Enforcement ledger | control board | map checks to control class

[raylee-hawkins]

Purpose

Track enforcement and verifier control-class mapping for HawkinsOperations control-board governance.

Current Role

This is a current private Control Board governance item. It exists to map validators, verifiers, checks, branch protections, and review gates to their actual control class.

Control Classes

• NOT_YET_CONTROL: planned or described, but not implemented as a check, review gate, branch protection, ruleset, or verifier.
• REPORT_ONLY: visible in docs, issues, reports, or dashboards, but does not block, fail, or force correction.
• SOFT_ENFORCEMENT: runs or guides review, but can be bypassed or is not required for the protected path.
• REAL_CONTROL: blocks, fails, or forces correction through CI, branch protection, required checks, deterministic verifier behavior, rulesets, or equivalent hard gate.

Control Boundary

File presence is not real control.

Docs, issues, comments, project fields, and reviewer-routing pages are report-only unless backed by a blocking check, required review, branch protection, ruleset, deterministic verifier, or equivalent hard gate.

REAL_CONTROL requires something that blocks, fails, or forces correction.

Current Proof Level

REPORT_ONLY unless a specific linked control is proven to block, fail, or force correction.

Supported Claim

HawkinsOperations can track which checks and governance surfaces are NOT_YET_CONTROL, REPORT_ONLY, SOFT_ENFORCEMENT, or REAL_CONTROL.

Blocked Claims

• runtime-active
• signal-observed
• evidence-linked public proof
• public-safe
• live Splunk firing
• production triage
• analyst-approved disposition
• HO-GPU-01 runtime-active
• Cribl-routed
• Wazuh-routed
• AWS-live
• autonomous SOC
• production-ready SOC
• fleet-wide deployment
• AI-approved disposition

Dependencies

• validators and verifiers
• CI workflows
• branch protections and rulesets
• required review gates
• proof and reviewer-routing records

Done Criteria

A row-backed enforcement ledger maps each relevant check, verifier, workflow, branch protection, ruleset, and review gate to NOT_YET_CONTROL, REPORT_ONLY, SOFT_ENFORCEMENT, or REAL_CONTROL with evidence for each classification.

Public-Safe Status

NOT_PUBLIC_SAFE

Next Gate

Map checks to NOT_YET_CONTROL / REPORT_ONLY / SOFT_ENFORCEMENT / REAL_CONTROL without promoting runtime, signal, public-safe, or production claims.

[raylee-hawkins]

Converted to a standing guardrail/control-tracking issue. Current evidence shows several controls and routing artifacts now exist, including validation proof-loop checks and org proof routing, but hard enforcement remains control-by-control and must not be inferred from file presence alone. Keep open to track NOT_YET_CONTROL, REPORT_ONLY, SOFT_ENFORCEMENT, and REAL_CONTROL status without promoting HO-DET-001 beyond TEST_VALIDATED_SYNTHETIC_SCOPE.

[raylee-hawkins]

Control artifacts exist, but an enforcement ledger mapping each check to control class is still missing.

[raylee-hawkins]

Branch protection correction receipt:

During the GitHub org profile polish, a direct update to the default branch was accepted even though the repository reported that changes are expected to go through pull requests.

Correction applied:

• Located the classic branch protection rule for the default branch in HawkinsOperations/.github.
• Confirmed organization-level rulesets were empty.
• Tightened branch protection so pull request flow is required and administrator bypass is not allowed.
• Left status checks disabled for now because no required checks are currently configured for this repo.
• Left force pushes and deletions disabled.

Boundary:
This was a governance correction for the .github profile and reviewer-routing surface only. No proof, validation, runtime, signal, or production claim was promoted.

Next:
Future .github changes should use branch to pull request to merge. Direct default-branch pushes require explicit PUSH_APPROVED and should be rare.