
Server-derived brand

innovate PCI shell

Workflow tasks

Tenant-scoped workflow task board from same-origin workflow APIs.

Organization
Innovate Lab Tenant
Entity
ent_innovate_platform_lab
Scope
server-derived registry scope
Role
pci_operator
Stage
lab
Active theme
Pay Theory
Technical details
brand_pointer
partner://innovate/brand/lab/v2026-05-01
asset_pointer
https://assets.innovate.test/pci/
brand_reasons
none

Partner brand service

Loading partner-owned brand manifest from /api/session/brand.

Brand API
/api/session/brand
Boundary
No browser tenant authority, brand override authority, theme mutation, asset upload, endpoint value, account identifier, physical id, secret, live-data path, or fallback browser storage.

Trusted tenant context

Tenant authority: trusted API session

Tenant: pci_tnt_innovate_lab; partner: innovate; stage: lab; registry version: 3.

No viewer authority inputs were used.

PRD-384 permission matrix

Server-derived navigation and actions

hidden-not-disabled

Role-specific navigation and actions are projected from /api/permissions/matrix. The browser cannot supply tenant, entity, role, signer, or forwarded-header authority; never-allowed actions are omitted from the shell rather than rendered as disabled controls.

Matrix source
api_server_derived_from_session_registry_context
Primary role lane
pci_operator from server matrix metadata
Visible actions
8
Suppressed actions
1 action(s) withheld without client-side disabled controls.
Viewer role accepted
false
Signer input accepted
false

Step-up reauthentication handoff

When the server-derived permission matrix marks an action as requiring step-up, this shell sends the operator to the same-origin PCI API/BFF step-up route. The browser never constructs Autheory authorize URLs and never supplies tenant, role, principal, subject, MFA, freshness, or permission authority.

  • Override inherited answer: Reauthenticate. Only sensitive_action=answer.override is sent as a non-authoritative retry hint.
  • Queue audit export: Reauthenticate. Only sensitive_action=operator.audit_export is sent as a non-authoritative retry hint.
Step-up initiate
/api/session/step-up
Callback boundary
/api/session/callback is API/BFF-owned after provider reauthentication.
Allowed browser hint
sensitive_action / action only; the API must re-check session, CSRF policy for unsafe service retries, tenant registry, permissions, and freshness.
Visible server-allowed actions
Action | Category | Step-up | Reason
Review tenant | tenant | server authorized | role_allows_tenant_review
Review evidence package | evidence | server authorized | role_allows_evidence_review
Create evidence metadata intake | evidence | server authorized | role_allows_evidence_upload_metadata
Answer questionnaire | assessment | server authorized | role_allows_answer
Override inherited answer | assessment | server step-up required | operator_step_up_required
Invite submerchant | onboarding | server authorized | operator_scope_review_required
Save workflow state | workflow | server authorized | role_allows_workflow_metadata_save
Queue audit export | audit | server step-up required | role_allows_operator_audit_export_metadata
  • auth.session_refreshed

Module status

  • Data Collection: enabled / primary. Data Collection is enabled by trusted session context.
  • Monitoring: enabled / integrated. Monitoring is enabled by trusted session context.

Workflow operations workspace

Route work across scope, assessment, evidence, AOC, reports, corpus, Monitoring, and acceptance without creating browser authority over tenants, tasks, queues, notifications, or live data. No browser tenant, task, actor, queue, or notification authority is introduced.

Workflow lanes: 8 (Ready for review / Accepted)
Open lanes: 4 (In progress)
Blocked lanes: 2 (Blocked — action needed)
Ready / waiting: 1/0 (Accepted)

Scope and cycle ownership

In progress (owner: Compliance operator)

Confirm Data Collection cycle owner and SAQ scope before downstream review.

Lane details
lane_ref
workflow-lane://scope-cycle
source
data_collection
workspace_route
complianceCycles
workspace_path
/compliance
source_state
open

Assessment answer review

Blocked — action needed (owner: Reviewer)

1 finding row(s) still need assessment or remediation review.

Lane details
lane_ref
workflow-lane://assessment-review
source
assessment
workspace_route
assessmentWorkspace
workspace_path
/assessment-workspace
source_state
blocked

Evidence intake

In progress (owner: Evidence operator)

3 evidence record row(s) remain server-owned intake work.

Lane details
lane_ref
workflow-lane://evidence-intake
source
evidence
workspace_route
evidenceLibrary
workspace_path
/evidence-library
source_state
open

AOC package corrections

In progress (owner: Document reviewer)

AOC package, corrections, and export readiness stay document-service owned.

Lane details
lane_ref
workflow-lane://aoc-package
source
documents
workspace_route
aocReview
workspace_path
/documents/aoc-review
source_state
open

Report and export readiness

Blocked — action needed (owner: Reporting operator)

1 export package row(s) require server-side readiness before release.

Lane details
lane_ref
workflow-lane://report-exports
source
reporting
workspace_route
reportsExports
workspace_path
/reports/exports
source_state
blocked

Corpus package review

In progress (owner: Corpus reviewer)

1 corpus rebase warning row(s) affect reports or exports.

Lane details
lane_ref
workflow-lane://corpus-package
source
corpus
workspace_route
corpusVersions
workspace_path
/corpus/versions
source_state
open

Monitoring dependency

Accepted (owner: Monitoring reviewer)

Monitoring status remains a dependency for evidence and acceptance lanes.

Lane details
lane_ref
workflow-lane://monitoring-readiness
source
monitoring
workspace_route
monitoring
workspace_path
/monitoring-readiness
source_state
ready

Final acceptance

In progress (owner: Acceptance reviewer)

Role handoffs and final review stay server-owned workflow decisions.

