Server-derived brand

innovate PCI shell

Acceptance flow

End-to-end acceptance, role flows, accessibility checkpoints, closure checks, and coverage thresholds.

Organization: Innovate Lab Tenant
Entity: ent_innovate_platform_lab
Scope: server-derived registry scope
Role: pci_operator
Stage: lab
Active theme: Pay Theory

Technical details

brand_pointer: partner://innovate/brand/lab/v2026-05-01
asset_pointer: https://assets.innovate.test/pci/
brand_reasons: none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API: /api/session/brand
Boundary: No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source: api_server_derived_from_session_registry_context
Primary role lane: pci_operator from server matrix metadata
Visible actions: 8
Suppressed actions: 1 action(s) withheld without client-side disabled controls.
Viewer role accepted: false
Signer input accepted: false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

Override inherited answer Reauthenticate Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
Queue audit export Reauthenticate Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.

Step-up initiate: /api/session/step-up
Callback boundary: /api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint: sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.

Visible server-allowed actions
Action	Category	Step-up	Reason
Review tenant	tenant	server authorized	role_allows_tenant_review
Review evidence package	evidence	server authorized	role_allows_evidence_review
Create evidence metadata intake	evidence	server authorized	role_allows_evidence_upload_metadata
Answer questionnaire	assessment	server authorized	role_allows_answer
Override inherited answer	assessment	server step-up required	operator_step_up_required
Invite submerchant	onboarding	server authorized	operator_scope_review_required
Save workflow state	workflow	server authorized	role_allows_workflow_metadata_save
Queue audit export	audit	server step-up required	role_allows_operator_audit_export_metadata

auth.session_refreshed

Module status

Data Collection enabled / primary Data Collection is enabled by trusted session context.
Monitoring enabled / integrated Monitoring is enabled by trusted session context.

Acceptance stateNeeds review

Acceptance flow needs review

scanner_verdict_pending
signer_authority_review_pending
report_stale_until_rebase_reviewed
acceptance_lane_degraded
scanner_verdict_required
browser_upload_not_allowed
restricted_cardholder_data_refused
server_authorized_signing_only
browser_signing_not_allowed
signed_document_body_not_rendered
acceptance_scenario_degraded
acceptance_scenario_closed
missing_session
unauthorized_session_closed
registry_partner_stage_mismatch
forbidden_session_closed

Acceptance service details

Acceptance services

Live acceptance flow workspace

read-only-load

Loading final-review, role-lane, authorized reviewer, handoff, checklist, workflow, and audit state from /api/acceptance/flow-state into the working acceptance workspace.

Acceptance API: /api/acceptance/flow-state
Action APIs: /api/acceptance/role-handoffs and /api/acceptance/final-review are mounted below as CSRF-bound review actions.
Request policy: trusted-session-no-query-no-body-no-viewer-authority-acceptance-workflow
Boundary: No browser tenant, entity, acceptance, role, handoff, final-review, queue, notification, evidence, document, endpoint, or live-data authority; no request body on the read path and no browser storage fallback.

Final review path from acceptance service
Step	Route	Expected state	Safe message

Role lanes from acceptance service
Lane	Role	State	Browser action	Authority	Source

Authorized reviewers from acceptance service
Reviewer	Role	Lane state	Review route	Allowed metadata actions	Browser/queue

Final review packet from acceptance service
Item	Reviewer	State	Workspace	Decision	Criteria

Final acceptance checklist from service
Check	State	Safe message

CSRF-bound acceptance action paths
Action	Path	Method	CSRF	Body policy

Workflow and audit backing state
Area	State	Count/status	Browser mutation

Acceptance actionsExisting CSRF seam

Record handoff review and final operator acceptance

safe-review-action

Operators can record the current role-handoff review and final acceptance decision through the same-origin API. The server derives tenant, acceptance flow, role lanes, handoff, final review, actor, audit, and workflow refs; the client supplies only action intent and reason code.

Role handoff API: /api/acceptance/role-handoffs
Final review API: /api/acceptance/final-review
CSRF cookie: __Host-pt_pci_csrf double-submit session check for unsafe methods.
Boundary: No client role authority, evidence payload, document payload, signed artifact, queue, notification, live data, endpoint value, or fallback persistence.

