Enforcement Modes
Enforcement mode controls how strictly a SLAW instance is gated by its enrollment with the Botfather tower. It is set per instance, typically pre-provisioned by IT or MDM.
enforce (default)
A hard startup gate. A SLAW instance shows a blocking gate until it reaches active enrollment.
The critical safety property is fail-open for already-enrolled instances: if an instance was previously enrolled and active, but the tower is temporarily unreachable, the instance continues to run. It does not lock its operator out because of a network blip.
Instances that have never enrolled stay gated until they complete enrollment. This prevents an unmanaged instance from bypassing governance, while ensuring a managed instance is never bricked by tower downtime.
advisory
A soft gate. The instance surfaces its enrollment state but does not block startup. Use advisory mode during rollout, or where you want fleet visibility without hard enforcement.
The startup gate states
Until an instance is active, the SLAW UI shows a gate reflecting the current state:
| State | Meaning |
|---|---|
connecting | Reaching the tower |
pending | Enrolled, awaiting Operator approval in the tower |
rejected | Enrollment was rejected |
active | Approved and running normally |
unreachable | Tower not reachable (enrolled instances fail-open) |
revoked | API key invalidated by the tower |
Locked fields
A locked flag marks configuration fields as MDM read-only, so a pre-provisioned policy can't be changed locally. Enforcement settings are managed in SLAW → Settings → Control Tower.
Next steps
- Self-Hosting — run the tower
- Approvals & Admin — the approval queue
- Reporting Protocol — how instances report in