Per-tenant boolean (and small-enum) toggles read at the start of each protected route. Flags never replace authorisation; they shape the surface area a tenant can see and act on.

Feature flags

The boundary between Govula and a target system. Each adapter declares the targets it accepts, validates them, runs a simulation pass, and returns a rollback handle alongside the action result.

Execution adapters

The recorded sequence of named human approvers required for a binding state change. The chain shape is policy-defined; the gate refuses to mutate state without the configured approvers on the row.

Approval chains

A single switch that halts all new state-changing routes across the estate. Read paths and the audit ledger remain reachable; in-flight work completes on its existing path.

SAFE_MODE — global kill switch

Every enforcement action carries a rollback handle. Reversal invokes the stored handle and writes a new ledger row that links to the original action.

Reversible controls

Approval Chain Gate

Hash-Chained Audit Ledger

SAFE_MODE Global Kill Switch

Bounded reversible enforcement layer. Carries out human-approved governance actions inside declared policy budgets; every action is simulation-first with an explicit rollback handle.

CEAL-2 Operational Enforcement Layer

Records the named human actor who authorised every binding governance state change. AI may draft and recommend; the gate refuses to mutate state without a human approver on the chain.

Single switch that halts all new state-changing routes across the estate. Read paths and the audit ledger remain available; in-flight actions complete on their existing path.

Append-only forensic ledger using SHA-256 integrity hashing across three distinct logs (audit_log, tenant_operation_log, operator_audit_events). Each ledger is made immutable by Postgres DO INSTEAD NOTHING rules.

Recomputes the hash chain end-to-end and writes the outcome of the replay back into the audit ledger. Establishes that the historical record has not been tampered with since the last verified row.

Audit Replay Verifier

Step-up elevation for internal operators. Combines an operators row, time-boxed sessions, recent-auth step-up, one-active-session-per-operator supersede, and per-capability gates orthogonal to the role-based authorize() gate.

Operator Elevation (Phase A + B)

Postgres Row-Level Security in STRICT mode plus a single hardened repository module whose raw client accessor is hard-thrown. Tenant isolation is structural, not advisory.

Tenant Row-Level Security (STRICT mode)

AI in Govula is recommendation-only. The intelligence layer may analyse, suggest, and draft. It may not approve, sign, publish, or mutate governance state. Recommendation pipelines that produce governance artefacts are audited.

AI Recommendation Layer

Investor Response Engine alerts the founder exactly once per session via an atomic UPDATE … WHERE alerted_at IS NULL claim. Missing transport configuration releases the claim so a later configuration heals retroactively.

Founder Alerts (one-shot atomic claim)

Per-tenant adoption mode (Observation / Guided / Enforced) that adjusts the friction of the approval gate without changing the underlying authority boundary. AI remains recommendation-only in every mode.

Tenant Governance Modes (Adoption Foundations)

What is DIL?

What is DTEL?

What is FIL?

What is GSCL?

What is SSIAL?

One organisation using Govula. Data, users, and decisions belong to a tenant; tenants never see each other. A row-level-security boundary in PostgreSQL. Application access flows through a single repository (src/repositories/database.ts) that sets app.tenant_id on every query; cross-tenant reads return zero rows by design.

one organisation using govula. data, users, and decisions belong to a tenant; tenants never see each other. a row-level-security boundary in postgresql. application access flows through a single repository (src/repositories/database.ts) that sets app.tenant_id on every query; cross-tenant reads return zero rows by design.

Tenant

tenant

A compliance scope inside a tenant. Typically aligns to one framework (e.g. ISO 27001). A logical partition inside a tenant carrying exactly one authoritative framework. Evidence, controls, and SoA decisions are scoped to the workspace.

a compliance scope inside a tenant. typically aligns to one framework (e.g. iso 27001). a logical partition inside a tenant carrying exactly one authoritative framework. evidence, controls, and soa decisions are scoped to the workspace.

Workspace

workspace

A platform-side user (Govula employee) who can elevate into a time-boxed session to act across tenants. A row in the operators table. Operator authority is separate from authentication — every internal-ops action requires both a logged-in operator AND an active elevated session AND a per-capability grant.

a platform-side user (govula employee) who can elevate into a time-boxed session to act across tenants. a row in the operators table. operator authority is separate from authentication — every internal-ops action requires both a logged-in operator and an active elevated session and a per-capability grant.