Acceptance review workbenchRole-lane handoff rows

Work final acceptance

role-to-final-review

Review each role lane and cross-role handoff, then record handoff or final review intent from the row. The server still derives tenant, role, handoff, acceptance, audit, workflow, and actor authority.

Acceptance item	State	Server authority
Operator acceptance Pci Operator	ready_for_review Operator sees hierarchy, provisional assignment, and report refs for review; approval remains server-owned.	`server-authority://operator-review/acceptance` `principal-ref://pci_prn_innovate_operator_001`
SaaS Partner acceptance Saas Partner Admin	accepted SaaS Partner lane renders parent TPSP and Monitoring metadata refs without copying partner-owned assets.	`server-authority://partner-parent-attestation` `principal-ref://innovate_partner_admin_metadata`
Submerchant acceptance Submerchant Admin	ready_for_review Submerchant lane shows assessment completion and readiness refs only; viewer-supplied entity IDs are ignored.	`server-authority://submerchant-assessment` `principal-ref://submerchant-admin-metadata`
Evidence Uploader acceptance Evidence Uploader	awaiting_evidence Evidence Uploader lane displays scanner states, refusal copy, and metadata hashes; the browser never uploads evidence.	`server-authority://evidence-scanner-gate` `principal-ref://evidence-uploader-metadata`
Executive Signer acceptance Executive Signer	sign_ready Executive Signer lane renders signer review and signature confirmation record only; no signing control is mounted.	`server-authority://document-signature-confirmation` `principal-ref://signer-record-only`
Saas Partner Admin to Submerchant Admin `acceptance-handoff://partner-to-submerchant/invite`	complete Invitation handoff is complete from server invitation state; no invite mutation is exposed.	`server-gate://invitation-approved`
Submerchant Admin to Evidence Uploader `acceptance-handoff://submerchant-to-evidence-uploader`	waiting_on_metadata Evidence handoff waits on scanner metadata; no evidence payload or upload form is rendered.	`server-gate://evidence-scanner-verdict`
Pci Operator to Executive Signer `acceptance-handoff://operator-to-executive-signer`	pending_server_review Signer handoff is pending server review; the browser cannot authorize or sign.	`server-gate://signer-authority-review`
Pci Operator to Saas Partner Admin `acceptance-handoff://unauthorized-viewer/closed`	blocked_closed Unauthorized viewers see closed state with no tenant or entity detail.	`server-gate://trusted-session-required`

Role lanes

Role handoffs

Entity records

Last acceptance API result

Waiting for operator action.

Final review packetWhat reviewers need to decide

Final review packet

The packet shows exactly what each reviewer is deciding and where to work it before final acceptance. What reviewers need to decide: each row names what is being reviewed, who owns the decision, where to open the work, and the acceptance criteria.

Review items

Ready

Still needs work

33%

Review item	Reviewer	State/workspace	Decision	Criteria	Supporting records
Business profile and SAQ scope `review-item-scope`	Needs attention`Submerchant Admin` Scope confirmation	Ready for review`Ready For Review` assessmentWorkspace	Confirm payment channels and SAQ path or request follow-up Review the scope workspace	`Merchant profile is complete` `Payment channel scope is recorded` `SAQ path recommendation is reviewable`	`business-profile-record` `saq-scope-record` Accepted`None` Accepted`Not Present`
Questionnaire and policy answers `review-item-questionnaire`	Needs attention`Submerchant Admin` Assessment workspace	Not started`Not Started` assessmentWorkspace	Accept control answers or return them for changes Open control answer workbench	`Required controls have answers` `Stale inherited answers are cleared or explained` `Policy exceptions have owner notes`	`control-answer-records` `policy-exception-records` Accepted`None` Accepted`Not Present`
Evidence request coverage `review-item-evidence`	Needs attention`Evidence Uploader` Evidence library	Not started`Not Started` evidenceLibrary	Accept evidence records or request corrected references Open evidence request workbench	`Required evidence records are linked` `Scanner status is recorded` `Restricted contents are absent from the browser response`	`evidence-request-records` `scanner-status-records` Accepted`None` Accepted`Not Present`
Monitoring dependency readiness `review-item-monitoring`	Needs attention`Pci Operator` Monitoring readiness	Not started`Not Started` monitoring	Confirm Monitoring dependency state or request remediation Open monitoring readiness workbench	`Monitoring dependency owner is visible` `Evidence and assessment routes are linked` `No browser scan, beacon, CSP, or status-feed mutation is available`	`monitoring-dependency-records` `script-inventory-record` Accepted`None` Accepted`Not Present`
AOC package and correction log `review-item-aoc`	Needs attention`Executive Signer` AOC review	Not started`Not Started` aocReview	Accept package readiness or record correction request Open AOC package workbench	`Sign-ready checklist is visible` `Correction/addendum rows are reviewable` `Only package status and correction rows are returned`	`aoc-package-record` `correction-log-record` Accepted`None` Accepted`Not Present`
Final operator acceptance `review-item-final-acceptance`	Needs attention`Pci Operator` Acceptance flow	Not started`Not Started` acceptanceFlow	Record final product review or request follow-up Open acceptance flow	`Authorized reviewers are visible` `Role handoff state is reviewable` `Final review action is CSRF-bound and server-derived`	`authorized-reviewer-roster` `role-handoff-records` Accepted`None` Accepted`Not Present`

