Vauban — Governance Commitment Statement
Audience: institutional-partners, investors, regulators, due-diligence
Version 1.0 — 2026-05-20
What This Document Is
A single-page reference for institutional due diligence. It points to machine-verifiable evidence — not self-reported claims.
1. Decision Governance (ADR-ECO corpus)
Every cross-product, capital-impacting, or architecture-shifting decision is recorded as a Strategic Decision Record (ADR-ECO) and must pass:
- 5-axiom check (Institutionnel · SOTA · Robuste · Anti-fragile · Profitable)
- Cedar policy validation (automated CI gate)
- Founder explicit approval (Phase 0) or council quorum (Phase 1+)
48 ADR-ECOs accepted as of 2026-05-20, covering: VPSF architecture, MCP security, EU AI Act compliance strategy, product charters, data governance, pricing, licensing, and audit cadence.
Each ADR-ECO is archived in Brain institutional memory and batch-anchored on Starknet mainnet via Poseidon-hash Merkle proof (tamper-evident, chain-verifiable).
| Verifiable artifact | Link |
|---|---|
| ADR-ECO corpus | governance/decisions/ADR-ECO-*.md (Git, public on request) |
| Brain proof chain | GET /brain/entries/{uuid}/proof — poseidon_hash + proof_tx |
| Starknet explorer | starkscan.co/tx/{proof_tx} (per ADR) |
2. Automated Enforcement (CI Gates)
Three GitHub Actions workflows run on every commit touching governance surfaces:
| Gate | What it checks | Status |
|---|---|---|
| governance-self-audit | 26 check functions: rules, hooks, charters, ADR format | |
| opa-policy-test | Cost-gate OPA Rego policy tests | |
| cedar-policy-validate | Cedar policy syntax (4 policies) | |
No governance change merges to main with a failing gate.
3. EU AI Act Positioning (Art. 26 — Deployer)
Vauban’s classification (hypothesis, pending legal confirmation):
- Role: Deployer of GPAI system (Claude, trained by Anthropic). NOT a GPAI provider (Art. 53-55).
- Applicable obligations: Art. 26 — deployer duties (usage instructions, monitoring, log retention).
- High-risk conditional (Art. 9-15, Annex III §5b): vauban-finance and bastion-solver may qualify if deployed in institutional financial decision contexts. Assessment required before first institutional partnership.
- AI Office incident reporting (Art. 55(c)): procedure documented in rules/core/incident-response.md. Phase 0: no GPAI-classified product deployed.
- Deadline: High-risk obligations applicable 2026-08-02.
Legal counsel engagement: target Q3 2026 (before first institutional partnership signed).
4. Data Governance & Privacy
- Brain institutional memory: KEK envelope encryption (HashiCorp Vault Transit, self-hosted), sensitivity labels (public/internal/confidential), retention scheduler, crypto-shredding endpoint (RGPD Art. 17). Per ADR-ECO-018 (implemented 2026-05-18).
- No PII stored without explicit sensitivity label. Presidio auto-detection at ingest.
- Sub-processors list: governance/trust-center/sub-processors.md.
5. Verification & Due Diligence Contact
| Item | Reference |
|---|---|
| Trust Center | trust.vauban.tech (Phase 1+ · self-hosted Astro) |
| Governance proof endpoint | GET trust.vauban.tech/verify/{adr-eco-id} (Phase 1+) |
| ADR-ECO index | governance/decisions/ — available on request |
| Compliance contact | Founder — RSO Phase 0 |
| Security disclosures | security@vauban.tech (RFC 9116) |
| Governance version | v2.6.0 (GOVERNANCE_VERSION in .claude/settings.json) |
This document is version-controlled. SHA of latest commit verifiable at github.com/vauban-org/vauban-gouvernance. Updated on each governance version bump.