Roles and responsibilities

docs.kosli.com/content/implementation_guide/_index.md

@@ -0,0 +1,5 @@
+---
+title: Implementation guide
+bookCollapseSection: true
+weight: 300
+---

docs.kosli.com/content/implementation_guide/phase_1/_index.md

@@ -0,0 +1,5 @@
+---
+title: "Phase 1: Initial Discovery"
+bookCollapseSection: true
+weight: 100
+---

docs.kosli.com/content/implementation_guide/phase_1/roles_and_responsibilities/_index.md

@@ -0,0 +1,63 @@
+---
+title: "Roles and Responsibilities"
+bookCollapseSection: true
+weight: 100
+---
+
+# Roles and Responsibilities
+
+Kosli supports multiple stakeholders across engineering, security, and compliance. Successful adoption depends on clear ownership and collaboration across roles.
+This guide provides:
+
+- A RACI matrix to define responsibilities per phase
+- Role-by-role expectations during rollout
+- Links to relevant documentation for each group
+
+## 🔄 Phases of Implementation
+
+1. **Discovery and Planning:** Understand what to track, who is involved, and which flows to start with.
+2. **Initial Setup and Pilot:** Configure Kosli for a single service or team. Validate the model and gather feedback.
+3. **Rollout and Scale:** Extend flows and policies across teams and services. Standardize and automate.
+4. **Governance and Optimization:** Measure success, refine policies, and prepare for audits with real data.
+
+## 👥 Stakeholders
+1. [**Platform Engineers and DevOps**]({{< relref "platform_engineers" >}}): Leads technical implementation and pipeline integration
+2. [**Application Developer**]({{< relref "app_developers" >}}): Builds code and produces evidence automatically
+3. [**Security and Compliance**]({{< relref "security_compliance" >}}): Defines control objectives and verifies evidence
+4. [**Sponsors**]({{< relref "sponsors" >}}): Champions adoption, aligns on outcomes, and tracks impact
+
+## 📊 RACI Matrix
+
+The RACI model helps teams and stakeholders know who to talk to, who drives a decision, and who just needs visibility. It’s especially helpful when rolling out tools like Kosli across multiple teams with different priorities and domain focus.
+
+| Task                                 | Platform Engineer  | Application Developer | Security & Compliance   | Sponsor |
+|--------------------------------------|--------------------|-----------------------|-------------------------|---------|
+| Identify key flows and services       | R                  | C                     | C                       | A       |
+| Define success criteria and metrics   | C                  | C                     | C                       | A       |
+| Select pilot team/service            | R                  | C                     | C                       | A       |
+| Set up Kosli CLI and pipelines       | A                  | I                     | C                       | C       |
+| Define attestation types              | R                  | C                     | A                       | C       |
+| Configure environment snapshots       | A                  | I                     | C                       | C       |
+| Set up environment policies          | R                  | I                     | A                       | C       |
+| Validate compliance controls         | R                  | C                     | A                       | C       |
+| Export and review audit packages     | C                  | I                     | A                       | C       |
+| Roll out to additional teams         | R                  | C                     | C                       | A       |
+| Track measures of success            | R                  | C                     | C                       | A       |
+
+- **A - Accountable**
+
+    The owner of the outcome. This is the person who ensures the task is completed successfully, even if others do the work. There should only be one "A" per task.
+
+- **R - Responsible**
+
+    The doer. This person (or team) performs the work. They are hands-on with the implementation and execution of the task.
+
+- **C - Consulted**
+
+    Someone who provides input, guidance, or subject matter expertise. This is a two-way communication role. Their feedback is important for shaping the work.
+
+- **I - Informed**
+
+    Kept in the loop. This person doesn't need to be consulted during the task but should be notified of progress or outcomes. It’s a one-way communication role.
+
+## Subpages

docs.kosli.com/content/implementation_guide/phase_1/roles_and_responsibilities/app_developers.md

