Governance
Refusal posture, dissent preservation, audit footprint for OAS.
OAS operates under the standard MAP governance posture — every dispatch checked, every refusal structured, every decision recorded.
Refusal carries reasons
When OAS declines, the response is a structured refusal — capability missing, payload tenant mismatch, budget exhausted, policy block. Refusals receive the same audit weight as success.
| Refusal | When | HTTP |
|---|---|---|
CapabilityDenied | Caller lacks map.oas.<op> | 403 |
InvalidPayload | Schema validation fails | 422 |
PolicyDenied | MAXIM-bound policy refuses | 422 |
RateLimited | Tenant token bucket exhausted | 429 |
AdapterError | Downstream dependency unreachable | 502 |
Timeout | Deadline exceeded | 504 |
Audit footprint
Every operation produces audit records in MAX:
ProtocolInvocationper call (success or refusal)AuthorizationCheckon capability evaluation (sampled in prod)SecurityViolationon missing capability- Protocol-specific events via
ctx.audit().record(...)
Reconstruct the full trace for any call with MAX::traceability_graph.
Treaty awareness
Cross-organization calls flow under an active MOAT treaty. OAS operations are only callable cross-org if the treaty includes the matching capability. See Concepts → Treaties.
Dissent preservation
When OAS produces output that contradicts prior precedent or peer service output, the disagreement is recorded alongside — not erased. MIMESIS watches this for emergent custom; MOOT may rule.
See also
- Concepts → Governance
- Operations → Governance
MAX— the audit chain