fail-closed means: on any unrecoverable condition the orchestrator stops merging rather than risk a bad commit. budget exceeded -> drain mode (finish in-flight, start nothing new). quality gate fails after max retries -> task goes to the dead-letter queue, not main. agent heartbeat lost -> reaped, work-in-progress preserved in its worktree for inspection. audit chain broken -> bernstein refuses to start. policy-engine denies a tool call -> agent gets a denial, not a workaround. the default posture is to halt and surface the problem rather than auto-recover by guessing. config under .sdd/config.yaml controls thresholds; defaults live in src/bernstein/core/defaults.py.
canonical answer