|
| 1 | +# Company OS PROSE Overview |
| 2 | + |
| 3 | +> PROSE = **P**urpose, **R**ules & Constraints, **O**bservables, **S**cenarios, **E**xpectations |
| 4 | +> |
| 5 | +> Expectations are grounded in **SOPs** stored in the Company OS wiki. |
| 6 | +
|
| 7 | +This document describes StackMemory's Company OS behavior in plain English. Each section is intentionally testable and maps directly to integration tests in `src/__tests__/integration/company-os.test.ts`. |
| 8 | + |
| 9 | +The contract layer of PROSE is derived from SOPs: every Expectation below corresponds to a procedural guarantee that QA can validate and that can be turned into executable scripts. |
| 10 | + |
| 11 | +--- |
| 12 | + |
| 13 | +## P — Purpose |
| 14 | + |
| 15 | +Company OS is a lightweight operating system for a small team. It turns recurring company processes into documented, auditable, and testable procedures so the team can delegate, onboard, and scale without losing context. |
| 16 | + |
| 17 | +### P.1 Process discoverability |
| 18 | +Any team member can find the current version of any company process in the `wiki/` directory. |
| 19 | + |
| 20 | +### P.2 Cross-session continuity |
| 21 | +Decisions and audit records written during one session must be retrievable in subsequent sessions. |
| 22 | + |
| 23 | +--- |
| 24 | + |
| 25 | +## R — Rules & Constraints |
| 26 | + |
| 27 | +### R.1 SOP schema |
| 28 | +Every SOP in the Company OS wiki must contain Objective, Procedure, Verification, and Non-compliance sections. |
| 29 | + |
| 30 | +### R.2 PROSE reference |
| 31 | +Every SOP must reference a valid PROSE Expectation ID. |
| 32 | + |
| 33 | +### R.3 Idempotent audits |
| 34 | +Running an audit command must not mutate process state. |
| 35 | + |
| 36 | +--- |
| 37 | + |
| 38 | +## O — Observables |
| 39 | + |
| 40 | +### O.1 SOP list |
| 41 | +`stackmemory company-os list` must list all SOPs in `wiki/` with their IDs and statuses. |
| 42 | + |
| 43 | +### O.2 Audit status |
| 44 | +`stackmemory company-os audit <process>` must report the compliance status for the process. |
| 45 | + |
| 46 | +### O.3 Decision retrieval |
| 47 | +Decisions recorded against a company process must be retrievable by process name. |
| 48 | + |
| 49 | +--- |
| 50 | + |
| 51 | +## S — Scenarios |
| 52 | + |
| 53 | +### S.1 SOP creation |
| 54 | +Adding a SOP to `wiki/` makes it discoverable and subject to validation. |
| 55 | + |
| 56 | +### S.2 Audit run |
| 57 | +Running an audit evaluates the process against its SOP and records the result. |
| 58 | + |
| 59 | +### S.3 Decision record |
| 60 | +Recording a decision against a process persists it with rationale and timestamp. |
| 61 | + |
| 62 | +--- |
| 63 | + |
| 64 | +## E — Expectations |
| 65 | + |
| 66 | +### E.1 Onboarding completeness |
| 67 | +Every new hire has documented accounts, hardware, and access before their start date. |
| 68 | + |
| 69 | +**SOP basis:** `SOP-301 New Hire Onboarding` — onboarding must be complete before day one. |
| 70 | + |
| 71 | +### E.2 Expense policy compliance |
| 72 | +All reimbursed expenses have manager and finance approval. |
| 73 | + |
| 74 | +**SOP basis:** `SOP-302 Expense Approval` — reimbursement requires documented approval. |
| 75 | + |
| 76 | +### E.3 Offboarding access removal |
| 77 | +Departing employees lose access to company systems within 24 hours of termination. |
| 78 | + |
| 79 | +**SOP basis:** `SOP-303 Access Revocation` — access must be revoked within the SLA window. |
| 80 | + |
| 81 | +### E.4 Security incident response SLA |
| 82 | +Security incidents are contained within the severity-based SLA. |
| 83 | + |
| 84 | +**SOP basis:** `SOP-304 Security Incident Response` — Severity 1 incidents within 2 hours, Severity 2 within 24 hours. |
| 85 | + |
| 86 | +### E.5 PTO request approval workflow |
| 87 | +All paid time off is requested, approved, and recorded before it begins. |
| 88 | + |
| 89 | +**SOP basis:** `SOP-305 PTO Request` — reimbursement requires documented approval. |
| 90 | + |
| 91 | +### E.6 Vendor security review |
| 92 | +Vendors with data access complete a security review before onboarding. |
| 93 | + |
| 94 | +**SOP basis:** `SOP-306 Vendor Onboarding` — no data access without Security sign-off. |
| 95 | + |
| 96 | +### E.7 Data retention enforcement |
