The enforcement happens at the execution boundary. If model output reaches a critical sink (shell, filesystem, credentials, etc.) with untrusted provenance, the runtime blocks the call deterministically.
The repo includes the full attack corpus and proof pack if anyone wants to test the enforcement model locally.. Cheers - Shawn