Minctrl Docs
Concepts

Governance model

How Minctrl decides when a step runs on its own and when it parks for a human — risk-tiered gates, the judge panel, calibrated confidence, and a tamper-evident audit trail.

Minctrl's governance model answers one question for every step of a run: can this proceed on its own, or must a human sign it first? Four mechanisms combine to answer it — risk-tiered gates, a compliance-judge panel, calibrated confidence, and a tamper-evident audit trail.

Risk-tiered gates

Every step in a process template carries a risk tier. The tier sets the bar the step's outcome must clear to auto-proceed:

  • Low-risk steps auto-execute (reads, enrichments, reversible calls).
  • High-risk steps are gates: the run parks and waits for a human verdict before continuing.

The tier is part of the template's governance decoration — the same canvas graph that drives execution also encodes where the gates are. When a run reaches a gate it parks on that gate's step-id; a human resumes it by signing that step-id (see Run a governed process).

The compliance-judge panel

At a gate, Minctrl doesn't rely on a single model. A panel of judges evaluates the step's context against the vertical's compliance rules. Each judge produces a verdict; the panel aggregates them. A seated panel for a vertical is inspectable:

curl -s "$API/process-templates/prior-auth/judges" \
  -H "Authorization: Bearer $TOKEN"

The panel's job is not to make the human decision — it's to decide whether the human decision is needed, and to hand the human a defensible summary when it is.

Calibrated confidence

Auto-proceed is gated on calibrated confidence, not a raw model score. A calibrated score means "0.9 confident" actually corresponds to being right ~90% of the time, so the auto-proceed threshold maps to a real, defensible error rate. When calibrated confidence falls below the tier's threshold, the step parks even if it wasn't a statically-declared gate — uncertainty itself is a reason to bring in a human.

Tamper-evident audit trail

Every decision — auto-proceed, park, and each human verdict — is written to a tamper-evident audit trail. Entries are chained so that any later edit to a past entry is detectable, which is what makes a run reconstructable and defensible after the fact. This is the record you hand a regulator or auditor: what ran, what parked, who signed which gate step-id, and why.

Durable park/resume

Parking is durable. A run's full state is persisted when it parks, so it can wait minutes or days without holding resources. Resuming is a single API call that continues from exactly where it stopped — nothing is recomputed and no context is lost. This is what lets a governed process span a real human's working schedule instead of a request timeout.

Putting it together

step reached

   ├─ low risk & calibrated-confident ─▶ auto-proceed  ─▶ audit entry

   └─ high risk OR low confidence ─▶ PARK ─▶ judge panel summary

                                    human verdict (gate step-id + decision)

                                    resume ─▶ audit entry ─▶ next step

On this page