C·ONSIGLIO

Officer approval

How it works — honestly

Consiglio is the reference console for Postern Enterprise (docs/specs/POSTERN-ENTERPRISE.md): corporate identity that is not the self-custody wallet — provisioned, revocable, recoverable under a governance quorum — plus Brewer–Nash walls, lifecycle ceremonies and a tamper-evident audit chain. One static file; the only possible network call is your own optional Claude request.

Personal vs corporate — the honest trade

Personal Postern is self-sovereign: your seed, no admin, no recovery authority. Corporate Postern trades some employee self-sovereignty for company governance — the company owns the device and is the data controller. What is not traded: transparency (every power is displayed to the employee), minimization (posture, not content), dual control, and audit. The employee's personal Postern identity stays out of the org's reach.

No single silent admin — real dual control

Each user's recovery key is split with real Shamir 2-of-3 over GF(256) in this page; shares are ECIES-encrypted to officer keys (P-256 ECDH + AES-GCM). A release needs a stated purpose + two officers' passphrases, and lands in the hash chain before reconstruction. Honest limit: officers colluding at quorum scale can read corporate data — that is escrow's stated purpose (continuity, lawful access), not a backdoor; the control is that it cannot happen silently, singly, or deniably.

The wall is mandatory — and its limit is stated

Brewer–Nash: first access binds, conflicting groups go cryptographically unavailable (key never released). Hard at rest; in-session containment needs the OS MAC layer (Postern OS machine profiles); client-side enforcement — including this page — is advisory. No software stops a camera.

Not legal advice — repeated on purpose

Every control here supports a requirement area of LGPD / GDPR / CCPA; whether the org is compliant is a determination only a DPO / Encarregado + admitted counsel can make. Retention periods, lawful bases, DPIAs, transfer mechanisms, breach timelines, employee-consultation duties: all flagged LEGAL: DPO/counsel in the UI, none decided by this software.

Stand-ins, labeled (the flows are the design of record; the primitives are browser stand-ins):

In this demoIn the product
Ed25519 / P-256 via WebCryptoHybrid Falcon-1024 ‖ ML-DSA-65 per person, in each device's TEE, non-exportable
PBKDF2-SHA-256, 310,000 it.Argon2id (256 MiB, t=4) — the bloch-crypto keyfile construction
localStorage directory + audit replicaSelf-hosted Postern Directory (or OIDC/SAML federation) + dual-custody audit with compliance-officer countersignature
In-page wall check + simulated volumesThe OS volume-key broker (keys wrapped per user) + SELinux/AppArmor MAC domains per volume
Shamir 2-of-3 over GF(256), shares ECIES-sealed to officer keys (real, in-page)The same construction with officer keys in TEEs and a ceremonial, attested release path
"Kill sessions" / "wipe device" as state changesDirectory push + short-lived assertions (revocation ≤ TTL even offline) and cryptographic erase of TEE-held profile keys

What we won't claim: that any purchase makes an org LGPD/GDPR/CCPA compliant; that walls stop a determined cleared insider; that a browser can protect keys like a TEE; or that escrow is anything other than what it is — a governed, audited company recovery power over company data, never over the employee's personal space.