Server-derived brand

innovate PCI shell

Monitoring readiness

Monitoring readiness metadata inside the shared PCI shell.

Organization: Innovate Lab Tenant
Entity: ent_innovate_platform_lab
Scope: server-derived registry scope
Role: pci_operator
Stage: lab
Active theme: Pay Theory

Technical details

brand_pointer: partner://innovate/brand/lab/v2026-05-01
asset_pointer: https://assets.innovate.test/pci/
brand_reasons: none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API: /api/session/brand
Boundary: No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source: api_server_derived_from_session_registry_context
Primary role lane: pci_operator from server matrix metadata
Visible actions: 8
Suppressed actions: 1 action(s) withheld without client-side disabled controls.
Viewer role accepted: false
Signer input accepted: false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

Override inherited answer Reauthenticate Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
Queue audit export Reauthenticate Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.

Step-up initiate: /api/session/step-up
Callback boundary: /api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint: sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.

Visible server-allowed actions
Action	Category	Step-up	Reason
Review tenant	tenant	server authorized	role_allows_tenant_review
Review evidence package	evidence	server authorized	role_allows_evidence_review
Create evidence metadata intake	evidence	server authorized	role_allows_evidence_upload_metadata
Answer questionnaire	assessment	server authorized	role_allows_answer
Override inherited answer	assessment	server step-up required	operator_step_up_required
Invite submerchant	onboarding	server authorized	operator_scope_review_required
Save workflow state	workflow	server authorized	role_allows_workflow_metadata_save
Queue audit export	audit	server step-up required	role_allows_operator_audit_export_metadata

auth.session_refreshed

Module status

Data Collection enabled / primary Data Collection is enabled by trusted session context.
Monitoring enabled / integrated Monitoring is enabled by trusted session context.

Monitoring readinessRead-only route

Monitoring readiness

Monitoring readiness is visible in the shared PCI shell while the production Monitoring runtime remains outside this Data Collection slice.

Acceptedready

Module state: enabled Acceptedenabled
Mode: integrated Acceptedintegrated
Readiness render: ready Acceptedready
Production Monitoring dependency: Readiness state only; no production Monitoring runtime is required for this screen.

No additional Monitoring reason codes are open.

Monitoring refs

status_feed_ref: service-ref://monitoring-status-feed.valid-ready
evidence_manifest_ref: evidence-package://mep_innovate_lab_2026_04/manifest
render_state: available
readiness_state: ready
module_state: enabled
mode: integrated
route_enabled: true

Monitoring reason codes

reason_code_1: none

Monitoring dependency workbenchIntegrated readiness

Work monitoring readiness

Track the Monitoring dependency as part of the Data Collection cycle and jump directly to the assessment, evidence, or compliance workspace that owns the next product action.

Acceptedready

This page does not start scans, beacons, CSP changes, status-feed writes, or evidence ingestion.

Read-only Monitoring readiness dependencies
Dependency	State	Next workspace
Monitoring readiness evidence Dependency refs `evidence_manifest_ref` `evidence-package://mep_innovate_lab_2026_04/manifest` `source_state` `ready` `workspace_href` `/evidence-library`	Acceptedready	Open evidence library
SAQ monitoring control Dependency refs `requirement_ref` `requirement-ref://saq-a/record-only/monitoring` `source_state` `integrated` `workspace_href` `/assessment-workspace`	Acceptedintegrated	Open assessment workspace
Compliance cycle dependency Dependency refs `status_feed_ref` `service-ref://monitoring-status-feed.valid-ready` `source_state` `enabled` `workspace_href` `/compliance`	Acceptedenabled	Open compliance workflow

Monitoring readiness workspace

Monitoring readiness service

read-only

Loading monitoring readiness from /api/monitoring/readiness. This screen shows server-owned readiness metadata for PCI DSS monitoring dependencies without enabling browser scans, beacons, CSP changes, or evidence ingestion.

Monitoring API: /api/monitoring/readiness
Request policy: trusted-session-no-query-no-body-no-viewer-authority-no-browser-monitoring-mutation
Boundary: No browser monitoring authority, CSP mutation, scanner traffic, beacon traffic, status-feed write, evidence content, endpoint value, account identifier, physical id, live-data path, or fallback browser storage.

Server-owned readiness controls
Control	Ready

Cycle workspace

Cycle working slice

Scope, corpus, inheritance, and evidence-required metadata refs only; no evidence contents render.

Ready for reviewoperator_review

Inherited answers

Stale inherited answer(s)

Override(s)

Child re-attestation required

Cycle status: Ready for reviewoperator_review
Corpus package status: In progresscurrent
Badges: AcceptedinheritedBlocked — action neededstaleCorrection requiredoverrideNeeds attentionevidence_required

Cycle refs

cycle_ref: cycle_lab_2026_readiness
corpus_package_ref: corpus-package://pci/saq-a/v2026-05-01

Evidence-required metadata
Status and refs	Requirement summary
Missingrequired Evidence refs `evidence_ref` `evidence-required://cycle_lab_2026_readiness/aoc-ref` `requirement_ref` `requirement-ref://saq-a/record-only/aoc`	aoc
Acceptedreceived_recorded Evidence refs `evidence_ref` `evidence-required://cycle_lab_2026_readiness/monitoring-status` `requirement_ref` `requirement-ref://saq-a/record-only/monitoring`	monitoring