A governed action should leave a receipt. The receipt binds the proposed action, policy context, decision, and evidence posture so an operator or reviewer can inspect what happened without trusting a narrative summary.
Why it matters now
- Logs describe events, but receipts prove the decision boundary that allowed, denied, or escalated an action.
- Replayable evidence makes audits possible after the model session is gone.
- Private context can stay private while hashes, verdicts, and evidence references remain inspectable.
Boundary and evidence
This article describes the proof model. It does not claim every deployed environment emits every artifact today.
The public Kernel and scan workbench show the narrower receipt posture: local verification, hashes, policy overlays, and evidence packs where available.
Product map
Read models propose, HELM governs execution to connect the receipt back to the boundary decision.
The operating rule is consistent across the library: research can frame the question, but execution claims need source-owned proof. Look for policy checks, approval state, connector contracts, receipt hashes, replay evidence, or a clearly labeled product surface before treating an idea as current capability.