@@ -0,0 +1,71 @@
+---
+title: "Application Developers"
+bookCollapseSection: false
+weight: 300
+summary: "How Application Developers can use Kosli to build secure, compliant software delivery pipelines."
+---
+
+# Application Developers
+
+You build and maintain services, applications, or APIs that deliver customer or business value. You write code, push changes, and expect your work to move safely from commit to production.
+
+You care about quality, security, and release velocity, but you do not want to be slowed down by compliance overhead.
+
+
+# How Kosli helps you
+
+Kosli captures the evidence that your changes have passed the right controls, like tests, code reviews, security scans, and approvals, so you can deploy with confidence and stay focused on building.
+
+With Kosli, you can:
+- Ship code without worrying about compliance gates or approval tickets
+- Get clarity on why something cannot deploy, and what needs to happen
+- Use existing CI workflows without learning new tools
+- Trace what changed, where it went, and whether it passed all required controls
+
+## Your role in using Kosli
+
+As an application developer, you are a contributor to the system of record that Kosli observes. You may:
+- Write code that passes through a Flow defined by your platform team
+- Produce build artifacts and test results that Kosli records as evidence
+- Trigger attestations through CI jobs (e.g., when tests run or scans complete)
+- Occasionally check compliance status in the UI or via pull request checks
+
+You are usually not responsible for setting up Kosli. It runs quietly underneath your normal delivery workflows.
+
+
+## What you’ll Work with
+
+You typically interact with Kosli through:
+- **Your CI/CD pipeline**, which calls Kosli CLI under the hood
+- **Pull requests or merge gates**, where Kosli may block or allow merges based on compliance
+- **The Kosli UI**, to check deployment or compliance status if needed
+- **Your platform team's guidance**, for understanding what evidence is expected
+
+You do not need to memorize Kosli commands or manage configurations. Most of it is abstracted away by your Platform team
+
+## What success looks like
+
+- You write and commit code as usual, and your changes flow smoothly through CI and into production
+- You do not need to fill out compliance tickets or wait for manual approvals
+- If something is blocked, Kosli tells you what evidence is missing and how to resolve it
+- You gain confidence that your work is secure and production-ready without extra effort
+
+
+## Common questions you might have
+
+**"Why did Kosli mark my build or deployment non-compliant?"**<br>
+Most likely a required check did not run, failed, or was not reported to Kosli. Your pipeline or platform team can help you identify what is missing.
+
+**"Do I need to learn another CLI or tool?"**<br>
+No. Kosli is used behind the scenes by your platform team. You may see its results in PR checks or dashboards, but you do not need to run it manually.
+
+**"How do I know if my change was successfully deployed?"**<br>
+You can use the Kosli UI to trace a git commit, artifact, or deployment. Kosli shows where it is running and what evidence was attached.
+
+**"Can I use Kosli in debugging or incident response?"**<br>
+Yes. Kosli helps you trace what changed and when across environments. You can see exactly what was deployed and what passed or failed.
+
+## Where to start
+- [**Getting Started**]({{< ref "/getting_started" >}}): Follow this if you're curious about how Kosli works behind the scenes
+- [**Querying Kosli**]({{< ref "/tutorials/querying_kosli/" >}}): Learn how to search for artifacts or changes
+- [**Concepts**]({{< ref "/understand_kosli/concepts" >}}): Understand what Kosli tracks and why

docs.kosli.com/content/implementation_guide/phase_1/roles_and_responsibilities/platform_engineers.md