Authorized reviewersServer-derived roster

Authorized reviewer roster

This is the actual reviewer list for the lab cycle. It is resolved from server-owned role lanes and principal refs; the browser cannot add reviewers, send notifications, enqueue work, or grant acceptance authority.

Reviewer	Role/principal	Lane	Workspaces	Allowed metadata actions	Authority boundary
Pay Theory PCI Operator `authorized-reviewer://cycle_lab_2026_readiness/pci-operator`	Needs attention`Pci Operator` `principal-ref://pci_prn_innovate_operator_001`	`acceptance-lane://operator/readiness-review` Ready for review`Ready For Review`	workflowTasks acceptanceFlow	`review_workflow_tasks` `record_role_handoff` `record_final_review`	`server-authority://operator-review/acceptance` Accepted`Not Allowed` Accepted`Not Enqueued` Accepted`Not Sent` Accepted`Not Present`
Innovate Partner Admin `authorized-reviewer://cycle_lab_2026_readiness/saas-partner-admin`	Needs attention`Saas Partner Admin` `principal-ref://innovate_partner_admin_metadata`	`acceptance-lane://saas-partner/parent-attestation` Accepted`Accepted`	tenantModules evidenceLibrary	`review_parent_attestation` `confirm_partner_scope`	`server-authority://partner-parent-attestation` Accepted`Not Allowed` Accepted`Not Enqueued` Accepted`Not Sent` Accepted`Not Present`
Submerchant Admin `authorized-reviewer://cycle_lab_2026_readiness/submerchant-admin`	Needs attention`Submerchant Admin` `principal-ref://submerchant-admin-metadata`	`acceptance-lane://submerchant/assessment-readiness` Ready for review`Ready For Review`	assessmentWorkspace complianceCycles	`review_assessment_answers` `respond_to_follow_up`	`server-authority://submerchant-assessment` Accepted`Not Allowed` Accepted`Not Enqueued` Accepted`Not Sent` Accepted`Not Present`
Evidence Coordinator `authorized-reviewer://cycle_lab_2026_readiness/evidence-coordinator`	Needs attention`Evidence Uploader` `principal-ref://evidence-uploader-metadata`	`acceptance-lane://evidence-uploader/scanner-gate` Ready for review`Awaiting Evidence`	evidenceLibrary assessmentWorkspace	`review_evidence_requests` `link_metadata_records`	`server-authority://evidence-scanner-gate` Accepted`Not Allowed` Accepted`Not Enqueued` Accepted`Not Sent` Accepted`Not Present`
Executive Signer `authorized-reviewer://cycle_lab_2026_readiness/executive-signer`	Needs attention`Executive Signer` `principal-ref://signer-record-only`	`acceptance-lane://executive-signer/aoc-confirmation` Ready for review`Sign Ready`	aocReview auditTimeline	`review_aoc_package` `confirm_signer_readiness`	`server-authority://document-signature-confirmation` Accepted`Not Allowed` Accepted`Not Enqueued` Accepted`Not Sent` Accepted`Not Present`

Acceptance overviewServer-owned

End-to-end acceptance flow

Acceptance ref: acceptance-flow://cycle_lab_2026_readiness/e2e-v1; API shape: service-ref://api/acceptance-orchestrator/m10.9/e2e-v1.

