What does Govula do, in one sentence?
Govula runs the loop that produces compliance — detect, decide, act, prove — inside a deterministic, reversible-where-it-matters, hash-chained audit ledger.
Ask a question — the assistant returns a direct answer, resolution steps, related references, and a next action. For a single term, see the Glossary. For learning paths, see the Documentation.
Activation, first concepts, and what Govula actually does for your organisation.
Govula is, today, a Governance Intelligence Platform (GIP) — a deterministic governance runtime for detect → decide → act → prove with hash-chained audit and recommendation-only AI. "Governance Operating System" is the architectural trajectory the platform is evolving toward as cohort-aware enforcement, the sovereign-tenant [redacted] boundary, and the full Phase C [redacted] [redacted] set ship. The distinction is held explicitly to avoid over-claiming what ships today.
Governance, AI boundaries, audit chains, and how the platform makes decisions.
[redacted] — the single read of "what currently exists" in the governance stack. Consumes upstream registries, outputs a stateCard with systemMode + health. Operators see this as a stable orientation surface; in degraded mode the layer surfaces a clearly-flagged stale state and does not fall back to silent defaults. Cannot decide, cannot enforce, cannot mutate.
[redacted] — produces the recommended-action queue ("what the system suggests"). Consumes audit + telemetry signals, outputs an ordered operatorPriorityQueue and a recommendedMode. Operators read [redacted] as guidance only; [redacted] never approves and never executes. Degraded mode returns an empty queue plus a HOLD recommendedMode rather than guessing.
[redacted] — the deterministic constraint gate ("what the system allows"). Consumes invariant declarations, outputs decision + allowedActions + blockedActions + systemInvariantState. Operators see this as the final yes/no surface. In degraded mode [redacted] collapses to BLOCK on any unknown — a safe-by-default closure rather than a fail-open permit.
System Stress & Integrity Audit Layer — the read-only stress mirror ("what is unstable"). Consumes cross-layer signals, outputs cascadeRiskLevel + failureDomains + rule-conflict matrix. Operators read [redacted] as a diagnostic, not a directive; it never influences [redacted] or [redacted]. Degraded mode returns the existing report with degradedSubsystems populated.
DOCOS Truth Enforcement Layer — observability over documentation truth ("what may be inconsistent"). Consumes feature registry + KB + endpoint inventory, outputs a driftReport. Operators read this as a freshness lens; DTEL never edits docs and never enforces. Degraded mode reports DRIFT_DETECTED with an explicit summary.
Enterprise Trust + Resilience Hardening Layer — a categorical summary of trust posture ("how trustworthy the system currently is"). Pure projection over trust-failure arrays; produces HIGH / MEDIUM / LOW. Cannot mutate trust state; cannot grant or revoke authority. Degraded mode collapses to LOW.
Governance Operations Consolidation — the primary [redacted]-readable lens ("single operational view"). Pure compositional projection of [redacted] + [redacted] + [redacted] + [redacted] + DOCOS + DTEL + ETRHL into one SystemOperationalView. No scoring, no decision authority, never mutates upstream. Degraded mode returns the spec-defined safety fallback so the [redacted] surface stays readable under every upstream failure.
Production Certification & Stress Validation — the adversarial harness ("does the system survive stress correctly?"). Runs 8 deterministic stress scenarios against the existing GOC orchestrator and reports a single certification (PASS / PASS_WITH_DEGRADATION / FAIL_SAFE / FAIL_UNSAFE). No new governance logic; no recomputation of [redacted]/[redacted]/[redacted]; cannot return 5xx. Degraded mode is reported per-scenario rather than swallowed.
Feature flags are declared in the DOCOS execution model and read by the same safe-mode kill switch every adapter consults. A flag never changes governance decisions on its own — it only enables or disables an execution adapter. When a flag is OFF the adapter behaves as if the feature is absent, not as if it failed.
A deterministic, named sequence of human approvers required before any governance state mutates. Approval chains are declared in the DOCOS execution model; they cannot be bypassed by AI, and the chain itself is part of the immutable audit record. Skipping or reordering an approver requires a new chain version.
A bounded reversible enforcer — the only path through which the platform mutates external state. Adapters are explicit, named, and individually controllable via feature flags and the [redacted] kill switch. Every adapter call is recorded in the audit ledger before, during, and after execution.
Every adapter ships a paired rollback path. A state mutation is only considered "executed" once the reversal path has been registered. Reversible controls are declared in the execution model alongside the adapter itself; an adapter without a rollback fails the [redacted] invariant gate.
A single canonical phrase for every layer: the layer is still serving requests, but with reduced upstream visibility or partial inputs. The [redacted]-facing wording is fixed by GESYNC ("Minor operational degradation detected." → "System operating in protected fail-open mode." across LOW → CRITICAL). Degraded mode never silently falls back to a fabricated value.
A handler that, on internal failure, returns a structurally-valid degraded response rather than a 5xx. Fail-open never means "permit the action" — [redacted] collapses to BLOCK on unknown. Fail-open means "keep the [redacted] surface readable while the system continues to refuse anything it cannot prove safe."
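The distinction between a fail-open response surface and a fail-closed decision, as an added sketch that is not Govula's own code. The invariant checks, action names, the `ALLOW`/`OK`/`DEGRADED` values and the 200 status are assumptions; only the output field names and the BLOCK-on-unknown behaviour come from the text above.

```python
# Hypothetical invariant checks; each takes the request context and returns a bool.
def has_rollback(ctx):
    return ctx["rollback_registered"] is True

def within_budget(ctx):
    return ctx["cost"] <= ctx["budget"]

# Hypothetical invariant declarations: action name -> checks that must all pass.
INVARIANTS = {
    "rotate_key": [has_rollback],
    "disable_account": [has_rollback, within_budget],
}

def gate(actions, ctx):
    """Deterministic gate: anything undeclared or unprovable ends up blocked."""
    allowed, blocked, degraded = [], [], False
    for action in actions:
        checks = INVARIANTS.get(action)
        if checks is None:
            blocked.append(action)          # unknown action: BLOCK, never permit
            continue
        try:
            ok = all(check(ctx) for check in checks)
        except Exception:
            ok, degraded = False, True      # input missing: cannot prove safe
        (allowed if ok else blocked).append(action)
    return {
        # Assumed rule: ALLOW only when every requested action passed.
        "decision": "ALLOW" if allowed and not blocked else "BLOCK",
        "allowedActions": allowed,
        "blockedActions": blocked,
        "systemInvariantState": "DEGRADED" if degraded else "OK",
    }

def handle(request):
    """Fail-open surface: always a structurally valid body, never a 5xx."""
    try:
        return 200, gate(request["actions"], request["ctx"])
    except Exception:
        # Internal failure: the response stays readable, the decision stays BLOCK.
        return 200, {"decision": "BLOCK", "allowedActions": [],
                     "blockedActions": [], "systemInvariantState": "DEGRADED"}
```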
[redacted] observes upstream signals ([redacted], [redacted], [redacted], ETRHL, RRSL, GDOM) and surfaces cross-layer conflicts and fail-open propagation as a read-only mirror. PCSV exercises this propagation deterministically. Neither layer modifies decisions; both are observability surfaces operators consult, not control surfaces they configure.
No. The platform does not mutate governance state without an explicit human approval at the approval-chain gate. Within declared policy budgets, the operational enforcement layer (CEAL-2) carries out reversible actions that have been human-approved; each action carries a rollback handle and the reversal itself is audited. Anything outside the budget escalates to a human. AI is recommendation-only.
Every state-changing route rejects new traffic with a 503. Read paths, health checks, and the audit ledger remain reachable. In-flight actions finish on their existing path. Disengaging [redacted] returns the system to normal operation; no state was mutated while engaged.
Tenant isolation is enforced via PostgreSQL Row-Level Security in STRICT mode plus a single hardened repository module whose raw client accessor is hard-thrown. Every tenant-scoped query carries the current tenant_id; cross-tenant rows are invisible at the database boundary. A missing tenant context returns zero rows and is logged for forensic review rather than silently broadening the query.
Each ledger row carries a SHA-256 hash that chains to the previous row. Tampering with any historical row invalidates every subsequent hash. Postgres DO INSTEAD NOTHING rules block UPDATE and DELETE at the database boundary, so corrections must be new rows that link to the prior row. The replay verifier recomputes the chain end-to-end and writes its outcome back into the ledger.
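A minimal model of the hash-chained ledger and replay verifier described above, added here as an illustration and not taken from Govula. The row layout, the all-zero genesis value, the canonical-JSON encoding and the event names are assumptions; the sample rows are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed anchor for the first row's prev_hash

def row_hash(prev_hash, payload):
    # Canonical JSON so identical payloads always hash to identical bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append(ledger, payload):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    row = {"seq": len(ledger), "prev_hash": prev, "payload": payload,
           "hash": row_hash(prev, payload)}
    ledger.append(row)
    return row

def correct(ledger, seq, new_payload):
    # No UPDATE or DELETE: a correction is a new row linking to the prior one.
    return append(ledger, dict(new_payload, corrects_seq=seq))

def verify(ledger):
    """Recompute the chain end-to-end; return (ok, seq of first bad row)."""
    prev = GENESIS
    for row in ledger:
        expected = row_hash(prev, row["payload"])
        if row["prev_hash"] != prev or row["hash"] != expected:
            return False, row["seq"]
        prev = row["hash"]
    return True, None

def replay_and_record(ledger):
    # The verifier writes its own outcome back into the ledger as a new row.
    ok, bad = verify(ledger)
    event = "REPLAY_VERIFIED" if ok else "REPLAY_FAILED"
    append(ledger, {"event": event, "first_bad_seq": bad})
    return ok, bad

def demo():
    ledger = []
    append(ledger, {"event": "ADAPTER_CALL", "outcome": "FAILED"})  # constructed
    append(ledger, {"event": "ROLLBACK", "outcome": "OK"})          # constructed
    correct(ledger, 0, {"event": "ADAPTER_CALL", "outcome": "FAILED"})
    before = verify(ledger)
    ledger[1]["payload"]["outcome"] = "EDITED"  # in-place edit of a historical row
    return before, verify(ledger)
```

Recomputing the edited row's own hash does not hide the change: the following row still carries the old `prev_hash`, so verification fails one row later instead.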
[redacted]-mode is a hybrid step-up [redacted] model. The [redacted] must hold an operators row, have explicitly elevated, and hold the per-route [redacted]. [redacted] grants a time-boxed session; the ElevationBanner renders the time-remaining countdown on every /super-admin/* page. Sessions supersede each other (one-active-per-[redacted]) and can be revoked from the active-sessions surface.
Execution aborts at the adapter boundary. The partial result is written to the audit ledger with a FAILED outcome, and any prior side-effect is reverted via the rollback handle returned by the adapter. The reversal itself is audited so the ledger shows both the failed attempt and the rollback as linked rows.
Ranked using IA v1 graph + intent map + glossary density (deterministic; no AI inference).