Server-derived brand

innovate PCI shell

Users & roles

Read-only server-derived roles, action visibility, and route implications from the permission matrix.

Organization: Innovate Lab Tenant
Entity: ent_innovate_platform_lab
Scope: server-derived registry scope
Role: pci_operator
Stage: lab
Active theme: Pay Theory

Technical details

brand_pointer: partner://innovate/brand/lab/v2026-05-01
asset_pointer: https://assets.innovate.test/pci/
brand_reasons: none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API: /api/session/brand
Boundary: No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell instead of rendered disabled.

Matrix source: api_server_derived_from_session_registry_context
Primary role lane: pci_operator from server matrix metadata
Visible actions: 8
Suppressed actions: 1 action(s) withheld without client-side disabled controls.
Viewer role accepted: false
Signer input accepted: false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

Override inherited answer Reauthenticate Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
Queue audit export Reauthenticate Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.

Step-up initiate: /api/session/step-up
Callback boundary: /api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint: sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.

Visible server-allowed actions
Action	Category	Step-up	Reason
Review tenant	tenant	server authorized	role_allows_tenant_review
Review evidence package	evidence	server authorized	role_allows_evidence_review
Create evidence metadata intake	evidence	server authorized	role_allows_evidence_upload_metadata
Answer questionnaire	assessment	server authorized	role_allows_answer
Override inherited answer	assessment	server step-up required	operator_step_up_required
Invite submerchant	onboarding	server authorized	operator_scope_review_required
Save workflow state	workflow	server authorized	role_allows_workflow_metadata_save
Queue audit export	audit	server step-up required	role_allows_operator_audit_export_metadata

auth.session_refreshed

Module status

Data Collection enabled / primary Data Collection is enabled by trusted session context.
Monitoring enabled / integrated Monitoring is enabled by trusted session context.

Server authorityRead-only

Server-derived role map

Users & roles renders the server permission matrix already issued for this session. The browser cannot create users, change roles, invite principals, or choose tenant/entity scope.

Accepted

pci_operator

Primary role lane

Accepted

Server roles

Accepted

Entity scope refs

Accepted

Action visibility8 of 9

Visible actions are mounted from server metadata. Hidden actions are summarized by category and never become browser controls.

89%

Roles: pci_operator
Entity scope: ent_innovate_platform_lab
Source path: /api/permissions/matrix

Matrix authority

matrix_source: api_server_derived_from_session_registry_context
primary_role: pci_operator
server_roles: pci_operator
server_entity_scope: ent_innovate_platform_lab
viewer_role_input_accepted: false
viewer_entity_input_accepted: false
browser_authority: none

Who can do whathidden_not_disabled

Visible server actions

This screen lists only actions exposed as visible, allowed, and enabled by the server-derived matrix. It does not create invite, user, role, auditor, QSA, queue, or notification controls in the browser.

Ready for review

Visible actions from the server permission matrix
Action	Category	Status	Browser implication
Review tenant Action refs `action` `tenant.review` `server_authority` `api_session_registry_roles_entity_scope` `reason_codes` `role_allows_tenant_review` `source_refs` `role-ref://pci_operator`	tenant	Accepted	Server-authorized display metadata.
Review evidence package Action refs `action` `evidence.review` `server_authority` `api_session_registry_roles_entity_scope` `reason_codes` `role_allows_evidence_review` `source_refs` `role-ref://pci_operator`	evidence	Accepted	Server-authorized display metadata.
Create evidence metadata intake Action refs `action` `evidence.upload` `server_authority` `api_session_registry_roles_entity_scope` `reason_codes` `role_allows_evidence_upload_metadata` `source_refs` `role-ref://pci_operator`	evidence	Accepted	Server-authorized display metadata.
Answer questionnaire Action refs `action` `questionnaire.answer` `server_authority` `api_session_registry_roles_entity_scope` `reason_codes` `role_allows_answer` `source_refs` `role-ref://pci_operator`	assessment	Accepted	Server-authorized display metadata.
Override inherited answer Action refs `action` `answer.override` `server_authority` `api_session_registry_roles_entity_scope` `reason_codes` `operator_step_up_required` `source_refs` `role-ref://pci_operator`	assessment	Ready for review	Server step-up required before service mutation.
Invite submerchant Action refs `action` `submerchant.invite` `server_authority` `api_session_registry_roles_entity_scope` `reason_codes` `operator_scope_review_required` `source_refs` `role-ref://pci_operator`	onboarding	Accepted	Server-authorized display metadata.
Save workflow state Action refs `action` `workflow.save` `server_authority` `api_session_registry_roles_entity_scope` `reason_codes` `role_allows_workflow_metadata_save` `source_refs` `role-ref://pci_operator`	workflow	Accepted	Server-authorized display metadata.
Queue audit export Action refs `action` `operator.audit_export` `server_authority` `api_session_registry_roles_entity_scope` `reason_codes` `role_allows_operator_audit_export_metadata` `source_refs` `role-ref://pci_operator`	audit	Ready for review	Server step-up required before service mutation.

document action(s) not mounted

Fail-closed — locked

Hidden action summary

hidden_action_count: 1
hidden_categories: document:1
never_allowed_behavior: hidden_not_disabled
cross_scope_actions_emitted: false

Per-screen implicationsDerived

Route visibility projection

Hidden routes are removed from the shell instead of becoming browser-side controls. This table is derived with the same route visibility function used by navigation.

