Decide Before Execute
Experience Keon Decide Before Execute
Watch a governed request move from intent to policy decision to receipt-backed outcome. No trust theater. No post-hoc logging. Keon shows whether an effect was authorized before execution is allowed.
Scenario
Unauthorized mailbox summary request
Capability requested
mailbox.read.protected
Decision
denied
Execution
not attempted
Outcome
failed closed
Receipts
directive, intent, decision, outcome
Execution receipt
absent by design
Artifact type
static deterministic fixture
Input artifact
Directive envelope
Output artifact
Intent anchor (append-only)
Boundary rule
All requests are captured before any effect is attempted.
Receipt implication
Intent receipt issued regardless of outcome.
Why this stage matters
Every incoming request is captured as an intent anchor before any decision is made.
Deterministic artifact shape for the default denied scenario. UUIDs are opaque identifiers. Human-readable labels use *_name fields.
{
"correlation_id": "crr-7f2e9a01-3b44-4c8d-a1f0-9e6d2b5c8f07",
"tenant_id": "tnt-4a1b2c3d-e5f6-7890-abcd-ef1234567890",
"tenant_name": "OpenClaw / Acme Corp",
"actor_id": "act-9e8d7c6b-5a49-4381-b2c1-d0e9f8a7b6c5",
"actor_name": "OpenClaw Collective Agent",
"requested_capability": "mailbox.read.protected",
"decision": {
"status": "denied",
"policy_id": "keon-policy-mcp-mailbox-access-v1",
"denial_reason": "capability not authorized under active policy binding"
},
"execution": {
"status": "not_attempted"
},
"receipts": {
"directive": "rcpt-d-a1b2c3d4-e5f6-7890-abcd-ef1234567890",
"intent": "rcpt-i-b2c3d4e5-f6a7-8901-bcde-f12345678901",
"decision": "rcpt-dec-c3d4e5f6-a7b8-9012-cdef-123456789012",
"execution": null,
"outcome": "rcpt-out-d4e5f6a7-b8c9-0123-def0-234567890123"
},
"outcome": {
"status": "failed_closed",
"causal_record": "crs-e5f6a7b8-c9d0-1234-ef01-345678901234"
}
}Ready to inspect the full evidence chain?
View Evidence Pack TourExplore PlatformExplore governed proof scenarios