Evalium Architectural Audit: Technical Due Diligence Summary (Feb 2026)

This table synthesises the full architectural interrogation of the Evalium Execution Ledger. It balances the "Forensic Moat" (strengths) against identified "Operational Vulnerabilities" (gaps) to provide a roadmap for Enterprise-grade hardening.

Audit Aspect	Forensic Standing	What I Like (The Implementation)	What Needs Improving (The Gap)	Critical Scrutiny / Impact
Execution Ledger (WORM)	Excellent	Submissions are immutable, append-only, and reconstructable via frozen version_snapshots.	Maintain strict RLS/GUC injection to prevent application-layer bypass.	Guarantees forensic truth and prevents spoliation of evidence.
Results Remediation	Strong	"Snap-then-Append" workflow ensures Version 1 (original) is always distinguishable from Current Score.	Ensure the "Atomic Handover" is always wrapped in a single WithinTx block.	Prevents "naive updates" that would overwrite historical proof.
Data Privacy (GDPR)	Mature	"Redaction-not-Deletion" (Hybrid Scrub) maintains the "Golden Thread" while satisfying "Right to be Forgotten."	Legal Hold (hasActiveHold) must remain a mandatory pre-condition for all privacy jobs.	Prevents accidental data destruction during active litigation/disputes.
Programme Orchestration	Excellent	Remediation-aware; certificates "self-heal" if a score correction changes a fail to a pass.	Monitor synchronous performance of OnSubmissionCreatedTx as requirement counts scale.	Certification is a "Derived Fact" backed by a specific ledger version.
Reporting Integrity	Isolated	100% snapshot-isolated; projections retrieve content from frozen snapshots, not live definition tables.	Ensure "Summary" projections are fully recomputable from raw durable sources.	Guarantees that changing a question today doesn't "break" a report from last year.
Bucket Execution	Persistent	Dynamic "Bucket Draws" are persisted at session launch and frozen in the submission.	None. The current implementation satisfies forensic reconstructability.	Allows an auditor to see exactly which questions a candidate was shown in a random draw.
Identity & Step-Up	Partial	Identity-bound (email) redemption and step-up enforcement for "Void" actions.	Ratification currently uses "Assertion" rather than mandatory in-band "Verification" of MFA/Magic Link.	Lack of in-band proof for ratification creates a "Repudiation Risk" for stakeholders.
Evidence & Integrity	At Risk	Atomic binding of answer-to-evidence in jsonb prevents orphaning.	"Forensic Dark Period": No immediate re-verification of file hashes after storage tier migration.	Migration corruption could go undetected until a file is needed for a legal case.
Taxonomy & Skills	At Risk	Taxonomy IDs are snapshotted in submissions.	"Truth Drift": Term Text and Skill Mapping are "Live Projections," not "Durable Facts."	Renaming a skill today will retroactively change the certificates awarded in the past.
Content Packs	Functional	Keyed idempotent installation with clear lineage tracking.	Lacks automated dependency validation for external taxonomy terms.	Installing a pack without its required skills results in a "Logically Broken" evaluation.
Assignment Redemption	Partial	Identity-bound via JWT email claims.	Lacks Session-Conflict detection; allows one session to redeem multiple identities.	High risk of supervisor/operator "Identity Blurring" in the same browser session.
DSAR Portability	Incomplete	Generates structured ZIP (JSON/HTML/CSV) of ledger events.	Excludes binary evidence files (photos/videos) from the export archive.	Violates "Full Portability" requirements under GDPR Art. 20.

Consultant's Top 3 Priorities for Implementation:

1. Durable Skill Facts: Persist skill outcomes and taxonomy text at submission time to stop "Truth Drift."
2. Ratification Hardening: Require mandatory step_up_proof validation inside the Ratification transaction.
3. Migration Integrity: Enqueue a mandatory evidence_integrity_check immediately following storage tier moves.