Server-derived brand

innovate PCI shell

Review & remediation

Reviewer findings, remediation plan steps, and server-owned review actions.

Organization: Innovate Lab Tenant
Entity: ent_innovate_platform_lab
Scope: server-derived registry scope
Role: pci_operator
Stage: lab
Active theme: Pay Theory

Technical details
brand_pointer: partner://innovate/brand/lab/v2026-05-01
asset_pointer: https://assets.innovate.test/pci/
brand_reasons: none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API: /api/session/brand
Boundary: No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source: api_server_derived_from_session_registry_context
Primary role lane: pci_operator from server matrix metadata
Visible actions: 8
Suppressed actions: 1 action(s) withheld without client-side disabled controls.
Viewer role accepted: false
Signer input accepted: false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

  • Override inherited answer (Reauthenticate): only sensitive_action=answer.override is sent as a non-authoritative retry hint.
  • Queue audit export (Reauthenticate): only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.

Step-up initiate: /api/session/step-up
Callback boundary: /api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint: sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.
Visible server-allowed actions

Action | Category | Step-up | Reason
Review tenant | tenant | server authorized | role_allows_tenant_review
Review evidence package | evidence | server authorized | role_allows_evidence_review
Create evidence metadata intake | evidence | server authorized | role_allows_evidence_upload_metadata
Answer questionnaire | assessment | server authorized | role_allows_answer
Override inherited answer | assessment | step-up required | operator_step_up_required
Invite submerchant | onboarding | server authorized | operator_scope_review_required
Save workflow state | workflow | server authorized | role_allows_workflow_metadata_save
Queue audit export | audit | step-up required | role_allows_operator_audit_export_metadata
  • auth.session_refreshed
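The two rules this section states, hidden-not-disabled projection of the server matrix and a step-up hint that carries no authority, as an added BFF-side illustration (not the shell's or Pay Theory's code). Action keys other than answer.override and operator.audit_export, the roles, and the one never-allowed row are constructed for the example.

```python
# Added example: server-side projection of a role permission matrix in
# "hidden-not-disabled" form, plus validation of the browser's step-up hint.
from typing import Any

# Constructed matrix rows: (action key, category, allowed roles, step-up roles, reason).
# Reasons and categories follow the page's action table; keys and roles are assumed.
MATRIX = [
    ("tenant.review", "tenant", {"pci_operator"}, set(), "role_allows_tenant_review"),
    ("evidence.review", "evidence", {"pci_operator"}, set(), "role_allows_evidence_review"),
    ("evidence.metadata_intake", "evidence", {"pci_operator"}, set(), "role_allows_evidence_upload_metadata"),
    ("answer.submit", "assessment", {"pci_operator"}, set(), "role_allows_answer"),
    ("answer.override", "assessment", {"pci_operator"}, {"pci_operator"}, "operator_step_up_required"),
    ("submerchant.invite", "onboarding", {"pci_operator"}, set(), "operator_scope_review_required"),
    ("workflow.save", "workflow", {"pci_operator"}, set(), "role_allows_workflow_metadata_save"),
    ("operator.audit_export", "audit", {"pci_operator"}, {"pci_operator"}, "role_allows_operator_audit_export_metadata"),
    ("tenant.delete", "tenant", {"pci_admin"}, {"pci_admin"}, "admin_only"),  # constructed: never allowed for pci_operator
]

# Keys the browser must never be allowed to assert; the trusted session is the only source.
BROWSER_AUTHORITY_KEYS = {"tenant", "role", "principal", "subject", "mfa", "freshness", "permissions"}


def project_actions(session_role: str) -> dict[str, Any]:
    """Project the matrix for the role taken from the trusted session.

    Never-allowed actions are omitted entirely (no disabled control is emitted),
    so the response carries only a count of what was withheld."""
    visible, suppressed = [], 0
    for action, category, allowed, step_up, reason in MATRIX:
        if session_role not in allowed:
            suppressed += 1
            continue
        visible.append({"action": action, "category": category,
                        "step_up": session_role in step_up, "reason": reason})
    return {"visible": visible, "suppressed": suppressed}


def validate_step_up_hint(session_role: str, body: dict[str, Any]) -> tuple[bool, str]:
    """Check the browser's non-authoritative hint before starting step-up.

    Any attempt to carry authority (tenant, role, MFA state, ...) is rejected
    outright; the action itself is re-checked against the server matrix."""
    if BROWSER_AUTHORITY_KEYS & set(body):
        return False, "browser_authority_rejected"
    hint = body.get("sensitive_action")
    projected = {row["action"]: row for row in project_actions(session_role)["visible"]}
    if hint not in projected:
        return False, "action_not_allowed"      # suppressed or unknown action
    if not projected[hint]["step_up"]:
        return False, "step_up_not_required"
    return True, "step_up_initiated"
```

With the constructed matrix, the projection for pci_operator yields the page's 8 visible and 1 suppressed actions, with exactly the two step-up actions marked.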

Module status

  • Data Collection enabled / primary Data Collection is enabled by trusted session context.
  • Monitoring enabled / integrated Monitoring is enabled by trusted session context.

Review findings and remediation workbench

Work reviewer findings and remediation steps from server-owned review APIs. The browser renders finding and plan metadata, but cannot choose tenant, finding, remediation, workflow task, evidence, or document authority.

Blocked — action needed
1

Findings

In progress
1

Open findings

Needs attention
1

Blockers

Blocked — action needed
blocked

Assessment readiness

Blocked — action needed
Reviewer findings and remediation plans
Finding guidance | Severity | State | Remediation plan | Action
Review cannot complete until the trusted evidence metadata ref is present.
Finding refs and controls
finding_ref: review-finding://cycle_lab_2026_readiness/monitoring-metadata-gap
requirement_ref: requirement-ref://saq-a/record-only/monitoring
evidence_ref: evidence-ref://cycle_lab_2026_readiness/monitoring-status-metadata
finding_status: unresolved_blocker
finding_severity: medium
Needs attention | medium | Blocked — action needed | unresolved blocker | In progress | planned

pci_operator · Lab sample due date: 2026-05-15

Remediation refs
remediation_ref: remediation-plan://cycle_lab_2026_readiness/monitoring-metadata-gap
plan_status: planned
owner_role: pci_operator
due_label: Lab sample due date: 2026-05-15
evidence_ref: evidence-ref://cycle_lab_2026_readiness/monitoring-status-metadata
Open remediation actions

Service-backed review findings and remediation

Loading review findings and remediation plan from same-origin APIs.

In progress
Review service seams
read_api_findings: /api/review/findings
read_api_remediation: /api/remediation/plan
finding_action_api: /api/review/findings/acknowledge
remediation_action_api: /api/remediation/plan/actions
request_policy: trusted-session-no-query-no-body-no-viewer-finding-or-remediation-authority
boundary: No browser tenant, entity, cycle, finding, remediation, workflow task, evidence, document, endpoint, account, physical id, restricted text, queue, notification, or live-data authority; no request bodies on read paths and no browser storage fallback.

Current findings from review service
Finding guidance | Severity | State | Task refs | Action

Current remediation plan from workflow service
Step | Status | Guidance | Action

Resolve findings and move remediation

Ready for review

Operators can acknowledge the current review finding and queue the next remediation step through the same-origin API. The client submits action intent only; finding, plan, task, evidence, tenant, and cycle refs are server-derived.

Review action refs
finding_action_api: /api/review/findings/acknowledge
remediation_action_api: /api/remediation/plan/actions
csrf_cookie: __Host-pt_pci_csrf

Finding / remediation action

No restricted content, evidence files, client-selected finding ref, remediation plan ref, workflow task ref, or document payload is accepted from this form.

Last review API result

Waiting for operator action.

PCI application shell with reviewed same-origin service-backed metadata GETs and CSRF-bound workflow actions for onboarding, scope, assessment, evidence, AOC, reporting, and acceptance review. Tenant authority remains server-derived. No deploy behavior: this screen does not run deploys, payment traffic, partner-edge changes, external queues, notifications, or sandbox/live operations.