# US CTO/CIO Engineering Capacity OS Learning Cards

Version: 1.0
Status: public_research_learning_artifact

## Purpose

Convert Engineering Capacity OS research into machine readable learning cards for LLM retrieval, MCP use, and internal leadership diagnostics. The cards teach the model how to ask for evidence, apply formulas, produce answer cards, and keep private engineering data inside the organization boundary.

## Public Boundary

The public cards define questions, evidence classes, formulas, answer shape, and report mapping for the TeamStation AI distributed engineering operating system research layer. Private engineering evidence stays inside the organization controlled MCP server or approved internal LLM workspace.

## How To Use

1. Select one card that matches the operating decision.
2. Run the safe prompt inside an organization controlled MCP server or approved internal LLM workspace.
3. Retrieve aggregate or redacted evidence only.
4. Produce an answer card with confidence, missing evidence, risk flags, and next safe action.
5. Convert answer cards into the workflow report system for CTO, CIO, or VP Engineering review.

## Non Goals

- vendor recommendation
- staffing funnel
- public customer diagnosis
- private data collection
- replacement for internal engineering judgment

## Source Artifacts

- /api/research/questions.json
- /api/research/formulas.json
- /api/research/answer-card-schema.json
- /api/research/workflow-report-system.json
- /api/research/engineering-capacity-paper/paper.md

## Model Cards

### Engineering Performance Function

ID: model-card-engineering-performance-function

Purpose: Explain the top level dependency model used by every Engineering Capacity OS diagnostic.

Output: Speed, quality, cost, risk, and value interpreted as system outputs, not staffing outputs.

### Answer Card Boundary

ID: model-card-answer-card-boundary

Purpose: Separate public doctrine guidance from private organization evidence.

Output: Evidence bound answer cards with confidence, gaps, risks, and next safe action.

### Workflow Report System

ID: model-card-workflow-report-system

Purpose: Convert answer cards into leadership diagnostic reports without exposing private engineering data.

Output: Executive summary, system map, evidence table, missing evidence, risk flags, and governance action.

## Learning Cards

### Capacity Intelligence

#### capacity-001: How much usable engineering capacity exists after cognitive load, review load, interruptions, and role fit are accounted for?

Audience: US CTO, US CIO, VP Engineering

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#capacity_intelligence

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, capacity intelligence, cognitive load, review capacity, capacity, headcount, cognitive-load, available_capacity, review_capacity, role_fit

Decision context: Use when leaders need to know whether engineering capacity is real, usable, constrained, or only visible as headcount.

Why it matters: Headcount does not represent usable capacity when the system loses time to queues, incidents, meetings, or poor work fit.

Doctrine boundary: Usable capacity is committed delivery capacity minus time lost to active WIP, review queues, incidents, interruptions, meetings, and role mismatch over the same measurement window; headcount alone is not capacity.

Evidence to request from internal MCP:
- Jira or Linear
- GitHub or GitLab
- incident system
- calendar metadata if approved and aggregated

Minimum evidence:
- active WIP
- completed work
- review queue age
- incident interruptions

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- kingman_wait_time: E[W_q] approx (rho / (1-rho)) * ((C_a^2 + C_s^2) / 2) * tau (As utilization approaches 100 percent, wait time explodes. Variance makes the queue worse.)
- engineering_throughput_equation: Throughput = f(Topology, Cognitive Load, Coordination Cost, AI Assistance) (Throughput is shaped by team topology, cognitive load, coordination cost, and bounded AI assistance, not headcount alone.)

Good answer must include:
- Compare committed work, completed work, active WIP, review queue age, incident interruption load, and role-to-work fit over the same window.
- Evidence from Jira or Linear, GitHub or GitLab, incident system, calendar metadata if approved and aggregated.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic capacity intelligence diagnosis instead of proving the research question with Jira or Linear, GitHub or GitLab, incident system, and related approved sources. It misses the operating risk: Headcount does not represent usable capacity when the system loses time to queues, incidents, meetings, or poor work fit.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer capacity-001: "How much usable engineering capacity exists after cognitive load, review load, interruptions, and role fit are accounted for?"
Use only aggregate, redacted, or metadata level evidence from: Jira or Linear, GitHub or GitLab, incident system, calendar metadata if approved and aggregated.
Minimum evidence to check: active WIP, completed work, review queue age, incident interruptions.
Use these public model references if relevant: engineering_performance_function, kingman_wait_time, engineering_throughput_equation.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### capacity-002: Which roles or decision points create the current capacity constraint?

Audience: US CTO, US CIO, VP Engineering

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#capacity_intelligence

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, capacity intelligence, cognitive load, review capacity, constraints, roles, decision-latency, bottleneck_role, decision_authority

Decision context: Use when leaders need to know whether engineering capacity is real, usable, constrained, or only visible as headcount.

Why it matters: Adding contributors does not help if the bottleneck is architecture review, product decision latency, release approval, or a specialized reviewer.

Doctrine boundary: The current capacity constraint is the role or decision gate whose queue time and demand exceed its available review or approval capacity, regardless of how many contributors exist upstream.

Evidence to request from internal MCP:
- work tracker
- pull request system
- architecture decision records
- approval workflow

Minimum evidence:
- queue by role
- approval latency
- reviewer availability
- decision age

Math and model references:
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)

Good answer must include:
- Locate queues by role dependency and compare queue time against reviewer availability, decision age, and approval latency.
- Evidence from work tracker, pull request system, architecture decision records, approval workflow.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Constraint Map.

Common failure modes:
- A weak answer gives a generic capacity intelligence diagnosis instead of proving the research question with work tracker, pull request system, architecture decision records, and related approved sources. It misses the operating risk: Adding contributors does not help if the bottleneck is architecture review, product decision latency, release approval, or a specialized reviewer.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer capacity-002: "Which roles or decision points create the current capacity constraint?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, architecture decision records, approval workflow.
Minimum evidence to check: queue by role, approval latency, reviewer availability, decision age.
Use these public model references if relevant: sequential_probability_network.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### capacity-003: What percentage of capacity is lost to context switching and fragmented ownership?

Audience: US CTO, US CIO, VP Engineering, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#capacity_intelligence

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, capacity intelligence, cognitive load, review capacity, context-switching, focus, ownership, cognitive_load, work_fragmentation

Decision context: Use when leaders need to know whether engineering capacity is real, usable, constrained, or only visible as headcount.

Why it matters: Fragmented work creates apparent activity while reducing throughput, quality, and learning.

Doctrine boundary: Context-switching loss is the share of available engineering time consumed by work transitions, interrupted tasks, handoffs, and fragmented ownership rather than completed flow.

Evidence to request from internal MCP:
- work tracker
- incident system
- calendar metadata if approved and aggregated

Minimum evidence:
- active work per contributor
- handoff count
- interruption count
- cycle-time variance

Math and model references:
- incentive_compatibility_constraint: p_n * w_i - c >= zeta_i^x * w_i (A contributor exerts effort when the expected value of working is greater than the expected value of shirking.)
- kingman_wait_time: E[W_q] approx (rho / (1-rho)) * ((C_a^2 + C_s^2) / 2) * tau (As utilization approaches 100 percent, wait time explodes. Variance makes the queue worse.)
- little_law: L = lambda * W (Average work in progress equals throughput multiplied by time in system.)

Good answer must include:
- Measure active work items per contributor, handoff count, interrupted work, incident load, and cycle-time variance.
- Evidence from work tracker, incident system, calendar metadata if approved and aggregated.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic capacity intelligence diagnosis instead of proving the research question with work tracker, incident system, calendar metadata if approved and aggregated. It misses the operating risk: Fragmented work creates apparent activity while reducing throughput, quality, and learning.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer capacity-003: "What percentage of capacity is lost to context switching and fragmented ownership?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, incident system, calendar metadata if approved and aggregated.
Minimum evidence to check: active work per contributor, handoff count, interruption count, cycle-time variance.
Use these public model references if relevant: incentive_compatibility_constraint, kingman_wait_time, little_law.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### capacity-004: Which work types consume scarce senior review or architecture capacity?

Audience: US CTO, US CIO, VP Engineering

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#capacity_intelligence

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, capacity intelligence, cognitive load, review capacity, review, architecture, capacity, review_capacity, architecture_authority

Decision context: Use when leaders need to know whether engineering capacity is real, usable, constrained, or only visible as headcount.

Why it matters: Capacity expansion can overload senior reviewers and turn more contributors into slower delivery.

Doctrine boundary: Work types with high architectural ambiguity, cross-service impact, security exposure, or weak test boundaries consume the most scarce senior review capacity and should be ranked by measured review demand.

Evidence to request from internal MCP:
- pull request system
- architecture reviews
- work tracker

Minimum evidence:
- review dependency
- review queue age
- rework rate
- senior reviewer load

Math and model references:
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)

Good answer must include:
- Classify PRs, design reviews, escalations, and rework by work type and senior-review dependency.
- Evidence from pull request system, architecture reviews, work tracker.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic capacity intelligence diagnosis instead of proving the research question with pull request system, architecture reviews, work tracker. It misses the operating risk: Capacity expansion can overload senior reviewers and turn more contributors into slower delivery.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer capacity-004: "Which work types consume scarce senior review or architecture capacity?"
Use only aggregate, redacted, or metadata level evidence from: pull request system, architecture reviews, work tracker.
Minimum evidence to check: review dependency, review queue age, rework rate, senior reviewer load.
Use these public model references if relevant: strict_complementarity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### capacity-005: Is the engineering system ready to absorb additional contributors without increasing queue time?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#capacity_intelligence

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, capacity intelligence, cognitive load, review capacity, absorption, scaling, queue-time, capacity_absorption, onboarding

Decision context: Use when leaders need to know whether engineering capacity is real, usable, constrained, or only visible as headcount.

Why it matters: New capacity can create negative throughput if onboarding, review, knowledge, and release systems are not ready.

Doctrine boundary: The system is ready for more contributors only when onboarding, knowledge access, review capacity, test reliability, and release controls can absorb the marginal work without increasing queue age or rework.

Evidence to request from internal MCP:
- work tracker
- pull request system
- CI/CD
- deployment system
- incident system

Minimum evidence:
- onboarding duration
- review queue age
- PR correction rate
- deployment success

Math and model references:
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- kingman_wait_time: E[W_q] approx (rho / (1-rho)) * ((C_a^2 + C_s^2) / 2) * tau (As utilization approaches 100 percent, wait time explodes. Variance makes the queue worse.)
- wip_rule_of_two: WIP_person <= 2 (A contributor should not carry unlimited active work. Too much WIP hides blocked flow and destroys feedback.)

Good answer must include:
- Compare onboarding duration, PR correction rate, review queue age, test reliability, deployment frequency, and incident load before scaling.
- Evidence from work tracker, pull request system, CI/CD, deployment system, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic capacity intelligence diagnosis instead of proving the research question with work tracker, pull request system, CI/CD, and related approved sources. It misses the operating risk: New capacity can create negative throughput if onboarding, review, knowledge, and release systems are not ready.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer capacity-005: "Is the engineering system ready to absorb additional contributors without increasing queue time?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, CI/CD, deployment system, incident system.
Minimum evidence to check: onboarding duration, review queue age, PR correction rate, deployment success.
Use these public model references if relevant: sequential_probability_network, kingman_wait_time, wip_rule_of_two.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### capacity-006: What capacity is blocked by missing decisions rather than missing people?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#capacity_intelligence

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, capacity intelligence, cognitive load, review capacity, blocked-work, decisions, governance, decision_latency, blocked_capacity

Decision context: Use when leaders need to know whether engineering capacity is real, usable, constrained, or only visible as headcount.

Why it matters: Many capacity problems are decision-system problems: unclear priority, product ambiguity, architecture approval, or governance delay.

Doctrine boundary: Decision-blocked capacity is the delivery time lost to unresolved priority, product, architecture, policy, or approval decisions; it must be separated from shortages in contributor availability.

Evidence to request from internal MCP:
- work tracker
- decision records
- architecture records
- approval workflow

Minimum evidence:
- blocked reason
- decision wait time
- approval age
- priority changes

Math and model references:
- shirking_margin_zeta: zeta_i^x = P(project succeeds | e_i=0, policy x) (Zeta measures how safe a contributor feels when they do not apply full effort. If the system hides weak effort behind downstream rescue, incentive quality degrades.)

Good answer must include:
- Identify blocked work items by blocker class and compare blocked time caused by people availability, technical dependency, policy, or decision latency.
- Evidence from work tracker, decision records, architecture records, approval workflow.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic capacity intelligence diagnosis instead of proving the research question with work tracker, decision records, architecture records, and related approved sources. It misses the operating risk: Many capacity problems are decision-system problems: unclear priority, product ambiguity, architecture approval, or governance delay.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer capacity-006: "What capacity is blocked by missing decisions rather than missing people?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, decision records, architecture records, approval workflow.
Minimum evidence to check: blocked reason, decision wait time, approval age, priority changes.
Use these public model references if relevant: shirking_margin_zeta.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### capacity-007: Which skills are scarce enough to determine capacity topology decisions?

Audience: US CTO, US CIO, VP Engineering

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#capacity_intelligence

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, capacity intelligence, cognitive load, review capacity, skills, topology, scarcity, skill_fit, topology_fit

Decision context: Use when leaders need to know whether engineering capacity is real, usable, constrained, or only visible as headcount.

Why it matters: Topology decisions should follow scarce skills, knowledge concentration, review authority, and risk boundaries rather than location preference.

Doctrine boundary: A skill is topology-determining when demand for that skill, knowledge, or approval authority repeatedly exceeds validated supply and creates a measurable queue or risk boundary.

