Server-derived brand

innovate PCI shell

Evidence library

Evidence metadata library, upload-session scan states, refusal copy, TPSP AOC refs, response links, and parent visibility.

Organization: Innovate Lab Tenant
Entity: ent_innovate_platform_lab
Scope: server-derived registry scope
Role: pci_operator
Stage: lab
Active theme: Pay Theory

Technical details

brand_pointer: partner://innovate/brand/lab/v2026-05-01
asset_pointer: https://assets.innovate.test/pci/
brand_reasons: none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API: /api/session/brand
Boundary: No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source: api_server_derived_from_session_registry_context
Primary role lane: pci_operator from server matrix metadata
Visible actions: 8
Suppressed actions: 1 action(s) withheld without client-side disabled controls.
Viewer role accepted: false
Signer input accepted: false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

Override inherited answer Reauthenticate Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
Queue audit export Reauthenticate Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.

Step-up initiate: /api/session/step-up
Callback boundary: /api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint: sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.

Visible server-allowed actions
Action	Category	Step-up	Reason
Review tenant	tenant	server authorized	role_allows_tenant_review
Review evidence package	evidence	server authorized	role_allows_evidence_review
Create evidence metadata intake	evidence	server authorized	role_allows_evidence_upload_metadata
Answer questionnaire	assessment	server authorized	role_allows_answer
Override inherited answer	assessment	server step-up required	operator_step_up_required
Invite submerchant	onboarding	server authorized	operator_scope_review_required
Save workflow state	workflow	server authorized	role_allows_workflow_metadata_save
Queue audit export	audit	server step-up required	role_allows_operator_audit_export_metadata

auth.session_refreshed

Module status

Data Collection enabled / primary Data Collection is enabled by trusted session context.
Monitoring enabled / integrated Monitoring is enabled by trusted session context.

Evidence service details

Evidence services

Live evidence workspace

read-only-load

Loading the evidence library, request status, scan gate, visibility, and export package status from same-origin APIs.

Request policy

trusted-session-no-query-no-body-no-viewer-authority-evidence-library

Read APIs

/api/evidence/library-state
/api/evidence/status
/api/evidence/scan-status
/api/evidence/visibility
/api/evidence/export-package-metadata

Boundary

No browser tenant, entity, cycle, evidence, upload, scan, object, or export authority; no request bodies, endpoint values, account identifiers, physical ids, restricted text, evidence content, document content, signed artifacts, export bodies, live-data paths, or browser storage fallback.

Current evidence state
Area	State	Next signal

Upload sessions from evidence service
Request	State	Scanner	Browser upload

Evidence metadata rows from evidence service
Evidence	Lifecycle	Visibility	Linked response	Browser retrieval

TPSP AOC metadata from evidence service
Provider	Coverage	Validation	Document policy

Evidence libraryServer-owned metadata

Evidence library

Review evidence refs, scanner posture, visibility, and linked assessment responses without browser upload or retrieval authority.

Needs attentiondegraded

PAN/track data is never accepted by this app shell; trusted service scanning refuses restricted cardholder data before metadata can be linked.
Restricted classes: PAN, track_data, sensitive_authentication_data

Evidence service details

library_ref: evidence-library://cycle_lab_2026_readiness/submerchant-a
api_shape_ref: service-ref://api/evidence-library/m7.9
authority: evidence-service
display_policy: record-only-no-browser-authority
upload_render_policy: display-only-no-browser-upload
tenant_stage: pci_tnt_innovate_lab / lab
redaction_warning_code: pan_track_data_refusal_required

Evidence records

Acceptedaccepted record

Scanner pending sessions

Scan in progresspending

Scanner pass sessions

Acceptedpassed

Scanner refused sessions

Rejected — sensitive data detectedrefused

Evidence actions

Collect and link evidence metadata

safe-evidence-intake

Operators can issue an evidence intake record, record a refusal, or link/unlink the current evidence object to the assessment response. Upload URLs, file contents, quarantine objects, tenant authority, and scanner authority stay server-side.

Upload session API: /api/evidence/upload-sessions
Refusal API: /api/evidence/refusals
Response link APIs: /api/evidence/response-links / /api/evidence/response-unlinks
CSRF cookie: __Host-pt_pci_csrf double-submit session check for unsafe methods.

Evidence request workbench

Work evidence requests

request-to-response

Work each evidence request from the library screen: create the intake record, link accepted evidence to the assessment response, record refusal, or reopen the link for review. The browser never receives upload URLs or file contents.

