This document formalizes a deterministic execution model for runtime consent enforcement, defining a closed state machine, a total decision function, and invariant-based compliance constraints.
#Purpose and Scope
This document defines formal execution semantics for the runtime consent enforcement layer. Its purpose is to eliminate ambiguity in the execution model by specifying all permitted states, transitions, decision logic, and enforcement invariants in a binary, testable, and auditable form.
This document does not modify, override, or reinterpret any existing QODIQA specification. It provides formalization, constraint definition, and deterministic execution semantics only.
The scope of this document is strictly limited to the execution semantics layer. This document SHALL NOT be construed to alter the behavioral requirements, architectural definitions, governance structure, or certification criteria established in other QODIQA corpus documents. All normative content herein is additive and subordinate to the QODIQA Core Standard.
This document defines: execution states, state transitions, decision function constraints, enforcement invariants, and non-compliance classification. This document does not define: consent capture mechanisms, policy authoring, cryptographic protocols, certification criteria, or governance procedures.
This document does not define consent acquisition mechanisms, user interfaces, policy authoring systems, or cryptographic primitives. Its scope is strictly limited to execution semantics.
#Relationship to QODIQA Corpus
This document is a normative extension to the QODIQA corpus. It formalizes the execution semantics of enforcement logic that is defined in substantive terms across the following corpus documents. All definitions and constraints herein are derived from and consistent with those documents.
| Document | Identifier | Relationship to This Document |
|---|---|---|
| Core Standard | QODIQA-CORE-2026-001 | Primary normative authority. This document formalizes its enforcement logic. |
| Reference Architecture | QODIQA-RA-2026-001 | Defines the architectural components whose execution semantics are specified herein. |
| Implementation Playbook | QODIQA-IMPL-2026-001 | Provides implementation guidance consistent with the execution model defined herein. |
| 68-Point Enforcement Framework | QODIQA-SPEC-68P-V3-2026 | Enumerates enforcement points that SHALL conform to the execution semantics herein. |
| Conformance Test Suite | QODIQA-CTSS-2026-001 | Test criteria SHALL be derived from the invariants and constraints defined herein. |
| Security and Cryptographic Profile | QODIQA-SCP-2026-001 | Defines integrity requirements for state and audit artifacts referenced herein. |
In the event of apparent conflict between this document and any other QODIQA corpus document, the QODIQA Core Standard SHALL take precedence. All conflicts SHALL be reported to the QODIQA Governance Authority for resolution.
#Deterministic Execution Model
The enforcement layer SHALL operate as a deterministic finite-state machine. Every execution path through the enforcement layer SHALL be fully defined, fully traceable, and free of implicit or undefined behavior.
For any given input triple (Request, ConsentState, PolicySet), the enforcement layer SHALL produce exactly one output. No execution path SHALL exist that produces more than one output, no output, or a probabilistic output for identical inputs.
The enforcement layer SHALL NOT contain ambiguous execution paths. An ambiguous execution path is defined as any path whose outcome depends on factors not present in the explicit input triple (Request, ConsentState, PolicySet) at the moment of evaluation.
Implicit behavior is defined as any system behavior that is not explicitly specified by a defined state, a defined transition, or a defined constraint. Implicit behavior is prohibited. Every behavior of the enforcement layer SHALL be the direct result of an explicitly defined execution step.
The enforcement layer SHALL NOT defer evaluation to external components during the active decision path. All inputs required for evaluation SHALL be fully resolved prior to the initiation of the PolicyEvaluation state. Any failure to resolve required inputs SHALL result in an immediate transition to the Deny decision state.
#Canonical State Machine
The enforcement layer SHALL implement precisely the state machine defined in this section. No implementation SHALL add states, remove states, merge states, or reorder states relative to the canonical definition below.
