Embedded Runtime Modes (Enforce / Observe / Skip)

Use evaluate_execute_controlled(...) for staged rollout before strict enforcement. Modes:
  • enforce: block writes on denied decision
  • observe: allow writes but emit denied decision evidence
  • skip: bypass decision evaluation and optionally emit skipped events

Example (FastAPI-style flow)

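from kernite import ObservabilityConfig, evaluate_execute_controlled

# Read the KERNITE_* settings once at startup and build the configured sink.
config = ObservabilityConfig.from_env()
sink = config.create_sink()


# Request handler body (the function name is illustrative).
def handle_write(request_body):
    # Evaluate the request under the configured mode before mutating anything.
    result = evaluate_execute_controlled(
        request_body,
        idempotency_key="req-001",
        mode=config.mode,
        sink=sink,
        sink_failure_policy=config.sink_failure_policy,
    )

    # Stop here when the write is not allowed and return the governance details.
    if not result["allow_write"]:
        return {"ok": False, "governance": result["governance"]}

    # proceed with mutation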

Environment Controls

  • KERNITE_MODE=enforce|observe|skip (default enforce)
  • KERNITE_SINK=none|jsonl|csv|sqlite (default none)
  • KERNITE_SINK_PATH=/absolute/path (required when sink enabled)
  • KERNITE_SINK_FAIL_POLICY=fail_open|fail_closed (default fail_open)
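
A deployment preflight for the variables listed above, as an added example that is not part of kernite: it applies the documented defaults, rejects values outside the documented sets, and warns about settings in which a denied decision does not block a write. The `preflight` function and its messages are hypothetical, and the absolute-path check assumes POSIX paths.

```python
import os
from pathlib import PurePosixPath

# Allowed values and defaults as documented under "Environment Controls".
MODES = {"enforce", "observe", "skip"}
SINKS = {"none", "jsonl", "csv", "sqlite"}
FAIL_POLICIES = {"fail_open", "fail_closed"}


def preflight(env):
    """Return (errors, warnings) for a mapping of KERNITE_* variables."""
    errors, warnings = [], []
    mode = env.get("KERNITE_MODE", "enforce")
    sink = env.get("KERNITE_SINK", "none")
    path = env.get("KERNITE_SINK_PATH", "")
    policy = env.get("KERNITE_SINK_FAIL_POLICY", "fail_open")

    # A mistyped value (for example "Enforce") is reported, not silently accepted.
    for name, value, allowed in (
        ("KERNITE_MODE", mode, MODES),
        ("KERNITE_SINK", sink, SINKS),
        ("KERNITE_SINK_FAIL_POLICY", policy, FAIL_POLICIES),
    ):
        if value not in allowed:
            errors.append(f"{name}={value!r} is not one of {sorted(allowed)}")

    if sink in SINKS - {"none"}:
        if not path:
            errors.append("KERNITE_SINK_PATH is required when a sink is enabled")
        elif not PurePosixPath(path).is_absolute():
            errors.append(f"KERNITE_SINK_PATH={path!r} must be an absolute path")
        if policy == "fail_open":
            warnings.append("sink failure policy is fail_open (the default)")

    if mode == "observe":
        warnings.append("observe: denied decisions do not block writes")
        if sink == "none":
            warnings.append("observe with KERNITE_SINK=none: no sink records denied decisions")
    elif mode == "skip":
        warnings.append("skip: decision evaluation is bypassed")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = preflight(os.environ)
    for line in warns:
        print("WARN ", line)
    for line in errs:
        print("ERROR", line)
    raise SystemExit(1 if errs else 0)
```
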

Sink Behavior

Built-in sinks:
  • JsonlDecisionSink
  • CsvDecisionSink
  • SqliteDecisionSink
Emitted event schema: kernite.decision_event.v1.