Playbooks
Vendor Review — ORG STANDARD
An approved path to evaluate vendors and commit compliance decisions into governed State.
State Outcome
Namespace: state/vendors
Record type: vendor_review
Visibility: security & compliance
Enforcement: policy/vendor-risk-v4
Mutability: append-only
State Transition
Applet → Commit → State → Governed Production
Example Commit
proposed: vendor=Acme
approved: @security
committed: state/vendors#acme#91
Behavior
- Collect risk inputs
- Validate evidence
- Route security approval
- Commit permanent decision
- Enforce org-wide
Preconditions
- Role: security-reviewer
- Human approval: required
- Policy: vendor-risk-v4
- Evidence: mandatory
- Audit: required
Governance
- Promotion locks schema, evidence, namespace
- Decisions irreversible (re-evaluation = new record)
State Inspector
Record: state/vendors#acme#91
Decision: approved
Signed by policy: policy/vendor-risk-v4
Status: enforced