Authority: acceptance-orchestrator
Display policy: record-only-no-browser-authority
Client authority: AcceptedNot Allowed
Tenant/stage: pci_tnt_innovate_lab / lab

Role acceptance lanes

3/5

Available lanes

Lanes needing review

Guarded scenarios

Authorized reviewers

Entity acceptance records

1/4

Complete handoffs

Operator and entity lanesRole-lane rows

Operator and entity acceptance lanes

Role lanes are resolved by the service. Operator, partner, submerchant, uploader, signer, compliance, scan, export, and signing authority stay server-side.

Lane	Entity	State	Server authority	Source refs	Routes	Guardrails
`acceptance-lane://operator/readiness-review` Needs attention`Pci Operator`	Operator acceptance `ent_paytheory_operator_lab`	Ready for review`Ready For Review` Accepted`Available`	`server-authority://operator-review/acceptance` `principal-ref://pci_prn_innovate_operator_001`	`invitation://inv_partner_submerchant_b` `saq-assignment://innovate/lab/submerchant-a/provisional` `compliance-report://cycle_lab_2026_readiness/operator-status`	tenantModules complianceCycles workflowTasks	`trusted_session_required` `operator_review_server_owned` Operator sees hierarchy, provisional assignment, and report refs for review; approval remains server-owned.
`acceptance-lane://saas-partner/parent-attestation` Needs attention`Saas Partner Admin`	SaaS Partner acceptance `ent_innovate_platform_lab`	Accepted`Accepted` Accepted`Available`	`server-authority://partner-parent-attestation` `principal-ref://innovate_partner_admin_metadata`	`tpsp-record://innovate/path-1/payment-facilitator` `aoc-ref://innovate/path-1/record-only` `service-scope-ref://tpsp/path-1/hosted-fields`	tenantModules evidenceLibrary monitoring	`partner_assets_pointer_only` `parent_evidence_record_only` SaaS Partner lane renders parent TPSP and Monitoring metadata refs without copying partner-owned assets.
`acceptance-lane://submerchant/assessment-readiness` Needs attention`Submerchant Admin`	Submerchant acceptance `ent_innovate_test_merchant_a`	Ready for review`Ready For Review` Accepted`Available`	`server-authority://submerchant-assessment` `principal-ref://submerchant-admin-metadata`	`assessment-workspace://cycle_lab_2026_readiness/submerchant-a` `response-group://cycle_lab_2026_readiness/submerchant-a/payment-flow` `readiness-ref://cycle_lab_2026_readiness/assessment`	assessmentWorkspace complianceCycles	`response_refs_only` `tenant_authority_from_session_context` Submerchant lane shows assessment completion and readiness refs only; viewer-supplied entity IDs are ignored.
`acceptance-lane://evidence-uploader/scanner-gate` Needs attention`Evidence Uploader`	Evidence Uploader acceptance `ent_innovate_test_merchant_a`	Ready for review`Awaiting Evidence` Needs attention`Degraded`	`server-authority://evidence-scanner-gate` `principal-ref://evidence-uploader-metadata`	`evidence-upload-session://cycle_lab_2026_readiness/monitoring-status/pending` `evidence-upload-session://cycle_lab_2026_readiness/network-scan/refused` `evidence-ref://cycle_lab_2026_readiness/tpsp-aoc-metadata`	evidenceLibrary assessmentWorkspace	`scanner_verdict_required` `browser_upload_not_allowed` `restricted_cardholder_data_refused` Evidence Uploader lane displays scanner states, refusal copy, and metadata hashes; the browser never uploads evidence.
`acceptance-lane://executive-signer/aoc-confirmation` Needs attention`Executive Signer`	Executive Signer acceptance `ent_innovate_platform_lab`	Ready for review`Sign Ready` Needs attention`Degraded`	`server-authority://document-signature-confirmation` `principal-ref://signer-record-only`	`signer-ref://innovate/lab/executive-signer-primary` `signature-confirmation://cycle_lab_2026_readiness/aoc/pending-correction` `export-package://cycle_lab_2026_readiness/aoc/pending`	aocReview auditTimeline	`server_authorized_signing_only` `browser_signing_not_allowed` `signed_document_body_not_rendered` Executive Signer lane renders signer review and signature confirmation record only; no signing control is mounted.