Operator

operator

A short, separately-authenticated session that an operator must obtain before performing any internal action. A time-boxed operator_sessions row created via step-up auth. requireOperatorElevation() middleware gates every internal-ops route; sessions supersede on new logins (one active per operator).

a short, separately-authenticated session that an operator must obtain before performing any internal action. a time-boxed operator_sessions row created via step-up auth. requireoperatorelevation() middleware gates every internal-ops route; sessions supersede on new logins (one active per operator).

Elevation

elevation

A single named permission an operator can exercise during an elevation (e.g. "grant entitlement"). A catalogued permission key. Resolved per-operator at gate time by getOperatorCapabilities(); Phase C capabilities are flagged phase_c_locked and stripped even when granted.

a single named permission an operator can exercise during an elevation (e.g. "grant entitlement"). a catalogued permission key. resolved per-operator at gate time by getoperatorcapabilities(); phase c capabilities are flagged phase_c_locked and stripped even when granted.

Capability

capability

A tenant-scoped feature grant — what a tenant is allowed to use. Evaluated by the Entitlement Engine v2 in this resolution order: global flag → operational lifecycle → org entitlement → contract → tier + override.

a tenant-scoped feature grant — what a tenant is allowed to use. evaluated by the entitlement engine v2 in this resolution order: global flag → operational lifecycle → org entitlement → contract → tier + override.

Entitlement

entitlement

Any governed action a tenant user takes. Every decision is recorded with who took it and why. A row written to audit_log (and, for governance-class actions, to the decision tables). Carries actor_id, action, target, integrity hash, and approval lineage.

any governed action a tenant user takes. every decision is recorded with who took it and why. a row written to audit_log (and, for governance-class actions, to the decision tables). carries actor_id, action, target, integrity hash, and approval lineage.

Decision

decision

The category of a decision (informational, advisory, recommendatory, constrained, binding). Approval requirements scale with the class. One of INFORMATIONAL · ADVISORY · RECOMMENDATORY · CONSTRAINED_DECISION · BINDING_GOVERNANCE_DECISION. Service-layer checks enforce class-specific approval chains and separation of duties.

the category of a decision (informational, advisory, recommendatory, constrained, binding). approval requirements scale with the class. one of informational · advisory · recommendatory · constrained_decision · binding_governance_decision. service-layer checks enforce class-specific approval chains and separation of duties.

Decision Class

decision class

The right to initiate or approve a specific class of decision. Declared in the governance constitution and enforced by service-layer checks before any state mutation.

the right to initiate or approve a specific class of decision. declared in the governance constitution and enforced by service-layer checks before any state mutation.

Authority

authority

The rule that the person who proposes a decision cannot also approve it. Enforced in the service layer; recorded structurally on the decision row via initiated_by and approved_by fields. A null-or-equal pairing is rejected.

the rule that the person who proposes a decision cannot also approve it. enforced in the service layer; recorded structurally on the decision row via initiated_by and approved_by fields. a null-or-equal pairing is rejected.

Separation of Duties (SoD)

separation of duties (sod)

Once a decision is approved, the record and the evidence it references can no longer be edited or deleted. Enforced by Postgres DO INSTEAD NOTHING rules on the immutable tables. Corrections must be new rows that reference the prior row.

once a decision is approved, the record and the evidence it references can no longer be edited or deleted. enforced by postgres do instead nothing rules on the immutable tables. corrections must be new rows that reference the prior row.

Lock and Immutability

lock and immutability

How defensible a piece of data is. Authoritative is audit-grade; supporting is working data; contextual is informational only. AUTHORITATIVE (locked, auditor-visible) · SUPPORTING (working data) · CONTEXTUAL (metrics, AI suggestions, never audit-defensible alone). Surfaces filter reads by truth level.

how defensible a piece of data is. authoritative is audit-grade; supporting is working data; contextual is informational only. authoritative (locked, auditor-visible) · supporting (working data) · contextual (metrics, ai suggestions, never audit-defensible alone). surfaces filter reads by truth level.

Truth Level

truth level

A document or record that supports a control. Scoped to one tenant, one workspace, one control. A row in the evidence tables carrying tenant_id, workspace_id, control_id, freshness, and quality score. Never shared across tenants.

a document or record that supports a control. scoped to one tenant, one workspace, one control. a row in the evidence tables carrying tenant_id, workspace_id, control_id, freshness, and quality score. never shared across tenants.

