IRONLAW
Seven immutable rules for distributed autonomy - published as open doctrine so the industry can inspect the text, not just the README.
IRONLAW is the governance doctrine behind Bastion-style systems: normative rules, machine-readable policy examples, and case fixtures in the bastion-ironlaw repository (Apache 2.0). It is separate from the Bastion application meta-repo on purpose - doctrine can be debated and versioned on its own schedule.
Ordered evaluation (gate model)
IRONLAW is evaluated as an ordered gate pipeline, not a flat checklist: R → I → N → L → W → O → A. Failure at a gate yields deny, hold, escalate, or execute-minimally; it never yields a wider scope because the model is confident.
Shipped in Bastion today: a file-backed IRONLAW policy gate on ingest, reconcile, and replay paths, with readiness signals when policy refuses an operation. A full runtime evaluator that intercepts every action class through every gate in software is roadmap work - see the public security hardening roadmap and the bastion-ironlaw backlog for doctrine-side enforcement goals.
The seven rules (plain language)
| Key | Rule | What it protects |
|---|---|---|
| R | Rightful Authority | Consequential action requires lawful, in-chain, current, attributable authority - not transport success alone. |
| I | Intentional Human Impact | Human impact (including indirect, delayed, or omission harm) demands explicit objectives, active RoE, and safeguards matched to risk. |
| N | Non-Improvisation | When legality, identity, or scope is below threshold, hold or escalate - do not invent a broader mission. |
| L | Least Authority | Stay inside assigned terrain, network, data, tooling, and resource bounds; no self-granted expansion. |
| W | Within RoE | Continuity under stress or disconnect stays inside prior Mission Goals and RoE - connectivity is not permission. |
| O | Operational Consent | Trust and prior consent do not replace fresh consent where policy requires it for hazardous or privileged acts. |
| A | Accountability | Decisions and refusals must remain attributable and reviewable to the extent the environment allows. |
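
The ordered gate model above, sketched as a fail-closed evaluator. This is an added example, not code from Bastion or the bastion-ironlaw repository; the gate predicates, field names, the 0.9 threshold, the `allow` label, and which outcome each gate returns are assumptions made for illustration.

```python
from enum import Enum
from typing import NamedTuple, Optional

GATE_ORDER = ("R", "I", "N", "L", "W", "O", "A")  # order stated on the page

class Outcome(Enum):
    ALLOW = "allow"  # assumed label for "every gate passed"
    DENY = "deny"
    HOLD = "hold"
    ESCALATE = "escalate"
    EXECUTE_MINIMALLY = "execute-minimally"

class Decision(NamedTuple):
    outcome: Outcome
    gate: Optional[str]  # gate that stopped evaluation; None if all passed
    reason: str

# A gate returns None to pass, or (Outcome, reason) to stop the pipeline.
def stop_if(failed, outcome: Outcome, reason: str):
    return (outcome, reason) if failed else None

# Constructed gates: every field name and threshold here is hypothetical.
SAMPLE_GATES: dict = {
    "R": lambda a: stop_if(not a.get("authority_current"), Outcome.DENY, "no current authority"),
    "I": lambda a: stop_if(a.get("human_impact") and not a.get("roe_active"), Outcome.DENY, "no active RoE"),
    "N": lambda a: stop_if(a.get("identity_score", 0.0) < 0.9, Outcome.HOLD, "identity below threshold"),
    "L": lambda a: stop_if(a.get("target") not in a.get("assigned_scope", ()), Outcome.DENY, "outside bounds"),
    "W": lambda a: stop_if(not a.get("connected") and not a.get("in_prior_roe"), Outcome.EXECUTE_MINIMALLY, "disconnected"),
    "O": lambda a: stop_if(a.get("hazardous") and not a.get("fresh_consent"), Outcome.ESCALATE, "fresh consent required"),
    "A": lambda a: stop_if(not a.get("audit_sink_ok"), Outcome.HOLD, "decision cannot be recorded"),
}

def evaluate(action: dict, gates: dict) -> Decision:
    """Walk the gates in order and stop at the first one that does not pass."""
    for key in GATE_ORDER:
        gate = gates.get(key)
        if gate is None:  # fail closed: a missing gate is not a pass
            return Decision(Outcome.DENY, key, "gate not configured")
        try:
            result = gate(action)
        except Exception as exc:  # fail closed: a crashing gate is not a pass
            return Decision(Outcome.DENY, key, f"gate error: {type(exc).__name__}")
        if result is not None:
            outcome, reason = result
            if outcome is Outcome.ALLOW:  # a single gate can stop, never grant
                outcome, reason = Outcome.DENY, "gate returned allow"
            return Decision(outcome, key, reason)
    return Decision(Outcome.ALLOW, None, "all gates passed")
```

No gate reads a model-confidence field, so a high score in the action record cannot change the decision, and the earliest failing gate in the R → A order determines the outcome.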