Entity acceptanceTrusted hierarchy

Entity acceptance chain

Operator, SaaS Partner, and Submerchant records show the accepted hierarchy for this cycle; tenant authority comes from trusted API/session context.

Entity	Type	Parent	Acceptance	Owner role	Source refs
`ent_paytheory_operator_lab` Pay Theory PCI Operator	Needs attention`Operator`	`root_operator`	Ready for review`Operator Review`	Needs attention`Pci Operator`	`operator-registry-ref://paytheory/lab/pci`
`ent_innovate_platform_lab` Innovate Platform	Needs attention`Saas Partner`	`ent_paytheory_operator_lab`	Accepted`Accepted`	Needs attention`Saas Partner Admin`	`partner-registry-ref://innovate/lab/platform`
`ent_innovate_test_merchant_a` Innovate Test Merchant A	Needs attention`Submerchant`	`ent_innovate_platform_lab`	Ready for review`Evidence Pending`	Needs attention`Submerchant Admin`	`submerchant-registry-ref://innovate/lab/merchant-a`
`ent_innovate_test_merchant_b` Innovate Test Merchant B	Needs attention`Submerchant`	`ent_innovate_platform_lab`	Ready for review`Operator Review`	Needs attention`Pci Operator`	`submerchant-registry-ref://innovate/lab/merchant-b`

Cross-role handoffsServer gates

Cross-role handoffs

Handoffs show the gates between roles. Queues, notifications, client-side mutations, and document bodies are not mounted here.

Handoff	Roles	State	Server gate	Source refs	Safe summary
`acceptance-handoff://partner-to-submerchant/invite`	Needs attention`Saas Partner Admin` → Needs attention`Submerchant Admin`	Accepted`Complete`	`server-gate://invitation-approved`	`invitation://inv_operator_direct_submerchant_a`	Invitation handoff is complete from server invitation state; no invite mutation is exposed.
`acceptance-handoff://submerchant-to-evidence-uploader`	Needs attention`Submerchant Admin` → Needs attention`Evidence Uploader`	Ready for review`Waiting On Metadata`	`server-gate://evidence-scanner-verdict`	`evidence-request://cycle_lab_2026_readiness/monitoring-status-metadata` `scanner-ref://cycle_lab_2026_readiness/monitoring-status/pending`	Evidence handoff waits on scanner metadata; no evidence payload or upload form is rendered.
`acceptance-handoff://operator-to-executive-signer`	Needs attention`Pci Operator` → Needs attention`Executive Signer`	Ready for review`Pending Server Review`	`server-gate://signer-authority-review`	`aoc-check://cycle_lab_2026_readiness/executive-signer-authority` `signer-ref://innovate/lab/executive-signer-primary`	Signer handoff is pending server review; the browser cannot authorize or sign.
`acceptance-handoff://unauthorized-viewer/closed`	Needs attention`Pci Operator` → Needs attention`Saas Partner Admin`	Fail-closed — locked`Blocked Closed`	`server-gate://trusted-session-required`	`app-api-session.missing-session`	Unauthorized viewers see closed state with no tenant or entity detail.

Guarded statesFail-closed

Guarded acceptance states

Scenario rows document authorized, review-needed, unauthorized, and forbidden render behavior using API/session guardrails. Closed scenarios disclose no tenant-scoped detail.

Scenario	Session	Render	Reasons	Safe summary
`acceptance-scenario://authorized/record-only` Authorized record-only acceptance	`app-api-session.authenticated` `200`	Accepted`Available` Needs attention`Metadata Only`	`trusted_session_context_present`	Trusted API/session state permits route metadata while all mutations remain server-owned.
`acceptance-scenario://degraded/evidence-scanner-pending` Degraded evidence scanner acceptance	`app-api-session.authenticated` `200`	Needs attention`Degraded` Needs attention`Metadata Only`	`scanner_verdict_pending` `restricted_cardholder_data_refused`	Evidence and signer lanes degrade until trusted service scanner and review metadata are accepted.
`acceptance-scenario://unauthorized/missing-session` Unauthorized missing session closed	`app-api-session.missing-session` `401`	Fail-closed — locked`Closed` Needs attention`Closed No Tenant Detail`	`missing_session` `unauthorized_session_closed`	Missing session renders closed and withholds role, tenant, entity, evidence, document, and export detail.
`acceptance-scenario://forbidden/registry-mismatch` Forbidden registry mismatch closed	`app-api-session.registry-mismatch` `403`	Fail-closed — locked`Closed` Needs attention`Closed No Tenant Detail`	`registry_partner_stage_mismatch` `forbidden_session_closed`	Registry mismatch renders closed without disclosing tenant-scoped acceptance state.