Evidence

evidence

A formal document listing every control in a framework, whether it applies, and why. Per-workspace structured record. AI drafts the narrative; a named human approves before any state mutates.

a formal document listing every control in a framework, whether it applies, and why. per-workspace structured record. ai drafts the narrative; a named human approves before any state mutates.

Statement of Applicability (SoA)

statement of applicability (soa)

The tamper-evident log of every governed action. New rows can be added; existing rows cannot be edited or deleted. The audit_log table, made immutable by a DO INSTEAD NOTHING rule. Each row carries integrity_hash = SHA256(tenant|actor|action|target_type|target_id|created_at|after_state). request_id is recorded but not in the hash so the format is release-stable.

the tamper-evident log of every governed action. new rows can be added; existing rows cannot be edited or deleted. the audit_log table, made immutable by a do instead nothing rule. each row carries integrity_hash = sha256(tenant|actor|action|target_type|target_id|created_at|after_state). request_id is recorded but not in the hash so the format is release-stable.

Audit Chain

audit chain

The chain of integrity hashes that makes the audit log tamper-evident. Tampering with any row breaks every later hash. Govula maintains three distinct hash chains with different payloads: audit_log (general), tenant_operation_log (tenant-side governed ops), operator_audit_events (platform-side operator actions). Do not conflate payloads.

the chain of integrity hashes that makes the audit log tamper-evident. tampering with any row breaks every later hash. govula maintains three distinct hash chains with different payloads: audit_log (general), tenant_operation_log (tenant-side governed ops), operator_audit_events (platform-side operator actions). do not conflate payloads.

Hash Lineage

hash lineage

On-demand recomputation of the audit chain from scratch to confirm nothing has been tampered with. The replay itself is logged. Triggered via force_audit_replay_validation in Tenant Operations. Recomputes every integrity_hash end-to-end, compares against stored values, and writes the verdict back into the audit log.

on-demand recomputation of the audit chain from scratch to confirm nothing has been tampered with. the replay itself is logged. triggered via force_audit_replay_validation in tenant operations. recomputes every integrity_hash end-to-end, compares against stored values, and writes the verdict back into the audit log.

Replay

replay

A platform-wide switch that blocks every state-changing route. Used during incidents and operator freezes. Middleware-level guard that returns 503 on any non-read route when on. Operator surfaces remain readable; governance state cannot mutate.

a platform-wide switch that blocks every state-changing route. used during incidents and operator freezes. middleware-level guard that returns 503 on any non-read route when on. operator surfaces remain readable; governance state cannot mutate.

SAFE_MODE

safe_mode

A divergence between what governance should look like and what it actually looks like (stale evidence, missing controls). Detected by driftDetectionService; surfaces in the operator queue with a recommended remediation. The detection runs in the read path and never mutates governance state.

a divergence between what governance should look like and what it actually looks like (stale evidence, missing controls). detected by driftdetectionservice; surfaces in the operator queue with a recommended remediation. the detection runs in the read path and never mutates governance state.

Drift

drift

A frontend mode that freezes relative timestamps so demo recordings do not drift. Activated via the ?recording=true query parameter on any public surface. Pure presentation; no governance behaviour changes.

a frontend mode that freezes relative timestamps so demo recordings do not drift. activated via the ?recording=true query parameter on any public surface. pure presentation; no governance behaviour changes.

Recording Mode

recording mode

A tenant's commercial agreement record. Drives access lifecycle (trial, active, paused, suspended, expired, renewal pending). A frozen Contract record in the Enterprise Control Center FSM (TRIAL · ACTIVE · PAUSED · SUSPENDED · EXPIRED · RENEWAL_PENDING) with a deterministic transition table and append-only audit log.

a tenant's commercial agreement record. drives access lifecycle (trial, active, paused, suspended, expired, renewal pending). a frozen contract record in the enterprise control center fsm (trial · active · paused · suspended · expired · renewal_pending) with a deterministic transition table and append-only audit log.

