Server-derived brand

innovate PCI shell

Tenant & modules

Trusted tenant, module enablement, and registry-derived context.

Organization
Innovate Lab Tenant
Entity
ent_innovate_platform_lab
Scope
server-derived registry scope
Role
pci_operator
Stage
lab
Active theme
Pay Theory
Technical details
brand_pointer
partner://innovate/brand/lab/v2026-05-01
asset_pointer
https://assets.innovate.test/pci/
brand_reasons
none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API
/api/session/brand
Boundary
No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source
api_server_derived_from_session_registry_context
Primary role lane
pci_operator from server matrix metadata
Visible actions
8
Suppressed actions
1 action(s) withheld without client-side disabled controls.
Viewer role accepted
false
Signer input accepted
false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

  • Override inherited answer: Reauthenticate. Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
  • Queue audit export: Reauthenticate. Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.
Step-up initiate
/api/session/step-up
Callback boundary
/api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint
sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.
Visible server-allowed actions
Action | Category | Step-up | Reason
Review tenant | tenant | server authorized | role_allows_tenant_review
Review evidence package | evidence | server authorized | role_allows_evidence_review
Create evidence metadata intake | evidence | server authorized | role_allows_evidence_upload_metadata
Answer questionnaire | assessment | server authorized | role_allows_answer
Override inherited answer | assessment | server step-up required | operator_step_up_required
Invite submerchant | onboarding | server authorized | operator_scope_review_required
Save workflow state | workflow | server authorized | role_allows_workflow_metadata_save
Queue audit export | audit | server step-up required | role_allows_operator_audit_export_metadata
  • auth.session_refreshed

Module status

  • Data Collection: enabled / primary. Data Collection is enabled by trusted session context.
  • Monitoring: enabled / integrated. Monitoring is enabled by trusted session context.

Tenant & modules

Server-derived tenant, module, and onboarding setup state for the Data Collection shell.

Accepted
Display name
Innovate Lab Tenant
Entity ref
ent_innovate_platform_lab
Primary API source
/api/tenant/modules-state service-backed trusted view
Technical details
tenant_entity_ref
ent_innovate_platform_lab
registry_version
3
session_stage
lab

Module enablement

Accepted
Accepted

Data Collection is enabled by trusted session context.

Render boundary: Accepted
Technical details
module
data_collection
registry_state
enabled
mode
primary
render_state
available
Accepted

Monitoring is enabled by trusted session context.

Render boundary: Accepted
Technical details
module
monitoring
registry_state
enabled
mode
integrated
render_state
available
Module state from tenant registry
Module | State | Mode | Render | Reason
Data Collection | Accepted | primary | Accepted | Data Collection is enabled by trusted session context.
Module refs
module
data_collection
registry_state
enabled
render_state
available
Monitoring | Accepted | integrated | Accepted | Monitoring is enabled by trusted session context.
Module refs
module
monitoring
registry_state
enabled
render_state
available

Tenant registry state

Tenant module service

In progress

Loading tenant, module, and hierarchy state from /api/tenant/modules-state. The service derives tenant and entity scope from the trusted session and registry, not from browser-provided route, query, cookie, or storage values.

Service boundary
tenant_module_api
/api/tenant/modules-state
request_policy
trusted-session-no-query-no-body-no-viewer-tenant-or-module-authority
boundary
No browser tenant authority, entity authority, module enablement authority, account identifier, endpoint value, physical id, service context input, live-data path, queue send, notification send, or fallback browser storage.
Module state from tenant registry
Module | State | Mode | Boundary
Authorized hierarchy from tenant registry
Entity type | Display ref | Relationship | Data Collection | Monitoring

    Onboarding workflow state

    Onboarding invitation service

    In progress

    Loading invitation review and workflow-task state from /api/onboarding/invitations/status. The service derives invitation, tenant, hierarchy, and workflow scope from the trusted session instead of browser-provided route, query, cookie, or storage values.

    Service boundary
    invitation_api
    /api/onboarding/invitations/status
    request_policy
    trusted-session-no-query-no-body-no-viewer-onboarding-authority
    boundary
    No browser tenant authority, invite target authority, onboarding authority, account identifier, endpoint value, physical id, queue send, notification send, live-data path, or fallback browser storage.
    Current invitation state
    Field | Value

      Operator hierarchy

      Hierarchy is displayed only for server-derived internal operator lanes.

      Accepted
      1 SaaS Partner account(s)
      2 Submerchant account(s)
      2 Operator child relationships

      Authorized hierarchy from tenant registry
      Entity type | Display ref | Module | Children | Refs
      operator | Pay Theory PCI Operator | Accepted | 2 | entity_ref: ent_paytheory_operator_lab; module_state: enabled
      saas_partner | Innovate Platform | Accepted | 2 | entity_ref: ent_innovate_platform_lab; module_state: enabled
      submerchant | Innovate Test Merchant A | Accepted | 0 | entity_ref: ent_innovate_test_merchant_a; module_state: enabled
      submerchant | Innovate Test Merchant B | Needs attention | 0 | entity_ref: ent_innovate_test_merchant_b; module_state: pending

      Invitation and onboarding review

      Invitation authority is rendered from service-shaped refs only. No invite is authorized by browser state.

      Ready for review
      Current invitation review state
      Invitation status | Operator review | Render
      Accepted
      Invitation refs
      invitation_ref
      inv_operator_direct_submerchant_a
      mode
      operator_only
      status
      approved
      parent_entity_ref
      ent_paytheory_operator_lab
      child_entity_ref
      ent_innovate_test_merchant_a
      Accepted | Accepted
      Ready for review
      Invitation refs
      invitation_ref
      inv_partner_submerchant_b
      mode
      partner_invites_operator_approves
      status
      awaiting_operator_review
      parent_entity_ref
      ent_innovate_platform_lab
      child_entity_ref
      ent_innovate_test_merchant_b
      Needs attention | Needs attention

      Onboarding actions

      Invite and approve tenant scope

      server-authorized-onboarding

      Operators can initiate the next invitation metadata record or approve the pending invitation review through the same-origin API. Browser input never supplies tenant, parent entity, child entity, account, or hierarchy authority.

      Initiate API
      /api/onboarding/invitations/initiate
      Review API
      /api/onboarding/invitations/review
      CSRF cookie
      __Host-pt_pci_csrf double-submit session check for unsafe methods.

      Invitation action

      Submits action intent record only. The server derives hierarchy, tenant, workflow task, and audit object refs.

      Last onboarding API result

      Waiting for operator action.

      PCI application shell with reviewed same-origin service-backed metadata GETs and CSRF-bound workflow actions for onboarding, scope, assessment, evidence, AOC, reporting, and acceptance review. Tenant authority remains server-derived. No deploy behavior: this screen does not run deploys, payment traffic, partner-edge changes, external queues, notifications, or sandbox/live operations.