Lab pilot hardening degraded

Operator completion is guided by server-owned refs, accessibility checkpoints, and review-needed state drills.

evidence_uploader_scanner_drill_pending
executive_signer_authority_drill_pending
lab_pilot_flow_needs_review

Lab pilot usability and operator script alignment

Pilot ref: lab-pilot://cycle_lab_2026_readiness/m12.10-usability-hardening; API shape: service-ref://api/lab-pilot-acceptance/m12.10/v1.

Authority: lab-pilot-acceptance-orchestrator
Display policy: role-script-record-only-no-browser-authority
Completion policy: server-gated-completion-refs-only
Client authority: not_allowed
Operator script: operator-acceptance-script://pci-platform-app/m12.10/lab-pilot-readiness

Role-specific non-engineer completion flows

Role-specific pilot completion script refs and server gates
Flow	Route	Completion gate	Script steps	Accessibility refs	Review drills and summary
`lab-pilot-flow://operator/non-engineer-review` pci_operator	Operator pilot completion `acceptanceFlow`	ready `server-gate://operator-lab-pilot-signoff`	`script-step://confirm-trusted-session-banner` `script-step://review-role-lanes-without-engineering-tools` `script-step://record-server-gate-ref`	`a11y-check://skip-link-main-landmark` `a11y-check://status-text-not-color-only`	`degraded-drill://missing-session-closed` `degraded-drill://brand-pointer-neutral-shell` Operator can complete the pilot from route copy, badges, and server gate refs without engineering console access.
`lab-pilot-flow://saas-partner-parent-scope` saas_partner_admin	SaaS Partner pilot completion `tenantModules`	ready `server-gate://partner-parent-scope-review`	`script-step://confirm-partner-pointer-copy` `script-step://confirm-monitoring-sample-copy`	`a11y-check://landmarks-and-headings` `a11y-check://table-captions-for-pilot-grids`	`degraded-drill://monitoring-revoked-closed` SaaS Partner flow explains parent scope and Monitoring coexistence with pointer-only metadata.
`lab-pilot-flow://submerchant-assessment-readiness` submerchant_admin	Submerchant pilot completion `assessmentWorkspace`	ready `server-gate://submerchant-readiness-review`	`script-step://confirm-readiness-badges` `script-step://confirm-evidence-required-copy`	`a11y-check://status-text-not-color-only` `a11y-check://focus-visible-styles`	`degraded-drill://suspended-data-collection-closed` Submerchant flow uses completion badges and readiness refs only; questionnaire authority remains server-owned.
`lab-pilot-flow://evidence-uploader-scanner-copy` evidence_uploader	Evidence Uploader pilot completion `evidenceLibrary`	needs_review `server-gate://evidence-scanner-pilot-review`	`script-step://confirm-refusal-copy` `script-step://confirm-no-upload-control-mounted`	`a11y-check://status-text-not-color-only` `a11y-check://keyboard-safe-no-mutation-controls`	`degraded-drill://evidence-scanner-pending` Evidence Uploader flow is intentionally degraded until scanner metadata is accepted; payload upload is not mounted.
`lab-pilot-flow://executive-signer-display-only` executive_signer	Executive Signer pilot completion `aocReview`	needs_review `server-gate://executive-signer-pilot-review`	`script-step://confirm-signature-copy-display-only` `script-step://confirm-export-package-status-copy`	`a11y-check://landmarks-and-headings` `a11y-check://keyboard-safe-no-mutation-controls`	`degraded-drill://signer-authority-review` Executive Signer flow renders signer and export record only; signing remains server-authorized.

