Fail-Closed Governance
A governance principle where, if the system cannot evaluate a constraint, the action is blocked (fail closed) rather than allowed (fail open).
Fail-closed governance is a safety principle borrowed from security engineering. In fail-open systems, when a check cannot be completed (the checking system is down, the constraint is ambiguous, required data is missing), the action is allowed by default. In fail-closed systems, the action is blocked until the check can be completed.
For governance, fail-closed means: if Constellation cannot determine whether an action violates a constraint, it blocks the action and escalates to a human. This is more conservative but safer — it prevents ungoverned action rather than permitting it by default.
This is one of Constellation's constitutional invariants (the Silence Invariant): the system must never silently allow an action it cannot evaluate. Silence is treated as a signal, not an absence.
How Constellation handles this
Constellation is fail-closed by design. If the governance gate cannot evaluate a constraint — due to system error, ambiguous rules, or missing context — the action is blocked and escalated, never silently allowed.
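As an added illustration, not Constellation's own code, the two gates below evaluate the same constraints but differ only in how they treat the three unevaluable cases the page lists (evaluator error, ambiguous rule, missing context); the constraint names and context keys are constructed for the example.

```python
from enum import Enum

class Decision(Enum):
    ALLOW = "allow"
    BLOCK = "block"          # a constraint was evaluated and is violated
    ESCALATE = "escalate"    # could not be evaluated: blocked and handed to a human

# Constraints return True (satisfied), False (violated) or None (ambiguous: the
# rule does not cover this case). Missing context raises KeyError; any other
# exception stands in for a system error inside the evaluator.
def internal_destination_only(action):
    return action["destination"] == "internal"

def under_spend_limit(action):
    if action["currency"] != "USD":
        return None                     # limit is defined in USD only: ambiguous
    return action["amount"] <= action["limit"]

CONSTRAINTS = [internal_destination_only, under_spend_limit]

def gate_fail_open(action, constraints=CONSTRAINTS):
    """The pattern the page warns against: whatever cannot be evaluated is skipped."""
    for constraint in constraints:
        try:
            verdict = constraint(action)
        except Exception:
            continue                    # evaluator error -> treated as no objection
        if verdict is False:
            return Decision.BLOCK, constraint.__name__
        # verdict None (ambiguous) falls through and is allowed by default
    return Decision.ALLOW, None

def gate_fail_closed(action, constraints=CONSTRAINTS):
    """Silence Invariant: an unevaluable constraint blocks and escalates."""
    for constraint in constraints:
        try:
            verdict = constraint(action)
        except KeyError as missing:
            return Decision.ESCALATE, f"{constraint.__name__}: missing context {missing}"
        except Exception as err:
            return Decision.ESCALATE, f"{constraint.__name__}: evaluator error {err!r}"
        if verdict is None:
            return Decision.ESCALATE, f"{constraint.__name__}: rule ambiguous for this action"
        if verdict is False:
            return Decision.BLOCK, constraint.__name__
    return Decision.ALLOW, None
```

With the "limit" key absent from an action's context, the fail-open gate returns ALLOW while the fail-closed gate returns ESCALATE, which is exactly the silent permission the invariant forbids.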