DenySignal (Artifact v1.0.0) [ID: DNY-01]
DenySignal is a self-hosted denial fact primitive.
It records whether a denial fact exists for a subject or scope and returns that fact at read time.
DenySignal keeps negative state explicit, decoupled, and auditable as a first-class primitive instead of burying it inside unrelated domain tables.
DenySignal does not authenticate users, authorize actions, block requests, or enforce outcomes.
It only emits whether a denial fact is currently present.
What it emits
- Denial present
- Denial not present
- Optional denial reason or metadata if written by your system
What it does NOT do
- Does not authenticate identity
- Does not authorize actions
- Does not block requests
- Does not enforce policy
- Does not act as a firewall, WAF, gateway, or abuse-prevention system
Typical use
Before performing a sensitive operation, your application queries DenySignal. Your application then evaluates the denial fact with its own rules and decides whether to continue, block, escalate, or record an outcome elsewhere.
Boundary rule
Not denied ≠ permitted.
It only means no denial fact is currently present.
SimpleStates emits facts. Your system implements outcomes.
Self-hosted. Signal-only. Deterministic behavior.
Failure modes
- Deny write is missing or delayed → reads can return “denial not present” while your system intended “denial present”
- Subject or scope mismatch → reads can return the wrong signal for the wrong entity
- Partial writes or database inconsistency → reads can be stale or incomplete
- Network or database failure → reads can fail, time out, or return unexpected data
- Interpreting “denial not present” as permission → unsafe application behavior