Assurance Layer
Platform assurance declarations covering access control, visibility governance, auditor isolation, and audit logging.
This section is intended for: Technical Team, Auditor, Management. Unauthorised access is restricted.
1. Purpose
This page provides formal, machine-readable assurance declarations that describe the platform's implemented security and governance controls. These declarations are not aspirational — they reflect the current enforced behaviour of the Govula platform.
Each declaration is verifiable through the API and enforcement code. Where applicable, the specific service or middleware responsible for enforcement is cited, enabling independent verification by auditors, security reviewers, and enterprise evaluators.
For the formal boundaries of what the platform does and does not assert, refer to the Auditor Scope & Limitations declaration.
2. RBAC Guarantees
The following role-based access control guarantees are enforced across all platform operations:
| Guarantee | Enforcement | Verifiable |
|---|---|---|
| Every API endpoint is protected by role-based middleware | middleware/auth.ts, middleware/authorize.ts | Yes |
| Separation of duties: preparers cannot approve their own decisions | governanceConstitutionService.ts | Yes |
| Admin-only operations: workspace binding, entitlement management, user provisioning | requireRole('admin') middleware | Yes |
| Auditor access is read-only; no write operations permitted | workspaceAccess.ts, projectionService.ts | Yes |
| Role assignments are immutable during active sessions | JWT-based session tokens | Yes |
| Platform operator actions are logged separately from tenant actions | operatorConsole.ts, auditLogService.ts | Yes |
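As an added illustration of the first two guarantees in the table (role-gated endpoints and separation of duties), the following TypeScript is example code written for this page; it is not Govula's `middleware/auth.ts`, `middleware/authorize.ts` or `governanceConstitutionService.ts`. The `Request`, `Response` and `Next` shapes are hypothetical stand-ins for an Express-style framework so that the file runs with no dependencies, and `runMiddleware` exists only to exercise the middleware offline.

```typescript
// Example RBAC middleware and separation-of-duties check (added illustration,
// not Govula's own code). Request/Response/Next are hypothetical stand-ins for
// an Express-style framework so this runs without dependencies.

export type Role = 'admin' | 'preparer' | 'approver' | 'auditor';

export interface Request {
  method: string;
  // Set by an upstream authentication step (session-token validation);
  // absent when the caller is unauthenticated.
  user?: { id: string; roles: Role[] };
}
export interface Response {
  statusCode: number;
  body?: unknown;
  status(code: number): Response;
  json(payload: unknown): Response;
}
export type Next = () => void;
export type Middleware = (req: Request, res: Response, next: Next) => void;

const READ_ONLY_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// requireRole: the request proceeds only if the caller holds one of the allowed
// roles. Callers whose only role is 'auditor' are further limited to read-only
// HTTP methods, so an auditor can never reach a write operation.
export function requireRole(...allowed: Role[]): Middleware {
  return (req, res, next) => {
    if (!req.user) {
      res.status(401).json({ error: 'authentication required' });
      return;
    }
    const held = req.user.roles;
    if (!allowed.some((role) => held.includes(role))) {
      res.status(403).json({ error: 'insufficient role' });
      return;
    }
    const auditorOnly = held.length > 0 && held.every((role) => role === 'auditor');
    if (auditorOnly && !READ_ONLY_METHODS.has(req.method.toUpperCase())) {
      res.status(403).json({ error: 'auditor access is read-only' });
      return;
    }
    next();
  };
}

export interface Decision {
  id: string;
  preparedBy: string;
  approvedBy?: string;
}

// approveDecision: separation of duties; whoever prepared a decision cannot approve it.
export function approveDecision(decision: Decision, approverId: string): Decision {
  if (decision.preparedBy === approverId) {
    throw new Error(`separation of duties: ${approverId} prepared ${decision.id} and cannot approve it`);
  }
  return { ...decision, approvedBy: approverId };
}

// runMiddleware: drive one middleware with a fake response so the outcome is inspectable.
export function runMiddleware(mw: Middleware, req: Request): { status: number; passed: boolean } {
  let passed = false;
  const res: Response = {
    statusCode: 200,
    status(code: number) {
      this.statusCode = code;
      return this;
    },
    json(payload: unknown) {
      this.body = payload;
      return this;
    },
  };
  mw(req, res, () => {
    passed = true;
  });
  return { status: res.statusCode, passed };
}

// Usage with constructed requests: an admin passes, a preparer is refused.
const adminOnly = requireRole('admin');
console.log(runMiddleware(adminOnly, { method: 'POST', user: { id: 'u1', roles: ['admin'] } }));
console.log(runMiddleware(adminOnly, { method: 'POST', user: { id: 'u2', roles: ['preparer'] } }));
```

The read-only restriction is applied inside the role check rather than per route, so a misconfigured route that lists `'auditor'` among its roles still cannot expose a write operation to an auditor.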
3. Audience-Bound Workspace Visibility
Workspace visibility is governed by audience bindings. The following guarantees ensure that each audience type sees only the workspace content they are authorised to access:
- Each audience type is bound to exactly one authoritative workspace
- Workspace bindings require AUTHORISED status
- Binding changes are logged with full provenance (who, when, IP, user agent)
- Locked bindings cannot be modified without explicit unlock
- Report scope resolves automatically from audience binding
4. Auditor Isolation Rules
Auditor access is subject to strict isolation controls that prevent cross-workspace data leakage and ensure audit integrity:
- Auditor access requires locked workspace binding
- Auditor reports include mandatory lineage appendix
- Auditor workspace binding changes require admin authorization
- Auditor report scope validation prevents cross-workspace data leakage
- Single authoritative workspace enforced per auditor audience
5. Access Logging & Auditability
All platform operations are subject to comprehensive audit logging with tamper-detection guarantees:
- All governance actions are logged to an immutable audit stream
- Audit stream uses blockchain-style hash chaining for tamper detection
- Binding audit entries track old/new state with actor identity
- Identity attribution on all compliance operations (no anonymous actions)
- Audit log entries are append-only; no modification or deletion
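The hash-chained, append-only stream described above, as an added example that is not Govula's `auditLogService.ts`: each entry carries the hash of its predecessor, so editing, inserting or removing any entry before the end of the chain changes a hash that later entries commit to, and `verifyChain` reports the first sequence number at which the chain no longer holds. The entry shape and the `AuditStream` class are assumptions made for this example; it uses Node's built-in `crypto` module only.

```typescript
import { createHash } from 'crypto';

// Added illustration (not Govula's own code): an append-only audit stream whose
// entries are hash-chained so that tampering is detectable on verification.

export interface AuditEntry {
  seq: number;
  timestamp: string;
  actor: string;     // identity attribution: every entry names who acted
  action: string;
  oldState: unknown; // state before the change (e.g. a binding's previous status)
  newState: unknown; // state after the change
  prevHash: string;  // hash of the preceding entry, or GENESIS for the first entry
  hash: string;      // SHA-256 over this entry's own fields, prevHash included
}

export const GENESIS = '0'.repeat(64);

function sha256Hex(data: string): string {
  return createHash('sha256').update(data).digest('hex');
}

// Deterministic serialisation: a fixed field order keeps the hash reproducible.
function canonical(e: Omit<AuditEntry, 'hash'>): string {
  return JSON.stringify([e.seq, e.timestamp, e.actor, e.action, e.oldState, e.newState, e.prevHash]);
}

export class AuditStream {
  private readonly entries: AuditEntry[] = [];

  // append is the only mutating operation; there is deliberately no update or delete.
  append(
    actor: string,
    action: string,
    oldState: unknown,
    newState: unknown,
    timestamp: string = new Date().toISOString(),
  ): AuditEntry {
    if (!actor) throw new Error('audit entries must be attributed to an actor');
    const last = this.entries[this.entries.length - 1];
    const prevHash = last ? last.hash : GENESIS;
    const body = { seq: this.entries.length, timestamp, actor, action, oldState, newState, prevHash };
    const entry: AuditEntry = Object.freeze({ ...body, hash: sha256Hex(canonical(body)) });
    this.entries.push(entry);
    return entry;
  }

  get length(): number {
    return this.entries.length;
  }

  // Returns copies; readers never receive the internal array.
  snapshot(): AuditEntry[] {
    return this.entries.map((e) => ({ ...e }));
  }
}

// verifyChain recomputes every hash, checks the link to the previous entry and
// checks that sequence numbers are contiguous, returning the first bad seq.
export function verifyChain(entries: readonly AuditEntry[]): { ok: boolean; firstBadSeq: number | null } {
  let prev = GENESIS;
  let expectedSeq = 0;
  for (const e of entries) {
    const { hash, ...body } = e;
    if (e.seq !== expectedSeq || e.prevHash !== prev || sha256Hex(canonical(body)) !== hash) {
      return { ok: false, firstBadSeq: e.seq };
    }
    prev = hash;
    expectedSeq += 1;
  }
  return { ok: true, firstBadSeq: null };
}

// Usage with constructed entries: a valid chain verifies, an edited copy does not.
const demo = new AuditStream();
demo.append('admin:alice', 'binding.authorise', { status: 'PENDING' }, { status: 'AUTHORISED' }, '2024-01-01T00:00:00Z');
demo.append('admin:alice', 'binding.lock', { locked: false }, { locked: true }, '2024-01-01T00:01:00Z');
const edited = demo.snapshot();
edited[1].newState = { locked: false };
console.log(verifyChain(demo.snapshot()), verifyChain(edited));
```

Hash chaining alone does not detect removal of the newest entries, since nothing commits to them yet; a deployment that needs that property also anchors the latest hash externally (for example by periodically recording it in a separate store).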
6. Governance Enforcement & Integrity Controls
Governance Guardrails (Pre-flight Validation)
Govula enforces governance correctness through deterministic pre-flight validation. Before a workspace can be activated or an authoritative report generated, the platform verifies that minimum governance conditions are satisfied — including framework applicability, control mapping, and ownership assignment.
These checks exist to prevent the creation or publication of incomplete, misleading, or non-defensible compliance artefacts. They do not introduce interpretation, scoring, or automated judgement.
If a pre-flight validation fails, no existing artefacts are altered. The system provides explicit remediation guidance, and governance authority remains unchanged until requirements are met.
Pre-flight validation is enforced at the following governance checkpoints:
| Checkpoint | Required conditions |
|---|---|
| Workspace Activation | Framework bound, controls mapped, ownership assigned |
| Report Generation | Workspace authorised, framework enabled, no duplicate bindings |
| Auditor Access Enablement | Binding locked, single authoritative workspace |
Pre-flight checks cannot be bypassed. They are enforced at the service layer, not the UI layer. These checks are protective integrity mechanisms — they do not constitute automated decision-making or policy interpretation.
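The three checkpoints above, together with the binding rules from the Audience-Bound Workspace Visibility and Auditor Isolation sections (AUTHORISED status, locked binding, single authoritative workspace per auditor audience), as an added example that is not Govula's own service code. Each check is a pure function: it reads the workspace, alters nothing, and returns pass/fail with remediation guidance, which is the behaviour the text describes for a failed pre-flight. The `Workspace`, `Control` and `WorkspaceBinding` shapes are assumptions made for this example.

```typescript
// Added illustration (not Govula's own code): deterministic pre-flight checks for
// workspace activation, report generation and auditor access enablement.
// The data shapes below are assumptions for this example.

export type Audience = 'technical' | 'auditor' | 'management';
export type BindingStatus = 'PENDING' | 'AUTHORISED' | 'REVOKED';

export interface WorkspaceBinding {
  audience: Audience;
  status: BindingStatus;
  locked: boolean;
}
export interface Control {
  id: string;
  mappedTo?: string; // framework requirement this control is mapped to
  owner?: string;    // accountable owner
}
export interface Workspace {
  id: string;
  framework?: { name: string; enabled: boolean };
  controls: Control[];
  bindings: WorkspaceBinding[];
}
export interface PreflightResult {
  checkpoint: string;
  passed: boolean;
  remediation: string[]; // empty when the check passes
}

function result(checkpoint: string, remediation: string[]): PreflightResult {
  return { checkpoint, passed: remediation.length === 0, remediation };
}

// Workspace Activation: framework bound, every control mapped, every control owned.
export function preflightWorkspaceActivation(ws: Workspace): PreflightResult {
  const r: string[] = [];
  if (!ws.framework) r.push('bind a compliance framework to the workspace');
  const unmapped = ws.controls.filter((c) => !c.mappedTo).map((c) => c.id);
  if (unmapped.length > 0) r.push(`map controls to framework requirements: ${unmapped.join(', ')}`);
  const unowned = ws.controls.filter((c) => !c.owner).map((c) => c.id);
  if (unowned.length > 0) r.push(`assign an owner to controls: ${unowned.join(', ')}`);
  return result('workspace-activation', r);
}

// Report Generation: binding AUTHORISED for the audience, framework enabled,
// no audience bound to more than one workspace binding.
export function preflightReportGeneration(ws: Workspace, audience: Audience): PreflightResult {
  const r: string[] = [];
  const forAudience = ws.bindings.filter((b) => b.audience === audience);
  if (!forAudience.some((b) => b.status === 'AUTHORISED')) {
    r.push(`workspace binding for audience '${audience}' must have AUTHORISED status`);
  }
  if (!ws.framework?.enabled) r.push('enable the bound framework before generating reports');
  const counts: Record<string, number> = {};
  for (const b of ws.bindings) counts[b.audience] = (counts[b.audience] ?? 0) + 1;
  const dups = Object.keys(counts).filter((a) => counts[a] > 1);
  if (dups.length > 0) r.push(`remove duplicate bindings for audience(s): ${dups.join(', ')}`);
  return result('report-generation', r);
}

// Auditor Access Enablement: exactly one auditor binding, and it must be locked.
export function preflightAuditorAccess(ws: Workspace): PreflightResult {
  const r: string[] = [];
  const auditorBindings = ws.bindings.filter((b) => b.audience === 'auditor');
  if (auditorBindings.length !== 1) {
    r.push(`exactly one authoritative auditor binding is required (found ${auditorBindings.length})`);
  }
  if (auditorBindings.some((b) => !b.locked)) {
    r.push('lock the auditor workspace binding (admin action) before enabling auditor access');
  }
  return result('auditor-access', r);
}

// Usage with a constructed workspace that is not yet ready for activation.
const draft: Workspace = {
  id: 'ws-example',
  controls: [{ id: 'C1', mappedTo: 'R1' }, { id: 'C2', owner: 'owner-a' }],
  bindings: [{ audience: 'auditor', status: 'PENDING', locked: false }],
};
console.log(preflightWorkspaceActivation(draft));
console.log(preflightAuditorAccess(draft));
```

Because the checks live in plain functions that any service can call before it commits a change, the UI cannot skip them, and a failed check returns guidance without touching the workspace it inspected.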