HR

HR is not a payroll bolt-on. It is the Member-id authority for the whole platform. Strip it out and every downstream module gets a slightly different roster, drift accumulates, compliance breaks. The Vietnamese labour-law discipline matters too — Decree 145 / 152 / 13 / PDPL are not "compliance things"; they're the operating constraints under which the entire team works.

HR as Member-id spine across modules

Auto vs human-in-loop operations matrix

HR is the single source of truth for who is a Member of the company and what their employment relationship is. Without that single source of truth, every downstream module reinvents a partial picture: REW imagines a payroll roster, TIME imagines a list of timesheet-enabled people, ESOP imagines a list of grantees. They drift; data inconsistency follows; compliance violations follow shortly after. HR centralises the answer to a deceptively hard question — "is this person currently employed by this tenant, in what capacity, since when, and with what statutory entitlements?" — and makes that answer a row, not a query across five systems.

The bet is the same bet AUTH makes about identity: pay the cost once at the canonical layer, and every module inherits the property for free. Without HR as the canonical Member directory, "who can take leave?" becomes a search across mailing lists, Slack channels, and Excel files. With HR as the canonical Member directory, the answer is a JOIN against member and leave_balance, scoped by tenant_id, audited in BRAIN, and provable to a Decree 13/2023 auditor.

A structured decomposition of HR's scope. Every cell traces back to and.

HR is one Rust service with four surfaces (GraphQL subgraph, REST admin, NATS event publisher, MCP tool catalogue), three stores (Postgres for relational state, S3 for contract PDFs + CCCD images, KMS for per-column encryption keys), and an audit sink to BRAIN. The diagram below shows the canonical request flow for the onboarding orchestrator.

Internal components

The schema is normalised around the Member as the canonical entity. Contracts are append-only with supersession. Leave is a state-machine row with a balance side-table. CCCD lives in its own table with its own KMS key handle, so a developer cannot accidentally over-fetch by joining the Member table.

Leave-type catalogue (Vietnamese labour law context)

Three surfaces: a federated GraphQL subgraph for cross-module Member queries, a REST admin API for the orchestrators (onboarding, offboarding, contract issuance), and an MCP tool catalogue for the CUO/CHRO-skill agent. Compensation routes are never exposed here — those live on REW behind a CFO + CHRO co-sign predicate.

GraphQL subgraph (federated)

HR publishes Member + Profile + LeaveBalance to Apollo Router. CCCD and contract PDF URIs are never resolvable through the subgraph — admin REST only.

extend schema
 @link(url: "https://specs.apollo.dev/federation/v2.5", import: ["@key", "@external", "@shareable", "@requiresScopes"])

type Member @key(fields: "id") {
 id: ID!
 tenantId: ID!
 email: String!
 displayName: String!
 roleCode: String!
 level: String!
 startDate: Date!
 endDate: Date
 managerId: ID
 status: MemberStatus!
 profile: Profile @requiresScopes(scopes: [["hr.profile_read"]])
 leaveBalance: LeaveBalance @requiresScopes(scopes: [["hr.leave_read"]])
 reports: [Member!]! @requiresScopes(scopes: [["hr.read"]])
}

type Profile @requiresScopes(scopes: [["hr.profile_read"]]) {
 dob: Date
 bhxhNumber: String
 bhytNumber: String
 bhtnNumber: String
 nationality: String!
}

type LeaveBalance {
 annualRemaining: Float!
 sickRemaining: Float!
 sabbaticalAccruedDays: Float!
 serviceYears: Int!
 lastAccrualAt: DateTime!
}

type LeaveRequest @key(fields: "id") {
 id: ID!
 memberId: ID!
 kind: LeaveKind!
 startDate: Date!
 endDate: Date!
 days: Float!
 status: LeaveStatus!
 approvedBy: ID
 reason: String
 submittedAt: DateTime!
}

enum MemberStatus { ACTIVE ON_LEAVE TERMINATED }
enum LeaveKind { ANNUAL SICK MATERNITY PATERNITY SABBATICAL UNPAID BEREAVEMENT PUBLIC_HOLIDAY }
enum LeaveStatus { DRAFT SUBMITTED APPROVED REJECTED CONSUMED CANCELLED }

type Query {
 me: Member!
 member(id: ID!): Member
 membersByManager(managerId: ID!): [Member!]!
 leaveRequests(memberId: ID, status: LeaveStatus, since: DateTime): [LeaveRequest!]!
 @requiresScopes(scopes: [["hr.leave_read"]])
 orgChart(rootId: ID): OrgChartNode!
}

type Mutation {
 requestLeave(input: LeaveRequestInput!): LeaveRequest!
 approveLeave(id: ID!, reason: String): LeaveRequest!
 @requiresScopes(scopes: [["hr.leave_approve"]])
 rejectLeave(id: ID!, reason: String!): LeaveRequest!
 @requiresScopes(scopes: [["hr.leave_approve"]])
 cancelLeave(id: ID!): LeaveRequest!
}

REST admin surface (planned)

MCP tool catalogue (CUO/CHRO-skill)

Flow 1 — Onboarding orchestrator (new Member join)

Flow 2 — Leave request + approval

Flow 3 — Contract renewal + e-sign via DOC

Flow 4 — Performance review cycle (HR initiates · LEARN executes)

Flow 5 — Termination + offboarding orchestrator

A Member traverses five states from offer to terminated, with three special branches (probation pass/fail, leave-of-absence, sabbatical). Every transition writes a BRAIN audit row and emits a NATS event.