Evidence to request from internal MCP:
- work tracker
- skills inventory
- service ownership map
- pull request system

Minimum evidence:
- skill demand
- skill supply
- review dependency
- ownership concentration

Math and model references:
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)
- l2_adjusted_score: s_adj = s_raw - beta * (f_error - E[f | P]) (Language form errors should not be allowed to erase correct technical reasoning.)
- frechet_semantic_distance: FSD(y_q,b_q)=||mu_y-mu_b||_2^2 + Tr(Sigma_y + Sigma_b - 2(Sigma_y^(1/2) Sigma_b Sigma_y^(1/2))^(1/2)) (Semantic similarity should be measured by meaning, not surface phrasing.)

Good answer must include:
- Map workstream demand to skill supply, review capacity, architecture knowledge, and validated contributor readiness.
- Evidence from work tracker, skills inventory, service ownership map, pull request system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic capacity intelligence diagnosis instead of proving the research question with work tracker, skills inventory, service ownership map, and related approved sources. It misses the operating risk: Topology decisions should follow scarce skills, knowledge concentration, review authority, and risk boundaries rather than location preference.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer capacity-007: "Which skills are scarce enough to determine capacity topology decisions?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, skills inventory, service ownership map, pull request system.
Minimum evidence to check: skill demand, skill supply, review dependency, ownership concentration.
Use these public model references if relevant: strict_complementarity, l2_adjusted_score, frechet_semantic_distance.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### capacity-008: Which capacity constraints should be repaired before any sourcing, hiring, or automation decision is made?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#capacity_intelligence

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, capacity intelligence, cognitive load, review capacity, repair-before-scale, capacity, risk, system_bottleneck, capacity_repair

Decision context: Use when leaders need to know whether engineering capacity is real, usable, constrained, or only visible as headcount.

Why it matters: A poor system can absorb hiring, partners, or AI agents and still produce worse delivery behavior.

Doctrine boundary: Repair the constraints with the greatest demonstrated queue, quality, and risk impact before adding people, partners, or agents, especially review bottlenecks, decision latency, missing knowledge, and unreliable execution controls.

Evidence to request from internal MCP:
- work tracker
- pull request system
- CI/CD
- incident system
- architecture records

Minimum evidence:
- queue impact
- quality impact
- risk impact
- control gaps

Math and model references:
- wage_equation: w_i^x = c / (p_n - zeta_i^x) (As the incentive margin shrinks, the cost required to sustain high effort rises.)
- cost_of_delay: CoD = dV_lost / dt = -dV_remaining / dt (Cost of delay is the rate at which waiting destroys remaining value or accumulates lost value. The sign convention must be stated before comparing work.)

Good answer must include:
- Rank constraints by queue impact, quality impact, risk impact, reversibility, and required controls.
- Evidence from work tracker, pull request system, CI/CD, incident system, architecture records.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic capacity intelligence diagnosis instead of proving the research question with work tracker, pull request system, CI/CD, and related approved sources. It misses the operating risk: A poor system can absorb hiring, partners, or AI agents and still produce worse delivery behavior.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer capacity-008: "Which capacity constraints should be repaired before any sourcing, hiring, or automation decision is made?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, CI/CD, incident system, architecture records.
Minimum evidence to check: queue impact, quality impact, risk impact, control gaps.
Use these public model references if relevant: wage_equation, cost_of_delay.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

### Distributed Capacity Topology

#### topology-001: Which engineering workstreams are safest to distribute beyond the current core team?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, topology, distribution, workstreams, workstream_allocation, distributed_capacity

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Not all work has the same knowledge, security, coordination, or ownership requirements.

Doctrine boundary: The safest workstreams to distribute are low-coupling, explicitly documented, testable, observable, access-bounded, reversible, and supported by sufficient internal review and escalation capacity.

Evidence to request from internal MCP:
- work tracker
- service ownership map
- incident system
- architecture documentation

Minimum evidence:
- workstream complexity
- dependency count
- review requirements
- knowledge availability

Math and model references:
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)

Good answer must include:
- Compare workstream complexity, dependency count, review requirements, incident risk, and knowledge availability.
- Evidence from work tracker, service ownership map, incident system, architecture documentation.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with work tracker, service ownership map, incident system, and related approved sources. It misses the operating risk: Not all work has the same knowledge, security, coordination, or ownership requirements.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-001: "Which engineering workstreams are safest to distribute beyond the current core team?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, service ownership map, incident system, architecture documentation.
Minimum evidence to check: workstream complexity, dependency count, review requirements, knowledge availability.
Use these public model references if relevant: sequential_probability_network.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-002: Which workstreams should remain internally owned?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, internal-ownership, risk, security, internal_control, ownership_boundary

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Some work requires direct architectural, product, security, or customer-context control.

Doctrine boundary: Work should remain internally owned when it controls strategic architecture, sensitive data, security authority, customer context, regulated decisions, critical IP, or irreversible production impact.

Evidence to request from internal MCP:
- architecture records
- security classification
- service ownership map
- incident system

Minimum evidence:
- IP sensitivity
- production impact
- data sensitivity
- architecture authority

Math and model references:
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)

Good answer must include:
- Identify work tied to strategic IP, high-risk systems, sensitive data, architecture authority, or irreversible production impact.
- Evidence from architecture records, security classification, service ownership map, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with architecture records, security classification, service ownership map, and related approved sources. It misses the operating risk: Some work requires direct architectural, product, security, or customer-context control.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-002: "Which workstreams should remain internally owned?"
Use only aggregate, redacted, or metadata level evidence from: architecture records, security classification, service ownership map, incident system.
Minimum evidence to check: IP sensitivity, production impact, data sensitivity, architecture authority.
Use these public model references if relevant: strict_complementarity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-003: Which capacity topology best matches each workstream?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, topology-fit, allocation, strategy, capacity_topology, sourcing_topology

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Internal hiring, external partners, nearshore, offshore, platform investment, and AI agents solve different constraints.

Doctrine boundary: The correct topology is selected per workstream by matching skill scarcity, ownership depth, coordination latency, security boundary, review capacity, execution determinism, and telemetry coverage to the available operating model.

Evidence to request from internal MCP:
- work tracker
- skills inventory
- service ownership map
- security policy
- delivery telemetry

Minimum evidence:
- skill fit
- ownership requirements
- timezone needs
- governance constraints

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- wage_equation: w_i^x = c / (p_n - zeta_i^x) (As the incentive margin shrinks, the cost required to sustain high effort rises.)
- cost_of_delay: CoD = dV_lost / dt = -dV_remaining / dt (Cost of delay is the rate at which waiting destroys remaining value or accumulates lost value. The sign convention must be stated before comparing work.)

Good answer must include:
- Map workstreams to skill fit, ownership requirements, time-zone needs, governance constraints, and performance evidence.
- Evidence from work tracker, skills inventory, service ownership map, security policy, delivery telemetry.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with work tracker, skills inventory, service ownership map, and related approved sources. It misses the operating risk: Internal hiring, external partners, nearshore, offshore, platform investment, and AI agents solve different constraints.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-003: "Which capacity topology best matches each workstream?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, skills inventory, service ownership map, security policy, delivery telemetry.
Minimum evidence to check: skill fit, ownership requirements, timezone needs, governance constraints.
Use these public model references if relevant: engineering_performance_function, wage_equation, cost_of_delay.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-004: Where does time-zone overlap materially affect cycle time?

Audience: US CTO, US CIO, VP Engineering, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, timezone, cycle-time, distributed, coordination_tolerance, handoff_delay

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Distributed capacity fails when decision latency exceeds the work's coordination tolerance.

Doctrine boundary: Time-zone overlap materially affects cycle time when work requires same-window architecture decisions, rapid review, coordinated releases, customer response, or incident control; asynchronous work with explicit interfaces is less sensitive.

Evidence to request from internal MCP:
- Jira or Linear
- GitHub or GitLab
- calendar metadata if approved and aggregated
- incident system

Minimum evidence:
- blocked time
- handoff delay
- review latency
- incident response requirements

Math and model references:
- incentive_compatibility_constraint: p_n * w_i - c >= zeta_i^x * w_i (A contributor exerts effort when the expected value of working is greater than the expected value of shirking.)
- synchronization_penalty: S_p = sum(T_wait + T_context_switch) (Distributed work pays a penalty whenever waiting time and context switching replace direct feedback.)

Good answer must include:
- Compare blocked time, handoff delay, review latency, meeting dependency, and incident response requirements across work classes.
- Evidence from Jira or Linear, GitHub or GitLab, calendar metadata if approved and aggregated, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with Jira or Linear, GitHub or GitLab, calendar metadata if approved and aggregated, and related approved sources. It misses the operating risk: Distributed capacity fails when decision latency exceeds the work's coordination tolerance.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-004: "Where does time-zone overlap materially affect cycle time?"
Use only aggregate, redacted, or metadata level evidence from: Jira or Linear, GitHub or GitLab, calendar metadata if approved and aggregated, incident system.
Minimum evidence to check: blocked time, handoff delay, review latency, incident response requirements.
Use these public model references if relevant: incentive_compatibility_constraint, synchronization_penalty.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-005: What review capacity must exist before adding distributed contributors?

Audience: US CTO, US CIO, VP Engineering

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, review-capacity, contributors, scaling, review_capacity, distributed_contributors

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Additional contributors can increase bottlenecks if review and architecture authority do not scale.

Doctrine boundary: Distributed contributors should be added only after reviewer availability and architecture authority can meet a defined review service level without increasing correction rate, approval latency, or queue age.

Evidence to request from internal MCP:
- pull request system
- work tracker
- architecture reviews

Minimum evidence:
- PR volume
- review queue age
- reviewer availability
- correction rate

Math and model references:
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)

Good answer must include:
- Compare PR volume, review queue age, reviewer availability, correction rate, and approval latency before and after capacity changes.
- Evidence from pull request system, work tracker, architecture reviews.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with pull request system, work tracker, architecture reviews. It misses the operating risk: Additional contributors can increase bottlenecks if review and architecture authority do not scale.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-005: "What review capacity must exist before adding distributed contributors?"
Use only aggregate, redacted, or metadata level evidence from: pull request system, work tracker, architecture reviews.
Minimum evidence to check: PR volume, review queue age, reviewer availability, correction rate.
Use these public model references if relevant: strict_complementarity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-006: Which systems or services are ready for external or distributed ownership?

Audience: US CTO, US CIO, VP Engineering, CIO, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, ownership, services, distributed, service_ownership, external_ownership

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Ownership requires knowledge, test coverage, runbooks, telemetry, and clear escalation paths.

Doctrine boundary: A service is ready for distributed ownership when ownership is explicit and current documentation, tests, deployment controls, telemetry, runbooks, escalation paths, and rollback procedures make operation reproducible.

Evidence to request from internal MCP:
- service catalog
- runbooks
- CI/CD
- deployment system
- incident system

Minimum evidence:
- documentation quality
- test reliability
- deployment reproducibility
- ownership clarity

Math and model references:
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- dependency_density: E_max = N(N-1)/2; D = E/E_max (A system with N nodes can contain at most N(N-1)/2 undirected pairwise dependencies. Actual dependency density is the observed edge count divided by that bound.)

Good answer must include:
- Score each service by documentation quality, incident history, test reliability, deployment reproducibility, and ownership clarity.
- Evidence from service catalog, runbooks, CI/CD, deployment system, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Knowledge and Architecture Memory Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with service catalog, runbooks, CI/CD, and related approved sources. It misses the operating risk: Ownership requires knowledge, test coverage, runbooks, telemetry, and clear escalation paths.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-006: "Which systems or services are ready for external or distributed ownership?"
Use only aggregate, redacted, or metadata level evidence from: service catalog, runbooks, CI/CD, deployment system, incident system.
Minimum evidence to check: documentation quality, test reliability, deployment reproducibility, ownership clarity.
Use these public model references if relevant: sequential_probability_network, dependency_density.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-007: What access should each contributor type have?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, access, permissions, security, access_boundary, contributor_type

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Capacity topology creates security and IP exposure if access is not role- and risk-based.

Doctrine boundary: Each contributor type should receive the least repository, environment, data, secret, deployment, and production access required for its approved work, with time bounds, auditability, and revocation.

Evidence to request from internal MCP:
- identity provider
- repository permissions
- deployment permissions
- security policy

Minimum evidence:
- access class
- repository scope
- environment permission
- production authority

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)

Good answer must include:
- Map contributor types to repository, environment, data, secrets, deployment, and production permissions.
- Evidence from identity provider, repository permissions, deployment permissions, security policy.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with identity provider, repository permissions, deployment permissions, and related approved sources. It misses the operating risk: Capacity topology creates security and IP exposure if access is not role- and risk-based.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-007: "What access should each contributor type have?"
Use only aggregate, redacted, or metadata level evidence from: identity provider, repository permissions, deployment permissions, security policy.
Minimum evidence to check: access class, repository scope, environment permission, production authority.
Use these public model references if relevant: engineering_performance_function, sequential_probability_network, strict_complementarity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-008: What is the ramp curve from onboarding to independent contribution?

Audience: US CTO, US CIO, VP Engineering

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, onboarding, ramp, independence, ramp_curve, independent_contribution

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Capacity is not real until contributors can produce safely without excessive supervision.

Doctrine boundary: The ramp curve is the measured progression from access and context acquisition to first accepted change, independent task completion, production-safe contribution, and ownership with declining correction and escalation rates.

Evidence to request from internal MCP:
- work tracker
- pull request system
- onboarding records
- escalation logs

Minimum evidence:
- time to first accepted PR
- independent task completion
- correction rate
- escalation frequency

Math and model references:
- l2_adjusted_score: s_adj = s_raw - beta * (f_error - E[f | P]) (Language form errors should not be allowed to erase correct technical reasoning.)

