Skip to content
Pages in this section
FOUNDATION
ENGINE
ARCHITECTURE
ADVANCED
SECURITY
CORE CONCEPTS

Fail-Closed Behavior

How Faramesh behaves when policy is unavailable or a rule doesn't match.

The secure default in the checked-in policy engine is denial when no rule matches. The runtime and adapters also treat transport failures conservatively unless you have explicitly opted into a fail-open path for development or a constrained use case.

That is the only sane default for execution governance: if the boundary is down, nothing should quietly keep running.

See The Action Authorization Boundary and Policy Engine.