Governance Trace Naming Standard¶
Purpose: Canonical span names, attribute keys, retention tiers, severity levels, and sampling policy for governance OTel projections. Spans are projections over typed evidence records — the authoritative audit record is always the typed evidence, not the span.
Cross-references: dsl-style.md, error-messages.md, test-style.md
1. Span Naming Pattern¶
{domain}.{operation}[.{detail}]
domain: lower-case governance subsystem.operation: lower-case verb or lifecycle noun.detail: optional qualifier for lifecycle events.- Existing two-part names are canonical when unambiguous:
gate.evaluate,evidence.emit,policy.resolve.
Allowed domains in v0:
governance gate breakglass evidence certificate charter sod registry policy permit
2. Common Required Attributes¶
Attach to every governance span where the value is known:
| Attribute | Type | Requirement |
|---|---|---|
governance.schema.version | string | Required on every governance span |
governance.retention.tier | enum | Required on every governance span |
governance.session.id | string | Required on every governance span |
governance.operation.id | string | Required except session root |
governance.flow.id | string | Required for flow spans, optional otherwise |
governance.actor.id | string | Required when actor is known |
governance.actor.role | string | Required when role affects governance |
governance.policy.version | string | Required for governed operations |
governance.charter.id | string | Required when charter is active |
governance.evidence.hash | string | Required when span projects a durable evidence record |
3. Retention Tiers¶
| Tier | Description | Sample Rate |
|---|---|---|
MUTABLE | Debug-only operational spans; not valid for required governance evidence | May be sampled |
PROTECTED | Session and flow lifecycle summaries | 100% for governed sessions |
IMMUTABLE | Gate decisions, evidence, certificates, break-glass, permits, charter events, SoD checks, registry decisions, policy resolutions | 100% always |
Spans are telemetry projections. Authoritative records live in typed evidence and tier-aware logs.
4. Span Registry¶
| Span | Tier | Required Event-Specific Attributes |
|---|---|---|
governance.session | PROTECTED | governance.session.name, governance.session.team, governance.session.branch.count |
governance.operation | IMMUTABLE | governance.operation.name, governance.operation.parent.id, governance.evidence.hash |
governance.flow | PROTECTED | governance.flow.name, governance.flow.plan.hash, governance.flow.node.count |
gate.evaluate | IMMUTABLE | gate.id, gate.tool.name, gate.verdict, gate.enforcement, gate.policy.version, gate.charter.id, gate.evidence.hash, gate.reason |
gate.justify | IMMUTABLE | gate.id, gate.verdict, gate.enforcement, gate.justification, gate.justification.actor.id, gate.evidence.hash |
gate.bypass | IMMUTABLE | gate.id, gate.tool.name, gate.bypass.reason, gate.bypass.authority, gate.bypass.expiry, gate.bypass.window.id, gate.evidence.hash |
breakglass.open | IMMUTABLE | breakglass.window.id, breakglass.activated.at, breakglass.requested.by, breakglass.approved.by, breakglass.reason, breakglass.max.duration, breakglass.evidence.hash |
breakglass.expire | IMMUTABLE | breakglass.window.id, breakglass.activated.at, breakglass.expired.at, breakglass.authority, breakglass.tools.used.count, breakglass.expiry.reason |
breakglass.close | IMMUTABLE | breakglass.window.id, breakglass.closed.at, breakglass.close.reason, breakglass.tool.call.count, breakglass.certificate.id |
breakglass.notify | IMMUTABLE | breakglass.window.id, breakglass.notification.target, breakglass.notification.kind, breakglass.notification.result |
evidence.emit | IMMUTABLE or PROTECTED | evidence.id, evidence.chain.hash, evidence.previous.hash, evidence.tier, evidence.kind, evidence.payload.hash |
evidence.verify | IMMUTABLE or PROTECTED | evidence.chain.hash, evidence.chain.length, evidence.verification.result, evidence.failure.reason |
certificate.state | IMMUTABLE | certificate.id, certificate.task.id, certificate.previous.state, certificate.state, certificate.defensibility, certificate.evidence.chain.hash |
certificate.mint | IMMUTABLE | certificate.id, certificate.task.id, certificate.gates.passed, certificate.gates.failed, certificate.grade, certificate.defensibility, certificate.evidence.chain.hash, certificate.break.glass |
certificate.verify | IMMUTABLE when trust-affecting | certificate.id, certificate.verification.result, certificate.superseded.by, certificate.evidence.chain.hash |
permit.issue | IMMUTABLE | permit.id, permit.scope, permit.tool.name, permit.issuer.id, permit.subject.id, permit.expires.at, permit.evidence.hash |
permit.consume | IMMUTABLE | permit.id, permit.tool.name, permit.subject.id, permit.consumed.at, permit.consume.result, permit.evidence.hash |
permit.revoke | IMMUTABLE | permit.id, permit.revoked.by, permit.revoked.at, permit.revoke.reason, permit.evidence.hash |
charter.load | IMMUTABLE when activating | charter.id, charter.version, charter.source.uri, charter.source.hash, charter.rule.count, charter.load.result |
charter.evaluate | IMMUTABLE | charter.id, charter.version, charter.constraint.id, charter.verdict, charter.severity, charter.evidence.hash |
charter.violation | IMMUTABLE | charter.id, charter.version, charter.constraint.id, charter.violation.severity, charter.violation.reason, charter.evidence.hash |
sod.check | IMMUTABLE | sod.role, sod.capability, sod.verdict, sod.policy.version, sod.evidence.hash |
registry.lookup | IMMUTABLE | registry.tool.name, registry.role, registry.allowed, registry.policy.version, registry.lookup.source, registry.evidence.hash |
policy.resolve | IMMUTABLE | policy.count, policy.strategy, policy.winner, policy.version, policy.conflict.count, policy.evidence.hash |
5. Value Conventions¶
- Attribute keys: dot-separated lower-case.