Contract

contract

The five-step journey from deploying Govula to the first user signing in: Activate Organization · Confirm Deployment · Grant Access · Start Using Platform. Deterministic resolveDeploymentSuccessState(hint) with frozen states READY / ACTIVE / RESTRICTED / PENDING_ACTIVATION; rendered at /enterprise/activation.

the five-step journey from deploying govula to the first user signing in: activate organization · confirm deployment · grant access · start using platform. deterministic resolvedeploymentsuccessstate(hint) with frozen states ready / active / restricted / pending_activation; rendered at /enterprise/activation.

Activation

activation

A deployment posture where a tenant runs Govula on dedicated infrastructure with its own operator boundary. Planned. Single-tenant deployment is achievable today via the deployment hub, but the dedicated sovereign-tenant operator boundary is not yet wired.

a deployment posture where a tenant runs govula on dedicated infrastructure with its own operator boundary. planned. single-tenant deployment is achievable today via the deployment hub, but the dedicated sovereign-tenant operator boundary is not yet wired.

Sovereign Tenant

sovereign tenant

A federation layer letting independent Govula deployments exchange signed governance messages. Ed25519-signed envelope exchange between deployments. Wire format is the Governance Protocol Standard.

a federation layer letting independent govula deployments exchange signed governance messages. ed25519-signed envelope exchange between deployments. wire format is the governance protocol standard.

Cross-Organization Governance Network (COGN)

cross-organization governance network (cogn)

The wire format Govula deployments use to exchange signed governance messages. Six-field Ed25519-signed envelope. Verify endpoint is intentionally public (rate-limited); onboard endpoint is currently unauthenticated by bug (tracked).

the wire format govula deployments use to exchange signed governance messages. six-field ed25519-signed envelope. verify endpoint is intentionally public (rate-limited); onboard endpoint is currently unauthenticated by bug (tracked).

Governance Protocol Standard (GPS)

governance protocol standard (gps)

The only sanctioned shape for AI in Govula. AI may analyse, suggest, and draft — but never approves, signs, publishes, or mutates governance state. Every binding state change is taken by a named human and recorded as such. The aiService.ts helper does not yet route prompt completions through the audit log — tracked as Beta.

the only sanctioned shape for ai in govula. ai may analyse, suggest, and draft — but never approves, signs, publishes, or mutates governance state. every binding state change is taken by a named human and recorded as such. the aiservice.ts helper does not yet route prompt completions through the audit log — tracked as beta.

AI-Assisted Recommendation

ai-assisted recommendation

Actions Govula may take on its own — strictly limited to safe, reversible, fully-logged operations inside a declared envelope. Implemented as approval-chained enforcement adapters that refuse outside their declared envelope and log every attempt (including the refusal).

actions govula may take on its own — strictly limited to safe, reversible, fully-logged operations inside a declared envelope. implemented as approval-chained enforcement adapters that refuse outside their declared envelope and log every attempt (including the refusal).

Bounded Autonomy

bounded autonomy

The single read of what currently exists in the governance stack. Operators see this as a stable orientation surface. Consumes upstream registries; outputs a stateCard with systemMode + health. Degraded mode surfaces a clearly-flagged stale state rather than silently defaulting. Cannot decide, cannot enforce, cannot mutate.

the single read of what currently exists in the governance stack. operators see this as a stable orientation surface. consumes upstream registries; outputs a statecard with systemmode + health. degraded mode surfaces a clearly-flagged stale state rather than silently defaulting. cannot decide, cannot enforce, cannot mutate.

Governance System Consolidation Layer (GSCL)

governance system consolidation layer (gscl)

The recommended-action queue. Tells operators what the system suggests doing next. Consumes audit + telemetry signals; outputs an ordered operatorPriorityQueue and a recommendedMode. Read-only guidance — never approves, never executes. Degraded mode returns an empty queue plus a HOLD recommendedMode.

the recommended-action queue. tells operators what the system suggests doing next. consumes audit + telemetry signals; outputs an ordered operatorpriorityqueue and a recommendedmode. read-only guidance — never approves, never executes. degraded mode returns an empty queue plus a hold recommendedmode.

Failure Intelligence Layer (FIL)

failure intelligence layer (fil)

The yes/no gate. Tells operators what the system will allow or block. Consumes invariant declarations; outputs decision + allowedActions + blockedActions + systemInvariantState. Degraded mode collapses to BLOCK on any unknown — safe-by-default closure, never fail-open.

the yes/no gate. tells operators what the system will allow or block. consumes invariant declarations; outputs decision + allowedactions + blockedactions + systeminvariantstate. degraded mode collapses to block on any unknown — safe-by-default closure, never fail-open.

