Server-derived brand

innovate PCI shell

Reports & exports

Report manifests, export package state, retention anchors, and server-owned report/export actions.

Organization: Innovate Lab Tenant
Entity: ent_innovate_platform_lab
Scope: server-derived registry scope
Role: pci_operator
Stage: lab
Active theme: Pay Theory

Technical details

brand_pointer: partner://innovate/brand/lab/v2026-05-01
asset_pointer: https://assets.innovate.test/pci/
brand_reasons: none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API: /api/session/brand
Boundary: No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source: api_server_derived_from_session_registry_context
Primary role lane: pci_operator from server matrix metadata
Visible actions: 8
Suppressed actions: 1 action(s) withheld without client-side disabled controls.
Viewer role accepted: false
Signer input accepted: false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

Override inherited answer Reauthenticate Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
Queue audit export Reauthenticate Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.

Step-up initiate: /api/session/step-up
Callback boundary: /api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint: sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.

Visible server-allowed actions
Action	Category	Step-up	Reason
Review tenant	tenant	server authorized	role_allows_tenant_review
Review evidence package	evidence	server authorized	role_allows_evidence_review
Create evidence metadata intake	evidence	server authorized	role_allows_evidence_upload_metadata
Answer questionnaire	assessment	server authorized	role_allows_answer
Override inherited answer	assessment	server step-up required	operator_step_up_required
Invite submerchant	onboarding	server authorized	operator_scope_review_required
Save workflow state	workflow	server authorized	role_allows_workflow_metadata_save
Queue audit export	audit	server step-up required	role_allows_operator_audit_export_metadata

auth.session_refreshed

Module status

Data Collection enabled / primary Data Collection is enabled by trusted session context.
Monitoring enabled / integrated Monitoring is enabled by trusted session context.

Reports & exportsServer-owned output

Report and export package workspace

Review report manifests, export package state, retention anchors, and CSRF-bound action seams without moving output authority into the browser.

Ready for review

Report manifests

Ready reports

1/2

Ready exports

Outputs needing service review

25%

No browser tenant, cycle, report, export, download, signed URL, queue, notification, endpoint, account, physical id, secret, PAN, PII, evidence, document, standards-text, or live-data authority.

Workspace policy

breadth_ref: compliance-breadth://cycle_lab_2026_readiness/submerchant-a/m9-reporting
api_shape_ref: service-shape://api/compliance-service/breadth-reporting/m9.9
authority: compliance-service
display_policy: record-only-no-standards-text
export_policy: server-owned-export-only
browser_export_state: not_allowed
render_state: degraded

Compliance reporting service

Service-backed compliance reporting workspace

read-only-load

Loading SSF, customized approach, compensating control, ASV, TPSP, corpus rebase, and internal-record metadata from same-origin APIs. This is the working reporting state; supporting reporting tables below are secondary.

Read APIs

/api/compliance/ssf/status
/api/compliance/customized-approach
/api/compliance/compensating-controls
/api/compliance/asv/summary
/api/compliance/tpsp/records
/api/corpus/rebase-warnings
/api/compliance/internal-records

Action APIs

/api/audit/export-requests and /api/reports/operator are mounted below as CSRF-bound record-only actions.

Request policy

trusted-session-no-query-no-body-no-viewer-authority-reporting-workspace

Boundary

No browser tenant, entity, cycle, report, export, standards-text, evidence, document, endpoint, download, signed URL, queue, notification, or live-data authority; no request bodies on read paths and no browser storage fallback.

Current service-backed compliance reporting state
Area	State	Service seam

SSF applicability from compliance service
SSF ref	Gate	Restricted text	Reason codes

Customized approach metadata from compliance service
Approach	State	Objective	Evidence bundle

Compensating controls from compliance service
Control	State	Requirement	Evidence requests

ASV metadata from compliance service
Scan	Status	Window	Remediation findings

TPSP records from compliance service
Record	Coverage	Validity	AOC metadata

Corpus rebase warnings from compliance service
Warning	State	Fail closed	Affected refs

Internal compliance records from compliance service
Record	State	Retention anchor	Browser visible

Report manifests2 service records

Report manifests

Report rows expose manifest state and source counts only. Report bodies and restricted standards text stay server-side.

Report manifestOperator Status

Operator Status

Ready for review

Service review is needed before regeneration.

