CQC + DSP inspection leads
Inspection packs assembled from sealed posture artefacts — verifiable, auditable, supersession-aware. The work shifts from 'collect evidence' to 'prove the evidence is what it says'.
01.4 — Beacon
Beacon reads Cadence, Relay, and Quorum's operational state and mechanically computes assurance posture — no narrative claims, no retrospective evidence assembly. Postures are sealed into integrity-protected packs; supersession checks tell you when an earlier pack has been overtaken.
A — Who Beacon is for
Beacon is built for the people who answer the inspector's questions, prepare the assurance pack, and stand behind the claim that 'we do X'. It produces evidence with the integrity properties of a sealed institutional document, not a marketing PDF.
Inspection packs assembled from sealed posture artefacts — verifiable, auditable, supersession-aware. The work shifts from 'collect evidence' to 'prove the evidence is what it says'.
Continuous assurance posture across incidents, audits, complaints, and meetings — computed from Cadence's operational state rather than hand-curated for the next governance meeting.
Discharge-evidence for obligations on the Quorum side: did the committee actually discharge what it was bound to discharge? Beacon answers that mechanically, not narratively.
B — How it works
Beacon's pillars are commitments about what it does and what it refuses to do. The vocabulary, the integrity properties, and the linter are each load-bearing — remove any one and the rest stops being defensible.
01
Posture is computed from real operational state, not authored as a narrative claim. Each evaluator reads upstream evidence (Relay's audit log, Cadence's event_log, Quorum's chronology) and derives the posture from the facts.
02
Every assurance pack carries a sha-256 integrity hash over its canonical form (keys sorted, no whitespace variance). A pack that has been altered since sealing fails verification — proof that the evidence presented is the evidence captured.
03
Verifying integrity is not the same as verifying currency. The supersession check re-runs the evaluator and diffs against the sealed state, reporting one of four outcomes: aligned, drifted, tampered, unverifiable. Drift is informational; materiality is operator concern.
04
A forbidden vocabulary catches the assurance-theatre words that turn posture into marketing — 'world-class', 'best-in-class', 'comprehensive', 'cutting-edge'. If the chain or claim uses them, the linter refuses.
C — Components
Beacon is composed of substrate elements (vocabularies, contracts, dependency declarations) and executable elements (evaluators, sealers, verifiers, supersession checkers). The substrate is what's defensible; the executables are how it gets enforced.
Closed set of posture states (`well-evidenced`, `partially-evidenced`, `chain-incomplete`, etc.) — each grounded in observable evidence counts.
Closed set of weakness signals (`staleness`, `accountability-orphan`, `chain-break`, `claim-without-chain`) — each maps to a specific upstream failure mode.
Operational / documentary / attestational — distinct evidence weights for distinct verification capacities.
Three live evaluators (Relay pathology, Cadence incidents, Quorum obligations) compute posture from the substrate's real data.
Pack = chain + facts + posture, hashed with sha-256 over canonical form. Verifiable, auditable, transportable.
Re-runs the evaluator against current upstream state; reports aligned / drifted / tampered / unverifiable with per-field deltas.
Closed list of assurance-theatre terms the linter refuses — turns posture into evidence, not marketing.
Cross-system contracts (e.g. Cadence vocabulary stability, Quorum substrate snapshot) that fail closed if upstream drifts.
D — What Beacon shows
Beacon has no UI. Its artefacts are CLI outputs and sealed-pack JSON, captured against the real Relay + Cadence operational corpora. Each output below is verbatim from a recent run — posture computed mechanically, integrity proven cryptographically, supersession reported state-by-state.
$ pnpm beacon:evaluate-live chain: CHAIN-RELAY-PATHOLOGY-REVIEW-001 claim: CLAIM-RELAY-PATH-ORG-MEADOWVIEW-2026-05-15 org: ORG-MEADOWVIEW upstream: 15 results · 1 acknowledged · 10 actioned · 1 distinct reviewer(s) postures: challenge-absent links covered: 3/3 weakness signals: absent-challenge
$ pnpm beacon:verify-pack beacon/packs/example-cadence-incident-lifecycle.json [beacon-verify-pack] ok — PACK-87d8642b verified (cadence-incidents, chain=CHAIN-CADENCE-INCIDENT-LIFECYCLE-001)
$ pnpm beacon:check-pack-supersession beacon/packs/example-cadence-incident-lifecycle.json
[beacon-check-pack-supersession] aligned — PACK-87d8642b
(cadence-incidents); integrity ok; 0 delta(s).
{
"supersession_status": "aligned",
"upstream_at_sealing": { "incidentCount": 2, "reviewedCount": 1, ... },
"upstream_now": { "incidentCount": 2, "reviewedCount": 1, ... },
"deltas": [],
"posture_at_sealing": [ "challenge-absent" ],
"posture_now": [ "challenge-absent" ]
}E — Honest notes
It makes the evidence of safe practice mechanically defensible. The substance is the underlying clinical and governance practice; Beacon ensures the evidence of that practice can hold up to scrutiny.
It computes posture from upstream state, seals it, and verifies it. Dashboards summarise; Beacon proves. The two are different operations, and proof is the harder one.
A chain that doesn't reach the claim it makes fails the evaluator. A pack with stale evidence reports `superseded`. The system is engineered to refuse, not to perform.
Engineering-verified (28 acceptance tests across three live evaluators, sealed-pack roundtrip, supersession four-state outcome); not yet partner-deployed. Pilot access is by application.
F — Access
Beacon — pilot access
By application
Pricing follows pilot validation.
G — Common questions