Lane details
lane_ref
workflow-lane://final-acceptance
source
acceptance
workspace_route
acceptanceFlow
workspace_path
/acceptance-flow
source_state
in_progress
Technical details
mutation_path
/api/workflow/tasks
operations_state_path
/api/workflow/operations-state
permission_source
/api/permissions/matrix
browser_authority
none

Workflow operations service

Not started

Loading owner lane state from /api/workflow/operations-state. The service derives workflow, tenant, owner, and route state from the trusted session and workflow repository.

Technical details
operations_api
/api/workflow/operations-state
mutation_path
/api/workflow/tasks
read_policy
same_origin_no_store_get
browser_queue_authority
none
Workflow owner lanes from service
Columns: Lane, State, Owner, Reason, Workspace

    Workflow task queue

    Ready for review

    Loading task state from /api/workflow/tasks. This board uses the same scoped workflow store as the Command Center so task updates are visible across routes.

    No browser tenant authority, external queue send, notification send, evidence payload, document payload, endpoint value, live-data path, or fallback browser storage.

    Technical details
    task_api
    /api/workflow/tasks
    csrf_cookie
    __Host-pt_pci_csrf
    write_boundary
    csrf_bound_same_origin_only
    browser_queue_authority
    none
    Current workflow tasks
    Columns: Task, State, Owner, Due, Action

    Update task state

    Submits a task-state update. The server derives workflow, tenant, actor, activity, and summary state from the trusted session.

        Invitation and onboarding review

        Invitation authority is rendered from service-shaped refs only. No invite is authorized by browser state.

        Ready for review
        Current invitation review state

        Invitation 1
        Invitation status: Accepted (approved)
        Mode: operator_only
        Operator review: Accepted (approved)
        Render: Accepted (available)
        Invitation refs
        invitation_ref
        inv_operator_direct_submerchant_a
        mode
        operator_only
        parent_entity_ref
        ent_paytheory_operator_lab
        child_entity_ref
        ent_innovate_test_merchant_a

        Invitation 2
        Invitation status: Ready for review (awaiting_operator_review)
        Mode: partner_invites_operator_approves
        Operator review: Needs attention (pending)
        Render: Needs attention (degraded)
        Invitation refs
        invitation_ref
        inv_partner_submerchant_b
        mode
        partner_invites_operator_approves
        parent_entity_ref
        ent_innovate_platform_lab
        child_entity_ref
        ent_innovate_test_merchant_b

        Onboarding actions

        Invite and approve tenant scope

        server-authorized-onboarding

        Operators can initiate the next invitation metadata record or approve the pending invitation review through the same-origin API. Browser input never supplies tenant, parent entity, child entity, account, or hierarchy authority.

        Initiate API
        /api/onboarding/invitations/initiate
        Review API
        /api/onboarding/invitations/review
        CSRF cookie
        __Host-pt_pci_csrf double-submit session check for unsafe methods.

        Invitation action

        Submits action intent record only. The server derives hierarchy, tenant, workflow task, and audit object refs.

        Last onboarding API result

        Waiting for operator action.

        Eligibility wizard

        Eligibility, recommendation, and provisional SAQ assignment remain derived from trusted service state.

        Ready for review (needs_review)
        1. Business profile: Accepted (complete)
          Step refs
          step_ref
          business_profile
          step_state
          complete
        2. Payment flow: Accepted (complete)
          Step refs
          step_ref
          payment_flow
          step_state
          complete
        3. Monitoring readiness: In progress (current)
          Step refs
          step_ref
          monitoring_readiness
          step_state
          current
        4. Operator review: Blocked — action needed (blocked)
          Step refs
          step_ref
          operator_review
          step_state
          blocked

        Recommended package

        Ready for review (needs_review)
        Package
        SAQ_A
        Rationale
        Path 1 inherited Monitoring readiness is provisional until operator review confirms the child scope.
        Recommendation refs
        run_ref
        eligibility-run://innovate/lab/run-2026-05-06
        entity_ref
        ent_innovate_test_merchant_a
        driver_question_ref
        eligibility-question://payment-flow/tpsp-iframe
        driver_question_ref
        eligibility-question://monitoring/path-1-inheritance

        SAQ assignment

        Ready for review (provisional)
        Assignment state
        Ready for review (provisional)
        Operator review
        Needs attention (pending)
        Override reason
        not_applicable
        Assignment refs
        assignment_ref
        saq-assignment://innovate/lab/submerchant-a/provisional
        override_reason_ref
        not_applicable

        Eligibility actions

        Run SAQ scope and assignment

        server-derived-scope

        Operators can run the eligibility wizard, create a provisional assignment, and record operator review. The server derives corpus package, tenant, entity, cycle, workflow task, and audit refs.

        Wizard API
        /api/eligibility/wizard/run
        Assignment API
        /api/eligibility/provisional-assignment
        Review API
        /api/eligibility/operator-review
        CSRF cookie
        __Host-pt_pci_csrf double-submit session check for unsafe methods.

        Scope action

        Submits operator intent record only. No questionnaire answers, evidence bodies, document exports, tenant IDs, entity IDs, endpoint URLs, or payment traffic are accepted from the browser.

        Last eligibility API result

        Waiting for operator action.

        PCI application shell with reviewed same-origin service-backed metadata GETs and CSRF-bound workflow actions for onboarding, scope, assessment, evidence, AOC, reporting, and acceptance review. Tenant authority remains server-derived. No deploy behavior: this screen does not run deploys, payment traffic, partner-edge changes, external queues, notifications, or sandbox/live operations.