@@ -0,0 +1,76 @@
+---
+title: "Platform Engineers"
+bookCollapseSection: false
+weight: 200
+summary: "How Platform Engineers and DevOps teams can use Kosli to build secure, compliant software delivery pipelines."
+---
+
+## Platform and DevOps Engineers
+
+You build the internal tooling, workflows, and golden paths that help developers ship software reliably and securely. You care about scaling delivery without scaling your team.
+
+If you’re supporting CI/CD pipelines, infrastructure, or compliance enablement across multiple services or teams, this page is for you.
+
+## How Kosli helps you
+
+Kosli gives you a single, unified way to track everything that moves through your delivery pipelines: code, artifacts, tests, approvals, deployments and prove it’s been done safely and correctly.
+
+With Kosli, you can:
+- Automate compliance and eliminate manual change approval processes.
+- Capture tamper-proof evidence across your SDLC (without slowing down delivery).
+- Monitor all runtime environments and deployments across teams.
+- Offer developers secure paved paths that embed governance from the start.
+
+
+## Your role in using Kosli
+
+As a platform engineer, you're typically responsible for:
+- Setting up Kosli in CI/CD and infrastructure environments.
+- Creating and maintaining **Flows**, which model how changes move through pipelines.
+- Defining and triggering **Trails** to capture each run of those pipelines.
+- Configuring **Attestations** for tests, scans, and internal checks (e.g., Jira, Snyk).
+- Capturing **Environment Snapshots** and enforcing **Policies** to govern deployments.
+- Building reusable Kosli integrations (e.g., GitHub Actions, GitLab CI templates) so your dev teams don’t have to think about it.
+
+You’ll often be the first person to integrate Kosli into your platform and roll it out to the rest of the org.
+
+## What you’ll work with
+
+You’ll primarily interact with:
+- **Kosli CLI:** integrated into your CI/CD pipelines and scripts.
+- **Flows** and **Trails:** to represent and track software delivery runs.
+- **Artifacts** and **Attestations:** to connect builds and compliance evidence.
+- **Environment Snapshots** & **Policies:** to enforce governance in prod and staging.
+- **Kosli UI:** to review deployment status, compliance views, and audits.
+
+If you're running Kubernetes, Terraform, or other infrastructure tools, Kosli also integrates easily to monitor state and changes.
+
+## What success looks like
+
+When Kosli is successfully adopted by platform engineering, you’ll see:
+
+- Your pipelines continuously produce verifiable, compliant deployments.
+- You eliminate the need for spreadsheet-driven approvals and CAB meetings.
+- Developers onboard Kosli passively via the platform, they rarely have to learn it directly.
+- Security and compliance teams get everything they need with minimal friction.
+- Audits are a non-event: you already have the evidence.
+
+## Common questions you might have
+
+**“Do I need to change our pipelines to use Kosli?”**<br>
+No major changes. Kosli integrates via CLI commands you can drop into any pipeline.
+
+**“Can I templatize this across many teams?”**<br>
+Yes. Use flow templates and reusable CI snippets to roll out a consistent setup.
+
+**“Does Kosli work with our existing tools?”**<br>
+Almost certainly. Kosli is tool-agnostic and supports GitHub Actions, GitLab, Jenkins, Kubernetes, Terraform, and more.
+
+**“How do I know it’s working?”**<br>
+Kosli automatically gives you compliance status per environment and per change. You can inspect Trails, download audit packages, and integrate with Slack or through Webhooks for alerts.
+
+## Where to start
+
+- [**Getting Started Guide**]({{< ref "/getting_started" >}}): For a complete technical setup walkthrough.
+- [**CLI Reference**]({{< ref "/client_reference" >}}): Full list of commands.
+- [**Concepts Overview**]({{< ref "/understand_kosli/concepts" >}}): Understand how Flows, Trails, and Attestations fit together.

docs.kosli.com/content/implementation_guide/phase_1/roles_and_responsibilities/security_compliance.md

@@ -0,0 +1,70 @@
+---
+title: "Security and Compliance"
+bookCollapseSection: false
+weight: 400
+summary: "How Security and Compliance teams can use Kosli to define control objectives and verify evidence."
+---
+
+# Security and Compliance
+
+You are responsible for ensuring that software delivery meets regulatory, security, or internal governance requirements. You translate frameworks like SOC 2, ISO 27001, or custom internal controls into practical expectations for teams.
+
+You may work in AppSec, GRC, risk management, or a compliance function. You care about provable controls, trustworthy evidence, and making audits repeatable and painless.
+
+## How Kosli helps you
+
+Kosli creates a continuous, tamper-proof record of how software changes move through your organization. It captures real evidence for controls like peer review, test coverage, security scanning, and approval steps, all without relying on spreadsheets or screenshots.
+
+With Kosli, you can:
+- Automatically collect and store control evidence for every change
+- Get instant visibility into which changes are compliant and which are not
+- Replace change request tickets with actual audit-ready data
+- Export audit packages in seconds for any service, environment, or release
+
+
+## Your role in using Kosli
+
+You help define what counts as compliant. Kosli helps you enforce that through policy and automation. Your responsibilities may include:
+
+- Working with platform teams to translate controls into **Attestations** and **Policies**
+- Reviewing **Environment** or **Trail** compliance reports
+- Verifying that changes meet requirements for deployment to sensitive environments
+- Preparing for or responding to internal and external audits using Kosli data
+
+You may not configure pipelines directly, but you rely on Kosli’s outputs to validate that controls are working.
+
+## What you’ll work with
+
+You interact with Kosli through:
+
+- **The Kosli UI**, where you can see compliance status per environment, service, or release
+- **Audit Packages**, which you can export to support internal reviews or formal audits
+- **Attestation** and **Policy** definitions, often managed in collaboration with platform or security engineering teams
+- **Environment Snapshots**, which show what is running and why it is or is not compliant
+
+You may also use the **CLI** or **API** if you need detailed reports or integrations.
+
+## What success looks like
+
+- You can prove to auditors or regulators that your SDLC is secure and compliant
+- Controls are codified and enforced consistently across all delivery pipelines
+- You no longer chase teams for screenshots or spreadsheets during audits
+- You have full traceability from change request to deployed artifact with supporting evidence
+
+## Common questions you might have
+
+**"How do I know a change is compliant?"**<br>
+Kosli validates Trails and Environments based on policies and recorded attestations. You can view compliant and non-compliant changes in the UI or export audit reports.
+
+**"Can we map Kosli data to our compliance framework?"**<br>
+Yes. Attestations can represent any type of control evidence, such as test results, PR approvals, vulnerability scans, or change reviews.
+
+**"How secure is the evidence?"**<br>
+Kosli stores all records immutably and securely. Attestations can include signed metadata and attachments, stored in a tamper-evident Evidence Vault.
+
+**"How do I use Kosli in an audit?"**<br>
+You can export a complete Audit Package for any Trail, Artifact, or Environment. This includes all recorded evidence and metadata for traceable, reviewable compliance.
+
+## Where to start
+
+- [**Concepts**]({{< ref "/understand_kosli/concepts" >}}): Understand how Flows, Trails, and Attestations fit together.

