Found the council — org bootstrap
Corporate Postern has no single silent super-admin, by refusal. Powers that touch people's data — escrow release, offboarding handover — require an M-of-N governance quorum (here: 2 of 3) plus a tamper-evident audit entry. You are creating the admin-of-record (named, fingerprinted, shown to every employee) and three officers whose keys jointly guard the escrow.
Appointing a DPO/Encarregado is a legal act, not a software feature — the role here just gives that person real technical teeth (quorum share, audit custody). Each officer key is sealed under that officer's own passphrase; in the product each officer's key lives in that officer's own device TEE.
Officer & admin keys: Ed25519 / P-256 via WebCrypto — classical stand-ins for Falcon-1024 ‖ ML-DSA-65 in each person's device TEE. Keyfiles sealed with AES-256-GCM under PBKDF2 (310k it.) — stand-in for Argon2id (256 MiB, t=4), the bloch-crypto construction. Design of record: docs/specs/POSTERN-ENTERPRISE.md.
Unlock the admin console
Org & governance
Provision a user — enrollment ceremony
Creates the directory entry, an enrollment certificate signed by the org (binding the user's device key — generated in the employee's device TEE in the product), the escrow record (recovery key split 2-of-3 to the officers with real Shamir shares, whole key destroyed), and the role's machine profile. Every step lands in the audit chain.
Directory — people & org tree
Role catalog — RBAC + per-role machine profiles
A role bundles entitlements: apps installed, volume families mountable, network egress classes. On Postern OS a machine profile is a declarative NixOS expression selected by role — reprovisioning is a rebuild, not hand-configured drift. Note it-admin has no data-volume entitlements: admin ≠ access.
Conflict-of-interest classes (Brewer–Nash)
Datasets live in per-project encrypted volumes; volumes belong to dataset groups (a client, a deal), and groups to a COI class (a market where the groups conflict). The rule is history-based and mandatory: touch one group in a class and the volume-key broker will never release keys for a conflicting group to you — no override button exists; unbinding is an audited quorum act. LEGAL: DPO/counsel cooling-off periods and wall-crossing standards are professional-conduct decisions, not engineering ones.
Simulated file view — the wall, enforced
Pick a user and open volumes. First access to a group binds (audited); conflicting groups then show as walled — the key is simply never released.
Offboard a user — termination ceremony
In order: revoke (instant), kill sessions, freeze — nobody gains read access by termination itself, dual-control escrow release (2 of 3 officers, stated purpose, employee notification on by default), handover to a successor, key rotation, wipe/reprovision, retention disposition. Every step is chained into the audit log.
Tamper-evident audit chain
Every sensitive act — provision, role change, wall binding, escrow approval, revocation, wipe — is an entry with hash = SHA-256(entry ‖ prev-hash). Honest limit: in this demo the whole chain lives in this browser's localStorage, so "Verify" catches accidental edits, not a local attacker — anyone who can edit localStorage can rewrite an entry and recompute every hash after it. The real tamper-evidence arrives in the product, where the chain head is countersigned by the compliance officer and replicated outside IT's custody, so erasing evidence means corrupting a log the watched party doesn't control. Audit logs record events, not employee content — minimization applies to the trail too. LEGAL: DPO/counsel audit-log retention: the log itself is employees' personal data under LGPD/GDPR and needs a documented basis and schedule.
What the employee sees — the transparency panel
This exact panel is permanent and unremovable on every managed device (the Sarto pattern). Corporate control is transparent, never covert — no hidden-monitoring mode exists in the product, by refusal, not by omission. Pick a user to preview their device's panel.
Signed org policy
The policy every employee sees is canonicalized and signed by the admin-of-record key (Chiave-style; the managed device pins the org key at enrollment and re-verifies on every render — tampering shows red on the employee panel).
Policy assistant — optional, your own Claude key
Ask questions about this org's policy model (e.g. "draft the employee notice for the monitoring items in this policy"). The request goes directly from your browser to api.anthropic.com under your key — the only network destination this page can reach; without a key the whole console works fully offline. Assistant output is also not legal advice — it drafts, your DPO/counsel decides.
Locking seals the key with AES-256-GCM under a key derived from your passphrase (PBKDF2-SHA-256, 310,000 it. — the same construction that already protects this console's admin and officer keys). localStorage then holds only ciphertext; you unlock once per session, and forgetting the passphrase means re-entering the key. Without a lock, the key sits readable in this browser's localStorage — any code or person with access to this browser profile can read it.
Erase
Deletes the demo org — keys, users, walls, audit chain — from this browser. There is no server copy to erase.