Two-approver production flow
Waves above 100 devices require a second approver — and the operator who built the wave can't sign.
What it is
Production change is gated by a cryptographic two-person rule. Every approval is an HSM signature over the canonical wave manifest. Approvals expire after 24 hours. Separation of duties is enforced in the state machine, not by hope.
How it works
WaveValidation enforces SoD between creator and approver. ApprovalService writes the signed bytes to the audit chain. The agent dispatcher refuses any command whose envelope doesn't reference a fresh, valid approval pair.
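The dispatcher-side check described above, as an added example that is not the product's own code. HMAC with constructed keys stands in for the HSM signature, and the manifest fields, the signed timestamp and the single-approver rule for smaller waves are assumptions.

```python
import hashlib
import hmac
import json

APPROVAL_TTL = 24 * 3600   # approvals expire after 24 hours
LARGE_WAVE = 100           # waves above 100 devices need a second approver

# Constructed sample keys. A real deployment verifies HSM-backed signatures
# against public keys; HMAC is only a stand-in so this runs offline.
KEYS = {"alice": b"key-a", "bob": b"key-b", "carol": b"key-c"}

def canonical(manifest: dict) -> bytes:
    """Deterministic encoding, so every approver signs identical bytes."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()

def sign(approver: str, manifest: dict, signed_at: int) -> dict:
    """Produce an approval record binding approver, manifest and signing time."""
    msg = canonical(manifest) + b"|" + str(signed_at).encode()
    sig = hmac.new(KEYS[approver], msg, hashlib.sha256).hexdigest()
    return {"approver": approver, "signed_at": signed_at, "sig": sig}

def dispatch_allowed(manifest: dict, approvals: list, now: int) -> bool:
    """Return True only if enough distinct, fresh, valid approvals exist."""
    # Assumed reading: smaller waves still need one approver who is not the creator.
    required = 2 if manifest["device_count"] > LARGE_WAVE else 1
    accepted = set()
    for a in approvals:
        who = a.get("approver")
        if who not in KEYS or who == manifest["creator"]:
            continue  # unknown signer, or the creator approving their own wave
        age = now - a["signed_at"]
        if age < 0 or age > APPROVAL_TTL:
            continue  # future-dated or stale approval
        expected = sign(who, manifest, a["signed_at"])["sig"]
        if hmac.compare_digest(expected, a["sig"]):
            accepted.add(who)  # a set: one approver signing twice counts once
    return len(accepted) >= required

if __name__ == "__main__":
    now = 1_700_000_000  # constructed timestamp
    wave = {"wave_id": "w-1", "creator": "alice", "device_count": 250}
    pair = [sign("bob", wave, now - 3600), sign("carol", wave, now - 60)]
    print("valid pair:", dispatch_allowed(wave, pair, now))
    print("creator signs:", dispatch_allowed(wave, [sign("alice", wave, now), pair[0]], now))
```

Because the signature covers the canonical manifest bytes, an approval pair collected for one manifest fails verification against any edited copy of it.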
What you get
- No single operator can deploy a wave alone.
- SOC 2 / ISO 27001 separation-of-duties evidence is automatic.
- Stale approvals can't be replayed.