What Bounda proves
Bounda checks whether a declared decision actually held against the downstream reality it was supposed to control.
- Declared decision: rejected, denied, cancelled or revoked.
- Provider reality: objects, jobs, URLs, credentials, mutations, captures or settlements.
- Consequence graph: what was created after the boundary should have stopped.
- Verdict: HELD, BREACHED or OPEN when proof is incomplete.
The deliverable is an artifact: certificate, ledger, manifest, hashes and replay notes.
Plain-English stop-line
A boundary is the stop-line between a software decision and a real-world consequence. If the decision says rejected, denied, cancelled or revoked, the downstream system should not create money movement, access, data exposure, jobs or tool execution.
| Decision | Consequence that must not happen |
|---|---|
| Payment rejected | No capture, fee, webhook or settlement. |
| Access denied | No credential, token, role or session. |
| AI action blocked | No tool execution, memory write or token burn. |
| Export refused | No signed URL, file, row window or blob. |
Evidence labels
| Label | Meaning |
|---|---|
| MEASURED | Directly observed in receipts, provider exports, ledgers or logs. |
| DERIVED | Calculated from measured evidence, such as exposure windows. |
| MODELLED | Estimated from agreed assumptions, such as operational cost. |
| UNKNOWN | Not claimed until the missing evidence is provided. |
Replay path
Each sample verdict pack includes commands and hashes so a reviewer can see how the artifact shape is verified. Customer packs use scoped transfer and agreed retention rules.
bounda verify --manifest evidence-manifest.sample.json sha256sum -c SHA256SUMS.txt
What Bounda does not claim
- It does not certify an entire company as compliant.
- It does not turn modelled values into measured proof.
- It does not require sensitive data in the public web form.
- It does not replace legal, audit or regulatory advice.