February 12, 2026
The First Enforced Action: Why We Chose GDPR Erase
Why irreversible state mutation is the only honest test of governance enforcement. Our first token-enforced action, what it proves, and what ships in 30 days.
By AmplefAI
Most governance systems describe what happened. We decided to build one that controls what can happen. That distinction sounds subtle. It isn't.
Why irreversible mutation
If you want to test whether governance is real, point it at something that can't be undone. A reversible action is forgiving — you can always roll back, fix the mistake, pretend governance wasn't needed. An irreversible action is honest. Once personal data is deleted under GDPR Article 17, it's gone. There is no undo.
That's why our first enforced action is data subject erasure. Not because GDPR is trendy. Because it's the purest test: can the governance layer prove what the system knew when it decided to permanently destroy data?
Why we rejected payments
The obvious demo would be payment authorization. Dramatic. Easy to understand. But it requires financial domain modeling, external APIs, PCI scope, and regulatory overreach we haven't earned. We chose the domain that is high-stakes, regulator-relevant, and implementable with zero external dependencies. A local database. Synthetic records. One delete operation. One enforcement gate.
Why enforcement must be token-bound
Our governance gateway issues a signed execution token — Ed25519, 5-second TTL, with a SHA-256 hash of the exact parameters being authorized. The execution broker validates the token before any state mutation occurs. No token, no execution.
This isn't monitoring. This isn't logging. The orchestrator cannot call the execution broker directly. It doesn't hold the tool credentials. The governance gateway is the only authority that can issue execution authorization.
Existing control systems — firewalls, IAM, OPA — evaluate what the caller declares. We evaluate what the system actually knew. The governance layer assembles context independently, not from the agent's self-report. That trust model shift is what autonomous systems require.
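The token check this section describes, as a Go sketch added here for illustration. It is not AmplefAI's code (the post states the enforcement primitive is not yet implemented). The names Token, Issue and Validate, the signed layout (parameter hash followed by expiry) and the JSON parameter bytes are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

const TokenTTL = 5 * time.Second // TTL stated in the post
// Token binds one authorization to exact parameters and a short lifetime.
type Token struct {
	ParamsHash [32]byte // SHA-256 of the exact parameter bytes
	Expiry     int64    // Unix nanoseconds
	Sig        []byte   // Ed25519 signature over ParamsHash || Expiry
}
// signedBytes is the assumed layout covered by the signature.
func signedBytes(h [32]byte, exp int64) []byte {
	return binary.BigEndian.AppendUint64(h[:], uint64(exp))
}

// Issue is the gateway side (hypothetical name): hash, set expiry, sign.
func Issue(priv ed25519.PrivateKey, params []byte, now time.Time) Token {
	t := Token{ParamsHash: sha256.Sum256(params), Expiry: now.Add(TokenTTL).UnixNano()}
	t.Sig = ed25519.Sign(priv, signedBytes(t.ParamsHash, t.Expiry))
	return t
}

// Validate is the broker side: any error means no state mutation (fail closed).
func Validate(pub ed25519.PublicKey, t *Token, params []byte, now time.Time) error {
	if t == nil || !ed25519.Verify(pub, signedBytes(t.ParamsHash, t.Expiry), t.Sig) {
		return errors.New("missing or unsigned token")
	}
	if now.UnixNano() >= t.Expiry {
		return errors.New("token expired")
	}
	if sha256.Sum256(params) != t.ParamsHash {
		return errors.New("parameters differ from those authorized")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	now, p := time.Now(), []byte(`{"action":"erase","subject_id":"synthetic-001"}`) // constructed
	tok := Issue(priv, p, now)
	fmt.Println(Validate(pub, &tok, p, now), Validate(pub, &tok, p, now.Add(6*time.Second)))
}
```

This sketch does not track single use, so the same token validates repeatedly until it expires; the post does not say how the planned design treats that.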
Why replay must reconstruct governed knowledge state
Six months after a deletion, a regulator asks: "Why did your AI delete this person's data?" The answer can't be "the logs say it happened." The answer must be: "At 09:50:00, the system saw no legal hold, policy v1.2 was active, retention check passed, and the governance root authorized deletion. Here is the deterministic reconstruction."
That reconstruction runs with zero network calls. Zero side effects. The exact governed knowledge state — what was visible, admissible, and binding at decision time — is replayed from an immutable snapshot. Run it twice, get identical output. That's evidence, not logging.
What is implemented vs. what is spec
Honest accounting. The Persistent Context Kernel — context mounting, relevance filtering, immutable snapshots, deterministic replay — is implemented and tested. Thousands of lines of core code, a continuously expanding test suite, and 18 enforced invariants, zero violations.
The enforcement primitive — token issuance, Ed25519 signing, broker validation, credential separation, fail-closed hardening — is specified and designed. The architecture is sound. The code doesn't exist yet.
We're not claiming enforcement today. We're claiming governance with a credible, concrete path to enforcement. That honesty matters more than premature claims.
What ships in 30 days
One irreversible action. Token-enforced. Fail-closed. Deterministically replayable. Running in a terminal.
No slides. No control panel. No second tool. No SDK. Just the primitive that proves governance is real.
"Your AI agent deleted personal data. Can you prove why?"
In 30 days, we answer that question from a terminal. That's when governance stops being philosophy and starts being infrastructure.
AmplefAI builds the independent governance layer that ensures AI capability remains accountable to your institution — not your provider.
Learn more at amplefai.com