Skip to article frontmatterSkip to article content
Site not loading correctly?

This may be due to an incorrect BASE_URL configuration. See the MyST Documentation for reference.

Layer 3: Rules

How Artifacts BEHAVE

Layer 3 defines operational rules—automated behaviors, policy enforcement, and governance controls that determine what happens when artifacts reach certain states. This is where knowledge management becomes automated, compliant, and scalable.

The Governance Challenge

As documentation systems scale, manual oversight becomes impossible:

Layer 3 provides the rule engine for scaled knowledge management.

Three Anthropological Axes

Layer 3 is grounded in a systematic philosophical framework with three axes of human activity:

Circular Axis (Human ↔ Human)

Domain: Collaboration, consent, authority, roles

Governance concerns:

Example rules:

rule: publication_approval
  conditions:
    - refinement >= 0.90
    - stubs.count == 0
    - audience == 'published'
  actions:
    - require_approval:
        roles: ['senior_researcher', 'pi']
        minimum: 2
    - notify: 'editorial_team'
    - audit: 'publication_request'

Radial Axis (Human ↔ World)

Domain: Tools, infrastructure, dependencies, risk

Governance concerns:

Example rules:

rule: dependency_check
  conditions:
    - network_position == 'hub'
    - health in ['poor', 'critical']
  actions:
    - block_edit: false  # allow fixes
    - notify_dependents: true
    - escalate_priority: 'critical'
    - audit: 'hub_degradation'

Angular Axis (Human ↔ Ideational)

Domain: Standards, policies, norms, compliance

Governance concerns:

Example rules:

rule: compliance_validation
  conditions:
    - audience in ['public', 'published']
    - compliance_fit != 'compliant'
  actions:
    - block_publication: true
    - notify: 'compliance_team'
    - require_review:
        roles: ['legal', 'compliance_officer']
    - audit: 'compliance_block'

Core Capabilities

1. Automation

Purpose: Reduce manual work, ensure consistency

Example: Auto-Promote Artifacts

rule: auto_promote_to_review
  trigger: 'on_save'
  conditions:
    - refinement >= 0.70
    - stubs.count <= 1
    - stage == 'develop'
    - form in ['stable', 'evergreen']
  actions:
    - set_stage: 'review'
    - notify_reviewers:
        roles: ['peer_reviewer']
        message: "Document ready for review"
    - update_metadata:
        review_requested_at: now()
    - audit: 'auto_promotion'

Effect: Documents that reach quality thresholds automatically enter review without manual tracking.

Example: Archive Stale Documents

rule: auto_archive_stale
  trigger: 'daily_scan'
  conditions:
    - drift in ['significant', 'severe']
    - days_since_access > 365
    - form == 'transient'
    - retention_value in ['low', 'disposable']
  actions:
    - set_form: 'archived'
    - move_to: 'archive/auto_archived/'
    - notify_author:
        message: "Document auto-archived due to inactivity"
    - audit: 'auto_archive'

2. Enforcement

Purpose: Block actions that violate policies

Example: Prevent Publication of Incomplete Work

policy: publication_gate
  scope: ['audience: published']
  enforcement: 'blocking'
  requirements:
    - refinement >= 0.90
    - stubs.count == 0
    - compliance_fit == 'compliant'
    - peer_reviews >= 2
  violation_action:
    - block_save: true
    - show_error: |
        Cannot publish: Requirements not met
        - Refinement: {refinement} (need 0.90+)
        - Stubs: {stubs.count} (need 0)
        - Reviews: {peer_reviews} (need 2)
    - audit: 'publication_gate_violation'

Effect: Authors cannot set audience: published unless all criteria are met.

Example: Protect Critical Infrastructure Docs

policy: hub_protection
  scope: ['network_position: hub']
  enforcement: 'blocking'
  requirements:
    - health in ['excellent', 'good']
    - review_frequency: 'monthly'
    - approvals_required: 2
  rules:
    - prevent_deletion: true
    - require_approval_for_major_changes: true
    - notify_on_any_change: ['documentation_team']
  violation_action:
    - block_action: true
    - escalate_to: ['tech_lead', 'documentation_manager']
    - audit: 'hub_protection_violation'

3. Governance

Purpose: Implement role-based controls and consent management

Example: Multi-Level Approval Workflow

workflow: external_publication
  stages:
    - name: 'draft'
      allowed_roles: ['author', 'contributor']
      exit_gate:
        refinement >= 0.70
        
    - name: 'peer_review'
      allowed_roles: ['peer_reviewer']
      required_approvals: 2
      approval_roles: ['senior_researcher']
      exit_gate:
        refinement >= 0.85
        all_reviews_complete: true
        
    - name: 'legal_review'
      allowed_roles: ['legal', 'compliance_officer']
      required_approvals: 1
      approval_roles: ['legal']
      exit_gate:
        compliance_fit == 'compliant'
        legal_clearance: true
        
    - name: 'final_approval'
      required_approvals: 1
      approval_roles: ['pi', 'director']
      exit_gate:
        refinement >= 0.90
        stubs.count == 0
        
    - name: 'published'
      immutable: true
      audit_all_access: true
policy: data_sharing_consent
  scope: ['content_type: dataset', 'audience: public']
  enforcement: 'blocking'
  requirements:
    - consent_forms: ['participant_consent', 'irb_approval']
    - anonymization_verified: true
    - data_privacy_review: 'approved'
  actions:
    - verify_consent:
        check_expiration: true
        check_revocations: true
    - audit:
        include: ['consent_ids', 'verification_timestamp']
  violation_action:
    - block_publication: true
    - notify: ['legal', 'irb_coordinator', 'pi']
    - require_review: true

