Change & Versioning Semantics

1. Purpose

Auditors and regulators need to understand how time-bound decisions are made, how reports relate to the decisions they capture, and how historical outputs remain valid after new assessments are generated.

2. Decision Timestamping

Every compliance decision records the following information:

• The exact timestamp of creation
• The identity of the actor
• The workspace and framework context
• A hash-chain linking to the previous decision

Timestamps are server-authoritative (UTC). Client-provided timestamps are recorded as metadata only.

3. Point-in-Time Assessment Model

Each SoA assessment is a snapshot of compliance posture at a specific moment.

• No overwrites — assessments do NOT overwrite previous assessments
• Distinct versioned records — each new assessment creates a distinct versioned record
• Historical queryability — previous assessments remain queryable and valid for the period they cover

4. Report Authority

Each generated report carries its own authority through the canonical document structure (Authority & Provenance section).

5. Historical Validity

Historical reports and decisions are never invalidated by new assessments.

A report generated on Date A covering Period X remains a valid record of compliance posture during Period X, even if a new report is generated on Date B.

Auditors should interpret each report within its stated assessment period.

6. Immutability Guarantees

• Once a decision is approved, it cannot be modified
• Once a report is sealed, it cannot be altered
• The audit stream uses append-only hash-chaining for tamper detection
• Governance timeline events are immutable

7. Auditor Interpretation Guide

Use the following reference to locate key information within Govula documents and governance records.