Evidence Model
Eleven evidence categories
The evidence model defines eleven categories (audit_and_evidence_model.md §5):
| Category | What it captures |
|---|---|
| Control-plane decision evidence (§5.1) | Policy decisions, approval decisions, routing decisions |
| Prompt/input evidence (§5.2) | Context fragments, prompt construction, truncation decisions |
| Authorization evidence (§5.3) | Permit issuance and permit validation |
| Execution evidence (§5.4) | Tool invocation, tool results, file mutations |
| External/unverified evidence (§5.5) | Model output and external API responses |
| Temporal/ordering evidence (§5.6) | Event sequencing and timing relationships |
| Identity/provenance evidence (§5.7) | Actor identity, specialist identity, workflow lineage |
| Integrity/tamper evidence (§5.8) | Event hashes and chain verification results |
| Negative/absence evidence (§5.9) | Expected events that did not occur, denied actions |
| Dependency/environment evidence (§5.10) | Sanitized environment context, tool versions, system configuration |
| HITL evidence (§5.11) | Operator approvals, operator overrides, operator interactions |
Model output is recorded as external/unverified evidence and is non-authoritative for governance decisions (audit_and_evidence_model.md §5.5, product_system_definition.md §5).
Multi-specialist evidence requirements
Multi-specialist workflows must preserve attribution to concrete graph nodes (audit_and_evidence_model.md §6):
- specialist identity for each action
- parent-child delegation relationships
- delegation depth
- inter-specialist message handoff evidence
- initiator identity for each action
Redaction model
Sensitive data is not persisted in raw form. Redaction retains structure and traceability while closing data exfiltration paths (audit_and_evidence_model.md §7):
- pattern-based regex redaction specifically targeting API keys and authorization tokens (e.g., x-api-key, authorization, sk-)
- captured sensitive values are explicitly replaced with [REDACTED]
- per-redaction metadata: data type, event location, redaction method
This preserves reconstructability without exposing protected values.
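As an added example (not code from audit_and_evidence_model.md or its project), a small Python redactor that applies the approach described above to an event before it is persisted: header names and the sk- prefix stand in for the real patterns, and the metadata field names, the sample event and the path notation are assumptions.

```python
import re
from typing import Any

# Assumed patterns; the page names the targets (x-api-key, authorization, sk-), not exact regexes.
SENSITIVE_KEY_RE = re.compile(r"^(x-api-key|authorization)$", re.IGNORECASE)
SECRET_VALUE_RE = re.compile(r"\bsk-[A-Za-z0-9_-]{8,}\b")
PLACEHOLDER = "[REDACTED]"


def redact_event(event: dict) -> tuple[dict, list[dict]]:
    """Return a redacted copy of the event plus one metadata record per redaction.

    Structure (keys, list positions) is preserved so replay can still locate each
    value; only the protected content is replaced by the placeholder.
    """
    metadata: list[dict] = []

    def walk(node: Any, path: str) -> Any:
        if isinstance(node, dict):
            out = {}
            for key, value in node.items():
                loc = f"{path}.{key}" if path else key
                if isinstance(value, str) and SENSITIVE_KEY_RE.match(key):
                    # Whole value is secret because of where it sits (header/field name).
                    out[key] = PLACEHOLDER
                    metadata.append({"data_type": key.lower(), "location": loc, "method": "key_match"})
                else:
                    out[key] = walk(value, loc)
            return out
        if isinstance(node, list):
            return [walk(item, f"{path}[{i}]") for i, item in enumerate(node)]
        if isinstance(node, str) and SECRET_VALUE_RE.search(node):
            # Secret embedded in free text: replace only the matching token(s).
            metadata.append({"data_type": "api_key", "location": path, "method": "pattern_match"})
            return SECRET_VALUE_RE.sub(PLACEHOLDER, node)
        return node  # non-sensitive scalar, copied unchanged

    return walk(event, ""), metadata


# Constructed sample execution-evidence event (not real data).
SAMPLE_EVENT = {
    "event_type": "tool_invocation",
    "headers": {"Authorization": "Bearer abc123", "x-api-key": "key-xyz", "content-type": "application/json"},
    "args": ["--token", "sk-live_0123456789abcdef"],
    "note": "retry with sk-test_ABCDEFGHIJ after 5xx",
}

if __name__ == "__main__":
    redacted, records = redact_event(SAMPLE_EVENT)
    print(redacted)
    print(records)
```

The returned metadata list is what would be stored alongside the event as the per-redaction record; the original dict is left untouched so the caller decides when the raw form is discarded.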
Replay model
Replay is authoritative and must reconstruct (audit_and_evidence_model.md §8):
- proposals
- canonicalization
- policy decisions
- approvals
- permits
- context composition
- execution attempts
- delegation chains
This is inspectability and auditability in operation (per G3, G4).