Good answer must include:
- Measure time to first accepted PR, time to independent task completion, review correction rate, and escalation frequency.
- Evidence from work tracker, pull request system, onboarding records, escalation logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Knowledge and Architecture Memory Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with work tracker, pull request system, onboarding records, and related approved sources. It misses the operating risk: Capacity is not real until contributors can produce safely without excessive supervision.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-008: "What is the ramp curve from onboarding to independent contribution?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, onboarding records, escalation logs.
Minimum evidence to check: time to first accepted PR, independent task completion, correction rate, escalation frequency.
Use these public model references if relevant: l2_adjusted_score.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-009: Which communication rituals reduce decision latency?

Audience: US CTO, US CIO, VP Engineering, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, rituals, coordination, latency, decision_latency, operating_rituals

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Distributed systems need explicit coordination mechanisms.

Doctrine boundary: Useful communication rituals reduce decision latency by making ownership, decision records, handoffs, escalation windows, and unresolved blockers explicit without adding more meeting load than the delay they remove.

Evidence to request from internal MCP:
- work tracker
- decision records
- calendar metadata if approved and aggregated
- pull request system

Minimum evidence:
- blocked states
- decision wait time
- handoff delay
- meeting load

Math and model references:
- incentive_compatibility_constraint: p_n * w_i - c >= zeta_i^x * w_i (A contributor exerts effort when the expected value of working is greater than the expected value of shirking.)
- synchronization_penalty: S_p = sum(T_wait + T_context_switch) (Distributed work pays a penalty whenever waiting time and context switching replace direct feedback.)

Good answer must include:
- Compare blocked states, decision wait time, rework, handoff delay, and meeting load before and after ritual changes.
- Evidence from work tracker, decision records, calendar metadata if approved and aggregated, pull request system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with work tracker, decision records, calendar metadata if approved and aggregated, and related approved sources. It misses the operating risk: Distributed systems need explicit coordination mechanisms.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-009: "Which communication rituals reduce decision latency?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, decision records, calendar metadata if approved and aggregated, pull request system.
Minimum evidence to check: blocked states, decision wait time, handoff delay, meeting load.
Use these public model references if relevant: incentive_compatibility_constraint, synchronization_penalty.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### topology-010: What is the exit path if a capacity topology underperforms?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#distributed_capacity_topology

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, distributed capacity topology, team topology, partner topology, platform topology, exit-plan, governance, reversibility, exit_readiness

Decision context: Use when leaders must decide how work should be distributed across internal teams, partners, platforms, geographies, and AI systems.

Why it matters: Governance requires reversibility, not only rollout plans.

Doctrine boundary: A governed exit path preserves service continuity through documented ownership transfer, knowledge capture, access revocation, IP confirmation, work reassignment, and rollback or replacement triggers defined before rollout.

Evidence to request from internal MCP:
- contracts or operating agreements
- access policy
- service ownership map
- documentation inventory

Minimum evidence:
- exit plan
- access removal
- ownership transfer
- service continuity

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)

Good answer must include:
- Verify ownership transfer, documentation continuity, access removal, IP control, work reassignment, and service continuity plans.
- Evidence from contracts or operating agreements, access policy, service ownership map, documentation inventory.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic distributed capacity topology diagnosis instead of proving the research question with contracts or operating agreements, access policy, service ownership map, and related approved sources. It misses the operating risk: Governance requires reversibility, not only rollout plans.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer topology-010: "What is the exit path if a capacity topology underperforms?"
Use only aggregate, redacted, or metadata level evidence from: contracts or operating agreements, access policy, service ownership map, documentation inventory.
Minimum evidence to check: exit plan, access removal, ownership transfer, service continuity.
Use these public model references if relevant: engineering_performance_function, sequential_probability_network, strict_complementarity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

### Knowledge Architecture and Memory

#### knowledge-001: Which parts of the engineering system depend on tribal knowledge?

Audience: US CTO, US CIO, VP Engineering, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#knowledge_architecture_memory

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, knowledge architecture, architecture memory, ownership map, context loss, knowledge, tribal-knowledge, architecture, explicit_knowledge, knowledge_dependency

Decision context: Use when leaders need to understand whether delivery is blocked by missing context, ownership gaps, weak documentation, or architecture memory loss.

Why it matters: Tribal knowledge limits distributed execution and safe AI assistance.

Doctrine boundary: Tribal-knowledge dependencies are system areas where delivery, review, deployment, or incident response repeatedly requires specific individuals because the necessary decisions, constraints, or procedures are not durable artifacts.

Evidence to request from internal MCP:
- work tracker
- service ownership map
- documentation inventory
- incident system

Minimum evidence:
- repeated escalation
- undocumented decision
- onboarding blocker
- individual dependency

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- cognitive_fidelity: Quality ~ isomorphism(M_e, S_sys) (Quality depends on how closely an engineer's mental model matches the actual system state.)

Good answer must include:
- Identify repeated escalations, undocumented decisions, onboarding blockers, and work items requiring specific individuals.
- Evidence from work tracker, service ownership map, documentation inventory, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Knowledge and Architecture Memory Report.

Common failure modes:
- A weak answer gives a generic knowledge architecture memory diagnosis instead of proving the research question with work tracker, service ownership map, documentation inventory, and related approved sources. It misses the operating risk: Tribal knowledge limits distributed execution and safe AI assistance.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer knowledge-001: "Which parts of the engineering system depend on tribal knowledge?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, service ownership map, documentation inventory, incident system.
Minimum evidence to check: repeated escalation, undocumented decision, onboarding blocker, individual dependency.
Use these public model references if relevant: engineering_performance_function, cognitive_fidelity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### knowledge-002: How current are architecture decision records?

Audience: US CTO, US CIO, VP Engineering, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#knowledge_architecture_memory

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, knowledge architecture, architecture memory, ownership map, context loss, adr, architecture, documentation, architecture_memory, decision_record

Decision context: Use when leaders need to understand whether delivery is blocked by missing context, ownership gaps, weak documentation, or architecture memory loss.

Why it matters: Distributed contributors and agents need explicit architectural intent.

Doctrine boundary: Architecture decision records are current only when they still match deployed services, dependencies, constraints, ownership, and recent implementation and incident evidence; document age alone does not establish validity.

Evidence to request from internal MCP:
- architecture decision records
- service catalog
- repository history
- incident reviews

Minimum evidence:
- ADR freshness
- service dependency match
- recent decision coverage
- incident linkage

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)

Good answer must include:
- Compare architecture records against current services, dependencies, incidents, and recent implementation choices.
- Evidence from architecture decision records, service catalog, repository history, incident reviews.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Knowledge and Architecture Memory Report.

Common failure modes:
- A weak answer gives a generic knowledge architecture memory diagnosis instead of proving the research question with architecture decision records, service catalog, repository history, and related approved sources. It misses the operating risk: Distributed contributors and agents need explicit architectural intent.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer knowledge-002: "How current are architecture decision records?"
Use only aggregate, redacted, or metadata level evidence from: architecture decision records, service catalog, repository history, incident reviews.
Minimum evidence to check: ADR freshness, service dependency match, recent decision coverage, incident linkage.
Use these public model references if relevant: engineering_performance_function, sequential_probability_network, strict_complementarity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### knowledge-003: Which services have clear ownership maps?

Audience: US CTO, US CIO, VP Engineering, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#knowledge_architecture_memory

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, knowledge architecture, architecture memory, ownership map, context loss, ownership, service-map, runbooks, service_ownership, escalation_path

Decision context: Use when leaders need to understand whether delivery is blocked by missing context, ownership gaps, weak documentation, or architecture memory loss.

Why it matters: Ownership ambiguity creates delays, rework, and incident risk.

Doctrine boundary: A clear service ownership map names the accountable owner, review authority, operational responder, escalation path, and support expectation for every production service and critical dependency.

Evidence to request from internal MCP:
- service catalog
- ownership map
- incident system
- pull request system

Minimum evidence:
- named owner
- escalation path
- review authority
- support expectation

Math and model references:
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- dependency_density: E_max = N(N-1)/2; D = E/E_max (A system with N nodes can contain at most N(N-1)/2 undirected pairwise dependencies. Actual dependency density is the observed edge count divided by that bound.)

Good answer must include:
- Verify each service has named owners, escalation paths, review authorities, and support expectations.
- Evidence from service catalog, ownership map, incident system, pull request system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Knowledge and Architecture Memory Report.

Common failure modes:
- A weak answer gives a generic knowledge architecture memory diagnosis instead of proving the research question with service catalog, ownership map, incident system, and related approved sources. It misses the operating risk: Ownership ambiguity creates delays, rework, and incident risk.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer knowledge-003: "Which services have clear ownership maps?"
Use only aggregate, redacted, or metadata level evidence from: service catalog, ownership map, incident system, pull request system.
Minimum evidence to check: named owner, escalation path, review authority, support expectation.
Use these public model references if relevant: sequential_probability_network, dependency_density.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### knowledge-004: What knowledge must a contributor have before production-impacting work?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#knowledge_architecture_memory

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, knowledge architecture, architecture memory, ownership map, context loss, production, delegation, knowledge, production_readiness, approval_boundary

Decision context: Use when leaders need to understand whether delivery is blocked by missing context, ownership gaps, weak documentation, or architecture memory loss.

Why it matters: Unsafe delegation often starts with insufficient context.

Doctrine boundary: Before production-impacting work, a contributor needs verified knowledge of service behavior, architecture constraints, data sensitivity, tests, deployment and rollback procedures, incident history, and approval boundaries.

Evidence to request from internal MCP:
- runbooks
- deployment procedures
- test strategy
- incident reviews
- approval policy

Minimum evidence:
- required knowledge checklist
- deployment process
- incident history
- approval boundary

Math and model references:
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)
- cognitive_fidelity: Quality ~ isomorphism(M_e, S_sys) (Quality depends on how closely an engineer's mental model matches the actual system state.)

Good answer must include:
- Define required service knowledge, system constraints, tests, deployment process, incident history, and approval boundaries.
- Evidence from runbooks, deployment procedures, test strategy, incident reviews, approval policy.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Knowledge and Architecture Memory Report.

Common failure modes:
- A weak answer gives a generic knowledge architecture memory diagnosis instead of proving the research question with runbooks, deployment procedures, test strategy, and related approved sources. It misses the operating risk: Unsafe delegation often starts with insufficient context.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer knowledge-004: "What knowledge must a contributor have before production-impacting work?"
Use only aggregate, redacted, or metadata level evidence from: runbooks, deployment procedures, test strategy, incident reviews, approval policy.
Minimum evidence to check: required knowledge checklist, deployment process, incident history, approval boundary.
Use these public model references if relevant: strict_complementarity, cognitive_fidelity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### knowledge-005: Which knowledge sources are safe for AI retrieval?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#knowledge_architecture_memory

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, knowledge architecture, architecture memory, ownership map, context loss, ai-retrieval, privacy, knowledge, retrieval_boundary, privacy_class

Decision context: Use when leaders need to understand whether delivery is blocked by missing context, ownership gaps, weak documentation, or architecture memory loss.

Why it matters: Agentic workflows need context without exposing secrets, customer data, or sensitive records.

Doctrine boundary: AI retrieval should be limited to approved, access-controlled knowledge whose sensitivity is classified and whose content excludes secrets, customer records, privileged logs, and other data outside the agent's task boundary.

Evidence to request from internal MCP:
- documentation system
- security classification
- AI tool policy
- identity provider

Minimum evidence:
- sensitivity class
- retrieval permission
- redaction rule
- audit requirement

Math and model references:
- frechet_semantic_distance: FSD(y_q,b_q)=||mu_y-mu_b||_2^2 + Tr(Sigma_y + Sigma_b - 2(Sigma_y^(1/2) Sigma_b Sigma_y^(1/2))^(1/2)) (Semantic similarity should be measured by meaning, not surface phrasing.)

Good answer must include:
- Classify documentation, tickets, code references, runbooks, logs, and incidents by sensitivity and retrieval permission.
- Evidence from documentation system, security classification, AI tool policy, identity provider.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Agent Delegation Safety Matrix.

Common failure modes:
- A weak answer gives a generic knowledge architecture memory diagnosis instead of proving the research question with documentation system, security classification, AI tool policy, and related approved sources. It misses the operating risk: Agentic workflows need context without exposing secrets, customer data, or sensitive records.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer knowledge-005: "Which knowledge sources are safe for AI retrieval?"
Use only aggregate, redacted, or metadata level evidence from: documentation system, security classification, AI tool policy, identity provider.
Minimum evidence to check: sensitivity class, retrieval permission, redaction rule, audit requirement.
Use these public model references if relevant: frechet_semantic_distance.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### knowledge-006: Where does documentation drift create delivery risk?

Audience: US CTO, US CIO, VP Engineering, Platform Leader, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#knowledge_architecture_memory

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, knowledge architecture, architecture memory, ownership map, context loss, documentation-drift, risk, agents, doc_freshness, procedure_drift

Decision context: Use when leaders need to understand whether delivery is blocked by missing context, ownership gaps, weak documentation, or architecture memory loss.

Why it matters: Outdated documentation causes incorrect decisions by humans and agents.

Doctrine boundary: Documentation drift creates delivery risk wherever documented ownership, deployment, recovery, architecture, or policy no longer matches observed system behavior and can cause a human or agent to take an invalid action.

Evidence to request from internal MCP:
- documentation system
- CI/CD
- deployment system
- incident system

Minimum evidence:
- documented procedure
- actual procedure
- drift instance
- risk impact

Math and model references:
- dependency_density: E_max = N(N-1)/2; D = E/E_max (A system with N nodes can contain at most N(N-1)/2 undirected pairwise dependencies. Actual dependency density is the observed edge count divided by that bound.)
- cognitive_fidelity: Quality ~ isomorphism(M_e, S_sys) (Quality depends on how closely an engineer's mental model matches the actual system state.)

