Server-derived brand

innovate PCI shell

Dashboard

PCI Data Collection status and cross-module readiness overview.

Organization
Innovate Lab Tenant
Entity
ent_innovate_platform_lab
Scope
server-derived registry scope
Role
pci_operator
Stage
lab
Active theme
Pay Theory
Technical details
brand_pointer
partner://innovate/brand/lab/v2026-05-01
asset_pointer
https://assets.innovate.test/pci/
brand_reasons
none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API
/api/session/brand
Boundary
No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.
Ready for review

Set up and assess progress

22 of 24 responses answered for the active cycle.

92%
In progress

Server-owned task lane

3 workflow tasks stay synced to the Command Center read model.

Blocked — action needed

Questionnaire and findings

2 sections and 1 reviewer finding are in scope.

92%
Needs attention

Evidence record readiness

1 of 3 evidence records is an accepted record.

In progress

Signer and export readiness

2 of 4 sign-ready checks have passed.

In progress

Reviewer decision packet

2 of 6 packet items are ready for reviewer decisioning.

Command Center technical details
read_path
/api/workflows/compliance-cycle
write_boundary
existing CSRF-bound controls only
permission_source
/api/permissions/matrix

PCI application

PCI Compliance Command Center

Interactive compliance workflow workspace

Compliance cycle loaded: 22 of 24 responses answered, 3 evidence records, and 5 review lanes. Same-origin API refresh will keep this workspace current. Tenant authority, live data, payment traffic, restricted contents, and deployment authority stay server-side.

Status: operator review, 92% complete. Action: Start compliance cycle
Client authority
csrf-bound-workflow-save-only
Request policy
trusted-session-csrf-no-viewer-authority-workflow-data-only
CSRF cookie
__Host-pt_pci_csrf same-origin session check for workflow saves.
Data boundary
Workflow state only; no live payment data, restricted evidence files, signed document files, export files, external queues, notifications, or partner-edge authority.

Next best action

Confirm scope

Review the business profile and SAQ path before moving questionnaire work forward.

Use a stage card to work, mark ready, or accept a section; every change goes through the same-origin workflow API.

Workflow

Run the compliance cycle

Compliance lead

Business profile & SAQ scope

SAQ_A recommended; recommendation confidence: needs review.

18 inherited answers, 1 stale item, 2 evidence requirements.
Review scope
Security reviewer

Questionnaire & policy review

22 of 24 control responses answered across 2 sections.

92% complete; 1 review finding tracked.
Continue questionnaire
Evidence coordinator

Evidence collection

3 evidence metadata records and 3 upload-session states are visible.

1 accepted metadata record; browser upload remains disabled.
Review evidence
Executive reviewer

AOC package & acceptance

Export package is blocked with 5 role lanes in final review.

2 sign-ready checks passed; signing remains server-authorized only.
Review package

Controls

Control workbench

Work the concrete control answers and evidence records that move this compliance cycle toward review.

  • Payment flow scope
    12/12 answers complete. SAQ scope and payment-channel review.
    State: ready for review. Action: Open workspace
  • Security policy review
    10/12 answers complete. Clear stale inheritance or record the reviewer answer.
    State: blocked. Action: Open workspace
  • Monitoring readiness evidence
    Request state: missing.
    State: missing. Action: Open workspace

Tasks

Work queue

  • Confirm Data Collection cycle owner
    Source: data collection. Tenant scoped by trusted API session.
    State: open
  • Review Monitoring integration review item
    Source: monitoring. Tenant scoped by trusted API session.
    State: waiting
  • Verify corpus pointer for active cycle
    Source: corpus. Tenant scoped by trusted API session.
    State: open
  • Finding: Review cannot complete until the trusted evidence metadata ref is present.
    Requirement: Monitoring readiness evidence. Owner: pci operator.
    State: unresolved blocker

Evidence

Evidence checklist

  • TPSP AOC metadata package
    Type: tpsp aoc. Visibility: parent visible record only. Scan: passed.
    State: accepted record
  • Monitoring status metadata
    Type: monitoring status. Visibility: tenant visible. Scan: pending.
    State: scanner pending
  • Network scan upload refused
    Type: network scan. Visibility: hidden refused. Scan: refused.
    State: refused metadata
  • Requirement evidence: AOC package evidence
    Status: accepted recorded. Lab sample expiry: 2027-05-04.
    State: accepted recorded
  • Requirement evidence: Monitoring readiness evidence
    Status: missing. No expiry label.
    State: missing

AOC / export

Review package

Sign-ready checks
4
Passed checks
2
Signer review
needs correction
Signature
correction required
Export package
blocked

Acceptance

Final review

Review state
degraded
Role lanes
5
Accepted entities
1
Pending handoffs
4
Browser authority
not allowed

Final review packet

What reviewers need to decide

This packet is the checklist behind final acceptance: each row names the reviewer, the workspace, the decision, and the criteria.

  • Business profile and SAQ scope
    Reviewer: submerchant admin. Decision: confirm payment channels and SAQ path, or request follow-up.
    Criteria: merchant profile is complete; payment channel scope is recorded; SAQ path recommendation is reviewable.
    State: ready for review. Action: Review the scope workspace
  • Questionnaire and policy answers
    Reviewer: submerchant admin. Decision: accept control answers, or return them for changes.
    Criteria: required controls have answers; stale inherited answers are cleared or explained; policy exceptions have owner notes.
    State: not started. Action: Open control answer workbench
  • Evidence request coverage
    Reviewer: evidence uploader. Decision: accept evidence records, or request corrected references.
    Criteria: required evidence records are linked; scanner status is recorded; restricted contents are absent from the browser response.
    State: not started. Action: Open evidence request workbench
  • Monitoring dependency readiness
    Reviewer: pci operator. Decision: confirm Monitoring dependency state, or request remediation.
    Criteria: Monitoring dependency owner is visible; evidence and assessment routes are linked; no browser scan, beacon, CSP, or status-feed mutation is available.
    State: not started. Action: Open monitoring readiness workbench
  • AOC package and correction log
    Reviewer: executive signer. Decision: accept package readiness, or record a correction request.
    Criteria: sign-ready checklist is visible; correction/addendum rows are reviewable; only package status and correction rows are returned.
    State: not started. Action: Open AOC package workbench
  • Final operator acceptance
    Reviewer: pci operator. Decision: record final product review, or request follow-up.
    Criteria: authorized reviewers are visible; role handoff state is reviewable; the final review action is CSRF-bound and server-derived.
    State: not started. Action: Open acceptance flow

Update the selected work item

Use this to move the compliance cycle forward. Saves go through the same-origin API and reload back into the command center. No local browser copy is saved.

Activity

Recent application activity

  • Compliance cycle opened
    operator review with current corpus package; 4 cycle badges active
    State: current
  • Questionnaire progress seeded
    22 answered / 24 total; 92% completion
    State: ready for review
  • AOC package queued for review
    4 sign-ready checks; export state: blocked
    State: needs correction
Technical boundaries

Cycle status
operator_review
Completion
92%
Tasks
3
Evidence records
3

      Workspace status service

      Current PCI workspace health

      read-only

      Loading tenant, compliance, corpus, and workflow status from same-origin services.

      Read APIs
      • /api/metadata/summary
      • /api/compliance/status
      Request policy
      trusted-session-no-query-no-body-no-viewer-authority-workspace-status
      Boundary
      No browser tenant authority, service context input, request body, endpoint value, account identifier, physical id, evidence content, document content, export body, live-data path, queue send, notification send, or fallback browser storage.
      Service-owned status signals
      Area / State / Next signal
      Compliance readiness checks
      Check / Ready / Reason codes

        Continue the PCI compliance workspace

        Accepted: Use the route links exposed by the server-derived permission matrix for the permitted assessment, evidence, AOC, Monitoring, audit, and final acceptance workspaces.

        Supporting service state
        Dashboard support references
        dashboard_bootstrap
        /api/dashboard/bootstrap
        workspace_status
        /api/compliance/status
        supporting_visibility
        collapsed until requested

        Application state

        Dashboard service summary

        read-only

        Loading the current compliance workspace from /api/dashboard/bootstrap. This replaces smoke-card status with the same server-owned tenant, module, compliance, workflow, corpus, and Monitoring state used by the working routes.

        Dashboard API
        /api/dashboard/bootstrap
        Request policy
        trusted-session-no-query-no-body-no-viewer-authority-dashboard-bootstrap
        Boundary
        No browser tenant authority, service context input, request body, endpoint value, account identifier, physical id, evidence content, document content, export body, live-data path, or fallback browser storage.
        Current workspace state
        Area / State / Next signal
        Saved workflow tasks from the command center
        Task / State / Owner / Action

          Operator hierarchy

          Server-derived operator, SaaS Partner, and submerchant relationships rendered without browser tenant authority.

          Accepted

          SaaS Partner account(s)
          1

          Submerchant account(s)
          2

          Operator child relationships
          2
          Operator child relationships

          Authorized hierarchy from tenant registry
          Entity type: operator. Display ref: Pay Theory PCI Operator. Module: Accepted, enabled. Children: 2.
          Hierarchy refs
          entity_ref
          ent_paytheory_operator_lab
          module_state
          enabled
          Entity type: saas_partner. Display ref: Innovate Platform. Module: Accepted, enabled. Children: 2.
          Hierarchy refs
          entity_ref
          ent_innovate_platform_lab
          module_state
          enabled
          Entity type: submerchant. Display ref: Innovate Test Merchant A. Module: Accepted, enabled. Children: 0.
          Hierarchy refs
          entity_ref
          ent_innovate_test_merchant_a
          module_state
          enabled
          Entity type: submerchant. Display ref: Innovate Test Merchant B. Module: Needs attention, pending. Children: 0.
          Hierarchy refs
          entity_ref
          ent_innovate_test_merchant_b
          module_state
          pending
          Runtime and tenant context

          PCI API auth boundary

          PCI BFF session active

          Server-derived context

          The browser is display/navigation only for auth. Tenant, role, principal, identity subject, MFA or step-up posture, and permissions are consumed from the PCI API/BFF session and same-origin service APIs, never browser storage, query strings, forwarded headers, or raw provider tokens.

          Session context
          /api/session/context established this opaque PCI session.
          Brand context
          /api/session/brand provides partner-owned brand manifest pointers.
          Permissions
          /api/permissions/matrix provides route/action visibility and step-up metadata.
          Identity provider
          Autheory, as mapped by the PCI tenant registry.
          Browser token state
          none; no Autheory ID, access, or refresh token is present in app code or storage.

          Local PCI logout

          Sign out of PCI through the PCI API/BFF local logout route. Because logout revokes the opaque BFF session cookie it is a state-changing (unsafe) action, so POST /api/session/logout must be mediated by the same-origin API with the __Host-pt_pci_csrf cookie bound to the x-pt-pci-csrf header. This shell renders the boundary copy only and fails closed when the CSRF session check is unavailable; it never submits a plain browser POST.

          Local logout API
          /api/session/logout
          Required CSRF cookie
          __Host-pt_pci_csrf
          Required CSRF header
          x-pt-pci-csrf
          Unavailable CSRF behavior
          csrf_unavailable; local logout stays blocked (fails closed) and no browser fallback storage is used.

          Provider session logout is separate. Need provider sign-out too? Use the PCI API-mediated provider sign-out guidance after local logout; do not paste provider URLs, tokens, subjects, roles, or tenant ids into this app.

          Trusted tenant context

          Tenant authority: trusted API session

          Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

          No viewer authority inputs were used.

          PRD-384 permission matrix

          Server-derived navigation and actions

          hidden-not-disabled

          Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

          Matrix source
          api_server_derived_from_session_registry_context
          Primary role lane
          pci_operator from server matrix metadata
          Visible actions
          8
          Suppressed actions
          1 action withheld; no client-side disabled control is rendered for it.
          Viewer role accepted
          false
          Signer input accepted
          false

          Step-up reauthentication handoff

          When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

          • Override inherited answer (Reauthenticate): only sensitive_action=answer.override is sent as a non-authoritative retry hint.
          • Queue audit export (Reauthenticate): only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.
          Step-up initiate
          /api/session/step-up
          Callback boundary
          /api/session/callback is API/BFF-owned after provider reauthentication.
          Allowed browser hint
          sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.
          Visible server-allowed actions
          Action | Category | Step-up | Reason
          Review tenant | tenant | server authorized | role_allows_tenant_review
          Review evidence package | evidence | server authorized | role_allows_evidence_review
          Create evidence metadata intake | evidence | server authorized | role_allows_evidence_upload_metadata
          Answer questionnaire | assessment | server authorized | role_allows_answer
          Override inherited answer | assessment | server step-up required | operator_step_up_required
          Invite submerchant | onboarding | server authorized | operator_scope_review_required
          Save workflow state | workflow | server authorized | role_allows_workflow_metadata_save
          Queue audit export | audit | server step-up required | role_allows_operator_audit_export_metadata
          • auth.session_refreshed
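
As an added example, not the shell's own code, the block below shows the two behaviours the permission-matrix and step-up sections describe: projecting a server-derived matrix hidden-not-disabled, and building the step-up retry hint from an allowlist so the browser cannot smuggle tenant, role, signer or viewer authority into the retry. The eight action rows are copied from the visible-actions table above; the JSON field names, every action id except answer.override and operator.audit_export, and the single withheld row (aoc.sign) are assumptions made for this example.

```javascript
// Added example: hidden-not-disabled projection of a permission matrix and an
// allowlisted step-up retry hint. Illustrative; not the PCI shell's own code.
// Field names and the ids other than answer.override / operator.audit_export
// are assumed; the withheld "aoc.sign" row is invented to stand for the one
// suppressed action the page reports.
const SAMPLE_MATRIX = {
  source: "api_server_derived_from_session_registry_context",
  primary_role: "pci_operator",
  actions: [
    { id: "tenant.review", label: "Review tenant", category: "tenant", allowed: true, step_up: false, reason: "role_allows_tenant_review" },
    { id: "evidence.review", label: "Review evidence package", category: "evidence", allowed: true, step_up: false, reason: "role_allows_evidence_review" },
    { id: "evidence.metadata_intake", label: "Create evidence metadata intake", category: "evidence", allowed: true, step_up: false, reason: "role_allows_evidence_upload_metadata" },
    { id: "answer.record", label: "Answer questionnaire", category: "assessment", allowed: true, step_up: false, reason: "role_allows_answer" },
    { id: "answer.override", label: "Override inherited answer", category: "assessment", allowed: true, step_up: true, reason: "operator_step_up_required" },
    { id: "onboarding.invite_submerchant", label: "Invite submerchant", category: "onboarding", allowed: true, step_up: false, reason: "operator_scope_review_required" },
    { id: "workflow.save", label: "Save workflow state", category: "workflow", allowed: true, step_up: false, reason: "role_allows_workflow_metadata_save" },
    { id: "operator.audit_export", label: "Queue audit export", category: "audit", allowed: true, step_up: true, reason: "role_allows_operator_audit_export_metadata" },
    { id: "aoc.sign", label: "Sign AOC", category: "aoc", allowed: false, step_up: false, reason: "role_lacks_signer_authority" },
  ],
};

// Project the matrix for rendering. Never-allowed rows are dropped entirely
// (no disabled button, no label, no reason leaks); allowed rows keep only
// the display fields plus a step-up flag the shell uses to pick the route.
function projectActions(matrix) {
  const visible = [];
  let suppressed = 0;
  for (const row of matrix.actions) {
    if (row.allowed !== true) { suppressed += 1; continue; }
    visible.push({ id: row.id, label: row.label, category: row.category, stepUp: row.step_up === true });
  }
  return { visible, suppressed };
}

// The only keys the browser may send with a step-up retry. Tenant, role,
// principal, subject, MFA, freshness and signer fields are silently dropped.
const ALLOWED_HINT_KEYS = new Set(["sensitive_action", "action"]);

// Build the non-authoritative retry hint. Fails closed: an action the matrix
// does not allow, or does not mark step_up, gets no hint at all.
function buildStepUpHint(matrix, actionId, browserParams = {}) {
  const row = matrix.actions.find((r) => r.id === actionId);
  if (!row || row.allowed !== true) throw new Error("action_not_allowed");
  if (row.step_up !== true) throw new Error("step_up_not_required");
  const hint = {};
  for (const [key, value] of Object.entries(browserParams)) {
    if (ALLOWED_HINT_KEYS.has(key) && typeof value === "string") hint[key] = value;
  }
  // The hint may describe the retry but never rename the action it is for.
  hint.sensitive_action = actionId;
  return hint;
}

module.exports = { SAMPLE_MATRIX, projectActions, buildStepUpHint };
```

The hint is deliberately advisory: the API re-derives session, tenant registry, permissions and freshness itself, so the worst a tampered hint can do is ask for a step-up on an action the server will still refuse.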

          Module status

          • Data Collection: enabled / primary. Data Collection is enabled by trusted session context.
          • Monitoring: enabled / integrated. Monitoring is enabled by trusted session context.

          API runtime binding readiness

          The dashboard exposes the same-origin API readiness route for record-only Factory smoke. The application dashboard uses its service-backed bootstrap API; this readiness probe remains declarative and does not supply tenant, namespace, SSM, account, or service authority.

          Readiness path
          /api/runtime-config/binding-status
          Probe mode
          same-origin-record-only
          Initial state
          pending_same_origin_probe
          Browser authority
          none

          PCI application shell with reviewed same-origin service-backed metadata GETs and CSRF-bound workflow actions for onboarding, scope, assessment, evidence, AOC, reporting, and acceptance review. Tenant authority remains server-derived. No deploy behavior: this screen does not run deploys, payment traffic, partner-edge changes, external queues, notifications, or sandbox/live operations.