State Machine — Formal DefinitionStateMachine = (S, T, s0, F)
where:
S := {S1, S2, S3, S4a, S4b, S5}
T := set of allowed transitions defined in Table 3
s0 := S1 (initial state)
F := {S5} (terminal state)4.1 Defined States
The canonical state machine consists of exactly five (5) states. All five states are mandatory. No state is optional.
| State ID | State Name | Classification | Description |
|---|---|---|---|
| S1 | RequestReceived | Entry State | The enforcement layer has received a complete, well-formed execution request. No evaluation has commenced. |
| S2 | ConsentLookup | Intermediate State | The enforcement layer is resolving the current consent state for the declared subject, purpose, and scope. No policy evaluation has commenced. |
| S3 | PolicyEvaluation | Intermediate State | The enforcement layer is evaluating the applicable policy set against the resolved consent state and the declared request parameters. |
| S4a | Decision: Allow | Terminal Decision State | The enforcement layer has determined that the request satisfies all consent and policy requirements. Execution MAY proceed. |
| S4b | Decision: Deny | Terminal Decision State | The enforcement layer has determined that the request does not satisfy one or more consent or policy requirements. Execution MUST NOT proceed. |
| S5 | AuditCommit | Terminal Audit State | The enforcement layer has committed an immutable, tamper-evident audit record of the decision, its inputs, and its evaluation context. |
4.2 Allowed Transitions
The following transitions are the complete and exclusive set of permitted state transitions. No transition not listed in this section is permitted.
| From State | To State | Condition |
|---|---|---|
| S1 · RequestReceived | S2 · ConsentLookup | Request is well-formed and complete. |
| S2 · ConsentLookup | S3 · PolicyEvaluation | ConsentState resolves to Valid. |
| S2 · ConsentLookup | S4b · Deny | ConsentState resolves to Absent, Expired, Revoked, or Invalid. |
| S3 · PolicyEvaluation | S4a · Allow | All applicable policy rules evaluate to satisfied. |
| S3 · PolicyEvaluation | S4b · Deny | One or more applicable policy rules evaluate to unsatisfied. |
| S4a · Allow | S5 · AuditCommit | Unconditional. No exception is permitted. |
| S4b · Deny | S5 · AuditCommit | Unconditional. No exception is permitted. |
4.3 Prohibited Transitions
The following transition categories are explicitly and unconditionally prohibited. Any system that implements one or more of these transitions is non-compliant with this specification.
- Any transition that bypasses
ConsentLookupon the path fromRequestReceivedtoPolicyEvaluation. - Any transition from
RequestReceiveddirectly toPolicyEvaluation,Allow,Deny, orAuditCommit. - Any transition from
ConsentLookupdirectly toAlloworAuditCommit. - Any transition from
PolicyEvaluationdirectly toAuditCommitwithout passing through a terminalDecisionstate. - Any transition from
AlloworDenyto any state other thanAuditCommit. - Any cyclic transition that returns a state to a prior position in the sequence.
- Any parallel transition that places the machine in two states simultaneously.
- Any transition to an undefined state not listed in Section 4.1.
All execution paths SHALL terminate in a finite number of steps at the AuditCommit state. Infinite execution paths or non-terminating evaluations are strictly prohibited.
#Deterministic Decision Function
5.1 Formal Definition
The enforcement decision function is formally defined as follows:
Decision Function — Formal DefinitionDecision = f(Request, ConsentState, PolicySet)
where:
Request := { Subject, Purpose, Scope, DataCategory, Timestamp }
ConsentState := { Valid | Absent | Expired | Revoked | Invalid }
PolicySet := { P₁, P₂, ..., Pₙ } (immutable snapshot at evaluation time)
Decision := { Allow | Deny }The function f is a total function. For every valid combination of (Request, ConsentState, PolicySet), f SHALL produce exactly one element of the set {Allow, Deny}. The function SHALL NOT be partial, probabilistic, or undefined for any input within its specified domain.
5.2 Input Constraints
The following constraints apply to all inputs to the decision function. A request that violates any input constraint SHALL result in an immediate Deny decision without entering PolicyEvaluation.
- The
RequestSHALL be complete. A request is complete if and only if all five fields (Subject, Purpose, Scope, DataCategory, Timestamp) are present and non-null. - The
ConsentStateSHALL be resolved prior to the initiation ofPolicyEvaluation. An unresolvedConsentStateSHALL be treated asInvalid. - The
PolicySetSHALL be an immutable snapshot captured at the momentPolicyEvaluationcommences. ThePolicySetSHALL NOT change during evaluation. - The
PolicySetSHALL NOT be empty. A request evaluated against an emptyPolicySetSHALL result in aDenydecision. - All inputs SHALL be evaluated from explicit, machine-readable state. No input SHALL be inferred, assumed, or inherited from prior execution contexts.
5.3 Output Constraints
The decision function output SHALL satisfy the following constraints unconditionally.
