SOC2 WS-8 evidence
Change Control Evidence
Last updated: 2026-05-10 UTC. Applies to the AI Control Plane repository.
ACP production changes are protected by GitHub branch protection, CODEOWNERS review routing, required CI checks, signed commits, linear history, semver-tagged CD, and post-deploy verification. This page is a buyer-safe evidence summary, not a SOC2 report.
Live Enforcement
| Control | Status | Evidence |
|---|---|---|
| Required pull request review | Enabled | 1 approving reviewer |
| CODEOWNERS review | Enabled | .github/CODEOWNERS |
| Required status checks | Enabled | openapi-validate, opa-tests, pdp-regression, backend, frontend |
| Signed commits | Enabled | required_signatures=true |
| Linear history | Enabled | required_linear_history=true |
| Admin enforcement | Enabled | enforce_admins=true |
| Force pushes and deletions | Blocked | allow_force_pushes=false, allow_deletions=false |
| Merge strategy | Squash only | merge commits and rebase merges disabled |
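
The controls in the table can be checked for drift against live settings. The following is an added example, not code from the ACP repository; it assumes JSON shaped like the GitHub REST responses for branch protection (`GET /repos/{owner}/{repo}/branches/{branch}/protection`) and repository settings (`GET /repos/{owner}/{repo}`), and the function names and sample data are hypothetical.

```python
# Added example: compare branch-protection JSON with the controls in the table above.
EXPECTED_CHECKS = {"openapi-validate", "opa-tests", "pdp-regression", "backend", "frontend"}

def _flag(protection, key):
    # GitHub wraps these toggles as {"enabled": bool}; None means the key is absent.
    return (protection.get(key) or {}).get("enabled")

def audit(protection, repo):
    """Return the control names whose live setting differs from the documented one."""
    reviews = protection.get("required_pull_request_reviews") or {}
    checks = protection.get("required_status_checks") or {}
    # Status checks can appear as legacy "contexts" or as "checks" objects.
    contexts = set(checks.get("contexts") or [])
    contexts |= {c.get("context") for c in checks.get("checks") or []}
    results = {
        # ">= 1" treats a stricter reviewer count as compliant, not as drift.
        "Required pull request review": (reviews.get("required_approving_review_count") or 0) >= 1,
        "CODEOWNERS review": reviews.get("require_code_owner_reviews") is True,
        "Required status checks": EXPECTED_CHECKS <= contexts,
        "Signed commits": _flag(protection, "required_signatures") is True,
        "Linear history": _flag(protection, "required_linear_history") is True,
        "Admin enforcement": _flag(protection, "enforce_admins") is True,
        # Fail closed: an absent key does not count as "blocked".
        "Force pushes and deletions": _flag(protection, "allow_force_pushes") is False
            and _flag(protection, "allow_deletions") is False,
        "Merge strategy": repo.get("allow_squash_merge") is True
            and repo.get("allow_merge_commit") is False
            and repo.get("allow_rebase_merge") is False,
    }
    return [name for name, ok in results.items() if not ok]

SAMPLE_PROTECTION = {  # constructed sample, not captured from a real repository
    "required_pull_request_reviews": {"required_approving_review_count": 1,
                                      "require_code_owner_reviews": True},
    "required_status_checks": {"contexts": sorted(EXPECTED_CHECKS)},
    "required_signatures": {"enabled": True},
    "required_linear_history": {"enabled": True},
    "enforce_admins": {"enabled": True},
    "allow_force_pushes": {"enabled": False},
    "allow_deletions": {"enabled": False},
}
SAMPLE_REPO = {"allow_squash_merge": True, "allow_merge_commit": False,
               "allow_rebase_merge": False}  # constructed sample

if __name__ == "__main__":
    print(audit(SAMPLE_PROTECTION, SAMPLE_REPO) or "no drift")
```

An empty or partial response is reported as drift on every affected control, so a failed API call cannot pass as compliant.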
Required Checks
- openapi-validate - OpenAPI schema validation
- opa-tests - OPA policy tests
- pdp-regression - PDP regression pack
- backend - backend compile and local regression pack
- frontend - frontend build
Source Artifacts
- .github/CODEOWNERS
- CONTRIBUTING.md
- SECURITY_CHANGELOG.md
- docs/compliance/change-control-enforcement.md
- docs/compliance/soc2-gap-assessment.md
Boundary
This page records operational enforcement for change control. It does not claim a completed SOC2 examination or external audit opinion.