Govula Protocol Standard (GPS) — Adoption Plan
How to onboard a peer onto the Governance Protocol Standard mesh — wire format, signing, verification, and the 30-day reference integration journey.
12.1 Why a protocol, not a product
Govula's federation layer (Migration 032 / COGN) proves that two Govula deployments can exchange signed governance signals with forensic audit fidelity. GPS v1.0 generalizes that same wire format into a public, implementable standard so the network is not locked to Govula's own deployments — any system that speaks Ed25519 + JSON can join.
The strategic goal is to make GPS the default way regulated organizations exchange governance state, the way SAML became the default for identity federation. A protocol that runs on someone else's stack is more durable than a feature that runs only on ours.
12.2 Ideal customer profile (ICP) for adoption
GPS adoption is highest-value for organizations that already have:
- Distributed governance accountability. Holding companies, JV vehicles, shared-service GRC teams that own controls executed by third parties.
- Vendor risk programs with continuous evidence requirements. Banks, insurers, and hyperscalers that already pull SOC 2 / ISO evidence from suppliers and would rather receive signed real-time signals than PDFs.
- Industry consortia or regulatory networks. ISACs, SROs, central banks running supervisory data collection from member institutions.
- Multi-region / multi-entity enterprises under a single regulator (e.g. EU + UK + APAC subsidiaries) that need to prove a control failure surfaced cross-border within minutes.
A common feature: the org already pays a high coordination cost just to exchange “did this control fire / did you remediate” — usually via Slack, email threads, and quarterly attestation cycles. GPS replaces that with a typed, signed, auditable wire format.
12.3 Reference integration journey
The first 30 days from “we'd like to try this” to “we are exchanging real signals with a peer”:
| Day | Step | Owner |
|---|---|---|
| 0–3 | Generate Ed25519 keypair; set FEDERATION_* env vars; restart. | SRE |
| 3–5 | Verify /.well-known/governance-identity returns the expected node_id and public key. | SRE |
| 5–7 | Run npm run gps:test against your own node — must pass 5/5. | SRE |
| 7–10 | Pair-onboard with one trusted peer (mutual POST /onboard). | Ops + Peer |
| 10–14 | Operator on each side creates a federation_link with read_signals=true, share_policies=false, enforce=false. | GRC |
| 14–21 | Pilot: emit signal messages for a single control family (e.g., access-review failures). Watch Section J trust score. | GRC |
| 21–30 | Expand to policy traffic with share_policies=true. Continue to keep enforce=false until governance committees approve. | GRC + Risk |
12.4 Certification levels
Compliance is measured automatically by POST /api/v1/gps/verify and mirrored in the dashboard:
| Level | Name | Requirement |
|---|---|---|
| 1 | Structural | Envelope passes validateEnvelope |
| 2 | Registered | Sender resolves to an active federated_nodes row |
| 3 | Linked | At least one federation_link exists for sender |
| 4 | Sustained Trust | Sender's trust_score ≥ 0.9 over real traffic |
Level 4 is the public-facing “GPS-Certified” status. We will publish a machine-readable certification badge endpoint (/api/v1/gps/certification) in v1.1 — for v1.0, level is reported in the verify response payload.
12.5 Go-to-market
Channel mix. GPS is open spec + open SDKs (Apache-2.0). Distribution is not gated on selling Govula — anyone can implement the spec. Govula's commercial advantage is being the reference implementation with the mature audit/RBAC/enforcement workflow surrounding the protocol.
Standards posture. Submit GPS v1.0 to OpenSSF for IETF-style RFC review during 2026Q3 once we have ≥3 independent reference implementations.
Network effects. Each new peer that onboards increases the value of every existing peer's deployment. Track adoption via two public metrics:
- Total nodes published (/.well-known/governance-identity endpoints detected by a periodic crawler).
- Total federation_links created across the network (self-reported by participating Govula installs).
Anti-lock-in promise. Govula will never add a feature to GPS that requires Govula-specific extensions. If we need a private feature, it goes into Govula's /control-plane/* layer, not into /api/v1/gps/*.
12.6 Roadmap
| Version | Theme | Target |
|---|---|---|
| 1.0 | Signals, policies, enforcement | Ship now (this branch) |
| 1.1 | Certification badge endpoint | 2026Q3 |
| 1.2 | Streaming variant (NDJSON over persistent connection) | 2026Q4 — for high-volume ISACs |
| 2.0 | Pluggable signature suites (Ed25519 + Dilithium hybrid) | 2027 — post-quantum readiness |
12.7 Risk register
| Risk | Mitigation |
|---|---|
| Forked spec by a vendor with their own dialect | Register protocol_version strictly; a non-1.0 dialect becomes UNSUPPORTED rather than silently mis-routed. |
| Key leakage at a participating org | Per-peer revoke; per-peer trust score for early warning of anomalous traffic. |
| Peer masquerades as a regulator | Onboarding is operator-initiated; we do not auto-discover or auto-trust. |
| Audit storage cost grows unbounded | federation_audit follows the same retention policy as institutional memory; configurable per-deployment. |
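
An added example (not Govula's or the GPS SDK's code) of a receiver-side gate that applies three of the mitigations above in order: strict protocol_version matching, an operator-populated peer registry, and per-peer revoke, before checking the Ed25519 signature. The envelope fields sender, type, payload and signature, the sorted-key canonical JSON, and every status string except UNSUPPORTED are assumptions, since the page does not give the wire format.

```javascript
const crypto = require('node:crypto');

// Deterministic JSON with sorted keys, so both sides sign and verify the same bytes.
// Assumption: the page does not give GPS's canonicalization rule.
function canonical(value) {
  if (Array.isArray(value)) return `[${value.map(canonical).join(',')}]`;
  if (value && typeof value === 'object') {
    const fields = Object.keys(value).sort()
      .map((k) => `${JSON.stringify(k)}:${canonical(value[k])}`);
    return `{${fields.join(',')}}`;
  }
  return JSON.stringify(value);
}

function signEnvelope(body, privateKey) {
  // Ed25519 takes no digest name, hence the null algorithm argument.
  const sig = crypto.sign(null, Buffer.from(canonical(body)), privateKey);
  return { ...body, signature: sig.toString('base64') };
}

// peers: Map of node_id -> { publicKey, revoked }, filled only by an operator.
function verifyEnvelope(envelope, peers) {
  if (envelope.protocol_version !== '1.0') return 'UNSUPPORTED'; // strict match
  const peer = peers.get(envelope.sender);
  if (!peer) return 'UNKNOWN_PEER'; // no auto-discovery, no auto-trust
  if (peer.revoked) return 'REVOKED'; // revoke wins over a valid signature
  const { signature, ...body } = envelope;
  if (typeof signature !== 'string') return 'BAD_SIGNATURE';
  const ok = crypto.verify(null, Buffer.from(canonical(body)), peer.publicKey,
    Buffer.from(signature, 'base64'));
  return ok ? 'ACCEPTED' : 'BAD_SIGNATURE';
}

// Constructed sample traffic; field names other than protocol_version are hypothetical.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const peers = new Map([['node-a', { publicKey, revoked: false }]]);
  const base = { protocol_version: '1.0', sender: 'node-a', type: 'signal',
    payload: { control: 'access-review', status: 'failed' } };
  const good = signEnvelope(base, privateKey);
  const out = {
    accepted: verifyEnvelope(good, peers),
    tampered: verifyEnvelope({ ...good, payload: { ...base.payload, status: 'passed' } }, peers),
    dialect: verifyEnvelope(signEnvelope({ ...base, protocol_version: '1.0-vendor' }, privateKey), peers),
    unknown: verifyEnvelope(signEnvelope({ ...base, sender: 'node-x' }, privateKey), peers),
  };
  peers.get('node-a').revoked = true; // operator revokes the peer
  out.revoked = verifyEnvelope(good, peers);
  return out;
}

console.log(demo());
```

Run under Node.js, this prints the five outcomes; the dialect and unknown-sender envelopes carry valid signatures and are still refused before any signature check runs.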