EMILIA GOVGUARD · GOV-00X

Pre-execution trust for government programs.

GovGuard sits between the caseworker action and the benefits core system. Every benefit redirect, address change tied to payment, and caseworker override is bound to an authenticated actor, an exact policy hash, and an evidence trail before it executes.

WHY AUTHENTICATION IS NOT ENOUGH

Most fraud happens inside approved-looking workflows.

The caseworker is logged in. The session is valid. The form submits. Nothing in the authentication layer flags that the new bank account doesn't belong to the claimant. GovGuard is the layer that asks the question authentication doesn't: “before this executes, is the change itself permitted under policy, and who owns the outcome?”

PROTECTED ACTIONS

Initial GovGuard policy pack.

benefit_bank_account_change: Benefit bank-account change. Caseworker changes a claimant's benefit destination.
benefit_address_change: Benefit mailing-address change. Address tied to physical-check delivery.
caseworker_override: Caseworker override. Operator overrides automatic disqualification.
HOW IT WORKS

Six stages. Six audit points.

1. Precheck: Caseworker submits the change. GovGuard receives a canonical action object with before/after state.
2. Policy decision: Money-destination changes, impossible travel, compromised devices — evaluated in one deterministic pass.
3. Accountable signoff: When required, a named supervisor approves the exact action hash. Self-approval is forbidden.
4. Trust receipt: Receipt binds actor, authority, action hash, policy hash, nonce, expiry, signoff state.
5. One-time consume: Benefits core system consumes the receipt. Replay attempts log and fail. Expired receipts log and fail.
6. Evidence packet: Full event timeline, IG/GAO-ready, exportable to JSON. Tamper-evident via append-only audit log.
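
Stages 3 to 5 above, as an added sketch that is not GovGuard's own code: a receipt bound to the exact action hash and consumed once, with replay, expiry and tampering each logged and refused. It assumes HMAC-SHA256 over sorted-key JSON and an in-memory nonce set; the field names, key handling and any sample values are hypothetical, and policy evaluation is left out.

```python
import hashlib, hmac, json, secrets, time

KEY = secrets.token_bytes(32)  # assumption: HMAC key held by the receipt issuer
CONSUMED = set()               # assumption: stand-in for a durable store with atomic insert
AUDIT = []                     # stand-in for the append-only audit log

def canon_hash(obj):
    """SHA-256 over sorted-key, whitespace-free JSON (assumed canonical form)."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

def _mac(body):
    return hmac.new(KEY, canon_hash(body).encode(), hashlib.sha256).hexdigest()

def issue(actor, action, policy, approver=None, ttl=300, now=None):
    """Bind actor, action hash, policy hash, nonce, expiry and signoff state."""
    if approver == actor:
        raise PermissionError("self-approval is forbidden")
    signoff = {"state": "approved", "by": approver} if approver else {"state": "not_required"}
    body = {"actor": actor, "action_hash": canon_hash(action),
            "policy_hash": canon_hash(policy), "nonce": secrets.token_hex(16),
            "expires_at": (now or time.time()) + ttl, "signoff": signoff}
    return {**body, "mac": _mac(body)}

def consume(receipt, action, now=None):
    """Core-system side: verify the binding, then burn the nonce. Returns (ok, reason)."""
    body = {k: v for k, v in receipt.items() if k != "mac"}
    if not hmac.compare_digest(_mac(body), receipt.get("mac", "")):
        result = (False, "bad_mac")          # any field changed after issuance
    elif body["action_hash"] != canon_hash(action):
        result = (False, "action_mismatch")  # receipt was issued for a different change
    elif (now or time.time()) >= body["expires_at"]:
        result = (False, "expired")
    elif body["nonce"] in CONSUMED:
        result = (False, "replay")
    else:
        CONSUMED.add(body["nonce"])
        result = (True, "consumed")
    AUDIT.append((body.get("nonce"), *result))  # failures are logged, not dropped
    return result
```

The action passed to `consume` is the one the core system is about to execute, so a receipt approved for one destination account cannot authorize another.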
ENFORCEMENT MODES

Roll out without breaking anything.

Government programs cannot move from zero to blocking overnight. GovGuard supports three modes per organization, configurable per protected action type.

observe: Evaluate every protected action. Log decisions. Never block. Generate the report that shows what would have been blocked.
warn: Return decision to the caller. Caller chooses whether to honor. Used for staged rollouts.
enforce: Fail closed. Block actions that violate policy or lack required signoff.
API

One v1 surface. Six endpoints.

POST /api/v1/trust-receipts
GET /api/v1/trust-receipts/{receiptId}
POST /api/v1/trust-receipts/{receiptId}/consume
GET /api/v1/trust-receipts/{receiptId}/evidence
POST /api/v1/signoffs/request
POST /api/v1/signoffs/{signoffId}/approve
POST /api/v1/signoffs/{signoffId}/reject

Every endpoint is rate-limited and authenticated. Actor identity is derived from the authenticated session, never from the request body. Full OpenAPI spec ships in the v1.1 release.

Pilot in 30 days.

We'll wire one workflow (your choice: bank-account change, address change, or operator override) into observe mode. You get the audit trail of what would have been blocked. Then you decide if you want to flip to enforce.

EMILIA GovGuard — Pre-Execution Trust for Government Programs | EMILIA Protocol