- Retention tiers: uppercase
MUTABLE,PROTECTED,IMMUTABLE. - Gate verdict enums (
gate.verdict): uppercaseALLOW,DENY,ADVISORY(ADR-0044 canonical values). - Gate enforcement in spans: uppercase
HARD,SOFT,ADVISORY. - DSL enforcement values are lowercase (
hard,soft,advisory) — map to uppercase in spans. - Booleans: native boolean.
- Hashes:
sha256:<64-hex-chars>. - IDs: stable strings for the duration of the operation.
- Paths and prompts: excluded unless explicitly redacted and approved by evidence policy.
trace_idandspan_id: stored in evidence records as correlation fields.- Evidence hashes: stored in span attributes as correlation pointers to authoritative records.
6. Severity¶
Use governance.severity when a generic severity field is needed:
| Value | When |
|---|---|
INFO | Expected lifecycle event or pass |
WARN | Advisory failure, soft override, partial verification, or non-blocking policy issue |
ERROR | Hard denial, parser failure, invalid charter, evidence/certificate verification failure |
CRITICAL | Break-glass activation, evidence tamper signal, certificate replay, or policy conflict that blocks a regulated run |
For charter-specific spans, use charter.severity with values INFO, WARN, BLOCK.
7. Sampling Policy¶
- Sample 100% of
IMMUTABLEspans. - Sample 100% of
PROTECTEDsession and flow lifecycle spans for governed sessions. MUTABLEdebug spans may be sampled at lower rates, but sampling must never drop the authoritative governance record.- When telemetry export is backpressured, write local evidence first and mark export failure with protected operational evidence.
- Never sample away: failures, break-glass events, permit events, certificate transitions, or policy conflicts.
8. Example A: Hard Gate Denial Span¶
{
"name": "gate.evaluate",
"parent": "governance.operation",
"attributes": {
"governance.schema.version": "2026-05-27.v1",
"governance.retention.tier": "IMMUTABLE",
"governance.session.id": "sess_01",
"governance.operation.id": "op_42",
"governance.actor.id": "agent:reader",
"governance.actor.role": "reader",
"governance.policy.version": "policy.gov.v1",
"governance.charter.id": "charter.reader.basic",
"gate.id": "verify_in_registry",
"gate.tool.name": "tool.write_file",
"gate.verdict": "DENY",
"gate.enforcement": "HARD",
"gate.reason": "Tool is not in the ratified registry snapshot.",
"gate.evidence.hash": "sha256:9ac1000000000000000000000000000000000000000000000000000000000001",
"governance.severity": "ERROR"
}
}
9. Example B: Break-Glass Open Span¶
{
"name": "breakglass.open",
"parent": "governance.session",
"attributes": {
"governance.schema.version": "2026-05-27.v1",
"governance.retention.tier": "IMMUTABLE",
"governance.session.id": "sess_02",
"governance.operation.id": "op_77",
"governance.policy.version": "policy.gov.v1",
"governance.charter.id": "charter.prod.support",
"breakglass.window.id": "bg_20260527_001",
"breakglass.activated.at": "2026-05-27T00:12:00Z",
"breakglass.requested.by": "agent:prod_support",
"breakglass.approved.by": "human:oncall_lead",
"breakglass.reason": "incident_response",
"breakglass.max.duration": "30m",
"breakglass.evidence.hash": "sha256:1b0e000000000000000000000000000000000000000000000000000000000002",
"governance.severity": "CRITICAL"
}
}