CohOS

A refusal-first admissibility kernel.

CohOS is a deterministic trust kernel that decides whether a system state is admissible before any downstream action occurs. It outputs one of two outcomes: ALLOW or REFUSE. Every outcome is accompanied by an evidence bundle.

ALLOW | REFUSE · reason-coded · deterministic policy-explicit envelopes · artifact-first proof

Kernel invariant

False refusal is acceptable. False trust is not.

CohOS fails closed under uncertainty. If any invariant is violated or ambiguous, it refuses and emits evidence. If all checks pass, it allows and emits the same evidence bundle.

Deterministic Same inputs and policy yield same decision

Policy-explicit Thresholds declared and versioned before execution

Artifact-first Evidence bundle emitted for every run

The primitive

CohOS decides admissibility, not correctness.

CohOS does not judge whether a model is “accurate.” It determines whether the inputs, instrumentation, timing, and coherence conditions are admissible for action under declared envelopes.

Decision

ALLOW or REFUSE. Binary. Unambiguous.

Policy

Explicit envelopes and thresholds. Versioned. No runtime learning.

Evidence

Artifacts emitted every run so trust is verifiable and replay-detectable.

ALLOW

decision.json
{
  "decision": "ALLOW",
  "reason": "ALLOW_ALL_CHECKS_PASS",
  "artifacts": ["policy.json","manifest.json","hashes.json","metrics.json"]
}

REFUSE

decision.json
{
  "decision": "REFUSE",
  "reason": "INSTRUMENT_NOT_IN_SPEC",
  "artifacts": ["policy.json","manifest.json","hashes.json","metrics.json"]
}

Why refusal exists

Most high-stakes failures are not loud. They are silent.

The dominant risk in critical systems is not that outputs are “wrong.” It is that systems keep operating when the state is inadmissible: misconfigured sampling, timing uncertainty, replayed telemetry, substituted inputs, or drifted instrumentation. CohOS makes inadmissibility explicit.

Silent degradation Pipelines continue producing plausible outputs while assumptions are violated.
Invalid composition Models and data streams are combined without a shared admissibility boundary.
Unverifiable trust Decisions cannot be audited because the chain of evidence was never emitted.

Refusal semantics

Refusal is a designed success state.

CohOS treats uncertainty as a reason to refuse. The goal is not maximum throughput. The goal is refusal correctness: avoid allowing action on inadmissible state.

Common refusal reason codes

COHERENCE_ENVELOPE_FAIL INSTRUMENT_NOT_IN_SPEC REPLAY_DETECTED INTERNAL_ERROR_STEP_FAIL ROUNDTRIP_FAIL

Admissibility envelopes

Policy is declared before the run. There are no hidden heuristics.

CohOS enforces explicit envelopes over coherence metrics, instrument health, and timing constraints. Policies are versioned and immutable during execution. If a condition is out of bounds, CohOS refuses.

Instrumentation

Sampling rate, gain lock, sensor health, and configuration invariants.

Timing

Time uncertainty tracked; out-of-envelope timing triggers refusal.

Coherence

Ξ-family metrics compared to thresholds; coherence drift triggers refusal.

Integrity

Hashes and fingerprints prevent silent modification and replay.

Policy snapshot (illustrative)

policy.json
{
  "policy_id": "cohos_v0_2_example",
  "thresholds": {
    "xi_min": 0.98,
    "timing_uncertainty_max_ms": 2.0
  },
  "refusal_codes": [
    "COHERENCE_ENVELOPE_FAIL",
    "INSTRUMENT_NOT_IN_SPEC",
    "REPLAY_DETECTED"
  ]
}

Evidence bundles

Trust is emitted as files, not asserted as language.

CohOS produces a complete bundle for every decision. This makes third-party verification straightforward: recompute hashes, inspect policy, verify decision evidence, and confirm determinism under replay.

Canonical artifact set

decision.json policy.json manifest.json hashes.json metrics.json

Verifier path

An evaluator can verify a CohOS decision in minutes.

The verifier recomputes file hashes from hashes.json, confirms policy thresholds, checks decision evidence, and ensures refusal reasons match the measured metrics. If anything is missing or inconsistent, the run is invalid.

Guardrails

What CohOS is not.

This negative space is essential. CohOS is a kernel with strict scope. It does not become a prediction engine, an orchestrator, or an AI agent. Those are downstream clients.

Not an optimizer

CohOS does not search for better answers. It gates whether action may occur.

Not a model

CohOS can evaluate black-box outputs without access to model internals.

Not an AI guardrail

No preference alignment, no subjective scoring. Only admissibility under policy.

Not optional

Clients cannot override REFUSE. Authority is centralized by design.