Every artifact is tamper-evident and independently verifiable.
Every published artifact carries an artifact_hash (SHA-256 over JCS-canonicalized content). Two artifacts with the same hash made the same decision from the same inputs.
Entries are never updated or deleted. Consumers can independently recompute and compare hashes at any time.
Artifacts may include a cryptographic signature for additional tamper evidence, verifiable with the published public key.
If upstream data is revised, a new artifact is produced — the hash change is the audit signal. The old artifact is never overwritten.
Explicit version bump rules with notification expectations.
| Schema field added/removed | schema_version |
| Field type changed | schema_version |
| Calibration update | model_version |
| Logic change | model_version |
| Bug fix (no output change) | None |
| Major changes | 7 days notice before deployment |
| Minor changes | Documented in CHANGELOG |
| Hotfixes | Immediate with post-hoc documentation |
Structured severity classification with defined response and resolution targets.
| Severity | Level | Definition | Response | Resolution |
|---|---|---|---|---|
| SEV-1 | Critical | Signal incorrect or missing | Within minutes | Same day |
| SEV-2 | High | Signal delayed beyond SLA | Within hours | Same day |
| SEV-3 | Medium | Degraded quality, signal still valid | Same day | Next business day |
| SEV-4 | Low | No client impact | Next business day | Within 5 business days |
Defined recovery objectives with backup and restore procedures.