- The output SHALL be exactly one of:
AlloworDeny. No other output value is permitted. - For identical inputs (Request, ConsentState, PolicySet), the function SHALL produce identical output on every invocation. Non-deterministic output for identical inputs constitutes a non-compliance condition.
- The output SHALL NOT depend on execution time, invocation count, system load, external network state, or any factor not present in the explicit input triple.
- The output SHALL NOT be null, undefined, pending, or deferred.
- The output SHALL be produced in strict sequence following completion of
PolicyEvaluation. No asynchronous decision emission is permitted.
The decision function is strictly deterministic. No entropy source, probabilistic mechanism, or external state dependency SHALL influence the output for identical inputs under any condition.
#Execution Flow Constraints
The following constraints govern the execution flow of the enforcement layer. Each constraint is absolute and admits no exception.
States SHALL be entered and exited in the sequence defined in Section 4. No state SHALL be entered before its predecessor state has been fully completed and exited.
No implementation SHALL skip, abbreviate, or combine any defined state. The ConsentLookup state SHALL NOT be skipped under any condition, including prior consent validation, cached consent state, or operator override.
Each state SHALL be fully completed before the transition to the subsequent state is initiated. Partial completion of a state is classified as an invalid execution state.
No asynchronous mechanism SHALL be used to initiate a transition before the current state has completed its defined processing. Asynchronous callbacks, deferred evaluations, and event-driven state bypasses are prohibited within the enforcement execution path.
No fallback, default-allow, best-effort, or degraded evaluation mode is permitted. When a required input is unavailable, the enforcement layer SHALL immediately produce a Deny decision and proceed to AuditCommit.
The active decision path from ConsentLookup through AuditCommit SHALL NOT initiate synchronous calls to external systems. All required state SHALL be resolved prior to entering ConsentLookup.
Any execution error, state resolution failure, or evaluation exception that occurs during the enforcement path SHALL terminate evaluation immediately and produce a Deny decision. Errors SHALL NOT be silently suppressed or deferred.
Any failure in input resolution, state transition, or evaluation SHALL result in immediate termination of execution and emission of a Deny decision. No retry, fallback, or degraded execution mode is permitted.
This section defines execution constraints in a strictly formal manner. Implementation strategies may vary, provided that all constraints, invariants, and state transition rules remain fully preserved without deviation.
#Formal Enforcement Invariants
The following invariants are absolute. Each invariant SHALL hold under all conditions, for all requests, across all deployment configurations. No invariant admits an exception, a grace period, or a configuration-dependent override.
7.1 Consent Invariants
IF ConsentState ≠ Valid THEN Decision = Deny
NO execution path SHALL exist where Decision = Allow AND ConsentState = Absent
NO execution path SHALL exist where Decision = Allow AND ConsentState = Expired
NO execution path SHALL exist where Decision = Allow AND ConsentState = Revoked
NO execution path SHALL exist where Decision = Allow AND ConsentState = Invalid
ConsentState SHALL be resolved as an explicit, machine-readable value. ConsentState SHALL NOT be inferred, assumed, or inherited.
7.2 Audit Invariants
AuditCommit SHALL occur for every Decision, regardless of Decision value.
NO execution path SHALL terminate at Decision (Allow or Deny) without subsequent AuditCommit.
The AuditCommit record SHALL include: Decision value, ConsentState value, PolicySet snapshot identifier, Request parameters, and evaluation Timestamp.
The AuditCommit record SHALL be immutable after commit. Post-commit modification of any audit field is prohibited.
AuditCommit SHALL occur synchronously within the same execution context as the Decision. Deferred or asynchronous audit commit is prohibited.
Decision SHALL precede AuditCommit in strict execution order.
Decision and AuditCommit SHALL occur within the same execution context and MUST be atomic.
Every audit record MUST be uniquely attributable to a single execution instance and MUST allow full reconstruction of the decision context without reliance on external or implicit state.
7.3 Sequencing Invariants
PolicyEvaluation SHALL NOT execute without prior completed ConsentLookup.
ConsentLookup SHALL NOT execute without prior completed RequestReceived.
Decision SHALL NOT be emitted without prior completed PolicyEvaluation, except where ConsentState ≠ Valid, in which case Decision = Deny SHALL be emitted immediately upon ConsentLookup completion.
AuditCommit SHALL NOT execute before Decision has been produced.
No state in the sequence SHALL execute more than once per request.
