Governance model
How Minctrl decides when a step runs on its own and when it parks for a human — risk-tiered gates, the judge panel, calibrated confidence, and a tamper-evident audit trail.
Minctrl's governance model answers one question for every step of a run: can this proceed on its own, or must a human sign it first? Four mechanisms combine to answer it — risk-tiered gates, a compliance-judge panel, calibrated confidence, and a tamper-evident audit trail.
Risk-tiered gates
Every step in a process template carries a risk tier. The tier sets the bar the step's outcome must clear to auto-proceed:
- Low-risk steps auto-execute (reads, enrichments, reversible calls).
- High-risk steps are gates: the run parks and waits for a human verdict before continuing.
The tier is part of the template's governance decoration — the same canvas graph that drives execution also encodes where the gates are. When a run reaches a gate it parks on that gate's step-id; a human resumes it by signing that step-id (see Run a governed process).
The compliance-judge panel
At a gate, Minctrl doesn't rely on a single model. A panel of judges evaluates the step's context against the vertical's compliance rules. Each judge produces a verdict; the panel aggregates them. A seated panel for a vertical is inspectable:
curl -s "$API/process-templates/prior-auth/judges" \
  -H "Authorization: Bearer $TOKEN"
The panel's job is not to make the human decision — it's to decide whether the human decision is needed, and to hand the human a defensible summary when it is.
Calibrated confidence
Auto-proceed is gated on calibrated confidence, not a raw model score. A calibrated score means "0.9 confident" actually corresponds to being right ~90% of the time, so the auto-proceed threshold maps to a real, defensible error rate. When calibrated confidence falls below the tier's threshold, the step parks even if it wasn't a statically declared gate — uncertainty itself is a reason to bring in a human.
Tamper-evident audit trail
Every decision — auto-proceed, park, and each human verdict — is written to a tamper-evident audit trail. Entries are chained so that any later edit to a past entry is detectable, which is what makes a run reconstructable and defensible after the fact. This is the record you hand a regulator or auditor: what ran, what parked, who signed which gate step-id, and why.
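The page does not say how entries are chained, so the following is an added example and not Minctrl's implementation: a minimal HMAC-chained log in Python showing how an edit to a past entry, or a dropped tail, becomes detectable. It assumes each entry carries the MAC of the one before it and that the newest MAC (the head) is also recorded outside the log store; the field names, key and sample entries are constructed.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed 'prev' value for the first entry

def _mac(key, prev, body):
    # Canonical JSON: the same entry always serialises to the same bytes.
    msg = json.dumps({"prev": prev, "body": body}, sort_keys=True, separators=(",", ":"))
    return hmac.new(key, msg.encode(), hashlib.sha256).hexdigest()

def append(trail, key, body):
    """Link a new entry to the MAC of the one before it; return the new head."""
    prev = trail[-1]["mac"] if trail else GENESIS
    trail.append({"prev": prev, "body": body, "mac": _mac(key, prev, body)})
    return trail[-1]["mac"]

def verify(trail, key, anchored_head=None):
    """Return None if intact, the index of the first bad entry, or
    len(trail) when the chain is self-consistent but its head differs
    from a head recorded elsewhere (entries dropped from the tail)."""
    prev = GENESIS
    for i, e in enumerate(trail):
        if e["prev"] != prev or not hmac.compare_digest(e["mac"], _mac(key, prev, e["body"])):
            return i
        prev = e["mac"]
    if anchored_head is not None and not hmac.compare_digest(prev, anchored_head):
        return len(trail)
    return None

def demo():
    key = b"constructed-demo-key"  # assumption: held outside the log store
    trail = []
    # Constructed entries: one auto-proceed, one park, one human verdict.
    append(trail, key, {"step_id": "fetch-claim", "event": "auto-proceed"})
    append(trail, key, {"step_id": "submit-auth", "event": "park"})
    head = append(trail, key, {"step_id": "submit-auth", "event": "verdict",
                               "signer": "reviewer@example.com", "decision": "deny"})
    intact = verify(trail, key, head)
    edited = json.loads(json.dumps(trail))      # deep copy of the trail
    edited[1]["body"]["event"] = "auto-proceed"  # rewrite the park entry
    truncated = trail[:2]                        # drop the human verdict
    return intact, verify(edited, key, head), verify(truncated, key, head)

if __name__ == "__main__":
    print(demo())  # (None, 1, 2)
```

Without the externally recorded head, the truncated trail would verify as intact, because removing entries from the tail leaves every remaining link valid.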
Durable park/resume
Parking is durable. A run's full state is persisted when it parks, so it can wait minutes or days without holding resources. Resuming is a single API call that continues from exactly where it stopped — nothing is recomputed and no context is lost. This is what lets a governed process span a real human's working schedule instead of a request timeout.
Putting it together
step reached
│
├─ low risk & calibrated-confident ─▶ auto-proceed ─▶ audit entry
│
└─ high risk OR low confidence ─▶ PARK ─▶ judge panel summary
                                            │
                                  human verdict (gate step-id + decision)
                                            │
                                  resume ─▶ audit entry ─▶ next step