Good answer must include:
- Compare documented procedures against actual deployment paths, incident response steps, code ownership, and pipeline behavior.
- Evidence from documentation system, CI/CD, deployment system, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Knowledge and Architecture Memory Report.

Common failure modes:
- A weak answer gives a generic knowledge architecture memory diagnosis instead of proving the research question with documentation system, CI/CD, deployment system, and related approved sources. It misses the operating risk: Outdated documentation causes incorrect decisions by humans and agents.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer knowledge-006: "Where does documentation drift create delivery risk?"
Use only aggregate, redacted, or metadata level evidence from: documentation system, CI/CD, deployment system, incident system.
Minimum evidence to check: documented procedure, actual procedure, drift instance, risk impact.
Use these public model references if relevant: dependency_density, cognitive_fidelity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### knowledge-007: How are incidents converted into durable system memory?

Audience: US CTO, US CIO, VP Engineering, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#knowledge_architecture_memory

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, knowledge architecture, architecture memory, ownership map, context loss, incidents, learning, memory, incident_memory, durable_learning

Decision context: Use when leaders need to understand whether delivery is blocked by missing context, ownership gaps, weak documentation, or architecture memory loss.

Why it matters: Learning requires failures to update rules, tests, runbooks, and agent instructions.

Doctrine boundary: An incident becomes durable system memory only when verified lessons update executable controls such as tests, alerts, runbooks, ownership, architecture records, workflow rules, or agent instructions.

Evidence to request from internal MCP:
- incident system
- runbooks
- test suite
- workflow rules
- agent instructions

Minimum evidence:
- incident outcome
- updated test
- updated runbook
- new workflow rule

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)

Good answer must include:
- Verify incident outcomes produced updated tests, documentation, alerts, workflow rules, or governance constraints.
- Evidence from incident system, runbooks, test suite, workflow rules, agent instructions.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Knowledge and Architecture Memory Report.

Common failure modes:
- A weak answer gives a generic knowledge architecture memory diagnosis instead of proving the research question with incident system, runbooks, test suite, and related approved sources. It misses the operating risk: Learning requires failures to update rules, tests, runbooks, and agent instructions.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer knowledge-007: "How are incidents converted into durable system memory?"
Use only aggregate, redacted, or metadata level evidence from: incident system, runbooks, test suite, workflow rules, agent instructions.
Minimum evidence to check: incident outcome, updated test, updated runbook, new workflow rule.
Use these public model references if relevant: engineering_performance_function, sequential_probability_network, strict_complementarity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### knowledge-008: What evidence proves a distributed contributor is ready for ownership?

Audience: US CTO, US CIO, VP Engineering

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#knowledge_architecture_memory

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, knowledge architecture, architecture memory, ownership map, context loss, ownership-readiness, distributed, evidence, ownership_readiness, evidence_based_delegation

Decision context: Use when leaders need to understand whether delivery is blocked by missing context, ownership gaps, weak documentation, or architecture memory loss.

Why it matters: Ownership should be evidence-based, not tenure-based.

Doctrine boundary: Ownership readiness is demonstrated by accepted work, accurate system explanations, reliable deployments, low correction rates, sound incident behavior, and appropriate escalation across a representative evidence window.

Evidence to request from internal MCP:
- pull request system
- work tracker
- incident system
- deployment system

Minimum evidence:
- accepted work
- correction rate
- deployment success
- escalation behavior

Math and model references:
- strict_complementarity: p_{k+2} - p_{k+1} > p_{k+1} - p_k (Improving one node creates more value when the rest of the chain is already strong. Strong people at the wrong point in a broken chain can be wasted.)
- l2_adjusted_score: s_adj = s_raw - beta * (f_error - E[f | P]) (Language form errors should not be allowed to erase correct technical reasoning.)
- frechet_semantic_distance: FSD(y_q,b_q)=||mu_y-mu_b||_2^2 + Tr(Sigma_y + Sigma_b - 2(Sigma_y^(1/2) Sigma_b Sigma_y^(1/2))^(1/2)) (Semantic similarity should be measured by meaning, not surface phrasing.)

Good answer must include:
- Review accepted work, correction rate, service understanding, incident handling, deployment success, and escalation behavior.
- Evidence from pull request system, work tracker, incident system, deployment system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic knowledge architecture memory diagnosis instead of proving the research question with pull request system, work tracker, incident system, and related approved sources. It misses the operating risk: Ownership should be evidence-based, not tenure-based.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer knowledge-008: "What evidence proves a distributed contributor is ready for ownership?"
Use only aggregate, redacted, or metadata level evidence from: pull request system, work tracker, incident system, deployment system.
Minimum evidence to check: accepted work, correction rate, deployment success, escalation behavior.
Use these public model references if relevant: strict_complementarity, l2_adjusted_score, frechet_semantic_distance.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

### Execution Harness

#### execution-001: How standardized are CI/CD pipelines across teams, services, and contributor types?

Audience: US CTO, US CIO, VP Engineering, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, ci-cd, standardization, execution, execution_harness, pipeline_standardization

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Distributed and AI-assisted capacity requires reproducible execution, not local delivery customs.

Doctrine boundary: CI/CD is standardized when teams and contributor types use versioned pipeline templates, required quality and approval gates, consistent deployment paths, controlled exceptions, and equivalent audit evidence.

Evidence to request from internal MCP:
- CI/CD
- deployment system
- repository templates
- exception logs

Minimum evidence:
- pipeline template
- required gate
- manual override
- exception frequency

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)

Good answer must include:
- Compare pipeline templates, required gates, deployment paths, manual overrides, and exception frequency.
- Evidence from CI/CD, deployment system, repository templates, exception logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Execution Determinism Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with CI/CD, deployment system, repository templates, and related approved sources. It misses the operating risk: Distributed and AI-assisted capacity requires reproducible execution, not local delivery customs.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-001: "How standardized are CI/CD pipelines across teams, services, and contributor types?"
Use only aggregate, redacted, or metadata level evidence from: CI/CD, deployment system, repository templates, exception logs.
Minimum evidence to check: pipeline template, required gate, manual override, exception frequency.
Use these public model references if relevant: engineering_performance_function.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-002: Where does execution variance enter the delivery system?

Audience: US CTO, US CIO, VP Engineering, DevOps Leader, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, variance, delivery, environment, execution_variance, environment_drift

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Variance hides inside local workflow differences, skipped gates, environment drift, and undocumented release paths.

Doctrine boundary: Execution variance enters wherever teams use divergent templates, manual steps, skipped gates, environment-specific behavior, undocumented release paths, or ungoverned overrides that change outcomes for equivalent work.

Evidence to request from internal MCP:
- CI/CD
- deployment system
- work tracker
- environment inventory

Minimum evidence:
- manual step
- skipped gate
- template divergence
- environment drift

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- kingman_wait_time: E[W_q] approx (rho / (1-rho)) * ((C_a^2 + C_s^2) / 2) * tau (As utilization approaches 100 percent, wait time explodes. Variance makes the queue worse.)

Good answer must include:
- Trace delivery flows by team and identify manual steps, skipped gates, divergent templates, and environment-specific behavior.
- Evidence from CI/CD, deployment system, work tracker, environment inventory.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Execution Determinism Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with CI/CD, deployment system, work tracker, and related approved sources. It misses the operating risk: Variance hides inside local workflow differences, skipped gates, environment drift, and undocumented release paths.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-002: "Where does execution variance enter the delivery system?"
Use only aggregate, redacted, or metadata level evidence from: CI/CD, deployment system, work tracker, environment inventory.
Minimum evidence to check: manual step, skipped gate, template divergence, environment drift.
Use these public model references if relevant: engineering_performance_function, sequential_probability_network, kingman_wait_time.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-003: Which SDLC controls are system-enforced versus manually enforced?

Audience: US CTO, US CIO, VP Engineering, CIO, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, controls, automation, governance, system_enforcement, manual_control

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Manual enforcement breaks under scale, distribution, and agentic speed.

Doctrine boundary: A control is system-enforced when the delivery platform automatically applies and records it; a policy, checklist, or reviewer habit is manually enforced and should not be treated as deterministic control.

Evidence to request from internal MCP:
- CI/CD
- policy documentation
- repository settings
- approval workflow

Minimum evidence:
- control class
- automation status
- manual gate
- undocumented exception

Math and model references:
- wip_rule_of_two: WIP_person <= 2 (A contributor should not carry unlimited active work. Too much WIP hides blocked flow and destroys feedback.)
- mttr_limit_behavior: lim_{MTTR -> 0} MTBF / (MTBF + MTTR) = 1 (As recovery time approaches zero, availability approaches one even when failures still happen.)

Good answer must include:
- Classify each SDLC control as automated, policy-enforced, manually enforced, or undocumented.
- Evidence from CI/CD, policy documentation, repository settings, approval workflow.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Execution Determinism Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with CI/CD, policy documentation, repository settings, and related approved sources. It misses the operating risk: Manual enforcement breaks under scale, distribution, and agentic speed.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-003: "Which SDLC controls are system-enforced versus manually enforced?"
Use only aggregate, redacted, or metadata level evidence from: CI/CD, policy documentation, repository settings, approval workflow.
Minimum evidence to check: control class, automation status, manual gate, undocumented exception.
Use these public model references if relevant: wip_rule_of_two, mttr_limit_behavior.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-004: How reproducible are production deployments across services?

Audience: US CTO, US CIO, VP Engineering, DevOps Leader, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, deployment, reproducibility, rollback, deployment_determinism, release_path

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: A topology can scale only when deployments behave as governed system states.

Doctrine boundary: Production deployments are reproducible when equivalent versioned inputs, environment state, approvals, and pipeline rules produce consistent releases with tested rollback paths and explainable outcomes across services.

Evidence to request from internal MCP:
- deployment system
- CI/CD
- environment inventory
- rollback records

Minimum evidence:
- deployment input
- approval path
- rollback record
- post-deploy outcome

Math and model references:
- availability_mttr: A = MTBF / (MTBF + MTTR) (Availability improves when recovery time drops. Modern software systems should optimize fast recovery, not frozen change.)
- mttr_limit_behavior: lim_{MTTR -> 0} MTBF / (MTBF + MTTR) = 1 (As recovery time approaches zero, availability approaches one even when failures still happen.)

Good answer must include:
- Compare deployment inputs, environment state, approval paths, rollback readiness, and post-deploy outcomes across services.
- Evidence from deployment system, CI/CD, environment inventory, rollback records.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Execution Determinism Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with deployment system, CI/CD, environment inventory, and related approved sources. It misses the operating risk: A topology can scale only when deployments behave as governed system states.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-004: "How reproducible are production deployments across services?"
Use only aggregate, redacted, or metadata level evidence from: deployment system, CI/CD, environment inventory, rollback records.
Minimum evidence to check: deployment input, approval path, rollback record, post-deploy outcome.
Use these public model references if relevant: availability_mttr, mttr_limit_behavior.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-005: Where do pipeline failures originate most frequently?

Audience: US CTO, US CIO, VP Engineering, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, pipeline-failure, root-cause, ci-cd, failure_origin, build_stage

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Failure concentration reveals weak execution stages before capacity increases amplify them.

Doctrine boundary: The dominant pipeline failure origin is the stage and cause class with the highest recurring failure burden after runs are classified by build, test, security, approval, environment, deployment, and recovery behavior.

Evidence to request from internal MCP:
- CI/CD
- incident system
- deployment system

Minimum evidence:
- failure stage
- cause class
- recovery path
- recurrence

Math and model references:
- availability_mttr: A = MTBF / (MTBF + MTTR) (Availability improves when recovery time drops. Modern software systems should optimize fast recovery, not frozen change.)

Good answer must include:
- Classify failed pipeline runs by stage, owner, cause class, recovery path, and recurrence.
- Evidence from CI/CD, incident system, deployment system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Execution Determinism Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with CI/CD, incident system, deployment system. It misses the operating risk: Failure concentration reveals weak execution stages before capacity increases amplify them.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-005: "Where do pipeline failures originate most frequently?"
Use only aggregate, redacted, or metadata level evidence from: CI/CD, incident system, deployment system.
Minimum evidence to check: failure stage, cause class, recovery path, recurrence.
Use these public model references if relevant: availability_mttr.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-006: Who defines and changes execution rules in the SDLC?

Audience: US CTO, US CIO, VP Engineering, CIO, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, execution-rules, ownership, audit, rule_owner, execution_policy

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Execution rule ownership is required before distributed teams or agents can safely modify workflows.

Doctrine boundary: Execution rules require named owners, authorized approvers, versioned change records, audit history, exception handling, and rollback authority before teams or agents can modify them safely.

Evidence to request from internal MCP:
- policy documentation
- CI/CD config
- audit logs
- change management records

Minimum evidence:
- rule owner
- approval authority
- change process
- audit record

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- kingman_wait_time: E[W_q] approx (rho / (1-rho)) * ((C_a^2 + C_s^2) / 2) * tau (As utilization approaches 100 percent, wait time explodes. Variance makes the queue worse.)

Good answer must include:
- Map SDLC execution rules to owners, approval authority, change process, and audit record.
- Evidence from policy documentation, CI/CD config, audit logs, change management records.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with policy documentation, CI/CD config, audit logs, and related approved sources. It misses the operating risk: Execution rule ownership is required before distributed teams or agents can safely modify workflows.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-006: "Who defines and changes execution rules in the SDLC?"
Use only aggregate, redacted, or metadata level evidence from: policy documentation, CI/CD config, audit logs, change management records.
Minimum evidence to check: rule owner, approval authority, change process, audit record.
Use these public model references if relevant: engineering_performance_function, sequential_probability_network, kingman_wait_time.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-007: How are workflow standards propagated across teams?

Audience: US CTO, US CIO, VP Engineering, Platform Leader, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, standards, propagation, workflow, workflow_standard, policy_enforcement

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Scaling requires controlled propagation of standards rather than informal copying.

