
Auditability and Approval Model

Use this page when you need to understand which Helpifyr actions require evidence, review, or explicit signoff before they are considered safe.

When to use this page

  • You are designing or reviewing an operator workflow.
  • You need to know whether a step can be automated or must remain review-gated.
  • You need public-safe language for auditability without exposing operator-only controls.

Prerequisites

  • You know which workflow or surface is involved.
  • You can read the current readiness and signoff surfaces.

Architecture / Flow

flowchart TD
A["Candidate action"] --> B["Gather readback evidence"]
B --> C["Check security and signoff readiness"]
C --> D{"Risky or irreversible?"}
D -- "no" --> E["Proceed in bounded lane"]
D -- "yes" --> F["Require approval or signoff"]
F --> G["Re-verify after action"]

Step-by-step procedure

1. Start with evidence, not intent

Before approval or signoff, collect bounded evidence such as:

GET /api/v1/security/readiness
GET /api/v1/signoff/readiness
GET /api/v1/recovery/readiness

2. Classify the action

Typical lower-risk actions:

  • read-only diagnostics
  • docs-materialization verification
  • non-destructive status comparisons

Typical higher-risk actions:

  • rollout or apply actions
  • recovery actions with live impact
  • signoff or residual-risk changes

3. Keep approvals tied to the verified state

An approval should map to:

  • the current source or PR head
  • the verified runtime or artifact state
  • the exact action being approved

4. Re-verify after the action

Approval is not the end of the workflow. Re-read the same readiness surfaces and confirm the expected effect.
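
One way to implement steps 1 to 3, and to catch the "approving a moving target" failure mode, is to store a digest of the approved state and recompute it at execution time. This is an added example, not Helpifyr code: the action kinds, the field names, the reduction of each readiness readback to a boolean, and all sample values are assumptions.

```python
import hashlib
import hmac
import json

# Assumed action kinds, taken from the page's "higher-risk" list.
HIGH_RISK = {"rollout", "apply", "recovery", "signoff-change"}
# The three readiness surfaces the page names in step 1.
SURFACES = ("security", "signoff", "recovery")


def binding(source_head, artifact_digest, action):
    """Digest over exactly what is being approved (canonical JSON, SHA-256)."""
    doc = {"head": source_head, "artifact": artifact_digest, "action": action}
    raw = json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def approve(approver, evidence, source_head, artifact_digest, action):
    """Issue an approval only when every readiness readback is present and ready."""
    missing = [s for s in SURFACES if evidence.get(s) is not True]
    if missing:
        raise ValueError(f"no current readback for: {', '.join(missing)}")
    return {"approver": approver,
            "binding": binding(source_head, artifact_digest, action)}


def may_execute(kind, approval, source_head, artifact_digest, action):
    """Gate at execution time, using the state observed now, not at approval time."""
    if kind not in HIGH_RISK:
        return True  # bounded lane: no signoff required
    if approval is None:
        return False
    current = binding(source_head, artifact_digest, action)
    return hmac.compare_digest(approval["binding"], current)


# Constructed sample values, not real Helpifyr output.
EVIDENCE = {"security": True, "signoff": True, "recovery": True}
HEAD, ARTIFACT = "head-aaaa", "sha256:constructed-artifact"
ACTION = "rollout service-x to staging"

if __name__ == "__main__":
    ok = approve("reviewer-1", EVIDENCE, HEAD, ARTIFACT, ACTION)
    print(may_execute("rollout", ok, HEAD, ARTIFACT, ACTION))         # same state
    print(may_execute("rollout", ok, "head-bbbb", ARTIFACT, ACTION))  # head moved
```

An approval whose binding no longer matches is treated as absent, so a changed head, artifact, or action text forces a fresh readback and a new signoff.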

Verification

The approval model is being applied correctly when:

  1. evidence was collected before approval
  2. risky actions are clearly distinguished from read-only steps
  3. post-action verification is part of the workflow

Common failure modes

Treating a human approval as a substitute for evidence

Problem:

  • signoff becomes ceremonial instead of safety-relevant.

Better path:

  • require current readback before approval

Approving a moving target

Problem:

  • the approved state no longer matches the executed state.

Better path:

  • bind approval to current head, current artifact, or current runtime truth

Source Truth

Next paths