docs.kosli.com/content/implementation_guide/phase_1/roles_and_responsibilities/sponsors.md

@@ -0,0 +1,67 @@
+---
+title: "Sponsors"
+bookCollapseSection: false
+weight: 500
+summary: "How Sponsors can use Kosli to ensure secure, compliant software delivery across their organization."
+---
+
+# Sponsors
+
+You’re responsible for making sure your organization delivers software quickly, safely, and in a way that satisfies regulatory, customer, or internal compliance expectations.
+
+You might lead an engineering org, oversee platform strategy, or be responsible for DevSecOps or governance transformation. You care about reducing lead time without sacrificing control or trust.
+
+## How Kosli helps you
+
+Kosli gives your teams the ability to automate governance across the entire software delivery lifecycle (SDLC). It makes it easy to verify that changes have passed the right checks and policies without slowing down releases.
+
+With Kosli, you can:
+
+- Replace manual approvals and change control boards with real-time, automated evidence
+- Give your platform and product teams compliant workflows by default
+- Get instant answers to “what changed, where, and why” across all environments
+- Demonstrate governance and audit readiness without adding burden to developers
+
+## Your role in using Kosli
+As a sponsor, you are the enabler. You set the strategic direction and ensure the right people are equipped to succeed. Your key responsibilities include:
+
+- Aligning Kosli adoption with organizational goals around speed, safety, and compliance
+- Supporting platform teams in rolling out Kosli at scale
+- Communicating the value of automated governance across the organization
+- Using Kosli dashboards or reports to track adoption, policy health, and delivery confidence
+
+## What you’ll work with
+
+You won’t typically use the CLI. Instead, your interaction with Kosli will focus on:
+
+- The Kosli UI to view environment compliance, trail status, and audit readiness
+- Dashboards to understand where controls are working or missing
+- Audit Packages and Evidence Vault exports to support reporting or audits
+- Occasional reference to Kosli’s terminology or data model when aligning internal processes
+
+## What success looks like
+
+- You have visibility into delivery health and compliance posture across the org
+- Product and platform teams operate with fewer manual gates or surprises
+- You can demonstrate governance to stakeholders without relying on ad hoc processes
+- Audits are predictable and repeatable
+- Kosli becomes a quiet enabler. Developers deliver, compliance is provable, and your platform team scales without friction
+
+## Common questions you might have
+
+**“Can we remove manual approvals without increasing risk?”**<br>
+Yes. Kosli replaces them with clear, automated evidence. Every change has a traceable chain of custody.
+
+**“Does this help us with [SOC 2 / ISO / internal controls]?”**<br>
+Yes. Kosli maps technical events to audit-friendly records, with downloadable audit packages and policy enforcement.
+
+**“Will this add overhead for my teams?”**<br>
+No. Platform engineers handle setup and integration. Developers rarely need to interact with Kosli directly.
+
+**“How can I measure success?”**<br>
+You’ll see reduced lead times, fewer compliance exceptions, and improved audit efficiency. Kosli makes this visible through environment compliance views and evidence tracking.
+
+## Where to Start
+- [**What is Kosli?**]({{< ref "/understand_kosli/what_is_kosli/">}}): Understand the value and core ideas
+- [**Implementing Kosli**]({{< ref "/implementation_guide">}}): A rollout guide aligned to business and technical outcomes
+- [**Concepts**]({{< ref "/understand_kosli/concepts" >}}): Understand how Flows, Trails, and Attestations fit together.