Deployment Invariant Layer (DIL)

deployment invariant layer (dil)

The read-only stress mirror. Shows operators which subsystems are unstable, without changing anything. Consumes cross-layer signals; outputs cascadeRiskLevel + failureDomains + rule-conflict matrix. Never influences FIL or DIL. Degraded mode returns the existing report with degradedSubsystems populated.

the read-only stress mirror. shows operators which subsystems are unstable, without changing anything. consumes cross-layer signals; outputs cascaderisklevel + failuredomains + rule-conflict matrix. never influences fil or dil. degraded mode returns the existing report with degradedsubsystems populated.

System Stress and Integrity Audit Layer (SSIAL)

system stress and integrity audit layer (ssial)

The single canonical truth model behind every Govula documentation surface. One concept lives in one place; pages derive their content from the same registry. Five-layer composition: feature-registry · execution-model · knowledge-engine · documentation-compiler · docos-orchestrator. Read-only API at /api/v1/docos/*.

the single canonical truth model behind every govula documentation surface. one concept lives in one place; pages derive their content from the same registry. five-layer composition: feature-registry · execution-model · knowledge-engine · documentation-compiler · docos-orchestrator. read-only api at /api/v1/docos/*.

Documentation Operating System (DOCOS)

documentation operating system (docos)

The semantic substrate beneath DOCOS: the glossary, the terminology middleware that injects definitions consistently, and the search intelligence that understands acronyms and synonyms. Three pure modules in src/governance/docs-os/: glossary-registry · terminology-middleware · search-intelligence. All other documentation work layers on top of KSC.

the semantic substrate beneath docos: the glossary, the terminology middleware that injects definitions consistently, and the search intelligence that understands acronyms and synonyms. three pure modules in src/governance/docs-os/: glossary-registry · terminology-middleware · search-intelligence. all other documentation work layers on top of ksc.

Knowledge System Core (KSC)

knowledge system core (ksc)

Governance System Consolidation Layer — the single read of "what currently exists" in the governance stack. Consumes upstream registries, outputs a stateCard with systemMode + health. Operators see this as a stable orientation surface; in degraded mode the layer surfaces a clearly-flagged stale state and does not fall back to silent defaults. Cannot decide, cannot enforce, cannot mutate.

governance system consolidation layer — the single read of "what currently exists" in the governance stack. consumes upstream registries, outputs a statecard with systemmode + health. operators see this as a stable orientation surface; in degraded mode the layer surfaces a clearly-flagged stale state and does not fall back to silent defaults. cannot decide, cannot enforce, cannot mutate.

what is gscl?

Failure Intelligence Layer — produces the recommended-action queue ("what the system suggests"). Consumes audit + telemetry signals, outputs an ordered operatorPriorityQueue and a recommendedMode. Operators read FIL as guidance only; FIL never approves and never executes. Degraded mode returns an empty queue plus a HOLD recommendedMode rather than guessing.

failure intelligence layer — produces the recommended-action queue ("what the system suggests"). consumes audit + telemetry signals, outputs an ordered operatorpriorityqueue and a recommendedmode. operators read fil as guidance only; fil never approves and never executes. degraded mode returns an empty queue plus a hold recommendedmode rather than guessing.

what is fil?

Deployment Invariant Layer — the deterministic constraint gate ("what the system allows"). Consumes invariant declarations, outputs decision + allowedActions + blockedActions + systemInvariantState. Operators see this as the final yes/no surface. In degraded mode DIL collapses to BLOCK on any unknown — a safe-by-default closure rather than a fail-open permit.

deployment invariant layer — the deterministic constraint gate ("what the system allows"). consumes invariant declarations, outputs decision + allowedactions + blockedactions + systeminvariantstate. operators see this as the final yes/no surface. in degraded mode dil collapses to block on any unknown — a safe-by-default closure rather than a fail-open permit.

what is dil?

