
Server-derived brand

innovate PCI shell

Brand & theme

Read-only partner brand pointer review with Pay Theory v1 theme preview.

Organization
Innovate Lab Tenant
Entity
ent_innovate_platform_lab
Scope
server-derived registry scope
Role
pci_operator
Stage
lab
Active theme
Pay Theory
Technical details
brand_pointer
partner://innovate/brand/lab/v2026-05-01
asset_pointer
https://assets.innovate.test/pci/
brand_reasons
none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API
/api/session/brand
Boundary
No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source
api_server_derived_from_session_registry_context
Primary role lane
pci_operator from server matrix metadata
Visible actions
8
Suppressed actions
1 action(s) withheld without client-side disabled controls.
Viewer role accepted
false
Signer input accepted
false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

  • Override inherited answer (Reauthenticate): Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
  • Queue audit export (Reauthenticate): Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.
Step-up initiate
/api/session/step-up
Callback boundary
/api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint
sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.
Visible server-allowed actions
| Action | Category | Step-up | Reason |
|---|---|---|---|
| Review tenant | tenant | server authorized | role_allows_tenant_review |
| Review evidence package | evidence | server authorized | role_allows_evidence_review |
| Create evidence metadata intake | evidence | server authorized | role_allows_evidence_upload_metadata |
| Answer questionnaire | assessment | server authorized | role_allows_answer |
| Override inherited answer | assessment | server step-up required | operator_step_up_required |
| Invite submerchant | onboarding | server authorized | operator_scope_review_required |
| Save workflow state | workflow | server authorized | role_allows_workflow_metadata_save |
| Queue audit export | audit | server step-up required | role_allows_operator_audit_export_metadata |
  • auth.session_refreshed

Module status

  • Data Collection (enabled / primary): Data Collection is enabled by trusted session context.
  • Monitoring (enabled / integrated): Monitoring is enabled by trusted session context.

Brand manifest pointers

Brand & theme renders the sanitized brand view already derived from the trusted session. The browser cannot choose a tenant, override a brand, upload assets, or create theme state.

Accepted
innovate PCI shell

Rendered shell label

Accepted
4

Accepted pointer fields

Accepted
Pay Theory

Active v1 theme

Accepted
Safe brand pointer view from the trusted session model
Brand pointer: partner://innovate/brand/lab/v2026-05-01
Asset base pointer: https://assets.innovate.test/pci/
Theme tokens pointer: partner://innovate/theme/lab/v2026-05-01
Manifest hash: sha256:3333333333333333333333333333333333333333333333333333333333333333
  • Accepted: No degraded brand reasons were returned by the trusted session model.
Session brand payload
source_path
/api/session/brand
model_state
accepted
model_label
innovate PCI shell
model_reasons
none
brand_manifest_ref
partner://innovate/brand/lab/v2026-05-01
asset_base_url
https://assets.innovate.test/pci/
theme_tokens_ref
partner://innovate/theme/lab/v2026-05-01
manifest_sha256
sha256:3333333333333333333333333333333333333333333333333333333333333333
csp_asset_sources
https://assets.innovate.test

Theme preview

The preview uses the current Pay Theory CSS variables and component helpers only. It does not load partner assets and does not switch themes from browser state.

Accepted

PCI Platform command surface

Brand tokens keep the shell neutral when the partner manifest is degraded, while the Pay Theory v1 theme remains active for this release.

PT

Brand mark

Accepted

Brand review state

Accepted
Read

Preview mode

Fail-closed — locked
100%
Preview boundary
active_theme
Pay Theory v1
partner_assets_loaded
false
browser_theme_override
false
browser_storage_fallback
false
write_controls
not mounted

Read/preview-only admin screen

Route visibility is projected by the same server-derived permission matrix as the shell navigation. Hidden routes and actions are removed rather than becoming browser-side controls.

Fail-closed — locked
  • Accepted: Brand state comes from trusted session and registry-derived pointers only.
  • Fail-closed — locked: Browser brand override, asset upload, theme mutation, and local storage fallback are not mounted.
  • Accepted: Same-origin /api/session/brand is the v1 brand pointer source; no new API fields are introduced.
  • Needs attention: Missing or degraded manifest pointers render with the neutral PCI shell and visible reason rows.
Permission route gate
route_id
brandTheme
route_path
/brand-theme
permission_matrix_source
api_server_derived_from_session_registry_context
permission_matrix_browser_authority
none
tenant_authority
trusted-api-session-service sample

PCI application shell with reviewed same-origin service-backed metadata GETs and CSRF-bound workflow actions for onboarding, scope, assessment, evidence, AOC, reporting, and acceptance review. Tenant authority remains server-derived. No deploy behavior: this screen does not run deploys, payment traffic, partner-edge changes, external queues, notifications, or sandbox/live operations.