Glossary

The canonical vocabulary behind every Govula surface. Each term has one canonical home; pages elsewhere link in via inline first-mention references rather than redefining.

Visibility labels (Public · Operator · Internal) indicate target audience only — they are not access controls.

Core Concepts

Platform vocabulary and the AI authority boundary — terms every reader meets first.

AI-Assisted Recommendation

AI · Active

1× used · Public
Plain meaning
The only sanctioned shape for AI in Govula. AI may analyse, suggest, and draft — but never approves, signs, publishes, or mutates governance state.
Technical meaning
Every binding state change is taken by a named human and recorded as such. The aiService.ts helper does not yet route prompt completions through the audit log — tracked as Beta.
First introduced in
AI Recommendation Layer (feature)
Related concepts
SoA · Decision · Audit Chain

OPERATIONAL SHAPE

SYSTEM

Drafts, analyses, and surfaces options — never authoritative.

YOU

Promote a recommendation to a decision by signing it.

Bounded Autonomy

AI · Active

Public
Plain meaning
Actions Govula may take on its own — strictly limited to safe, reversible, fully-logged operations inside a declared envelope.
Technical meaning
Implemented as approval-chained enforcement adapters that refuse outside their declared envelope and log every attempt (including the refusal).
First introduced
/docs/ai-safeguards

Documentation Operating System (DOCOS)

Platform · Active

4× used · Public
Plain meaning
The single canonical truth model behind every Govula documentation surface. One concept lives in one place; pages derive their content from the same registry.
Technical meaning
Five-layer composition: feature-registry · execution-model · knowledge-engine · documentation-compiler · docos-orchestrator. Read-only API at /api/v1/docos/*.
First introduced in
What is DTEL? (knowledge)

Knowledge System Core (KSC)

Platform · Active

Public
Plain meaning
The semantic substrate beneath DOCOS: the glossary, the terminology middleware that injects definitions consistently, and the search intelligence that understands acronyms and synonyms.
Technical meaning
Three pure modules in src/governance/docs-os/: glossary-registry · terminology-middleware · search-intelligence. All other documentation work layers on top of KSC.
Related concepts
DOCOS

Operator

Platform · Active

14× used · Operator
Plain meaning
A platform-side user (Govula employee) who can elevate into a time-boxed session to act across tenants.
Technical meaning
A row in the operators table. Operator authority is separate from authentication: every internal-ops action requires a logged-in operator AND an active elevated session AND a per-capability grant.
First introduced in
Operator Elevation (Phase A + B) (feature)

Recording Mode

Platform · Active

Public
Plain meaning
A frontend mode that freezes relative timestamps so demo recordings do not drift.
Technical meaning
Activated via the ?recording=true query parameter on any public surface. Pure presentation; no governance behaviour changes.

Tenant

Platform · Active

16× used · Public
Plain meaning
One organisation using Govula. Data, users, and decisions belong to a tenant; tenants never see each other.
Technical meaning
A row-level-security boundary in PostgreSQL. Application access flows through a single repository (src/repositories/database.ts) that sets app.tenant_id on every query; cross-tenant reads return zero rows by design.
First introduced in
Tenant Row-Level Security (STRICT mode) (feature)

Workspace

Platform · Active

Public
Plain meaning
A compliance scope inside a tenant. Typically aligns to one framework (e.g. ISO 27001).
Technical meaning
A logical partition inside a tenant carrying exactly one authoritative framework. Evidence, controls, and SoA decisions are scoped to the workspace.
First introduced
/docs/platform-overview
Related concepts
Tenant · SoA

Deployment Terms

Activation, environments, licensing, and how Govula gets stood up in real organisations.

Activation

Deployment · Active

Public
Plain meaning
The five-step journey from deploying Govula to the first user signing in: Activate Organization · Confirm Deployment · Grant Access · Start Using Platform.
Technical meaning
Deterministic resolveDeploymentSuccessState(hint) with frozen states READY / ACTIVE / RESTRICTED / PENDING_ACTIVATION; rendered at /enterprise/activation.
First introduced
/docs/getting-started
Related concepts
Contract · Tenant

Contract

Licensing · Active

Operator
Plain meaning
A tenant's commercial agreement record. Drives access lifecycle (trial, active, paused, suspended, expired, renewal pending).
Technical meaning
A frozen Contract record in the Enterprise Control Center FSM (TRIAL · ACTIVE · PAUSED · SUSPENDED · EXPIRED · RENEWAL_PENDING) with a deterministic transition table and append-only audit log.
Related concepts
Entitlement · Activation

Entitlement

Licensing · Active

Public
Plain meaning
A tenant-scoped feature grant — what a tenant is allowed to use.
Technical meaning
Evaluated by the Entitlement Engine v2 in this resolution order: global flag → operational lifecycle → org entitlement → contract → tier + override.
First introduced
/docs/platform-overview
Related concepts
Tenant · Contract

Sovereign Tenant

Deployment · Active

Public
Plain meaning
A deployment posture where a tenant runs Govula on dedicated infrastructure with its own operator boundary.
Technical meaning
Planned. Single-tenant deployment is achievable today via the deployment hub, but the dedicated sovereign-tenant operator boundary is not yet wired.
Related concepts
Tenant · Operator

Governance Terms

Decisions, audit chains, and the trust surface that proves them.