| 97 | +Data is retained, archived, or deleted according to policy. |
| 98 | + |
| 99 | +**SOP basis:** `SOP-307 Data Retention` — no data kept past retention without exception. |
| 100 | + |
| 101 | +### E.8 Emergency contact completeness |
| 102 | +Every active employee has a current emergency contact on file. |
| 103 | + |
| 104 | +**SOP basis:** `SOP-308 Emergency Contact Update` — contacts verified annually. |
| 105 | + |
| 106 | +### E.9 Decision-derived process documentation |
| 107 | +Recurring decisions captured in frames are reflected in derived SOPs so the team does not re-debate them. |
| 108 | + |
| 109 | +**SOP basis:** `SOP-401 Decision-derived Process` — derived from DECISION anchors in the wiki compiler. |
| 110 | + |
| 111 | +### E.10 Constraint-derived process documentation |
| 112 | +Recurring constraints captured in frames are reflected in derived SOPs so the team respects known boundaries. |
| 113 | + |
| 114 | +**SOP basis:** `SOP-402 Constraint-derived Process` — derived from CONSTRAINT anchors in the wiki compiler. |
| 115 | + |
| 116 | +### E.11 Risk-derived process documentation |
| 117 | +Recurring risks captured in frames are reflected in derived SOPs so the team mitigates them consistently. |
| 118 | + |
| 119 | +**SOP basis:** `SOP-403 Risk-derived Process` — derived from RISK anchors in the wiki compiler. |
| 120 | + |
| 121 | +### E.12 Fact-derived process documentation |
| 122 | +Recurring facts captured in frames are reflected in derived SOPs so the team operates from shared knowledge. |
| 123 | + |
| 124 | +**SOP basis:** `SOP-404 Fact-derived Process` — derived from FACT anchors in the wiki compiler. |
| 125 | + |
| 126 | +--- |
| 127 | + |
| 128 | +## SOP → PROSE → Tests workflow |
| 129 | + |
| 130 | +``` |
| 131 | +SOP (company process) |
| 132 | + │ |
| 133 | + ▼ |
| 134 | +PROSE Expectation (plain-English contract) |
| 135 | + │ |
| 136 | + ▼ |
| 137 | +Integration test (executable validation) |
| 138 | + │ |
| 139 | + ▼ |
| 140 | +Provenant decision log (audit trail) |
| 141 | +``` |
| 142 | + |
| 143 | +For example, `SOP-301 New Hire Onboarding` becomes PROSE `E.1`, which becomes the test `onboarding records are complete`. QA can run the same test suite to verify SOP compliance, and the test can be used to generate or validate automation scripts. |
| 144 | + |
| 145 | +--- |
| 146 | + |
| 147 | +## Test mapping |
| 148 | + |
| 149 | +| PROSE ID | SOP basis | Test case | |
| 150 | +|----------|-----------|-----------| |
| 151 | +| P.1 | — | `lists SOPs in the company OS wiki` | |
| 152 | +| P.2 | — | `retrieves company-os decisions across sessions` | |
| 153 | +| R.1 | — | `rejects SOPs missing required sections` | |
| 154 | +| R.2 | — | `rejects SOPs with invalid PROSE references` | |
| 155 | +| R.3 | — | `audit commands do not mutate state` | |
| 156 | +| O.1 | — | `lists SOPs with IDs and statuses` | |
| 157 | +| O.2 | — | `reports audit status for a process` | |
| 158 | +| O.3 | — | `retrieves decisions by process name` | |
| 159 | +| S.1 | — | `adding a SOP makes it discoverable` | |
| 160 | +| S.2 | — | `running an audit records the result` | |
| 161 | +| S.3 | — | `recording a decision persists rationale` | |
| 162 | +| E.1 | `SOP-301 New Hire Onboarding` | `onboarding records are complete` | |
| 163 | +| E.2 | `SOP-302 Expense Approval` | `expenses have required approvals` | |
| 164 | +| E.3 | `SOP-303 Access Revocation` | `access is revoked within SLA` | |
| 165 | +| E.4 | `SOP-304 Security Incident Response` | `incidents are contained within SLA` | |
| 166 | +| E.5 | `SOP-305 PTO Request` | `PTO is approved before it begins` | |
| 167 | +| E.6 | `SOP-306 Vendor Onboarding` | `vendors have security review` | |
| 168 | +| E.7 | `SOP-307 Data Retention` | `data retention is enforced` | |
| 169 | +| E.8 | `SOP-308 Emergency Contact Update` | `emergency contacts are current` | |
| 170 | +| E.9 | `SOP-401 Decision-derived Process` | `decision-derived SOP is generated` | |
| 171 | +| E.10 | `SOP-402 Constraint-derived Process` | `constraint-derived SOP is generated` | |
| 172 | +| E.11 | `SOP-403 Risk-derived Process` | `risk-derived SOP is generated` | |
| 173 | +| E.12 | `SOP-404 Fact-derived Process` | `fact-derived SOP is generated` | |
0 commit comments