Audit, Evidence, and Status/Ops Service (implemented)

This shared-service family is the platform memory and operator readback layer. It makes privileged actions auditable, turns CI/UAT/security/runtime results into evidence bundles, and projects component health into Status/Ops surfaces.

Why It Exists

Without this layer, every product feature would invent its own answer for:

  • how a privileged mutation is recorded;
  • how release or UAT proof is packaged;
  • how incidents and runtime drift are summarized;
  • how reviewers distinguish historical evidence from current readiness truth.

Shared-Service Boundary

| Capability | Owned here | Not owned here |
| --- | --- | --- |
| Audit trail | privileged action taxonomy, actor/target/result/correlation discipline, append-oriented audit writes | business-specific page wording or product-local admin UI |
| Evidence bundles | release, UAT, security, drill, guard, smoke, and operator evidence packaging | raw CI systems, raw provider consoles, or arbitrary attachment stores |
| Status/Ops | component health rows, readiness snapshots, guard summaries, reconciliation posture | underlying Prometheus, Loki, Tempo, GitLab, or provider dashboards |
| Runtime reconciliation evidence | drift classification, cleanup/retry evidence, release-gate integration | product business decisions about whether to retry or compensate |

Data Model

The first persistent slice is platform-owned and additive:

| Table | Role |
| --- | --- |
| platform_evidence_bundles | top-level evidence package for release, UAT, security, or incident posture |
| platform_evidence_items | individual evidence records within a bundle |
| platform_release_gate_results | pass/block posture for named release or readiness gates |
| platform_product_invariant_results | product-flow proof by stable invariant ID |
| platform_status_component_status | latest component health/readiness summary |
| platform_guard_report_summaries | normalized guard findings for report-only/warn/blocking gates |

Read Model Shape

The platform goal is not “store every raw log.” The goal is to publish bounded, reviewable summaries tied to correlation IDs and artifact links.

Design Rules

  1. Audit is append-oriented.
  2. Evidence is promotable but not silently rewritten.
  3. Product invariants are stable IDs, not page-load anecdotes.
  4. Status/Ops can degrade on reconciliation drift, stale evidence, or blocked gates even when the UI still loads.
  5. Raw secrets, raw provider bodies, tokens, and break-glass material stay out of these read models.
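One way to enforce rules 1, 2, and 5 at the storage layer, shown as an added example that is not the platform's own code. The table name comes from the Data Model section; the column layout, the deny-list of field names, and the helper names (`open_store`, `append_item`, `promote`) are assumptions, and SQLite stands in for whatever database the platform uses.

```python
import json
import sqlite3

# Hypothetical columns: the page names this table but not its schema.
SCHEMA = """
CREATE TABLE platform_evidence_items (
    id INTEGER PRIMARY KEY,
    bundle_id TEXT NOT NULL,
    correlation_id TEXT NOT NULL,
    stage TEXT NOT NULL CHECK (stage IN ('candidate', 'promoted')),
    supersedes_id INTEGER REFERENCES platform_evidence_items(id),
    summary_json TEXT NOT NULL
);
CREATE TRIGGER evidence_no_update BEFORE UPDATE ON platform_evidence_items
BEGIN SELECT RAISE(ABORT, 'evidence rows are append-only'); END;
CREATE TRIGGER evidence_no_delete BEFORE DELETE ON platform_evidence_items
BEGIN SELECT RAISE(ABORT, 'evidence rows are append-only'); END;
"""

# Assumed deny-list of top-level field names that must not reach a read model.
FORBIDDEN_KEYS = {"token", "secret", "password", "authorization", "provider_body"}

def open_store():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def append_item(db, bundle_id, correlation_id, summary,
                stage="candidate", supersedes_id=None):
    """Insert one bounded summary; refuse secret-bearing top-level fields."""
    bad = FORBIDDEN_KEYS & {key.lower() for key in summary}
    if bad:
        raise ValueError(f"forbidden fields in evidence summary: {sorted(bad)}")
    cur = db.execute(
        "INSERT INTO platform_evidence_items "
        "(bundle_id, correlation_id, stage, supersedes_id, summary_json) "
        "VALUES (?, ?, ?, ?, ?)",
        (bundle_id, correlation_id, stage, supersedes_id,
         json.dumps(summary, sort_keys=True)),
    )
    return cur.lastrowid

def promote(db, item_id):
    """Promotion appends a new row that points at the original; nothing is rewritten."""
    row = db.execute(
        "SELECT bundle_id, correlation_id, summary_json "
        "FROM platform_evidence_items WHERE id = ?", (item_id,)).fetchone()
    if row is None:
        raise KeyError(item_id)
    return append_item(db, row[0], row[1], json.loads(row[2]), "promoted", item_id)
```

The triggers reject UPDATE and DELETE even from code paths that bypass `append_item`, so the candidate row stays readable next to its promoted successor.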

Reconciliation Contract

Runtime repair and reconciliation are first-class evidence producers.

Typical flow:

  1. detect drift or failed invariant;
  2. classify severity and owner;
  3. attach correlation ID and bounded evidence;
  4. record repair, cleanup, or blocked-next-action;
  5. project resulting posture into Status/Ops and release gates.

That is what lets the platform say “healthy,” “degraded,” or “blocked” based on real operational evidence instead of prose or tribal knowledge.

What This Proves To Reviewers

| Reviewer | What this page should make obvious |
| --- | --- |
| Security | privileged changes and evidence promotion have stable ownership and retention semantics |
| Architecture | evidence/status is a platform service, not a product-specific reporting hack |
| Operations | there is one place to hang release, runtime, and incident proof |
| Product | readiness is measured by invariant evidence, not only by manual demos |