4. Execution Model

The execution model defines how chkpt applies certified workflows. It establishes the rules that ensure each execution is deterministic, remains within its authorised behavioural boundaries, and produces complete evidence suitable for institutional review. The execution model is independent of workflow content and governance processes; it specifies how chkpt behaves when executing a certified workflow version.

4.1 Deterministic Execution

chkpt requires that execution be deterministic. Given the same certified workflow version and the same declared inputs, chkpt must produce the same declared results and the same evidence. Determinism ensures predictability, prevents unauthorised variation, and enables institutions to rely on chkpt as a stable execution substrate. Deterministic behaviour is foundational to the Evidence Model.

4.2 Execution Boundaries

Execution boundaries define the limits within which chkpt must operate. These boundaries are derived from the certified workflow and enforced by chkpt. Execution must not introduce additional behaviour, omit required behaviour, or deviate from the workflow’s authorised structure. Any deviation constitutes a failure condition under this specification. Structural requirements are defined in the Structural Model.

4.3 Admissible Behaviour

Admissible behaviour represents the set of actions, transformations, and state transitions that are permitted during execution. These are defined by the certified workflow and enforced by chkpt. Behaviour outside this set is inadmissible and invalidates the execution. chkpt must detect and prevent inadmissible behaviour at runtime. Admissible behaviour is introduced in the Conceptual Model.

4.4 Intermediate State Validity

Intermediate states produced during execution must remain valid under the workflow’s specification. chkpt must ensure that each intermediate state is structurally sound, consistent with the workflow’s requirements, and capable of producing valid declared results. Invalid intermediate states constitute a failure condition and must be recorded in the evidence record.

4.5 Drift Prevention

Drift occurs when execution diverges from the authorised workflow version. chkpt prevents drift by enforcing strict version alignment, validating admissible behaviour, and ensuring that execution behaviour matches the workflow’s defined structure. Drift prevention is a core requirement for maintaining institutional trust in deterministic execution and is supported by the versioning rules defined in Versioning.

4.6 Failure Conditions

An execution fails under this specification if it violates determinism, exceeds execution boundaries, produces inadmissible behaviour, generates invalid intermediate states, or deviates from the authorised workflow version. Failed executions must not produce declared results and must generate evidence sufficient to support institutional review of the failure.

4.7 Recognition of Execution

An execution is recognised under this specification only if it satisfies all structural and behavioural requirements, binds to a certified workflow version, and produces complete evidence. Recognised executions form the basis for institutional oversight, auditability, and long‑term accountability. Evidence obligations are defined in the Evidence Model.