Six stages, one audit log.
Between 'a supplier sent us a PDF' and 'the auditor saw the proof' are six deterministic stages. Every stage is observable, retry-safe, and writes a row to the audit log.
- 01 Capture
  S3 direct upload from the portal · tokenised no-login URL the supplier opens from email · inbound SES (P1) · CSV / ZIP bulk import (P1).
  POST /documents · POST /public/supplier-upload/<token>
- 02 Classify & extract
  AWS Textract pulls forms + tables. Vertex AI Gemini decides the document type and pulls structured fields. Confidence-band routing: ≥0.85 auto-accept, <0.60 reject, in between → human queue.
  apps/pipeline/textract.py · apps/pipeline/bedrock.py
- 03 Validate
  Five rule types built in: required_fields, field_pattern, expiry_in_future, signed, rag_check. RAG retrieves the top-K rulebook chunks and asks Gemini to cite the failing clause.
  apps/validation/engine.py · apps/rag/validator.py
- 04 Decide
  Sequential or parallel approvals. Every action is HMAC-signed and chained to the previous one, so a single tampered row breaks the whole chain at audit time.
  apps/workflows/services.py
- 05 Score
  Tenant compliance score (0–100) recomputed on every status change. History kept as snapshots so you can answer "what was our score last March?".
  apps/scoring/services.py
- 06 Audit
  Append-only audit log with a Postgres trigger that physically blocks UPDATE/DELETE. CSV export; Object Lock retention on Enterprise.
  apps/audit_log/views.py
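How the HMAC-signed, chained approval rows from the Decide stage get checked at audit time, as an added Python example (it is not the project's own apps/workflows or apps/audit_log code); the key, field names and sample actions are constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; in a real deployment it comes from a secret store.
SECRET_KEY = b"demo-key-not-for-production"
GENESIS = "0" * 64  # anchor value for the first row's "prev" field

def canonical(row: dict) -> bytes:
    # Deterministic serialisation so the same row always hashes the same way.
    return json.dumps(row, sort_keys=True, separators=(",", ":")).encode()

def sign_action(prev_sig: str, action: dict, key: bytes = SECRET_KEY) -> dict:
    # The HMAC covers the action fields AND the previous row's signature;
    # that link is what turns independent rows into a chain.
    row = {"prev": prev_sig, **action}
    sig = hmac.new(key, canonical(row), hashlib.sha256).hexdigest()
    return {**row, "sig": sig}

def build_chain(actions: list, key: bytes = SECRET_KEY) -> list:
    rows, prev = [], GENESIS
    for action in actions:
        rows.append(sign_action(prev, action, key))
        prev = rows[-1]["sig"]
    return rows

def verify_chain(rows: list, key: bytes = SECRET_KEY):
    # Returns (True, None) for an intact chain, else (False, index of first bad row).
    prev = GENESIS
    for i, row in enumerate(rows):
        body = {k: v for k, v in row.items() if k != "sig"}
        expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if body.get("prev") != prev or not hmac.compare_digest(expected, row["sig"]):
            return False, i
        prev = row["sig"]
    return True, None

# Constructed sample approval actions for one document (hypothetical field names).
SAMPLE_ACTIONS = [
    {"doc": "doc-1", "actor": "qa-lead", "action": "approve", "step": 1},
    {"doc": "doc-1", "actor": "compliance", "action": "approve", "step": 2},
    {"doc": "doc-1", "actor": "system", "action": "set_status", "value": "compliant"},
]

def tamper_demo():
    # Edit one stored row in place; verification must stop at exactly that row.
    rows = build_chain(SAMPLE_ACTIONS)
    rows[1]["action"] = "reject"
    return verify_chain(rows)  # returns (False, 1)
```

Deleting a row fails the same way: the next row's "prev" no longer matches the signature before it, so the break is reported at the gap.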
Try it on your own document.
Spin up a tenant, upload a CoA, watch the engine cite the failing clause.