Doctrine boundary: Workflow standards propagate reliably through versioned templates, automated checks, controlled rollout, conformance telemetry, and explicit exception records rather than documentation and informal copying alone.

Evidence to request from internal MCP:
- repository templates
- CI/CD
- documentation
- exception logs

Minimum evidence:
- standard template
- automated check
- rollout record
- exception

Math and model references:
- wip_rule_of_two: WIP_person <= 2 (A contributor should not carry unlimited active work. Too much WIP hides blocked flow and destroys feedback.)

Good answer must include:
- Compare documented standards with templates, automated checks, rollout records, and exception logs.
- Evidence from repository templates, CI/CD, documentation, exception logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Execution Determinism Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with repository templates, CI/CD, documentation, and related approved sources. It misses the operating risk: Scaling requires controlled propagation of standards rather than informal copying.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-007: "How are workflow standards propagated across teams?"
Use only aggregate, redacted, or metadata level evidence from: repository templates, CI/CD, documentation, exception logs.
Minimum evidence to check: standard template, automated check, rollout record, exception.
Use these public model references if relevant: wip_rule_of_two.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-008: What is the cost of pipeline inconsistency?

Audience: US CTO, US CIO, VP Engineering, CIO, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, cost, pipeline, inconsistency, pipeline_cost, release_risk

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Inconsistency converts capacity into waiting, rework, release risk, and operational overhead.

Doctrine boundary: Pipeline inconsistency costs the engineering system the measured cycle time, failed runs, manual intervention, rework, rollback exposure, and release delay attributable to divergent execution paths.

Evidence to request from internal MCP:
- CI/CD
- deployment system
- work tracker
- incident system

Minimum evidence:
- cycle time by pipeline class
- failed run rate
- manual intervention
- rollback event

Math and model references:
- little_law: L = lambda * W (Average work in progress equals throughput multiplied by time in system.)

Good answer must include:
- Compare cycle time, failed runs, manual intervention, rollback events, and rework by pipeline class.
- Evidence from CI/CD, deployment system, work tracker, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Execution Determinism Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with CI/CD, deployment system, work tracker, and related approved sources. It misses the operating risk: Inconsistency converts capacity into waiting, rework, release risk, and operational overhead.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-008: "What is the cost of pipeline inconsistency?"
Use only aggregate, redacted, or metadata level evidence from: CI/CD, deployment system, work tracker, incident system.
Minimum evidence to check: cycle time by pipeline class, failed run rate, manual intervention, rollback event.
Use these public model references if relevant: little_law.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-009: Which execution paths are safe for AI-assisted or external contributors?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, ai, external-contributors, execution-path, safe_delegation, approval_path

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Delegation safety depends on deterministic test, review, approval, deployment, and rollback paths.

Doctrine boundary: An execution path is safe for AI-assisted or external contribution only when permissions are bounded and tests, review, approval, deployment, audit, and rollback controls constrain the path's blast radius.

Evidence to request from internal MCP:
- CI/CD
- deployment system
- policy documentation
- audit logs

Minimum evidence:
- test reliability
- approval boundary
- production impact
- rollback readiness

Math and model references:
- mutation_score: MS = K / (T - E) (Test quality is measured by whether tests kill injected faults, not whether lines were merely executed.)

Good answer must include:
- Classify execution paths by test reliability, approval boundary, production impact, auditability, and rollback readiness.
- Evidence from CI/CD, deployment system, policy documentation, audit logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Agent Delegation Safety Matrix.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with CI/CD, deployment system, policy documentation, and related approved sources. It misses the operating risk: Delegation safety depends on deterministic test, review, approval, deployment, and rollback paths.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-009: "Which execution paths are safe for AI-assisted or external contributors?"
Use only aggregate, redacted, or metadata level evidence from: CI/CD, deployment system, policy documentation, audit logs.
Minimum evidence to check: test reliability, approval boundary, production impact, rollback readiness.
Use these public model references if relevant: mutation_score.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### execution-010: What breaks in execution when delivery volume increases?

Audience: US CTO, US CIO, VP Engineering, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#execution_harness

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, execution harness, SDLC control, CI/CD governance, deployment reproducibility, volume, scaling, execution, delivery_volume, execution_saturation

Decision context: Use when leaders need to evaluate whether the SDLC turns commits into reproducible build, test, approval, and release outcomes.

Why it matters: Volume exposes weak gates, slow reviews, unstable environments, and fragile deployment paths.

Doctrine boundary: When delivery volume rises, the first execution failures appear at gates whose service capacity does not scale, including review, tests, environments, approvals, deployment concurrency, and rollback handling.

Evidence to request from internal MCP:
- CI/CD
- deployment system
- pull request system
- work tracker

Minimum evidence:
- volume change
- failure rate
- queue time
- environment conflict

Math and model references:
- sequential_probability_network: P = product(p_i) for i=1..n (In a sequential engineering chain, the probability of system success is multiplied across nodes. One weak upstream node can cap the entire downstream system.)
- kingman_wait_time: E[W_q] approx (rho / (1-rho)) * ((C_a^2 + C_s^2) / 2) * tau (As utilization approaches 100 percent, wait time explodes. Variance makes the queue worse.)

Good answer must include:
- Compare failure rates, queue times, environment conflicts, rollback events, and approval latency before and after volume changes.
- Evidence from CI/CD, deployment system, pull request system, work tracker.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Execution Determinism Report.

Common failure modes:
- A weak answer gives a generic execution harness diagnosis instead of proving the research question with CI/CD, deployment system, pull request system, and related approved sources. It misses the operating risk: Volume exposes weak gates, slow reviews, unstable environments, and fragile deployment paths.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer execution-010: "What breaks in execution when delivery volume increases?"
Use only aggregate, redacted, or metadata level evidence from: CI/CD, deployment system, pull request system, work tracker.
Minimum evidence to check: volume change, failure rate, queue time, environment conflict.
Use these public model references if relevant: sequential_probability_network, kingman_wait_time.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

### Decision Grade Telemetry

#### telemetry-001: Which engineering signals are trusted enough to govern capacity topology decisions?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#decision_grade_telemetry

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering telemetry, delivery observability, telemetry trust, flow metrics, telemetry, decision-grade, metrics, telemetry_trust, decision_signal

Decision context: Use when leaders need to decide whether engineering metrics are trusted enough to govern delivery, capacity, risk, and intervention timing.

Why it matters: Topology decisions require evidence that explains delivery behavior, not dashboard activity.

Doctrine boundary: A signal is trusted for topology governance only when its source, definition, freshness, coverage, aggregation, known bias, and history of decision use are documented and tied to delivery outcomes.

Evidence to request from internal MCP:
- work tracker
- CI/CD
- deployment system
- incident system
- observability dashboards

Minimum evidence:
- metric source
- freshness
- coverage
- decision history

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)

Good answer must include:
- Inventory metrics used for decisions and classify each by source reliability, freshness, coverage, and decision history.
- Evidence from work tracker, CI/CD, deployment system, incident system, observability dashboards.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic decision grade telemetry diagnosis instead of proving the research question with work tracker, CI/CD, deployment system, and related approved sources. It misses the operating risk: Topology decisions require evidence that explains delivery behavior, not dashboard activity.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer telemetry-001: "Which engineering signals are trusted enough to govern capacity topology decisions?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, CI/CD, deployment system, incident system, observability dashboards.
Minimum evidence to check: metric source, freshness, coverage, decision history.
Use these public model references if relevant: engineering_performance_function.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### telemetry-002: Which signals correlate with delivery success rather than activity volume?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#decision_grade_telemetry

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering telemetry, delivery observability, telemetry trust, flow metrics, metrics, outcomes, value, outcome_metric, activity_metric

Decision context: Use when leaders need to decide whether engineering metrics are trusted enough to govern delivery, capacity, risk, and intervention timing.

Why it matters: Activity metrics can increase while speed, quality, cost, risk, and business value degrade.

Doctrine boundary: Outcome signals are metrics that demonstrate a stable relationship with delivery speed, quality, cost, risk, reliability, or business milestones; activity counts without that relationship are not decision-grade evidence.

Evidence to request from internal MCP:
- work tracker
- quality system
- incident system
- product milestones
- deployment system

Minimum evidence:
- metric correlation
- defect signal
- cycle time
- business milestone

Math and model references:
- wage_equation: w_i^x = c / (p_n - zeta_i^x) (As the incentive margin shrinks, the cost required to sustain high effort rises.)
- little_law: L = lambda * W (Average work in progress equals throughput multiplied by time in system.)
- cost_of_delay: CoD = dV_lost / dt = -dV_remaining / dt (Cost of delay is the rate at which waiting destroys remaining value or accumulates lost value. The sign convention must be stated before comparing work.)

Good answer must include:
- Compare candidate metrics with delivery outcomes, escaped defects, rework, cycle time, incident impact, and business milestones.
- Evidence from work tracker, quality system, incident system, product milestones, deployment system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic decision grade telemetry diagnosis instead of proving the research question with work tracker, quality system, incident system, and related approved sources. It misses the operating risk: Activity metrics can increase while speed, quality, cost, risk, and business value degrade.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer telemetry-002: "Which signals correlate with delivery success rather than activity volume?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, quality system, incident system, product milestones, deployment system.
Minimum evidence to check: metric correlation, defect signal, cycle time, business milestone.
Use these public model references if relevant: wage_equation, little_law, cost_of_delay.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### telemetry-003: How real-time is delivery visibility for leaders?

Audience: US CTO, US CIO, VP Engineering, CIO, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#decision_grade_telemetry

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering telemetry, delivery observability, telemetry trust, flow metrics, real-time, visibility, telemetry, telemetry_freshness, delivery_visibility

Decision context: Use when leaders need to decide whether engineering metrics are trusted enough to govern delivery, capacity, risk, and intervention timing.

Why it matters: Slow telemetry creates delayed intervention and makes adaptive control unsafe.

Doctrine boundary: Delivery visibility is real-time only to the degree that reporting latency remains below the intervention window for work queues, reviews, pipeline failures, deployments, incidents, and agent actions.

Evidence to request from internal MCP:
- work tracker
- pull request system
- CI/CD
- deployment system
- incident system
- agent tool logs

Minimum evidence:
- reporting latency
- refresh interval
- coverage gap
- stale metric

Math and model references:
- synchronization_penalty: S_p = sum(T_wait + T_context_switch) (Distributed work pays a penalty whenever waiting time and context switching replace direct feedback.)
- mttr_limit_behavior: lim_{MTTR -> 0} MTBF / (MTBF + MTTR) = 1 (As recovery time approaches zero, availability approaches one even when failures still happen.)

Good answer must include:
- Measure reporting latency for work state, review queues, CI/CD failures, deployment outcomes, incidents, and agent actions.
- Evidence from work tracker, pull request system, CI/CD, deployment system, incident system, agent tool logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic decision grade telemetry diagnosis instead of proving the research question with work tracker, pull request system, CI/CD, and related approved sources. It misses the operating risk: Slow telemetry creates delayed intervention and makes adaptive control unsafe.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer telemetry-003: "How real-time is delivery visibility for leaders?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, CI/CD, deployment system, incident system, agent tool logs.
Minimum evidence to check: reporting latency, refresh interval, coverage gap, stale metric.
Use these public model references if relevant: synchronization_penalty, mttr_limit_behavior.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### telemetry-004: Where are queues invisible to current dashboards?

Audience: US CTO, US CIO, VP Engineering, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#decision_grade_telemetry

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering telemetry, delivery observability, telemetry trust, flow metrics, queues, dashboard, visibility, hidden_queue, queue_time

Decision context: Use when leaders need to decide whether engineering metrics are trusted enough to govern delivery, capacity, risk, and intervention timing.

Why it matters: Hidden queues are a common cause of false capacity conclusions.

Doctrine boundary: A queue is invisible when work waits for review, approval, dependencies, decisions, environments, or incident recovery without a distinct timestamped state in the leadership telemetry model.

Evidence to request from internal MCP:
- work tracker
- pull request system
- approval workflow
- incident system

Minimum evidence:
- hidden wait
- approval wait
- dependency wait
- dashboard coverage

Math and model references:
- kingman_wait_time: E[W_q] approx (rho / (1-rho)) * ((C_a^2 + C_s^2) / 2) * tau (As utilization approaches 100 percent, wait time explodes. Variance makes the queue worse.)
- little_law: L = lambda * W (Average work in progress equals throughput multiplied by time in system.)
- synchronization_penalty: S_p = sum(T_wait + T_context_switch) (Distributed work pays a penalty whenever waiting time and context switching replace direct feedback.)

Good answer must include:
- Compare work tracker states, PR waiting time, approval wait, dependency wait, incident interruption, and blocked comments against dashboard coverage.
- Evidence from work tracker, pull request system, approval workflow, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic decision grade telemetry diagnosis instead of proving the research question with work tracker, pull request system, approval workflow, and related approved sources. It misses the operating risk: Hidden queues are a common cause of false capacity conclusions.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer telemetry-004: "Where are queues invisible to current dashboards?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, approval workflow, incident system.
Minimum evidence to check: hidden wait, approval wait, dependency wait, dashboard coverage.
Use these public model references if relevant: kingman_wait_time, little_law, synchronization_penalty.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### telemetry-005: Which telemetry detects quality degradation after capacity, topology, or AI changes?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#decision_grade_telemetry

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering telemetry, delivery observability, telemetry trust, flow metrics, quality, degradation, ai, quality_signal, degradation_detection

Decision context: Use when leaders need to decide whether engineering metrics are trusted enough to govern delivery, capacity, risk, and intervention timing.

Why it matters: A capacity intervention is weak if it increases speed while degrading quality or risk.

