
The closed governance loop: taudit, tsafe, and CellOS as a system

A pipeline audit finds a job with over-broad token scope: org:write on a GITHUB_TOKEN, used in a build job that only needs contents:read. The finding goes into the report. The team adds it to the runbook: "reduce scope before next quarter." Next quarter, nobody has touched it. The audit runs again. Same finding. The taudit scan produces the same output. The over-authority is still there.

The problem isn't that detection failed. Detection worked — taudit found it both times. The problem is that observation and enforcement are completely disconnected. There's no loop. Every governance system I've built or worked with has this gap: find → report → manual action → hope. The report doesn't change what the pipeline does.

Why each tool alone isn't enough

taudit alone finds over-authority in your pipeline graph and produces findings. It doesn't change what the pipeline does at runtime. A finding stays a finding until a human acts on it.

tsafe alone enforces credential scope at exec time. It constrains what a process receives. But it can't see the pipeline graph — it doesn't know which steps are over-authorised or which findings need remediation.

CellOS alone enforces the runtime authority contract for cells. It withholds what isn't declared. But it doesn't retroactively model what was authorised versus what actually ran, and it doesn't feed that back into the audit layer.

Each tool solves one piece. Alone, each produces an artefact — a finding, a constrained exec, an isolated cell — that doesn't automatically connect to the next step in the cycle.

The composed system

The loop is: detect over-authority → constrain the credential injection → enforce at runtime → observe again to verify the constraint held. Each tool owns one step.


Detection triggers remediation. Remediation is enforced at runtime by the execution model. Runtime evidence feeds back into the next scan. The loop is closed.
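A minimal model of that loop, added here as an illustration; it is not code from the original post and does not use the taudit, tsafe or CellOS interfaces. The function names and the sample grants are assumptions, built from the build-job scenario at the top of the post.

```python
"""Toy model of the detect -> constrain -> enforce -> observe loop.
All names are hypothetical; none of this is the taudit, tsafe or CellOS API."""

# Constructed sample: scopes each job is granted vs. what it declares it needs.
GRANTED = {"build": {"contents:read", "org:write"}, "release": {"contents:write"}}
DECLARED = {"build": {"contents:read"}, "release": {"contents:write"}}

def detect(granted, declared):
    """Audit step: report every scope granted beyond the declared need."""
    findings = {}
    for job, scopes in granted.items():
        excess = scopes - declared.get(job, set())
        if excess:
            findings[job] = sorted(excess)
    return findings

def constrain(findings, granted):
    """Remediation step: turn each finding into a per-job allow-list."""
    return {job: granted[job] - set(excess) for job, excess in findings.items()}

def enforce(job, granted, policy):
    """Runtime step: the process receives only scopes the policy allows.
    A job with no policy entry had no finding, so its grant is unchanged."""
    allowed = policy.get(job)
    return set(granted[job]) if allowed is None else granted[job] & allowed

def run_loop(granted, declared):
    """Closed loop: returns (findings before, findings after enforcement)."""
    before = detect(granted, declared)
    policy = constrain(before, granted)
    effective = {job: enforce(job, granted, policy) for job in granted}
    after = detect(effective, declared)  # observe again: did the constraint hold?
    return before, after

def report_only(granted, declared):
    """Open loop: the finding is reported but never changes the grant."""
    return detect(granted, declared), detect(granted, declared)

if __name__ == "__main__":
    print("closed loop:", run_loop(GRANTED, DECLARED))
    print("report only:", report_only(GRANTED, DECLARED))
```

The only difference between the two paths is that `run_loop` feeds the finding into what the job actually receives before scanning again.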

What closes the loop

A governance system that produces reports is an observation system. Useful, but incomplete. A governance system that closes the loop between observation, enforcement, and verification is something qualitatively different. That's what the three tools compose into: not a security tool, but a closed-loop authority management system.