4. Notification

Purpose: Alert stakeholders of critical states

Example: Drift Alert for Evergreen Docs

rule: evergreen_drift_alert
  trigger: 'daily_scan'
  conditions:
    - form == 'evergreen'
    - drift in ['moderate', 'significant', 'severe']
    - network_position in ['hub', 'connector']
  actions:
    - calculate_staleness_score: true
    - notify_author:
        frequency: 'weekly'
        message: |
          Document drift detected:
          - Days since edit: {days_since_edit}
          - Current drift: {drift}
          - Network impact: {affected_docs} documents
    - escalate_if:
        condition: drift == 'severe' AND network_position == 'hub'
        notify: ['documentation_manager', 'tech_lead']
    - audit: 'drift_alert'

5. Compliance

Purpose: Validate regulatory and organizational requirements

Example: HIPAA Compliance for Medical Research

policy: hipaa_compliance
  scope: ['content_type: patient_data']
  enforcement: 'blocking'
  requirements:
    # Access controls
    - access_role in ['authorized_researcher', 'pi', 'irb_member']
    - two_factor_auth: true
    
    # Content requirements
    - phi_redacted: true
    - encryption_at_rest: true
    - audit_logging: 'enabled'
    
    # Training requirements
    - hipaa_training_current: true
    - training_expiration_date > now()
    
  rules:
    - no_external_sharing: true
    - require_secure_access: true
    - log_all_access: true
    - retention_period: '7 years'
    
  violation_action:
    - block_access: true
    - notify_immediately: ['compliance_officer', 'privacy_officer', 'pi']
    - incident_report: true
    - audit: 'hipaa_violation'

Example: FDA 21 CFR Part 11 Compliance

policy: fda_21cfr11_compliance
  scope: ['regulatory_submission: true']
  enforcement: 'strict_blocking'
  requirements:
    # Electronic signatures
    - electronic_signature_valid: true
    - signature_components:
        - signer_identity_verified: true
        - signature_timestamp: true
        - signature_meaning: 'documented'
    
    # Audit trails
    - audit_trail_complete: true
    - audit_trail_includes:
        - creation_timestamp
        - all_modifications
        - modification_authors
        - deletion_attempts
        - access_logs
    
    # Record integrity
    - content_hash_verified: true
    - tamper_detection: 'enabled'
    - version_control: 'strict'
    
    # System validation
    - system_validated: true
    - validation_documentation: 'complete'
    
  rules:
    - prevent_unaudited_changes: true
    - require_change_reason: true
    - immutable_after_signature: true
    - periodic_audit_review: 'quarterly'
    
  violation_action:
    - block_action: true
    - trigger_deviation_report: true
    - notify: ['quality_assurance', 'regulatory_affairs', 'management']
    - regulatory_incident: true

6. Audit

Purpose: Track all decisions with rationale for compliance and accountability

Example: Comprehensive Audit Trail

audit_policy: comprehensive_tracking
  track_events:
    # Creation
    - document_created:
        capture: ['author', 'timestamp', 'initial_properties']
    
    # Modifications
    - content_changed:
        capture: ['author', 'timestamp', 'diff', 'change_reason']
    - metadata_changed:
        capture: ['author', 'timestamp', 'old_values', 'new_values']
    - refinement_updated:
        capture: ['old_score', 'new_score', 'rationale']
    
    # Workflow
    - stage_transition:
        capture: ['from_stage', 'to_stage', 'trigger', 'approver']
    - approval_granted:
        capture: ['approver', 'role', 'timestamp', 'conditions_met']
    - approval_denied:
        capture: ['approver', 'role', 'timestamp', 'denial_reason']
    
    # Access
    - document_accessed:
        capture: ['user', 'timestamp', 'access_type']
    - document_exported:
        capture: ['user', 'timestamp', 'format', 'destination']
    
    # Policy violations
    - policy_violation:
        capture: ['policy', 'violation_type', 'attempted_action', 'user']
    - rule_triggered:
        capture: ['rule_name', 'conditions_met', 'actions_taken']
    
  retention:
    default: '7 years'
    regulatory_submissions: 'permanent'
    patient_data: '10 years'
  
  reporting:
    frequency: 'monthly'
    recipients: ['compliance_team', 'management']
    include_metrics: true

Governance at Scale

Layer 3 enables governance that scales with document volume:

ScaleManual FeasibilityLayer 3 Value
100 docsManual tracking feasibleConvenient automation
1,000 docsDashboards requiredTime-saving workflows
10,000 docsManual governance breaksAutomation essential
100,000+ docsImpossible manuallyOnly viable approach

Example contexts where Layer 3 provides value:

The framework provides architectural patterns for these scenarios. Implementation details vary by organization, technology stack, and regulatory requirements.

Why Layer 3 Matters

Without Layer 3: Manual governance, inconsistent enforcement, scalability limits

With Layer 3: Automated compliance, consistent policy enforcement, governance at scale

Layer 3 represents the future of knowledge governance at scale. The framework provides architectural patterns and reference specifications—implementations can use any rule engine, workflow system, or policy framework that fits your technology stack.

Next Steps