Doctrine boundary: Quality degradation after a capacity or AI change is detected through changes in failed tests, review corrections, reverts, escaped defects, incidents, rollback events, and customer impact against a pre-change baseline.

Evidence to request from internal MCP:
- quality system
- pull request system
- CI/CD
- incident system
- deployment system

Minimum evidence:
- defect escape
- review correction
- revert
- rollback
- incident

Math and model references:
- availability_mttr: A = MTBF / (MTBF + MTTR) (Availability improves when recovery time drops. Modern software systems should optimize fast recovery, not frozen change.)
- mttr_limit_behavior: lim_{MTTR -> 0} MTBF / (MTBF + MTTR) = 1 (As recovery time approaches zero, availability approaches one even when failures still happen.)
- mutation_score: MS = K / (T - E) (Test quality is measured by whether tests kill injected faults, not whether lines were merely executed.)

Good answer must include:
- Track defect escape, failed tests, review correction rate, reverts, incidents, rollback events, and customer-impacting defects after change.
- Evidence from quality system, pull request system, CI/CD, incident system, deployment system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Agent Delegation Safety Matrix.

Common failure modes:
- A weak answer gives a generic decision grade telemetry diagnosis instead of proving the research question with quality system, pull request system, CI/CD, and related approved sources. It misses the operating risk: A capacity intervention is weak if it increases speed while degrading quality or risk.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer telemetry-005: "Which telemetry detects quality degradation after capacity, topology, or AI changes?"
Use only aggregate, redacted, or metadata level evidence from: quality system, pull request system, CI/CD, incident system, deployment system.
Minimum evidence to check: defect escape, review correction, revert, rollback, incident.
Use these public model references if relevant: availability_mttr, mttr_limit_behavior, mutation_score.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### telemetry-006: What telemetry compares topology performance without exposing individual employee data?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#decision_grade_telemetry

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering telemetry, delivery observability, telemetry trust, flow metrics, privacy, topology, benchmark, aggregate_telemetry, privacy_boundary

Decision context: Use when leaders need to decide whether engineering metrics are trusted enough to govern delivery, capacity, risk, and intervention timing.

Why it matters: Leaders need topology evidence while avoiding surveillance and individual performance misuse.

Doctrine boundary: Topology performance should be compared with aggregated workstream or team-level flow, quality, deployment, incident, and rework signals, never individual surveillance or employee ranking.

Evidence to request from internal MCP:
- work tracker
- CI/CD
- deployment system
- incident system

Minimum evidence:
- aggregate cycle time
- team-level queue time
- topology class
- defect rate

Math and model references:
- wage_equation: w_i^x = c / (p_n - zeta_i^x) (As the incentive margin shrinks, the cost required to sustain high effort rises.)
- kingman_wait_time: E[W_q] approx (rho / (1-rho)) * ((C_a^2 + C_s^2) / 2) * tau (As utilization approaches 100 percent, wait time explodes. Variance makes the queue worse.)
- engineering_throughput_equation: Throughput = f(Topology, Cognitive Load, Coordination Cost, AI Assistance) (Throughput is shaped by team topology, cognitive load, coordination cost, and bounded AI assistance, not headcount alone.)

Good answer must include:
- Aggregate cycle time, queue time, deployment success, defect rate, incident interruption, and rework by workstream or team-level topology.
- Evidence from work tracker, CI/CD, deployment system, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Capacity Topology Readiness Report.

Common failure modes:
- A weak answer gives a generic decision grade telemetry diagnosis instead of proving the research question with work tracker, CI/CD, deployment system, and related approved sources. It misses the operating risk: Leaders need topology evidence while avoiding surveillance and individual performance misuse.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer telemetry-006: "What telemetry compares topology performance without exposing individual employee data?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, CI/CD, deployment system, incident system.
Minimum evidence to check: aggregate cycle time, team-level queue time, topology class, defect rate.
Use these public model references if relevant: wage_equation, kingman_wait_time, engineering_throughput_equation.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### telemetry-007: Which metrics should trigger governance review before scaling automation?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#decision_grade_telemetry

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering telemetry, delivery observability, telemetry trust, flow metrics, governance, automation, stop-condition, stop_condition, governance_trigger

Decision context: Use when leaders need to decide whether engineering metrics are trusted enough to govern delivery, capacity, risk, and intervention timing.

Why it matters: Agentic and adaptive systems need stop conditions before local optimizations harm global performance.

Doctrine boundary: Governance review should trigger when agent or automation telemetry crosses predefined limits for failed validation, reverts, policy exceptions, human overrides, quality drift, incident correlation, or unbounded actions.

Evidence to request from internal MCP:
- agent tool logs
- CI/CD
- policy exception logs
- incident system
- pull request system

Minimum evidence:
- validation failure threshold
- human override rate
- policy exception
- quality drift

Math and model references:
- agentic_intervention_load: Intervention Load Hours = Agent Execution Volume * Error Rate * Mean Human Repair Time + Context Switching Hours (Agent speed is not free. Convert agent errors and context switching into the same human-time unit before comparing agent execution volume with orchestration capacity.)

Good answer must include:
- Define thresholds for failed validations, reverted changes, policy exceptions, human overrides, incident correlation, and quality drift.
- Evidence from agent tool logs, CI/CD, policy exception logs, incident system, pull request system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic decision grade telemetry diagnosis instead of proving the research question with agent tool logs, CI/CD, policy exception logs, and related approved sources. It misses the operating risk: Agentic and adaptive systems need stop conditions before local optimizations harm global performance.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer telemetry-007: "Which metrics should trigger governance review before scaling automation?"
Use only aggregate, redacted, or metadata level evidence from: agent tool logs, CI/CD, policy exception logs, incident system, pull request system.
Minimum evidence to check: validation failure threshold, human override rate, policy exception, quality drift.
Use these public model references if relevant: agentic_intervention_load.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### telemetry-008: Which signals are missing but necessary for the next operating decision?

Audience: US CTO, US CIO, VP Engineering, CIO

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#decision_grade_telemetry

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering telemetry, delivery observability, telemetry trust, flow metrics, missing-data, confidence, instrumentation, unknown_evidence, confidence_tier

Decision context: Use when leaders need to decide whether engineering metrics are trusted enough to govern delivery, capacity, risk, and intervention timing.

Why it matters: A responsible model should mark unknowns instead of inventing certainty.

Doctrine boundary: A necessary signal is missing when the pending decision requires an evidence class that has no reliable source, insufficient coverage, excessive latency, or an unknown definition; the correct result is an instrumentation gap, not an inferred fact.

Evidence to request from internal MCP:
- research question evidence inventory
- metric catalog
- source-system inventory

Minimum evidence:
- required evidence
- available evidence
- missing instrumentation
- confidence tier

Math and model references:
- cost_of_delay: CoD = dV_lost / dt = -dV_remaining / dt (Cost of delay is the rate at which waiting destroys remaining value or accumulates lost value. The sign convention must be stated before comparing work.)

Good answer must include:
- Compare the decision to required sources, available evidence, confidence tier, and missing instrumentation.
- Evidence from research question evidence inventory, metric catalog, source-system inventory.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic decision grade telemetry diagnosis instead of proving the research question with research question evidence inventory, metric catalog, source-system inventory. It misses the operating risk: A responsible model should mark unknowns instead of inventing certainty.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer telemetry-008: "Which signals are missing but necessary for the next operating decision?"
Use only aggregate, redacted, or metadata level evidence from: research question evidence inventory, metric catalog, source-system inventory.
Minimum evidence to check: required evidence, available evidence, missing instrumentation, confidence tier.
Use these public model references if relevant: cost_of_delay.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

### Governed Agentic SDLC

#### agent-001: Which agentic workflows reduce onboarding time for distributed contributors?

Audience: US CTO, US CIO, VP Engineering, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_agentic_sdlc

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, AI-governed software delivery, agent workflow safety, human approval, agents, onboarding, distributed, agentic_onboarding, context_acquisition

Decision context: Use when leaders need to decide which engineering workflows AI agents can safely execute under human, technical, and policy constraints.

Why it matters: AI can improve capacity only if it reduces context acquisition cost without increasing rework.

Doctrine boundary: Agentic workflows reduce onboarding time when they accelerate safe context retrieval, environment setup, task decomposition, and feedback while first accepted work arrives sooner without higher correction or escalation rates.

Evidence to request from internal MCP:
- work tracker
- pull request system
- documentation analytics
- agent tool logs

Minimum evidence:
- onboarding duration
- first accepted PR
- documentation usage
- correction rate

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- replacement_kinetics_derivative: partial C / partial x_i = Direct Savings - Incentive Distortion (Replacing or automating a position creates direct savings only if it does not distort incentives and coordination around the rest of the chain.)
- agentic_intervention_load: Intervention Load Hours = Agent Execution Volume * Error Rate * Mean Human Repair Time + Context Switching Hours (Agent speed is not free. Convert agent errors and context switching into the same human-time unit before comparing agent execution volume with orchestration capacity.)

Good answer must include:
- Compare onboarding duration, first accepted PR, documentation usage, correction rate, and escalation frequency.
- Evidence from work tracker, pull request system, documentation analytics, agent tool logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Agent Delegation Safety Matrix.

Common failure modes:
- A weak answer gives a generic governed agentic sdlc diagnosis instead of proving the research question with work tracker, pull request system, documentation analytics, and related approved sources. It misses the operating risk: AI can improve capacity only if it reduces context acquisition cost without increasing rework.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer agent-001: "Which agentic workflows reduce onboarding time for distributed contributors?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, documentation analytics, agent tool logs.
Minimum evidence to check: onboarding duration, first accepted PR, documentation usage, correction rate.
Use these public model references if relevant: engineering_performance_function, replacement_kinetics_derivative, agentic_intervention_load.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### agent-002: Which AI-generated outputs can distributed teams safely validate?

Audience: US CTO, US CIO, VP Engineering, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_agentic_sdlc

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, AI-governed software delivery, agent workflow safety, human approval, ai-output, validation, distributed, validation_authority, blast_radius

Decision context: Use when leaders need to decide which engineering workflows AI agents can safely execute under human, technical, and policy constraints.

Why it matters: Validation authority must match skill, context, and risk.

Doctrine boundary: AI-generated output is safely validatable when the reviewer has the required domain context and the output is reversible, testable, provenance-marked, bounded in blast radius, and subject to an explicit approval path.

Evidence to request from internal MCP:
- agent tool logs
- pull request system
- CI/CD
- approval workflow

Minimum evidence:
- output type
- reversibility
- test coverage
- approval path

Math and model references:
- replacement_kinetics_derivative: partial C / partial x_i = Direct Savings - Incentive Distortion (Replacing or automating a position creates direct savings only if it does not distort incentives and coordination around the rest of the chain.)
- mutation_score: MS = K / (T - E) (Test quality is measured by whether tests kill injected faults, not whether lines were merely executed.)
- cognitive_fidelity: Quality ~ isomorphism(M_e, S_sys) (Quality depends on how closely an engineer's mental model matches the actual system state.)

Good answer must include:
- Classify outputs by reversibility, test coverage, blast radius, required domain knowledge, and approval path.
- Evidence from agent tool logs, pull request system, CI/CD, approval workflow.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Agent Delegation Safety Matrix.

Common failure modes:
- A weak answer gives a generic governed agentic sdlc diagnosis instead of proving the research question with agent tool logs, pull request system, CI/CD, and related approved sources. It misses the operating risk: Validation authority must match skill, context, and risk.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer agent-002: "Which AI-generated outputs can distributed teams safely validate?"
Use only aggregate, redacted, or metadata level evidence from: agent tool logs, pull request system, CI/CD, approval workflow.
Minimum evidence to check: output type, reversibility, test coverage, approval path.
Use these public model references if relevant: replacement_kinetics_derivative, mutation_score, cognitive_fidelity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### agent-003: Which AI tools are allowed for each contributor type?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_agentic_sdlc

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, AI-governed software delivery, agent workflow safety, human approval, ai-tools, contributors, policy, tool_permission, prompt_policy

Decision context: Use when leaders need to decide which engineering workflows AI agents can safely execute under human, technical, and policy constraints.

Why it matters: AI usage creates data exposure, IP, and governance risk.

Doctrine boundary: Allowed AI tools must be assigned by contributor role, task, data classification, repository boundary, retention policy, permission scope, and audit requirement rather than made universally available.

Evidence to request from internal MCP:
- AI tool policy
- identity provider
- repository permissions
- audit logs

Minimum evidence:
- approved tool
- data class
- access class
- audit requirement

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- shirking_margin_zeta: zeta_i^x = P(project succeeds | e_i=0, policy x) (Zeta measures how safe a contributor feels when they do not apply full effort. If the system hides weak effort behind downstream rescue, incentive quality degrades.)
- replacement_kinetics_derivative: partial C / partial x_i = Direct Savings - Incentive Distortion (Replacing or automating a position creates direct savings only if it does not distort incentives and coordination around the rest of the chain.)

Good answer must include:
- Map contributor type to approved tools, data classes, repository access, prompt policy, and audit requirements.
- Evidence from AI tool policy, identity provider, repository permissions, audit logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic governed agentic sdlc diagnosis instead of proving the research question with AI tool policy, identity provider, repository permissions, and related approved sources. It misses the operating risk: AI usage creates data exposure, IP, and governance risk.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer agent-003: "Which AI tools are allowed for each contributor type?"
Use only aggregate, redacted, or metadata level evidence from: AI tool policy, identity provider, repository permissions, audit logs.
Minimum evidence to check: approved tool, data class, access class, audit requirement.
Use these public model references if relevant: engineering_performance_function, shirking_margin_zeta, replacement_kinetics_derivative.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### agent-004: How are AI-generated PRs reviewed across distributed teams?

