Security and governance

Governed controls for automotive engineering evidence.

AurigaTrace keeps project data, user access, upload evidence, parser outputs, AI-assisted drafting, and report approvals inside explicit engineering control boundaries.

RBAC: project access

AI-safe: controlled context

audit: evidence trail

Governance architecture

Trust boundary map

controlled

01 User and role: identity headers, future SSO/Cognito path

02 Project evidence: uploads, jobs, statistics, findings

03 Report review: drafts, approvals, artifact references

04 AI context: stored summaries, prompt metadata, request log

Governance model

Separate who can act, what data they can see, and which evidence supports each decision.

Security is part of the analysis workflow. A finding or report should show the project boundary, source file, parser run, statistics, rules, AI draft metadata, and reviewer action that produced it.

01 Workspace identity: Every request carries the active user, role, organization, and project context.

02 Project boundary: Vehicle programs and validation campaigns keep uploads, rules, findings, and reports separate.

03 Signed intake: Upload sessions register file metadata before raw test evidence enters object storage.

04 Parser provenance: Processing jobs preserve parser identity, format capability, state, and generated statistics.

05 Review gates: Findings, reports, and AI drafts move through explicit engineering review states.

06 Audit trail: Operational actions, report generation, and AI requests stay traceable for governance.

Control surfaces

Built for governed vehicle validation and diagnostic workflows.

Role-based project access

Scope work by organization, project, and role so validation, diagnostics, calibration, and platform users operate inside the right boundary.

  • Engineer workspace roles
  • Project-specific visibility
  • Admin operations area

Evidence data separation

Keep raw files, registered log records, processed statistics, rules, findings, reports, and AI request logs in distinct system records.

  • Raw object metadata
  • Processed statistics tables
  • Report artifact records

Controlled AI context

AI narrative drafting uses stored statistics, findings, and reviewed context rather than unrestricted raw log files.

  • Prompt version metadata
  • Context hash logging
  • Human review before attachment

Signed upload intake

The upload workflow creates traceable sessions and file registry rows before analysis jobs process the evidence.

  • Session status
  • Source filename
  • Checksum-ready metadata

AWS-backed operations

Deployment controls separate application runtime, image publishing, database credentials, upload storage, and operational observability.

  • OIDC deployment path
  • ECS service boundary
  • S3 and RDS separation

Report governance

Reports are generated from approved evidence and can be tied back to project, log file, parser run, findings, and AI draft metadata.

  • HTML report previews
  • Finding references
  • Export artifact history

Evidence lineage

Every report should explain how the conclusion was produced.

The platform records the relationship between projects, uploads, parsers, signal statistics, rule results, AI context, and generated report artifacts so engineers can re-check decisions after a test campaign changes.

Governance principle

Raw evidence is preserved, AI sees controlled summaries, and reviewers approve conclusions before they become report evidence.

Audit console

Engineering event chain

live trace
org: validation-lab
report evidence locked
Event | Actor | Evidence | State
project.created | Validation Engineer | program boundary | approved
upload.registered | Upload Center | source file + size | traceable
parser.completed | Processing Job | parser id + version | stored
rules.evaluated | Rule Engine | threshold evidence | review
ai.draft.created | AI Assistant | context hash | controlled
report.generated | Reports | findings + narrative | attached

AWS-backed operating controls

Cloud deployment paths stay separate from engineering evidence.

The deployment model separates image promotion, application runtime, object storage, relational metadata, secrets, and AI provider access so the platform can mature without mixing operational privileges with test evidence.

Control | Implementation | Evidence
Identity | User and role headers now; SSO/Cognito-ready contract later | identity log
Deployment | GitHub Actions OIDC promotes container images to AWS | OIDC path
Runtime | FastAPI service boundary with environment-scoped configuration | health/version
Storage | S3 raw object storage separated from relational metadata | file lineage
Database | RDS PostgreSQL holds tenant-scoped engineering records | tenant keys
Secrets | Application secrets isolated from UI and report artifacts | secret scope
AI | Provider requests built from approved stored context | AI request log

AI provenance

AI assists the narrative, but review ownership stays with the engineer.

Claude draft requests are governed by stored platform context. Prompt metadata and request logs make the draft explainable before it is attached to an engineering report.

01 Project metadata
02 Processed statistics
03 Rule findings
04 Prompt version
05 Context hash
06 Draft review
07 Report reference

Open the governed engineering workspace

Inspect projects, uploaded logs, parser jobs, rules, findings, reports, AI drafts, and operational status from one controlled workspace.
