architecture · v0.01

Access and Governance Model

Two-layer governance architecture separating network admin governance from operator business governance, with the Create Job action as the explicit boundary between governance and execution.

private active partially_implemented qtm-os

Access and Governance Model

Governance in QTM OS happens in two layers: the admin layer (network governance) and the operator layer (business governance). These layers are separate and do not overlap.

Two-layer governance

Layer 1: Admin governance (network)

The admin layer governs the network itself. It controls:

  • Whether an operator is approved to use the system
  • Which operators are active, limited, or suspended
  • Network-level task review and assignment
  • Surface readiness and routing

The Admin Governance Desk is the control plane for this layer.

Layer 2: Operator governance (business)

The operator layer governs the operator’s own business operations. It controls:

  • Reviewing incoming requests from their own funnel
  • Approving and assigning work within their account
  • Creating jobs from their own approved requests
  • Executing work through their desk

The Operator Admin workspace is the control plane for this layer.

Routing logic

When a request enters the system, it is routed to the correct governance layer based on the funnel it came from.

Operator-owned funnel → Task goes to operator governance
Network-managed funnel → Task goes to admin governance

Operator-owned funnel: The request came from an intake surface associated with a specific operator. The operator reviews and acts on their own incoming work.

Network-managed funnel: The request came from a network-level intake surface. Admin reviews and assigns the work.

This routing is set when the intake is submitted and does not change after the fact.

The Create Job boundary

Create Job is the most important governance action in the system.

It is an explicit, deliberate action that moves a request from the governance zone into the execution zone. It cannot happen automatically.

Task (governance) → [Create Job] → Job (execution)

Before Create Job: work is in review, the operator’s desk shows nothing, no execution can happen.

After Create Job: work is queued, the operator’s desk shows the job, execution can begin.

This boundary exists to prevent work from entering execution without being deliberately approved and assigned.

Access states

Governance also controls whether an operator can use the system at all. Every operator has an access state:

StateMeaning
activeFull access to workspace and desk
limitedRestricted access — some features unavailable
suspendedBlocked from protected routes
pending_activationApproved but not yet activated
pending_reviewApplication exists, no entitlement yet

Access state is set by the admin layer. Being logged in does not automatically mean full access — authentication and access state are separate concepts.

What governance is not

Governance is not execution. The governance layer does not do the work — it decides whether work can be done, by whom.

Governance does not produce Records or trust signals. Those come from execution.

Guardrails

  • Preserve the distinction between planned, partial, and live.
  • Avoid marketing language.
  • Keep IDs, namespaces, and lifecycle terms precise.
  • Routing origin is not the same as assignment.
  • Access state and authentication are separate concepts.