Enforcement decisions run locally and do not depend on network availability.
- Editor or CLI host receives source content at save/evaluate time.
- Host invokes kernel evaluation (stdin or file path flow).
- Kernel parses source into AST for the selected language.
- Kernel runs deterministic rules in defined order.
- Kernel reduces rule decisions into a single allow or block decision.
- Host applies decision before write completion.
- If blocked, host surfaces structured violation output.
- Optional local log entry is written for blocked events.
- Local execution only for the critical enforcement path.
- No remote call required to determine allow or block.
- Enforce and shadow modes share the same rule evaluation path.
If network is unavailable, enforcement behavior is unchanged because the decision path is local-first and offline-capable by design.
- Editor integration path: pre-save hook invokes kernel contract.
- CLI fallback path: direct user or automation invocation for local checks.