{
  "id": "data_governance",
  "label": "Data Governance Canonical",
  "phase": "phase-08",
  "category": "security_governance",
  "status": "ACTIVE_DH_MIRROR",
  "purpose": "Define how DEVON-DEV governs technical data before the platform reads it, records it, indexes it, logs it, stores it, masks it, retains it, deletes it or reuses it in prompts, memory, evidence and learning flows.",
  "function": "Prevent logs, files, outputs, uploaded material, evidence snapshots, indexed content, model context and derived records from becoming unmanaged text by enforcing catalog, lineage, quality, sensitivity, access, retention, masking and project-scope rules.",
  "data_governance_contract": {
    "requires_data_catalog": true,
    "requires_data_lineage": true,
    "requires_data_quality_rules": true,
    "requires_sensitive_data_detector": true,
    "requires_data_access_policy": true,
    "requires_data_retention_policy": true,
    "requires_data_masking": true,
    "requires_project_data_isolation": true,
    "requires_origin_record": true,
    "requires_allowed_use": true,
    "requires_storage_class": true,
    "requires_prompt_use_policy": true,
    "requires_indexing_policy": true,
    "requires_log_policy": true,
    "requires_deletion_policy": true,
    "blocks_unknown_data_origin": true,
    "blocks_unmasked_sensitive_data": true,
    "blocks_unscoped_project_data": true,
    "blocks_unapproved_prompt_reuse": true,
    "blocks_retentionless_storage": true,
    "decision_authority": "NONE_FSM_DECIDES"
  },
  "governed_data_classes": [
    "logs",
    "command_output",
    "uploaded_files",
    "source_documents",
    "evidence_snapshots",
    "indexed_content",
    "vector_records",
    "memory_records",
    "audit_records",
    "execution_records",
    "configuration_records",
    "model_outputs",
    "prompt_context",
    "error_traces",
    "database_rows",
    "project_files"
  ],
  "technology_requirements": [
    {
      "technology": "Data Catalog",
      "required_for": "Register DEVON-DEV technical data classes, owners, origin, storage location, project scope, sensitivity, retention class and allowed use.",
      "required_by_phase": "phase-08",
      "required_by_category": "data_governance",
      "required_by_buckets": [
        "Prerequisites",
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until data class schema, owner mapping and catalog storage exist",
      "validation_command": "MISSING until catalog lookup can prove data_id, origin, owner, sensitivity, project_scope, storage_class and allowed_use",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/data_governance_canonical.json",
      "status_source": "Documentation Hub + future Data Catalog + Evidence Store + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Data Catalog, DEVON-DEV cannot prove what data it has, where it came from, who owns it, how sensitive it is or how it may be used."
    },
    {
      "technology": "Data Lineage Tracker",
      "required_for": "Track how files, logs, evidence, prompt context, memory records, vector records and derived outputs are created, transformed, indexed or reused.",
      "required_by_phase": "phase-08",
      "required_by_category": "data_governance",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until lineage references and transformation records exist",
      "validation_command": "MISSING until lineage check can prove source_data_id, derived_data_id, transformation, actor, timestamp and allowed_use",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/data_governance_canonical.json",
      "status_source": "Documentation Hub + future Data Lineage Tracker + Execution Ledger Store + Evidence Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Data Lineage Tracker, DEVON-DEV cannot prove how sensitive or external data became evidence, memory, prompt context, logs or derived outputs."
    },
    {
      "technology": "Sensitive Data Detector",
      "required_for": "Detect sensitive data in files, logs, command output, prompts, evidence, uploads, memory, indexed content and model responses before exposure or reuse.",
      "required_by_phase": "phase-08",
      "required_by_category": "data_governance",
      "required_by_buckets": [
        "Installation",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery"
      ],
      "expected_version": "MISSING until detector rules and scanning path exist",
      "validation_command": "MISSING until detector can prove input class, match class, sensitivity result, masking action and audit link",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/data_governance_canonical.json",
      "status_source": "Documentation Hub + future Sensitive Data Detector + Security Monitoring + Execution Logs",
      "blocking_if_missing": true,
      "failure_impact": "Without Sensitive Data Detector, DEVON-DEV can move credentials, customer data, private project content or confidential outputs into logs, prompts or indexes without warning."
