMPLETE",
  "reason_code": "TG_DENY_SURFACE_FORBIDDEN",
  "reason_summary": "Requested surface is not permitted under active policy.",
  "receipt_id": "rcpt_01JXY2",
  "receipt_status": "SIGNED",
  "decided_at": "2026-03-20T13:58:00Z"
}

// Enforcement event
{
  "event_id": "evt_01JXYZ",
  "request_id": "req_01JXYZ",
  "receipt_id": "rcpt_01JXY2",
  "decision": "DENY",
  "enforcement": "BLOCKED",
  "enforced_by": "trigguard-gateway",
  "execution_surface": "payments.execute",
  "occurred_at": "2026-03-20T13:58:01Z"
}
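
A conformance check for contract invariants A, B, C and E and the SILENCE implies INDETERMINATE rule, as an added Python example (not TrigGuard's own code). The function name, the violation strings and the receipt-to-event linkage check are assumptions, and receipt signatures are not verified here.

```python
# Added example. Field names follow the page's minimal examples; the function
# name and the violation strings are assumptions made for illustration.
DECISIONS = {"PERMIT", "DENY", "SILENCE"}
ENFORCEMENTS = {"EXECUTED", "BLOCKED"}

def check_conformance(receipt, event):
    """Return the list of violated rules; an empty list means conformant."""
    violations = []
    decision, enforcement = receipt.get("decision"), event.get("enforcement")
    if decision == "BLOCKED":
        violations.append("B: BLOCKED used as a receipt decision")
    elif decision not in DECISIONS:
        violations.append("A: decision not in PERMIT | DENY | SILENCE")
    if enforcement not in ENFORCEMENTS:
        violations.append("enum: enforcement not in EXECUTED | BLOCKED")
    # C: fail-closed. Only PERMIT may reach EXECUTED; PERMIT may still be BLOCKED.
    if decision != "PERMIT" and enforcement != "BLOCKED":
        violations.append("C: non-PERMIT decision was not BLOCKED")
    # Enum note: SILENCE implies evaluation_state INDETERMINATE.
    if decision == "SILENCE" and receipt.get("evaluation_state") != "INDETERMINATE":
        violations.append("enum: SILENCE without INDETERMINATE")
    # E: DENY and SILENCE carry a reason_code.
    if decision in ("DENY", "SILENCE") and not receipt.get("reason_code"):
        violations.append("E: missing reason_code")
    # Assumption, not a page invariant: the event echoes the receipt it enforces.
    for key in ("request_id", "receipt_id", "decision"):
        if receipt.get(key) != event.get(key):
            violations.append(f"link: {key} differs between receipt and event")
    return violations

# Records reuse the page's example values; FAIL_OPEN_EVENT and SILENT_RECEIPT
# are constructed to show violations.
DENY_RECEIPT = {"request_id": "req_01JXYZ", "decision": "DENY",
                "evaluation_state": "COMPLETE",
                "reason_code": "TG_DENY_SURFACE_FORBIDDEN",
                "receipt_id": "rcpt_01JXY2", "receipt_status": "SIGNED"}
DENY_EVENT = {"request_id": "req_01JXYZ", "receipt_id": "rcpt_01JXY2",
              "decision": "DENY", "enforcement": "BLOCKED"}
FAIL_OPEN_EVENT = dict(DENY_EVENT, enforcement="EXECUTED")
SILENT_RECEIPT = dict(DENY_RECEIPT, decision="SILENCE", reason_code="")

if __name__ == "__main__":
    print(check_conformance(DENY_RECEIPT, DENY_EVENT))
    print(check_conformance(DENY_RECEIPT, FAIL_OPEN_EVENT))
    print(check_conformance(SILENT_RECEIPT, DENY_EVENT))
```

Running such a check over paired receipt and enforcement logs surfaces fail-open integrations, which invariant C classes as control failures.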