Escalations are signals for attention. They are not verdicts, ratings or approvals.
Institutional assurance map.
A reviewer-facing control map for the Field Evidence & Attribution route: posture, event integrity, governance spine integration, operator provisioning, rule transparency, form governance and audit replay expectations.
Institutional posture & boundary discipline
The app is narrow by design. Its strength is not decision-making; its strength is attributable field evidence that can be routed, reviewed, replayed and exported without substituting institutional authority.
Visits, evidence, tasks and reviews are tied to a named operator or reviewer, time and place.
Events produce a replayable audit trail for reconstruction, dispute resolution and export.
Field action is treated as committed only after backend acknowledgement.
Evidence files remain in private storage while manifests carry metadata and hashes.
Institutions retain statutory, fiduciary, financial, policy and MRV-methodology authority.
Governance spine event map
This is the missing reviewer table: which app events populate which governance fields, which Hub modules consume them, what reviewers see, and what becomes exportable.
| App / Hub event | Governance spine field | Minimum envelope | Hub consumer | Reviewer view | Export / audit object | Authority boundary |
|---|---|---|---|---|---|---|
| operator.provisioned | Identity | auth user, operator profile, role, org scope, status | Operator context, admin control room | Named actor and role scope | Provisioning record / operator code | Provisioning does not confer institutional authority. |
| task.assigned | Routing | task code, site, assignee, instructions, due date | Operator console, admin workload | Scope of expected field evidence | Task row and workload snapshot | Task assignment is operational, not approval. |
| visit.opened | Identity + Evidence | visit ID, operator, site, time, location, device/app metadata | Field visits, event log | Visit envelope and operator attribution | Visit record, event chronology | Opening a visit is not a verification outcome. |
| evidence.captured | Evidence | file path, type, size, hash where available, caption, capture time, location | Evidence items, protected storage | Evidence metadata and signed access route | Evidence metadata, storage ref, hash | Evidence is inspectable; interpretation remains human. |
| form.submitted | MRV | form key, version, payload, operator, visit, site | Form submissions, MRV attachment | Structured observation payload | Form payload with version marker | Structured data supports MRV; it does not create certification. |
| task.completed | Routing + Assurance | task ID, visit ID, completion time, evidence count | Operator workload, review queue | Completion envelope and evidence sufficiency signal | Task status + event log | Completion is operational closure, not approval. |
| review.queued | Assurance | queue ID, severity, route, reason, visit, operator, site | Reviewer queue | Pending review item and reason | Queue row, audit timeline | Queueing is routing, not a decision. |
| review.decision | Assurance | reviewer, decision status, notes, target visit/evidence | Reviewer console, event log | Reviewer action trail | Review row + event chronology | Reviewer action remains accountable human judgement. |
| escalation.signal | Routing + Assurance | rule key, threshold, signal, entity, context, timestamp | Rules engine, reviewer queue | Signal and rule explanation | Signal event with rule reference | Signal is attention routing only. |
| export.prepared | Export | manifest snapshot, package hash, version, generator, visit | Export register | Prepared manifest and hash | Export register row, SHA-256 manifest hash | Export is evidence packaging, not endorsement. |
| export.issued | Export + Authority | recipient, issue time, issuer, export code, notes | Export register, audit reconstruction | Issued package record | Issued register row and event log | Recipient institution decides reliance. |
Evidence architecture & event integrity
The current production route uses backend acknowledgement, private storage, metadata rows, event log entries and manifest hashing. This page avoids claiming capabilities that have not been switched on.
Current production posture
- The direct app / console route requires backend acknowledgement before a record is treated as committed.
- Evidence files are stored in a private field-evidence bucket.
- Evidence metadata is attached to a visit, operator and site.
- Review queue entries are created from submitted visits.
- Exports create a manifest snapshot and SHA-256 manifest hash.
- Reviewer actions and exports are represented as replayable event records.
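The manifest snapshot and SHA-256 manifest hash can be checked during audit replay as sketched below. This is an added example, not the route's own code: the field names follow the evidence.captured and export.prepared envelopes, while the canonical JSON encoding, the `STORE` stand-in for the private bucket and all sample values are assumptions constructed for illustration.

```python
import hashlib
import json

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def evidence_entry(path: str, kind: str, content: bytes, captured_at: str) -> dict:
    # Metadata row only; the file itself stays in private storage.
    return {"file_path": path, "type": kind, "size": len(content),
            "sha256": sha256_hex(content), "captured_at": captured_at}

def canonical(manifest: dict) -> bytes:
    # Assumption: sorted keys, compact separators, UTF-8. Any fixed encoding
    # works as long as preparer and verifier agree on it.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")

def prepare_export(visit_id: str, generator: str, version: str, entries: list):
    manifest = {"visit": visit_id, "generator": generator, "version": version,
                "evidence": sorted(entries, key=lambda e: e["file_path"])}
    return manifest, sha256_hex(canonical(manifest))

def verify_export(manifest: dict, package_hash: str, fetch) -> list:
    """Audit replay: return a list of problems, empty when everything matches."""
    problems = []
    if sha256_hex(canonical(manifest)) != package_hash:
        problems.append("manifest_hash_mismatch")
    for e in manifest["evidence"]:
        blob = fetch(e["file_path"])
        if blob is None:
            problems.append("missing:" + e["file_path"])
        elif len(blob) != e["size"] or sha256_hex(blob) != e["sha256"]:
            problems.append("altered:" + e["file_path"])
    return problems

# Constructed stand-in for the private bucket (path -> bytes).
STORE = {"V-001/photo1.jpg": b"\xff\xd8constructed-photo",
         "V-001/note.pdf": b"%PDF-constructed"}

def demo() -> dict:
    entries = [evidence_entry(p, "photo" if p.endswith(".jpg") else "document",
                              b, "2024-01-01T10:20:00+00:00")
               for p, b in STORE.items()]
    manifest, digest = prepare_export("V-001", "example-generator", "1", entries)
    swapped = {**STORE, "V-001/photo1.jpg": b"replaced-after-export"}
    edited = dict(manifest, version="2")  # metadata changed after hashing
    return {"digest": digest,
            "clean": verify_export(manifest, digest, STORE.get),
            "swapped": verify_export(manifest, digest, swapped.get),
            "edited": verify_export(edited, digest, STORE.get)}
```

The manifest hash detects edits to the manifest itself, and the per-file hashes detect a swapped or missing file; neither says anything about whether the evidence is sufficient.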
Reviewer questions kept open
- What exact cryptographic sealing method is required per institution?
- How should device compromise be detected and handled?
- Current posture is not offline-first; delayed sealing is not advertised.
- Which form version deprecation windows apply per programme?
- What retention period applies to the event stream and evidence storage?
- Should stream partitions be institution-, programme- or deployment-specific?
Rules transparency sheet
Rules remain signal-only. Institutions should be able to inspect rule definitions, thresholds and routing consequences without allowing the rules engine to become an approval authority.
| Rule key | Trigger pattern | Signal | Reviewer display | Institution-specific? | Boundary note |
|---|---|---|---|---|---|
| R-GEO-SCOPE | Location outside expected site boundary or scope metadata. | scope_mismatch | Show site, capture point, expected scope and operator. | Yes | Flag for review; not evidence rejection. |
| R-EVD-REQUIRED | Required evidence type missing for a task or form. | evidence_gap | Show missing evidence class and task instruction. | Yes | Requests follow-up; does not decide sufficiency. |
| R-TIME-ANOMALY | Capture time inconsistent with visit start/completion envelope. | timestamp_query | Show chronology and affected item. | Configurable | Routes a query to reviewer. |
| R-DUP-CAPTURE | Similar file hash, metadata or repeated artefact pattern. | duplicate_candidate | Show candidate duplicates and source visits. | Configurable | Supports deduplication; no fraud finding. |
| R-REV-DIVERGE | Reviewer decisions diverge across the same visit or evidence item. | reviewer_alignment_needed | Show decision sequence and reviewer identities. | Yes | Triggers alignment, not automatic override. |
| R-EXPORT-GAP | Submitted visit lacks evidence or review trail expected for export. | export_readiness_gap | Show missing manifest fields. | Yes | Blocks packaging until a human prepares or explains limitation. |
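What "signal-only" means in practice for two of these rules is sketched below. This is an added example, not the project's rules engine: the visit record layout, the 300-second tolerance and the sample values are assumptions constructed for illustration, while the rule keys, signal names and escalation.signal envelope fields come from the tables on this page.

```python
from datetime import datetime, timedelta

def signal(rule_key, name, threshold, entity, context, now):
    # Minimum envelope from the event map: rule key, threshold, signal,
    # entity, context, timestamp. There is no status or decision field.
    return {"event": "escalation.signal", "rule_key": rule_key,
            "threshold": threshold, "signal": name, "entity": entity,
            "context": context, "timestamp": now}

def r_time_anomaly(visit, now, tolerance_s):
    # Capture time must fall inside the visit envelope, widened by a tolerance.
    tol = timedelta(seconds=tolerance_s)
    lo = datetime.fromisoformat(visit["opened_at"]) - tol
    hi = datetime.fromisoformat(visit["completed_at"]) + tol
    for item in visit["evidence"]:
        if not lo <= datetime.fromisoformat(item["captured_at"]) <= hi:
            yield signal("R-TIME-ANOMALY", "timestamp_query", tolerance_s,
                         item["id"],
                         {"visit": visit["id"], "captured_at": item["captured_at"],
                          "opened_at": visit["opened_at"],
                          "completed_at": visit["completed_at"]}, now)

def r_evd_required(visit, now):
    required = sorted(visit["required_evidence_types"])
    present = {e["type"] for e in visit["evidence"]}
    for missing in [t for t in required if t not in present]:
        yield signal("R-EVD-REQUIRED", "evidence_gap", required, visit["id"],
                     {"missing_type": missing}, now)

def evaluate(visit, now, tolerance_s=300):
    """Return signals for the reviewer queue; the visit is read, never changed."""
    return [*r_time_anomaly(visit, now, tolerance_s), *r_evd_required(visit, now)]

# Constructed sample visit: one photo captured well after completion,
# and no document although the form requires one.
VISIT = {
    "id": "V-001", "status": "submitted",
    "opened_at": "2024-01-01T10:00:00+00:00",
    "completed_at": "2024-01-01T11:00:00+00:00",
    "required_evidence_types": ["photo", "document"],
    "evidence": [
        {"id": "E-1", "type": "photo", "captured_at": "2024-01-01T10:20:00+00:00"},
        {"id": "E-2", "type": "photo", "captured_at": "2024-01-01T13:45:00+00:00"},
    ],
}
```

Each signal carries the rule key and the threshold that fired, so a reviewer can see why the item was routed, and widening `tolerance_s` per institution changes what is flagged without changing what any flag means.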
Operator identity governance
Provisioning by request is correct. The institutional question is how identity, scope, device posture and revocation are controlled over time.
Access request is recorded through the public route with organisation, email, scope and note.
Institutional counterpart, role and project context are checked before operator creation.
Supabase Auth user is linked to field_operator_profiles with organisation, role and operator code.
Tasks and sites are constrained to the operator’s organisation and assignment context.
Set profile inactive, revoke auth session, remove task assignment and retain event history.
Credential and device rotation are recorded as administrative events, not silent changes.
Form version governance
Structured forms are institutionally useful only if their versions are governed. Payloads must remain interpretable after a form changes.
| Control | Required field | Reason | Reviewer expectation |
|---|---|---|---|
| Form identity | form_key | Separates observation types and MRV payloads. | Reviewer can filter by form family. |
| Version marker | form_version | Preserves meaning of old payloads after schema changes. | Reviewer can see which questions were active. |
| Deprecation window | valid_from / valid_until | Prevents silent drift between field teams. | Expired forms are flagged, not deleted. |
| Required evidence map | required_evidence_types | Links forms to photo/document requirements. | Evidence gaps become transparent. |
| Export transform | export_schema_version | Keeps institutional packages stable. | Manifest declares the transform used. |
Risk and mitigation register
These are not blockers; they are the questions a serious institution will ask before relying on the route.
| Reviewer flag | Risk | Mitigation | Priority |
|---|---|---|---|
| Operator verification | Unverified field actors can weaken attribution. | Operator governance protocol, active/inactive flag, identity-bound profile. | High |
| Scope drift | Operators may capture outside assigned sites/tasks. | Task/site scoping, geofence flags, admin workload review. | High |
| Revocation model | Former operators may retain access. | Deactivate profile, revoke auth, record admin event, keep evidence history. | High |
| Rule opacity | Escalations may be perceived as black-box decisions. | Rules transparency sheet and institution-specific routing maps. | High |
| Form drift | Payloads become incomparable across sites or time. | Form version governance and deprecation windows. | Medium |
| Escalation fatigue | Too many signals weaken reviewer attention. | Escalation analytics and calibrated thresholds by institution. | Medium |
| Device compromise | Device can misrepresent capture context. | Device binding, session rotation, anomaly flags and human reviewer queries. | Medium |
Hardening roadmap
The highest-value next work is not visual polish; it is institutional inspectability.
Governance spine mapping table, read-only rule sets, operator identity governance, onboarding protocol and audit replay interface.
Form version governance, institution-specific routing configuration and sealed evidence verification tooling.
Multi-language structured forms and offline/delayed sealing only if an institution explicitly requires it.
Institutional verdict
The Field Evidence & Attribution route is institutionally credible, architecturally disciplined and aligned with governance-first environments. Its narrowness is its strength. Its integration with the Hub governance spine is its differentiator. Its authority boundary is correctly maintained.
This is a field system that can withstand institutional review once operator provisioning, rule transparency, form versioning and evidence sealing are kept inspectable.