A clean repository split is not bookkeeping. The contract for what a repository owns — and what it must not — plus a CI gate that fails closed when a change violates it, is where cross-repo authority is actually enforced.
Repository boundaries are usually treated as organization — where files happen to live. Under governance they are enforcement primitives. A boundary states what a repository owns and what it must not, and a CI gate that fails closed on violation is what makes the statement binding. Without the gate, the boundary is a comment.
The logic that governs runtime mutation governs the codebase: ambiguity at the boundary halts, it does not pass. When the repository contract is encoded and the gate refuses non-conforming changes, cross-repo authority is enforced by construction rather than by reviewer vigilance. The boundary becomes a place where authority is decided, not merely described.
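One way such a gate can be written, as an added example that is not code from this page or from any project it describes. The contract format, the sample paths and the exit codes are assumptions; the point is that only a path positively claimed by `owns` and by nothing else passes, and everything else halts.

```python
import posixpath
import sys
from fnmatch import fnmatchcase

# Constructed sample contract (format is an assumption of this example).
CONTRACT = {
    "owns": ["services/billing/*", "docs/billing/*"],
    "must_not": ["services/billing/vendor/identity/*", "policy/*"],
}

def load_ok(contract):
    """A contract the gate cannot fully read is treated as no contract."""
    return (isinstance(contract, dict)
            and all(isinstance(contract.get(k), list) and contract[k]
                    and all(isinstance(g, str) and g for g in contract[k])
                    for k in ("owns", "must_not")))

def classify(path, contract):
    """Return 'allow', 'deny' or 'ambiguous' for one changed path."""
    # Non-canonical paths (.., //, absolute) are never matched, only refused.
    if path.startswith("/") or posixpath.normpath(path) != path:
        return "ambiguous"
    owned = any(fnmatchcase(path, g) for g in contract["owns"])
    forbidden = any(fnmatchcase(path, g) for g in contract["must_not"])
    if owned and not forbidden:
        return "allow"
    if forbidden and not owned:
        return "deny"
    return "ambiguous"  # claimed by both rules, or by neither

def gate(changed, contract):
    """Return (exit_code, blocked); 0 only if every path is positively allowed."""
    if not load_ok(contract):
        return 2, [("<contract>", "ambiguous")]
    findings = [(p, classify(p, contract)) for p in changed]
    blocked = [f for f in findings if f[1] != "allow"]
    return (1 if blocked else 0), blocked

if __name__ == "__main__":
    # In CI the list would come from the diff; paths are read from argv here.
    code, blocked = gate(sys.argv[1:], CONTRACT)
    for path, verdict in blocked:
        print(f"BLOCKED {verdict}: {path}", file=sys.stderr)
    sys.exit(code)
```

A path under an owned tree that also matches a `must_not` rule is reported as ambiguous rather than resolved by rule precedence, so the contract has to be corrected before the change can merge.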