    },
    {
      "technology": "Data Masking Engine",
      "required_for": "Mask sensitive technical data before it enters logs, UI, prompts, memory, reports, exports or external communication.",
      "required_by_phase": "phase-08",
      "required_by_category": "data_governance",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery"
      ],
      "expected_version": "MISSING until masking rules, field policies and output filters exist",
      "validation_command": "MISSING until masking can prove raw input class, masked output, rule applied, storage target and no raw sensitive value exposure",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/data_governance_canonical.json",
      "status_source": "Documentation Hub + future Data Masking Engine + Execution Logs + Compliance Guardrails",
      "blocking_if_missing": true,
      "failure_impact": "Without Data Masking Engine, DEVON-DEV can correctly classify data as sensitive and still expose it during debugging, UI rendering, prompt assembly or log storage."
    },
    {
      "technology": "Data Retention Policy",
      "required_for": "Control how long logs, evidence, uploads, model outputs, memory records, audit records, execution records and indexed content are kept or deleted.",
      "required_by_phase": "phase-08",
      "required_by_category": "data_governance",
      "required_by_buckets": [
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until retention classes and deletion rules exist",
      "validation_command": "MISSING until retention check can prove data_class, retention_window, protected_status, deletion_rule, deletion_result and audit record",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/data_governance_canonical.json",
      "status_source": "Documentation Hub + future Retention Policy Registry + Volume & Persistence Governance + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Data Retention Policy, DEVON-DEV can delete evidence too early or keep sensitive technical data longer than allowed."
    },
    {
      "technology": "Data Access Policy",
      "required_for": "Decide who, what role, which tool, which project and which runtime flow may read, write, index, export, prompt-use or delete governed data.",
      "required_by_phase": "phase-08",
      "required_by_category": "data_governance",
      "required_by_buckets": [
        "Prerequisites",
        "Configuration",
        "Validation",
        "Observable Evidence",
        "Failure Modes & Recovery",
        "Completion & Promotion"
      ],
      "expected_version": "MISSING until access policy schema and enforcement point exist",
      "validation_command": "MISSING until data access decision can prove actor, role, project_id, data_class, operation, allow/deny result and audit record",
      "evidence_path": "/home/yeff/public_html/devon/canon/execution/state/dh_sources/data_governance_canonical.json",
      "status_source": "Documentation Hub + future RBAC Service + Data Catalog + Audit Trail Store",
      "blocking_if_missing": true,
      "failure_impact": "Without Data Access Policy, DEVON-DEV can protect tools and secrets while still letting governed data be read, indexed or reused without permission."
    }
  ],
  "depends_on": [
    "sec",
    "rbac_permissions",
    "secrets_management",
    "multi_project_isolation",
    "memory_isolation",
    "compliance_legal_guardrails",
    "evidence_store",
    "source_trust_registry",
    "execution_ledger",
    "execution_logs",
    "audit_trail",
    "volume_persistence_governance",
    "environment_registry",
    "fsm_absolute_decision",
    "decision_rule_registry",
    "architecture_source_registry"
  ],
  "used_by": [
    "compliance_legal_guardrails",
    "dependency_vulnerability_scanner",
    "license_third_party_governance",
    "memory_arch",
    "knowledge_ingestion",
    "knowledge_versioning",
    "memory_lifecycle",
    "learning_gov",
    "external_knowledge_access",
    "prompt_governance",
    "prompt_instruction_assembly",
    "security_monitoring",
    "future_execution_monitoring_panel"
  ]
}
