HawkinsOperations is a governed AI Security Operations and detection engineering system that turns detection work into source-controlled rules, deterministic validation, platform contracts, proof records, reviewer releases, runtime candidate lanes, and human-governed promotion gates.

AI accelerates drafting, triage reasoning, case-packet support, documentation, and automation planning. Validation, platform guardrails, proof records, and human review decide what becomes operational truth.

Windows and Linux private candidate lanes produced one reviewed candidate each. The normalizer produced two append-ready candidates with zero duplicates. After explicit approval and verifier gates, both rows were appended as governed Lifetime Ledger cases, moving the strict ledger count from 4 to 6.

These are activity and reviewer-scale metrics. They are not governed cases, runtime signals, or public-safe proof.

Platform is the mechanical control layer. It turns detection work into governed, machine-checkable workflow through contracts, factory commands, ledger mechanics, case-packet schemas, runtime candidate gates, reviewer metrics state, and verifier scripts. Platform does not own proof promotion or public-safe runtime truth.

Validation is the behavior engine. It turns detection claims into reproducible checks through controlled cases, local case pipeline, registry checks, activity ledger, parity checks, blocked-claim scans, AI authority boundaries, and runner trust separation. Validation does not prove live runtime, signal-observed public proof, or production deployment.

Proof is the public trust anchor. It owns proof records, claim ceilings, Proof Pack 001, Runtime Route Proof v1, reviewer maps, release routes, and proof-boundary case studies. Proof records authorize only their stated scope.

Runtime-active public proof, signal-observed public proof, public-safe runtime proof, production SOC, production SOCaaS, customer deployment, live enterprise deployment, autonomous SOC, AI-decided disposition, AI-approved disposition, analyst-approved disposition, case closure, FortiSIEM integration proven, fleet-wide coverage, public-safe Runtime Route Proof v1, Wazuh/Cribl/Splunk public proof, broad ingestion proof, website/GitHub rendering as proof, GitHub Project metadata as proof, and green CI as approval are not claimed here.

.github is the org command center for reviewer routing, truth boundaries, and claim controls. It does not create proof authority. Proof records live in hawkinsoperations-proof, and the current public ceiling remains CONTROLLED_TEST_VALIDATED unless a specific proof record says otherwise. Runtime, signal, public-safe, production, SOCaaS, autonomous SOC, AI-approved disposition, and analyst-approved disposition claims remain blocked unless explicitly proven and approved.

The private Control Board supports internal governance and navigation. It is not proof, not public evidence, and not a public-safe approval surface.

The private org Control Board is the private Project #2 operating cockpit for current work visibility. Project #1 is not an active reviewer route and was not resolvable through the live ProjectV2 API during the current cleanup pass. The board is useful for navigation, queue review, and sprint context only; it does not mutate proof state, authorize merge, approve public wording, or promote public-safe status.

AI can accelerate security work. It cannot authorize the truth.

Without a control system, AI-generated output becomes a public claim, an analyst conclusion, an operational action, a security disposition, and an executive truth — before any evidence or human review ever authorized it.

   AI OUTPUT
       │
       ▼
   UNVERIFIED CLAIM
       │
       ▼
   OPERATIONAL ACTION
       │
       ▼
   SECURITY DISPOSITION
       │
       ▼
   EXECUTIVE TRUTH                ✕  BLOCKED  ✕

This is the failure mode HawkinsOperations is built to prevent.

AI labor enters the system. Source, validation, deterministic verification, evidence records, proof records, and human review stand between labor and any public claim.

   AI LABOR
       │  scoped: drafts, scaffolds, summaries — never authorization
       ▼
   SOURCE                         hawkinsoperations-detections
       │
       ▼
   CONTROLLED VALIDATION          hawkinsoperations-validation
       │
       ▼
   DETERMINISTIC VERIFIER         fixtures · checks · CI gates
       │
       ▼
   EVIDENCE RECORD                bounded, scoped, reviewable
       │
       ▼
   PROOF RECORD                   hawkinsoperations-proof
       │
       ▼
   HUMAN REVIEW                   required · not delegable to AI
       │
       ▼
   PUBLIC BOUNDARY                hawkinsoperations.com · .github

AI generates work. Evidence and human review authorize claims.

What this release does not prove. It is a reviewer route and a bounded ZIP. It does not promote runtime-active public proof, signal-observed public proof, public-safe runtime proof, production readiness, SOCaaS, autonomous SOC, AI-approved disposition, or analyst-approved disposition. Website/GitHub rendering is not proof.

The platform-owned Lifetime Case Ledger state manifest is the current strict governed ledger route. It records:

Runtime Case Collector v0 has separate Windows and Linux private candidate lanes. Windows and Linux each produced one reviewed candidate, normalized to two append-ready candidates with zero duplicates. After explicit approval and verifier gates, those two rows were appended as governed Lifetime Ledger cases, moving the strict ledger count from 4 to 6.

This ledger route does not prove runtime activity, signal observation, production deployment, SOCaaS availability, public-safe runtime proof, public proof, autonomous SOC authority, AI-approved final disposition, analyst-approved final disposition, or case closure authority.

Pick the route that matches your review job. The route changes how you inspect the system; it does not change the proof state.

Org-level reviewer entry point: Cyber Kill Chain coverage lives in hawkinsoperations-proof as a public route-safe reviewer map. It is not public-safe approval, runtime proof, or proof authority.

Each surface supports its own claims, nothing more. Authority does not flow between them by presentation.

flowchart LR
    A[Source] --> B[Validation]
    B --> C[Case packet]
    C --> D[Proof record]
    D --> E[Public boundary]
    F[AI support] -. labor only .-> A
    F -. labor only .-> B
    G[Human review] --> D
    H[Deterministic checks] --> D
    E -. rendering is not proof .-> I[Website / GitHub]

Six repositories. Three planes. Authority flows through scoped records, not presentation.

Detections → validation → proof feeds the authority chain. .github routes reviewers. hawkinsoperations-platform remains an internal/private runtime-contract route. The website renders receipts; it does not author them.

Public wording passes through boundary review before it ships. Blocked terms stay listed because they describe what this surface does not assert.

Blocked unless separately promoted and approved:

public-safe · production-ready · fleet-wide · live enterprise deployment · autonomous SOC · AI-approved disposition · analyst-approved disposition · runtime-active public proof · signal-observed public proof · evidence-linked public proof · live Splunk public proof · Cribl-routed public proof · Wazuh-routed public proof · AWS-live proof · customer-ready product · sold product · enterprise deployment

Allowed public boundary for this profile:

HO-DET-001 is the artifact reviewers can trace end to end without accepting a stronger public claim.

Public proof ceiling remains CONTROLLED_TEST_VALIDATED. Public-safe status remains NOT_PUBLIC_SAFE.

HawkinsOps V1 / SignalFoundry metrics are prior operating context only. They are not current HawkinsOperations proof and do not raise the current HawkinsOperations ceiling.

Current HawkinsOperations claims are bounded by source, validation, evidence, and the public-proof surface.

Repo separation creates review boundaries. Real control comes from required review, deterministic verification, CI checks, proof records, and bounded public wording. The split is necessary; it is not sufficient. Treat the boundary as the artifact, not the architecture diagram.