Audience: US CTO, US CIO, VP Engineering, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_agentic_sdlc

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, AI-governed software delivery, agent workflow safety, human approval, ai-pr, review, provenance, pr_provenance, review_policy

Decision context: Use when leaders need to decide which engineering workflows AI agents can safely execute under human, technical, and policy constraints.

Why it matters: AI can increase review burden if review policy is unclear.

Doctrine boundary: AI-generated pull requests require recorded provenance, automated test evidence, risk-based human review, correction tracking, approval authority, and rollback readiness equivalent to or stronger than human-generated changes.

Evidence to request from internal MCP:
- pull request system
- agent tool logs
- CI/CD
- approval workflow

Minimum evidence:
- PR provenance
- review path
- correction rate
- test evidence

Math and model references:
- shirking_margin_zeta: zeta_i^x = P(project succeeds | e_i=0, policy x) (Zeta measures how safe a contributor feels when they do not apply full effort. If the system hides weak effort behind downstream rescue, incentive quality degrades.)
- mutation_score: MS = K / (T - E) (Test quality is measured by whether tests kill injected faults, not whether lines were merely executed.)
- agentic_intervention_load: Intervention Load Hours = Agent Execution Volume * Error Rate * Mean Human Repair Time + Context Switching Hours (Agent speed is not free. Convert agent errors and context switching into the same human-time unit before comparing agent execution volume with orchestration capacity.)

Good answer must include:
- Track PR provenance, review path, correction rate, test evidence, approval authority, and rollback evidence.
- Evidence from pull request system, agent tool logs, CI/CD, approval workflow.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Agent Delegation Safety Matrix.

Common failure modes:
- A weak answer gives a generic governed agentic sdlc diagnosis instead of proving the research question with pull request system, agent tool logs, CI/CD, and related approved sources. It misses the operating risk: AI can increase review burden if review policy is unclear.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer agent-004: "How are AI-generated PRs reviewed across distributed teams?"
Use only aggregate, redacted, or metadata level evidence from: pull request system, agent tool logs, CI/CD, approval workflow.
Minimum evidence to check: PR provenance, review path, correction rate, test evidence.
Use these public model references if relevant: shirking_margin_zeta, mutation_score, agentic_intervention_load.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### agent-005: What telemetry detects agent-generated rework?

Audience: US CTO, US CIO, VP Engineering, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_agentic_sdlc

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, AI-governed software delivery, agent workflow safety, human approval, agent-rework, telemetry, quality, rework_signal, ai_productivity

Decision context: Use when leaders need to decide which engineering workflows AI agents can safely execute under human, technical, and policy constraints.

Why it matters: AI productivity claims are weak unless rework is measured.

Doctrine boundary: Agent-generated rework is detected by linking AI provenance to review corrections, reopened work, failed tests, reverted changes, escaped defects, and downstream cycle-time impact.

Evidence to request from internal MCP:
- work tracker
- pull request system
- CI/CD
- quality system
- deployment system

Minimum evidence:
- reopened ticket
- review correction
- failed test
- reverted commit

Math and model references:
- shirking_margin_zeta: zeta_i^x = P(project succeeds | e_i=0, policy x) (Zeta measures how safe a contributor feels when they do not apply full effort. If the system hides weak effort behind downstream rescue, incentive quality degrades.)
- agentic_intervention_load: Intervention Load Hours = Agent Execution Volume * Error Rate * Mean Human Repair Time + Context Switching Hours (Agent speed is not free. Convert agent errors and context switching into the same human-time unit before comparing agent execution volume with orchestration capacity.)

Good answer must include:
- Compare reopened tickets, review corrections, failed tests, reverted commits, escaped defects, and cycle-time impact.
- Evidence from work tracker, pull request system, CI/CD, quality system, deployment system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Agent Delegation Safety Matrix.

Common failure modes:
- A weak answer gives a generic governed agentic sdlc diagnosis instead of proving the research question with work tracker, pull request system, CI/CD, and related approved sources. It misses the operating risk: AI productivity claims are weak unless rework is measured.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer agent-005: "What telemetry detects agent-generated rework?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, CI/CD, quality system, deployment system.
Minimum evidence to check: reopened ticket, review correction, failed test, reverted commit.
Use these public model references if relevant: shirking_margin_zeta, agentic_intervention_load.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### agent-006: Which workflows should remain human-gated until trust improves?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_agentic_sdlc

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, AI-governed software delivery, agent workflow safety, human approval, human-gated, agents, risk, human_gate, trust_boundary

Decision context: Use when leaders need to decide which engineering workflows AI agents can safely execute under human, technical, and policy constraints.

Why it matters: Agentic delegation should expand only when validation and governance mature.

Doctrine boundary: Workflows with high ambiguity, sensitive data, architecture authority, customer or production impact, weak validation, or irreversible consequences should remain human-gated until evidence demonstrates bounded agent reliability.

Evidence to request from internal MCP:
- workflow catalog
- security classification
- incident system
- approval policy

Minimum evidence:
- ambiguity class
- data sensitivity
- production impact
- approval requirement

Math and model references:
- shirking_margin_zeta: zeta_i^x = P(project succeeds | e_i=0, policy x) (Zeta measures how safe a contributor feels when they do not apply full effort. If the system hides weak effort behind downstream rescue, incentive quality degrades.)
- replacement_kinetics_derivative: partial C / partial x_i = Direct Savings - Incentive Distortion (Replacing or automating a position creates direct savings only if it does not distort incentives and coordination around the rest of the chain.)
- cognitive_fidelity: Quality ~ isomorphism(M_e, S_sys) (Quality depends on how closely an engineer's mental model matches the actual system state.)

Good answer must include:
- Identify workflows with high ambiguity, sensitive data, customer impact, production impact, or irreversible consequences.
- Evidence from workflow catalog, security classification, incident system, approval policy.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Agent Delegation Safety Matrix.

Common failure modes:
- A weak answer gives a generic governed agentic sdlc diagnosis instead of proving the research question with workflow catalog, security classification, incident system, and related approved sources. It misses the operating risk: Agentic delegation should expand only when validation and governance mature.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer agent-006: "Which workflows should remain human-gated until trust improves?"
Use only aggregate, redacted, or metadata level evidence from: workflow catalog, security classification, incident system, approval policy.
Minimum evidence to check: ambiguity class, data sensitivity, production impact, approval requirement.
Use these public model references if relevant: shirking_margin_zeta, replacement_kinetics_derivative, cognitive_fidelity.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

### Governed Adaptive Control Loops

#### adaptive-001: Can the engineering system recommend workflow changes from telemetry without automatically applying them?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_adaptive_control_loops

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, adaptive control loops, meta agent loop, learning loop, workflow optimization, adaptive, recommendation, governance, adaptive_control, governed_recommendation

Decision context: Use when leaders need to decide whether the engineering system can improve workflow behavior from evidence without uncontrolled automation risk.

Why it matters: Adaptive control should begin with governed recommendations before self-modifying execution.

Doctrine boundary: The system may generate evidence-backed workflow recommendations without applying them; each recommendation must expose its source signals, assumptions, expected effect, approval path, measurement plan, and rollback condition.

Evidence to request from internal MCP:
- telemetry platform
- workflow rules
- approval workflow
- audit logs

Minimum evidence:
- recommendation
- evidence trail
- approval path
- rollback path

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)

Good answer must include:
- Verify recommendation source, evidence trail, approval path, rollback path, and post-change measurement.
- Evidence from telemetry platform, workflow rules, approval workflow, audit logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governed Adaptive Control Loop Review.

Common failure modes:
- A weak answer gives a generic governed adaptive control loops diagnosis instead of proving the research question with telemetry platform, workflow rules, approval workflow, and related approved sources. It misses the operating risk: Adaptive control should begin with governed recommendations before self-modifying execution.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer adaptive-001: "Can the engineering system recommend workflow changes from telemetry without automatically applying them?"
Use only aggregate, redacted, or metadata level evidence from: telemetry platform, workflow rules, approval workflow, audit logs.
Minimum evidence to check: recommendation, evidence trail, approval path, rollback path.
Use these public model references if relevant: engineering_performance_function.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### adaptive-002: Which workflow rules can be safely modified under governance?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_adaptive_control_loops

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, adaptive control loops, meta agent loop, learning loop, workflow optimization, workflow-rules, adaptive, policy, rule_class, workflow_modification

Decision context: Use when leaders need to decide whether the engineering system can improve workflow behavior from evidence without uncontrolled automation risk.

Why it matters: Not every execution rule should be adaptive; some rules encode security, compliance, or architecture constraints.

Doctrine boundary: Only reversible, observable, low-blast-radius workflow rules may be adaptive by default; security, compliance, architecture, data, and production authority rules require explicit human governance.

Evidence to request from internal MCP:
- workflow rules
- CI/CD config
- policy documentation
- audit logs

Minimum evidence:
- rule class
- blast radius
- reversibility
- approval requirement

Math and model references:
- replacement_kinetics_derivative: partial C / partial x_i = Direct Savings - Incentive Distortion (Replacing or automating a position creates direct savings only if it does not distort incentives and coordination around the rest of the chain.)

Good answer must include:
- Classify rules by blast radius, reversibility, policy class, source-system owner, and required approval.
- Evidence from workflow rules, CI/CD config, policy documentation, audit logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governed Adaptive Control Loop Review.

Common failure modes:
- A weak answer gives a generic governed adaptive control loops diagnosis instead of proving the research question with workflow rules, CI/CD config, policy documentation, and related approved sources. It misses the operating risk: Not every execution rule should be adaptive; some rules encode security, compliance, or architecture constraints.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer adaptive-002: "Which workflow rules can be safely modified under governance?"
Use only aggregate, redacted, or metadata level evidence from: workflow rules, CI/CD config, policy documentation, audit logs.
Minimum evidence to check: rule class, blast radius, reversibility, approval requirement.
Use these public model references if relevant: replacement_kinetics_derivative.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### adaptive-003: How does the system detect when adaptive changes degrade performance?

Audience: US CTO, US CIO, VP Engineering, AI Governance Leader, Platform Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_adaptive_control_loops

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, adaptive control loops, meta agent loop, learning loop, workflow optimization, degradation, feedback, adaptive, negative_feedback, post_change_delta

Decision context: Use when leaders need to decide whether the engineering system can improve workflow behavior from evidence without uncontrolled automation risk.

Why it matters: Learning loops need negative feedback and stop conditions.

Doctrine boundary: Adaptive degradation is detected by comparing post-change quality, cycle time, failed validation, override, incident, and rollback signals against baselines and predefined stop conditions.

Evidence to request from internal MCP:
- telemetry platform
- agent tool logs
- CI/CD
- incident system
- rollback records

Minimum evidence:
- post-change delta
- quality drift
- override rate
- rollback trigger

Math and model references:
- agentic_intervention_load: Intervention Load Hours = Agent Execution Volume * Error Rate * Mean Human Repair Time + Context Switching Hours (Agent speed is not free. Convert agent errors and context switching into the same human-time unit before comparing agent execution volume with orchestration capacity.)

Good answer must include:
- Monitor quality drift, cycle-time degradation, failed validations, human override rate, incident correlation, and rollback triggers after adaptive changes.
- Evidence from telemetry platform, agent tool logs, CI/CD, incident system, rollback records.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governed Adaptive Control Loop Review.

Common failure modes:
- A weak answer gives a generic governed adaptive control loops diagnosis instead of proving the research question with telemetry platform, agent tool logs, CI/CD, and related approved sources. It misses the operating risk: Learning loops need negative feedback and stop conditions.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer adaptive-003: "How does the system detect when adaptive changes degrade performance?"
Use only aggregate, redacted, or metadata level evidence from: telemetry platform, agent tool logs, CI/CD, incident system, rollback records.
Minimum evidence to check: post-change delta, quality drift, override rate, rollback trigger.
Use these public model references if relevant: agentic_intervention_load.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### adaptive-004: Who can approve, audit, and reverse adaptive changes to the SDLC?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governed_adaptive_control_loops

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, adaptive control loops, meta agent loop, learning loop, workflow optimization, approval, audit, adaptive, adaptive_authority, rollback_authority

Decision context: Use when leaders need to decide whether the engineering system can improve workflow behavior from evidence without uncontrolled automation risk.

Why it matters: Self-improving systems require explicit authority and reversibility.

Doctrine boundary: Every adaptive change class must have named approval authority, immutable audit evidence, an accountable system owner, independent rollback authority, and defined emergency stop conditions.

Evidence to request from internal MCP:
- policy documentation
- approval workflow
- audit logs
- rollback records

Minimum evidence:
- approver
- audit log
- rollback authority
- stop condition

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- replacement_kinetics_derivative: partial C / partial x_i = Direct Savings - Incentive Distortion (Replacing or automating a position creates direct savings only if it does not distort incentives and coordination around the rest of the chain.)
- agentic_intervention_load: Intervention Load Hours = Agent Execution Volume * Error Rate * Mean Human Repair Time + Context Switching Hours (Agent speed is not free. Convert agent errors and context switching into the same human-time unit before comparing agent execution volume with orchestration capacity.)

Good answer must include:
- Map adaptive change classes to approvers, audit logs, rollback authority, exception handling, and stop conditions.
- Evidence from policy documentation, approval workflow, audit logs, rollback records.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic governed adaptive control loops diagnosis instead of proving the research question with policy documentation, approval workflow, audit logs, and related approved sources. It misses the operating risk: Self-improving systems require explicit authority and reversibility.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer adaptive-004: "Who can approve, audit, and reverse adaptive changes to the SDLC?"
Use only aggregate, redacted, or metadata level evidence from: policy documentation, approval workflow, audit logs, rollback records.
Minimum evidence to check: approver, audit log, rollback authority, stop condition.
Use these public model references if relevant: engineering_performance_function, replacement_kinetics_derivative, agentic_intervention_load.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

### Governance, Security, and Failure Modes

#### gov-001: Who owns delivery risk for externally or agent-produced work?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governance_security_failure_modes

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering governance, security boundary, failure modes, rollback, accountability, risk, external-work, delivery_risk_owner

Decision context: Use when leaders need to define authority, auditability, approval, rollback, and stop conditions across deterministic and agentic systems.