Accepted

Route visibility implications from the server permission matrix
Screen	Canonical path	Phase	Implication
Dashboard Route visibility source `route_id` `dashboard` `canonical_path` `/` `phase` `pinned` `visibility_function` `routeVisibleByPermissionMatrix`	`/`	Dashboard	AcceptedMounted in shell navigation for this matrix.
Tenant & modules Route visibility source `route_id` `tenantModules` `canonical_path` `/tenant-modules` `phase` `Set up` `visibility_function` `routeVisibleByPermissionMatrix`	`/tenant-modules`	Set up	AcceptedMounted in shell navigation for this matrix.
Compliance Route visibility source `route_id` `complianceCycles` `canonical_path` `/compliance` `phase` `Assess` `visibility_function` `routeVisibleByPermissionMatrix`	`/compliance`	Assess	AcceptedMounted in shell navigation for this matrix.
Assessment workspace Route visibility source `route_id` `assessmentWorkspace` `canonical_path` `/assessment-workspace` `phase` `Assess` `visibility_function` `routeVisibleByPermissionMatrix`	`/assessment-workspace`	Assess	AcceptedMounted in shell navigation for this matrix.
Review & remediation Route visibility source `route_id` `reviewRemediation` `canonical_path` `/review/remediation` `phase` `Review` `visibility_function` `routeVisibleByPermissionMatrix`	`/review/remediation`	Review	AcceptedMounted in shell navigation for this matrix.
Reports & exports Route visibility source `route_id` `reportsExports` `canonical_path` `/reports/exports` `phase` `Deliver` `visibility_function` `routeVisibleByPermissionMatrix`	`/reports/exports`	Deliver	AcceptedMounted in shell navigation for this matrix.
Evidence library Route visibility source `route_id` `evidenceLibrary` `canonical_path` `/evidence-library` `phase` `Assess` `visibility_function` `routeVisibleByPermissionMatrix`	`/evidence-library`	Assess	AcceptedMounted in shell navigation for this matrix.
AOC review & export Route visibility source `route_id` `aocReview` `canonical_path` `/documents/aoc-review` `phase` `Deliver` `visibility_function` `routeVisibleByPermissionMatrix`	`/documents/aoc-review`	Deliver	AcceptedMounted in shell navigation for this matrix.
Audit timeline Route visibility source `route_id` `auditTimeline` `canonical_path` `/audit/timeline` `phase` `Admin` `visibility_function` `routeVisibleByPermissionMatrix`	`/audit/timeline`	Admin	AcceptedMounted in shell navigation for this matrix.
Corpus versions Route visibility source `route_id` `corpusVersions` `canonical_path` `/corpus/versions` `phase` `Admin` `visibility_function` `routeVisibleByPermissionMatrix`	`/corpus/versions`	Admin	AcceptedMounted in shell navigation for this matrix.
Users & roles Route visibility source `route_id` `usersRoles` `canonical_path` `/users-roles` `phase` `Admin` `visibility_function` `routeVisibleByPermissionMatrix`	`/users-roles`	Admin	AcceptedMounted in shell navigation for this matrix.
Brand & theme Route visibility source `route_id` `brandTheme` `canonical_path` `/brand-theme` `phase` `Admin` `visibility_function` `routeVisibleByPermissionMatrix`	`/brand-theme`	Admin	AcceptedMounted in shell navigation for this matrix.
Workflow tasks Route visibility source `route_id` `workflowTasks` `canonical_path` `/workflow/tasks` `phase` `Set up` `visibility_function` `routeVisibleByPermissionMatrix`	`/workflow/tasks`	Set up	AcceptedMounted in shell navigation for this matrix.
Monitoring readiness Route visibility source `route_id` `monitoring` `canonical_path` `/monitoring-readiness` `phase` `Review` `visibility_function` `routeVisibleByPermissionMatrix`	`/monitoring-readiness`	Review	AcceptedMounted in shell navigation for this matrix.
Acceptance flow Route visibility source `route_id` `acceptanceFlow` `canonical_path` `/acceptance-flow` `phase` `Admin` `visibility_function` `routeVisibleByPermissionMatrix`	`/acceptance-flow`	Admin	AcceptedMounted in shell navigation for this matrix.

Read-mostly postureNo browser authority

Admin authority boundaries

No user creation, role editing, principal invitation, auditor/QSA enablement, queue send, notification send, or tenant/entity selection is mounted in this browser screen.

Fail-closed — locked

Accepted Server-derived session, roles, and entity scope only.
Fail-closed — locked Browser-created principals, role changes, invite creation, and user provisioning are not mounted.
Fail-closed — locked Invite authority remains server/operator-owned; visible invite metadata does not create a browser invite action.
Accepted Same-origin /api/permissions/matrix read policy; no request body, query authority, or browser storage fallback.

Boundary refs

request_policy: trusted-session-no-query-no-body-no-viewer-role-entity-signer-authority
browser_authority: none
tenant_authority: trusted-api-session-service sample
shell_route: usersRoles