Server-derived brand

innovate PCI shell

AOC review & export

AOC sign-ready checklist, signer authority, signature request, export status, corrections, and addenda from same-origin document APIs.

Organization: Innovate Lab Tenant
Entity: ent_innovate_platform_lab
Scope: server-derived registry scope
Role: pci_operator
Stage: lab
Active theme: Pay Theory

Technical details
brand_pointer: partner://innovate/brand/lab/v2026-05-01
asset_pointer: https://assets.innovate.test/pci/
brand_reasons: none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API: /api/session/brand
Boundary: No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source: api_server_derived_from_session_registry_context
Primary role lane: pci_operator from server matrix metadata
Visible actions: 8
Suppressed actions: 1 action(s) withheld without client-side disabled controls.
Viewer role accepted: false
Signer input accepted: false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

  • Override inherited answer (Reauthenticate): only sensitive_action=answer.override is sent as a non-authoritative retry hint.
  • Queue audit export (Reauthenticate): only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.

Step-up initiate: /api/session/step-up
Callback boundary: /api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint: sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.
Visible server-allowed actions

Action | Category | Step-up | Reason
Review tenant | tenant | server authorized | role_allows_tenant_review
Review evidence package | evidence | server authorized | role_allows_evidence_review
Create evidence metadata intake | evidence | server authorized | role_allows_evidence_upload_metadata
Answer questionnaire | assessment | server authorized | role_allows_answer
Override inherited answer | assessment | step-up required | operator_step_up_required
Invite submerchant | onboarding | server authorized | operator_scope_review_required
Save workflow state | workflow | server authorized | role_allows_workflow_metadata_save
Queue audit export | audit | step-up required | role_allows_operator_audit_export_metadata
  • auth.session_refreshed
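As an added illustration of the step-up boundary described above and of the CSRF cookie noted under AOC actions (example code, not the shell's or its API's own implementation): a server-side gate that never reads browser-supplied role or tenant headers, checks the `__Host-pt_pci_csrf` double-submit pair on unsafe methods, and decides step-up from a server-held matrix plus session freshness rather than from the `sensitive_action` hint. The `MATRIX` and `REGISTRY` contents, the 300-second freshness window, and the request and session shapes are assumptions.

```javascript
// Added example (not the shell's or its API's own code): a server-side gate for
// step-up actions. Nothing the browser sends (role, tenant, signer, sensitive_action)
// is treated as authority; the decision is re-derived from the trusted session and
// the server-held matrix. MATRIX, REGISTRY, the freshness window and the request
// and session shapes are assumptions made for this example.
const MATRIX = {
  "answer.override":       { role: "pci_operator", stepUp: true,  reason: "operator_step_up_required" },
  "operator.audit_export": { role: "pci_operator", stepUp: true,  reason: "role_allows_operator_audit_export_metadata" },
  "workflow.save":         { role: "pci_operator", stepUp: false, reason: "role_allows_workflow_metadata_save" },
};
const REGISTRY = new Set(["pci_tnt_innovate_lab"]);      // tenants known to the server registry
const UNSAFE = new Set(["POST", "PUT", "PATCH", "DELETE"]);
const STEP_UP_FRESHNESS_SECONDS = 300;                    // assumed reauthentication window

// `action` is bound by the server route; `hint` is the browser's sensitive_action value.
function gate({ method, action, hint, cookies, headers }, session, nowSeconds) {
  // 1. Unsafe methods: the __Host- cookie must exist and equal its header copy (double submit).
  const cookie = cookies["__Host-pt_pci_csrf"];
  if (UNSAFE.has(method) && (!cookie || cookie !== headers["x-csrf-token"])) {
    return { allow: false, reason: "csrf_double_submit_mismatch" };
  }
  // 2. Tenant and role come from the trusted session; x-role / x-tenant headers are never read.
  if (!REGISTRY.has(session.tenant)) return { allow: false, reason: "tenant_not_in_registry" };
  const entry = MATRIX[action];
  if (!entry) return { allow: false, reason: "action_not_in_matrix" };
  if (session.role !== entry.role) return { allow: false, reason: "role_not_allowed" };
  // 3. Step-up is decided by the matrix entry for the route-bound action, never by the hint,
  //    so a hint naming a weaker action cannot downgrade the requirement.
  if (entry.stepUp) {
    const fresh = session.lastStepUpAt != null &&
      nowSeconds - session.lastStepUpAt <= STEP_UP_FRESHNESS_SECONDS;
    if (!fresh) {
      // The hint is only echoed for telemetry; the retry target is the route's own action.
      return { allow: false, reason: entry.reason, stepUp: "/api/session/step-up",
               retryAction: action, browserHint: hint || null };
    }
  }
  return { allow: true, reason: entry.reason };
}

// Constructed sample: an operator retrying answer.override. The hint and the x-role header
// are deliberately wrong to show they do not influence the decision.
const sampleRequest = {
  method: "POST", action: "answer.override", hint: "workflow.save",
  cookies: { "__Host-pt_pci_csrf": "tok-123" },
  headers: { "x-csrf-token": "tok-123", "x-role": "admin" },
};
const staleSession = { tenant: "pci_tnt_innovate_lab", role: "pci_operator", lastStepUpAt: 1000 };
const freshSession = { ...staleSession, lastStepUpAt: 1900 };
```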

Module status

  • Data Collection: enabled / primary. Data Collection is enabled by trusted session context.
  • Monitoring: enabled / integrated. Monitoring is enabled by trusted session context.

AOC follow-up needed

Needs attention
Open AOC reason codes
  • reason_code_1: correction_required_before_signature
  • reason_code_2: service_scope_addendum_pending
  • reason_code_3: signature_confirmation_pending
  • reason_code_4: assessment_not_ready_for_aoc_signature
  • reason_code_5: scanner_verdict_pending
  • reason_code_6: restricted_cardholder_data_refused
  • reason_code_7: parent_evidence_visibility_requires_operator_review
  • reason_code_8: parent_evidence_visibility_degraded
  • reason_code_9: evidence_scanner_pending
  • reason_code_10: evidence_scanner_refused
  • reason_code_11: pan_or_track_pattern_detected
  • reason_code_12: metadata_ref_withheld
  • reason_code_13: scanner_pending
  • reason_code_14: refused_metadata
  • reason_code_15: sign_ready_check_warning
  • reason_code_16: evidence_scanner_or_parent_visibility_pending
  • reason_code_17: sign_ready_check_blocked
  • reason_code_18: signer_authority_review_pending
  • reason_code_19: needs_correction
  • reason_code_20: signer_authority_pending_review
  • reason_code_21: signer_reauth_required
  • reason_code_22: signature_correction_required
  • reason_code_23: export_package_blocked
  • reason_code_24: correction_required_before_export
  • reason_code_25: correction_open
  • reason_code_26: executive_signer_legal_name_mismatch
  • reason_code_27: addendum_addendum_pending
AOC service details

AOC services

Live AOC review workspace

read-only-load

Loading AOC review, document preview, sign-ready, signer, signature request, correction, export package, attestation summary, and attestation export state from same-origin APIs.

Request policy: trusted-session-no-query-no-body-no-viewer-authority-aoc-review
Read APIs
  • /api/documents/aoc/review-state
  • /api/documents/aoc/preview-metadata
  • /api/documents/aoc/sign-ready
  • /api/attestations/summary
  • /api/attestations/export-metadata
Boundary: No browser tenant, entity, cycle, evidence, document, signature, signer, correction, or export authority; no request bodies, endpoint values, account identifiers, physical ids, restricted text, evidence content, document content, signed artifacts, attestation bodies, export bodies, live-data paths, or browser storage fallback.
Current AOC state (columns: Area, State, Next signal)
Sign-ready checks from document service (columns: Check, State, Source refs, Safe message)
Signer and signature authority from document service (columns: Signer, Role, Review, Authority, Browser signature)
Server-owned signature request (columns: Signer, State, Re-auth, Browser material)
Export package metadata from document service (columns: Export, State, Manifest, Browser download)
Correction and addendum metadata from document service (columns: Correction, State, Safe message)
Unsigned attestation and export readiness from compliance service (columns: Area, Status, Readiness, Record ref, Unsafe content)

    AOC review, signing, and export

    Review the service-authored AOC package, signer readiness, correction queue, and export status. Authorship remains separate from the executive signer; signing and export generation stay server-side.

    Executive signer review is display-only and signer authority remains distinct from package authorship.

    Status: Needs attention
    Authority: Document service (Needs attention)
    Display policy: Record-only document preview
    Signature policy: Server-authorized signing only
    Client signing: Browser signing disabled (Accepted)

    AOC service refs
    package_ref: aoc-package://cycle_lab_2026_readiness/submerchant-a/m8-review
    api_shape_ref: service-ref://api/document-service/aoc-review/m8.9
    tenant_stage: pci_tnt_innovate_lab / lab
    authority: document-service
    display_policy: record-only-no-document-body
    signature_policy: server-authorized-signing-only
    browser_signing_state: not_allowed
    signer_ref: signer-ref://innovate/lab/executive-signer-primary
    principal_ref: principal-ref://pci_prn_innovate_operator_001
    signer_review_state: needs_correction
    signer_authority_state: pending_review
    Sign-ready checks passed: 2/4 (50%)
    Open correction/addendum flows: 2 (Correction required)
    Signature confirmation: Correction required; signature_state = correction_required
    Export readiness: Blocked — action needed; export_state = blocked

    AOC actions

    Finalize AOC package

    server-authorized-package-action

    Operators can request server-side signature confirmation, record correction/addendum actions, and request an export package manifest. Signing, document editing, signed artifacts, and document/export identity stay server-side.

    Signature API: /api/documents/aoc/signatures
    Correction API: /api/documents/aoc/corrections
    Export API: /api/documents/aoc/export-package-requests
    CSRF cookie: __Host-pt_pci_csrf double-submit session check for unsafe methods.

    Work signature and export readiness

    Sign-ready checklist, Correction and addendum flows, Export package status, and Unsigned attestation and export readiness are handled from one record-only workspace. The browser never signs, downloads, edits, or stores document/export bodies.

    AOC package workbench
    Columns: Package item | State | Details | Server action

    Package item: Assessment readiness accepted by server state
      State: Accepted (state = passed)
      Check refs:
        check_ref: aoc-check://cycle_lab_2026_readiness/assessment-ready
        source_ref_1: assessment-workspace://cycle_lab_2026_readiness/submerchant-a
        source_ref_2: readiness-ref://cycle_lab_2026_readiness/assessment
      Check reason codes:
        reason_code_1: assessment_readiness_server_state_present

    Package item: Evidence bundle metadata current and scanner-gated
      State: Needs attention (state = warning)
      Check refs:
        check_ref: aoc-check://cycle_lab_2026_readiness/evidence-bundle-current
        source_ref_1: evidence-library://cycle_lab_2026_readiness/submerchant-a
        source_ref_2: evidence-request://cycle_lab_2026_readiness/aoc-metadata
      Check reason codes:
        reason_code_1: evidence_scanner_or_parent_visibility_pending

    Package item: TPSP AOC metadata has current coverage refs
      State: Accepted (state = passed)
      Check refs:
        check_ref: aoc-check://cycle_lab_2026_readiness/tpsp-aoc-current
        source_ref_1: aoc-ref://innovate/path-1/record-only
        source_ref_2: service-scope-ref://tpsp/path-1/hosted-fields
      Check reason codes:
        reason_code_1: tpsp_aoc_metadata_current

    Package item: Executive signer authority verified by server
      State: Blocked — action needed (state = blocked)
      Check refs:
        check_ref: aoc-check://cycle_lab_2026_readiness/executive-signer-authority
        source_ref_1: signer-ref://innovate/lab/executive-signer-primary
      Check reason codes:
        reason_code_1: signer_authority_review_pending
    Package item: Correction
      State: Correction required (state = open)
      Flow refs:
        correction_ref: correction-flow://cycle_lab_2026_readiness/aoc/legal-name
        source_finding_ref: review-finding://cycle_lab_2026_readiness/aoc/name

      Correction is displayed as server-owned metadata; no editable document body or signing control is mounted.

      Correction refs:
        correction_ref: correction-flow://cycle_lab_2026_readiness/aoc/legal-name
        flow_type: correction
        source_finding_ref: review-finding://cycle_lab_2026_readiness/aoc/name
        replacement_export_ref: pending
      Correction reason codes:
        reason_code_1: executive_signer_legal_name_mismatch

    Package item: Addendum
      State: Correction required (state = addendum_pending)
      Flow refs:
        correction_ref: addendum-flow://cycle_lab_2026_readiness/aoc/service-scope-note
        source_finding_ref: review-finding://cycle_lab_2026_readiness/aoc/service-scope

      Addendum package state is record-only until the document service produces an immutable export ref.

      Correction refs:
        correction_ref: addendum-flow://cycle_lab_2026_readiness/aoc/service-scope-note
        flow_type: addendum
        source_finding_ref: review-finding://cycle_lab_2026_readiness/aoc/service-scope
        replacement_export_ref: export-package://cycle_lab_2026_readiness/aoc/addendum-pending
      Correction reason codes:
        reason_code_1: service_scope_addendum_pending
    Package item: Export package status
      State: Blocked — action needed (state = blocked)
      Export refs and hashes:
        export_ref: export-package://cycle_lab_2026_readiness/aoc/pending
        manifest_sha256: sha256:9090909090909090909090909090909090909090909090909090909090909090
        package_sha256: pending
        retention_anchor_ref: pending
        generated_at: not_generated
        document_ref_1: document-ref://cycle_lab_2026_readiness/aoc/draft-record-only
        document_ref_2: document-hash-ref://sha256:5656565656565656565656565656565656565656565656565656565656565656
      Export reason codes:
        reason_code_1: signature_confirmation_pending
        reason_code_2: correction_required_before_export

    Package item: Unsigned attestation
      State: Correction required (state = correction_required)
      Signature refs and hashes:
        confirmation_ref: signature-confirmation://cycle_lab_2026_readiness/aoc/pending-correction
        signature_request_ref: signature-request://cycle_lab_2026_readiness/aoc/server-owned
        signed_document_ref: pending
        signed_document_sha256: pending
        signer_event_hash: pending
        audit_event_ref: pending
        signed_at: not_signed
        display_policy: confirmation-record-only-no-browser-signing

      Unsigned attestation and export readiness are record-only; no attestation body, document body, or signer material is created in the browser.

      Signature reason codes:
        reason_code_1: signer_authority_review_pending
        reason_code_2: correction_required_before_signature

    AOC package action

    Submits package action intent only. No client-side signature material, document content file, download URL, or client-owned approval authority is present.

    Last AOC API result

    Waiting for operator action.

    PCI application shell with reviewed same-origin service-backed metadata GETs and CSRF-bound workflow actions for onboarding, scope, assessment, evidence, AOC, reporting, and acceptance review. Tenant authority remains server-derived. No deploy behavior: this screen does not run deploys, payment traffic, partner-edge changes, external queues, notifications, or sandbox/live operations.