Governed execution infrastructure.

The triad

• PASSVerified — substrate-confirmed
• FAILExplicitly failed
• UNKNOWNSubstrate cannot yet evaluate — not failure, not pass

When the substrate doesn't know, it says so. A coerced pass on an unverified gate is a lie that compounds downstream.

Why this matters

An optimistic pass on DMARC sends mail before the domain is actually verified, damaging reputation when the eventual evaluation returns fail. An honest unknown holds the send until the substrate has substantively confirmed the state.

The substrate's CanonicalDnsCheck = 'pass' | 'fail' | 'unknown' triad applies to every verification surface in Orchestrate. Audit reconstructions show what the substrate honestly believed at each moment. Operator cognition stays accurate. Procurement reviewers see substrate honesty in the type itself.

Execution continuity isn't measured in "uptime percentage." It is rendered as substrate state. The continuity layer holds window.open as a typed boolean, lastRun as a UTC timestamp, nextRun as a scheduled UTC timestamp. Operators see this state directly; the substrate doesn't compute it into a vanity metric.

Recovery is a posture, not a transition. When pacing degrades, the substrate transitions to the recovering bucket and stays there until conditions substantively improve. There is no animation pretending recovery is faster than it is.

Run cadence

• window.openBoolean — is execution currently permitted
• lastRunUTC timestamp of last execution cycle
• nextRunUTC timestamp of next scheduled cycle
• windowReasonWhy open or closed — typed

The four modes

• autonomousRuntime decides and dispatches
• supervisedDispatches but flags for review
• approval_requiredHuman must approve before dispatch
• draft_onlyDrafts; never dispatches

Compounding

Two or more high risks compounding escalates the substrate to draft_only — the runtime drafts but does not dispatch. The substrate refuses to compromise this floor under any circumstance.

Tenant preference establishes the floor. Risk can only escalate above it. The runtime never relaxes the tenant's choice.

Audit log doctrine: metadata only — never credentials, never message bodies. The substrate persists what decided, when, why, with what blockers, in what governance mode — at no point does the audit log capture the substantive content of an outbound message or any authentication material.

This isn't a privacy feature retrofitted onto the audit log. It is the audit log's substrate doctrine. The schema enforces it. The procurement reviewer who reads this section verifies it by grepping the codebase.

Operator surface

The operator workspace renders the substrate state at three resolutions: per-tenant, per-source, per-decision. The same nine readiness layers visible to clients are visible to operators. The same seven dispatch decisions and the eight-question rationale persist for substantive operator review.

Operator intervention is itself substrate — typed audit edges flow from the operator's resolution back into the dispatch record. The operator does not act invisibly.

Most operational systems accumulate competing truth sources — caches, denormalized read models, snapshot tables. Each becomes its own claim, eventually inconsistent with the others. We resolved this at the architectural level: one truth object, one fingerprint, one source.

Every diagnostic surface, every operator decision, every customer-facing readiness display derives from this one object. Read models and caches exist for performance — they are derived from the truth, not parallel to it.

There must be exactly one operational truth object. The fingerprint changes only when something substantively changes. Honest unknowns are first-class state.

The fingerprint enables O(1) change detection across the system. Consumers ask did the truth I care about change? If yes, recompute. If no, the previous result is still valid. The fingerprint is the substrate's epoch counter.