Governed execution infrastructure.

The triad

• PASSVerified
• FAILExplicitly failed
• UNKNOWNCannot yet evaluate — not failure, not pass

When the platform doesn't know, it says so. A coerced pass on an unverified gate is a lie that compounds downstream.

Why this matters

An optimistic pass on DMARC sends mail before the domain is actually verified, damaging reputation when the eventual evaluation returns fail. An honest unknown holds the send until the platform has substantively confirmed the state.

This three-state verification applies to every verification surface in Orchestrate. Audit reconstructions show what the platform honestly believed at each moment. Operator cognition stays accurate. Procurement reviewers see operational honesty as a first-class outcome, not an exception.

Execution continuity isn't measured in "uptime percentage." It is rendered as state. The continuity layer holds the window open / closed condition, the timestamp of the last execution cycle, and the timestamp of the next scheduled cycle. Operators see this state directly; the platform does not compute it into a vanity metric.

Recovery is a posture, not a transition. When pacing degrades, the platform moves into a recovering state and stays there until conditions substantively improve. There is no animation pretending recovery is faster than it is.

Run cadence

• Window openIs execution currently permitted
• Last runUTC timestamp of last execution cycle
• Next runUTC timestamp of next scheduled cycle
• Window reasonWhy open or closed — typed

The four modes

• AutonomousRuntime decides and dispatches
• SupervisedDispatches but flags for review
• Approval requiredHuman must approve before dispatch
• Draft onlyDrafts; never dispatches

Compounding

Two or more high risks compounding escalates the platform to draft-only — the runtime drafts but does not dispatch. The platform refuses to compromise this floor under any circumstance.

Tenant preference establishes the floor. Risk can only escalate above it. The runtime never relaxes the tenant's choice.

Audit log doctrine: metadata only — never credentials, never message bodies. The platform persists what was decided, when, why, with what blockers, in what governance mode — at no point does the audit log capture the substantive content of an outbound message or any authentication material.

This isn't a privacy feature retrofitted onto the audit log. It is the audit log's structural doctrine. The platform enforces it.

Operator surface

The operator workspace renders the platform state at three resolutions: per-tenant, per-source, per-decision. The same nine readiness layers visible to clients are visible to operators. The same seven dispatch decisions and the eight-question rationale persist for substantive operator review.

Operator intervention is itself structural — typed audit edges flow from the operator's resolution back into the dispatch record. The operator does not act invisibly.

Most operational systems accumulate competing truth sources — caches, denormalized read models, snapshot tables. Each becomes its own claim, eventually inconsistent with the others. We resolved this at the architectural level: one truth object, one fingerprint, one source.

Every diagnostic surface, every operator decision, every customer-facing readiness display derives from this one object. Read models and caches exist for performance — they are derived from the truth, not parallel to it.

There must be exactly one operational truth object. The fingerprint changes only when something substantively changes. Honest unknowns are first-class state.

The fingerprint enables constant-time change detection across the system. Consumers ask did the truth I care about change? If yes, recompute. If no, the previous result is still valid.