Accessibility acceptance checkpoints

Accessibility metadata checkpoints for the lab pilot
Checkpoint	State	Evidence ref	Safe summary
`a11y-check://skip-link-main-landmark` Skip link reaches main content	pass `wcag-2.2-aa-metadata`	`a11y-evidence://render-shell/skip-link-main`	Shell renders a skip link and labelled main landmark for keyboard users.
`a11y-check://landmarks-and-headings` Landmarks and headings are labelled	pass `wcag-2.2-aa-metadata`	`a11y-evidence://render-shell/landmark-heading-order`	Navigation, brand, trust, module, and route sections expose text headings and labels.
`a11y-check://table-captions-for-pilot-grids` Pilot grids include captions	pass `wcag-2.2-aa-metadata`	`a11y-evidence://lab-pilot/tables-captioned`	Role-flow, accessibility, degraded-state, unsafe-closure, and coverage grids include captions.
`a11y-check://status-text-not-color-only` Statuses render as text, not color alone	pass `wcag-2.2-aa-metadata`	`a11y-evidence://lab-pilot/status-badges-text`	Every pilot status appears as visible text plus data attributes for automated checks.
`a11y-check://focus-visible-styles` Keyboard focus remains visible	pass `wcag-2.2-aa-metadata`	`a11y-evidence://shell-css/focus-visible`	Shell CSS includes visible focus treatment for links and focusable landmarks.
`a11y-check://keyboard-safe-no-mutation-controls` Keyboard path does not expose mutation controls	pass `wcag-2.2-aa-metadata`	`a11y-evidence://lab-pilot/no-controls-mounted`	Pilot flow remains display-only and does not mount forms, uploads, signing, queues, or notifications.

Review-needed and closed-state drills

Operator review-state drill script
Drill	Route and session	Expected state	Reason codes	Operator instruction
`degraded-drill://missing-session-closed` Missing session closes route	`acceptanceFlow` `app-api-session.missing-session`	closed `401`	`missing_session` `trusted_session_unavailable`	Confirm closed copy appears without tenant, entity, role, evidence, document, or export detail.
`degraded-drill://suspended-data-collection-closed` Suspended Data Collection closes dependent flows	`assessmentWorkspace` `app-api-session.data-collection-suspended`	closed `200`	`data_collection_module_pending`	Confirm assessment, evidence, document, compliance, and pilot details render closed when Data Collection is unavailable.
`degraded-drill://brand-pointer-neutral-shell` Degraded brand pointer falls back neutrally	`dashboard` `app-api-session.degraded-brand`	degraded `200`	`brand_manifest_degraded`	Confirm neutral PCI shell copy renders without central partner asset duplication.
`degraded-drill://monitoring-revoked-closed` Revoked Monitoring readiness closes Monitoring view	`monitoring` `session://monitoring.readiness-revoked`	closed `200`	`monitoring_inherited_path_revoked`	Confirm Monitoring remains a shell review item and does not assume production Monitoring behavior.
`degraded-drill://evidence-scanner-pending` Pending scanner keeps evidence flow degraded	`evidenceLibrary` `session://evidence.scanner-pending`	degraded `200`	`scanner_verdict_pending`	Confirm evidence metadata and refusal copy render while upload and payload controls remain absent.
`degraded-drill://signer-authority-review` Signer authority review keeps signing display-only	`aocReview` `session://aoc.signer-review-pending`	degraded `200`	`signer_authority_review_pending`	Confirm signer review and export status metadata render without browser signing authority.

Unsafe-state closure checks

Unsafe lab pilot closure and ignored viewer-input checks
Check	Viewer input or session	Gate	Reason codes	Safe summary
`unsafe-check://viewer-tenant-role-ignored` Viewer tenant and role inputs are ignored	`query://tenant_id-role_ref-acceptance_ref`	ignored available	`auth.viewer_tenant_spoofed`	Viewer-supplied tenant, role, and acceptance refs are counted for audit and never become authority.
`unsafe-check://missing-session-closed` Missing session closes pilot	`app-api-session.missing-session`	closed closed	`trusted_session_unavailable`	Pilot completion details remain withheld without trusted API/session context.
`unsafe-check://unsafe-browser-authority-closed` Unsafe browser authority closes pilot service sample	`session://lab-pilot.browser-authority-allowed`	closed closed	`lab_pilot_browser_authority_not_allowed`	Pilot service sample closes if any browser-owned completion, signing, upload, queue, or notification authority is advertised.

Coverage threshold alignment

Lab pilot validation coverage thresholds
Command	Lines	Functions	Branches	Enforcement
`npm run coverage`	90%	90%	90%	local-and-gov-rubric