Core Principles
Fail Secure
On failure, default to DENY, not ALLOW. No action proceeds when governance cannot be evaluated.
Fail Auditable
All failures MUST be logged. No silent failures allowed in governance systems.
Fail Gracefully
Provide meaningful errors to clients with actionable information.
Fail Recoverable
Design for eventual recovery. Queue operations for retry when appropriate.
Default Behavior
When any governance component fails, the default behavior is:
```yaml
Decision: DENY
Reason: "governance_unavailable"
Code: E1310
Retryable: true
```
Critical: Implementations MUST NOT allow actions to proceed when governance cannot be evaluated.
Layer Failure Modes
INTENT Layer
| ID | Failure | Behavior | Retry |
|---|---|---|---|
| F-INTENT-001 | Parse Failure | DENY | No |
| F-INTENT-002 | Risk Assessment Failure | ESCALATE | Yes |
| F-INTENT-003 | Service Timeout | DENY | Yes |
ENFORCE Layer
| ID | Failure | Behavior | Retry |
|---|---|---|---|
| F-ENFORCE-001 | Trust Score Unavailable | DENY | Yes |
| F-ENFORCE-002 | Policy Evaluation Failure | DENY | Yes |
| F-ENFORCE-003 | Escalation Target Unavailable | DENY | Yes |
PROOF Layer
| ID | Failure | Behavior | Retry |
|---|---|---|---|
| F-PROOF-001 | Proof Generation Failure | WARN (action proceeds) | Yes |
| F-PROOF-002 | Proof Storage Failure | WARN (buffered) | Yes |
| F-PROOF-003 | Chain Integrity Failure | HALT + ALERT | No |
CHAIN Layer
| ID | Failure | Behavior | Retry |
|---|---|---|---|
| F-CHAIN-001 | Blockchain Unavailable | WARN (queued) | Yes |
| F-CHAIN-002 | Anchor Transaction Failed | WARN (retry) | Yes |
Recovery Configuration
```yaml
retry_config:
  default:
    max_attempts: 3
    initial_delay_ms: 100
    max_delay_ms: 5000
    backoff_multiplier: 2.0
    jitter: 0.1
  database:
    max_attempts: 5
    initial_delay_ms: 50
    max_delay_ms: 2000
  blockchain:
    max_attempts: 10
    initial_delay_ms: 1000
    max_delay_ms: 60000
```
Required Monitoring
| Metric | Alert Threshold |
|---|---|
| intent_parse_failure_rate | > 5% |
| enforce_decision_latency_p99 | > 500ms |
| proof_generation_failure_rate | > 1% |
| trust_score_unavailable_rate | > 0.1% |
| circuit_breaker_open_count | > 0 |
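As an added example (not part of the original specification), a Python sketch of the fail-secure evaluation wrapper the Default Behavior and Recovery Configuration sections describe: retries follow the `retry_config` default profile (exponential backoff, capped at `max_delay_ms`, with jitter), every failed attempt is recorded, an exhausted ENFORCE check returns the default `DENY` / `governance_unavailable` / `E1310` decision, and an exhausted PROOF check follows F-PROOF-001 and warns instead of denying. The `flaky` stand-in service, the `proof_generation_failed` reason string and the assumption that named profiles inherit unspecified keys from `default` are mine, not from the page.

```python
import random
from dataclasses import dataclass, field

# The page's retry_config "default" profile; a named profile overrides these keys.
RETRY_DEFAULT = {"max_attempts": 3, "initial_delay_ms": 100, "max_delay_ms": 5000,
                 "backoff_multiplier": 2.0, "jitter": 0.1}

@dataclass
class Decision:
    decision: str                 # ALLOW / DENY / ESCALATE / WARN
    reason: str = ""
    code: str = ""
    retryable: bool = False
    failures: list = field(default_factory=list)  # audit trail: every failed attempt

def backoff_delays(profile):
    """Delay in ms before each retry: exponential, capped, with +/- jitter on top."""
    cfg = {**RETRY_DEFAULT, **profile}
    delays = []
    for attempt in range(cfg["max_attempts"] - 1):
        base = min(cfg["initial_delay_ms"] * cfg["backoff_multiplier"] ** attempt,
                   cfg["max_delay_ms"])
        delays.append(round(base * (1 + cfg["jitter"] * random.uniform(-1, 1))))
    return delays

def evaluate(layer, check, profile=None, sleep=lambda ms: None):
    """Run one governance check with retries; an exhausted failure fails secure."""
    delays = backoff_delays(profile or {})
    failures = []
    for attempt in range(len(delays) + 1):
        try:
            return Decision(check(), failures=failures)
        except Exception as exc:  # fail auditable: record every attempt, never swallow
            failures.append(f"{layer} attempt {attempt + 1}: {type(exc).__name__}: {exc}")
            if attempt < len(delays):
                sleep(delays[attempt])
    if layer == "PROOF":  # F-PROOF-001: WARN, the action proceeds, proof is retried later
        return Decision("WARN", "proof_generation_failed", retryable=True, failures=failures)
    return Decision("DENY", "governance_unavailable", "E1310", True, failures)  # default

def flaky(fail_times, result="ALLOW"):
    # Constructed stand-in for a service: times out fail_times times, then answers.
    calls = [0]
    def check():
        calls[0] += 1
        if calls[0] <= fail_times:
            raise TimeoutError("service timeout")
        return result
    return check
```

Jitter is applied after the cap here, so a single delay may slightly exceed `max_delay_ms`; cap after jittering if the bound must be strict.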
For complete failure handling including circuit breaker patterns, chaos testing requirements, and game day scenarios, see the full document on GitHub.