Service-period entitlement table

security + §11.2.5 usability NFRs that bind on HR. Cross-referenced at nfr-catalog.html#hr.

HR is the Member-directory primitive that every comp/learn/equity module reads from. It depends on AUTH for identity, BRAIN for audit, OBS for telemetry, and (P4) DOC for WebAuthn e-sign.

HR is the Vietnamese-labour-law front door. Every contract, every leave row, every CCCD record has to defend against a Decree 13/2023 inspector, a PDPL DSAR request, and a 10-year SI/PIT statutory audit.

HR-specific risks tracked in the risk register. The highest-impact risk is comp leakage into HR — a structural failure that would force a schema rebuild.

HR health rolls up into 9 KPIs covering lifecycle throughput, compliance posture, and orchestrator correctness.

HR is owned by the HR/Ops Lead. CEO is accountable for policy; DPO is responsible for PDPL DSAR; CFO co-signs Bad-Leaver branches.

A single admin CLI cyberos-hr for HR/Ops Lead. Every destructive command writes an audit row before exit.

1. Add a Member

$ cyberos-hr member add \
 --email mai@cyberskill.com \
 --display "Mai Nguyen" \
 --role engineer --level L2 \
 --start-date 2026-06-01 \
 --manager stephen@cyberskill.com

[member created]
 id: 01HZJ8R4M2K7QXP3F9D8YN7B2T
 email: mai@cyberskill.com
 start: 2026-06-01
[onboarding] checklist created: 8 tasks
[fanout] auth.account.create → ack
[fanout] chat.workspace.provision → ack
[fanout] time.timesheet.enrol → ack
[fanout] learn.profile.seed → ack
[audit] brain seq=14843 chain=a1c4…b8e2

2. Submit a leave request (Member-self)

$ cyberos-hr leave request \
 --kind annual \
 --start 2026-07-15 --end 2026-07-19 \
 --reason "family trip"

[leave request submitted]
 id: 01HZJ8…JTC
 days: 5
 status: submitted
 approver: stephen@cyberskill.com (manager)
[audit] brain seq=14844 chain=b2d5…c9f3

3. Issue a contract

$ cyberos-hr contract issue \
 --member mai@cyberskill.com \
 --kind indefinite \
 --effective-from 2026-06-01 \
 --template indefinite-vn-2026

[contract drafted] indefinite-vn-2026 → /tmp/contract-mai.pdf
[pdf] SHA-256: 9f3e…2a1b
[s3] contracts//.pdf (KMS contract-key)
[doc] sent for WebAuthn e-sign → notification dispatched
[status] pending_signature
[audit] brain seq=14851 chain=d4e7…f1a9

4. Render the org chart

$ cyberos-hr org-chart --format mermaid --root stephen@cyberskill.com

graph TD
 stephen[Stephen Cheng · CEO]
 stephen --> mai[Mai Nguyen · L2 Engineer]
 stephen --> hoa[Hoa Tran · L3 Engineer]
 hoa --> linh[Linh Pham · L1 Engineer]

[org-chart] 4 members; rendered in 11 ms

5. Read a leave balance

$ cyberos-hr leave balance --member mai@cyberskill.com

[balance for mai@cyberskill.com]
 annual_remaining: 11.0 / 12.0 days
 sick_remaining: 30.0 / 30.0 days
 sabbatical_accrued: 0.0 days (eligible at 5y)
 service_years: 0 (started 2026-06-01)
 last_accrual: 2026-06-30T00:00:00Z

6. Terminate a Member (Bad Leaver — requires co-sign)

$ cyberos-hr member terminate \
 --member alex@cyberskill.com \
 --kind dismissal \
 --reason "Code of Conduct violation" \
 --cosign-ceo --cosign-cfo

[terminate] dismissal · 2026-05-14
[cosign] ceo: stephen@cyberskill.com (WebAuthn)
[cosign] cfo: hoa@cyberskill.com (WebAuthn)
[auth] sessions revoked (5s SLO) → done
[rew] final pay computed; cash-out 11.0 days annual leave
[esop] branch: BAD_LEAVER → vested SP retained at 60% discount
[asset] opened: laptop, badge, github SSH (3 tasks)
[contract] superseded; effective_to = 2026-05-14
[retention] 10-year hold remains
[audit] brain seq=14862 chain=e7f1…a8b4

7. DSAR export

$ cyberos-hr dsar-export --member mai@cyberskill.com --output dsar.zip

[dsar] member: mai@cyberskill.com
[dsar] profile: 1 row
[dsar] contracts: 1 (active)
[dsar] leave: 4 rows (last P0 → P3 horizon)
[dsar] documents: 3 (offer, NDA, equipment list)
[dsar] cccd: 1 (sev-1 audit added)
[dsar] comp: — (REW DSAR separate)
[dsar] written: dsar.zip (1.8 MB, KMS-encrypted)
[audit] brain seq=14871 chain=f8a2…c4d6

HR is the system-of-record for the workforce. Of the 47 CUO personas, the people-cluster reads from and writes to HR continuously.