Sources: 3 service refs
Manifest: SHA-256 recorded by service
Generated: Lab sample timestamp: 2026-05-07T01:10Z

Ready for review

Report manifest details

report_ref: compliance-report://cycle_lab_2026_readiness/operator-status
report_type: operator_status
state: stale
manifest_sha256: sha256:bcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbc
display_policy: record-only-no-standards-text
generated_at: Lab sample timestamp: 2026-05-07T01:10Z
source_ref_1: assessment-workspace://cycle_lab_2026_readiness/submerchant-a
source_ref_2: evidence-library://cycle_lab_2026_readiness/submerchant-a
source_ref_3: audit-timeline://cycle_lab_2026_readiness/compliance

Report reason codes

reason_code_1: corpus_rebase_preview_required

Report manifestSsf Readiness

Ssf Readiness

Blocked — action needed

Blocked until the service clears the guardrail.

Sources: 2 service refs
Manifest: SHA-256 recorded by service
Generated: Awaiting server generation

Blocked — action needed

Report manifest details

report_ref: compliance-report://cycle_lab_2026_readiness/ssf-readiness
report_type: ssf_readiness
state: blocked
manifest_sha256: sha256:bcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbcbc
display_policy: record-only-no-standards-text
generated_at: not_generated
source_ref_1: ssf-scope://innovate/lab/platform-core/module-core
source_ref_2: corpus-package://pci/ssf/v2026-05-01

Report reason codes

reason_code_1: ssf_guidance_text_blocked_until_extractor_validated

Export packages2 service records

Export package state and retention anchors

Export cards show package readiness and retention-anchor presence only. The browser cannot generate, sign, send, download, authorize, or store export packages.

Export packageReport Bundle

Report Bundle

Blocked — action needed

Package generation is blocked by service guardrails.

Package: Package hash pending Blocked — action needed
Retention: Retention anchor pending Blocked — action needed
Generated: Awaiting server generation

Export package details

export_ref: report-export://cycle_lab_2026_readiness/operator-status/bundle
export_type: report_bundle
state: blocked
manifest_sha256: sha256:dededededededededededededededededededededededededededededededede
package_sha256: pending
retention_anchor_ref: pending
export_policy: server-owned-export-only
generated_at: not_generated

Export reason codes

reason_code_1: report_stale_until_rebase_reviewed

Export packageEvidence Index

Evidence Index

Accepted

Server package metadata is ready.

Package: Package hash recorded Accepted
Retention: Retention anchor recorded Accepted
Generated: Lab sample timestamp: 2026-05-07T01:15Z

Export package details

export_ref: report-export://cycle_lab_2026_readiness/evidence-index/current
export_type: evidence_index
state: ready
manifest_sha256: sha256:fafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafa
package_sha256: sha256:fafafafafafafafafafafafafafafafafafafafafafafafafafafafafafafa
retention_anchor_ref: anchor-manifest://cycle_lab_2026_readiness/evidence-index
export_policy: server-owned-export-only
generated_at: Lab sample timestamp: 2026-05-07T01:15Z

Export reason codes

reason_code_1: server_export_package_ready

Reporting actionsExisting CSRF seam

Server-owned reporting action controls

server-owned-reporting

Operators can queue record-only audit exports and operator reports through the same-origin API. The browser never receives document bodies, standards text, evidence contents, download URLs, signed URLs, tenant authority, cycle authority, or live compliance data.

Audit export API: /api/audit/export-requests
Operator report API: /api/reports/operator
CSRF cookie: __Host-pt_pci_csrf double-submit session check for unsafe methods.

Last reporting API result

Waiting for operator action.

Reporting workspace reason codes

reason_code_1: corpus_rebase_preview_required
reason_code_2: asv_scan_window_missing_metadata
reason_code_3: new_tpsp_requires_aoc_metadata
reason_code_4: ssf_guidance_text_blocked_until_extractor_validated
reason_code_5: report_stale_until_rebase_reviewed
reason_code_6: report_stale
reason_code_7: report_blocked
reason_code_8: export_blocked

Trusted tenant context

Server-derived navigation and actions

Step-up reauthentication handoff

Module status

Report and export package workspace

Service-backed compliance reporting workspace

Report manifests

Operator Status

Ssf Readiness

Export package state and retention anchors

Report Bundle

Evidence Index

Server-owned reporting action controls

Reporting queue action