System Stress & Integrity Audit Layer — the read-only stress mirror ("what is unstable"). Consumes cross-layer signals, outputs cascadeRiskLevel + failureDomains + rule-conflict matrix. Operators read SSIAL as a diagnostic, not a directive; it never influences FIL or DIL. Degraded mode returns the existing report with degradedSubsystems populated.

system stress & integrity audit layer — the read-only stress mirror ("what is unstable"). consumes cross-layer signals, outputs cascaderisklevel + failuredomains + rule-conflict matrix. operators read ssial as a diagnostic, not a directive; it never influences fil or dil. degraded mode returns the existing report with degradedsubsystems populated.

what is ssial?

DOCOS Truth Enforcement Layer — observability over documentation truth ("what may be inconsistent"). Consumes feature registry + KB + endpoint inventory, outputs a driftReport. Operators read this as a freshness lens; DTEL never edits docs and never enforces. Degraded mode reports DRIFT_DETECTED with an explicit summary.

docos truth enforcement layer — observability over documentation truth ("what may be inconsistent"). consumes feature registry + kb + endpoint inventory, outputs a driftreport. operators read this as a freshness lens; dtel never edits docs and never enforces. degraded mode reports drift_detected with an explicit summary.

what is dtel?

Enterprise Trust + Resilience Hardening Layer — a categorical summary of trust posture ("how trustworthy the system currently is"). Pure projection over trust-failure arrays; produces HIGH / MEDIUM / LOW. Cannot mutate trust state; cannot grant or revoke authority. Degraded mode collapses to LOW.

enterprise trust + resilience hardening layer — a categorical summary of trust posture ("how trustworthy the system currently is"). pure projection over trust-failure arrays; produces high / medium / low. cannot mutate trust state; cannot grant or revoke authority. degraded mode collapses to low.

What is ETRHL?

what is etrhl?

Governance Operations Consolidation — the primary operator-readable lens ("single operational view"). Pure compositional projection of GSCL + FIL + DIL + SSIAL + DOCOS + DTEL + ETRHL into one SystemOperationalView. No scoring, no decision authority, never mutates upstream. Degraded mode returns the spec-defined safety fallback so the operator surface stays readable under every upstream failure.

governance operations consolidation — the primary operator-readable lens ("single operational view"). pure compositional projection of gscl + fil + dil + ssial + docos + dtel + etrhl into one systemoperationalview. no scoring, no decision authority, never mutates upstream. degraded mode returns the spec-defined safety fallback so the operator surface stays readable under every upstream failure.

What is GOC?

what is goc?

Production Certification & Stress Validation — the adversarial harness ("does the system survive stress correctly?"). Runs 8 deterministic stress scenarios against the existing GOC orchestrator and reports a single certification (PASS / PASS_WITH_DEGRADATION / FAIL_SAFE / FAIL_UNSAFE). No new governance logic; no recomputation of FIL/DIL/SSIAL; cannot return 5xx. Degraded mode is reported per-scenario rather than swallowed.

production certification & stress validation — the adversarial harness ("does the system survive stress correctly?"). runs 8 deterministic stress scenarios against the existing goc orchestrator and reports a single certification (pass / pass_with_degradation / fail_safe / fail_unsafe). no new governance logic; no recomputation of fil/dil/ssial; cannot return 5xx. degraded mode is reported per-scenario rather than swallowed.

What is PCSV?

what is pcsv?

Feature flags are declared in the DOCOS execution model and read by the same safe-mode kill switch every adapter consults. A flag never changes governance decisions on its own — it only enables or disables an execution adapter. When a flag is OFF the adapter behaves as if the feature is absent, not as if it failed.

feature flags are declared in the docos execution model and read by the same safe-mode kill switch every adapter consults. a flag never changes governance decisions on its own — it only enables or disables an execution adapter. when a flag is off the adapter behaves as if the feature is absent, not as if it failed.

How do feature flags work in Govula?

how do feature flags work in govula?

A deterministic, named sequence of human approvers required before any governance state mutates. Approval chains are declared in the DOCOS execution model; they cannot be bypassed by AI, and the chain itself is part of the immutable audit record. Skipping or reordering an approver requires a new chain version.

a deterministic, named sequence of human approvers required before any governance state mutates. approval chains are declared in the docos execution model; they cannot be bypassed by ai, and the chain itself is part of the immutable audit record. skipping or reordering an approver requires a new chain version.

Execution Model

Feature flags

Execution adapters

Approval chains

SAFE_MODE — global kill switch

Reversible controls

What should I do next?