Request	Control	Intake state	Scan state	Assessment link
AOC package evidence `evidence-request://cycle_lab_2026_readiness/aoc-metadata`	`requirement-ref://saq-a/record-only/aoc`	scan_passed TPSP AOC metadata passed scanner checks and is available as refs, statuses, and hashes only.	passed Lab sample timestamp: 2026-05-07T00:10Z	Open assessment `response-group://cycle_lab_2026_readiness/submerchant-a/payment-flow`
Monitoring readiness evidence `evidence-request://cycle_lab_2026_readiness/monitoring-status-metadata`	`requirement-ref://saq-a/record-only/monitoring`	scanner_pending Scanner verdict is pending; linked response remains blocked until trusted service metadata passes.	pending Lab sample timestamp: 2026-05-07T00:15Z	Open assessment `response-group://cycle_lab_2026_readiness/submerchant-a/monitoring-readiness`
Evidence request `evidence-request://cycle_lab_2026_readiness/network-scan-metadata`	`requirement-ref://saq-a/record-only/network-scan`	scan_refused Scanner refused the attempted upload because PAN/track-like data was detected; no object ref is exposed.	refused Lab sample timestamp: 2026-05-07T00:20Z	Open assessment `response-group://cycle_lab_2026_readiness/submerchant-a/operator-review`

Last evidence API result

Waiting for operator action.

Upload-session scan statesBrowser upload disabled

Upload-session lifecycle

Upload sessions show intake state, linked response, scanner status, and refusal outcomes. This workspace does not render uploaded file contents.

Upload-session scanner states
Session/request refs	Linked response UX	Requirement ref	Session state	Scanner state	Object/manifest hashes	Refusal/safe message
Session/request refs `upload_session_ref` `evidence-upload-session://cycle_lab_2026_readiness/tpsp-aoc/pass` `request_ref` `evidence-request://cycle_lab_2026_readiness/aoc-metadata`	Open linked response workspace Linked response ref `linked_response_ref` `response-group://cycle_lab_2026_readiness/submerchant-a/payment-flow`	Requirement ref `linked_requirement_ref` `requirement-ref://saq-a/record-only/aoc`	Accepted`scan_passed` Upload policy `display_policy` `display-only-no-browser-upload`	Accepted`passed` Scanner ref `scanner_ref` `scanner-ref://cycle_lab_2026_readiness/tpsp-aoc/pass` `scanner_updated_at` `Lab sample timestamp: 2026-05-07T00:10Z` Reason codes `reason_code` `metadata_hash_recorded` `reason_code` `no_restricted_payload_found`	Refs and hashes `object_hash_ref` `sha256:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee` `manifest_sha256` `sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff`	TPSP AOC metadata passed scanner checks and is available as refs, statuses, and hashes only. Refusal metadata `refusal_code` `not_applicable` `safe_message` `TPSP AOC metadata passed scanner checks and is available as refs, statuses, and hashes only.`
Session/request refs `upload_session_ref` `evidence-upload-session://cycle_lab_2026_readiness/monitoring-status/pending` `request_ref` `evidence-request://cycle_lab_2026_readiness/monitoring-status-metadata`	Open linked response workspace Linked response ref `linked_response_ref` `response-group://cycle_lab_2026_readiness/submerchant-a/monitoring-readiness`	Requirement ref `linked_requirement_ref` `requirement-ref://saq-a/record-only/monitoring`	Scan in progress`scanner_pending` Upload policy `display_policy` `display-only-no-browser-upload`	Scan in progress`pending` Scanner ref `scanner_ref` `scanner-ref://cycle_lab_2026_readiness/monitoring-status/pending` `scanner_updated_at` `Lab sample timestamp: 2026-05-07T00:15Z` Reason codes `reason_code` `scanner_verdict_pending`	Refs and hashes `object_hash_ref` `pending` `manifest_sha256` `pending`	Scanner verdict is pending; linked response remains blocked until trusted service metadata passes. Refusal metadata `refusal_code` `not_applicable` `safe_message` `Scanner verdict is pending; linked response remains blocked until trusted service metadata passes.`
Session/request refs `upload_session_ref` `evidence-upload-session://cycle_lab_2026_readiness/network-scan/refused` `request_ref` `evidence-request://cycle_lab_2026_readiness/network-scan-metadata`	Open linked response workspace Linked response ref `linked_response_ref` `response-group://cycle_lab_2026_readiness/submerchant-a/operator-review`	Requirement ref `linked_requirement_ref` `requirement-ref://saq-a/record-only/network-scan`	Rejected — sensitive data detected`scan_refused` Upload policy `display_policy` `display-only-no-browser-upload`	Rejected — sensitive data detected`refused` Scanner ref `scanner_ref` `scanner-ref://cycle_lab_2026_readiness/network-scan/refused` `scanner_updated_at` `Lab sample timestamp: 2026-05-07T00:20Z` Reason codes `reason_code` `pan_or_track_pattern_detected` `reason_code` `metadata_ref_withheld`	Refs and hashes `object_hash_ref` `pending` `manifest_sha256` `pending`	This file looks like it contains card data, so it was rejected. Remove or redact card numbers and re-upload. Technical details `reason_code` `evidence_sensitive_data_detected` Refusal metadata `refusal_code` `restricted_cardholder_data_refused` `safe_message` `Scanner refused the attempted upload because PAN/track-like data was detected; no object ref is exposed.`

Evidence recordsRetrieval server-side only

Evidence records

Evidence rows show status, scanner result, response links, and verification refs. Browser evidence retrieval remains server-side and disabled.

