Skip to main content

CRI-CORE — Deterministic structural enforcement kernel for governed state transitions.

Project description


title: "CRI-CORE — Deterministic Enforcement Kernel" filetype: "documentation" type: "repository-overview" domain: "enforcement" version: "0.6.0" doi: "TBD" status: "Active" created: "2026-02-19" updated: "2026-03-02"

author: name: "Shawn C. Wright" email: "swright@waveframelabs.org" orcid: "https://orcid.org/0009-0006-6043-9295"

maintainer: name: "Waveframe Labs" url: "https://waveframelabs.org"

license: "Apache-2.0"

copyright: holder: "Waveframe Labs" year: "2026"

ai_assisted: "partial"

dependencies: []

anchors:

  • "CRI-CORE v0.6.0"
  • "Deterministic Enforcement Kernel"

CRI-CORE

CRI-CORE v0.6.0 --- Deterministic Enforcement Kernel

CRI-CORE is a deterministic structural enforcement engine for governed state transitions.

It evaluates a run directory against explicit structural, authority, integrity, binding, sealing, and publication constraints and returns a single authoritative mutation decision.

The kernel does not interpret meaning.
It evaluates structure and invariants only.


Installation

Install from PyPI:

pip install cricore

Requires Python 3.10+.


Minimal Usage

The supported public entrypoint is:

from cricore.enforcement.execution import run_enforcement_pipeline

Example:

from cricore.enforcement.execution import run_enforcement_pipeline

results, commit_allowed = run_enforcement_pipeline(
    run_path=".",
    expected_contract_version="0.3.0"
)

The function returns:

(results: List[StageResult], commit_allowed: bool)

commit_allowed is the sole commit authorization signal.


Core Model

Exploration (high velocity, non-deterministic)
    →
Deterministic structural gate (CRI-CORE)
    →
Governed state mutation

The kernel ensures that only structurally valid and cryptographically sealed runs are permitted to mutate governed state.


Enforcement Pipeline (v0.6.0)

Canonical stage order:

  1. run-structure\
  2. structure-contract-version-gate\
  3. independence\
  4. integrity (verification)\
  5. integrity-finalization\
  6. publication\
  7. publication-commit

The pipeline is deterministic and ordered.


Contract-Version Behavior

CRI-CORE enforces versioned structural guarantees:

For contract_version < 0.3.0: - Structural validation - Independence enforcement - Integrity manifest verification

For contract_version ≥ 0.3.0: - binding.json required - SEAL.json required - Strict cryptographic seal validation - Immutable artifact boundary enforcement

Enforcement meaning is isolated per declared contract version.
Historical runs are validated under their declared version.


Independence Model

The kernel enforces structural role separation:

  • Explicit actor identities
  • Optional declared role requirements (required_roles)
  • Strict prohibition on multi-role identity when roles are required
  • Explicit override pathway (recorded, never implicit)

The kernel evaluates identity structure only.
It does not evaluate competence or review quality.


Cryptographic Guarantees

Finalized runs must include:

  • Deterministic SHA256 manifest
  • Payload archive
  • Structural binding artifact
  • Deterministic SEAL.json

The seal covers:

  • All run files (deterministic ordering)
  • Binding artifact
  • Manifest hash
  • Payload hash

Any mutation changes the seal hash.

The seal provides tamper evidence.
It is not a signature.


Atomic Commit Semantics

CRI-CORE does not mutate state.

It emits a deterministic authorization decision:

commit_allowed = publication_commit_stage.passed

The caller decides whether to mutate.

The kernel centralizes the commit decision.
It does not enforce it outside its invocation boundary.


What CRI-CORE Does Not Do

CRI-CORE does not:

  • Interpret lifecycle semantics
  • Judge correctness of domain objects
  • Evaluate epistemic sufficiency
  • Enforce governance policy meaning
  • Perform distributed consensus
  • Prevent bypass outside invocation

It is a deterministic structural gate only.


Design Principles

  • Deterministic evaluation
  • No network calls
  • No model calls
  • No semantic inference
  • Opaque reference handling
  • Versioned enforcement meaning
  • Strict immutability after finalization

Intended Use

CRI-CORE is designed to sit beneath:

  • Workflow engines
  • CI pipelines
  • Agent execution runtimes
  • Domain governance systems

It provides:

  • Structural admissibility validation
  • Cryptographic immutability guarantees
  • Centralized commit authorization

It is domain-agnostic.


Status

v0.6.0 represents the first public PyPI distribution of CRI-CORE.

The enforcement interface is stable within the 0.x series but may evolve prior to 1.0.


© 2025 Waveframe Labs — Independent Open-Science Research Entity • Governed under the Aurora Research Initiative (ARI)

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

cricore-0.6.0.tar.gz (23.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

cricore-0.6.0-py3-none-any.whl (37.1 kB view details)

Uploaded Python 3

File details

Details for the file cricore-0.6.0.tar.gz.

File metadata

  • Download URL: cricore-0.6.0.tar.gz
  • Upload date:
  • Size: 23.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.0

File hashes

Hashes for cricore-0.6.0.tar.gz
Algorithm Hash digest
SHA256 ebd0bf4c1317db7b65ab611989efd08ae7bf91965e1204f81ebc46c7abeecdde
MD5 b83074bdf1274864052b6ebf854a48f1
BLAKE2b-256 cb3fe11846f6d2e136fad74e63bdc7f193131dbbf245e4cb55e5f2a66b98cf6f

See more details on using hashes here.

File details

Details for the file cricore-0.6.0-py3-none-any.whl.

File metadata

  • Download URL: cricore-0.6.0-py3-none-any.whl
  • Upload date:
  • Size: 37.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.0

File hashes

Hashes for cricore-0.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6d79f553c3550e64b684c0251d72969aef7a3aee5235fb805d6a059b6c004b04
MD5 5280c8083dcdf0fa4a2609556437ff53
BLAKE2b-256 61c7ff8bdcc4f2f284440f863ccfcba30bb8328fbbf8ac3b335a55286679bb8e

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page