Audit Chain

Audit · Active

14× used · Public
Plain meaning
The tamper-evident log of every governed action. New rows can be added; existing rows cannot be edited or deleted.
Technical meaning
The audit_log table, made immutable by a DO INSTEAD NOTHING rule. Each row carries integrity_hash = SHA256(tenant|actor|action|target_type|target_id|created_at|after_state). request_id is recorded but excluded from the hash, so the hash format stays release-stable.
First introduced in
CEAL-2 Operational Enforcement Layer (feature)

OPERATIONAL SHAPE

SYSTEM

Hash-links every governed event into an append-only chain.

YOU

Trust the chain because you can recompute it yourself.

Cross-Organization Governance Network (COGN)

Governance · Active

Public
Plain meaning
A federation layer letting independent Govula deployments exchange signed governance messages.
Technical meaning
Ed25519-signed envelope exchange between deployments. Wire format is the Governance Protocol Standard.
Related concepts
GPS

Decision

Governance · Active

2× used · Public
Plain meaning
Any governed action a tenant user takes. Every decision is recorded with who took it and why.
Technical meaning
A row written to audit_log (and, for governance-class actions, to the decision tables). Carries actor_id, action, target, integrity hash, and approval lineage.
First introduced in
What is DIL? (knowledge)

Decision Class

Governance · Active

Public
Plain meaning
The category of a decision (informational, advisory, recommendatory, constrained, binding). Approval requirements scale with the class.
Technical meaning
One of INFORMATIONAL · ADVISORY · RECOMMENDATORY · CONSTRAINED_DECISION · BINDING_GOVERNANCE_DECISION. Service-layer checks enforce class-specific approval chains and separation of duties.
First introduced
/docs/authority-model
Related concepts
Decision · SoD · Authority

Deployment Invariant Layer (DIL)

Governance · Active

9× used · Operator
Plain meaning
The yes/no gate. Tells operators what the system will allow or block.
Technical meaning
Consumes invariant declarations; outputs decision + allowedActions + blockedActions + systemInvariantState. Degraded mode collapses to BLOCK on any unknown — safe-by-default closure, never fail-open.
First introduced in
What is DIL? (knowledge)

Evidence

Audit · Active

Public
Plain meaning
A document or record that supports a control. Scoped to one tenant, one workspace, one control.
Technical meaning
A row in the evidence tables carrying tenant_id, workspace_id, control_id, freshness, and quality score. Never shared across tenants.
Related concepts
SoA · Truth Level

Governance Protocol Standard (GPS)

Governance · Active

Public
Plain meaning
The wire format Govula deployments use to exchange signed governance messages.
Technical meaning
Six-field Ed25519-signed envelope. Verify endpoint is intentionally public (rate-limited); onboard endpoint is currently unauthenticated because of a bug (tracked).
Related concepts
COGN

Governance System Consolidation Layer (GSCL)

Governance · Active

4× used · Operator
Plain meaning
The single read of what currently exists in the governance stack. Operators see this as a stable orientation surface.
Technical meaning
Consumes upstream registries; outputs a stateCard with systemMode + health. Degraded mode surfaces a clearly-flagged stale state rather than silently defaulting. Cannot decide, cannot enforce, cannot mutate.
First introduced in
What is GSCL? (knowledge)

Hash Lineage

Audit · Active

Public
Plain meaning
The chain of integrity hashes that makes the audit log tamper-evident. Tampering with any row breaks every later hash.
Technical meaning
Govula maintains three distinct hash chains with different payloads: audit_log (general), tenant_operation_log (tenant-side governed ops), operator_audit_events (platform-side operator actions). Do not conflate payloads.
First introduced
/docs/audit-readiness
Related concepts
Audit Chain · Replay

Lock and Immutability

Audit · Active

Public
Plain meaning
Once a decision is approved, the record and the evidence it references can no longer be edited or deleted.
Technical meaning
Enforced by Postgres DO INSTEAD NOTHING rules on the immutable tables. Corrections must be new rows that reference the prior row.
First introduced
/docs/audit-readiness
Related concepts
Audit Chain · Hash Lineage

Replay

Audit · Active

6× used · Public
Plain meaning
On-demand recomputation of the audit chain from scratch to confirm nothing has been tampered with. The replay itself is logged.
Technical meaning
Triggered via force_audit_replay_validation in Tenant Operations. Recomputes every integrity_hash end-to-end, compares against stored values, and writes the verdict back into the audit log.
First introduced in
Audit Replay Verifier (feature)
Related concepts
Audit Chain · Hash Lineage

OPERATIONAL SHAPE

SYSTEM

Walks every audited row in deterministic order and recomputes the chain root.