Evidence metadata records
Evidence	Lifecycle	Visibility	Owner/parent refs	Requirement refs	Linked response UX	Session/object refs	Received/expires	Reasons
TPSP AOC metadata package Evidence refs `evidence_ref` `evidence-ref://cycle_lab_2026_readiness/tpsp-aoc-metadata` `evidence_type` `tpsp_aoc`	Accepted`accepted record` Accepted`passed`	Accepted`parent_visible_record_only` Visibility source `source_relation` `inherited_from_parent`	Owner/parent refs `owner_entity_id` `ent_innovate_platform_lab` `parent_entity_id` `ent_innovate_platform_lab`	Requirement refs `requirement_ref_1` `requirement-ref://saq-a/record-only/aoc`	Open linked response `response-group://cycle_lab_2026_readiness/submerchant-a/payment-flow`	Refs and hashes `upload_session_ref` `evidence-upload-session://cycle_lab_2026_readiness/tpsp-aoc/pass` `object_hash_ref` `sha256:eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee` `manifest_sha256` `sha256:ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff`	Lab sample timestamp: 2026-05-07T00:10Z Lab sample expiry: 2027-05-07	Reason codes `reason_code` `none`
Monitoring status metadata Evidence refs `evidence_ref` `evidence-ref://cycle_lab_2026_readiness/monitoring-status-metadata` `evidence_type` `monitoring_status`	Scan in progress`scanner_pending` Scan in progress`pending`	Accepted`tenant_visible` Visibility source `source_relation` `direct`	Owner/parent refs `owner_entity_id` `ent_innovate_test_merchant_a` `parent_entity_id` `ent_innovate_platform_lab`	Requirement refs `requirement_ref_1` `requirement-ref://saq-a/record-only/monitoring`	Open linked response `response-group://cycle_lab_2026_readiness/submerchant-a/monitoring-readiness`	Refs and hashes `upload_session_ref` `evidence-upload-session://cycle_lab_2026_readiness/monitoring-status/pending` `object_hash_ref` `pending` `manifest_sha256` `pending`	not_received pending	Reason codes `reason_code` `scanner_verdict_pending`
Network scan upload refused Evidence refs `evidence_ref` `evidence-ref://cycle_lab_2026_readiness/network-scan-refused-metadata` `evidence_type` `network_scan`	Rejected — sensitive data detected`refused_metadata` Rejected — sensitive data detected`refused`	Rejected — sensitive data detected`hidden_refused` Visibility source `source_relation` `direct`	Owner/parent refs `owner_entity_id` `ent_innovate_test_merchant_a` `parent_entity_id` `ent_innovate_platform_lab`	Requirement refs `requirement_ref_1` `requirement-ref://saq-a/record-only/network-scan`	Open linked response `response-group://cycle_lab_2026_readiness/submerchant-a/operator-review`	Refs and hashes `upload_session_ref` `evidence-upload-session://cycle_lab_2026_readiness/network-scan/refused` `object_hash_ref` `pending` `manifest_sha256` `pending`	not_received pending	Reason codes `reason_code` `restricted_cardholder_data_refused` `reason_code` `metadata_ref_withheld`

TPSP AOC metadataDocument body disabled

TPSP AOC records

AOC rows show validation state and coverage for service review; AOC document contents and signed artifacts are not copied into the app.

TPSP AOC metadata
TPSP	AOC ref	Service scope	Coverage	Assessor ref	Validation
Innovate Platform TPSP TPSP ref `tpsp_ref` `tpsp-ref://innovate/path-1/payment-facilitator`	AOC ref `aoc_ref` `aoc-ref://innovate/path-1/record-only`	Service scope `service_scope_ref` `service-scope-ref://tpsp/path-1/hosted-fields`	Lab sample coverage: 2026 annual AOC	Assessor ref `assessor_firm_ref` `assessor-ref://record-only/qualified-reviewer`	Accepted`current` Document policy `document_render_policy` `record-only-no-document-body`

Parent visibilityMetadata only

Parent evidence visibility

Parent/child visibility stays service-owned; child operators see refs and hashes only.

Needs attentiondegradedVisibility state

parent-child-record-onlyPolicy

ent_innovate_test_merchant_aChild entities

Parent visibility refs

parent_entity_id: ent_innovate_platform_lab
visibility_policy: parent-child-record-only

Reason codes

reason_code: parent_evidence_visibility_requires_operator_review

Evidence library

Trusted tenant context

Server-derived navigation and actions

Step-up reauthentication handoff

Module status

Evidence follow-up needed

Live evidence workspace

Evidence library

Collect and link evidence metadata

Work evidence requests

Create evidence intake record

Upload-session lifecycle

Evidence records

TPSP AOC records

Parent evidence visibility