DenySignal — Spec Sheet
Primitive type: Denial signal emitter
Execution model: Read-time only
Hosting model: Self-hosted
Determinism: Deterministic given stored state
Inputs
- Subject identifier (user, account, token, scope, or custom key)
- Optional scope or context identifier
- Operator-defined denial flags written by your system
Outputs
- Denial present
- Denial not present
Guarantees
- Returns stored denial state as of read time
- Does not mutate state on read
- Does not execute side effects
- Deterministic for a given stored state
Non-guarantees
- Correctness of denial policy
- Timeliness of denial updates
- Consistency across distributed systems
- Authorization correctness
- Security or safety outcomes
Invariants
- Not denied ≠ permitted
- Denial state ≠ authorization
- Absence of a denial signal is not permission
- Returned state is advisory only
Failure modes
- Denial state may be stale or incorrect
- Lookups may fail or return partial data
- Network or database failures may prevent reads
- Your system must define behavior when denial state cannot be confirmed
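Added example, not part of DenySignal or its own code: one way a calling system could honor the invariants and the unconfirmed-state requirement above. Every type and function name is hypothetical, and treating a missing row as "not denied" is an assumption about the caller's storage.

```typescript
// Caller-side sketch (hypothetical names; not DenySignal's API).
// A read has three outcomes from the caller's view, not two.
type DenialRead =
  | { kind: "denied" }
  | { kind: "not_denied" }
  | { kind: "unconfirmed"; reason: string }; // lookup failed or data was partial

type Decision = { allow: boolean; why: string };

// The behavior the spec leaves to the caller when state cannot be confirmed.
type UnconfirmedPolicy = "fail_closed" | "fail_open";

// Wrap a raw lookup. Errors and partial rows become "unconfirmed",
// never "not_denied", so a database outage cannot look like a clean read.
function readDenial(lookup: () => { denied?: boolean } | null): DenialRead {
  try {
    const row = lookup();
    if (row === null) return { kind: "not_denied" }; // assumption: no stored flag
    if (typeof row.denied !== "boolean") {
      return { kind: "unconfirmed", reason: "partial data" };
    }
    return row.denied ? { kind: "denied" } : { kind: "not_denied" };
  } catch (e) {
    const reason = e instanceof Error ? e.message : "lookup failed";
    return { kind: "unconfirmed", reason };
  }
}

// Combine the advisory signal with the caller's own authorization result.
function decide(
  read: DenialRead,
  authorized: boolean,
  policy: UnconfirmedPolicy
): Decision {
  if (read.kind === "denied") return { allow: false, why: "denial present" };
  if (read.kind === "unconfirmed" && policy === "fail_closed") {
    return { allow: false, why: `denial state unconfirmed: ${read.reason}` };
  }
  // Not denied (or fail_open): the signal grants nothing, authorization decides.
  return authorized
    ? { allow: true, why: "authorized by caller policy" }
    : { allow: false, why: "not authorized" };
}
```
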
Out of scope
- Authentication
- Authorization
- Request blocking
- Enforcement logic
- Policy definition
- Auditing or alerting
Implementation details
- Language: TypeScript (Node.js)
- Interface: HTTP or embedded service
- Database: PostgreSQL