7.4 Decision Invariants
f(Request, ConsentState, PolicySet) = f(Request, ConsentState, PolicySet) for all invocations with identical inputs.
Decision SHALL be exactly one of {Allow, Deny}. No other value is a valid decision output.
Decision SHALL NOT be null, deferred, or pending.
PolicySet SHALL be immutable during PolicyEvaluation. Any modification to PolicySet after the commencement of PolicyEvaluation SHALL constitute a non-compliance condition.
An empty PolicySet SHALL produce Decision = Deny.
A malformed or incomplete Request SHALL produce Decision = Deny without entering ConsentLookup.
#Invalid Execution States
The following execution conditions are classified as non-compliant. Any system that enters or permits any of the following states is non-compliant with this specification. Non-compliant systems SHALL NOT be certified under the QODIQA Certification Framework.
| ID | Invalid State | Classification |
|---|---|---|
| IES-01 | Undefined state transition: any transition not listed in Table 3. | NON-COMPLIANT |
| IES-02 | Missing evaluation step: any execution that reaches Decision without having completed all prior mandatory states. | NON-COMPLIANT |
| IES-03 | Partial execution path: any execution that enters a state but does not fully complete it before transitioning. | NON-COMPLIANT |
| IES-04 | Inconsistent state combination: simultaneous occupancy of two or more states. | NON-COMPLIANT |
| IES-05 | Decision without AuditCommit: any execution path that terminates at a Decision state without subsequent AuditCommit. | NON-COMPLIANT |
| IES-06 | ConsentLookup skipped: any execution that transitions from RequestReceived to PolicyEvaluation without completing ConsentLookup. | NON-COMPLIANT |
| IES-07 | PolicyEvaluation against mutable PolicySet: any evaluation where the PolicySet changes during PolicyEvaluation. | NON-COMPLIANT |
| IES-08 | Silent fallback: any execution that silently substitutes a default or degraded decision in place of a Deny upon input resolution failure. | NON-COMPLIANT |
| IES-09 | Asynchronous Decision emission: any Decision produced via asynchronous callback, deferred evaluation, or event-driven bypass of the sequential execution path. | NON-COMPLIANT |
| IES-10 | Re-entry into a completed state: any execution that re-enters a state that has already been completed within the same request lifecycle. | NON-COMPLIANT |
| Severity Level | Description |
|---|---|
| CRITICAL | Violations that compromise determinism, audit integrity, or decision correctness. Immediate non-compliance. |
| HIGH | Violations that affect execution ordering, state transitions, or enforcement guarantees. |
| NON-COMPLIANT | Any violation of defined invariants or execution constraints. |
#Non-Compliance Conditions
The following conditions constitute explicit non-compliance with this specification. The enumeration below is exhaustive within the scope defined in Section 1. Each condition is independent; satisfaction of all conditions except one does not constitute partial compliance.
A system is non-compliant if it initiates PolicyEvaluation without having completed a ConsentLookup that resolves ConsentState to an explicit value.
A system is non-compliant if its decision function produces differing outputs for identical inputs (Request, ConsentState, PolicySet) across any two invocations.
A system is non-compliant if any Decision — Allow or Deny — is produced without a subsequent, complete, and immutable AuditCommit within the same execution context.
A system is non-compliant if it executes two or more concurrent enforcement paths for the same request such that conflicting decisions could be produced or state consistency cannot be guaranteed.
A system is non-compliant if it implements any state transition not listed in Table 3, or if it fails to implement any state listed in Table 2.
A system is non-compliant if it produces Decision = Allow when ConsentState is Absent, Expired, Revoked, or Invalid, under any condition or configuration.
A system is non-compliant if the PolicySet is modified, updated, or replaced during the execution of PolicyEvaluation for any active request.
A system is non-compliant if ConsentState is not resolved from an explicit, machine-readable consent record but is instead inferred from role membership, prior authorization, or assumed context.
A system is non-compliant if it operates in any mode that reduces, approximates, or bypasses the full execution sequence defined in Section 4, regardless of the operational justification offered for such a mode.
A system is non-compliant if the AuditCommit record for any Decision does not include all fields enumerated in INV-A-03.
