# =============================================================================
# source_tiers.yaml — disclosure rules for evidence sources
# =============================================================================
# Disclosure tier: TIER_0_PUBLIC
# Schema version:  0.1.0
# Sealed:          2026-05-13
# =============================================================================
#
# Every piece of evidence inside a governed-AI artifact has a source
# attribution. The source category determines what may be disclosed at
# which tier. This file is the canonical mapping.
# =============================================================================

# File identity. All three values are quoted, so a parser keeps them as strings
# rather than retyping the version or the date. They repeat the "Schema version"
# and "Sealed" lines of the header comment and must be kept in agreement.
schema_version: "0.1.0"
policy_id: "GOVERNEDAI_SOURCE_TIERS_v0.1"
# NOTE(review): sealed_at records a date only. No digest or signature appears in
# this file, so the seal cannot be checked from the file alone -- confirm where
# the sealed content hash is recorded.
sealed_at: "2026-05-13"

# Maps each evidence source category to a description, an evidentiary weight,
# and one free-text disclosure rule per audience (public, partner, nda).
#
# NOTE(review): the disclosure rules are prose strings. Nothing in this file
# makes them machine-checkable; presumably they are applied by reviewers or by
# code elsewhere -- confirm what enforces them before relying on this mapping.
# NOTE(review): the header names a tier id (TIER_0_PUBLIC), but this file does
# not define how tier ids map onto the public/partner/nda keys below.
# NOTE(review): evidentiary_weight uses the values strongest, strong, moderate,
# weakest and external. "external" is shared by two categories and is not a
# position on the strongest..weakest scale; consumers should not sort on it.
source_categories:

  # Public rule excludes identifiers, dates and affected accounts.
  # NOTE(review): confirm that metadata published next to the summary (for
  # example timestamps on related records) does not reintroduce those details.
  # NOTE(review): "redacted" is not defined in this file; the partner rule
  # depends on a redaction standard specified elsewhere.
  direct_incident:
    description: "A production incident that was paid for in customer trust or engineer time"
    evidentiary_weight: "strongest"
    public_disclosure: "summary only; no incident-specific identifiers, dates, or affected accounts on public surfaces"
    partner_disclosure: "incident summary with redacted identifiers"
    nda_disclosure: "full incident detail under executed NDA"

  # The postmortem document itself is never public; only the abstracted lesson.
  postmortem:
    description: "A structured analysis of a past incident or near-miss"
    evidentiary_weight: "strong"
    public_disclosure: "the lesson learned, abstracted; not the postmortem document"
    partner_disclosure: "postmortem in redacted form"
    nda_disclosure: "full postmortem under executed NDA"

  # Rationale depth increases per audience: none, partner-relevant, full.
  design_decision:
    description: "An explicit, sealed architectural choice"
    evidentiary_weight: "moderate"
    public_disclosure: "the principle, not the rationale at depth"
    partner_disclosure: "principle plus partner-relevant rationale"
    nda_disclosure: "full decision rationale under executed NDA"

  # Same disclosure for every audience; an NDA adds nothing for this category.
  architectural_principle:
    description: "A stated principle without a specific incident or sealed decision"
    evidentiary_weight: "weakest"
    public_disclosure: "the principle, named as principle (not as proven)"
    partner_disclosure: "same as public"
    nda_disclosure: "same as public; principle category does not gain depth under NDA"

  # Partner and NDA rules expose compliance posture and internal control
  # evidence respectively; the public rule is limited to citation and summary.
  regulatory_requirement:
    description: "An external regulatory obligation"
    evidentiary_weight: "external"
    public_disclosure: "the regulation cited; the obligation summarized"
    partner_disclosure: "the obligation mapped to specific compliance posture"
    nda_disclosure: "the obligation mapped to internal control evidence"

  # Already-public material: identical rule for every audience.
  external_evidence:
    description: "An external citation (peer-reviewed paper, public report, regulator advisory)"
    evidentiary_weight: "external"
    public_disclosure: "direct citation with URL"
    partner_disclosure: "same as public"
    nda_disclosure: "same as public"

# Prose requirements on where a source category must be declared. Each value is
# a folded scalar (">"): line breaks inside it become spaces and one trailing
# newline is kept, so consumers receive a single line ending in "\n".
attribution_requirements:

  # Invariants declare their category; `architectural_principle` alone cannot
  # back a P0 invariant without an additional sealed decision.
  # NOTE(review): the category is stored in a field named scar_confidence, which
  # reads like a confidence value rather than a category -- confirm the field.
  on_every_invariant: >
    Every CONSTITUTIO-tier invariant must declare its source category in
    the apprenticeship_note.scar_confidence field. Invariants whose source
    category is `architectural_principle` may not be promoted to P0
    severity without an additional sealed decision.

  # The category label stays visible on `direct_incident` receipts; only the
  # incident specifics fall under the per-audience rules in source_categories.
  on_every_receipt: >
    Every RDL receipt declares the source category of the evidence it
    anchors. Receipts anchoring `direct_incident` sources are not
    redacted at the source-category level (the fact of the incident
    is disclosable; specifics follow per-tier rules above).

  # A mixed packet takes the tier of its most-restricted source, so adding
  # evidence can only tighten a packet's disclosure, never loosen it.
  # NOTE(review): this file does not state an ordering of tiers or of source
  # categories by restriction; "most-restricted" needs that ordering defined
  # somewhere to be applied consistently -- confirm.
  on_every_evidence_packet: >
    Every evidence packet emitted to a counterparty declares the source
    category for each piece of evidence it contains. Mixed-source packets
    are emitted at the tier of the most-restricted source.

# Review schedule. next_review_due_at (2026-11-09) is sealed_at (2026-05-13)
# plus review_cadence_days (180); change the three values together.
review_cadence_days: 180
next_review_due_at: "2026-11-09"

# Plain scalar, parsed as the string "active".
# NOTE(review): the set of allowed status values is not defined in this file.
status: active
# NOTE(review): carries the same value as schema_version; confirm whether the
# two are meant to diverge (file layout vs. policy content) or one is redundant.
version: "0.1.0"
