The act of determining which security claims can become evidence and which evidence can justify authority. GoSentrix adjudicates the signals produced by scanners, AI agents, runtime systems, and workflow tools — it does not produce its own signals. The judicial weight of the term is intentional: adjudication is the verification body's defining act.
A signed proof record that binds a decision to its evidence, policy version, and replay context. Attestation is what makes a decision defensible later, in audits or in incident review. GoSentrix decisions are designed to be cryptographically attested via DSSE envelopes with deterministic content-addressed bundle IDs. Pipeline-wide signing rollout is in progress.
The constraint that GoSentrix's enforcement authority is earned per decision, by the evidence that decision can defend. GoSentrix cannot hard-block on severity, scanner confidence, or AI judgment alone. If required proof is missing, the system downgrades its own authority and records the downgrade. Authority bounds prevent overreach the same way evidence promotion prevents undersupport.
One of three independent dimensions of authority — distinct from evidence level and proof quality. Confidence is a probabilistic measure, often AI-generated; evidence level describes corroboration state; proof quality describes the rigor of the source. GoSentrix keeps these dimensions separate because collapsing them into a single risk score produces a number that looks like authority but cannot be defended.
The act of cross-source verification that promotes a claim from one evidence level to the next. Corroboration strength is a function of source diversity, not signal count. Two findings from the same scanner do not double the corroboration. Independent channels are what let a claim promote into stronger evidence.
The evidence behind a disproval. To mark a finding disproven, GoSentrix requires either an artifact reference or a reviewer attestation showing that the finding does not apply in context. The counterfactual artifact is what distinguishes disproval from suppression. Without it, a finding can only be suppressed, not disproven.
The unit of value GoSentrix produces. A decision is the output of the verification body — readiness assessment, release decision, fix verification, override authorization — bound to its evidence, its policy version, and its replay context. Every consequential decision is designed to be reproducible against the inputs that produced it.
The immutable identifier that ties a decision to its exact inputs. The fingerprint makes a decision locatable years later, not by search but by identity. It is part of what makes audit-grade defense possible: a decision with a fingerprint can be retrieved, replayed, and defended on its own terms.
A terminal evidence state distinct from suppression. Disproval refutes a finding with evidence that it does not apply in context. Suppression dismisses a finding from view without that evidence. GoSentrix makes the distinction structurally — a finding cannot be marked disproven without a counterfactual artifact or reviewer attestation.
GoSentrix's rules of authority — the constraints the verification body enforces on itself and on the claims it adjudicates. Doctrine prevents overclaiming. It is what distinguishes a verification body from a vendor with a thesis. The eight "never" lines that anchor GoSentrix's doctrine are published openly on the Doctrine page.
The structural behavior of the verification body when required proof is missing. If a decision requests HARD_BLOCK without sufficient evidence, GoSentrix downgrades the decision to a lower level automatically and records the downgrade reason. The operator cannot reverse the downgrade without supplying the missing evidence. Downgrades are structural, not editorial.
The foundation of authority in the verification body model. Evidence is what claims become after they are promoted through governed states with corroboration from independent sources. Signals enter the system; evidence is produced. The distinction is structural: signals can be probabilistic, but evidence has earned its position on the ladder.
One of three independent dimensions of authority — distinct from confidence and proof quality. Evidence level describes corroboration state: DETECTED, OBSERVED, CORROBORATED, VALIDATED, and terminal states such as PROVEN, DISPROVEN, and ACCEPTED. Levels cannot be skipped unless the source is explicitly trusted to support the target level.
The governed process by which claims move from one evidence state to the next. Promotion happens on independent corroboration, not on signal volume. The PromotionValidator rejects illegal transitions. Promotion is what converts unverified scanner output, AI claims, and runtime signals into authoritative evidence.
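The ladder, the corroboration rule, and the validator described in the entries above, as an added example written for this glossary rather than GoSentrix's own implementation. The state names come from the entries; the per-level source-count thresholds, the trusted-source skip rule, the `PromotionValidator` field layout, and the sample finding and signals are assumptions for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// EvidenceLevel is a claim's corroboration state. Names follow the glossary;
// thresholds and trust rules below are assumed for illustration.
type EvidenceLevel int

const (
	Detected EvidenceLevel = iota
	Observed
	Corroborated
	Validated
	Proven // terminal states start here
	Disproven
	Accepted
)

func (l EvidenceLevel) String() string {
	return [...]string{"DETECTED", "OBSERVED", "CORROBORATED", "VALIDATED", "PROVEN", "DISPROVEN", "ACCEPTED"}[l]
}

func (l EvidenceLevel) Terminal() bool { return l >= Proven }

// Signal is one unverified claim about a finding from a named source channel.
type Signal struct {
	Source string // the channel, e.g. "sast:semgrep"; repeated runs share a channel
	Claim  string
}

// Claim is a finding with its current level and the signals behind it.
type Claim struct {
	Finding string
	Level   EvidenceLevel
	Signals []Signal
}

// IndependentSources counts distinct channels: two findings from the same
// scanner do not double the corroboration.
func (c Claim) IndependentSources() int {
	seen := map[string]bool{}
	for _, s := range c.Signals {
		seen[s.Source] = true
	}
	return len(seen)
}

// requiredSources is the minimum number of distinct channels that must agree
// before a claim may hold each level (assumed thresholds).
var requiredSources = map[EvidenceLevel]int{Observed: 1, Corroborated: 2, Validated: 3}

var ErrIllegalTransition = errors.New("illegal promotion")

// PromotionValidator rejects illegal transitions. Trusted lists, per target
// level, the source channels explicitly trusted to carry a claim straight there.
type PromotionValidator struct {
	Trusted map[EvidenceLevel][]string
}

func (v PromotionValidator) trusted(target EvidenceLevel, source string) bool {
	for _, s := range v.Trusted[target] {
		if s == source {
			return true
		}
	}
	return false
}

// Promote returns the claim at target with the new signal attached, or the
// unchanged claim and an error explaining the refusal.
func (v PromotionValidator) Promote(c Claim, target EvidenceLevel, by Signal) (Claim, error) {
	switch {
	case c.Level.Terminal():
		return c, fmt.Errorf("%w: %s is terminal", ErrIllegalTransition, c.Level)
	case target.Terminal():
		return c, fmt.Errorf("%w: %s needs a proof or counterfactual artifact, not more corroboration", ErrIllegalTransition, target)
	case target <= c.Level:
		return c, fmt.Errorf("%w: %s -> %s is not a promotion", ErrIllegalTransition, c.Level, target)
	}
	next := c
	next.Signals = append(append([]Signal(nil), c.Signals...), by)
	if v.trusted(target, by.Source) { // an explicitly trusted source may skip levels
		next.Level = target
		return next, nil
	}
	if target != c.Level+1 {
		return c, fmt.Errorf("%w: %q may not skip %s -> %s", ErrIllegalTransition, by.Source, c.Level, target)
	}
	if n, need := next.IndependentSources(), requiredSources[target]; n < need {
		return c, fmt.Errorf("%w: %s needs %d independent sources, have %d", ErrIllegalTransition, target, need, n)
	}
	next.Level = target
	return next, nil
}

func main() {
	v := PromotionValidator{Trusted: map[EvidenceLevel][]string{Validated: {"pentest:manual"}}}
	// Constructed sample finding and signals.
	c := Claim{Finding: "SQL injection in /api/search", Level: Detected}
	c, err := v.Promote(c, Observed, Signal{Source: "sast:semgrep", Claim: "tainted query builder"})
	fmt.Println(c.Level, err)
	_, err = v.Promote(c, Corroborated, Signal{Source: "sast:semgrep", Claim: "same rule, second run"})
	fmt.Println(err) // refused: same channel, so no new corroboration
	c, err = v.Promote(c, Corroborated, Signal{Source: "runtime:waf", Claim: "blocked matching payload"})
	fmt.Println(c.Level, err)
}
```

The second `Promote` call is the point of the example: a second run of the same scanner adds a signal but not a source, so the claim stays at OBSERVED until an independent channel agrees. Terminal states are refused outright here because, per the glossary, they require a proof or counterfactual artifact rather than more corroboration.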
The verification body's behavior when required proof is missing: the requested action is denied rather than silently allowed. Fail-closed denies the action, release, promotion, or authorization itself; it does not mean that enforcement is switched off. The mechanism is structural: GoSentrix's authority is narrowed when evidence is insufficient, and the narrowing is recorded.
A doctrinal term reserved exclusively for claims with linked customer field evidence: a documented case, prevented outcome, replay artifact, customer attestation, and legal review. The term is never softened to "battle-tested," "production-proven," "customer-validated," or "deployed at scale." Until that evidence is on record, we do not claim field-proven status.
The industry term for a specific instance of a potential security issue produced by a scanner, AI agent, runtime tool, or threat model. In GoSentrix's terminology, a finding is an unverified claim until promoted through governed evidence states. Findings enter the verification body; evidence is what comes out the other side.
The persistent record of a consequential decision, including its fingerprint, evidence snapshot, freshness state, policy version, replay command, and downgrade ledger entry if applicable. Immutability is what makes a decision defensible later. The record is not updated when policy changes; new decisions are made against new policy versions.
A replay-grade manifest of which BOMs ran in a pipeline execution, against what artifact hashes, under what policy, with what decision. PBOM sits above the individual software bills of materials, capturing the run itself, not just the artifact. GoSentrix's v1 PBOM is a native schema; CycloneDX export is on the roadmap.
The structural property that every consequential decision is bound to the policy version active at the time it was made. Later policy edits do not retroactively change a past decision's authority. Policy binding is what enables audit-grade defense: a decision can be defended on the terms it was made under, not on terms invented later.
One of three independent dimensions of authority — distinct from evidence level and confidence. Proof quality describes the rigor of the source: a penetration test result is higher proof quality than a scanner heuristic, even if both produce the same finding. Proof quality contributes to whether evidence is sufficient to support a given action.
The operator-facing translation of "gate evaluation" — what GoSentrix produces at code, merge, and release surfaces. A readiness assessment evaluates whether the available evidence is sufficient for the action being requested and emits one of four states: PASS, WARN, SOFT_BLOCK, HARD_BLOCK. The term replaces "gate" on external surfaces because "gate" sounds like a blocking function.
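How the three dimensions, the authority bounds, and the downgrade ledger fit together at a readiness surface, as an added example written for this glossary and not GoSentrix's own code. The four readiness states, the level names, and the rule that confidence alone never justifies a block come from the entries above; the numeric proof-quality scale, the per-state evidence floors, and the `DowngradeEntry` shape are assumptions.

```go
package main

import "fmt"

// Readiness is the state a readiness assessment emits (from the glossary).
type Readiness int

const (
	Pass Readiness = iota
	Warn
	SoftBlock
	HardBlock
)

func (r Readiness) String() string {
	return [...]string{"PASS", "WARN", "SOFT_BLOCK", "HARD_BLOCK"}[r]
}

// The three independent dimensions of authority. Level ordering follows the
// glossary's ladder; the proof-quality scale and the floors are assumptions.
type EvidenceLevel int

const (
	Detected EvidenceLevel = iota
	Observed
	Corroborated
	Validated
	Proven
)

type ProofQuality int

const (
	Heuristic  ProofQuality = iota // scanner rule match
	Reproduced                     // finding reproduced against the artifact
	Tested                         // penetration-test result
)

type Evidence struct {
	Level      EvidenceLevel
	Quality    ProofQuality
	Confidence float64 // probabilistic, often AI-generated; never sufficient on its own
}

// floors holds the weakest evidence that can support each state. PASS has no
// floor: it asserts no authority, so there is nothing to defend.
var floors = map[Readiness]Evidence{
	Warn:      {Level: Observed, Quality: Heuristic},
	SoftBlock: {Level: Corroborated, Quality: Heuristic},
	HardBlock: {Level: Validated, Quality: Reproduced},
}

// Sufficient deliberately ignores Confidence: a 0.99 from an AI agent does not
// move a DETECTED heuristic past any floor.
func Sufficient(e Evidence, r Readiness) bool {
	f, ok := floors[r]
	return !ok || (e.Level >= f.Level && e.Quality >= f.Quality)
}

// DowngradeEntry is the ledger record written whenever authority is narrowed.
type DowngradeEntry struct {
	Requested, Emitted Readiness
	Reason             string
}

// Assess returns the strongest state, at or below the one requested, that the
// evidence can defend. A request the evidence cannot support is never granted
// silently: the state steps down and the step is recorded.
func Assess(requested Readiness, e Evidence) (Readiness, *DowngradeEntry) {
	emitted := requested
	for emitted > Pass && !Sufficient(e, emitted) {
		emitted--
	}
	if emitted == requested {
		return emitted, nil
	}
	f := floors[requested]
	return emitted, &DowngradeEntry{
		Requested: requested,
		Emitted:   emitted,
		Reason: fmt.Sprintf("%s needs level>=%d, quality>=%d; evidence has level=%d, quality=%d (confidence %.2f not counted)",
			requested, f.Level, f.Quality, e.Level, e.Quality, e.Confidence),
	}
}

func main() {
	// Constructed inputs: policy asks to hard-block, but only an AI agent is sure.
	r, d := Assess(HardBlock, Evidence{Level: Detected, Quality: Heuristic, Confidence: 0.99})
	fmt.Println(r, d.Reason)
	r, d = Assess(HardBlock, Evidence{Level: Validated, Quality: Tested, Confidence: 0.6})
	fmt.Println(r, d == nil)
}
```

The operator has no parameter to force the requested state: the only way to get HARD_BLOCK out of `Assess` is to supply evidence that clears its floor, which is what the glossary means by a downgrade being structural rather than editorial.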
The line between opinion and decision. A consequential decision is replayable when it can be reproduced against the evidence, artifacts, trust state, freshness state, and policy version active at the time it was made. Replay proves reproducibility, not correctness — but reproducibility is what distinguishes a decision from an opinion.
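The attestation, fingerprint, immutable record, policy binding, and replay entries describe one mechanism from different angles. The following is an added example of that mechanism written for this glossary; it is not GoSentrix's schema or signing code. The DSSE envelope layout and its pre-authentication encoding are the published DSSE format; the `DecisionInputs` field set, the payload media type, the use of Ed25519, the choice of SHA-256 over canonical JSON as the fingerprint, and the sample inputs are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"sort"
)

// DecisionInputs is the replay context a decision is bound to (assumed field set).
type DecisionInputs struct {
	Action         string            `json:"action"`
	PolicyVersion  string            `json:"policy_version"`
	ArtifactHashes map[string]string `json:"artifact_hashes"` // artifact -> digest
	EvidenceIDs    []string          `json:"evidence_ids"`
	FreshnessState string            `json:"freshness_state"`
}

// Decision is the record that gets attested: its inputs plus the outcome.
type Decision struct {
	Inputs  DecisionInputs `json:"inputs"`
	Outcome string         `json:"outcome"`
}

// Fingerprint is a content-addressed identifier: SHA-256 over canonical JSON of
// the inputs. encoding/json emits map keys sorted; the evidence list is sorted
// here so that input order never changes the identity.
func Fingerprint(in DecisionInputs) string {
	ids := append([]string(nil), in.EvidenceIDs...)
	sort.Strings(ids)
	in.EvidenceIDs = ids
	b, _ := json.Marshal(in) // cannot fail for these field types
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Envelope follows the DSSE layout: payloadType, base64 payload, signatures.
type Envelope struct {
	PayloadType string      `json:"payloadType"`
	Payload     string      `json:"payload"`
	Signatures  []Signature `json:"signatures"`
}
type Signature struct {
	KeyID string `json:"keyid"`
	Sig   string `json:"sig"`
}

const payloadType = "application/vnd.gosentrix.decision+json" // assumed media type

// pae is DSSE's Pre-Authentication Encoding: the signature covers the payload
// type and length as well as the bytes.
func pae(typ string, body []byte) []byte {
	return []byte(fmt.Sprintf("DSSEv1 %d %s %d %s", len(typ), typ, len(body), body))
}

// Attest wraps a decision in a signed envelope.
func Attest(d Decision, key ed25519.PrivateKey, keyID string) (Envelope, error) {
	body, err := json.Marshal(d)
	if err != nil {
		return Envelope{}, err
	}
	sig := ed25519.Sign(key, pae(payloadType, body))
	return Envelope{PayloadType: payloadType, Payload: base64.StdEncoding.EncodeToString(body),
		Signatures: []Signature{{KeyID: keyID, Sig: base64.StdEncoding.EncodeToString(sig)}}}, nil
}

// Replay checks the signature, then recomputes the fingerprint from the attested
// inputs and compares it to the one being claimed. It shows the record is intact
// and reproducible under its own policy version, not that the outcome was right.
func Replay(env Envelope, pub ed25519.PublicKey, claimed string) (Decision, error) {
	if len(env.Signatures) == 0 {
		return Decision{}, errors.New("envelope carries no signature")
	}
	body, err1 := base64.StdEncoding.DecodeString(env.Payload)
	sig, err2 := base64.StdEncoding.DecodeString(env.Signatures[0].Sig)
	if err1 != nil || err2 != nil {
		return Decision{}, errors.New("envelope is not valid base64")
	}
	if !ed25519.Verify(pub, pae(env.PayloadType, body), sig) {
		return Decision{}, errors.New("signature does not verify")
	}
	var d Decision
	if err := json.Unmarshal(body, &d); err != nil {
		return Decision{}, err
	}
	if got := Fingerprint(d.Inputs); got != claimed {
		return d, fmt.Errorf("fingerprint mismatch: record %s, claimed %s", got, claimed)
	}
	return d, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	in := DecisionInputs{Action: "release", PolicyVersion: "policy-v7", FreshnessState: "fresh", // constructed sample
		ArtifactHashes: map[string]string{"web.tar": "9f2c0d", "api.tar": "3a1b77"}, EvidenceIDs: []string{"ev-2", "ev-1"}}
	fp := Fingerprint(in)
	env, _ := Attest(Decision{Inputs: in, Outcome: "HARD_BLOCK"}, priv, "release-signer-1")
	d, err := Replay(env, pub, fp)
	fmt.Println(fp[:16], d.Outcome, err)
}
```

Two properties are worth checking by hand. Reordering the evidence list yields the same fingerprint, because the identity is over canonical content rather than the bytes that happened to arrive; changing only `PolicyVersion` yields a different one, which is how a past decision stays bound to the policy it was made under even after the policy is edited.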
An independent layer between the tools that produce security signals and the systems that act on them. The verification body determines which signals can promote into evidence, whether that evidence can justify enforcement, and whether the resulting decision can be replayed, audited, and defended later. GoSentrix is the independent security verification body for software delivery.
Any output from a scanner, AI agent, runtime tool, or workflow system. Signals enter GoSentrix as unverified claims. They become evidence only after promotion through governed states with corroboration from independent sources. The distinction between signal and evidence is structural — signals can be probabilistic, but evidence has earned its position.
The dismissal of a finding from view without evidence that it does not apply. Suppression is structurally distinct from disproval — disproval requires a counterfactual artifact or reviewer attestation. GoSentrix records suppression as an operator action and treats it as an evidence input to the next verification round, not as a terminal closure.
The state any signal enters GoSentrix in. Scanner output, AI-agent judgment, runtime telemetry, and workflow status are all unverified claims until promoted into evidence. The term repositions vendor outputs as inputs to verification, not as truth. GoSentrix verifies what those claims are allowed to become.
The act of determining whether security evidence has earned the authority to support an action. Verification is distinct from prioritization, which ranks, and detection, which finds. It is a judgment function, not a ranking or finding function. The verification body is the entity that performs verification independently.
The aggregate decision GoSentrix produces at release scope — a single decision covering all services inside the release boundary, with collective evidence references and a signed bundle. The workspace decision is its own decision, not the worst per-service verdict. It is bound to one policy version and emits one of HARD_BLOCK / BLOCK / WARN / PASS.