YOU

Run replay when you need proof that the past has not moved.

SOURCE: Audit Logs

DERIVED FROM: No upstream provenance · system root

Separation of Duties (SoD)

Governance · Active

Public
Plain meaning
The rule that the person who proposes a decision cannot also approve it.
Technical meaning
Enforced in the service layer; recorded structurally on the decision row via initiated_by and approved_by fields. A null-or-equal pairing is rejected.
First introduced
/docs/authority-model
Related concepts
Decision · Authority

OPERATIONAL SHAPE

SYSTEM

Blocks the initiator's identity from the approval slot, in code and at the trigger.

YOU

What you propose, someone else signs.

RULE: Governance Constitution

DERIVED FROM: No upstream provenance · system root

Statement of Applicability (SoA)

Governance · Active

Public
Plain meaning
A formal document listing every control in a framework, whether it applies, and why.
Technical meaning
Per-workspace structured record. AI drafts the narrative; a named human approves before any state mutates.
First introduced
/docs/soa-engine

Truth Level

Audit · Active

Public
Plain meaning
How defensible a piece of data is. Authoritative is audit-grade; supporting is working data; contextual is informational only.
Technical meaning
AUTHORITATIVE (locked, auditor-visible) · SUPPORTING (working data) · CONTEXTUAL (metrics, AI suggestions, never audit-defensible alone). Surfaces filter reads by truth level.
First introduced
/docs/evidence-semantics
Related concepts
Evidence · Audit Chain

System Internals

Operator-facing mechanics: observability, runtime, and the moving parts behind the curtain.

Capability

Operations · Active

4× used · Operator
Plain meaning
A single named permission an operator can exercise during an elevation (e.g. "grant entitlement").
Technical meaning
A catalogued permission key. Resolved per-operator at gate time by getOperatorCapabilities(); Phase C capabilities are flagged phase_c_locked and stripped even when granted.
First introduced in
Operator Elevation (Phase A + B) (feature)
Related concepts
Operator · Elevation · Tenant

Drift

Observability · Active

Operator
Plain meaning
A divergence between what governance should look like and what it actually looks like (stale evidence, missing controls).
Technical meaning
Detected by driftDetectionService; surfaces in the operator queue with a recommended remediation. The detection runs in the read path and never mutates governance state.
First introduced
/docs/operations
Related concepts
SAFE_MODE · Evidence

Elevation

Operations · Active

6× used · Operator
Plain meaning
A short, separately-authenticated session that an operator must obtain before performing any internal action.
Technical meaning
A time-boxed operator_sessions row created via step-up auth. requireOperatorElevation() middleware gates every internal-ops route; a new login supersedes the existing session (one active per operator).
First introduced in
Operator Elevation (Phase A + B) (feature)
Related concepts
Operator · Capability

OPERATIONAL SHAPE

SYSTEM

Issues a time-bounded, capability-scoped session on a named tenant.

YOU

State why before you cross the tenant boundary.

RULE: Authority Model

DERIVED FROM: No upstream provenance · system root

Failure Intelligence Layer (FIL)

Observability · Active

8× used · Operator
Plain meaning
The recommended-action queue. Tells operators what the system suggests doing next.
Technical meaning
Consumes audit + telemetry signals; outputs an ordered operatorPriorityQueue and a recommendedMode. Read-only guidance — never approves, never executes. Degraded mode returns an empty queue plus a HOLD recommendedMode.
First introduced in
What is FIL? (knowledge)

SAFE_MODE

Operations · Active

8× used · Operator
Plain meaning
A platform-wide switch that blocks every state-changing route. Used during incidents and operator freezes.
Technical meaning
Middleware-level guard that returns 503 on any non-read route when on. Operator surfaces remain readable; governance state cannot mutate.
First introduced in
Approval Chain Gate (feature)
Related concepts
Drift · Audit Chain · Operator

OPERATIONAL SHAPE

SYSTEM

Halts all new state-changing routes across the estate with one switch.

YOU

Engage it when you cannot trust the next decision.

SOURCE: System Boundaries

DERIVED FROM: No upstream provenance · system root

System Stress and Integrity Audit Layer (SSIAL)

Observability · Active

5× used · Operator
Plain meaning
The read-only stress mirror. Shows operators which subsystems are unstable, without changing anything.
Technical meaning
Consumes cross-layer signals; outputs cascadeRiskLevel + failureDomains + rule-conflict matrix. Never influences FIL or DIL. Degraded mode returns the existing report with degradedSubsystems populated.
First introduced in
What is SSIAL? (knowledge)

Showing 33 of 33 terms. Source: DOCOS Glossary Registry · single canonical definition per concept · semantic overlay computed deterministically at build time.