Why it matters: Distributed and AI-assisted delivery require clear accountability.

Doctrine boundary: Delivery risk remains owned by the accountable internal leader who authorizes the work and controls acceptance, production approval, and incident response, even when execution is external or agent-assisted.

Evidence to request from internal MCP:
- ownership map
- approval workflow
- incident system
- contracts or operating agreements

Minimum evidence:
- accountable owner
- review authority
- approval path
- incident responsibility

Math and model references:
- shirking_margin_zeta: zeta_i^x = P(project succeeds | e_i=0, policy x) (Zeta measures how safe a contributor feels when they do not apply full effort. If the system hides weak effort behind downstream rescue, incentive quality degrades.)
- incentive_compatibility_constraint: p_n * w_i - c >= zeta_i^x * w_i (A contributor exerts effort when the expected value of working is greater than the expected value of shirking.)

Good answer must include:
- Map work ownership to accountable leaders, review authority, approval paths, and incident responsibility.
- Evidence from ownership map, approval workflow, incident system, contracts or operating agreements.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic governance security failure modes diagnosis instead of proving the research question with ownership map, approval workflow, incident system, and related approved sources. It misses the operating risk: Distributed and AI-assisted delivery require clear accountability.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer gov-001: "Who owns delivery risk for externally or agent-produced work?"
Use only aggregate, redacted, or metadata level evidence from: ownership map, approval workflow, incident system, contracts or operating agreements.
Minimum evidence to check: accountable owner, review authority, approval path, incident responsibility.
Use these public model references if relevant: shirking_margin_zeta, incentive_compatibility_constraint.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### gov-002: Which production actions require internal approval?

Audience: US CTO, US CIO, VP Engineering, CIO, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governance_security_failure_modes

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering governance, security boundary, failure modes, rollback, production, approval, governance, production_authority, approval_requirement

Decision context: Use when leaders need to define authority, auditability, approval, rollback, and stop conditions across deterministic and agentic systems.

Why it matters: Production authority must be explicit in distributed systems.

Doctrine boundary: Internal approval is required for production actions whose blast radius, data impact, customer effect, irreversibility, or regulatory significance exceeds the organization's predefined authority threshold.

Evidence to request from internal MCP:
- deployment system
- approval workflow
- policy documentation
- audit logs

Minimum evidence:
- production action
- approval requirement
- approver
- audit record

Math and model references:
- replacement_kinetics_derivative: partial C / partial x_i = Direct Savings - Incentive Distortion (Replacing or automating a position creates direct savings only if it does not distort incentives and coordination around the rest of the chain.)
- availability_mttr: A = MTBF / (MTBF + MTTR) (Availability improves when recovery time drops. Modern software systems should optimize fast recovery, not frozen change.)
- mttr_limit_behavior: lim_{MTTR -> 0} MTBF / (MTBF + MTTR) = 1 (As recovery time approaches zero, availability approaches one even when failures still happen.)

Good answer must include:
- Classify deployment, rollback, data migration, configuration, and incident actions by approval requirement.
- Evidence from deployment system, approval workflow, policy documentation, audit logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic governance security failure modes diagnosis instead of proving the research question with deployment system, approval workflow, policy documentation, and related approved sources. It misses the operating risk: Production authority must be explicit in distributed systems.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer gov-002: "Which production actions require internal approval?"
Use only aggregate, redacted, or metadata level evidence from: deployment system, approval workflow, policy documentation, audit logs.
Minimum evidence to check: production action, approval requirement, approver, audit record.
Use these public model references if relevant: replacement_kinetics_derivative, availability_mttr, mttr_limit_behavior.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### gov-003: Which systems are off-limits to external contributors or agents?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governance_security_failure_modes

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering governance, security boundary, failure modes, rollback, security, off-limits, access, security_boundary, restricted_system

Decision context: Use when leaders need to define authority, auditability, approval, rollback, and stop conditions across deterministic and agentic systems.

Why it matters: Security boundaries must be defined before capacity is distributed.

Doctrine boundary: External contributors and agents must be excluded from systems whose data sensitivity, privilege level, regulatory boundary, strategic IP, or production blast radius cannot be contained by least-privilege controls.

Evidence to request from internal MCP:
- security policy
- repository permissions
- identity provider
- data classification

Minimum evidence:
- restricted system
- access boundary
- data class
- privileged tool

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- shirking_margin_zeta: zeta_i^x = P(project succeeds | e_i=0, policy x) (Zeta measures how safe a contributor feels when they do not apply full effort. If the system hides weak effort behind downstream rescue, incentive quality degrades.)
- incentive_compatibility_constraint: p_n * w_i - c >= zeta_i^x * w_i (A contributor exerts effort when the expected value of working is greater than the expected value of shirking.)

Good answer must include:
- Verify restrictions for sensitive repositories, customer data, secrets, regulated systems, production environments, and privileged tools.
- Evidence from security policy, repository permissions, identity provider, data classification.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic governance security failure modes diagnosis instead of proving the research question with security policy, repository permissions, identity provider, and related approved sources. It misses the operating risk: Security boundaries must be defined before capacity is distributed.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer gov-003: "Which systems are off-limits to external contributors or agents?"
Use only aggregate, redacted, or metadata level evidence from: security policy, repository permissions, identity provider, data classification.
Minimum evidence to check: restricted system, access boundary, data class, privileged tool.
Use these public model references if relevant: engineering_performance_function, shirking_margin_zeta, incentive_compatibility_constraint.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### gov-004: How is IP assignment and contribution provenance verified?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governance_security_failure_modes

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering governance, security boundary, failure modes, rollback, ip, provenance, contributions, ip_assignment, contribution_provenance

Decision context: Use when leaders need to define authority, auditability, approval, rollback, and stop conditions across deterministic and agentic systems.

Why it matters: External and AI-assisted work creates IP and ownership questions.

Doctrine boundary: IP assignment and contribution provenance are verified through enforceable agreements, authenticated contributor identity, commit and PR provenance, AI-tool disclosure, review records, and acceptance history.

Evidence to request from internal MCP:
- contracts or operating agreements
- repository metadata
- agent tool logs
- approval records

Minimum evidence:
- IP assignment
- commit provenance
- tool usage log
- approval record

Math and model references:
- l2_adjusted_score: s_adj = s_raw - beta * (f_error - E[f | P]) (Language form errors should not be allowed to erase correct technical reasoning.)
- frechet_semantic_distance: FSD(y_q,b_q)=||mu_y-mu_b||_2^2 + Tr(Sigma_y + Sigma_b - 2(Sigma_y^(1/2) Sigma_b Sigma_y^(1/2))^(1/2)) (Semantic similarity should be measured by meaning, not surface phrasing.)
- optimal_transport_code_switch: s_q^OT = psi(W_2(P_q,Q_q; C o (1 - lambda M))) (Code switching should not be treated as technical weakness when meaning is preserved.)

Good answer must include:
- Review contracts, contributor agreements, commit provenance, PR metadata, tool usage logs, and approval records.
- Evidence from contracts or operating agreements, repository metadata, agent tool logs, approval records.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic governance security failure modes diagnosis instead of proving the research question with contracts or operating agreements, repository metadata, agent tool logs, and related approved sources. It misses the operating risk: External and AI-assisted work creates IP and ownership questions.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer gov-004: "How is IP assignment and contribution provenance verified?"
Use only aggregate, redacted, or metadata level evidence from: contracts or operating agreements, repository metadata, agent tool logs, approval records.
Minimum evidence to check: IP assignment, commit provenance, tool usage log, approval record.
Use these public model references if relevant: l2_adjusted_score, frechet_semantic_distance, optimal_transport_code_switch.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### gov-005: How are policy exceptions logged and reviewed?

Audience: US CTO, US CIO, VP Engineering, CIO, DevOps Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governance_security_failure_modes

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering governance, security boundary, failure modes, rollback, policy-exception, audit, governance, policy_exception, remediation

Decision context: Use when leaders need to define authority, auditability, approval, rollback, and stop conditions across deterministic and agentic systems.

Why it matters: Exceptions reveal where governance is weak or misaligned with reality.

Doctrine boundary: Policy exceptions require a timestamped request, business justification, accountable approver, bounded duration, affected assets, compensating controls, remediation owner, recurrence review, and closure evidence.

Evidence to request from internal MCP:
- policy exception logs
- approval workflow
- audit logs
- incident system

Minimum evidence:
- exception record
- approval path
- recurrence
- remediation action

Math and model references:
- integrity_l2: Integrity_L2 = w1*ICC_band + w2*avg(s_OT) + w3*avg(c_q) + w4*R2_Phase2_to_Phase3 + w5*GC - w6*Delta_trans (Integrity combines consistency, semantic fidelity, conceptual content, phase coherence, grounding, and translation drift.)
- counterfactual_esl_stability: |c_q - c_q_prime| <= tau_trans (A score should remain stable when the same technical meaning is expressed in standardized English.)
- adversarial_indistinguishability: AUC_protected_prediction compared with the 0.5 random-classification baseline (An adversary that performs near the random-classification baseline has not demonstrated useful prediction of the protected attribute. That result is one diagnostic, not proof of fairness or zero leakage.)

Good answer must include:
- Compare exception records, approval paths, recurrence, business justification, and remediation actions.
- Evidence from policy exception logs, approval workflow, audit logs, incident system.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Governance, Security, and IP Control Report.

Common failure modes:
- A weak answer gives a generic governance security failure modes diagnosis instead of proving the research question with policy exception logs, approval workflow, audit logs, and related approved sources. It misses the operating risk: Exceptions reveal where governance is weak or misaligned with reality.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer gov-005: "How are policy exceptions logged and reviewed?"
Use only aggregate, redacted, or metadata level evidence from: policy exception logs, approval workflow, audit logs, incident system.
Minimum evidence to check: exception record, approval path, recurrence, remediation action.
Use these public model references if relevant: integrity_l2, counterfactual_esl_stability, adversarial_indistinguishability.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

#### gov-006: What breaks first when capacity, distribution, or automation increases?

Audience: US CTO, US CIO, VP Engineering, CIO, AI Governance Leader

Canonical URL: https://engineering.teamstation.dev/research/engineering-operating-system/questions/#governance_security_failure_modes

Source URL: https://engineering.teamstation.dev/api/research/cto-cio-learning-cards.json

Parent site: https://teamstation.dev

Related TeamStation concept URL: https://teamstation.dev

Topics: engineering systems, engineering capacity, agentic SDLC, telemetry-driven engineering, engineering governance, security boundary, failure modes, rollback, failure-mode, scaling, risk, failure_mode_register, scaling_risk

Decision context: Use when leaders need to define authority, auditability, approval, rollback, and stop conditions across deterministic and agentic systems.

Why it matters: Failure-mode analysis turns scaling plans into testable risk hypotheses.

Doctrine boundary: The first scaling failure is the constraint whose demand grows faster than its control capacity; test this across review queues, architecture decisions, knowledge transfer, pipeline consistency, agent rework, access control, and governance latency.

Evidence to request from internal MCP:
- work tracker
- pull request system
- CI/CD
- incident system
- audit logs

Minimum evidence:
- hidden queue
- review bottleneck
- pipeline drift
- governance lag

Math and model references:
- engineering_performance_function: P(t)=f(C,T,K,D,O,A,L,G) -> {Speed, Quality, Cost, Risk, Value} (Engineering performance at time t is a system output, not a headcount output. It depends on capacity, topology, knowledge, execution, telemetry, agentic action, adaptive learning, and governance.)
- shirking_margin_zeta: zeta_i^x = P(project succeeds | e_i=0, policy x) (Zeta measures how safe a contributor feels when they do not apply full effort. If the system hides weak effort behind downstream rescue, incentive quality degrades.)
- incentive_compatibility_constraint: p_n * w_i - c >= zeta_i^x * w_i (A contributor exerts effort when the expected value of working is greater than the expected value of shirking.)

Good answer must include:
- Inspect hidden queues, review bottlenecks, architecture latency, pipeline drift, context loss, agent rework, security access, and governance lag.
- Evidence from work tracker, pull request system, CI/CD, incident system, audit logs.
- Explicit confidence using high, medium, directional, or unknown.
- Decision implication for Engineering Capacity OS Diagnostic.

Common failure modes:
- A weak answer gives a generic governance security failure modes diagnosis instead of proving the research question with work tracker, pull request system, CI/CD, and related approved sources. It misses the operating risk: Failure-mode analysis turns scaling plans into testable risk hypotheses.
- Treating headcount, vendor claims, or opinion as proof.
- Treating missing evidence as confidence.
- Exporting private records instead of using aggregate or redacted signals.

Safe prompt template:

```text
Inside the organization controlled MCP server, answer gov-006: "What breaks first when capacity, distribution, or automation increases?"
Use only aggregate, redacted, or metadata level evidence from: work tracker, pull request system, CI/CD, incident system, audit logs.
Minimum evidence to check: hidden queue, review bottleneck, pipeline drift, governance lag.
Use these public model references if relevant: engineering_performance_function, shirking_margin_zeta, incentive_compatibility_constraint.
Return an answer card with observed_state, evidence_summary, confidence, missing_evidence, risk_flags, decision_implication, and next_safe_action.
If evidence is missing, say unknown or directional. Do not infer private operating state from the public model.
Do not collect or export: source code, secrets, credentials, customer records, raw logs containing identifiers, private messages, HR records, individual employee performance records, payroll data, legal records.
```