#Cross-Document Traceability
Each major rule and invariant defined in this document is traceable to one or more normative sources within the QODIQA corpus. The following table establishes the primary traceability mappings. Implementors and auditors SHALL use these mappings to verify consistency between this document and the broader corpus.
| This Document | Core Standard | Reference Architecture | 68-Point Framework | Conformance Test Suite |
|---|---|---|---|---|
| State Machine (4) | 3 — Enforcement Model | 4 — Enforcement Layer | Points 1–12 | TC-SM-001 – TC-SM-012 |
| Decision Function (5) | 4 — Decision Logic | 5 — Decision Engine | Points 13–24 | TC-DF-001 – TC-DF-012 |
| Execution Flow Constraints (6) | 5 — Execution Requirements | 6 — Execution Path | Points 25–36 | TC-EF-001 – TC-EF-012 |
| Consent Invariants (7.1) | 2 — Consent Requirements | 3 — Consent Resolution | Points 1–6, 37–42 | TC-CI-001 – TC-CI-006 |
| Audit Invariants (7.2) | 6 — Audit Requirements | 7 — Audit Subsystem | Points 43–52 | TC-AI-001 – TC-AI-005 |
| Non-Compliance Conditions (9) | 7 — Compliance Criteria | 8 — Failure Semantics | Points 53–68 | TC-NC-001 – TC-NC-010 |
Where a corpus document has been amended subsequent to the publication date of this specification, the traceability mappings in Table 6 SHALL be reviewed against the amended version. In the event of traceability gaps introduced by amendment, the QODIQA Governance Authority SHALL be notified in accordance with the Change Log and Version Control Protocol (QODIQA-CL-2026-001).
#Enforcement Implications
The following enforcement implications are derived directly from the constraints and invariants defined in this document. Each implication is stated as a binding requirement.
The enforcement layer SHALL fail closed. A fail-closed system is defined as a system that produces Decision = Deny upon any failure to resolve required inputs, complete any mandatory state, or satisfy any defined invariant. Fail-open behavior — producing Decision = Allow upon failure — is prohibited.
Upon detection of any invalid execution state enumerated in Section 8, the enforcement layer SHALL immediately terminate evaluation and produce Decision = Deny. Continued evaluation after detection of an invalid state is prohibited.
No degraded execution mode is permitted. A degraded execution mode is defined as any mode in which one or more mandatory states are abbreviated, skipped, or combined, or in which one or more defined invariants are suspended. Systems SHALL operate in full compliance or SHALL NOT operate.
Silent fallback is defined as any mechanism that substitutes a default decision for a properly evaluated decision without producing an explicit error, a non-compliance record, and an audit entry. Silent fallback is prohibited in all configurations and deployment modes.
AuditCommit is mandatory on all execution paths, including paths that terminate at Decision = Deny due to input failure, state resolution failure, or invariant violation. No execution outcome is exempt from the audit requirement.
No configuration, operator instruction, runtime parameter, or deployment-time override SHALL suspend, modify, or disable any invariant defined in Section 7. Invariants are not configurable. They are structural properties of the enforcement layer.
This section does not introduce new architectural components. Its purpose is to state the operational consequences of the invariants and constraints defined in preceding sections. These implications are derived, not additive.
#Conclusion
This document has specified the canonical state machine, deterministic decision function, execution flow constraints, enforcement invariants, invalid execution states, non-compliance conditions, cross-document traceability, and enforcement implications of the runtime consent enforcement layer.
This document does not modify, override, or reinterpret any existing QODIQA specification. It provides formalization, constraint definition, and deterministic execution semantics only.
All implementations claiming conformance with the QODIQA Core Standard SHALL satisfy the constraints and invariants defined herein. Conformance verification SHALL be performed in accordance with the QODIQA Conformance Test Suite (QODIQA-CTSS-2026-001).
#Document Status and Identity
Document Status
| Document Type | Formal Specification |
| Version | 1.0 |
| Status | Normative Extension |
| Scope | Deterministic Execution Semantics Layer |
| Publication Date | April 2026 |
| Supersedes | None. Initial release. |
This document is a normative extension to the QODIQA corpus. It does not supersede, replace, or modify any existing corpus document. The corpus documents to which this specification provides formal execution semantics are listed in Section 2.
This specification is authored and maintained by the QODIQA principal architect. Inquiries regarding this document SHALL be directed to the QODIQA Governance Authority.
This document represents a formal deterministic specification intended for high-assurance environments, including enterprise deployment, regulatory alignment, and independent audit evaluation.