Data processing posture

Status: customer boundary doc. Drives the customer-facing read of what Gestalt processes today. See contracts/production-admission.v0.json customer_boundary_lane.required_doc_topics entry data_processing_posture and the consistency_invariants that require docs to match runtime route labels and proof behaviour.

Gestalt accepts membrane operations that record:

  • Hashes and references that identify a tenant, company, package, connector, vertical, jurisdiction, and timeframe.
  • Minimal evidence references such as the evidence_ref, proof_ref, receipt_ref, and signature_ref shapes returned on receipts.
  • Hash-only artefacts for things that would otherwise be sensitive: legal name hash, register hash, credential ID hash, public verification material, signature material.

Every authentic-candidate operation passes through the central evaluator before any business logic. The evaluator emits a refusal with a stable code from contracts/refusal-codes.v0.json if any prerequisite is missing, and the matching proof bundle cites the production scope policy block even when production admission is disabled.

The membrane refuses raw payloads of any of the following classes, and the docs do not invite them:

  • Raw register payloads, raw legal names, or other raw company bootstrap material. company.bootstrap requires hashes only.
  • Raw credential ID, private key material, or biometric template material. The HumanAuth surface accepts a credential ID hash and public verification material only.
  • Raw connector payloads or credential secrets. Connectors deliver hash-only consent and evidence references; secrets stay at the connector.
  • Raw incident payloads. ops.incidentReceipt records hash-only alert, mitigation, and communications material.
  • Raw database content. Read models project membrane-safe summaries with explicit citations; the underlying store is not exposed to callers.
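The hash-only rule for company.bootstrap above, combined with the evaluator's refuse-before-business-logic posture, as an added illustrative check that is not Gestalt's own code. The snake_case field names, the 64-hex SHA-256 hash shape and the PLACEHOLDER_* refusal codes (standing in for entries in contracts/refusal-codes.v0.json) are assumptions.

```python
"""Illustrative hash-only membrane check; added example code, not
Gestalt's own evaluator. Assumed (not from the doc): the hash shape is a
lowercase 64-hex SHA-256 digest, the snake_case field names, and the
PLACEHOLDER_* strings standing in for codes in contracts/refusal-codes.v0.json.
"""
import hashlib
import re

HASH_RE = re.compile(r"^[0-9a-f]{64}$")

# Assumed hash-only field set for company.bootstrap.
BOOTSTRAP_HASH_FIELDS = {"legal_name_hash", "register_hash"}


def sha256_hex(text: str) -> str:
    """Hash a value on the caller's side, before it crosses the membrane."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def evaluate_bootstrap(payload: dict) -> dict:
    """Run the membrane check before any business logic.

    Returns {"refused": False} or a refusal naming a stable code and the
    offending field names. Only field *names* are reported: echoing the
    values would leak the very raw material the refusal exists to keep out.
    """
    keys = set(payload)
    missing = sorted(BOOTSTRAP_HASH_FIELDS - keys)
    if missing:
        return {"refused": True, "code": "PLACEHOLDER_MISSING_PREREQUISITE", "fields": missing}
    unknown = sorted(keys - BOOTSTRAP_HASH_FIELDS)
    if unknown:  # raw legal names, register payloads etc. are never parsed
        return {"refused": True, "code": "PLACEHOLDER_RAW_FIELD_REFUSED", "fields": unknown}
    not_hash = sorted(k for k, v in payload.items()
                      if not (isinstance(v, str) and HASH_RE.match(v)))
    if not_hash:
        return {"refused": True, "code": "PLACEHOLDER_NOT_HASH_SHAPED", "fields": not_hash}
    return {"refused": False}


if __name__ == "__main__":
    # Constructed sample inputs.
    hashed = {"legal_name_hash": sha256_hex("Example Co"),
              "register_hash": sha256_hex("REG-0001")}
    raw = dict(hashed, legal_name="Example Co")
    print(evaluate_bootstrap(hashed))  # accepted: hash-shaped fields only
    print(evaluate_bootstrap(raw))     # refused, naming 'legal_name' but not its value
```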

The data Gestalt actually persists is bounded by the maturity of each operation. The labels below are the truth labels from contracts/production-admission.v0.json operation_maturity:

  • shape-only — the contract and types exist; the call returns a structurally correct response and records no consequence.
  • fixture-rehearsed — the operation walks an end-to-end fixture pattern with honest receipts and refusals.
  • staging-durable — the operation can persist runtime evidence across restarts when the remote store is configured. Production admission remains false.
  • authentic-candidate — the operation calls the central evaluator and may admit production for a signed pilot record only.
  • staging-durable-refusal — the operation persists its refusal posture; today this is the limited pilot gate, which refuses until a signed admission record exists.

No operation is broadly admitted today. The pilot.admissionGate operation exists, and its refusal posture is durable; admission can be granted only per operation, in a signed pilot admission record.

A pilot admission record names tenant, company, jurisdiction, vertical, package and epoch, connector, effect class, admitted operations, excluded operations, and timeframe (see contracts/production-admission.v0.json pilot_admission_lane.signed_record_required_fields). The pilot record is the document the controller and processor agree is the basis for processing. Outside that record, Gestalt refuses.