📖 GRC Master Operations Manual & Technical Feature Glossary
Standardized Sovereign Command Deck Training Playbook for Independent Learners
Target Audience: High School Lab Technicians (Grade 11/12) & Independent Compliance Auditors
System Architecture: Control-First Modular Agent Coordination Framework
Operational Date: 2026-06-27
Delta Source: daily_code_diff.txt (24-hour git window ending 2026-06-27 — Writer Narrative Architect mandate)
🕮 Chapter 1: Foundations of Enterprise GRC & Liability Mitigation
Welcome to the Ironframe Command Console. When multi-billion-dollar corporations operate global software networks, an untrained employee clicking the wrong button or entering unverified numbers can cause catastrophic real-world damage. A single mathematical error or security mistake can result in massive government fines, total network shutdowns, or devastating legal lawsuits.
This platform uses a structured architecture model called Governance, Risk, and Compliance (GRC) to prevent those disasters. Because you are training independently online without a live teacher, you must memorize the three core concepts of GRC and obey the safety limits written below to protect our system and client assets from harm:
+----------------------------------------+
| GOVERNANCE (The Constitutional Law) |
+-------------------+--------------------+
|
v
+----------------------------------------+
| RISK MANAGEMENT (The Defense Deck) |
+-------------------+--------------------+
|
v
+----------------------------------------+
| COMPLIANCE (The Bulletproof Proof) |
+-------------------+--------------------+
🏛️ 1. Governance (The Corporate Constitution)
- Plain-English Definition: Governance represents the unchangeable, absolute rules and system limits established by company executives or international law.
- The App Reality: In our platform, these rules are hardcoded into an electronic constitution known as the TAS (Tenant Architecture Specifications) file at `docs/TAS.md`. The software code is physically blocked from ever breaking these rules. Today's delta compacts `.cursorrules` from the legacy 204-line governance protocol into a 43-line auto-completion constraint sheet — Prisma import discipline (`import prisma from "@/lib/prisma"`), test file locations (`tests/unit/*.test.ts` for Next.js, `Ironboard/src/tests/*.test.ts` for workforce queues), CRM field alignment (`fullName`, `interactionchannel`), BigInt cent mandate, `@google/genai` temperature 0.0, prospect pool tenant isolation, and customer service LEVEL_1 doc grounding remain constitutionally locked. The IronBoard Core Telemetry Bridge requires every `POST /api/query` on port 8082 to hydrate live Ironframe shared context from `GET /api/board/shared-context` on port 3000 before LLM synthesis — fail-closed HTTP 502 with `CORE_TELEMETRY_DISCONNECTED` when the bridge cannot reach tenant-scoped telemetry. Founding board personas (CEO, CFO, Compliance, Legal) now delegate synthesis to `generateBoardAgentAssessment` in `boardAgentLlm.ts`, with `formatBoardStateSummary` anchoring `financialProjectionsCents` as whole-integer cent strings and `assertWholeIntegerCents` on every CFO turn. The June 26 OSINT manifest (`ironintel-osint-2026-06-26-live`) remains the active Strategic Intel corpus through operational date 2026-06-27 with LiteLLM five-day post-deadline triage, Splunk day-seven forensic hunt, and FortiBleed credential harvesting vectors — all peer ALE baselines remain BigInt cent strings in manifest JSON. The Hardened Governance Layers prompt block (`buildHardenedGovernanceLayers`) enforces a unidirectional read-only diode: the 19-agent boardroom advises from live JSON but holds zero write permissions to production databases. Public Governance Frame briefings must cite `financials.display.*.baselineFormatted` strings verbatim — never raw internal BigInt cent integers.
Today's delta wires the Documentation Brief one-way ingress and boardroom author isolation: Ironframe emits `documentationBrief` inside `GET /api/board/shared-context`; IronBoard Trainer (`board-trainer`) and Writer (`board-writer`) consume it via the expanded `knowledge.ts` (`buildTrainerDashboardGuideDraft`, `buildWriterArchitectureDraft`, `buildWriterSecurityComplianceDraft`, `publishTrainerCorpus`, `publishWriterCorpus`, `pushAppDocumentToIronframe`) — zero write-back except the bearer-gated `POST /api/documentation/execute`. Both personas are excluded from the live `BOARDROOM_QUERY_ROSTER` on port 8082; operators invoke isolated synthesis via `POST /api/agents/trainer` and `POST /api/agents/writer` on Ironframe port 3000 (`trainerAgentConsoleCore.ts`, `writerAgentConsoleCore.ts`). `safeDocsWriter.ts` rejects `briefing-queue/` and `published-briefings/` placement for Trainer/Writer. The executive documentation chapter loop (`runExecutiveDocumentationCommand`) fails closed when `fetchIronframeDocumentationBrief` returns no brief.
⚠️ 2. Risk Management (The Defense System)
- Plain-English Definition: Identifying potential technology failures or external hacks before they happen, and calculating exactly how much cash the company would lose (the Asset Loss Expectancy or ALE).
- The App Reality: Our system uses automated security monitors to calculate these risks instantly, displaying them as a System Maturity Score out of ten. The Irontrust math engine (Agent 3) stores all ALE baselines as BigInt integer cents — never floating-point dollars.
📜 3. Compliance (The Verifiable Proof)
- Plain-English Definition: Providing 100% accurate, un-tamperable data records to an independent government inspector to prove your business has never broken a law.
- The App Reality: Every mouse click, system test, and transaction you perform is logged into a locked, cryptographically signed ledger file that cannot be erased or edited by anyone. Shadow-plane diagnostics (`SimulationDiagnosticLog`) remain isolated from the production `AuditLog` per TAS Section 4.3.
🛑 Chapter 2: Core Regulatory Guardrails & Forbidden Actions
To completely eliminate operational risk, protect multi-tenant cloud client assets, and shield your training program from liability, you must strictly adhere to the following Four Corporate Compliance Mandates. Any violation will automatically cause the security tracking systems to flag your active session context and quarantine your workspace:
- Mandate 1: Strict Whole-Integer Financial Integrity: All monetary paths must use a variable type called `BigInt` (Big Integer) representing raw cents exclusively. One United States dollar equals 100 cents. Decimals and floating-point values are completely forbidden in financial modules to eliminate computational rounding drift during audits. Constitutionally frozen ALE baselines per `docs/TAS.md`:
  - Medshield: 1110000000 cents (eleven million one hundred thousand United States dollars)
  - Vaultbank NA: 590000000 cents (five million nine hundred thousand United States dollars)
  - Gridcore Infrastructure: 470000000 cents (four million seven hundred thousand United States dollars)
  - Defense (CMMC L3 anchor): 1600000000 cents (sixteen million United States dollars)
  - Display conversion only: `const dollars = Number(aleBaselineCents) / 100` — never persist floats.
  - Today's de-classification mandate: IronBoard public briefing synthesis must never emit raw BigInt cent integers in Governance Frame copy. Internal storage remains BIGINT cents exclusively; external-facing text uses the Ironframe-precomputed `financials.display.sovereignPool.*.baselineFormatted` and `currentExposureFormatted` strings. Grounded sales outreach (`generateGroundedPitch`) may cite BigInt numeric precision as a value proposition in engineer-to-engineer copy — that is marketing language, not a persistence path. Market prospect `aiFitnessScore` is an integer ICP tier score (region + compliance pressure + funding + compliance-hire signals) — not USD cents.
  - Ironbloom physical telemetry gate (2026-06-26 delta): `recordSustainabilityImpact` no longer assigns synthetic kWh from severity tiers (`isHighSeverity` removed). Mitigated value cents derive exclusively from `parseThreatIngestionTelemetry(threat.ingestionDetails)` — unresolved physical payloads return `no_physical_telemetry` without persisting float or guessed kWh. `resolveDashboardMitigatedValueCents` removed the `IRONBLOOM_PULSE_REFERENCE_KWH` forensic fallback — the dashboard hero reads the sealed tenant physical ledger via `aggregateTenantKwhAverted` and `findLatestThreatPhysicalTelemetry` before reporting 0 cents. The admin onboarding supervisor grid displays `allocatedBaseline` via `formatCentsToAccountingUSD` — display conversion only; PostgreSQL `tenants.ale_baseline` remains BigInt integer cents.
  - Constitutional seed baselines unchanged: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000 cents remain the Irontrust verification anchors in `financialIngressInvariant.test.ts` and `verifyCanonicalEnterpriseBaseline`.
  - Constitutional tenant anchor guard (2026-06-26 delta): `formatAleEngineManifestLine` in `baselineDriftManifest.ts` binds ALE_ENGINE footer anchors only when `isConstitutionalTenantKey(activeTenantKey)` returns true — dynamically provisioned slugs (for example `acmecorp`) emit ANCHOR UNBOUND until mapped to seed tenant keys in `TENANT_UUIDS`. Drift delta computation routes through the `industryBaselineAleCents()` helper — subtraction remains BigInt cents end-to-end.
- Mandate 2: Controlled Structural Amendments: You are strictly forbidden from modifying layout parameters, data ingestion targets, or background agent structures silently. Any alteration requires a formal TAS Amendment Proposal routed to the Product Owner. The Dynamic Discovery Mandate on IronBoard now permits only registered canonical responses in `orchestrator/routing.ts` (for example sales-lead domain boundary text). All other boardroom answers must cite tool receipts.
- Mandate 3: Verifiable Sustainability Unit Ingress: Environmental footprint data must be logged using raw, physical units exclusively (such as kWh of electricity, liters of water, or kilometers of logistics transport). The platform automatically rejects any sustainability telemetry packets containing purely monetary approximations to protect audit validity. Ironwatch system health columns (`sustainability_live_api_degraded`, `sustainability_api_heartbeat_failures`) now use `IF NOT EXISTS` guards for shadow-database replay safety.
- Mandate 4: Absolute Tenant Isolation Enforcement: Cross-tenant memory bleed is a critical security failure. Row-Level Security (RLS) constraints strictly isolate customer boundaries. You are completely forbidden from attempting to extract database rows from a separate company profile while logged into another. The dashboard gate (`resolveDashboardAccess`) binds workspace UUIDs exclusively from cookie scope or the operator's own `user_role_assignments` row — never from guessed tenant IDs.
- Mandate 5: Public Conversion Perimeter & Customer Service Documentation Grounding: All unauthenticated landing traffic (sales slide-over gateway, `/sales-agent-portal`, `POST /api/agents/sales`) must route to the prospect pool tenant UUID via `process.env.IRONFRAME_PROSPECT_POOL_TENANT_UUID` or the fallback `tenant_prospect_pool_01` — never into authenticated customer workspaces. The customer service agent (`POST /api/agents/customer-service`) must ground exclusively against `app_documents` rows where `readingLevel: "LEVEL_1"`. Ironguard tenant validation runs before any documentation pull; fail closed with HTTP 403 when perimeter validation drops. All automated GRC reasoning nodes, sales plays, and customer service workers run at `temperature: 0.0` with no emojis or creative flourishes in production copy.
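The following is an added example, not Ironframe project code, showing what Mandate 1 looks like when written as runnable checks. The function names mirror those the manual cites (`assertWholeIntegerCents`, `parseDollarAleToBigIntCents`, `formatCentsToAccountingUSD`, `isConstitutionalTenantKey`, `formatAleEngineManifestLine`), but their bodies are assumptions made for this illustration. Unlike the `Number(aleBaselineCents) / 100` display snippet above, it keeps even the display path on string and BigInt arithmetic, so no float is ever constructed, and it shows the ANCHOR UNBOUND behaviour for a non-seed tenant key.

```typescript
// Added example (not Ironframe project code): Mandate 1 as runnable checks.
// Names mirror the manual; bodies are assumptions for this illustration.
// All arithmetic is BigInt or string based; Number() never touches a cent value.

const CENTS_PER_DOLLAR = BigInt(100);

// Constitutionally frozen ALE baselines from docs/TAS.md, kept as cent strings
// (the manifest JSON convention the manual describes).
export const CONSTITUTIONAL_ALE_BASELINE_CENTS: Readonly<Record<string, string>> = {
  medshield: "1110000000",
  vaultbank: "590000000",
  gridcore: "470000000",
  defense: "1600000000",
};

// Accepts only a canonical non-negative integer string; rejects floats,
// signs, leading zeros and separators before any BigInt is built.
export function assertWholeIntegerCents(value: string): bigint {
  if (!/^(0|[1-9][0-9]*)$/.test(value)) {
    throw new Error(`non-integer cent value rejected: ${JSON.stringify(value)}`);
  }
  return BigInt(value);
}

// Parses operator-typed dollar input such as "$11,100,000.00" into integer
// cents without constructing a float: split on the decimal point, pad the
// fractional part to two digits, then combine with BigInt arithmetic.
export function parseDollarAleToBigIntCents(input: string): bigint {
  const cleaned = input.replace(/[$,\s]/g, "");
  const match = /^(\d+)(?:\.(\d{1,2}))?$/.exec(cleaned);
  if (match === null) {
    throw new Error(`unparseable dollar amount: ${JSON.stringify(input)}`);
  }
  const whole = match[1];
  const frac = (match[2] ?? "").padEnd(2, "0");
  return BigInt(whole) * CENTS_PER_DOLLAR + BigInt(frac);
}

// Display-only conversion to accounting USD ("$11,100,000.00"). The result is
// copy for a screen or briefing, never a value written back to storage.
export function formatCentsToAccountingUSD(cents: bigint): string {
  const negative = cents < BigInt(0);
  const abs = negative ? -cents : cents;
  const whole = (abs / CENTS_PER_DOLLAR).toString();
  const frac = (abs % CENTS_PER_DOLLAR).toString().padStart(2, "0");
  const grouped = whole.replace(/\B(?=(\d{3})+(?!\d))/g, ",");
  return `${negative ? "-" : ""}$${grouped}.${frac}`;
}

// Drift delta (current exposure minus baseline): BigInt end to end, so the
// result may be negative but can never carry rounding error.
export function driftDeltaCents(currentExposureCents: string, baselineCents: string): bigint {
  return assertWholeIntegerCents(currentExposureCents) - assertWholeIntegerCents(baselineCents);
}

// Anchor guard: only seed tenant keys bind an ALE_ENGINE baseline line;
// any other slug reports ANCHOR UNBOUND rather than a guessed figure.
export function isConstitutionalTenantKey(tenantKey: string): boolean {
  return Object.prototype.hasOwnProperty.call(CONSTITUTIONAL_ALE_BASELINE_CENTS, tenantKey);
}

export function formatAleEngineManifestLine(tenantKey: string): string {
  if (!isConstitutionalTenantKey(tenantKey)) {
    return `ALE_ENGINE ${tenantKey}: ANCHOR UNBOUND`;
  }
  const baseline = assertWholeIntegerCents(CONSTITUTIONAL_ALE_BASELINE_CENTS[tenantKey]);
  return `ALE_ENGINE ${tenantKey}: baseline ${formatCentsToAccountingUSD(baseline)}`;
}
```

The validation regex in `assertWholeIntegerCents` is the audit-relevant part: a value such as `"12.5"` or `"1,100"` is rejected at the boundary instead of being silently truncated by `BigInt()`, which would throw on some inputs and accept others.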
🎨 Chapter 3: True Screen Grid Coordinates & Panel Layout Proportions
The platform interface scales fluidly in sync with your window size using a fixed fractional grid. It divides your display monitor into three permanent vertical panel columns, each operating with independent vertical scrolling:
- The Left Panel (Data Deck) [22% Screen Width]: Houses active system security metric graphs, system maturity nodes, target asset profiles, and framework selection matrices.
- The Center Panel (Workspace Canvas) [48% Screen Width]: Contains the primary navigation path tabs, the horizontal GRC metric rows, and the large workflow control blocks.
- The Right Panel (Audit Column) [30% Screen Width]: Houses the Sustainability Pulse panel widget and the long, vertically extending Live Audit Ledger Stream terminal layout box.
Layout Refactor Notes (2026-06-26 Delta)
Today's delta consolidates role-based dashboards under app/(dashboard)/dashboard/* — the legacy app/roles/* tree is deleted (audit, board, cfo, ciso, cro, insurance, itsm, legal, ops, product stakeholder_metrics stubs removed). Configuration moves from /config to /settings/config; simulationNavFocus.resolveSettingsConfigHref falls back to /settings/config when no tenant key is bound. Tenant topology and logs placeholder pages (app/*/topology, app/*/logs) are removed. Authenticated support console lands at /dashboard/support with tripane chat UI posting to /api/agents/customer-service.
Design-partner Get Started hub lands at /get-started with five-step progressive checklist referencing the 24-chapter Level 1 curriculum (post-activation copy — invite steps live in workspace email only), guided step focus panel with Level 1 training corpus screenshots via GET_STARTED_STEP_VISUALS, per-step narration audio from /docs/training/assets/get-started-orientation/steps/{stepId}.mp3 through getStartedStepAudioSrc, auto-play toggle (ironframe-get-started-step-audio-autoplay localStorage key), embedded TrainerAgentSessionForm sandbox (POST /api/agents/trainer), inline documentation reader drawer fetching GET /api/docs/reader?slug= without leaving the checklist (fixed bottom overlay with simulation-aware top offset), GetStartedOrientationFallback companion for quickstart hash #orientation, orientation walkthrough popout via openOrientationWalkthroughWindow() for crossfade screenshots with narration, OperatorActivationBanner for credential-state guidance, optional overview audio/video via NEXT_PUBLIC_GET_STARTED_VIDEO_URL (supports .mp3, .m4a, .wav, .ogg or video), localStorage progress mirror (ironframe-get-started-v1), keepalive: true on progress POST, benign runtime emission swallow via isBenignRuntimeEmissionError, and TRAINING_ONBOARDING audit receipts via POST /api/get-started/progress — route exempt from billing hold and listed in isScrollableStandalonePath / isDashboardRouteGroupPath in grcRouteMatch.ts.
Global Trainer drawer: TrainerAgentDrawer mounted in AppShell.tsx on all workspace routes — opened from Header #1 Ask Trainer chip via useTrainerAgentDrawerStore; portal slide-over at min(100vw, 420px) width with Escape dismiss. AppShell.tsx disables useIronwatchTelemetryFeed on /get-started to reduce onboarding noise. TopNav exposes data-testid="topnav-get-started-link".
Ironquery export scope UX: /dashboard/exports renders ExportScopeRequiredPanel in-page when entitlement missing (replaces redirect to /?exportScope=required); authenticated Command Post mounts ExportScopeRequiredBanner when export scope query param present.
Admin onboarding supervisor UI refactors /admin/onboarding into deployment inventory grid (AdminOnboardingDeployments) plus #onboarding-controls provisioning shell — fetchTenantDeploymentRows() surfaces ALE allocation via formatCentsToAccountingUSD(tenant.ale_baseline) (BigInt cents in DB, formatted USD display only), infrastructure badges PROVISIONED vs STAGED, legal posture COMPLETE / PENDING_SIGNATURE / AWAITING_INITIALIZATION, and per-tenant workspace URLs from buildTenantSubdomainOrigin.
Middleware auth landing refactor: buildLoginRedirectUrl preserves next return path on unauthenticated redirects; Rule B uses resolveAuthNextPathForHost instead of hardcoded /integrity; finalizeMiddlewareResponse wraps every middleware exit with applySubdomainTenancy.
Docs routing hardening: next.config.ts rewrites legacy hub assets to .html suffix only — markdown slugs route to app/docs/[[...slug]]; Windows dev webpack cache switched to in-memory (prevents layout.css 404 from cache: false). Public /docs renders from PostgreSQL app_documents via CompilationIngressPortal when slug resolution fails — filesystem-only generateStaticParams removed; /docs/hub redirects to /docs/README; /docs/user-guide redirects to /docs/user-manuals/user-guide.
Trust Center procurement pages mount at /trust/* inside the dashboard route group. Registration surface deletion: app/(marketing)/register/setup/page.tsx removed entirely; /register/demo server-redirects to /register/contact?reason=sales_assisted_only. Corporate provision form now parses dollar ALE input through parseDollarAleToBigIntCents in provisionCorporateTenant.ts — persisted as whole-integer cent strings only. Master purge guard: purgeAllDataAction returns failure outside NODE_ENV=development. Training screenshot corpus: twenty-four PNG assets under public/docs/training/assets/ plus supplemental capture get-started-dashboard-exports-stack.png at /dashboard/exports per training-corpus-manifest.json supplementalCaptures; Level 1 chapter 03 capture route updated to / (Main Ops Command Center tripane). WCAG touch targets: app/globals.css adds ironframe-interactive rules — coarse pointer devices enforce 2.75rem (44px) minimum height on buttons and rounded anchors per dark cockpit aesthetic mandate. Tailwind: fadeIn keyframe animation added for support console, docs shell, and Trainer drawer transitions.
Narrow public ingress funnel (2026-06-26 delta): Cloud hosts without IRONFRAME_ALLOW_PUBLIC_INGRESS=1 permit only the narrow public funnel — not a full-host 403 on every path. Allowed cloud paths include /, /terms, /privacy, /pricing, /marketing, /register/*, /sales-agent-portal, /governance-frame, auth surfaces, /account/billing-hold, /docs, /api/auth/callback, and /api/auth/session-bootstrap. Private workspace surfaces (/integrity, /dashboard/*, /cockpit) remain 403 blocked until full ingress opt-in. Dual Stripe webhooks bypass quarantine: /api/webhooks/stripe and /api/billing/webhook. Token-gated API paths bypass quarantine — route handlers enforce Bearer secrets. Staging apex: IRONFRAME_STAGING_APEX_DOMAIN in tenantSubdomain.ts resolves tenant slug from staging Vercel host patterns.
| Surface | Route examples | Chrome mounted | Scroll behavior |
|---|---|---|---|
| Public marketing landing | / (guest), /marketing | MarketingHomepage — no TopNav | Full-page vertical scroll |
| Public legal and pricing | /terms, /privacy, /pricing, /register/contact | Theme tokens only | Full-page scroll |
| Sales agent portal | /sales-agent-portal | MarketingSalesPortalTrigger + SalesAgentSlideOver | Full-page scroll |
| App docs reader | /docs, /docs/[slug] | DocsChrome — DB-backed AppDocument | Full-page scroll |
| Governance Frame reader | /governance-frame, /governance-frame/[slug] | GovernanceFrameLayout | Full-page scroll; robots: index false |
| Auth public paths | /login, /forgot-password, /reset-password, /unauthorized, /legal/accept | Themed forms | Full-page scroll |
| Dashboard command center | /, /integrity (authenticated), /dashboard/*, /dashboard/support | DashboardCommandCenterLayout → AppShell → TopNav | Tripane columns scroll independently |
| Design-partner Get Started hub | /get-started | GetStartedPortalClient — checklist + Trainer sandbox | standaloneScroll on AppShell; billing-hold exempt |
| Trust Center | /trust, /trust/dpa, /trust/subprocessors, /trust/data-residency | Dashboard chrome — TrustProcurementDocument | Standalone scroll |
| Tenant subdomain workspace | http://{slug}.lvh.me:3000/integrity | Host-bound tenant switcher lock | Tripane or standalone |
| Platform admin onboarding | /admin/onboarding, /admin/onboarding/test-assets | AdminOnboardingDashboardHeader + AdminOnboardingDeployments + #onboarding-controls | Standalone scroll within GLOBAL_ADMIN gate |
| Standalone dashboard pages | /evidence, /board-report, /reports/audit-trail | TopNav chrome | standaloneScroll on AppShell |
Layout separation mandate (2026-06-18): Root app/layout.tsx mounts IronframeThemeProvider only — it does not mount AppShell or TopNav. Authenticated workspace chrome is confined to app/(dashboard)/layout.tsx, which calls ensureDashboardTenantSession, resolves billing entitlement, wraps children in DashboardCommandCenterLayout → DashboardGroupShell → DashboardBillingGate. Public /login, /pricing, /register/contact, /docs, and /governance-frame never inherit command-center chrome. AppShellRouter and ConditionalAppShell route chrome by pathname class. Tenant subdomain hosts receive host-bound scope via applySubdomainTenancy on every middleware response.
The DashboardGroupShell component writes data-dashboard-left-rail, data-dashboard-right-rail, and data-dashboard-rail-floor-lock attributes so CSS enforces the constitutional 22/48/30 geometry on tripane routes only. When initialTenantUuid arrives from the server RBAC gate and no client cookie exists, the shell writes ironframe-tenant (180-day max-age, SameSite=Lax) and dispatches ironframe-tenant-changed.
⚙️ Chapter 4: Component-by-Component GRC Feature Dictionary
Every visible component on your monitor screen is mapped below using industry-standard GRC nomenclature. Use this glossary to cross-reference elements during your self-paced online laboratories. Each entry cites the agent boundary implicated by today's code delta.
<a id="ingress-001"></a>
🚧 Feature 0: Production Deployment Quarantine Perimeter (Narrow Public Funnel)
- GRC Function ID: INGRESS-001
- Exact Screen Coordinates: No visible UI on blocked responses — the browser displays a monospace IRONFRAME SYSTEM ARCHITECTURE 403 page with the message LOCAL DEVELOPMENT ONLY · Public ingress is disabled. Public funnel routes (`/terms`, `/docs`, `/marketing`, etc.) render normally on cloud hosts without full ingress opt-in.
- Operational Purpose: Blocks private workspace HTTP ingress to Ironframe on cloud-hosted domains (Vercel preview, production apex, tenant subdomains) during closed Phase 1 development while preserving a narrow public funnel for legal, marketing, registration, documentation, Governance Frame, and sales-agent surfaces. Forces operators to bind dev servers to 127.0.0.1 and use localhost, 127.0.0.1, or *.lvh.me tenant workspaces locally. Stripe signed webhooks and token-gated cron/API paths remain reachable so commerce provisioning and headless automation can run while the command center stays dark on cloud hosts.
- Technical Mechanics: Implemented in `app/lib/security/deploymentQuarantine.ts` and `app/utils/grcRouteMatch.ts`, invoked as middleware step 1 before Supabase session refresh. Middleware executes ordered phases:
  - Production quarantine perimeter — `shouldBlockProductionIngress` (local dev hosts always continue)
  - Prospect ingress gate — `shouldBlockProspectIngress` redirects self-serve registration to `/register/contact` when `IRONFRAME_PUBLIC_REGISTRATION_ENABLED` is false
  - Supabase session + platform gates — `updateSession`, tenant isolation, stale lockdown
  - Auth entrance codes — Rule A0 (`assertGlobalAdminForOnboarding` for `/admin/onboarding` GLOBAL_ADMIN), Rule A (unauthenticated `/integrity` → `/login`), Rule B (authenticated `/login` → tenant Command Post or Integrity Hub via `resolvePostAuthLandingPath`), public marketing/legal/pricing/demo passthrough for guests
  - Subdomain tenancy finish — `applySubdomainTenancy` stamps host-bound tenant headers and cookies on every response
- Production quarantine perimeter — `shouldBlockProductionIngress` returns true only when all of the following hold:
  - Hostname is not a local development host (`localhost`, `127.0.0.1`, `[::1]`, `*.localhost`, `*.lvh.me`, `*.localtest.me`)
  - Pathname is not a Stripe webhook (`/api/webhooks/stripe` or `/api/billing/webhook` per `STRIPE_WEBHOOK_PATHS` in `config/stripe.ts`)
  - Pathname is not token-gated API ingress (`isTokenGatedApiIngressPath`: `/api/internal/cron/*`, `/api/cron/narrate`, `/api/board/feed`, `/api/internal/ironquery/export`)
  - Pathname is not a narrow public funnel path (`isPublicCloudIngressPath`: `/`, `/terms`, `/privacy`, `/pricing`, `/marketing`, `/sales-agent-portal`, `/register/*`, auth surfaces, `/legal/accept`, `/account/billing-hold`, `/docs`, `/governance-frame`, `/api/auth/callback`)
  - `IRONFRAME_ALLOW_PUBLIC_INGRESS` is not set to `1`, `true`, or `yes`
  `isPrivateWorkspaceIngressPath` classifies `/integrity`, `/dashboard/*`, `/cockpit`, and other command-center surfaces as blocked on cloud hosts until full ingress opt-in. The local development whitelist includes `vaultbank.lvh.me` and `acmecorp.lvh.me` style tenant subdomains — wildcard `*.lvh.me` resolves to 127.0.0.1 without OS hosts file edits. The IronBoard engine binds 127.0.0.1 only (not 0.0.0.0) — the startup log reads your provisioned workspace URL.
- Agent Boundary: Ironguard (Agent 12) perimeter enforcement; Ironlock (Agent 6) coordinates with constitutional freeze when combined with stale lockdown.
- Step-by-Step Lab Validation:
  - Deploy to `ironframegrc.com` or a Vercel preview host without `IRONFRAME_ALLOW_PUBLIC_INGRESS=1`.
  - Navigate to `/terms`, `/privacy`, `/marketing`, `/docs`, `/pricing`, `/sales-agent-portal`, and `/governance-frame` — verify HTTP 200 (narrow funnel allowed).
  - Navigate to `/integrity`, `/dashboard/cfo`, and the authenticated tripane `/` — verify the HTTP 403 monospace quarantine page.
  - POST to `/api/webhooks/stripe` and `/api/billing/webhook` on the same cloud host — verify the requests are not quarantined.
  - POST to `/api/internal/cron/industry-scout` with a valid `IRONFRAME_CRON_SECRET` Bearer — verify the route handler executes (middleware passthrough).
  - On each of your provisioned workspace URLs, confirm all dashboard routes remain accessible.
  - Set `IRONFRAME_ALLOW_PUBLIC_INGRESS=1` in the environment — confirm the cloud preview allows full workspace ingress for stakeholder demos.
  - Run `tests/unit/deploymentQuarantine.test.ts` — verify narrow funnel paths, localhost whitelist, dual Stripe webhook bypass, token-gated API bypass, and private workspace block semantics.
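As an added example (not Ironframe project code), the host/path decision described under Technical Mechanics above can be written as pure functions and unit-tested without Next.js middleware. The host and path lists are those quoted in the manual; the matching rules (exact match versus prefix match, port stripping, case folding) and the `IngressRequest` shape are assumptions made for this illustration. It classifies by host and path only, so the authenticated-root case (`/` for a logged-in operator) is not modelled here.

```typescript
// Added example (not Ironframe project code): shouldBlockProductionIngress as
// pure functions. Lists come from the manual; matching rules are assumptions.

export interface IngressRequest {
  hostname: string; // as seen by middleware, may carry a port ("vaultbank.lvh.me:3000")
  pathname: string; // URL path only, no query string
}

const LOCAL_HOST_EXACT = new Set(["localhost", "127.0.0.1", "[::1]"]);
const LOCAL_HOST_SUFFIXES = [".localhost", ".lvh.me", ".localtest.me"];

export const STRIPE_WEBHOOK_PATHS = ["/api/webhooks/stripe", "/api/billing/webhook"];
const TOKEN_GATED_EXACT = ["/api/cron/narrate", "/api/board/feed", "/api/internal/ironquery/export"];
const TOKEN_GATED_PREFIXES = ["/api/internal/cron/"];
const PUBLIC_EXACT = [
  "/", "/terms", "/privacy", "/pricing", "/marketing", "/sales-agent-portal",
  "/login", "/forgot-password", "/reset-password", "/unauthorized", "/legal/accept",
  "/account/billing-hold", "/docs", "/governance-frame",
  "/api/auth/callback", "/api/auth/session-bootstrap",
];
const PUBLIC_PREFIXES = ["/register/", "/docs/", "/governance-frame/"];
const PRIVATE_ROOTS = ["/integrity", "/dashboard", "/cockpit"];

// A prefix only counts when something follows it: "/register/" alone is not a funnel page.
function hasNonEmptyPrefix(pathname: string, prefixes: readonly string[]): boolean {
  return prefixes.some((p) => pathname.startsWith(p) && pathname.length > p.length);
}

function underRoot(pathname: string, root: string): boolean {
  return pathname === root || pathname.startsWith(root + "/");
}

// Local development hosts always continue; the port is stripped, but a bare
// "lvh.me" is not treated as a wildcard match.
export function isLocalDevelopmentHost(hostname: string): boolean {
  const host = hostname.toLowerCase().replace(/:\d+$/, "");
  return LOCAL_HOST_EXACT.has(host) || LOCAL_HOST_SUFFIXES.some((s) => host.endsWith(s));
}

export function isStripeWebhookPath(pathname: string): boolean {
  return STRIPE_WEBHOOK_PATHS.includes(pathname);
}

export function isTokenGatedApiIngressPath(pathname: string): boolean {
  return TOKEN_GATED_EXACT.includes(pathname) || hasNonEmptyPrefix(pathname, TOKEN_GATED_PREFIXES);
}

export function isPublicCloudIngressPath(pathname: string): boolean {
  return PUBLIC_EXACT.includes(pathname) || hasNonEmptyPrefix(pathname, PUBLIC_PREFIXES);
}

export function isPrivateWorkspaceIngressPath(pathname: string): boolean {
  return PRIVATE_ROOTS.some((root) => underRoot(pathname, root));
}

export function publicIngressOptedIn(env: Record<string, string | undefined>): boolean {
  const v = (env.IRONFRAME_ALLOW_PUBLIC_INGRESS ?? "").trim().toLowerCase();
  return v === "1" || v === "true" || v === "yes";
}

// Ordered decision. The final `return true` is the important line: a path that
// is neither an allowed funnel page nor an explicitly private surface (for
// example "/dashboards" or an unlisted API route) is still blocked by default.
export function shouldBlockProductionIngress(
  req: IngressRequest,
  env: Record<string, string | undefined>,
): boolean {
  if (isLocalDevelopmentHost(req.hostname)) return false;
  if (publicIngressOptedIn(env)) return false;
  if (isStripeWebhookPath(req.pathname)) return false;
  if (isTokenGatedApiIngressPath(req.pathname)) return false;
  if (isPublicCloudIngressPath(req.pathname)) return false;
  return true;
}
```

Note that the bypasses for Stripe webhooks and token-gated paths only skip the quarantine layer; as the manual states, the route handlers themselves still verify the Stripe signature or the Bearer secret.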
<a id="auth-001"></a>
🔐 Feature 0b: Zero-Trust Dashboard RBAC Gate
- GRC Function ID: AUTH-001
- Exact Screen Coordinates: Invisible server gate — manifests as a redirect to `/login` or `/unauthorized` before any dashboard chrome paints.
- Operational Purpose: Ensures authenticated Supabase users without a matching `user_role_assignments` row cannot mount workspace shells, preventing privilege escalation into tenant telemetry grids.
- Technical Mechanics: `app/(dashboard)/layout.tsx` calls `ensureDashboardTenantSession(await resolveDashboardAccess())`:
  - `unauthenticated` → `redirect("/login")`
  - `pending` (no valid assignment) → `redirect("/unauthorized")`
  - `allowed` → passes `tenantUuid` into `DashboardGroupShell`
- Constitutional authority bypass: Dev constitutional authority users may fall back to the Medshield UUID `5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01` when no assignment exists — logged as `tenantFallbackApplied: true`.
- Agent Boundary: Ironguard (Agent 12) token and context validation.
- Step-by-Step Lab Validation:
  - Sign in with a Supabase user that has no `user_role_assignments` row.
  - Attempt `/integrity` — verify the redirect to `/unauthorized` and the `AccessPending` surface.
  - Assign a role row for the Medshield tenant — reload — verify the dashboard chrome mounts with the tenant cookie written.
  - Trigger a digest `1041080224` class server error — verify `app/(dashboard)/error.tsx` renders `AccessPending` instead of a blank error page.
<a id="auth-002"></a>
🔑 Feature 0c: Public Homepage vs Command Center Split
- GRC Function ID: AUTH-002
- Exact Screen Coordinates: Root URL `/` — marketing hero for guests; tripane Command Center for authenticated operators with RBAC clearance.
- Operational Purpose: Exposes a Seed-to-Series-A marketing narrative to prospects while preserving the full 19-agent workforce grid for credentialed operators on the same route.
- Technical Mechanics: `app/page.tsx` resolves `resolveDashboardAccess()`:
  - Guest → `MarketingHomepage` with regulatory brief cards (DORA, EU AI Act, NIS2) and a CONSOLE INGRESS ──► link to `/login`
  - Allowed → `DashboardHomeClient` inside `DashboardGroupShell` with `carbonMitigatedValueCents` passed as BigInt from `resolveDashboardMitigatedValueCents`
- Agent Boundary: Ironcore orchestration; Ironbloom (Agent 17) supplies mitigated value cents; Irontrust (Agent 3) validates financial display via `formatCentsToUSD`.
- Step-by-Step Lab Validation:
  - Open `/` in a private browser window — verify the marketing hero title Ironframe: The Immutable Standard for AI-Driven GRC.
  - Click CONSOLE INGRESS — verify navigation to `/login`.
  - Sign in with an RBAC-cleared operator — verify the tripane Command Center replaces the marketing layout on `/`.
  - Inspect the network payload for the mitigated value — confirm a raw cents integer, not a float.
<a id="theme-001"></a>
🎨 Feature 0d: Ironframe UI Theme Palette Selector
- GRC Function ID: THEME-001
- Exact Screen Coordinates: TopNav master header — operator profile dropdown (`TopNavUserProfileMenu`) → Appearance section.
- Operational Purpose: Allows operators to select a visual palette without altering tenant data context — UI-only scope per TAS.
- Technical Mechanics: Three registered themes in `app/lib/ironframeTheme.ts`:
  - Standard System — follows OS light/dark via the `next-themes` value `system`
  - Executive Light — high-contrast paper palette (`data-ironframe-palette="executive-light"`)
  - Cyber Command Dark — midnight command deck (`data-ironframe-palette="cyber-command-dark"`)
  Persistence key: `ironframe-ui-theme`. Body attributes: `data-ironframe-theme` and `data-ironframe-palette` synced by `IronframeThemeBodySync`.
- Agent Boundary: None — pure presentation layer; does not touch LangGraph state or financial stores.
- Step-by-Step Lab Validation:
  - Open the profile menu in TopNav — verify the email and role label render.
  - Select Executive Light — verify `document.body` gains `data-ironframe-theme="executive-light"`.
  - Navigate to `/login` — verify the login page respects the `--bg-primary` and `--login-border` CSS variables.
  - Select Cyber Command Dark — verify the TopNav classes `ironframe-topnav-master` and `ironframe-topnav-subnav` pick up dark palette tokens.
  - Reload the browser — verify the theme persists from `localStorage` via `next-themes`.
<a id="auth-003"></a>
📧 Feature 0e: Corporate B2B Tenant Invite Provisioning
- GRC Function ID: AUTH-003
- Exact Screen Coordinates: Admin server action — no default UI chip; invoked from platform administrator tooling.
- Operational Purpose: Provisions corporate users into Medshield, Vaultbank, Gridcore, or Defense tenants via the Supabase Admin invite API with tenant-scoped metadata.
- Technical Mechanics: `app/actions/admin/inviteCorporateTenantUser.ts` delegates to `inviteCorporateTenantUserCore` in `corporateTenantProvisionCore.ts` after `requirePlatformAdministrator()`:
  - Requires GLOBAL_ADMIN role, constitutional authority, or remote-access toggle per `platformAdminAccess.ts`
  - Uses `SUPABASE_SERVICE_ROLE_KEY` (server-only — documented in `.env.example`)
  - Redirect URL built from `resolveTenantAuthRedirectOrigin` and `buildAuthCallbackUrl` — may target a tenant subdomain after invite
  - Supports role selection: GRC_MANAGER or CISO on the invite form
  - Writes an `auditLogCreateLoose` receipt on success
- Agent Boundary: Ironguard (Agent 12) identity; Ironwatch (Agent 13) audit trail.
- Step-by-Step Lab Validation:
  - As GLOBAL_ADMIN, submit the invite form with an email and `tenantSlug=medshield`.
  - Verify the Supabase invite email contains a callback to `NEXT_PUBLIC_APP_URL`.
  - Confirm a `user_role_assignments` row is created for the target tenant UUID.
  - Attempt an invite as a non-admin — verify the error GLOBAL_ADMIN role required.
<a id="tenant-001"></a>
🔄 Feature 1: Multi-Tenant Context Switcher
- GRC Function ID: TENANT-001
- Exact Screen Coordinates: Pinned to the far left edge of the global sub-header toolline (TopNav subnav row), sitting directly above the Left Panel.
- Operational Purpose: Swaps your complete display dashboard between separate corporate profiles. On apex hosts, GLOBAL_ADMIN operators see every provisioned tenant plus the aggregate Global Command Center lane. Non-admin operators see only tenants bound to their `user_role_assignments` rows. On tenant subdomain hosts (e.g. `vaultbank.lvh.me:3000` or `vaultbank.ironframegrc.com`), the switcher locks to the host-bound workspace — cross-tenant switching is forbidden to prevent subdomain scope bleed.
- Technical Mechanics: `app/lib/auth/commandCenterTenantAccess.ts` exports `resolveCommandCenterTenantScope()` — RBAC-scoped tenant listing replaces the prior unscoped `prisma.tenant.findMany`. `TenantSwitcher` consumes the `listCommandCenterTenantScope()` server action. `DashboardGroupShell` seeds the `ironframe-tenant` cookie from the server-resolved `initialTenantUuid` when the client cookie is missing, then calls `setIronguardEffectiveTenant`. `applySubdomainTenancy` in middleware stamps `x-ironframe-host-tenant-slug` and `x-ironframe-host-tenant-uuid` headers and rewrites conflicting path-prefix tenant slugs. Dynamic tenant slugs resolve via the internal gate `/api/internal/tenant-slug-resolve` when not in the seed `TENANT_UUIDS` map.
- Financial Baselines on Switch (BigInt cents only):
  - Medshield → 1110000000
  - Vaultbank → 590000000
  - Gridcore → 470000000
  - Defense → 1600000000
  - Dynamically provisioned tenants → `tenants.ale_baseline BIGINT` set at provision time (Stripe checkout passes `amountTotalCents` as BigInt)
- Step-by-Step Lab Validation:
- Sign in as GRC_MANAGER assigned to Vaultbank only — verify switcher lists Vaultbank row exclusively.
- Sign in as GLOBAL_ADMIN on apex host — verify all seed tenants plus any provisioned corporate tenants appear; Global lane permitted.
- Open
your provisioned workspace URL— verify switcher shows Vaultbank only andcanAccessGlobalis false. - Click tenant dropdown — observe ECG progress sweep until financial cells paint.
- Open browser cookies — verify
ironframe-tenantmatches host-bound UUID on subdomain routes.
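The scoping rules above (RBAC listing first, then the host lock) as an added example; this is not the project's own `commandCenterTenantAccess.ts`. The `Operator` and `TenantRow` shapes, the apex-host list and the placeholder UUIDs are assumptions; the four seed slugs and their BigInt cent baselines are the glossary's values.

```typescript
// Added example, not the project's own code: an RBAC-scoped tenant switcher resolver
// following the rules in the glossary. Shapes, apex hosts and UUIDs are assumptions.

export type Role = "GLOBAL_ADMIN" | "GRC_MANAGER" | "CISO";

export interface TenantRow {
  uuid: string;
  slug: string;
  aleBaselineCents: bigint; // whole-integer cents, never a float
}

export interface Operator {
  role: Role;
  // Mirrors the operator's user_role_assignments rows (tenant UUIDs bound to them).
  assignedTenantUuids: string[];
}

export interface TenantScope {
  tenants: TenantRow[];
  canAccessGlobal: boolean; // Global Command Center lane visible?
  hostLocked: boolean; // switcher pinned to the host-bound workspace?
}

// Constructed seed table; the UUIDs are placeholders, the baselines are the page's.
export const SEED_TENANTS: TenantRow[] = [
  { uuid: "uuid-medshield", slug: "medshield", aleBaselineCents: BigInt("1110000000") },
  { uuid: "uuid-vaultbank", slug: "vaultbank", aleBaselineCents: BigInt("590000000") },
  { uuid: "uuid-gridcore", slug: "gridcore", aleBaselineCents: BigInt("470000000") },
  { uuid: "uuid-defense", slug: "defense", aleBaselineCents: BigInt("1600000000") },
];

// Apex hosts serve the cross-tenant switcher; "<slug>.<apex>" is a tenant subdomain.
const APEX_HOSTS = ["lvh.me:3000", "ironframegrc.com"];

export type HostKind =
  | { kind: "apex" }
  | { kind: "subdomain"; slug: string }
  | { kind: "unknown" };

export function classifyHost(host: string): HostKind {
  const h = host.trim().toLowerCase();
  if (APEX_HOSTS.includes(h)) return { kind: "apex" };
  for (const apex of APEX_HOSTS) {
    if (h.endsWith("." + apex)) {
      return { kind: "subdomain", slug: h.slice(0, h.length - apex.length - 1) };
    }
  }
  return { kind: "unknown" }; // unrecognised Host header: grant nothing
}

export function resolveCommandCenterTenantScope(
  operator: Operator,
  host: string,
  tenants: TenantRow[] = SEED_TENANTS,
): TenantScope {
  const isAdmin = operator.role === "GLOBAL_ADMIN";

  // Step 1, RBAC listing: admins see every provisioned tenant; everyone else sees
  // only the tenants bound to their assignments (never an unscoped findMany).
  const assigned = new Set(operator.assignedTenantUuids);
  const visible = isAdmin ? tenants.slice() : tenants.filter((t) => assigned.has(t.uuid));

  // Step 2, host lock: on a tenant subdomain the switcher collapses to the host-bound
  // workspace, and only if RBAC already granted it, so a subdomain never widens scope.
  const hostKind = classifyHost(host);
  if (hostKind.kind === "subdomain") {
    const hostSlug = hostKind.slug;
    return {
      tenants: visible.filter((t) => t.slug === hostSlug),
      canAccessGlobal: false,
      hostLocked: true,
    };
  }
  if (hostKind.kind === "unknown") {
    return { tenants: [], canAccessGlobal: false, hostLocked: true };
  }
  return { tenants: visible, canAccessGlobal: isAdmin, hostLocked: false };
}
```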
<a id="ux-005"></a>
📊 Feature 2: Operational Maturity Tracker
- GRC Function ID: UX-005
- Exact Screen Coordinates: Positioned inside the upper section of the Center Panel (48% Screen Width), sitting right next to the active operational tabs.
- Operational Purpose: Provides an absolute, real-time numeric grade of the selected corporate entity's cybersecurity health and regulatory posture.
- Technical Mechanics: Calculated dynamically by the `Irontrust` math engine (Agent 3) based on passed vulnerability scans, unpatched dependencies, and active compliance metrics. `/api/grc/tas-integrity` now returns `systemMaturityScore` from `readGovernanceMaturityState` inside a consolidated `buildIntegrityPayload` helper that survives partial subsystem failures.
- Step-by-Step Lab Validation:
  - Look at the Operational Maturity Tracker block located at the crown of your center console canvas.
  - Read the white numeric fraction value outputting the current grade (e.g., `4.5 / 10`).
  - Verify the Trend Metric: Locate and verify the small green trend indicator text tracking your Month-Over-Month performance curve (`+1.2 MoM`).
  - Change corporate profile using the tenant switcher — observe the 8-second EKG sweep until new tenant scores paint.
  - Call `GET /api/grc/tas-integrity` — verify JSON includes `systemMaturityScore`, `chaosSimulationActive`, and `sha256Short` without 500 error when Prisma slice read fails (degraded mode).
<a id="sim-001"></a>
🕹️ Feature 3: Chaos Engineering Simulation Injector
- GRC Function ID: SIM-001
- Exact Screen Coordinates: Positioned directly within the middle section of the Left Panel (22% Screen Width).
- Operational Purpose: Injects simulated infrastructure disasters and security threats to validate background agent detection, boundary isolation, and self-healing response playbooks without risking production infrastructure.
- Technical Mechanics: Simulates distinct cyber-threat profiles by triggering temporary network or state disruptions, forcing monitoring agents like `Ironlock` (Agent 6) or `Ironwatch` (Agent 13) to execute automated containment and quarantine playbooks. Shadow-plane rows land in `SimThreatEvent` with `mitigated_value_cents BIGINT` — never production `ThreatEvent` for self-test noise.
⚠️ CRITICAL CYBERSECURITY TAXONOMY NOTE FOR AUDITORS: Cloud Exfiltration and Ransomware are two entirely distinct cybersecurity threats that require completely different mitigation strategies.
- Ransomware is a malicious payload that encrypts local or network files to break resource availability in exchange for an extortion payment.
- Cloud Exfiltration is the unauthorized, often silent transfer of sensitive datasets outside of an organization's cloud perimeter, targeting a breach of data confidentiality.
- Step-by-Step Lab Validation:
  - Enable simulation mode (`ironframe-simulation-mode=1` cookie) — verify self-test bar renders per TAS 4.3.
  - Locate the Chaos Engineering Simulation Injector block inside the middle tier of the Left Panel (22% screen width).
  - Click the simulation scenario selector dropdown menu, which reads `SELECT IRONTECH CHAOS DRILL...`.
  - Select the Ransomware Drill Scenario: Scroll down and click `6 — IRONTECH CHAOS L6 · CRYPTOGRAPHIC RANSOMWARE (EXTORTION)`.
  - Click `GENERATE CHAOS THREAT`.
  - Observe the Right Panel audit logs — verify `Irongate` signature interception through `Irontrust` zero-variance math verification without BigInt drift on mitigated cents columns.
<a id="sim-002"></a>
🕹️ Feature 3b: Chaos Engineering Simulation — Ransomware Protocol Addendum
- GRC Function ID: SIM-002
- Exact Screen Coordinates: Triggered via the Chaos Drill Selector Dropdown inside the middle tier of the Left Panel (22% Screen Width).
- Operational Purpose: Simulates a localized cryptographic extortion attack to explicitly validate the multi-agent detection, mitigation, and recovery speed of the 19-agent workforce without introducing technical risk or financial calculation errors to the environment.
- Technical Mechanics: Mimics a high-volume encryption hazard. The system proves operational resilience by forcing a hardware state freeze, isolating the tenant perimeter, and testing the `Irontrust` whole-integer asset verification engine. `tenants.is_under_targeted_siege` and `quarantine_ledger.primary_target_tenant_uuid` columns support forensic targeting per migration `20260516120000_tenant_siege_quarantine_target`.
- Step-by-Step Lab Validation:
  - Access the dropdown titled `SELECT IRONTECH CHAOS DRILL...` in the Left Panel.
  - Select `6 — IRONTECH CHAOS L6 · CRYPTOGRAPHIC RANSOMWARE (EXTORTION)`.
  - Click `GENERATE CHAOS THREAT`.
  - Verify System Feedback Lifecycle:
    - Confirm emerald EKG line sweeps for the full 8-second processing block.
    - Verify Center Panel status `ALL MODULES SECURE · STATE FROZEN`.
    - Review Live Audit Ledger Feed — confirm six tracking steps print without execution failures.
  - Query `SimThreatEvent.mitigated_value_cents` — confirm BIGINT type, never float.
<a id="sync-001"></a>
⚡ Feature 4: Core Architecture Alignment Synchronizer
- GRC Function ID: SYNC-001
- Exact Screen Coordinates: Pinned inside the top horizontal container of the Center Panel (48% Screen Width), reading `ALL MODULES SECURE · ZERO DRIFT ENFORCED`.
- Operational Purpose: Gives compliance inspectors instantaneous visual validation that zero unauthorized file mutations have occurred across the codebase.
- Technical Mechanics: Continuously computed by the `Ironwatch` shadow tracking agent (Agent 13), which validates real-time system file snapshots against a cryptographically secured master repository hash. The `system_health_log` table records service heartbeat rows with `service_key` indexing per migration `20260515220000_ironwatch_system_health`.
- Step-by-Step Lab Validation:
  - Locate the horizontal synchronizer bar resting above your center workspace.
  - Confirm that the status indicator circle is glowing bright teal, giving visual proof that all 19 micro-agents are checking in securely without system drift.
  - Inspect `system_health_log` for recent `service_key` entries after sustainability API heartbeat.
<a id="grc-002"></a>
🕵️ Feature 5: Automated Compliance Workforce Grid Array
- GRC Function ID: GRC-002
- Exact Screen Coordinates: Stretched across the middle tier of your Center Panel (48% Screen Width), sitting directly beneath the horizontal metric rows.
- Operational Purpose: Provides a centralized management dashboard to monitor, audit, and trace the live operational states of your 19 specialized background automation agents.
- Technical Mechanics: Displays check-in times and statuses of specialized micro-workers. Today's delta explicitly documents the platform application boundary in `lib/platformApplicationBoundary.ts`:
  - Ironframe (default port 3000) — security, risk, and technical compliance engine hosting the 19-agent GRC production workforce (Ironcore, Irongate, Irontally, Ironlogic, etc.)
  - IronBoard (default port 8082) — executive boardroom conversation plane with CRM discovery tools; zero cross-contamination with Ironframe port 3000 per `ZERO_CROSS_CONTAMINATION_DIRECTIVE`
- Step-by-Step Lab Validation:
  - Scan the automated workforce table grid rows to verify all agents output green `ACTIVE` status lights.
  - Left-click directly on any specific agent row (such as `Ironlock` or `Ironguard`).
  - Verify that the GRC Meta Specification Drawer slides open from the right side, displaying that agent's core unchangeable technical directives.
  - Run `tests/unit/platformApplicationBoundary.test.ts` — confirm port constants match environment documentation.
<a id="log-001"></a>
📋 Feature 6: Immutable Audit Ledger Feed
- GRC Function ID: LOG-001
- Exact Screen Coordinates: Placed inside the Right Panel (30% Screen Width) column track, extending directly beneath the base of the Sustainability Pulse widget down to the bottom monitor frame. Standalone mode available on `/reports/audit-trail` via `AuditIntelligence layout="standalone"`.
- Operational Purpose: Serves as a transparent, cryptographically signed, and append-only execution log tracking every system call, user access check, and automated policy remediation for external compliance inspectors.
- Technical Mechanics: Implements a strict append-only format within the data tier. `quarantine_ledger` now includes `forensic_justification TEXT` and `primary_target_tenant_uuid UUID` with idempotent migration guards for shadow DB replay order.
- Step-by-Step Lab Validation:
  - Scroll the right-hand logging panel independently through historical entries.
  - Verify every logged event contains an absolute timestamp and a distinct cryptographic validation string (e.g., `[AGENT-14] SANITIZATION PURGE RESOLVED`).
  - Navigate to `/reports/audit-trail` — verify standalone layout scrolls within AppShell main track without tripane overflow clipping.
<a id="carbon-001"></a>
🔋 Feature 7: Sustainability Pulse Widget
- GRC Function ID: CARBON-001
- Exact Screen Coordinates: Positioned inside the upper half section of the Right Panel (30% Screen Width) column track, marked by a green leaf icon.
- Operational Purpose: Tracks real-time emissions intensity and hardware consumption data to fulfill global climate reporting requirements (such as Europe's CSRD or US SEC Climate Disclosures).
- Technical Mechanics: Powered by the `Ironbloom` agent (Agent 17), which mandates physical hardware metrics (kWh electricity, Liters water, Kilometers logistics transport) and completely rejects flat monetary data. Today's delta hardens the physical ingress path in `lib/sustainability/ironbloomDashboardTelemetry.ts`:
  - `parseThreatIngestionTelemetry` — extracts kWh or alternate physical units from `ThreatEvent.ingestionDetails` JSON
  - `buildCarbonTraceFromStream` — computes `carbonGramsCo2e` and routes `mitigatedValueCents` as BigInt through `computeSustainabilityAleForTenantUuid` (kWh path) or `mitigatedValueCentsFromCarbonTrace` (non-kWh path)
  - `recordSustainabilityImpact` — returns `{ reason: "no_physical_telemetry" }` when `ingestionDetails` lacks a sealed physical payload (severity-based 2500/500 kWh fallback removed)
  - `productionCarbonLedger.ts` — priority chain: (1) aggregate production ledger cents, (2) `aggregateTenantKwhAverted` physical aggregate, (3) `findLatestThreatPhysicalTelemetry` stream trace, (4) 0 cents with forensic intensity flag — no reference kWh env fallback
  - `sustainabilityAnalyticsActions.ts` — `physicalKwhLabel` replaces `referenceKwhLabel`; displays `"No sealed physical kWh yet — ingest utility telemetry on resolved threats"` when aggregate is zero
  - `tenantPhysicalTelemetry.ts` — tenant-scoped kWh aggregation for dashboard and analytics plane
  - `kwhAverted` persisted as BigInt on `SustainabilityMetric` upsert — never JavaScript float
- Step-by-Step Lab Validation:
  - Read the active footprint calculation line (e.g., `382 gCO₂eq/kWh`) and confirm the orange `FALLBACK ACTIVE` badge when the Electricity Maps API is offline.
  - Resolve a threat with kWh in `ingestionDetails` — verify `mitigated_value_cents` BIGINT row and dashboard hero updates.
  - Resolve a threat without physical telemetry — verify `no_physical_telemetry` reason and hero remains 0 cents (not synthetic reference kWh).
  - Swap tenant context from Vaultbank (590000000 cent baseline) to Gridcore (470000000 cent baseline) — verify graph cache flush.
  - Run `lib/sustainability/ironbloomDashboardTelemetry.test.ts` — kWh parse and cent output pass.
<a id="export-001"></a>
💰 Feature 8: Whole-Integer Financial Integrity Ledger Matrix
- GRC Function ID: EXPORT-001
- Exact Screen Coordinates: Placed inside the upper section of the Center Panel (48% Screen Width), positioned side-by-side as three distinct horizontal card components directly beneath your primary workspace tabs.
- Operational Purpose: Displays critical financial metrics and houses tabular data extraction tools required to lock in corporate insurance premium discounts.
- Technical Mechanics: Integrates with the `Irontrust` math engine (Agent 3), pulling whole numbers stored as raw cents from the data tier. Migration `20260515180000_ale_mitigated_value_bigint` adds `mitigated_value_cents BIGINT` to `ThreatEvent` (production) and `SimThreatEvent` (shadow), backfilling from `SustainabilityMetric` and legacy JSON without precision loss.
- Step-by-Step Lab Validation:
  - Verify uniform alignment and identical border heights across the three metric containers.
  - Click `Export Tabular Ledger Data (CSV)`.
  - Open the downloaded CSV — confirm all financial numbers display as raw whole integers with zero decimal places (e.g., 500000 cents for five thousand dollars display).
  - Run Irontrust unit tests — confirm Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 cent baselines match snapshots.
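The whole-integer cent discipline the ledger export and the `assertWholeIntegerCents` gate depend on, as an added example that is not Irontrust's own code. The regexes, the `LedgerRow` shape, the display-to-cents parser and the CSV writer are illustrative assumptions; the seed baselines and the "500000 cents for five thousand dollars" rule are the glossary's.

```typescript
// Added example, not Irontrust's own code: whole-integer cents in, whole integers out,
// with JavaScript floats refused at the boundary. Shapes and helpers are assumptions.

// Canonical digit string: optional sign, no leading zeros, no decimals, no exponent.
const WHOLE_INTEGER_CENTS = /^-?(0|[1-9][0-9]*)$/;

// Accepts a BigInt or a canonical digit string; anything else (including a JS number,
// even an integral one) is rejected so float drift can never reach the ledger.
export function assertWholeIntegerCents(value: unknown, label = "cents"): bigint {
  if (typeof value === "bigint") return value;
  if (typeof value === "number") {
    throw new TypeError(`${label}: JavaScript number rejected; pass a BigInt or digit string`);
  }
  if (typeof value === "string") {
    const trimmed = value.trim();
    if (WHOLE_INTEGER_CENTS.test(trimmed)) return BigInt(trimmed);
  }
  throw new TypeError(`${label}: ${JSON.stringify(value)} is not a whole-integer cent value`);
}

// Converts a display amount such as "$5,000.00" to cents using string arithmetic only:
// dollars and the mandatory two cent digits are parsed as text, never via parseFloat.
export function displayDollarsToCents(display: string): bigint {
  const m = /^\s*(-)?\$?\s*([0-9]{1,3}(?:,[0-9]{3})*|[0-9]+)(?:\.([0-9]{2}))?\s*$/.exec(display);
  if (!m) throw new TypeError(`unparseable dollar display: ${JSON.stringify(display)}`);
  const dollars = m[2].replace(/,/g, "");
  const cents = m[3] ?? "00";
  const magnitude = BigInt(dollars) * BigInt(100) + BigInt(cents);
  return m[1] ? -magnitude : magnitude;
}

export interface LedgerRow {
  tenant: string;
  metric: string;
  cents: unknown; // validated on export, so a float sneaking in fails loudly
}

function csvField(s: string): string {
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

// Emits raw whole integers in the cents column: no decimals, no thousands separators.
export function exportLedgerCsv(rows: LedgerRow[]): string {
  const lines = ["tenant,metric,cents"];
  for (const row of rows) {
    const cents = assertWholeIntegerCents(row.cents, `${row.tenant}/${row.metric}`);
    lines.push(`${csvField(row.tenant)},${csvField(row.metric)},${cents.toString()}`);
  }
  return lines.join("\n") + "\n";
}
```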
<a id="board-001"></a>
🏛️ Feature 9: IronBoard Executive Boardroom Plane
- GRC Function ID: BOARD-001
- Exact Screen Coordinates: Accessed via IronBoard dashboard at your provisioned workspace URL (center pane board chat) and `POST /api/query` API ingress on port 8082.
- Operational Purpose: Provides C-suite persona routing (CEO, CFO, CISO, Sales Lead) with mandatory dynamic discovery before synthesis — no invented CRM metrics. Every boardroom turn now requires live Ironframe telemetry hydration before Gemini synthesis begins.
- Technical Mechanics: Conversation plane header `x-ironframe-conversation-plane: ironboard-boardroom` gates boardroom-specific orchestration on IronBoard port 8082. `POST /api/query` execution order (2026-06-26 delta):
  - Core telemetry bridge prefetch — `fetchIronframeSharedContext({ incomingRequest, tenantId })` performs server-to-server `GET {IRONFRAME_CORE_ORIGIN}/api/board/shared-context` with forwarded `ironframe-tenant` cookie or injected tenant UUID/slug headers (`x-ironboard-telemetry-bridge: 1`). Timeout 12000 ms. On failure → HTTP 502 JSON `{ ok: false, error: "CORE_TELEMETRY_DISCONNECTED", detail }` — no LLM stream starts.
  - SSE tool receipt — `coreTelemetryBridge` complete with byte count logged before link scraper phase.
  - Hardened governance layers — `buildHardenedGovernanceLayers(liveSystemTelemetryJson)` prepended to system instruction via `buildBoardroomSystemInstruction`. Layers include unidirectional diode, live metric hydration JSON block, de-classification matrix, Governance Frame triad scaffold, executive persona ratios, mandatory Sources & Citations, `BOARD_DOCUMENTATION_AUTHORSHIP_MANDATE`, and `BOARD_GTM_MARKET_AUTHENTICITY_MANDATE` (synthetic `{Region} Ledger`/`{Region} Vault` scaffolding must never be cited as live market research).
  - Multi-region workspace prefetch — when `shouldPrefetchProspects(query)` matches (including new `GTM_MARKET_SIGNAL` regex for "target market", "go-to-market", "who are our potential customers"), `inferRegionsFromQuery` resolves countries; `verifyAndOptimizeMarketData` runs per region before flywheel context assembly.
  - Founding agent LLM path — CEO/CFO/Compliance/Legal in `founding.ts` call `generateBoardAgentAssessment` from `boardAgentLlm.ts` with `formatBoardStateSummary` including the `financialProjectionsCents` whole-integer cent string and constitutional baseline anchors; `assertWholeIntegerCents` gates every CFO and Compliance turn before synthesis begins.
  - Panel routing — `routeExecutivePanel` attaches a `BoardroomOrchestrationReceipt`:
    - `linkScraperComplete`, `linkScraperOk`, `linkScraperTraceId`
    - `videoTimelineInjected`, `telemetryVerified`
    - `blocksExtractedUnits` (BigInt string)
    - `crmTelemetryInteractionId`
    - `preRoutingValidation: PASSED|SKIPPED|FAILED`
- Agent Boundary: Ironlogic (Agent 9) synthesis; Irontally (Agent 5) governance memo cron phase; Ironwatch (Agent 13) receives shared-context telemetry; board personas are advisory only — Layer 1 diode forbids direct DB writes without human operator execution on port 3000.
- Step-by-Step Lab Validation:
  - Start Ironframe on your provisioned workspace URL and IronBoard on your provisioned workspace URL.
  - Submit boardroom query without Ironframe running — verify HTTP 502 and `CORE_TELEMETRY_DISCONNECTED` in response body.
  - With both engines running, submit CRM intent query ("show deal pipeline") — verify SSE shows `coreTelemetryBridge` complete before synthesis tokens.
  - Set target countries to `Germany, Australia` in flywheel input, ask "Are there companies in Germany that fit our ICP criteria?" — verify `queryLocalWorkspace` prefetch uses `regions: ["Germany"]` or multi-region args per query inference.
  - Poll `GET /api/board/shared-context` — verify JSON includes `documentationBrief` with dual-plane matrix and Trainer/Writer placement targets.
  - Inspect server logs for `[LAYER 2: LIVE METRIC HYDRATION]` block presence in system instruction assembly.
  - Run `Ironboard/src/services/coreTelemetryBridge.test.ts` — all pass including cookie forwarding and fail-closed 401 handling.
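The fail-closed bridge prefetch described under Technical Mechanics, as an added example that is not the IronBoard project's own `coreTelemetryBridge` code. The cookie parser, the `FetchLike` shape and the `x-ironframe-host-tenant-uuid` header used when no cookie can be forwarded are assumptions; the 12000 ms timeout, the forwarded `ironframe-tenant` cookie, the `x-ironboard-telemetry-bridge: 1` marker and the 502 `CORE_TELEMETRY_DISCONNECTED` body follow the glossary.

```typescript
// Added example, not the IronBoard project's own code: a fail-closed telemetry bridge.
// Only the timeout, cookie name, marker header and 502 body come from the glossary.

export const BRIDGE_TIMEOUT_MS = 12000;
export const SHARED_CONTEXT_PATH = "/api/board/shared-context";

export interface BridgeRequest { url: string; headers: Record<string, string> }

export interface BridgeFailure {
  status: 502;
  body: { ok: false; error: "CORE_TELEMETRY_DISCONNECTED"; detail: string };
}
export interface BridgeSuccess { status: 200; telemetry: unknown; bytes: number }

// Minimal cookie-header reader (assumed helper): returns the named cookie's value.
export function readCookie(cookieHeader: string | undefined, name: string): string | undefined {
  if (!cookieHeader) return undefined;
  for (const part of cookieHeader.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    if (part.slice(0, eq).trim() === name) return part.slice(eq + 1).trim();
  }
  return undefined;
}

// Builds the server-to-server GET. The tenant scope comes from the forwarded
// ironframe-tenant cookie, else from an injected tenant header (assumed name);
// with neither the bridge refuses to call shared-context unscoped.
export function buildSharedContextRequest(opts: {
  coreOrigin: string; incomingCookieHeader?: string; tenantId?: string;
}): BridgeRequest {
  const headers: Record<string, string> = {
    "x-ironboard-telemetry-bridge": "1",
    accept: "application/json",
  };
  const tenantCookie = readCookie(opts.incomingCookieHeader, "ironframe-tenant");
  if (tenantCookie) {
    // Forward only the one cookie Ironframe needs, never the whole browser cookie jar.
    headers.cookie = `ironframe-tenant=${tenantCookie}`;
  } else if (opts.tenantId) {
    headers["x-ironframe-host-tenant-uuid"] = opts.tenantId;
  } else {
    throw new Error("no tenant scope: refusing unscoped shared-context call");
  }
  return { url: opts.coreOrigin.replace(/\/+$/, "") + SHARED_CONTEXT_PATH, headers };
}

export function coreTelemetryDisconnected(detail: string): BridgeFailure {
  return { status: 502, body: { ok: false, error: "CORE_TELEMETRY_DISCONNECTED", detail } };
}

// Injectable fetch so the bridge can be exercised offline against a stub.
export type FetchLike = (
  url: string,
  init: { headers: Record<string, string> },
) => Promise<{ ok: boolean; status: number; text(): Promise<string> }>;

// Any failure (non-2xx such as 401, network error, malformed JSON, or the timeout)
// yields the 502 body; the caller must not start an LLM stream on that outcome.
export async function fetchIronframeSharedContext(
  req: BridgeRequest,
  fetchImpl: FetchLike,
  timeoutMs = BRIDGE_TIMEOUT_MS,
): Promise<BridgeSuccess | BridgeFailure> {
  let timer: ReturnType<typeof setTimeout> | undefined;
  const timeout = new Promise<never>((_, reject) => {
    timer = setTimeout(() => reject(new Error(`timeout after ${timeoutMs} ms`)), timeoutMs);
  });
  try {
    const res = await Promise.race([fetchImpl(req.url, { headers: req.headers }), timeout]);
    if (!res.ok) return coreTelemetryDisconnected(`upstream HTTP ${res.status}`);
    const text = await res.text();
    const telemetry: unknown = JSON.parse(text);
    // Byte count for the SSE tool receipt (UTF-8 length of the raw body).
    return { status: 200, telemetry, bytes: new TextEncoder().encode(text).length };
  } catch (err) {
    return coreTelemetryDisconnected(err instanceof Error ? err.message : String(err));
  } finally {
    if (timer !== undefined) clearTimeout(timer);
  }
}
```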
<a id="board-002"></a>
🎬 Feature 10: Irongate Video Intelligence Ingress (Agent 14)
- GRC Function ID: BOARD-002
- Exact Screen Coordinates: No direct UI — API endpoint `POST /api/ingress/video` on IronBoard service (port 8082 default).
- Operational Purpose: Sanitizes external video transcripts and asset links through the Level 2 DMZ air-gap before persisting markdown intelligence documents into `ironboard_crm_interactions` with `metricTag=video_intelligence`.
- Technical Mechanics: Pipeline stages:
  - `processVideoIrongateIngress` — Zod schema validation (`irongateVideoEnvelopeSchema`), injection vector stripping via `stripIrongateInjectionVectors`
  - Quarantine path returns HTTP 422 with `agent: 'Irongate-Agent-14'`
  - `parseVideoIntelligencePayload` — multimodal parse (`transcript_direct`, `asset_link_gemini`, or `asset_link_skeleton`)
  - `persistVideoIntelligenceDocument` — CRM envelope with `sanitizedBy: 'Irongate-Agent-14'`
  - `linkScraper.ts` `STREAMING_MEDIA_URL_PATTERN` now matches YouTube Shorts (`youtube.com/shorts/`) and uses `[A-Za-z0-9_-]{11}` video ID capture
  - `boardResponseLibrary.ts` exports `YOUTUBE_URL_SIGNAL`, `YOUTUBE_VIDEO_DENIAL_REWRITE`, and expanded `BANNED_CAPABILITY_DENIAL_PATTERNS` — when a video-linked query triggers denial stripping and response length < 160 chars, `finalizeSanitizedBoardCompletion(accumulatedText, sanitizeDenials, { query })` appends the canonical rewrite instructing the board to cite VIDEO INTELLIGENCE timeline blocks
  - `boardroomQueryIntent.ts` `shouldPrefetchWeb` returns false when `payloadSignalsVideoIntelligence(query)` — video links skip live web grounding to preserve timeline injection path
- Environment Variables (`.env.example`):
  - `IRONBOARD_BOARD_ORG_TENANT_UUID` — defaults to Medshield seed `5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01`
  - `IRONBOARD_GRC_ANALYST_VIDEO_URL` — canonical YouTube URL for GRC Analyst day-in-the-life briefings
- Agent Boundary: Irongate (Agent 14) exclusive perimeter — bypass forbidden per TAS DMZ mandate.
- Step-by-Step Lab Validation:
  - POST valid payload with `tenant_id` UUID and transcript array — expect HTTP 201 `status: CLEAN` with `blockCount`, `durationMs`, `parserMode`.
  - POST payload with script injection in transcript text — verify stripping and CLEAN or QUARANTINED outcome.
  - POST without `asset_link` or transcript — expect QUARANTINED 422.
  - Run `tests/unit/videoIngress.test.ts`, `tests/unit/videoBoardPrefetch.test.ts`, and `tests/unit/linkScraper.test.ts` — all pass including Shorts URL extraction.
  - Confirm CRM row `metricTag` equals `video_intelligence`.
<a id="board-003"></a>
📚 Feature 11: Strategic Intel Research Ingress
- GRC Function ID: BOARD-003
- Exact Screen Coordinates: IronBoard Strategic Intel dashboard view (populated from `ironboard_crm_interactions` research rows).
- Operational Purpose: Ingests external GRC research artifacts (manifest-driven) into tenant-scoped CRM interactions for board briefings, with mandatory Agent 14 sanitization before persistence.
- Technical Mechanics: Modules added in today's delta:
  - `strategicIntelIngress.ts` — DMZ persistence path
  - `strategicIntelSanitizer.ts` — `stripIrongateInjectionVectors` for research JSON
  - `strategicIntelManifestLoader.ts` — loads `grcProfessionalResearch.manifest.json`
  - `strategicIntelResearchQuery.ts` — query binding for board prefetch
  - `docsMatrixIngress.ts` — documentation matrix rows with `docsMatchedUnits` as BigInt
  - `linkScraper.ts` middleware — URL extraction with `linksMatchedUnits` and `pipelineDurationMsUnits` as BigInt
- Manifest Entry Example: "Enterprise buyers require Irongate DMZ sanitization on all external research ingress. Strategic Intel updates must pass Agent 14 schema validation before CRM persistence."
- Agent Boundary: Irongate (Agent 14) sanitization; Ironintel (Agent 16) OSINT cron phase consumes refreshed intel.
- Step-by-Step Lab Validation:
  - Run `tests/unit/strategicIntelIngress.test.ts` — verify sanitization and tenant binding.
  - Run `tests/unit/docsMatrixIngress.test.ts` — verify BigInt unit counters in pipeline statistics.
  - Trigger link scraper with known Ironframe docs URL — verify `blocksExtractedUnits` increments as BigInt string in orchestration receipt.
  - Confirm `ironboard_crm_rls.sql` script enforces tenant isolation on CRM interaction reads.
<a id="board-004"></a>
📖 Feature 12: GRC Analyst Day-in-the-Life Video Seed
- GRC Function ID: BOARD-004
- Exact Screen Coordinates: Board knowledge context — injected into IronBoard static knowledge vault.
- Operational Purpose: Seeds the canonical "Cybersecurity Reality: A Day in the Life of a GRC Analyst" video briefing for executive education tracks.
- Technical Mechanics: `Ironboard/src/knowledge/grcAnalystDayVideoSeed.ts` exports structured transcript cues compatible with `TranscriptCueInput` from `videoIngress.ts`. Board prefetch (`videoBoardPrefetch.ts`) can hydrate timeline blocks before panel routing.
- Step-by-Step Lab Validation:
  - Set `IRONBOARD_GRC_ANALYST_VIDEO_URL` in environment to a valid YouTube URL.
  - Invoke boardroom query referencing GRC analyst video — verify timeline injection flag `videoTimelineInjected: true` on orchestration receipt.
  - Verify markdown document output contains timecoded speaker blocks.
<a id="integrity-001"></a>
🛡️ Feature 13: Integrity Hub Resilience Fallback
- GRC Function ID: INTEGRITY-001
- Exact Screen Coordinates: `/integrity` route — Integrity Hub center canvas with ALE hero card and chaos ledger panel.
- Operational Purpose: Provides workforce registry verification and chaos ledger forensics even when the expanded registry read path fails.
- Technical Mechanics: `app/(dashboard)/integrity/page.tsx` wraps `readIntegrityVaultSnapshotWithRegistry()` in try/catch — on failure, falls back to `readIntegrityVaultSnapshot()` with `ok: false` and `error: "Workforce registry unavailable"` rather than throwing a blank 500 page.
- Agent Boundary: Irontrust (Agent 3) ALE hero; Ironwatch (Agent 13) registry manifest; Irontech (Agent 04) repair priority when `healthBarPercent` < 50%.
- Step-by-Step Lab Validation:
  - Navigate to `/integrity` as authenticated operator — verify page renders even if registry endpoint degrades.
  - Confirm ALE hero displays cents-derived values for active tenant baseline.
  - Authenticated user visiting `/login` — verify middleware redirect to `/integrity` (Rule B).
  - Unauthenticated user visiting `/integrity` — verify redirect to `/login` (Rule A).
<a id="constitution-001"></a>
📜 Feature 14: Constitutional Rebaseline Operator Script
- GRC Function ID: CONSTITUTION-001
- Exact Screen Coordinates: No UI — DBA/operator script execution against preview or production Postgres.
- Operational Purpose: Clears stuck Ironlock latch fields on `SystemConfig` when `TAS.md` is valid but the UI still shows CONSTITUTIONAL VOID.
- Technical Mechanics: `prisma/scripts/constitutional_rebaseline_reset.sql` — safe to re-run; does not delete `security_posture`. Complements the `app/lib/constitutionalRebaseline.ts` API route at `/api/grc/constitutional-restoration` (now traced in `next.config.ts` with `docs/TAS.md` and `storage/constitutional/TAS.md.gold`).
- Agent Boundary: Ironlock (Agent 6) freeze latch; Ironlogic (Agent 9) constitutional parsing.
- Step-by-Step Lab Validation:
  - Induce constitutional void display in staging environment.
  - Execute rebaseline SQL script against `SystemConfig`.
  - Poll `/api/grc/tas-integrity` — verify `constitutionalRebaselinePending` clears and `ironlockFreezeApplied` reflects true state.
  - Confirm `ironlockFreezeApplied` and `chaosSimulationActive` fields present in integrity payload.
<a id="nav-001"></a>
🧭 Feature 15: Unified Header Route Matrix
- GRC Function ID: NAV-001
- Exact Screen Coordinates: TopNav master header and HeaderTwo sub-navigation strip.
- Operational Purpose: Eliminates divergent route-matching logic between HeaderOne and HeaderTwo — single `buildHeaderRouteMatrix(pathname)` pass per navigation event.
- Technical Mechanics: `app/utils/grcRouteMatch.ts` exports:
  - `HEADER_TENANT_SLUGS`: medshield, vaultbank, gridcore, defense
  - `HeaderRouteMatrix` flags: `isAuditTrailRoute`, `isEvidenceRoute`, `isFrameworksRoute`, `isIntegrityHubRoute`, `isBoardReportRoute`, `isOpSupportRoute`, `isPlaybookRoute`, `playbookEntity`
  - `isAuthPublicPath` — classifies routes that must not mount workspace chrome
  - `isPublicCloudIngressPath` — narrow cloud funnel paths bypass production quarantine
  - `isPrivateWorkspaceIngressPath` — command-center surfaces blocked on cloud until full ingress
  - `isPublicProspectOnboardingPath` — includes `/sales-agent-portal` and `/api/agents/sales`
  - `isScrollableStandalonePath` — drives `DashboardGroupShell` overflow behavior; includes `/docs`, `/settings/config`
- Step-by-Step Lab Validation:
  - Navigate to `/medshield/playbooks` — verify `playbookEntity` equals `MEDSHIELD` and playbook tab highlights.
  - Navigate to `/reports/audit-trail` — verify audit trail route flag true with standalone scroll.
  - Run `tests/unit/grcRouteMatch.test.ts` — all matrix combinations pass.
  - Confirm `/login` returns true for `isAuthPublicPath` — no TopNav tenant switcher on login page.
<a id="auth-004"></a>
🔒 Feature 16: Hardened Login & Password Recovery Surfaces
- GRC Function ID: AUTH-004
- Exact Screen Coordinates: `/login`, `/forgot-password`, `/reset-password` — full-page themed forms outside dashboard chrome.
- Operational Purpose: Provides accessible authentication with project-ref-aware error messages and password visibility toggle, routing successful sign-in to host-aware landing via middleware Rule B.
- Technical Mechanics:
  - Login normalizes email to lowercase before `signInWithPassword`
  - Invalid credentials message includes Supabase project ref from `supabaseProjectRefFromUrl`
  - `ResetPasswordForm.tsx` calls `updateUserPasswordAction` server action
  - `requestResetPassword.ts` uses `resolvePasswordResetRedirectOrigin()` from `publicAppUrl.server.ts` — tenant-subdomain-aware reset links; surfaces explicit 403 guidance when Supabase rejects the redirect URL, with a message citing the exact `redirectTo` for allowlist configuration
  - Middleware Rule A (2026-06-26 delta): unauthenticated internal routes redirect to `/login?next={returnPath}` via `buildLoginRedirectUrl` — preserves intended destination after sign-in; appends `fresh=1` when return path is `/get-started` or a nested get-started route
  - Middleware Rule B (2026-06-26 delta): authenticated users on `/login` or `/forgot-password` redirect to `resolveAuthNextPathForHost(host, nextRaw)` — honors `next` query param and tenant subdomain landing paths instead of hardcoded `/integrity`
  - Middleware finalize (2026-06-26 delta): every middleware response passes through `finalizeMiddlewareResponse` → `applySubdomainTenancy` — stamps host-bound tenant headers and cookies consistently, including early-exit paths (missing Supabase env, token-gated API, public funnel passthrough)
- Agent Boundary: Ironguard (Agent 12) session cookies merged on redirect via `redirectWithSupabaseCookies` in middleware.
- Step-by-Step Lab Validation:
  - Submit wrong password — verify error cites Supabase project ref and suggests forgot-password path.
  - Toggle password visibility icon — verify `Eye`/`EyeOff` state changes input type.
  - Successful login — verify middleware Rule B lands on intended `next` path or host-aware default (not deprecated hardcoded-only `/integrity` when `next` param present).
  - Request password reset — verify email link targets tenant-subdomain-aware origin from `resolvePasswordResetRedirectOrigin`.
  - Unauthenticated visit to `/integrity` — verify redirect to `/login?next=/integrity` preserving return path.
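Middleware Rules A and B as pure, testable functions; this is an added example, not Ironframe's own middleware. The auth-path set, the tenant-subdomain landing convention (`/{slug}/integrity`) and the same-origin guard that decides which `next` values are honoured are assumptions; the `/login?next={returnPath}` shape, the `fresh=1` flag for get-started routes and the `/integrity` default follow the glossary.

```typescript
// Added example, not Ironframe's middleware: Rule A (unauthenticated -> /login?next=...)
// and Rule B (authenticated on an auth page -> host-aware landing) as pure functions.

export const AUTH_PUBLIC_PATHS = new Set(["/login", "/forgot-password", "/reset-password"]);
const TENANT_SLUGS = ["medshield", "vaultbank", "gridcore", "defense"];

export function isAuthPublicPath(pathname: string): boolean {
  return AUTH_PUBLIC_PATHS.has(pathname);
}

// A `next` value is honoured only when it is a same-origin absolute path: no scheme,
// no protocol-relative "//host", no backslash variants, no control characters, and
// never an auth page itself (which would loop Rule A into Rule B forever).
export function isSafeReturnPath(next: string | null | undefined): next is string {
  if (!next || !next.startsWith("/")) return false;
  if (next.startsWith("//") || next.startsWith("/\\")) return false;
  if (/[\u0000-\u001f]/.test(next)) return false;
  const pathOnly = next.split("?")[0].split("#")[0];
  return !isAuthPublicPath(pathOnly);
}

// Keeps "/" readable in the query so the redirect reads /login?next=/integrity.
function encodeNext(path: string): string {
  return encodeURIComponent(path).replace(/%2F/gi, "/");
}

// Rule A: build the login redirect, preserving path + query of the intended page.
export function buildLoginRedirectUrl(returnPath: string, search = ""): string {
  const full = returnPath + search;
  const parts = [`next=${encodeNext(isSafeReturnPath(full) ? full : "/integrity")}`];
  if (returnPath === "/get-started" || returnPath.startsWith("/get-started/")) {
    parts.push("fresh=1");
  }
  return `/login?${parts.join("&")}`;
}

// Rule B: where an already-authenticated user lands when they hit an auth page.
export function resolveAuthNextPathForHost(host: string, nextRaw: string | null): string {
  if (isSafeReturnPath(nextRaw)) return nextRaw;
  // Tenant subdomain lands on that tenant's workspace (assumed path convention);
  // apex and unknown hosts keep the historical /integrity default.
  const slug = host.trim().toLowerCase().split(".")[0];
  return TENANT_SLUGS.includes(slug) ? `/${slug}/integrity` : "/integrity";
}

export interface MiddlewareRequest {
  host: string;
  pathname: string;
  search: string; // "" or "?key=value"
  authenticated: boolean;
}

// Returns the redirect target, or null when the request should pass through.
export function middlewareDecision(req: MiddlewareRequest): string | null {
  if (!req.authenticated && !isAuthPublicPath(req.pathname)) {
    return buildLoginRedirectUrl(req.pathname, req.search);
  }
  if (req.authenticated && (req.pathname === "/login" || req.pathname === "/forgot-password")) {
    const next = new URLSearchParams(req.search).get("next");
    return resolveAuthNextPathForHost(req.host, next);
  }
  return null;
}
```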
<a id="ops-001"></a>
🛠️ Feature 17: Operator Identity Context Provider
- GRC Function ID: OPS-001
- Exact Screen Coordinates: React context consumed by TopNav, permissions hooks, and profile menu — no standalone panel.
- Operational Purpose: Centralizes Supabase operator profile resolution so TopNav does not duplicate auth subscription logic.
- Technical Mechanics: `app/context/OperatorContext.tsx` pairs with the `useOperatorIdentity` hook. `TopNav` removed inline `supabase.auth.getUser` polling — it now reads `isGuest` and loading state from hooks. `OperatorContext` supplies `profile.email` and `profile.displayRole` to `TopNavUserProfileMenu`.
- Step-by-Step Lab Validation:
  - Load dashboard — verify TopNav shows "Resolving operator…" then email address.
  - Sign out via profile menu — verify redirect to `/login` and guest state on return.
  - Confirm no duplicate auth listeners in TopNav (network tab — single session refresh path).
<a id="cron-001"></a>
🌙 Feature 18: 03:00 Documentation Engine (Cron Narrate)
- GRC Function ID: CRON-001
- Exact Screen Coordinates: No UI — scheduled Windows Task Scheduler or headless PowerShell invocation at 03:00 local.
- Operational Purpose: Executes three Cursor CLI agent phases nightly: Writer (this glossary), Ironintel OSINT sweep, and Ironlogic/Irontally governance memo.
- Technical Mechanics: `.cursorrules` compacted to a 43-line auto-completion constraint sheet (legacy 204-line governance protocol retired from repo). Writer/Trainer mandates live in project rules, `boardroomSystemPrompt.ts`, and this glossary. `scripts/cron_narrate.ps1` delta improvements:
  - `Import-ProjectDotEnv` loads `.env.local` and `.env` for `CURSOR_API_KEY`
  - `Resolve-CursorAgentLauncher` prefers direct `node.exe` + `index.js` over the failing `agent.ps1` shim
  - `Invoke-CursorAgentCli` passes the `--trust` flag for headless execution
  - Auth preflight via `agent status` before diff extraction
  - Git delta: `git diff $BaseCommit` → `daily_code_diff.txt` (docs/ excluded)
- Agent Boundary: Writer persona → Ironcore documentation; Intel phase → Ironintel (Agent 16) + Irongate (Agent 14) sanitization; Board phase → Ironlogic (Agent 9) + Irontally (Agent 5) with BigInt ALE evaluation (1110000000, 590000000, 470000000 cent baselines).
- Step-by-Step Lab Validation:
  - Set `CURSOR_API_KEY` in user environment or `.env.local`.
  - Run `scripts/cron_narrate.ps1` manually — verify log file records launcher mode (node vs shim).
  - Confirm `daily_code_diff.txt` regenerated from last 24-hour commit window.
  - Verify Writer phase updates `docs/qa/complete-feature-glossary.md` without placeholder tokens.
  - Confirm exit code non-zero when API key missing — script refuses silent no-op.
<a id="layout-002"></a>
🏗️ Feature 19: Dashboard Command Center Layout Isolation
- GRC Function ID: `LAYOUT-002`
- Exact Screen Coordinates: Wraps every route under `app/(dashboard)/` — invisible structural frame between dashboard layout and page content.
- Operational Purpose: Keeps TopNav, airlock banner, and telemetry polling hooks out of the root layout so public marketing and auth surfaces never mount workspace chrome accidentally.
- Technical Mechanics: `app/(dashboard)/DashboardCommandCenterLayout.tsx` renders a flex column with `AppShell` as the sole child. Root `app/layout.tsx` provides fonts, `IronframeThemeProvider`, and global CSS only. This satisfies TAS UI separation: presentation tokens are global; tenant-scoped navigation is dashboard-group only.
- Agent Boundary: Ironcore (Agent 1) orchestration shell; no financial or ingestion side effects.
- Step-by-Step Lab Validation:
  - Open `/login` in a private window — verify no TopNav tenant switcher or tripane rails appear.
  - Sign in and land on `/integrity` — verify TopNav mounts with subnav toolline.
  - Inspect React component tree — confirm `DashboardCommandCenterLayout` wraps dashboard routes only.
<a id="auth-005"></a>
🍪 Feature 20: Dashboard Tenant Session Cookie Hydration
- GRC Function ID: `AUTH-005`
- Exact Screen Coordinates: Invisible server-side cookie write — no UI chip.
- Operational Purpose: When RBAC resolves a workspace UUID but the browser lacks a scoped `ironframe-tenant` cookie, the server persists the assignment before dashboard chrome paints — preventing orphan sessions from guessing tenant scope.
- Technical Mechanics: `app/lib/auth/dashboardTenantSession.ts`:
  - `IRONFRAME_TENANT_COOKIE` = `ironframe-tenant`
  - `tenantCookieValueForUuid` — resolves canonical slug via `tenantKeyFromUuid` or Prisma `tenant.slug` lookup
  - `applyDashboardTenantSessionCookie` — sets secure cookie in production (`sameSite: lax`, 180-day max-age)
  - `ensureDashboardTenantSession` in `dashboardRoleAccess.ts` — calls apply only when `tenantFallbackApplied: true`
  - `resolveDashboardActiveTenantUuid` — React `cache()` wrapper; cookie scope first, then RBAC assignment, Medshield UUID fallback
- Agent Boundary: Ironguard (Agent 12) tenant isolation; never accepts guessed tenant IDs from client payloads.
- Step-by-Step Lab Validation:
  - Clear `ironframe-tenant` cookie after successful login.
  - Navigate to `/integrity` — verify cookie re-written with slug or UUID matching RBAC assignment.
  - Confirm `access-status` API returns tenant scope aligned with cookie value.
<a id="auth-006"></a>
⏳ Feature 21: Access Pending & Dashboard Error Boundary
- GRC Function ID: `AUTH-006`
- Exact Screen Coordinates: Full-page center canvas on `/unauthorized` and on dashboard route errors matching digest `1041080224`.
- Operational Purpose: Replaces blank Next.js error pages with actionable access-pending guidance when RBAC gaps cause server errors during dashboard mount.
- Operational Mechanics: `app/(dashboard)/error.tsx` inspects `error.digest` and message text — when digest equals `1041080224` or message matches role-assignment patterns, renders `AccessPending` instead of generic failure UI. Non-RBAC errors show Retry, Command Post link to `/`, access-status, and sign-in links.
- Agent Boundary: Ironguard (Agent 12) access enforcement UX.
- Step-by-Step Lab Validation:
  - Sign in with user lacking `user_role_assignments` — verify `/unauthorized` shows AccessPending copy.
  - Simulate digest `1041080224` class error on dashboard route — verify same AccessPending surface.
  - Trigger unrelated server error — verify generic dashboard unavailable panel with Retry button.
<a id="board-005"></a>
📜 Feature 22: Board Conversational Boundary & Canonical Response Registry
- GRC Function ID: `BOARD-005`
- Exact Screen Coordinates: IronBoard orchestration plane — no direct UI; governs `POST /api/boardroom/query` synthesis behavior.
- Operational Purpose: Prevents LLM hallucination on CRM capability, video intelligence, and sales-lead discovery questions by routing matched queries to deterministic canonical text backed by tool receipts.
- Technical Mechanics: `Ironboard/src/orchestrator/routing.ts` exports:
  - `BOARD_CONVERSATIONAL_BOUNDARY` / `IRONBOARD_DOMAIN_BOUNDARY` — zero cross-contamination with Ironframe port 3000
  - `BOARD_CRM_TOOL_MANDATE` — requires `manageCrmPipeline` tool execution before CRM claims
  - `BOARD_VIDEO_INTELLIGENCE_MANDATE` — forbids "cannot watch video" responses when `[LINK SCRAPER]` timeline tag present
  - `BOARD_EXECUTION_LAYER_PERSONA` — bans first-person AI disclaimer language
  - `CANONICAL_SALES_LEADS_RESPONSE` — registered answer for passive lead-generation queries via `isSalesLeadDiscoveryQuery`
  - `buildCanonicalGrcVideoBriefingResponse` — timecoded transcript from `grcAnalystDayVideoSeed.ts`
  - `resolveCanonicalBoardResponse` — deterministic bypass before LLM synthesis
  - `boardroomQueryIntent.ts` (2026-06-18): `inferRegionsFromQuery` returns country array from `matchCountriesInQuery`, query London/Singapore tokens, or `parseActiveTargetCountries(activeHub)`; `shouldPrefetchProspects` matches Germany/Australia/Canada ICP questions; `shouldPrefetchWeb` skips when `payloadSignalsVideoIntelligence(query)`
- Agent Boundary: Ironlogic (Agent 9) synthesis guardrails; Ironquery (Agent 15) discovery receipts required for non-canonical paths.
- Step-by-Step Lab Validation:
  - Run `tests/unit/boardroomOrchestrator.test.ts` — verify sales-lead canonical match and video briefing builder.
  - Submit boardroom query "Do you actively look for sales leads?" — verify canonical CRM engine response, not external crawl claim.
  - Submit GRC analyst video reference — verify timecoded findings without AI limitation disclaimer.
<a id="board-006"></a>
✍️ Feature 23: Ironscribe Markdown Outline Parser (Agent 05)
- GRC Function ID: `BOARD-006`
- Exact Screen Coordinates: Backend-only — feeds docs matrix ingress and board knowledge vault parsing.
- Operational Purpose: Strips YAML metadata headers and structures markdown outlines into board-safe knowledge blocks with immutable parse attribution.
- Technical Mechanics: `Ironboard/src/services/ironscribe/markdownOutlineParser.ts`:
  - Parses markdown headings into outline nodes
  - Stamps `parsedBy: 'Ironscribe-Agent-05'` on output envelope
  - Consumed by `docsMatrixIngress.ts` alongside Irongate sanitization
- Agent Boundary: Ironscribe (Agent 05) export hash and audit citation lineage.
- Step-by-Step Lab Validation:
  - Run `tests/unit/docsMatrixIngress.test.ts` — verify outline blocks ingest with Ironscribe attribution.
  - Ingest markdown document with YAML front matter — verify header stripped from persisted CRM envelope.
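The outline parser described above, written here as an added example rather than the project's own `markdownOutlineParser.ts`: it strips a YAML front matter block, nests headings into outline nodes, ignores heading-like lines inside code fences, and stamps the `parsedBy` attribution. Everything about the envelope beyond `parsedBy`, and the sample document, are assumptions for illustration.

```typescript
// Added example, not the project's markdownOutlineParser.ts. Envelope fields
// other than parsedBy, the front-matter rule and the sample text are assumptions.

export type OutlineNode = {
  level: number;
  title: string;
  body: string[];
  children: OutlineNode[];
};

export type OutlineEnvelope = {
  parsedBy: "Ironscribe-Agent-05";
  frontMatterStripped: boolean;
  nodes: OutlineNode[];
};

// Front matter is a leading "---" line up to the next "---" line. An unterminated
// block is left in place rather than swallowing the whole document.
export function stripYamlFrontMatter(markdown: string): { body: string; stripped: boolean } {
  const lines = markdown.split(/\r?\n/);
  if (lines.length === 0 || lines[0]!.trim() !== "---") return { body: markdown, stripped: false };
  const end = lines.findIndex((line, i) => i > 0 && line.trim() === "---");
  if (end === -1) return { body: markdown, stripped: false };
  return { body: lines.slice(end + 1).join("\n"), stripped: true };
}

const HEADING = /^(#{1,6})\s+(.+?)\s*#*\s*$/;
const FENCE = /^\s{0,3}(`{3,}|~{3,})/;

export function parseMarkdownOutline(markdown: string): OutlineEnvelope {
  const { body, stripped } = stripYamlFrontMatter(markdown);
  const root: OutlineNode = { level: 0, title: "", body: [], children: [] };
  const stack: OutlineNode[] = [root];
  const top = (): OutlineNode => stack[stack.length - 1]!;
  let inFence = false;

  for (const line of body.split(/\r?\n/)) {
    if (FENCE.test(line)) {
      // A "# ..." line inside a code fence is code, not a heading; it must not
      // become an outline node the board could cite as document structure.
      inFence = !inFence;
      top().body.push(line);
      continue;
    }
    const m = inFence ? null : HEADING.exec(line);
    if (!m) {
      if (line.trim() !== "") top().body.push(line);
      continue;
    }
    const node: OutlineNode = { level: m[1]!.length, title: m[2]!, body: [], children: [] };
    // Pop back to the nearest ancestor with a smaller level, then attach there.
    while (top().level >= node.level) stack.pop();
    top().children.push(node);
    stack.push(node);
  }
  return { parsedBy: "Ironscribe-Agent-05", frontMatterStripped: stripped, nodes: root.children };
}

// Every body line across the tree, used to check that YAML metadata did not leak
// into the persisted envelope.
export function collectBodyLines(nodes: OutlineNode[]): string[] {
  const out: string[] = [];
  for (const n of nodes) {
    out.push(...n.body, ...collectBodyLines(n.children));
  }
  return out;
}

// Constructed sample: front matter plus a fenced block holding a fake heading.
export const SAMPLE_MARKDOWN = [
  "---",
  "title: Vendor Access Policy",
  "classification: internal",
  "---",
  "# Vendor Access Policy",
  "Applies to every third-party account.",
  "## Scope",
  "Production and staging tenants.",
  "## Controls",
  "~~~",
  "# not a heading, just a shell comment inside a fence",
  "~~~",
  "# Appendix",
  "Revision history.",
].join("\n");

console.log(JSON.stringify(parseMarkdownOutline(SAMPLE_MARKDOWN), null, 2));
```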
<a id="board-007"></a>
🤝 Feature 24: CRM Deal ownerAgentId Attribution
- GRC Function ID: `BOARD-007`
- Exact Screen Coordinates: IronBoard CRM pipeline — `DealRecord` rows in board tooling (no Ironframe dashboard chip).
- Operational Purpose: Binds each deal stage vector to the responsible boardroom agent ID for workforce accountability in commercial orchestration.
- Technical Mechanics: `Ironboard/src/services/crm/crmService.ts` delta adds optional `ownerAgentId` on deal create/update paths — trimmed string persisted on `DealRecord`. Enables board reports to cite which agent owns pipeline progression without cross-tenant agent memory bleed.
- Agent Boundary: IronBoard commercial plane only — Ironframe 19-agent GRC workforce remains on port 3000.
- Step-by-Step Lab Validation:
  - Create deal via `manageCrmPipeline` with `ownerAgentId` set — verify persistence round-trip.
  - Confirm tenant isolation — deal query scoped to board org tenant UUID from `crmTenantContext.ts`.
<a id="intel-001"></a>
🛰️ Feature 25: June 26 Live Strategic Intel OSINT Manifest
- GRC Function ID: `INTEL-001`
- Exact Screen Coordinates: IronBoard Strategic Intel dashboard — rows in `ironboard_crm_interactions` with manifest `ironintel-osint-2026-06-26-live`.
- Operational Purpose: Delivers fresh external OSINT for June 26, 2026 through Irongate-sanitized CRM persistence for board briefings. Operational date 2026-06-27 elevates post-deadline BOD 26-04 triage as the dominant operational mode — eight or more KEV remediation windows have elapsed. Federal contractor 24-hour KEV triage SLA guidance effective June 24, 2026 (three calendar days into enforcement on operational date 2026-06-27). Primary active threat vectors ingested in today's delta refresh:
- BerriAI LiteLLM CVE-2026-42271 (CVSS 8.8): MCP test endpoints command injection — CISA KEV June 8 with BOD 26-04 remediation deadline June 22, 2026 — five calendar days elapsed on operational date 2026-06-27. CSA and Horizon3.ai confirm chain with Starlette BadHost CVE-2026-48710 for unauthenticated RCE on AI gateway stacks. Patch to LiteLLM 1.83.7+ and Starlette 1.0.1+; rotate all provider API keys.
- Splunk CVE-2026-20253 (CVSS 9.8): Enterprise PostgreSQL sidecar missing authentication — CISA KEV June 18 with BOD 26-04 deadline June 21, 2026 — day seven post-deadline forensic triage on 2026-06-27. Splunk PSIRT confirms limited in-the-wild exploitation. Finance, Technology, and Public Sector SOC stacks must treat as active breach until triage complete.
- FortiBleed credential harvesting (June 13–26, 2026): 73932 to 86644 verified Fortinet firewall URLs across 194 countries per CISA June 18 advisory and CSA June 20 research note. Fortinet FG-IR-26-060 published June 22 characterizes activity as credential reuse plus brute force with no patchable flaw. Huntress cross-reference confirms 84 customer-impacted IPs — treat exposure as investigate-not-ignore. Immediate VPN and admin password rotation required.
- CVE-2026-48907 (CVSS 9.8): Joomla JCE improper access — CISA KEV June 16 with remediation deadline June 18, 2026 — nine calendar days elapsed on 2026-06-27.
- CVE-2026-54420: LiteSpeed cPanel symlink root escalation — CISA KEV June 15 with deadline June 19, 2026 — eight calendar days elapsed on 2026-06-27.
- CVE-2026-35273 (CVSS 9.8): Oracle PeopleSoft Environment Management Hub missing authentication — KEV June 12 deadline elapsed; ShinyHunters UNC6240 notified 100 plus orgs (68 percent higher-education); Council of Europe investigating breach claims June 16.
- CVE-2026-50751 (CVSS 9.3): Check Point Remote Access VPN IKEv1 authentication bypass — Qilin affiliates exploiting since May 7, 2026; HEAL Security confirms healthcare ransomware campaign linkage; KEV June 8 deadline elapsed.
- CVE-2026-10520 (CVSS 10.0): Ivanti Sentry OS command injection — CISA KEV June 11; first BOD 26-04 three-day mandate window closed June 14, 2026.
- Healthcare supply chain (June 2026): TriZetto Provider Solutions (3400000 individuals), QualDerm Partners (3100000), ApolloMD Business Services Qilin ransomware (626000).
- CISA BOD 26-04 (June 10, 2026): four-variable risk matrix (asset exposure, KEV status, exploit automation, technical impact) operational; federal contractor 24-hour KEV triage SLA effective June 24, 2026; agency policy update deadline August 7, 2026; full operational compliance December 7, 2026.
- FedRAMP Notice 0014 (June 2026): Vulnerability Detection and Response (VDR) and Vulnerability Evaluation and Reporting (VER) rules mandatory for FedRAMP-certified CSPs effective December 7, 2026 — aligned with BOD 26-04 KEV remediation timelines.
- CMMC Phase 2: mandatory Level 2 C3PAO certification 136 days away (November 10, 2026); assessments locked to NIST SP 800-171 Revision 2 per DoD class deviation 2024-O0013; NDIA June 24 guidance warns six-to-eighteen-month preparation windows mean Phase 2 contractors may already be behind.
- Technical Mechanics: `Ironboard/src/knowledge/grcProfessionalResearch.manifest.json`:
  - `manifestId`: `ironintel-osint-2026-06-26-live`
  - `generatedAt`: `2026-06-26T12:00:00.000Z`
  - RAG chunks in delta: `osint-01-bod-2604`, `osint-02-fortibleed`, `osint-03-joomla-litespeed`, `osint-04-splunk-rce`, `osint-05-peoplesoft-shinyhunters`, `osint-06-cmmc-rev2-phase2`, `osint-07-healthcare-supply-chain`, `osint-08-checkpoint-qilin`, `osint-09-ivanti-sentry`, `osint-10-litellm-post-deadline`, `osint-11-fedramp-vdr`, plus `saas-01-dmz-ingress`
  - Ingestion script: `npx tsx scripts/ingest-strategic-intel-manifest.ts`
  - `priorityAgents` schema includes Ironwatch alongside Ironintel and Ironscribe
  - All industry `peerAleBaselineCents` and `riskMetricsCents` values are string-encoded BigInt integers — never floats
- Industry Profile Peer ALE Baselines (BigInt cents only):
  - Finance: 1800000000 cents — `regulatoryPressureIndex` 96, `saasDisruptionExposureIndex` 83, `continuousAuditPriority` CRITICAL
  - Healthcare: 1210000000 cents — `regulatoryPressureIndex` 98, `saasDisruptionExposureIndex` 75, `continuousAuditPriority` CRITICAL
  - Technology: 950000000 cents — `regulatoryPressureIndex` 88, `saasDisruptionExposureIndex` 99, `continuousAuditPriority` CRITICAL
  - Defense: 2500000000 cents — `regulatoryPressureIndex` 99, `saasDisruptionExposureIndex` 64, `continuousAuditPriority` CRITICAL
  - Public Sector: 1500000000 cents — `regulatoryPressureIndex` 95, `saasDisruptionExposureIndex` 70, `continuousAuditPriority` CRITICAL
- Manifest Risk Metrics (BigInt cents only — workday analysis document):
  - `medianAnnualGrcProgramCents`: 4200000000
  - `medianAuditRemediationLagCents`: 890000000
  - `saasConsolidationSavingsOpportunityCents`: 680000000
  - `boardReportingOverheadCents`: 125000000
- SaaS disruption memorandum risk metrics (BigInt cents only):
  - `medianAnnualGrcProgramCents`: 3850000000
  - `medianAuditRemediationLagCents`: 935000000
  - `saasConsolidationSavingsOpportunityCents`: 1120000000
  - `boardReportingOverheadCents`: 98000000
- Constitutional tenant ALE baselines (Ironframe seed tenants — unchanged): Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000 cents.
- Agent Boundary: Ironintel (Agent 16) OSINT correlation; Ironwatch (Agent 13) FortiBleed perimeter credential telemetry, Splunk day-four forensic hunt, and KEV deadline tracking; Irongate (Agent 14) DMZ sanitization via `validateStrategicIntelManifest` before `ingestGrcProfessionalResearchCorpus`.
- Step-by-Step Lab Validation:
  - Run ingest script — verify manifest schema validation passes BIGINT-cent gate for `ironintel-osint-2026-06-26-live`.
  - Re-run ingest — verify `skippedDuplicate` when manifest already persisted.
  - Query Strategic Intel dashboard — confirm LiteLLM post-deadline, Splunk day-four triage, FortiBleed, Joomla, LiteSpeed, Check Point, Ivanti Sentry, PeopleSoft, BOD 26-04 contractor SLA, FedRAMP VDR, and CMMC Phase 2 countdown visible under tenant scope.
  - Run `tests/unit/strategicIntelIngress.test.ts` — all pass.
  - Verify boardroom flywheel context cites `Market authenticity audit:` line with `authentic=`/`synthetic=`/`polluted=` counts — never template Ledger/Vault names as real companies.
<a id="ops-002"></a>
🔧 Feature 26: Operator CLI Provisioning Scripts
- GRC Function ID: `OPS-002`
- Exact Screen Coordinates: Terminal-only — no UI.
- Operational Purpose: Gives platform administrators safe, auditable CLI paths for password operations and strategic intel ingestion without bypassing Supabase Auth or Irongate DMZ.
- Technical Mechanics:
  - `scripts/admin-set-password.mjs` — Supabase Admin API password set; requires `SUPABASE_SERVICE_ROLE_KEY` in `.env.local`; minimum 8 characters
  - `scripts/send-password-reset.mjs` — triggers reset email via public auth API with `NEXT_PUBLIC_APP_URL` redirect
  - `scripts/ingest-strategic-intel-manifest.ts` — Irongate pre-flight + CRM persistence for OSINT manifest
- Agent Boundary: Ironguard (Agent 12) identity; Irongate (Agent 14) on intel ingress only.
- Step-by-Step Lab Validation:
  - Run admin-set-password with test user — verify login succeeds with new password.
  - Run send-password-reset — verify email link targets your provisioned workspace URL.
  - Never commit the `.env.local` service role key to the repository.
<a id="cron-002"></a>
⏰ Feature 27: Windows Task Scheduler Cron Wrapper
- GRC Function ID: `CRON-002`
- Exact Screen Coordinates: No UI — `scripts/cron_narrate_scheduled.ps1` invoked by Task Scheduler at 03:00.
- Operational Purpose: Normalizes PATH, working directory, and Cursor agent root before delegating to `cron_narrate.ps1` for unattended nightly documentation and OSINT phases.
- Technical Mechanics: Sets `$ProjectRoot = C:\Users\Dereck\ironframe-live`, prepends `%LOCALAPPDATA%\cursor-agent` to PATH, invokes `cron_narrate.ps1` with `-NoProfile -ExecutionPolicy Bypass`, propagates exit code.
- Step-by-Step Lab Validation:
  - Register scheduled task pointing at `cron_narrate_scheduled.ps1`.
  - Run wrapper manually — verify same log output as direct `cron_narrate.ps1` invocation.
  - Confirm task exit code non-zero when `CURSOR_API_KEY` missing.
<a id="supabase-001"></a>
🔗 Feature 28: Shared Supabase Public Env Normalization
- GRC Function ID: `SUPABASE-001`
- Exact Screen Coordinates: Invisible — shared by browser client, middleware, and login error surfaces.
- Operational Purpose: Eliminates duplicated env parsing logic that caused mismatched Supabase project refs between client and middleware session refresh paths.
- Technical Mechanics: `lib/supabase/envPublic.ts` exports:
  - `envPublicSupabaseUrl()` — trims quotes and trailing slashes from `NEXT_PUBLIC_SUPABASE_URL`
  - `envSupabaseAnonKey()` — normalizes anon key quoting
  - `supabaseProjectRefFromUrl()` — extracts project ref for login error diagnostics
  - Consumed by `lib/supabase/client.ts`, `lib/supabase/middleware.ts`, and `app/login/page.tsx`
- Agent Boundary: Ironguard (Agent 12) session infrastructure.
- Step-by-Step Lab Validation:
  - Set quoted URL in `.env.local` — verify client and middleware both connect.
  - Submit invalid login — verify error message includes correct project ref substring.
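The normalization steps above, as an added example that is not the project's `lib/supabase/envPublic.ts`: quote and trailing-slash trimming, project-ref extraction, and a check that two consumers resolved the same project. The functions take an env record instead of reading `process.env` so they can be exercised offline; that parameter and the anon key variable name `NEXT_PUBLIC_SUPABASE_ANON_KEY` (the glossary does not name it) are assumptions.

```typescript
// Added example, not the project's envPublic.ts. The env record parameter and
// the NEXT_PUBLIC_SUPABASE_ANON_KEY variable name are assumptions.

export type PublicEnv = Record<string, string | undefined>;

// A value pasted into .env.local often keeps its surrounding quotes; strip one
// matching pair and any whitespace around it.
export function unquote(raw: string | undefined): string {
  const v = (raw ?? "").trim();
  const quoted =
    v.length >= 2 && (v[0] === '"' || v[0] === "'") && v[v.length - 1] === v[0];
  return quoted ? v.slice(1, -1).trim() : v;
}

// Returns the Supabase origin ("https://host") or null when unusable. Trailing
// slashes are removed first so "https://x.supabase.co/" and "...co" agree.
export function envPublicSupabaseUrl(env: PublicEnv): string | null {
  const v = unquote(env.NEXT_PUBLIC_SUPABASE_URL).replace(/\/+$/, "");
  if (v === "") return null;
  try {
    const u = new URL(v);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return `${u.protocol}//${u.host}`;
  } catch {
    return null;
  }
}

export function envSupabaseAnonKey(env: PublicEnv): string | null {
  const v = unquote(env.NEXT_PUBLIC_SUPABASE_ANON_KEY);
  return v === "" ? null : v;
}

// For hosted projects the ref is the first host label of <ref>.supabase.co.
// Self-hosted URLs have no ref and yield null, so callers must handle null.
export function supabaseProjectRefFromUrl(url: string | null): string | null {
  if (url === null) return null;
  const m = /^https?:\/\/([a-z0-9]+)\.supabase\.co$/i.exec(url);
  return m ? m[1]!.toLowerCase() : null;
}

// The failure this module guards against: two consumers parsing the URL
// differently and ending up on different projects. Compare refs, not raw text.
export function projectRefMismatch(
  clientEnv: PublicEnv,
  middlewareEnv: PublicEnv,
): { mismatch: boolean; clientRef: string | null; middlewareRef: string | null } {
  const clientRef = supabaseProjectRefFromUrl(envPublicSupabaseUrl(clientEnv));
  const middlewareRef = supabaseProjectRefFromUrl(envPublicSupabaseUrl(middlewareEnv));
  return { mismatch: clientRef !== middlewareRef, clientRef, middlewareRef };
}
```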
<a id="integrity-002"></a>
🛡️ Feature 29: Constitutional Integrity Sentinel Degraded Payload
- GRC Function ID: `INTEGRITY-002`
- Exact Screen Coordinates: Polled by TopNav airlock banner and Integrity Hub — API route `/api/grc/tas-integrity`.
- Operational Purpose: Returns partial telemetry when ancillary subsystems fail instead of HTTP 500 — preserving Ironwatch and Ironlock polling during Prisma slice outages.
- Technical Mechanics: Refactored `app/api/grc/tas-integrity/route.ts`:
  - `buildIntegrityPayload` consolidates fingerprint, dead-man switch, governance maturity, sustainability stale lockdown fields
  - `readSystemConfigStaleLockdownSliceSafe` replaces direct Prisma read for degraded-path safety
  - `assessTasMdIntegritySync` participates in TAS read validation
  - On ancillary failure, response includes `ancillaryWarning` string while core `sha256Short`, `ironlockFreezeApplied`, and `chaosSimulationActive` still return
  - `next.config.ts` adds `outputFileTracingIncludes` for `docs/TAS.md` and `storage/constitutional/TAS.md.gold` on constitutional API routes
- Agent Boundary: Ironlock (Agent 6) freeze state; Ironwatch (Agent 13) maturity score; Ironlogic (Agent 9) TAS fingerprint.
- Step-by-Step Lab Validation:
  - Poll `GET /api/grc/tas-integrity` — verify JSON includes `systemMaturityScore`, `chaosSimulationActive`, `sha256Short`.
  - Simulate SystemConfig read failure in staging — verify HTTP 200 with `ancillaryWarning` rather than 500.
  - Confirm Vercel deployment traces TAS.md for fingerprint routes.
<a id="monetization-001"></a>
💳 Feature 30: Phase 1 Monetization Mandate (Sales-Assisted + Stripe)
- GRC Function ID: `MONETIZATION-001`
- Exact Screen Coordinates: IronBoard static context bundle; `/pricing` public page; `/admin/onboarding` platform console; Stripe webhooks at `/api/webhooks/stripe` (instant checkout) and `/api/billing/webhook` (`payment_intent.succeeded` billing activation).
- Operational Purpose: Establishes Phase 1 revenue architecture: sales-assisted invite only for first design-partner revenue, with Stripe instant-checkout as the async self-serve provisioning tunnel. Public self-serve multi-subdomain provisioning is hardcoded OFF in `config/registration.ts` — not env-driven.
- Technical Mechanics: `Ironboard/src/staticContext.ts` exports `PHASE1_MONETIZATION_BOARD_MANDATE` federated at board startup alongside TAS.md, technical-requirements.md, hub.md, and `docs/stakeholder-deck/ironframe-monetization-market-blueprint-2026-q2.md`. IronBoard `buildDocsFederationMatrix` loads the monetization blueprint as BOARD PRIORITY context. Revenue wire path:
  - `provisionCorporateTenantCore` — creates tenant with `ale_baseline` BIGINT cents, calls `ensureTenantBillingPending`
  - `inviteCorporateTenantUserCore` — Supabase Admin `inviteUserByEmail` with tenant-scoped metadata
  - Stripe Checkout metadata requires `slug`, `companyName`, plus customer email from Stripe session
  - `fulfillStripeInstantCheckout` in `stripeInstantProvisionCore.ts` — provisions tenant, upserts `TenantBilling.status` ACTIVE, invites GRC_MANAGER, records prospect in `prospects` ledger with `reported_ale` BIGINT
  - `config/stripe.ts` — `resolveStripeCredentialMode()` reads `STRIPE_CREDENTIAL_MODE` (`test`|`live`) or infers from `sk_live_` prefix; `resolveStripeBillingWebhookSecret()` and `resolveStripeInstantCheckoutWebhookSecret()` support split webhook secrets
- Agent Boundary: Ironlogic (Agent 9) board monetization mandate; Ironguard (Agent 12) invite identity; Ironwatch (Agent 13) audit receipts on provision and invite actions.
- Step-by-Step Lab Validation:
  - Read `PHASE1_MONETIZATION_BOARD_MANDATE` in IronBoard startup logs — verify monetization blueprint loaded count is 4 federation files.
  - Navigate to `/pricing` on local host — verify static Stripe Payment Link outbound URL from `NEXT_PUBLIC_STRIPE_COMMAND_TIER_CHECKOUT_URL`.
  - Forward Stripe webhooks locally: `stripe listen --forward-to` your provisioned workspace URL for `checkout.session.completed`; separate listener or `--events payment_intent.succeeded` to `/api/billing/webhook`.
  - Complete test checkout — verify `tenant_billing.status` becomes ACTIVE and invite email issued.
  - Run `tests/unit/phase1Commercial.test.ts` and `tests/unit/stripeCheckoutParse.test.ts` — all pass.
<a id="billing-001"></a>
🚫 Feature 31: Dashboard Billing Suspension Gate
- GRC Function ID: `BILLING-001`
- Exact Screen Coordinates: Full-page overlay inside dashboard route group when billing status is PENDING or PAST_DUE — renders `BillingSuspensionNotice` instead of tripane workspace.
- Operational Purpose: Blocks command-center telemetry access for tenants with unpaid or lapsed Stripe subscriptions while preserving platform-admin and billing-hold remediation paths.
- Technical Mechanics: `app/(dashboard)/layout.tsx` resolves `resolveTenantBillingEntitlementByUuid(access.tenantUuid)` and wraps children in `DashboardBillingGate`. Gate is active when `billing.blocked === true` and operator is not `canUsePlatformAdminTools()`. Exempt paths: `/admin/onboarding`, `/account/billing-hold`. Prisma model `TenantBilling` maps `tenant_slug`, `stripe_customer_id`, `status` (PENDING, ACTIVE, PAST_DUE). `isBillingGateActiveStatus` returns true for PENDING and PAST_DUE only.
- Agent Boundary: Irontrust (Agent 3) financial entitlement enforcement — no float billing amounts; Stripe `amountTotalCents` stored as BigInt at provision.
- Step-by-Step Lab Validation:
  - Set tenant billing status to PENDING via `setTenantBillingStatus` admin action.
  - Sign in as GRC_MANAGER for that tenant — verify suspension notice renders instead of Integrity Hub.
  - Sign in as GLOBAL_ADMIN — verify dashboard content renders (platform admin bypass).
  - Navigate to `/admin/onboarding` while billing blocked — verify exempt path renders onboarding console.
<a id="subdomain-001"></a>
🌐 Feature 32: Multi-Tenant Subdomain Routing Envelope
- GRC Function ID: `SUBDOMAIN-001`
- Exact Screen Coordinates: Invisible middleware envelope — manifests as host-scoped workspace URLs like your provisioned workspace URL or your provisioned workspace URL.
- Operational Purpose: Binds HTTP host to tenant workspace scope so operators land on tenant-branded subdomains after corporate invite or Stripe checkout without manually selecting tenant from switcher.
- Technical Mechanics: `app/lib/tenantSubdomain.ts` and `app/lib/middlewareSubdomainTenancy.ts`:
  - `IRONFRAME_SUBDOMAIN_TENANCY` enabled by default — set `0` to disable
  - `IRONFRAME_TENANT_APEX_DOMAIN` defaults from `NEXT_PUBLIC_APP_URL` hostname (ironframegrc.com)
  - `NEXT_PUBLIC_DEVELOPMENT_DOMAIN` defaults to `lvh.me:3000` for local wildcard tenant hosts
  - Reserved labels blocked: `www`, `api`, `app`, `admin`, `staging`, `preview`, `docs`, `login`
  - `resolvePostAuthLandingPath(host)` — authenticated `/login` redirect targets tenant Command Post on subdomain hosts, `/integrity` on apex
  - Auth callback `route.ts` resolves tenant slug from invite metadata, sets `ironframe-tenant` cookie, redirects to tenant subdomain origin
  - Internal slug resolution for dynamic tenants: `GET /api/internal/tenant-slug-resolve` gated by `IRONFRAME_CRON_SECRET` or `IRONFRAME_INTERNAL_GATES_SECRET`
  - Middleware slug-resolve recursion guard (2026-06-27 delta): `applySubdomainTenancy` sets request header `x-ironframe-middleware-tenant-resolve: 1` when resolving dynamic host slugs — breaks middleware → slug-resolve → middleware infinite recursion on tenant subdomains
  - `IRONFRAME_STAGING_APEX_DOMAIN`: staging Vercel apex pattern for tenant slug extraction on preview hosts
- Agent Boundary: Ironguard (Agent 12) host-bound tenant isolation; cross-tenant path prefix conflicts redirect to host slug canonical path.
- Step-by-Step Lab Validation:
  - Provision tenant `acmecorp` via admin onboarding — open your provisioned workspace URL.
  - Complete invite auth callback — verify redirect lands on `acmecorp.lvh.me` workspace, not apex.
  - Attempt your provisioned workspace URL — verify middleware strips conflicting path prefix.
  - Add Supabase redirect URL your provisioned workspace URL per `.env.example` guidance.
  - Run `tests/unit/tenantSubdomain.test.ts` and `tests/unit/tenantSlugRegistry.test.ts` — all pass.
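The host-to-tenant classification above, as an added example that is not the project's `tenantSubdomain.ts` or `middlewareSubdomainTenancy.ts`: it checks a Host header against the apex, development and staging domains, rejects reserved and multi-label hosts, picks the post-auth landing path, and applies the recursion-guard header. Assumptions: the Command Post path is `/` (as in the Feature 21 entry), the single-label syntax rule, and the plain-object header shape.

```typescript
// Added example, not the project's subdomain tenancy code. The "/" Command Post
// path, the label syntax rule and the header object shape are assumptions.

export const RESERVED_LABELS = new Set([
  "www", "api", "app", "admin", "staging", "preview", "docs", "login",
]);
export const MIDDLEWARE_RESOLVE_HEADER = "x-ironframe-middleware-tenant-resolve";

export type TenancyConfig = {
  apexDomain: string;         // IRONFRAME_TENANT_APEX_DOMAIN, e.g. ironframegrc.com
  developmentDomain: string;  // NEXT_PUBLIC_DEVELOPMENT_DOMAIN, e.g. lvh.me:3000
  stagingApexDomain?: string; // IRONFRAME_STAGING_APEX_DOMAIN, optional
};

export type HostScope =
  | { kind: "apex" }
  | { kind: "tenant"; slug: string }
  | { kind: "reserved"; label: string }
  | { kind: "foreign" };

// Exactly one DNS label: no dots, so "a.b.<apex>" can never be read as tenant "a.b".
const SINGLE_LABEL = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;

// Host headers may carry a port and arbitrary case; compare on the bare name.
function bareHostname(hostHeader: string): string {
  return hostHeader.trim().toLowerCase().replace(/:\d+$/, "");
}

export function classifyHost(hostHeader: string, cfg: TenancyConfig): HostScope {
  const host = bareHostname(hostHeader);
  const apexes = [cfg.apexDomain, cfg.developmentDomain, cfg.stagingApexDomain]
    .filter((d): d is string => typeof d === "string" && d.length > 0)
    .map(bareHostname);
  for (const apex of apexes) {
    if (host === apex) return { kind: "apex" };
    if (!host.endsWith("." + apex)) continue;
    const label = host.slice(0, host.length - apex.length - 1);
    if (!SINGLE_LABEL.test(label)) return { kind: "foreign" };
    if (RESERVED_LABELS.has(label)) return { kind: "reserved", label };
    return { kind: "tenant", slug: label };
  }
  // Not one of our domains at all: never derive a tenant scope from it.
  return { kind: "foreign" };
}

// Authenticated /login redirect: tenant Command Post on a subdomain host,
// /integrity on the apex (and on anything that is not a tenant host).
export function resolvePostAuthLandingPath(hostHeader: string, cfg: TenancyConfig): string {
  return classifyHost(hostHeader, cfg).kind === "tenant" ? "/" : "/integrity";
}

export type RequestHeaders = Record<string, string | undefined>;

// Dynamic slug lookup calls back into the app and re-enters middleware; the
// marker header lets that second pass skip resolution instead of looping.
export function shouldResolveDynamicSlug(headers: RequestHeaders): boolean {
  return headers[MIDDLEWARE_RESOLVE_HEADER] !== "1";
}

export function markResolving(headers: RequestHeaders): RequestHeaders {
  return { ...headers, [MIDDLEWARE_RESOLVE_HEADER]: "1" };
}
```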
<a id="registration-001"></a>
📝 Feature 33: Invite-Only Registration Gate
- GRC Function ID: `REGISTRATION-001`
- Exact Screen Coordinates: `/register/contact` (sales-assisted intake); `/register/[token]` (workspace invitation activation); `/register/setup` route deleted; `/register/demo` server-redirects to `/register/contact?reason=sales_assisted_only`.
- Operational Purpose: Enforces Phase 1 sales-assisted onboarding — prospects cannot self-provision tenants via public registration API. Sales engineers use bearer-authenticated `POST /api/register/sales-intake` instead.
- Technical Mechanics: `config/registration.ts` single source of truth:
  - `IRONFRAME_PUBLIC_REGISTRATION_ENABLED = false` (hardcoded — no env override)
  - `shouldBlockProspectIngress` blocks `/register/demo`, `/api/register/public-intake`, and `/demo/*` when `BLOCK_DEMO_SANDBOX_WHEN_REGISTRATION_DISABLED` is true — `/register/setup` page file removed (no longer a routable surface)
  - Public lead capture remains at `POST /api/register/public-lead` (middleware passthrough for guests)
  - Sales intake requires `INTERNAL_SALES_PROVISION_KEY` bearer token per `salesIntakeAuth.ts`
- Agent Boundary: Ironguard (Agent 12) ingress policy; Ironwatch (Agent 13) prospect ledger audit on successful intake.
- Step-by-Step Lab Validation:
  - Navigate to `/register/setup` on local host — verify 404 (route deleted, not redirect).
  - Navigate to `/register/demo` — verify redirect to `/register/contact?reason=sales_assisted_only`.
  - POST to `/api/register/public-intake` — verify 404 JSON when registration disabled.
  - POST to `/api/register/sales-intake` with valid bearer — verify tenant provision receipt.
  - Run `tests/unit/registrationGate.test.ts` and `tests/unit/registrationRoutes.test.ts` — all pass.
<a id="legal-001"></a>
📜 Feature 34: User Legal Consent Registry
- GRC Function ID: `LEGAL-001`
- Exact Screen Coordinates: `/terms` and `/privacy` public document pages; `/legal/accept` authenticated acceptance route.
- Operational Purpose: Records cryptographic proof that each Supabase user accepted the current MSA and privacy policy versions before accessing paid workspace features — SOC2-aligned consent trail.
- Technical Mechanics: `config/legal.ts` immutable versions:
  - `IRONFRAME_TERMS_VERSION`: `2026-06-15-msa-v1`
  - `IRONFRAME_PRIVACY_VERSION`: `2026-06-15-privacy-v1`
  - Prisma `UserLegalConsent` model: `userId`, `termsVersion`, `privacyVersion`, `acceptanceHash`, `acceptedAt`
  - `recordLegalConsent` upserts row with `buildLegalAcceptanceHash(userId, acceptedAtIso)`
  - Middleware allows authenticated `/legal/accept`; unauthenticated users redirect to `/login`
- Agent Boundary: Ironscribe (Agent 05) immutable acceptance hash lineage; Ironguard (Agent 12) session gate on legal accept route.
- Step-by-Step Lab Validation:
  - Open `/terms` and `/privacy` as guest on local host — verify legal document renders.
  - Sign in without consent row — navigate to `/legal/accept` — submit acceptance.
  - Query `user_legal_consents` — verify `terms_version` and `privacy_version` match config constants.
  - Bump version in `config/legal.ts` — verify `hasCurrentLegalConsent` returns false for prior acceptances.
<a id="admin-001"></a>
🏢 Feature 35: Platform Administrator Onboarding Console
- GRC Function ID: `ADMIN-001`
- Exact Screen Coordinates: `/admin/onboarding` — `AdminOnboardingDashboardHeader`, `AdminOnboardingDeployments`, and `#onboarding-controls` `CorporateOnboardingClient`; provisioning controls separated from deployment inventory panel.
- Operational Purpose: Gives GLOBAL_ADMIN operators a supervisor command plane for B2B tenant provisioning, deployment posture visibility, invitation token minting, and corporate operator invites. Billing activation owned by Stripe webhook — not inline client button.
- Technical Mechanics: Middleware Rule A0 — `assertGlobalAdminForOnboarding` requires authenticated GLOBAL_ADMIN for `/admin/onboarding` before platform-admin gate probe via `/api/internal/platform-admin-gate`. Page server component calls `canUsePlatformAdminTools()` before render. Actions delegate to `corporateTenantProvisionCore.ts`. Billing gate exempt — onboarding console reachable even when tenant billing is PENDING.
- Agent Boundary: Ironguard (Agent 12) GLOBAL_ADMIN RBAC; Ironwatch (Agent 13) provision and invite audit receipts.
- Step-by-Step Lab Validation:
  - Sign in as non-admin — attempt `/admin/onboarding` — verify redirect to `/unauthorized`.
  - Sign in as GLOBAL_ADMIN — verify CorporateOnboardingClient renders provision form.
  - Provision tenant with `aleBaselineCents` as whole integer string — verify `tenants.ale_baseline` BIGINT matches.
  - Issue invite with `tenantSlug` and role CISO — verify `user_role_assignments` row created on accept.
<a id="demo-001"></a>
🧪 Feature 36: Demo Sandbox Command Post
- GRC Function ID: `DEMO-001`
- Exact Screen Coordinates: `/demo/dashboard` (rewritten from `/dashboard` when demo cookie active); demo host `acorp-sandbox.lvh.me`; amber `DemoSandboxBanner` pinned above AppShell when demo session active.
- Operational Purpose: Provides a client-side sandbox command post with mock threat telemetry and constitutional ALE anchors for prospect education without touching production tenant data or production API telemetry paths.
- Technical Mechanics: `app/lib/demo/demoModeConstants.ts`:
  - `DEMO_WORKSPACE_SLUG`: `acorp-sandbox`
  - `DEMO_ACTIVE_COOKIE`: `ironframe-demo-active`
  - `DEMO_SESSION_COOKIE`: `ironframe-demo-session` — cross-origin cookie on `.lvh.me` and `.localtest.me`
  - `DEMO_ALE_BASELINE_CENTS`: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 (BigInt literals)
  - `getDemoCommandCenterScope()` aggregates three seed baselines into demo enclave row (2170000000 cents total display string)
  - Middleware rewrites `/dashboard` → `/demo/dashboard` when demo cookie set on sandbox host or localhost apex
  - Demo API isolation (2026-06-16 delta): `applyIronguardToFetch` in `apiClient.ts` throws `DEMO_API_BLOCK_MESSAGE` when `isDemoModeActive()` and path is not a public constitutional sentinel route — logs `DEMO_MODE_ISOLATED` via `isolationSentinelLog.ts`
  - `useKimbotPersistLoop.ts` and `useResilienceIntelPoll.ts` return early when demo mode active — no Kimbot persist or resilience poll against production APIs
  - `AppShell.tsx` mounts `DemoSandboxBanner` and adjusts top padding when demo and simulation banners stack
- Agent Boundary: Demo plane uses synthetic UUIDs — zero production RLS bleed; Ironguard (Agent 12) blocks cross-tenant fetch; demo isolation is client-side perimeter only — not a substitute for shadow-plane `SimulationDiagnosticLog` semantics.
- Step-by-Step Lab Validation:
  - Set `ironframe-demo-active=1` cookie on localhost — navigate to `/dashboard` — verify rewrite to demo command post.
  - With demo session active, trigger any `/api/grc/*` fetch — verify console shows `[ DEMO MODE ] | Production telemetry isolated — API call blocked`.
  - Verify constitutional sentinel paths (`/api/grc/tas-integrity`, `/api/grc/tas-fingerprint`) still callable from marketing shell during demo.
  - Run `tests/unit/demoMode.test.ts` — verify demo path classification and ALE cent constants.
<a id="nav-002"></a>
🏷️ Feature 37: Staged Navigation Surface Badges
- GRC Function ID: `NAV-002`
- Exact Screen Coordinates: TopNav navigation links for stub routes; badge chips STAGED DRAFT or PREVIEW.
- Operational Purpose: Signals design-partner pilots which dashboard routes are immature stubs and blocks the GRC_MANAGER role from navigating to unfinished surfaces.
- Technical Mechanics: `app/config/stagedNavSurfaces.ts`: `/vendors/supply-chain` (STAGED DRAFT), `/reports/dora-eu-resilience` (PREVIEW); `isStagedNavBlockedForRole` gates GRC_MANAGER.
- Step-by-Step Lab Validation:
  - Run `tests/unit/stagedNavSurfaces.test.ts`; all href normalizations pass.
<a id="brand-001"></a>
🎨 Feature 38: Tenant Brand Accent Resolution
- GRC Function ID: `BRAND-001`
- Exact Screen Coordinates: TopNav tenant label, login branded panel, subdomain workspace chrome.
- Operational Purpose: Applies per-tenant visual identity without altering RLS scope.
- Technical Mechanics: `ale_baseline` displayed as BigInt cents string through `formatTenantBrand`.
- Step-by-Step Lab Validation:
  - Run `tests/tenantBrand.test.ts`; verify accent resolution for seed tenants.
<a id="prospect-001"></a>
📇 Feature 39: Executive Prospect Ledger
- GRC Function ID: `PROSPECT-001`
- Exact Screen Coordinates: Backend `prospects` table; no default UI chip.
- Operational Purpose: Persists vetted sales leads with `reported_ale BIGINT NOT NULL` for executive pipeline aggregation.
- Step-by-Step Lab Validation:
  - Run `tests/unit/publicLeadParse.test.ts`; verify lead payload parsing.
<a id="auth-007"></a>
🔐 Feature 40: Scoped Dev Constitutional Elevation
- GRC Function ID: `AUTH-007`
- Operational Purpose: Restricts local constitutional authority to `IRONFRAME_DEV_SUPABASE_USER_ID`, `IRONFRAME_DEV_SUPABASE_EMAIL`, or explicit `IRONFRAME_DEV_CONSTITUTIONAL_ELEVATION=1`; other dev users keep normal RBAC.
- Step-by-Step Lab Validation:
  - Run `tests/unit/devConstitutionalElevation.test.ts`; scoped match order passes.
<a id="auth-008"></a>
🔑 Feature 41: Auth Redirect Origin Resolution
- GRC Function ID: `AUTH-008`
- Operational Purpose: Builds Supabase redirect URLs from the active request host, including tenant subdomains. Password reset uses the dedicated `resolvePasswordResetRedirectOrigin()` (distinct from invite callback origin resolution) so reset emails land on the operator's current workspace host. Fail-closed 403 responses from Supabase include the exact callback URL string for Redirect URL allowlist remediation per `.env.example` glob guidance (`http://*.lvh.me:3000/**`).
- Step-by-Step Lab Validation:
  - Request password reset from a tenant subdomain; verify the redirect URL uses the tenant host in the email link.
  - Trigger Supabase 403 on reset; verify the error message cites the full `redirectTo` path for the allowlist entry.
  - Run `tests/unit/publicAppUrl.test.ts` and `tests/unit/supabaseRedirectAllowlist.test.ts`; origin resolution paths pass.
<a id="board-008"></a>
📊 Feature 42: IronBoard Monetization Blueprint Federation
- GRC Function ID: `BOARD-008`
- Exact Screen Coordinates: No UI; injected into the IronBoard static context bundle at engine startup.
- Operational Purpose: Injects the Q2 2026 market blueprint and authoritative Phase 1 monetization mandate into boardroom static context so executive personas cite sales-assisted invite + Stripe wire paths instead of inventing self-serve provisioning timelines.
- Technical Mechanics:
  - `Ironboard/src/staticContext.ts` exports `PHASE1_MONETIZATION_BOARD_MANDATE` (authoritative Q2 2026):
    - Model: SALES-ASSISTED INVITE ONLY for first revenue; not self-serve multi-subdomain provisioning
    - Wire: `inviteCorporateTenantUserAction` + admin tenant UI + Stripe webhook → `TenantBilling.status ACTIVE`
    - P0 blockers before charging: Stripe rails, `/terms` + `/privacy`, production quarantine narrowed for public routes, admin invite panel
    - P1 before broad sales: tier entitlements, Epic 12 WORM honesty, stub page badges, SOC2-aligned (never certified) language
    - Fastest revenue path: Command tier, one price, 2–3 design partners while Phase 2 entitlements harden
  - Full backlog document: `docs/stakeholder-deck/ironframe-monetization-market-blueprint-2026-q2.md`
  - Docs federation matrix: `buildDocsFederationMatrix()` in `Ironboard/src/index.ts` loads four markdown files at startup: `TAS.md`, `technical-requirements.md`, `hub.md`, and the monetization blueprint; logged as `[IRONBOARD DOCS] Loaded N markdown file(s)`.
- Agent Boundary: Ironlogic (Agent 9) and Irontally (Agent 5) board governance phases consume this mandate; no financial field mutation; Stripe `amountTotalCents` remains BigInt at the fulfillment boundary.
- Step-by-Step Lab Validation:
  - Start IronBoard on port 8082; verify the federation log shows the monetization blueprint loaded (four files when all present).
  - Ask the boardroom "What is our Phase 1 monetization model?"; verify the response cites sales-assisted invite, not self-serve checkout-only provisioning.
  - Confirm `PHASE1_MONETIZATION_BOARD_MANDATE` appears in `buildStaticContextBundle()` output before the Four Pillars blueprint block.
<a id="command-001"></a>
🏗️ Feature 43: Command Center Tenant Access Scope
- GRC Function ID: `COMMAND-001`
- Operational Purpose: RBAC-scoped tenant switcher; non-GLOBAL_ADMIN users see only assigned workspaces; subdomain hosts lock to a single tenant.
- Step-by-Step Lab Validation:
  - Run `tests/unit/commandCenterTenantAccess.test.ts`; all pass.
<a id="board-009"></a>
🎬 Feature 44: Board YouTube Shorts & Denial Rewrite Guard
- GRC Function ID: `BOARD-009`
- Operational Purpose: Strips LLM video capability denials (including Shorts-specific refusal patterns) and appends the canonical `YOUTUBE_VIDEO_DENIAL_REWRITE` when `payloadSignalsVideoIntelligence(query)` detects a video-linked board request with a stripped denial and a response under 160 characters; skips web prefetch for video queries via the `shouldPrefetchWeb` guard in `boardroomQueryIntent.ts`.
- Step-by-Step Lab Validation:
  - Run `tests/unit/boardResponseLibrary.test.ts` and `tests/unit/linkScraper.test.ts`; all pass, including Shorts URL `youtube.com/shorts/{id}` extraction.
<a id="integrity-003"></a>
🛡️ Feature 45: TAS Markdown Integrity Assessment
- GRC Function ID: `INTEGRITY-003`
- Operational Purpose: `assessTasMdIntegritySync` in `tasMdIntegrity.ts` validates TAS.md during `buildIntegrityPayload` without crashing the route on partial failures.
- Step-by-Step Lab Validation:
  - Poll `/api/grc/tas-integrity`; verify `sha256Short` in the JSON.
<a id="governance-001"></a>
📰 Feature 46: The Governance Frame Published Briefing Ledger
- GRC Function ID: `GOVERNANCE-001`
- Exact Screen Coordinates: Public reader at `/governance-frame` (index card grid) and `/governance-frame/[slug]` (article view). IronBoard mirror feed at your provisioned workspace URL when the IronBoard engine is running locally.
- Operational Purpose: Serves chronological institutional governance briefings compiled exclusively from `docs/published-briefings/*.md`. Draft files in `docs/briefing-queue/` remain quarantined and never enter the published feed, mirroring Irongate DMZ publish-before-persist semantics for executive intelligence artifacts.
- Technical Mechanics:
  - Next.js App Router:
    - `app/governance-frame/layout.tsx`: standalone slate chrome, `GovernanceFrameBrandLockup`, metadata `robots: { index: false, follow: false }`
    - `app/governance-frame/page.tsx`: `loadPublishedBriefings()` index with cent-register badge from Section II impact metrics
    - `app/governance-frame/[slug]/page.tsx`: `BriefingFrameContent` + `BriefingMarkdown` with sanitized react-markdown compilation
    - `app/lib/governanceFrame/briefingLoader.ts`: `enforceBriefingQuarantine()` warns on non-allowlisted `.md` files in `briefing-queue/` with the `[SECURITY AUDIT] Unauthorized compilation attempt blocked for unvetted draft:` prefix
    - `app/lib/governanceFrame/parseBriefingSections.ts`: splits the body into zones I (Exposure Vector), II (Calculated Quantitative Impact), III (Machine-Rule Technical Translation), IV (Verification Protocol)
    - `app/lib/governanceFrame/parseCentBigInt.ts`: rejects float and scientific notation cent literals; coerces whole integers to stringified BigInt
    - `app/lib/governanceFrame/sanitizeMarkdown.ts`: strips `<script>`, `` URIs, and `data-blocked=` attributes before render
  - IronBoard parallel router: `Ironboard/src/governanceFrame/router.ts`, `briefingScanner.ts`, `renderBlog.ts`; HTML blog renderer for direct IronBoard access
  - `next.config.ts` `outputFileTracingIncludes` ships `./docs/published-briefings/**/*` on Vercel for `/governance-frame` lambdas
  - Published seed briefing: `docs/published-briefings/2026-06-07-staging-boundary-check.md`; provisioning tunnel test exposure 499900 cents, reported ALE delta 0 cents
  - `ConditionalAppShell.tsx` excludes governance-frame paths from the dashboard AppShell mount; no TopNav bleed
- Agent Boundary: Ironscribe (Agent 05) briefing structure and export lineage; Irongate (Agent 14) markdown sanitization before client render; Ironlogic (Agent 9) board federation reads the monetization blueprint alongside TAS for strategic context.
- Step-by-Step Lab Validation:
  - Open your provisioned workspace URL; verify the index lists published briefings chronologically with cent-register badges where Section II defines (¢) metrics.
  - Open `/governance-frame/2026-06-07-staging-boundary-check`; verify the four-section frame renders without dashboard chrome.
  - Place `secret-draft.md` in `docs/briefing-queue/`; reload the index; verify the draft does not appear and the server log emits the quarantine audit warning.
  - Start IronBoard on port 8082; verify the startup log `[GOVERNANCE FRAME] Briefing feed at your provisioned workspace URL · published=N`, where N equals the count from `scanPublishedBriefings(resolveDocsRoot())`.
  - Run `tests/unit/governanceFrameBriefingScanner.test.ts`, `tests/unit/governanceFrameSanitize.test.ts`, and `tests/unit/governanceFrameEmail.test.ts`; all pass.
<a id="governance-002"></a>
💰 Feature 47: Unified Financial Ingress Invariant Bridge
- GRC Function ID: `GOVERNANCE-002`
- Exact Screen Coordinates: No direct UI; validates cent registers at the Governance Frame parse boundary, sales intake API, Stripe checkout fulfillment, and prospect ledger persistence.
- Operational Purpose: Guarantees a single whole-integer BigInt cent contract across three ingress surfaces that accept human-readable dollar input at the UI layer but must never persist floats: Governance Frame briefing Section II registers, sales-assisted `/api/register/sales-intake` ALE fields, and Stripe `amountTotalCents` metadata.
- Technical Mechanics: `tests/unit/financialIngressInvariant.test.ts` bridges:
  - `parseCentBigInt`: briefing ledger rejects `"49.99"` and `"1110000000.5"` with `Governance Frame cent register must be a whole integer`
  - `parseDollarAleToBigIntCents`: accepts `"$11,100,000.00"` and emits 1110000000 as `bigint`
  - `parseExplicitCentAle`: explicit cent string `"1110000000"` matches dollar-parse output
  - `verifyCanonicalEnterpriseBaseline`: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 cent targets
  - Round-trip: sales intake BigInt output must pass Governance Frame `parseCentBigInt` without coercion loss
- Agent Boundary: Irontrust (Agent 3) canonical baseline enforcement; Irongate (Agent 14) rejects malformed cent payloads at ingress.
- Step-by-Step Lab Validation:
  - Run `tests/unit/financialIngressInvariant.test.ts`; all canonical profile dollar inputs resolve to TAS BigInt cents.
  - POST sales intake with `"$5,900,000.00"` reported ALE; verify `prospects.reported_ale BIGINT` equals 590000000.
  - Add briefing metric `"1110000000.5"`; verify `parseCentBigInt` throws before publish.
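The invariant above, as an added example rather than Ironframe's own `parseCentBigInt` / `parseDollarAleToBigIntCents` code: the function names and the error text mirror the page, the three baselines are the page's, and cents are carried as decimal strings (the form persisted into BigInt columns) so no float ever enters the path.

```typescript
// Added example (not Ironframe's own code): the financial-ingress invariant modelled on the page's
// parseCentBigInt / parseDollarAleToBigIntCents / parseExplicitCentAle contract. Cents are carried
// as decimal digit strings (the form the page says is persisted as BigInt) so no float arithmetic occurs.

export const CENT_REGISTER_ERROR = "Governance Frame cent register must be a whole integer";

// Canonical enterprise ALE baselines in cents, as the page states them.
export const CANONICAL_ENTERPRISE_BASELINE_CENTS: Record<string, string> = {
  Medshield: "1110000000",
  Vaultbank: "590000000",
  Gridcore: "470000000",
};

function stripLeadingZeros(digits: string): string {
  const trimmed = digits.replace(/^0+/, "");
  return trimmed === "" ? "0" : trimmed;
}

// Governance Frame Section II register: only a whole-integer literal is accepted.
// A float ("49.99", 1110000000.5) or scientific notation ("1e9") fails the digit-only test and is
// rejected outright rather than truncated, so a typo can never silently shift a baseline.
// Prefer passing strings: a JS number above 2^53 has already lost precision before it gets here.
export function parseCentBigInt(raw: string | number): string {
  const text = typeof raw === "number" ? String(raw) : raw.trim();
  if (!/^\d+$/.test(text)) throw new Error(CENT_REGISTER_ERROR);
  return stripLeadingZeros(text);
}

// Sales intake: human-readable dollar input such as "$11,100,000.00" becomes "1110000000" by
// string surgery alone (dollar digits followed by exactly two cent digits); sub-cent input is rejected.
export function parseDollarAleToBigIntCents(raw: string): string {
  const cleaned = raw.trim().replace(/^\$/, "").replace(/,/g, "");
  const match = /^(\d+)(?:\.(\d{1,2}))?$/.exec(cleaned);
  if (!match) throw new Error("reported ALE is not a whole-cent dollar amount: " + raw);
  const dollars = match[1];
  const fraction = match[2] === undefined ? "" : match[2];
  const cents = fraction.length === 0 ? "00" : fraction.length === 1 ? fraction + "0" : fraction;
  return stripLeadingZeros(dollars + cents);
}

// Explicit cent string supplied by an operator: same register rule as the briefing ledger.
export function parseExplicitCentAle(raw: string): string {
  return parseCentBigInt(raw);
}

export function verifyCanonicalEnterpriseBaseline(tenant: string, cents: string): boolean {
  return CANONICAL_ENTERPRISE_BASELINE_CENTS[tenant] === cents;
}

// Round-trip bridge: what sales intake emits must re-enter the Governance Frame register unchanged.
export function bridgeSalesIntakeToBriefingRegister(dollarInput: string): string {
  const intakeCents = parseDollarAleToBigIntCents(dollarInput);
  const registerCents = parseCentBigInt(intakeCents);
  if (registerCents !== intakeCents) throw new Error("coercion loss between ingress surfaces");
  return registerCents;
}

// Boolean form for callers that gate on validity instead of catching the exception.
export function isWholeIntegerCentRegister(raw: string | number): boolean {
  try {
    parseCentBigInt(raw);
    return true;
  } catch {
    return false;
  }
}
```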
<a id="governance-003"></a>
📧 Feature 48: Ironcast Governance Frame Email Newsletter
- GRC Function ID: `GOVERNANCE-003`
- Exact Screen Coordinates: Backend HTML artifact at `out/governance-frame/newsletters/{slug}.html` after compile; outbound email via the Ironcast worker.
- Operational Purpose: Converts published Governance Frame briefings into table-based HTML email newsletters with deep links to the public feed origin for executive distribution.
- Technical Mechanics:
  - `lib/agents/ironcast/templates/governanceFrameEmail.ts`: `GOVERNANCE_FRAME_FEED_ORIGIN` from the `GOVERNANCE_FRAME_PUBLIC_FEED_ORIGIN` env or default your provisioned workspace URL
  - Email HTML uses table layout, inline styles, no `<button>` elements; Outlook-compatible patterns per Resend email requirements
  - `lib/agents/ironcast/workers/compileNewsletter.ts` writes compiled HTML under `out/governance-frame/newsletters/`
  - Link pattern: `{origin}/governance-frame/{slug}`
- Agent Boundary: Ironcast outbound communications; Ironscribe (Agent 05) content attribution from published briefing frontmatter.
- Step-by-Step Lab Validation:
  - Run the newsletter compile worker against a published briefing slug; verify the HTML output contains the feed deep link.
  - Run `tests/unit/governanceFrameEmail.test.ts`; verify origin URL and slug encoding.
<a id="governance-004"></a>
📡 Feature 49: Governance Frame RSS Feed Compiler
- GRC Function ID: `GOVERNANCE-004`
- Exact Screen Coordinates: Generated RSS XML; item links target `{RSS_ITEM_LINK_ORIGIN}/governance-frame/{slug}`.
- Operational Purpose: Publishes machine-readable RSS items for each published briefing so external subscribers and board ingestion pipelines can poll chronological updates without scraping the HTML index.
- Technical Mechanics: `scripts/compile-rss.ts` reads published briefings and emits RSS XML with governance-frame deep links. Default link origin aligns with `GOVERNANCE_FRAME_PUBLIC_FEED_ORIGIN`. `tests/unit/compileRss.test.ts` validates encoded slug URLs in the XML output.
- Agent Boundary: Ironintel (Agent 16) external feed correlation; content sourced only from the published ledger, never `briefing-queue/`.
- Step-by-Step Lab Validation:
  - Run `npx tsx scripts/compile-rss.ts`; verify the RSS item link contains the `/governance-frame/` path segment.
  - Run `tests/unit/compileRss.test.ts`; all pass.
<a id="demo-002"></a>
🔒 Feature 50: Demo Mode Production API Isolation Sentinel
- GRC Function ID: `DEMO-002`
- Exact Screen Coordinates: Invisible client-side fetch interceptor; manifests as a thrown error in the browser console when a demo session calls protected `/api/*` routes.
- Operational Purpose: Prevents demo sandbox operators from accidentally writing Kimbot state, resilience intel polls, or tenant-scoped GRC telemetry to production databases while exploring the mock command post UI.
- Technical Mechanics: `app/utils/apiClient.ts` `applyIronguardToFetch`:
  - When `isDemoModeActive()` returns true and the pathname is not `isPublicConstitutionalSentinelPath` or a tenant-optional registration path, throws `DEMO_API_BLOCK_MESSAGE`
  - `logIsolationSentinelBlocked({ reasonCode: "DEMO_MODE_ISOLATED", ... })` writes a structured isolation log entry
  - `isolationSentinelLog.ts` maps `DEMO_MODE_ISOLATED` to the audit string `BLOCKED: DEMO_SANDBOX_ISOLATED`
  - Constitutional sentinel paths remain callable so the marketing shell and Governance Frame reader can poll TAS integrity without a dashboard session
- Agent Boundary: Ironguard (Agent 12) client fetch perimeter; complements server-side RLS; does not replace tenant isolation tests.
- Step-by-Step Lab Validation:
  - Initialize the demo sandbox via `/register/demo` (redirects to sales contact) or `initializeDemoSandbox()` on approved demo paths.
  - Navigate to the demo command post; open the browser devtools network tab; trigger a GRC API poll; verify the fetch is rejected before network dispatch.
  - Poll `/api/grc/tas-integrity` from the same session; verify the request succeeds (constitutional sentinel exemption).
<a id="market-001"></a>
🌍 Feature 51: IronBoard Market Flywheel Multi-Country Target Cockpit
- GRC Function ID: `MARKET-001`
- Exact Screen Coordinates: IronBoard left rail `#market-flywheel` inside `#left-panel`, below the board persona selector on your provisioned workspace URL.
- Operational Purpose: Stages autonomous Fintech SaaS prospecting campaigns for early-stage companies (5–50 employees) across preset hubs (London, Singapore) and expansion countries (Germany, Australia, Ireland, Canada, United States, France, Netherlands, Switzerland, United Kingdom, New Zealand, India, Japan, UAE). Operators load qualified batches, generate BigInt-grounded outreach copy, and harvest interaction signals to adjust ICP scores.
- Technical Mechanics:
  - React component: `Ironboard/src/components/MarketFlywheel.tsx`
  - Legacy inline dashboard: same controls mirrored in `renderDashboard()` HTML with `#target-countries-input`, `#hub-london`, `#hub-singapore`, `#fetch-batch-btn`
  - `POST /api/prospects/trigger` body accepts `{ targetCountries: string[] }` (preferred), `{ regions: string[] }`, or legacy `{ region: string }`
  - `GET /api/prospects?regions=Germany,Australia` and `GET /api/market/prospects` accept comma/pipe-separated region filters
  - `localStorage` key `ironboard_target_countries` persists the operator target list across sessions
  - `getActiveHubPayload()` encodes the stream field: `LONDON`, `SINGAPORE`, or `GERMANY,AUSTRALIA,...` uppercase join
  - ICP visibility threshold: `ACTIVE_PROSPECT_MIN_SCORE = 100`; sub-threshold rows stored as `dealStage: REJECTED` and excluded from the cockpit list
  - Pitch generation calls `generateGroundedPitch(domain)`; outreach cites the BigInt Integrity value proposition; when `findLatestRegulatoryCatalystForDomain` returns a catalyst, the value proposition becomes `{authority} catalyst · {matchedFramework} · BigInt Integrity` and the opening hook leads with the compliance deadline from Industry Scout
  - Harvest buttons apply `±25` to `aiFitnessScore` and transition the deal stage to `QUALIFIED` or `REJECTED`
  - GTM authenticity gate (2026-06-26 delta): `verifyAndOptimizeMarketData` runs per region before batch assembly; `isSyntheticExpansionTemplateProspect` detects `{Region} Ledger` (24 employees), `{Region} Vault` (18 employees), and `-ledger.io` / `-vault.finance` domains; these are SYNTHETIC_SCAFFOLDING, never real market research
  - `fetchProspectingBatchForTargets`: expansion countries (non London/Singapore) no longer auto-seed template placeholders; only curated classroom seeds for London/Singapore; other regions rely on `discoverRegionalProspects` live web grounding
  - `buildFlywheelWorkspaceContext` labels each prospect with lineage: `LIVE_WEB_GROUNDING`, `SYNTHETIC_SCAFFOLDING`, or `CURATED_DEMO_SEED`
- Agent Boundary: IronBoard commercial plane (port 8082); Ironlogic (Agent 9) synthesis consumes `buildFlywheelWorkspaceContext`; Irongate (Agent 14) sanitizes web-grounded discovery JSON before Prisma upsert; Ironintel (Agent 16) regulatory catalyst lookup feeds grounded pitches; no cross-tenant prospect bleed; the `marketProspect` domain key is global to the board org database.
- Step-by-Step Lab Validation:
  - Open your provisioned workspace URL; locate the Market Flywheel panel in the left rail.
  - Enter `Germany, Australia, Ireland, Canada` in the target countries field; click Load Prospecting Batch.
  - Verify the status line shows the loaded count; no `{Country} Ledger` or `{Country} Vault` synthetic rows for Germany (test: `fetchProspectingBatchForTargets(['Germany'])` must not return template names).
  - Click the London Hub shortcut; verify curated London seeds load with `CURATED_DEMO_SEED` lineage.
  - Select a prospect with a regulatory catalyst; verify the pitch pane opens with an authority/framework hook, not generic marketing copy.
  - Click Harvest Signal (+); verify `aiFitnessScore` increments by 25.
  - Run `Ironboard/src/services/marketIntelligence.test.ts`; verify multi-region merge and authenticity mocks pass.
<a id="market-002"></a>
🗺️ Feature 52: Market Target Regions Normalization Module
- GRC Function ID: `MARKET-002`
- Exact Screen Coordinates: No UI; shared library consumed by the flywheel UI, board router, query intent, and market intelligence services.
- Operational Purpose: Provides canonical country name normalization, alias resolution, activeHub stream encoding/decoding, and query-time country matching so boardroom tool calls and prospect filters stay consistent across London/Singapore legacy keys and multi-country expansion campaigns.
- Technical Mechanics: `Ironboard/src/services/marketTargetRegions.ts`:
  - `PRIMARY_HUB_REGIONS`: `['London', 'Singapore']`
  - `KNOWN_TARGET_COUNTRIES`: fourteen expansion markets plus hub aliases
  - `REGION_ALIASES`: maps `uk`, `united kingdom` → London; `sg` → Singapore; `usa`, `us` → United States; etc.
  - `normalizeTargetRegion(input)`: title-case fallback for unknown tokens
  - `parseTargetCountriesInput(raw)`: splits on comma or pipe, deduplicates
  - `parseActiveTargetCountries(activeHub)`: decodes `LONDON`, `SINGAPORE`, or comma-separated uppercase lists
  - `encodeActiveTargetCountries(countries)`: reverse encoder for board stream payloads
  - `matchCountriesInQuery(query)`: substring match against the known country list for intent routing
- Agent Boundary: Ironquery (Agent 15) discovery routing via `inferRegionsFromQuery`; Ironlogic (Agent 9) board `planDiscoveryExecution` passes parsed regions to `queryLocalWorkspace`.
- Step-by-Step Lab Validation:
  - Run `Ironboard/src/services/boardroomQueryIntent.test.ts`; verify `inferRegionsFromQuery('hello', 'GERMANY,AUSTRALIA')` equals `['Germany', 'Australia']`.
  - Run the same suite; verify `inferRegionsFromQuery('prospects in Canada', 'LONDON')` equals `['Canada']` (query mention wins over active hub).
  - Verify `shouldPrefetchProspects('Are there companies in Germany that fit our ICP criteria?')` returns true.
  - Confirm `boardRouter.ts` `planDiscoveryExecution` passes `{ regions: targetCountries }` when multiple countries are active.
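The normalization, alias, hub-stream codec and query-matching behaviour above, as an added example that is not Ironboard's `marketTargetRegions.ts`: the alias pairs, hub names, title-case fallback and the two `inferRegionsFromQuery` cases are the page's; the expansion-country list is abbreviated from Feature 51 and the word-boundary matching rule is an assumption.

```typescript
// Added example (not Ironboard's marketTargetRegions.ts / boardroomQueryIntent.ts): region
// normalization and hub-stream codec modelled on the page. United Kingdom is deliberately absent
// from the country list because REGION_ALIASES resolves it to the London hub, as the page states.

export const PRIMARY_HUB_REGIONS = ["London", "Singapore"];
export const KNOWN_TARGET_COUNTRIES = [
  "Germany", "Australia", "Ireland", "Canada", "United States", "France",
  "Netherlands", "Switzerland", "New Zealand", "India", "Japan", "UAE",
];
export const REGION_ALIASES: Record<string, string> = {
  uk: "London",
  "united kingdom": "London",
  sg: "Singapore",
  usa: "United States",
  us: "United States",
};

const CANONICAL_REGIONS = PRIMARY_HUB_REGIONS.concat(KNOWN_TARGET_COUNTRIES);

function titleCase(token: string): string {
  return token
    .split(" ")
    .map((word) => word.charAt(0).toUpperCase() + word.slice(1))
    .join(" ");
}

// Alias first, then case-insensitive canonical match, then the page's title-case fallback.
export function normalizeTargetRegion(input: string): string {
  const key = input.trim().replace(/\s+/g, " ").toLowerCase();
  if (key === "") return "";
  if (Object.prototype.hasOwnProperty.call(REGION_ALIASES, key)) return REGION_ALIASES[key];
  for (const region of CANONICAL_REGIONS) {
    if (region.toLowerCase() === key) return region;
  }
  return titleCase(key);
}

// Operator input "Germany, Australia | SG" -> ["Germany", "Australia", "Singapore"], deduplicated.
export function parseTargetCountriesInput(raw: string): string[] {
  const regions: string[] = [];
  for (const piece of raw.split(/[,|]/)) {
    const region = normalizeTargetRegion(piece);
    if (region !== "" && regions.indexOf(region) === -1) regions.push(region);
  }
  return regions;
}

// The activeHub stream field: LONDON, SINGAPORE, or an uppercase comma-joined list.
export function parseActiveTargetCountries(activeHub: string): string[] {
  return parseTargetCountriesInput(activeHub);
}

export function encodeActiveTargetCountries(countries: string[]): string {
  return countries.map((country) => normalizeTargetRegion(country).toUpperCase()).join(",");
}

function escapeRegExp(text: string): string {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Whole-word, case-insensitive match so "Indiana" does not route a query to India.
export function matchCountriesInQuery(query: string): string[] {
  const hits: string[] = [];
  for (const region of CANONICAL_REGIONS) {
    if (new RegExp("\\b" + escapeRegExp(region) + "\\b", "i").test(query)) hits.push(region);
  }
  return hits;
}

// Page behaviour: an explicit country mention in the query wins over the active hub.
export function inferRegionsFromQuery(query: string, activeHub: string): string[] {
  const mentioned = matchCountriesInQuery(query);
  return mentioned.length > 0 ? mentioned : parseActiveTargetCountries(activeHub);
}
```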
<a id="board-010"></a>
🌉 Feature 53: IronBoard Core Telemetry Bridge
- GRC Function ID: `BOARD-010`
- Exact Screen Coordinates: No UI; server-side bridge invoked at the start of every `POST /api/query` on IronBoard port 8082.
- Operational Purpose: Hydrates IronBoard boardroom synthesis with live Ironframe democratic shared context JSON so executive personas ground financial and sustainability assertions in the tenant-scoped production cache, never stale static placeholders. Fails closed when Ironframe core is unreachable, preserving unidirectional advisory integrity.
- Technical Mechanics: `Ironboard/src/services/coreTelemetryBridge.ts`:
  - `IRONFRAME_SHARED_CONTEXT_PATH = /api/board/shared-context`
  - `resolveIronframeCoreOrigin()`: reads `IRONFRAME_CORE_ORIGIN` or `IRONFRAME_MARKETING_ORIGIN`, defaults to your provisioned workspace URL
  - `resolveTelemetryTenantScope()`: prefers the `ironframe-tenant` cookie, then request body `tenantId`, then `resolveBoardOrgTenantId()`
  - `buildTelemetryFetchHeaders()`: forwards cookies, sets `x-ironboard-telemetry-bridge: 1`, injects `x-ironframe-host-tenant-uuid` or `x-ironframe-host-tenant-slug`
  - `fetchIronframeSharedContext()`: 12000 ms abort timeout; throws `CoreTelemetryBridgeError` with code `CORE_TELEMETRY_DISCONNECTED`
  - `formatLiveSystemTelemetryBlock()`: wraps the JSON with the delimiter `[LIVE SYSTEM TELEMETRY - ARCHITECTURE ENFORCED]`
  - Client SSE handler in `index.ts` surfaces 502 when the bridge fails before the stream opens
- Financial boundary note: Shared context JSON contains raw cent integers internally; the boardroom Layer 3 de-classification matrix forbids emitting those raw values in Governance Frame public copy; operators must cite `financials.display.*Formatted` strings from the hydrated block.
- Agent Boundary: Ironwatch (Agent 13) telemetry source on Ironframe port 3000; Ironlogic (Agent 9) consumes hydrated JSON; Ironguard (Agent 12) tenant headers enforce isolation on the bridge fetch.
- Step-by-Step Lab Validation:
  - Run `Ironboard/src/services/coreTelemetryBridge.test.ts`; all five cases pass.
  - Stop Ironframe; POST a boardroom query; verify HTTP 502 `{ error: "CORE_TELEMETRY_DISCONNECTED" }`.
  - Start Ironframe with a valid tenant session; POST a query; verify SSE event `coreTelemetryBridge` status `complete` with byte count.
  - Set `IRONFRAME_CORE_ORIGIN=your provisioned workspace URL` when IronBoard runs in the split-host dev layout.
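The fail-closed bridge contract above, as an added example that is not Ironboard's `coreTelemetryBridge.ts`: the path, header names, error code and delimiter are the page's; the `BridgeRequest` shape, the injectable transport (standing in for the timed-out fetch), the in-memory Ironframe stub and `handleBoardQuery` are assumptions.

```typescript
// Added example (not Ironboard's coreTelemetryBridge.ts): tenant-scope precedence, bridge headers
// and the fail-closed 502 described on the page, with the transport injected so it runs offline.

export const IRONFRAME_SHARED_CONTEXT_PATH = "/api/board/shared-context";
export const CORE_TELEMETRY_DISCONNECTED = "CORE_TELEMETRY_DISCONNECTED";
export const TELEMETRY_DELIMITER = "[LIVE SYSTEM TELEMETRY - ARCHITECTURE ENFORCED]";

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

export interface BridgeRequest {
  cookies: Record<string, string>; // forwarded verbatim so Ironframe's own session check still runs
  bodyTenantId?: string;
  boardOrgTenantId: string; // what resolveBoardOrgTenantId() would return
}

export interface TransportResponse { ok: boolean; status: number; body: string }
// null models an abort (the page's 12000 ms timeout) or a refused connection.
export type Transport = (url: string, headers: Record<string, string>) => TransportResponse | null;

export class CoreTelemetryBridgeError extends Error {
  code = CORE_TELEMETRY_DISCONNECTED;
  constructor(message: string) {
    super(message);
    this.name = "CoreTelemetryBridgeError";
  }
}

function present(value: string | undefined): value is string {
  return typeof value === "string" && value.trim() !== "";
}

// Precedence from the page: ironframe-tenant cookie, then body tenantId, then the board org tenant.
export function resolveTelemetryTenantScope(req: BridgeRequest): string {
  const cookieTenant = req.cookies["ironframe-tenant"];
  if (present(cookieTenant)) return cookieTenant.trim();
  const bodyTenant = req.bodyTenantId;
  if (present(bodyTenant)) return bodyTenant.trim();
  return req.boardOrgTenantId;
}

export function buildTelemetryFetchHeaders(req: BridgeRequest): Record<string, string> {
  const tenant = resolveTelemetryTenantScope(req);
  const cookiePairs = Object.keys(req.cookies).map((name) => name + "=" + req.cookies[name]);
  const headers: Record<string, string> = {
    cookie: cookiePairs.join("; "),
    "x-ironboard-telemetry-bridge": "1",
  };
  // A UUID scope travels as the uuid header, anything else as the slug header: never both.
  if (UUID_RE.test(tenant)) headers["x-ironframe-host-tenant-uuid"] = tenant;
  else headers["x-ironframe-host-tenant-slug"] = tenant;
  return headers;
}

export function formatLiveSystemTelemetryBlock(json: string): string {
  return TELEMETRY_DELIMITER + "\n" + json + "\n" + TELEMETRY_DELIMITER;
}

// Every failure mode becomes CoreTelemetryBridgeError: there is no fallback to static placeholders.
export function fetchIronframeSharedContext(origin: string, req: BridgeRequest, transport: Transport): string {
  const url = origin.replace(/\/+$/, "") + IRONFRAME_SHARED_CONTEXT_PATH;
  let response: TransportResponse | null;
  try {
    response = transport(url, buildTelemetryFetchHeaders(req));
  } catch {
    response = null;
  }
  if (response === null) throw new CoreTelemetryBridgeError("Ironframe core unreachable or timed out");
  if (!response.ok) throw new CoreTelemetryBridgeError("Ironframe core answered HTTP " + response.status);
  try {
    JSON.parse(response.body); // a proxy error page is not telemetry
  } catch {
    throw new CoreTelemetryBridgeError("Ironframe core returned non-JSON shared context");
  }
  return formatLiveSystemTelemetryBlock(response.body);
}

export interface QueryOutcome { status: 200 | 502; telemetryBlock?: string; error?: string }

// What POST /api/query does before LLM synthesis: hydrate, or answer 502 and never proceed stale.
export function handleBoardQuery(origin: string, req: BridgeRequest, transport: Transport): QueryOutcome {
  try {
    return { status: 200, telemetryBlock: fetchIronframeSharedContext(origin, req, transport) };
  } catch (err) {
    if ((err as { code?: string }).code === CORE_TELEMETRY_DISCONNECTED) {
      return { status: 502, error: CORE_TELEMETRY_DISCONNECTED };
    }
    throw err;
  }
}

// Constructed Ironframe stub: answers only for the bridge header plus a matching tenant header, and
// returns display strings only (never raw cent integers), which is what public copy must cite.
export function createIronframeStub(tenantSlug: string): Transport {
  return (url, headers) => {
    if (url.indexOf(IRONFRAME_SHARED_CONTEXT_PATH) === -1) return { ok: false, status: 404, body: "" };
    if (headers["x-ironboard-telemetry-bridge"] !== "1") return { ok: false, status: 403, body: "" };
    const scoped = headers["x-ironframe-host-tenant-slug"] === tenantSlug || !!headers["x-ironframe-host-tenant-uuid"];
    if (!scoped) return { ok: false, status: 403, body: "" };
    const display: Record<string, { baselineFormatted: string }> = {};
    display[tenantSlug] = { baselineFormatted: "$5,900,000.00" };
    return { ok: true, status: 200, body: JSON.stringify({ financials: { display: { sovereignPool: display } } }) };
  };
}

export const UNREACHABLE_IRONFRAME: Transport = () => null;
```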
<a id="governance-005"></a>
🛡️ Feature 54: Hardened Governance Layers & De-Classification Matrix
- GRC Function ID: `GOVERNANCE-005`
- Exact Screen Coordinates: No UI; injected into the IronBoard system instruction when live telemetry JSON is present.
- Operational Purpose: Enforces a six-layer governance posture on every boardroom synthesis turn that receives live Ironframe telemetry: read-only diode, authoritative metric hydration, public briefing de-classification, mandatory Governance Frame triad structure, executive persona financial ratios, and a Sources & Citations audit section for human promotion from `docs/briefing-queue/` to `docs/published-briefings/`.
- Technical Mechanics: `Ironboard/src/services/boardroomSystemPrompt.ts` `buildHardenedGovernanceLayers(telemetryJsonString)`:
  - Layer 1, Unidirectional diode: Board is READ-ONLY; zero write permissions to port 3000 databases; the human operator holds execution keys.
  - Layer 2, Live metric hydration: The injected JSON string is the absolute source of truth from the Ironframe production cache.
  - Layer 3, De-classification matrix:
    - Currency: never output raw BigInt cent integers in public copy; cite `financials.display.sovereignPool.*.baselineFormatted` and `currentExposureFormatted` verbatim
    - Vulnerability hiding: no raw CVE identifiers or unpatched asset IDs in public briefings
    - Sustainability: cite `financials.display.sustainability.powerUsageFormatted` and `fluidConsumptionFormatted` exactly
  - Layer 4, Governance Frame triad: EXPOSURE VECTOR, IMPACT, REMEDIATION headings from `financials.display.governanceTriadScaffold`
  - Layer 5, Executive persona ratios: CFO/board-bot anchor on sanitized USD; board-trainer owns Level 1 user manuals and training tracks under `docs/user-manuals/` and `docs/training/`; board-writer owns the Level 2 technical corpus under `docs/technical/`; both consume `documentationBrief` only
  - Layer 6, Sources & Citations: mandatory `### V. Sources & Citations` with locators including `docs/README.md`, `docs/user-manuals/{file}.md`, `docs/technical/{file}.md`, `config/route-manifest.v0.1.0-ga-epic17.json`
  - GTM Market Authenticity Mandate (2026-06-26 delta): `BOARD_GTM_MARKET_AUTHENTICITY_MANDATE`; synthetic `{Region} Ledger`/`Vault` rows and `-ledger.io`/`-vault.finance` domains are SYNTHETIC_SCAFFOLDING; the board must label lineage (`LIVE_WEB_GROUNDING`, `SYNTHETIC_SCAFFOLDING`, `CURATED_DEMO_SEED`); when `polluted=true`, state that live web discovery is required; never invent company names from memory
  - Documentation Authorship Mandate: `BOARD_DOCUMENTATION_AUTHORSHIP_MANDATE` from `dualLocationOutputMatrix.ts`; Trainer/Writer placement targets enforced
- Agent Boundary: Ironscribe (Agent 05) briefing structure; Irontrust (Agent 3) internal BigInt storage vs display separation; Irongate (Agent 14) public copy sanitization semantics.
- Step-by-Step Lab Validation:
  - Submit a boardroom query with both engines running; inspect the assembled system instruction for the `[LAYER 1: UNIDIRECTIONAL DIODE POSTURE]` block.
  - Ask the board to draft a Governance Frame briefing; verify the response uses triad headings and ends with a Sources & Citations section.
  - Verify the drafted briefing cites formatted USD strings, not raw 1110000000 cent literals.
  - Confirm the follow-on priority block: "Cite `financials.display` formatted strings verbatim — never recompute currency from raw cent integers."
<a id="market-003"></a>
🔍 Feature 55: Regional Fintech Prospect Discovery Engine
- GRC Function ID: `MARKET-003`
- Exact Screen Coordinates: No UI; backend invoked when the target country is not a London or Singapore preset hub during batch load.
- Operational Purpose: Discovers real early-stage Fintech SaaS companies in board-selected expansion countries using Gemini with Google Search grounding, scores them through the ICP tier engine, and upserts into `marketProspect` when fewer than 3 rows exist for that region.
- Technical Mechanics: `Ironboard/src/services/marketIntelligence.ts`:
  - `discoverRegionalProspects(region)`: Gemini with Google Search grounding; skips when `listProspects(normalized, false).length >= 3`
  - `resolveFlywheelTargetRegions(activeHub)`: hub input parser with platform default campaign fallback
  - `verifyAndOptimizeMarketData(region, { operatorTriggered })`: purges synthetic scaffolding, triggers live discovery when the authentic count is below threshold; invoked in `buildFlywheelWorkspaceContext` and `fetchProspectingBatchForTargets` before batch assembly via `withGeminiRateLimitRetry` on outreach calls
  - `assessRegionProspectAuthenticity` / `formatProspectLineage`: authenticity audit summary in flywheel context
  - `fetchProspectingBatchForTargets(targets)`: London/Singapore use preset seed batches only when qualified authentic rows are absent; expansion countries never auto-seed `{Region} Ledger/Vault` templates
  - `calculateTierScore`: region presence +50, SOC2/ISO27001 +50, SEED/SERIES_A +100, compliance hire +75
  - `regulatoryCatalystLookup.ts`: `findLatestRegulatoryCatalystForDomain` feeds the Industry Scout catalyst block into `generateGroundedPitch`
- Agent Boundary: Irongate (Agent 14) treats discovered domains as external intel; Ironintel (Agent 16) OSINT manifest and catalyst lookup inform discovery prompt criteria and pitch hooks.
- Step-by-Step Lab Validation:
  - Set `GOOGLE_API_KEY` in `Ironboard/.env.local`.
  - POST `{ "targetCountries": ["Germany"] }` to `/api/prospects/trigger`; verify no synthetic Ledger/Vault rows; live discovery or zero-count honesty.
  - Run `tests/unit/marketProspectAuthenticity.test.ts` and `tests/unit/discoverRegionalProspects.test.ts`; all pass.
  - Run `marketIntelligence.test.ts`; verify `fetchProspectingBatchForTargets(['Germany'])` does not auto-seed expansion templates.
  - Confirm sub-threshold accounts (`tierScore < 100`) persist as `dealStage: REJECTED`.
<a id="board-011"></a>
🔧 Feature 56: Multi-Region Workspace Query Tool Extension
- GRC Function ID: `BOARD-011`
- Exact Screen Coordinates: IronBoard tool plane; `queryLocalWorkspace` function declaration surfaced in board SSE tool receipts.
- Operational Purpose: Allows boardroom discovery to filter active prospects by a single country or multi-country arrays when operators stage cross-border GTM campaigns, replacing the London/Singapore-only hub filter from prior builds.
- Technical Mechanics: `Ironboard/src/services/queryLocalWorkspace.ts`:
  - `QUERY_LOCAL_WORKSPACE_DECLARATION` adds a `regions` ARRAY parameter alongside the legacy `region` STRING
  - `executeQueryLocalWorkspace` case `active_prospects`: prefers the `regions` array when present, else the single `region`
  - `boardRouter.ts` `planDiscoveryExecution` passes `{ regions: targetCountries }` when `parseActiveTargetCountries(ctx.activeHub)` returns multiple countries
  - `prefetchBoardroomGroundTruth` in `index.ts` mirrors the same region/regions args for SSE prefetch receipts
- Agent Boundary: Ironquery (Agent 15) tool execution receipts; data sourced from the board org Prisma `marketProspect` table.
- Step-by-Step Lab Validation:
  - Ask the board "List our London prospects"; verify the prefetch SSE shows `region: "London"`.
  - Set the active hub to `GERMANY,AUSTRALIA`; ask a flywheel question; verify the prefetch shows a combined region label or `regions` array in the tool args.
  - Run a boardroom query with workspace-only intent; verify `shouldPrefetchWeb` returns false (no redundant web grounding).
<a id="docs-001"></a>
📚 Feature 57: Dual-Location Documentation Corpus Planes
- GRC Function ID: DOCS-001
- Exact Screen Coordinates: No single UI — governs `/docs` (APP_DOCS plane) vs `/governance-frame` (GOVERNANCE_BRIEFINGS plane).
- Operational Purpose: Enforces authoritative separation between internal product documentation corpus and external GTM governance briefings — never cross-compile APP_DOCS with GOVERNANCE_BRIEFINGS.
- Technical Mechanics: `lib/documentationCorpusPlanes.ts`:
  - `DOCUMENTATION_PLANE_APP_DOCS` — `user-manuals/`, `technical/`, `training/` repository prefixes; reader at `/docs`
  - `DOCUMENTATION_PLANE_GOVERNANCE_BRIEFINGS` — `briefing-queue/`, `published-briefings/`; reader at `/governance-frame/[slug]`
  - `DUAL_LOCATION_OUTPUT_MATRIX` — operational rules, author agents, trigger paths per plane
  - `APP_DOCS_EXECUTE_ENDPOINT` = `POST /api/documentation/execute`
  - board-trainer and board-writer must never write to the GOVERNANCE_BRIEFINGS plane
- Agent Boundary: Ironscribe (Agent 05) structure; Irongate (Agent 14) plane isolation; Ironlogic (Agent 9) board federation.
- Step-by-Step Lab Validation:
  - Run `tests/unit/documentationCorpusPlanes.test.ts` — verify matrix entries and prefix guards.
  - Confirm Trainer placement targets exclude `published-briefings/`.
  - Confirm Writer placement targets exclude `briefing-queue/` promotion without human operator.
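The prefix guard behind this plane separation, as an added example that is not the project's `lib/documentationCorpusPlanes.ts`: it resolves a repository path to its corpus plane, collapses `..` segments first so a path cannot be judged by a misleading prefix, and refuses automated doc-agent writes into the governance plane. The plane prefixes are the ones listed above; the agent names, the `normalizeRepoPath` step and the fail-closed rule for unknown prefixes are assumptions made for this example.

```typescript
// Added example (not the project's lib/documentationCorpusPlanes.ts): resolve a
// repository path to its corpus plane and refuse automated doc-agent writes into
// the governance plane. Prefixes are the ones named in the feature; the agent
// names and the normalisation step are assumptions for this example.

export type CorpusPlane = "APP_DOCS" | "GOVERNANCE_BRIEFINGS";
export type AuthorAgent = "board-trainer" | "board-writer" | "human-operator";

const PLANE_PREFIXES: Record<CorpusPlane, readonly string[]> = {
  APP_DOCS: ["user-manuals/", "technical/", "training/"],
  GOVERNANCE_BRIEFINGS: ["briefing-queue/", "published-briefings/"],
};

// Collapse "." and ".." segments before matching, so a path such as
// "technical/../briefing-queue/x.md" is judged by where it really lands.
export function normalizeRepoPath(path: string): string {
  const parts: string[] = [];
  for (const seg of path.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      parts.pop();
      continue;
    }
    parts.push(seg);
  }
  return parts.join("/");
}

export function resolveCorpusPlane(path: string): CorpusPlane | null {
  const normalized = normalizeRepoPath(path);
  for (const plane of Object.keys(PLANE_PREFIXES) as CorpusPlane[]) {
    if (PLANE_PREFIXES[plane].some((prefix) => normalized.startsWith(prefix))) {
      return plane;
    }
  }
  return null;
}

// Fail closed: unknown prefixes are never writable, and only a human operator
// may write into GOVERNANCE_BRIEFINGS (briefing-queue promotion included).
export function canAgentWrite(agent: AuthorAgent, path: string): boolean {
  const plane = resolveCorpusPlane(path);
  if (plane === null) return false;
  if (plane === "GOVERNANCE_BRIEFINGS") return agent === "human-operator";
  return true;
}
```

The normalisation step matters because a write target is usually assembled from a slug supplied by an agent; checking the prefix of the raw string alone would let `technical/../briefing-queue/x.md` pass as an APP_DOCS write.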
<a id="docs-002"></a>
📖 Feature 58: App Document Store DB Reader
- GRC Function ID: DOCS-002
- Exact Screen Coordinates: `/docs` index and `/docs/[slug]` article view — `DocsChrome`, `DocsSidebar`, `DocsMarkdown`.
- Operational Purpose: Serves Level 1 and Level 2 documentation from PostgreSQL `app_documents` table with `readingLevel` indexing — decoupled from static filesystem-only serving.
- Technical Mechanics:
  - Prisma `AppDocument` model: `slug`, `title`, `content`, `readingLevel`, `updatedAt`
  - `app/lib/server/appDocumentStore.ts` — `upsertAppDocument`, slug lookup
  - `app/docs/[[...slug]]/page.tsx` — loads from DB; `CompilationIngressPortal` when slug unresolved
  - `lib/appDocumentSlug.ts`, `lib/appDocumentSanitizer.ts` — slug normalization and XSS strip
  - Migration `20260618120000_init_app_documents`
  - `scripts/seed-app-documents.ts` and `prisma/seed-docs.ts` seed corpus
- Agent Boundary: Customer service agent grounds on `readingLevel: "LEVEL_1"` rows only; Ironguard (Agent 12) tenant perimeter on authenticated doc admin paths.
- Step-by-Step Lab Validation:
  - Run `tests/unit/appDocumentSlug.test.ts` and `tests/unit/docsContentDecoupling.test.ts`.
  - Open `/docs` on cloud host without full ingress — verify narrow funnel allows 200.
  - Query `app_documents` — confirm `readingLevel` values `LEVEL_1` and `LEVEL_2`.
<a id="docs-003"></a>
⚙️ Feature 59: Documentation Execute Pipeline
- GRC Function ID: DOCS-003
- Exact Screen Coordinates: No UI — `POST /api/documentation/execute` on Ironframe port 3000; IronBoard `POST /api/documentation/execute` ingress on port 8082.
- Operational Purpose: Synchronizes Trainer/Writer agent output into `app_documents` with optional filesystem mirror under `docs/` — bearer-gated internal gateway auth.
- Technical Mechanics:
  - Ironframe `app/api/documentation/execute/route.ts` — Zod schema (`slug`, `title`, `content`, `readingLevel`); `checkInternalGatewayBearerAuth`
  - `mirrorAppDocumentToFilesystem` — dual-location git-tracked mirror for APP_DOCS plane
  - IronBoard `documentationPipeline.ts`, `trainingCorpusPublisher.ts`, `trainingChapterGenerator.ts`
  - `Ironboard/src/agents/knowledge.ts` expanded — `buildTrainerDashboardGuideDraft`, `buildTrainerGlossaryDraft`, `buildWriterArchitectureDraft`, `buildWriterSecurityComplianceDraft`, `mergeCorpusWithDraft`, `buildTelemetryMirrorSection`, `buildFullAccessIngressSection`
  - `Ironboard/src/config/documentationRouting.ts` — `TRAINER_CANONICAL_SLUGS`, `WRITER_CANONICAL_SLUGS`
  - Workflow: `GET /api/board/shared-context` → `documentationBrief` → Trainer/Writer placement drafts → `publishTrainerCorpus` / `publishWriterCorpus` → `POST /api/documentation/execute`
- Agent Boundary: board-trainer (Level 1 + training tracks); board-writer (Level 2 technical); temperature 0.0 on all automated nodes.
- Step-by-Step Lab Validation:
  - Run `tests/unit/documentationBrief.test.ts` and `tests/unit/trainingCorpusPlacement.test.ts`.
  - POST valid payload with internal gateway Bearer — verify `{ ok: true, status: "synchronized" }`.
  - POST without Bearer — verify 401 from `internalGatewayUnauthorizedResponse`.
  - Run `Ironboard/tests/trainingCorpus.test.ts` — training corpus publisher paths pass.
<a id="docs-004"></a>
📡 Feature 60: Documentation Brief One-Way Ingress
- GRC Function ID: DOCS-004
- Exact Screen Coordinates: No UI — embedded in `GET /api/board/shared-context` JSON payload as `documentationBrief`.
- Operational Purpose: Hands IronBoard Trainer and Writer personas a serialized brief with corpus planes, dual-location matrix, placement targets, and live telemetry mirror — ONE_WAY_IRONFRAME_TO_BOARD with zero write-back.
- Technical Mechanics: `app/lib/board/documentationBrief.ts`:
  - `buildIronframeDocumentationBrief(contextCore)`: `corpusPlanes.appDocs` and `corpusPlanes.governanceBriefings` with author agent lists
  - `platformFacts.baselineTenantsCents` — Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 as strings
  - `fullAccess` bundle from `documentationCorpusIngress.ts`
  - `Ironboard/src/agents/knowledge.ts` expanded — Trainer/Writer consume brief; forbid authoring without it
- Agent Boundary: Ironwatch (Agent 13) telemetry mirror; Ironlogic (Agent 9) board synthesis guardrails.
- Step-by-Step Lab Validation:
  - Poll shared-context with valid tenant session — verify `documentationBrief.communicationDirection` equals `ONE_WAY_IRONFRAME_TO_BOARD`.
  - Start IronBoard query without brief in context — verify knowledge agent refuses doc authoring per mandate.
  - Run `tests/unit/documentationBrief.test.ts` — all pass.
<a id="sales-001"></a>
💼 Feature 61: Public Sales Agent Portal
- GRC Function ID: SALES-001
- Exact Screen Coordinates: `/sales-agent-portal` — `MarketingSalesPortalTrigger` on marketing homepage opens `SalesAgentSlideOver`.
- Operational Purpose: Provides unauthenticated prospect-facing lead intake isolated to the prospect pool tenant — no customer environment bleed and no public LLM pitch rendering.
- Technical Mechanics:
  - `app/api/agents/sales/route.ts` — public POST; returns `{ status: "QUEUED", interactionId, message }` immediately after CRM logging
  - `app/lib/server/salesAgentConsoleCore.ts` — Gemini synthesis at temperature 0.0 runs server-side only; output stored as `[PENDING SALES DRAFT APPROVAL]` in CRM
  - Prospect pool tenant UUID from `IRONFRAME_PROSPECT_POOL_TENANT_UUID` or Medshield fallback; CRM contact upsert uses `fullName` field
  - `isPublicProspectOnboardingPath` includes `/sales-agent-portal` and `/api/agents/sales` for quarantine funnel bypass
  - `scripts/smoke-test-sales.mjs` — sales agent smoke validation
- Agent Boundary: Ironguard (Agent 12) prospect pool isolation; Ironlogic (Agent 9) synthesis; zero authenticated tenant context required; human operator dispatch via HITL-001.
- Step-by-Step Lab Validation:
  - Run `tests/unit/agentPerimeter.test.ts` — verify prospect pool tenant binding and QUEUED response (no `pitch` field).
  - Open `/sales-agent-portal` on cloud preview without full ingress — verify 200 (narrow funnel).
  - POST to `/api/agents/sales` — verify CRM interaction summary contains `[PENDING SALES DRAFT APPROVAL]`.
  - Run `scripts/smoke-test-sales.mjs` — smoke pass.
<a id="support-001"></a>
🎧 Feature 62: Customer Service Console API
- GRC Function ID: SUPPORT-001
- Exact Screen Coordinates: `/dashboard/support` tripane chat UI (SUPPORT-003) and authenticated API `POST /api/agents/customer-service`.
- Operational Purpose: Grounds authenticated tenant support inquiries against `app_documents` where `readingLevel: "LEVEL_1"` — fail-closed 403 when Ironguard tenant validation drops; returns queued acknowledgment to operators (not live agent reply text).
- Technical Mechanics: `app/lib/server/customerServiceConsoleCore.ts`:
  - `assertIronguardApiTenantOr403` on every request — tenant-scoped; does not require `GLOBAL_ADMIN`
  - Documentation rows filtered strictly to LEVEL_1 reading level
  - Gemini synthesis temperature 0.0; proposed reply logged as `[PENDING DRAFT APPROVAL]` via per-tenant support console CRM contact
  - Response payload: `{ status: "QUEUED", interactionId, reply: acknowledgmentMessage }`
  - Prisma `ironboardCrmContact.fullName` — never `name` or `firstName`/`lastName`
- Agent Boundary: Ironguard (Agent 12) tenant perimeter; Ironscribe (Agent 05) doc citation lineage; dispatch via HITL-001.
- Step-by-Step Lab Validation:
- POST without tenant session — verify 403.
- POST with valid tenant — verify QUEUED response and CRM pending draft tag (not raw synthesis in API body).
- Confirm no LEVEL_2 technical corpus rows appear in grounded context.
<a id="auth-009"></a>
🎫 Feature 63: Workspace Invitation Token Gate
- GRC Function ID: AUTH-009
- Exact Screen Coordinates: `/register/[token]` — workspace invitation activation page; admin mint action.
- Operational Purpose: Requires valid workspace invitation token before corporate tenant provisioning — prevents unauthorized tenant creation during Phase 1 sales-assisted onboarding.
- Technical Mechanics:
  - Prisma `TenantWorkspaceInvitation` — `tokenHash`, `email`, `tenantSlug`, `status` (ACTIVE, CONSUMED, REVOKED), `expiresAt`
  - `app/lib/auth/workspaceInvitationCore.ts` — `validateWorkspaceInvitation`, `getWorkspaceInvitationForRegistration`, `resolveWorkspaceInvitationForRegistration`
  - `createWorkspaceInvitation` accepts `dispatchInviteEmail: true` — when email and tenantSlug are bound, calls `sendWorkspaceInviteEmailCore` via Resend (Bucket A invite); returns `registerUrl` from `buildRegisterInvitationUrl(token)` and an `inviteEmail` dispatch receipt (`sent`, `resendId`, or deferrable error)
  - `corporateTenantProvisionCore.ts` — invitation gate before tenant create; `relinkExistingCorporateInvite` grants `user_role_assignments` when a Supabase auth account already exists (`findSupabaseAuthUserByEmail`, `isSupabaseExistingUserError`) — returns `existingAccount: true` without duplicate invite email
  - `resolveSupabaseInviteRedirectOrigin` for corporate operator invite callbacks
  - `app/actions/admin/mintWorkspaceInvitation.ts` — GLOBAL_ADMIN mint path
  - `workspaceInvitationActivationCore.ts` — activation on token consume
  - Migration `20260618000000_crm_contact_metadata_system_agent`
- Agent Boundary: Ironguard (Agent 12) identity; Ironwatch (Agent 13) audit on consume.
- Step-by-Step Lab Validation:
  - Attempt corporate provision without invitation token — verify gate rejection.
  - Mint invitation as GLOBAL_ADMIN — open `/register/{token}` — complete activation.
  - Re-use consumed token — verify CONSUMED status blocks re-entry.
  - Mint invitation with `dispatchInviteEmail: true` — verify Resend dispatch receipt and `/register/[token]` resolves email-bound invitation view.
  - Invite email already registered in Supabase — verify relink path grants role without duplicate auth user create.
  - Run `tests/unit/workspaceInviteEmailDelivery.test.ts` and `tests/unit/workspaceInviteEmailContent.test.ts` — outbound invite HTML and deferrable error paths pass.
<a id="trust-001"></a>
🛡️ Feature 64: Trust Center Procurement Plane
- GRC Function ID: TRUST-001
- Exact Screen Coordinates: `/trust` index; `/trust/dpa`; `/trust/subprocessors`; `/trust/data-residency` — `TrustProcurementDocument.tsx`.
- Operational Purpose: Surfaces procurement-ready legal artifacts (DPA, subprocessors list, data residency statement) for enterprise buyers with BigInt cent references in liability exhibits.
- Technical Mechanics:
  - `app/(dashboard)/trust/*` pages inside dashboard route group
  - `procurement.ts` legal artifacts — ALE baseline references as BigInt integer cents (Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000)
  - Requires authenticated dashboard session — not in narrow public funnel
- Agent Boundary: Ironscribe (Agent 05) immutable legal version lineage; Irontrust (Agent 3) financial exhibit formatting.
- Step-by-Step Lab Validation:
  - Sign in as GRC_MANAGER — navigate to `/trust/dpa` — verify document renders.
  - Verify ALE exhibits cite whole integer cent strings — no float dollars in persistence paths.
  - Attempt `/trust` on cloud host without full ingress — verify 403 quarantine (private workspace).
<a id="arch-001"></a>
🏰 Feature 65: Gateway Shield Architecture Test
- GRC Function ID: ARCH-001
- Exact Screen Coordinates: No UI — CI gate `tests/architecture/gatewayShield.test.ts`.
- Operational Purpose: Scans every `app/api/**/route.ts` that imports Prisma and requires Irongate DMZ marker presence — prevents raw database ingress without sanitization guards.
- Technical Mechanics:
  - `IRONGATE_DMZ_MARKERS` — `assertIronguardApiTenantOr403`, `sanitizeThreatIngressPayload`, `checkCronBearerAuth`, `assertTenantFeatureEntitled`, etc.
  - `EXEMPT_ROUTE_SUFFIXES` — webhooks, billing webhook, auth callbacks, internal cron, platform-admin-gate
  - Fails CI when a Prisma-importing route lacks a marker and is not exempt
- Agent Boundary: Irongate (Agent 14) DMZ enforcement at architecture layer.
- Step-by-Step Lab Validation:
  - Run `npm run test -- tests/architecture/gatewayShield.test.ts` — zero violations.
  - Add new Prisma API route without DMZ marker — verify CI failure lists file path.
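The core of such an architecture gate, as an added example that is not the project's `tests/architecture/gatewayShield.test.ts`: it runs over route sources held in memory (the real gate reads `app/api/**/route.ts` from disk), flags any route that imports Prisma without calling one of the DMZ markers, and skips the exempt suffixes. The marker names are the four listed above; the literal exempt paths, the Prisma import specifiers and the four constructed sample routes are assumptions for this example. Note that the marker check requires a call site, so merely importing a guard does not satisfy it.

```typescript
// Added example (not the project's tests/architecture/gatewayShield.test.ts):
// the core check run over route file sources held in memory. The real gate
// would read app/api/**/route.ts from disk and feed each file through scanRoutes.

// Markers named in the feature description; a Prisma-importing route must call one.
export const IRONGATE_DMZ_MARKERS = [
  "assertIronguardApiTenantOr403",
  "sanitizeThreatIngressPayload",
  "checkCronBearerAuth",
  "assertTenantFeatureEntitled",
] as const;

// Route suffixes exempt from the marker rule. The page names the categories
// (webhooks, billing webhook, ...); the literal paths here are assumed.
export const EXEMPT_ROUTE_SUFFIXES = [
  "/api/webhooks/stripe/route.ts",
  "/api/billing/webhook/route.ts",
] as const;

// Assumed import specifiers for the Prisma client in this code base.
const PRISMA_IMPORT = /^\s*import\s+[^;]*\bfrom\s+["'](@\/lib\/prisma|@prisma\/client)["']/m;

export interface ShieldViolation {
  path: string;
  reason: string;
}

export function importsPrisma(source: string): boolean {
  return PRISMA_IMPORT.test(source);
}

// Require an actual call ("marker(" ), not just an import or a mention in a comment.
export function hasDmzMarker(source: string): boolean {
  return IRONGATE_DMZ_MARKERS.some((marker) => new RegExp("\\b" + marker + "\\s*\\(").test(source));
}

export function isExempt(path: string): boolean {
  return EXEMPT_ROUTE_SUFFIXES.some((suffix) => path.endsWith(suffix));
}

export function scanRoutes(routes: Record<string, string>): ShieldViolation[] {
  const violations: ShieldViolation[] = [];
  for (const [path, source] of Object.entries(routes)) {
    if (!path.endsWith("/route.ts")) continue;
    if (!importsPrisma(source) || isExempt(path)) continue;
    if (!hasDmzMarker(source)) {
      violations.push({ path, reason: "Prisma import without Irongate DMZ marker" });
    }
  }
  return violations;
}

// Constructed sample routes: one guarded, one raw ingress, one exempt, one without Prisma.
export const SAMPLE_ROUTES: Record<string, string> = {
  "app/api/threats/validate/route.ts": `
import prisma from "@/lib/prisma";
import { assertIronguardApiTenantOr403 } from "@/lib/ironguard";
export async function POST(req: Request) {
  const tenant = await assertIronguardApiTenantOr403(req);
  return Response.json(await prisma.activeRisk.findMany({ where: { tenantId: tenant.id } }));
}`,
  "app/api/leak/route.ts": `
import prisma from "@/lib/prisma";
// no guard: raw database ingress
export async function GET() { return Response.json(await prisma.activeRisk.findMany()); }`,
  "app/api/webhooks/stripe/route.ts": `
import prisma from "@/lib/prisma";
export async function POST() { return new Response("ok"); }`,
  "app/api/health/route.ts": `export function GET() { return new Response("ok"); }`,
};
```

A CI job would fail the build when `scanRoutes` returns a non-empty list and print each `path`, which is what the lab step "verify CI failure lists file path" checks for.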
<a id="billing-002"></a>
💳 Feature 66: Billing Webhook Dual Path
- GRC Function ID: BILLING-002
- Exact Screen Coordinates: No UI — `POST /api/webhooks/stripe` and `POST /api/billing/webhook`.
- Operational Purpose: Separates Stripe instant-checkout provisioning (`checkout.session.completed`) from recurring billing activation (`payment_intent.succeeded`) with independent webhook secrets and operator audit identities.
- Technical Mechanics: `config/stripe.ts`:
  - `STRIPE_WEBHOOK_PATH` = `/api/webhooks/stripe`; `STRIPE_BILLING_WEBHOOK_PATH` = `/api/billing/webhook`
  - `STRIPE_INSTANT_CHECKOUT_OPERATOR_ID` and `STRIPE_PAYMENT_INTENT_OPERATOR_ID`
  - `resolveStripeCredentialMode()` — `STRIPE_CREDENTIAL_MODE=test|live`
  - `app/api/billing/webhook/route.ts` — billing activation path
  - `parsePaymentIntent.ts` — payment intent metadata BigInt cent extraction
  - Both paths in `STRIPE_WEBHOOK_PATHS` — bypass deployment quarantine
- Agent Boundary: Irontrust (Agent 3) BigInt `amountTotalCents`; Ironwatch (Agent 13) audit operator IDs.
- Step-by-Step Lab Validation:
  - Run `tests/unit/stripeConfig.test.ts` — credential mode and dual secret resolution pass.
  - Forward `payment_intent.succeeded` to `/api/billing/webhook` — verify `TenantBilling.status` ACTIVE.
  - Run `tests/unit/stripeCheckoutParse.test.ts` — BigInt cent parsing unchanged.
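Why two secrets matter, as an added example that is not the project's `config/stripe.ts` or webhook routes: each path binds its own signing secret, operator audit identity and the single event type it is allowed to act on, so an event replayed to the other path, or signed with the other path's secret, is rejected before any billing state changes, and the amount is carried as BigInt cents. The signature check follows Stripe's documented scheme (`Stripe-Signature: t=<unix>,v1=<hex>` over `${t}.${rawBody}` with HMAC-SHA256); the secret environment names, the `handleStripeWebhook` helper and the constructed event payloads are assumptions for this example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example (not the project's config/stripe.ts or webhook routes): each
// webhook path resolves its own signing secret, operator audit identity and
// permitted event type. Secret environment names and operator ids are placeholders.

export const STRIPE_WEBHOOK_PATH = "/api/webhooks/stripe";
export const STRIPE_BILLING_WEBHOOK_PATH = "/api/billing/webhook";

interface WebhookBinding {
  secretEnv: string;
  operatorId: string;
  eventType: string;
}

const WEBHOOK_BINDINGS: Record<string, WebhookBinding> = {
  [STRIPE_WEBHOOK_PATH]: {
    secretEnv: "STRIPE_WEBHOOK_SECRET",
    operatorId: "STRIPE_INSTANT_CHECKOUT_OPERATOR_ID",
    eventType: "checkout.session.completed",
  },
  [STRIPE_BILLING_WEBHOOK_PATH]: {
    secretEnv: "STRIPE_BILLING_WEBHOOK_SECRET",
    operatorId: "STRIPE_PAYMENT_INTENT_OPERATOR_ID",
    eventType: "payment_intent.succeeded",
  },
};

export const STRIPE_WEBHOOK_PATHS: string[] = Object.keys(WEBHOOK_BINDINGS);

// Stripe's documented scheme: the Stripe-Signature header carries "t=<unix>,v1=<hex>";
// the signed payload is "<t>.<rawBody>" under HMAC-SHA256 with the endpoint secret.
export function verifyStripeSignature(rawBody: string, header: string, secret: string, nowSec: number, toleranceSec = 300): boolean {
  const parts: Record<string, string> = {};
  for (const kv of header.split(",")) {
    const i = kv.indexOf("=");
    if (i > 0) parts[kv.slice(0, i).trim()] = kv.slice(i + 1).trim();
  }
  const t = Number(parts["t"]);
  const v1 = parts["v1"];
  // Reject stale or future timestamps so a captured delivery cannot be replayed later.
  if (!Number.isInteger(t) || !v1 || Math.abs(nowSec - t) > toleranceSec) return false;
  const expected = Buffer.from(createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex"), "hex");
  const provided = Buffer.from(v1, "hex");
  return expected.length === provided.length && timingSafeEqual(expected, provided);
}

// Test helper producing a header in the same format Stripe would send.
export function signForTest(rawBody: string, secret: string, t: number): string {
  const mac = createHmac("sha256", secret).update(`${t}.${rawBody}`).digest("hex");
  return `t=${t},v1=${mac}`;
}

export type WebhookOutcome =
  | { status: 200; operatorId: string; amountCents: bigint }
  | { status: 400 | 401 | 404 };

export function handleStripeWebhook(path: string, rawBody: string, header: string, secrets: Record<string, string>, nowSec: number): WebhookOutcome {
  const binding = WEBHOOK_BINDINGS[path];
  if (!binding) return { status: 404 };
  const secret = secrets[binding.secretEnv];
  if (!secret || !verifyStripeSignature(rawBody, header, secret, nowSec)) return { status: 401 };
  const event = JSON.parse(rawBody) as {
    type: string;
    data: { object: { amount_received?: number; amount_total?: number } };
  };
  // Each path acts on exactly one event type; anything else is a routing error.
  if (event.type !== binding.eventType) return { status: 400 };
  const raw = event.data.object.amount_received ?? event.data.object.amount_total;
  if (typeof raw !== "number" || !Number.isInteger(raw)) return { status: 400 };
  // Stripe amounts are integer minor units; keep them as BigInt cents, never float dollars.
  return { status: 200, operatorId: binding.operatorId, amountCents: BigInt(raw) };
}
```

The `operatorId` returned with a successful outcome is what the audit log should record as the acting identity, which is how the two activation paths stay distinguishable after the fact.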
<a id="nav-003"></a>
🧭 Feature 67: Role Route Consolidation (Dashboard Group)
- GRC Function ID: NAV-003
- Exact Screen Coordinates: `/dashboard/cfo`, `/dashboard/ciso`, `/dashboard/board`, `/dashboard/audit`, `/dashboard/legal`, `/dashboard/ops`, `/dashboard/product`, `/dashboard/insurance`, `/dashboard/itsm`, `/dashboard/cro` — formerly under `app/roles/*`.
- Operational Purpose: Consolidates role-specific dashboard surfaces under the `app/(dashboard)/dashboard/*` route group with shared `DashboardCommandCenterLayout` chrome — eliminates duplicate layout trees.
- Technical Mechanics:
  - Deleted: `app/roles/*` entire tree
  - Added: `app/(dashboard)/dashboard/[role]/page.tsx` pattern
  - `/config` redirected to `/settings/config`
  - `grcRouteMatch.ts` `isDashboardRouteGroupPath` updated — no `/roles` prefix
  - Tenant topology/logs stubs removed (`app/gridcore/logs`, `app/medshield/topology`, etc.)
- Agent Boundary: Ironcore (Agent 1) orchestration shell unchanged per role.
- Step-by-Step Lab Validation:
  - Navigate to `/dashboard/cfo` as authenticated operator — verify role dashboard renders with TopNav.
  - Attempt legacy `/roles/cfo` — verify 404.
  - Navigate to `/settings/config` — verify config surface (formerly `/config`).
<a id="hitl-001"></a>
✅ Feature 68: Unified Human-in-the-Loop Approval Desk
- GRC Function ID: HITL-001
- Exact Screen Coordinates: `/dashboard/admin/approvals` — admin UI; `GET/POST /api/admin/approvals` API.
- Operational Purpose: Aggregates all pending agent outputs (`draftKind: "SUPPORT" | "SALES"`) for GLOBAL_ADMIN review before Resend outbound dispatch — tier inference from contact metadata (Gridcore, Vaultbank, Medshield baseline alignment).
- Technical Mechanics: `app/lib/server/approvalQueueCore.ts`:
  - Support tag: `[PENDING DRAFT APPROVAL]` · Sales tag: `[PENDING SALES DRAFT APPROVAL]`
  - Dispatch tags: `[DISPATCHED SUPPORT COURIER]` · `[DISPATCHED SALES COURIER]` · purge: `[PURGED DRAFT]`
  - `fetchPendingApprovalDrafts` — unified queue query; `parsePendingDraftSummary` handles both tag formats
  - `app/api/admin/approvals/[id]/route.ts` — DISPATCH / PURGE via `sendOutboundEmail` (Ironboard Resend transport)
  - `canUsePlatformAdminTools` — requires `UserRole.GLOBAL_ADMIN` (distinct from Ironguard tenant scope on SUPPORT-001)
- Agent Boundary: Ironwatch (Agent 13) audit on dispatch; human operator holds execution keys.
- Step-by-Step Lab Validation:
  - Run `tests/unit/approvalQueueCore.test.ts` — tier inference, sales parse, and draft kind inference pass.
  - Queue sales and support drafts — list via admin API — verify `draftKind` badges in UI.
  - DISPATCH approved reply — verify correct dispatched tag replaces pending tag.
<a id="board-012"></a>
🏛️ Feature 69: Founding Agent LLM Module Refactor
- GRC Function ID: BOARD-012
- Exact Screen Coordinates: IronBoard boardroom — CEO, CFO, CCO, Legal founding personas on port 8082.
- Operational Purpose: Centralizes founding-agent Gemini calls in `boardAgentLlm.ts` with temperature 0.0 — CEO, CFO, Compliance, and Legal personas now produce LLM assessments via `generateBoardAgentAssessment` instead of static length/temperature log strings.
- Technical Mechanics:
  - `Ironboard/src/agents/boardAgentLlm.ts` — shared `GoogleGenAI` wrapper; `generateBoardAgentAssessment({ model, roleLabel, stateSummary })`
  - `Ironboard/src/agents/founding.ts` — `formatBoardStateSummary` includes `financialProjectionsCents`, last three executive log lines, departmental approvals, and role-specific focus string; CFO path calls `assertWholeIntegerCents` before assessment
  - `Ironboard/src/state.ts` — `ironframeDocumentationBrief` annotation field for one-way brief JSON from shared-context
  - `Ironboard/src/services/email/` — Resend email package (`resend` ^6.14.0) for board outbound
  - `queryLocalWorkspace.ts` — `stringifyWorkspaceBigIntFields` prevents JSON serialization drift on CRM BigInt columns
  - `Ironboard/vitest.config.ts` — includes `tests/**/*.test.ts` for package-level integration suites
- Agent Boundary: Ironlogic (Agent 9) persona routing; Irontrust (Agent 3) BigInt stringify and `assertWholeIntegerCents` at CFO boundary.
- Step-by-Step Lab Validation:
  - Run `Ironboard/tests/agentValidation.test.ts` and `Ironboard/tests/orchestratorPipeline.test.ts` — founding and documentation artifact paths pass.
  - Run executive documentation command — verify `documentationArtifacts` includes trainer and writer slug outputs.
  - Inspect boardroom SSE — verify BigInt fields arrive as strings in tool receipts.
  - Mock `@google/genai` with class constructor pattern per `.cursorrules` — Vitest must not crash on arrow-function mocks.
<a id="carbon-002"></a>
🌿 Feature 70: Ironbloom Physical Threat Ingestion Telemetry
- GRC Function ID: CARBON-002
- Exact Screen Coordinates: No direct UI — `recordSustainabilityImpact` server action triggered on threat RESOLVED state.
- Operational Purpose: Extracts kWh physical units from `ThreatEvent.ingestionDetails` for carbon mitigated value calculation — rejects monetary-only payloads per Mandate 3.
- Technical Mechanics:
  - `parseThreatIngestionTelemetry` in `ironbloomDashboardTelemetry.ts`
  - `buildCarbonTraceFromStream` — `mitigatedValueCents` as BigInt
  - `app/lib/ironbloom/productionCarbonLedger.ts` — production ledger updates
  - `app/lib/ironbloom/tenantPhysicalTelemetry.ts` — tenant-scoped physical unit aggregation
  - Idempotent upsert per `threatId`
- Agent Boundary: Ironbloom (Agent 17) exclusive sustainability scoring; Irongate (Agent 14) rejects non-physical ingestion.
- Step-by-Step Lab Validation:
  - Run `lib/sustainability/ironbloomDashboardTelemetry.test.ts` — kWh parse and cent output pass.
  - Resolve threat with kWh in `ingestionDetails` — verify `mitigated_value_cents BIGINT` row.
  - Resolve threat with monetary-only payload — verify `no_physical_telemetry` reason.
<a id="admin-002"></a>
🚀 Feature 71: Admin Onboarding Deployments Panel
- GRC Function ID: ADMIN-002
- Exact Screen Coordinates: `/admin/onboarding` — `AdminOnboardingDashboardHeader`, `AdminOnboardingDeployments`, and the `#onboarding-controls` `CorporateOnboardingClient` section inside the dashboard route group.
- Operational Purpose: Gives GLOBAL_ADMIN operators a supervisor command plane for B2B tenant provisioning, deployment posture visibility, invitation token minting, and corporate operator invites — billing inline activation removed from client (Stripe webhook path owns activation).
- Technical Mechanics:
  - `app/lib/server/adminOnboardingDeployments.ts` — `fetchTenantDeploymentRows()` joins `tenant`, `tenantBilling`, `tenantWorkspaceInvitation`, `userRoleAssignment`, and `userLegalConsent` for deployment snapshot
  - `allocatedBaseline` — `formatCentsToAccountingUSD(tenant.ale_baseline)` where `ale_baseline` is BigInt cents in PostgreSQL (Medshield 1110000000 → `$11,100,000.00`; Vaultbank 590000000 → `$5,900,000.00`; Gridcore 470000000 → `$4,700,000.00`)
  - `infrastructureStatus` — PROVISIONED when `tenantBilling.status === ACTIVE`; STAGED otherwise
  - `legalSignoff` — COMPLETE when all tenant operators hold current `IRONFRAME_TERMS_VERSION` + `IRONFRAME_PRIVACY_VERSION` consents; PENDING_SIGNATURE when active/consumed invitations or partial consents exist; AWAITING_INITIALIZATION when no operators assigned
  - `AdminOnboardingDashboardHeader.tsx` — displays `deploymentCount` with dark cockpit grid chrome (`bg-[#020617]`)
  - `AdminOnboardingDeployments.tsx` — desktop 12-column supervisor grid (Tenant ID, Organization, ALE Target Allocation, Infrastructure, Legal Posture, Actions); responsive mobile card stack; 44px action controls; workspace gear link opens `buildTenantSubdomainOrigin(slug, port)` in new tab
  - `CorporateOnboardingClient.tsx` — mint invitation displays secure activation URL `/register/{token}`; provision form uses `parseDollarAleToBigIntCents` for ALE dollar input → BigInt cent persistence; inline Activate billing button and provisioned-workspaces list removed from client (deployments panel owns workspace inventory)
  - `assertGlobalAdminForOnboarding` in middleware — hard GLOBAL_ADMIN gate before page render; scroll allowlist prevents session collision on admin console routes
  - Page metadata: Onboarding & Tenant Deployments | Ironframe Admin
- Agent Boundary: Ironguard (Agent 12) GLOBAL_ADMIN RBAC; Ironlock (Agent 6) quarantine state display; Ironwatch (Agent 13) provision audit receipts.
- Step-by-Step Lab Validation:
  - Run `tests/unit/adminOnboardingDeployments.test.ts` — snapshot fields pass.
  - Sign in as non-admin — verify `/admin/onboarding` redirect before deployments panel loads.
  - Sign in as GLOBAL_ADMIN — verify deployments panel and provisioning controls render.
  - Mint invitation — verify `/register/{token}` URL displayed in mint result panel.
  - Confirm billing activation occurs via `/api/billing/webhook` — not manual client button.
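The cent formatting and parsing pair together with the posture derivation described above, as an added example that is not the project's `adminOnboardingDeployments.ts` or `CorporateOnboardingClient.tsx`. Both directions use string and BigInt arithmetic only, so the three baselines quoted above round-trip exactly; operator input is parsed with a regex instead of `parseFloat`. The consent version strings, the `TenantSnapshot` shape, and the precedence applied when a fully consented tenant still has an open invitation (COMPLETE wins) are assumptions for this example.

```typescript
// Added example (not the project's adminOnboardingDeployments.ts or
// CorporateOnboardingClient.tsx): BigInt-cent formatting/parsing and the
// deployment-posture derivation, run over constructed tenant snapshots.

export function formatCentsToAccountingUSD(cents: bigint): string {
  const negative = cents < BigInt(0);
  const abs = negative ? -cents : cents;
  const dollars = (abs / BigInt(100)).toString().replace(/\B(?=(\d{3})+(?!\d))/g, ",");
  const minor = (abs % BigInt(100)).toString().padStart(2, "0");
  return `${negative ? "-" : ""}$${dollars}.${minor}`;
}

// Operator input such as "11,100,000" or "$4700000.50" is parsed with string
// arithmetic only; a float round-trip could silently shift a cent.
export function parseDollarAleToBigIntCents(input: string): bigint {
  const cleaned = input.trim().replace(/^\$/, "").replace(/,/g, "");
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(cleaned);
  if (m === null) throw new RangeError(`Invalid ALE dollar amount: ${JSON.stringify(input)}`);
  const minor = (m[2] ?? "").padEnd(2, "0");
  return BigInt(m[1]) * BigInt(100) + BigInt(minor);
}

// Placeholder consent versions; the real values come from environment config.
export const IRONFRAME_TERMS_VERSION = "terms-placeholder-v1";
export const IRONFRAME_PRIVACY_VERSION = "privacy-placeholder-v1";

export interface OperatorConsent {
  termsVersion: string | null;
  privacyVersion: string | null;
}

export interface TenantSnapshot {
  slug: string;
  aleBaselineCents: bigint;
  billingStatus: "ACTIVE" | "PENDING" | "NONE";
  operators: OperatorConsent[];
  invitationStatuses: Array<"ACTIVE" | "CONSUMED" | "REVOKED">;
}

export type LegalSignoff = "COMPLETE" | "PENDING_SIGNATURE" | "AWAITING_INITIALIZATION";

export function deriveInfrastructureStatus(s: TenantSnapshot): "PROVISIONED" | "STAGED" {
  return s.billingStatus === "ACTIVE" ? "PROVISIONED" : "STAGED";
}

export function deriveLegalSignoff(s: TenantSnapshot): LegalSignoff {
  const isCurrent = (o: OperatorConsent): boolean =>
    o.termsVersion === IRONFRAME_TERMS_VERSION && o.privacyVersion === IRONFRAME_PRIVACY_VERSION;
  if (s.operators.length > 0 && s.operators.every(isCurrent)) return "COMPLETE";
  const openInvites = s.invitationStatuses.some((st) => st === "ACTIVE" || st === "CONSUMED");
  if (openInvites || s.operators.length > 0) return "PENDING_SIGNATURE";
  return "AWAITING_INITIALIZATION";
}

// One row of the supervisor grid, with the baseline already formatted for display.
export function buildDeploymentRow(s: TenantSnapshot) {
  return {
    tenantId: s.slug,
    allocatedBaseline: formatCentsToAccountingUSD(s.aleBaselineCents),
    infrastructureStatus: deriveInfrastructureStatus(s),
    legalSignoff: deriveLegalSignoff(s),
  };
}
```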
<a id="sim-003"></a>
🎯 Feature 72: Threat Validate BigInt ActiveRisk Extraction
- GRC Function ID: SIM-003
- Exact Screen Coordinates: No UI — `POST /api/threats/validate` API route.
- Operational Purpose: Validates pipeline card IDs against `ActiveRisk` and `ThreatEvent` tables — extracts numeric ActiveRisk id from card patterns (`center-risk-1`, `risk-1`, bare integer) as BigInt-safe string for ghost card reconciliation.
- Technical Mechanics: `app/api/threats/validate/route.ts`:
  - `parseActiveRiskId(cardId)` — regex extract numeric id
  - `assertIronguardApiTenantOr403` tenant guard
  - Returns `{ validIds: string[] }` subset existing in DB
  - Separates CUID threat event ids from numeric ActiveRisk ids
- Agent Boundary: Ironguard (Agent 12) tenant scope; Irontrust (Agent 3) numeric id integrity.
- Step-by-Step Lab Validation:
  - POST `{ ids: ["center-risk-1", "risk-42", "ghost-999"] }` — verify only existing ids in `validIds`.
  - POST without tenant session — verify 403.
  - Confirm ActiveRisk numeric ids handled as strings — never float conversion.
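The id extraction and classification step, as an added example that is not the project's `app/api/threats/validate/route.ts`: `parseActiveRiskId` keeps the numeric id as a digit string (a 64-bit database id above 2^53 would lose precision as a JS number), and the classifier separates CUID-shaped threat-event ids from numeric ActiveRisk card ids before the lookup, which is simulated here with constructed id sets. The three card patterns are the ones listed above; the CUID shape test, the leading-zero handling and the helper names other than `parseActiveRiskId` are assumptions for this example.

```typescript
// Added example (not the project's app/api/threats/validate/route.ts):
// numeric ActiveRisk ids stay digit strings, CUID threat-event ids are kept
// apart, and anything else (ghost cards) is never looked up.

// Card patterns from the feature: "center-risk-1", "risk-1", or a bare integer.
const ACTIVE_RISK_CARD = /^(?:center-risk-|risk-)?(\d+)$/;
// Assumed CUID shape: "c" followed by lowercase alphanumerics (Prisma @default(cuid())).
const CUID = /^c[a-z0-9]{20,}$/;

export function parseActiveRiskId(cardId: string): string | null {
  const m = ACTIVE_RISK_CARD.exec(cardId.trim());
  if (m === null) return null;
  // Normalise leading zeros without going through Number, so "007" and "7" match the same row.
  return m[1].replace(/^0+(?=\d)/, "");
}

export type CardIdClass =
  | { kind: "ACTIVE_RISK"; id: string }
  | { kind: "THREAT_EVENT"; id: string }
  | { kind: "UNKNOWN"; id: string };

export function classifyCardId(cardId: string): CardIdClass {
  const numeric = parseActiveRiskId(cardId);
  if (numeric !== null) return { kind: "ACTIVE_RISK", id: numeric };
  if (CUID.test(cardId)) return { kind: "THREAT_EVENT", id: cardId };
  return { kind: "UNKNOWN", id: cardId };
}

// The DB lookup is simulated with constructed id sets scoped to one tenant.
export function validateCardIds(
  ids: string[],
  existingActiveRisk: Set<string>,
  existingThreatEvent: Set<string>,
): { validIds: string[] } {
  const validIds: string[] = [];
  for (const raw of ids) {
    const c = classifyCardId(raw);
    if (c.kind === "ACTIVE_RISK" && existingActiveRisk.has(c.id)) validIds.push(raw);
    else if (c.kind === "THREAT_EVENT" && existingThreatEvent.has(c.id)) validIds.push(raw);
  }
  return { validIds };
}
```

Returning the caller's original card id in `validIds` (rather than the normalised numeric id) lets the pipeline UI reconcile ghost cards by the key it already holds.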
<a id="ingress-002"></a>
📥 Feature 73: Compilation Ingress Portal
- GRC Function ID: INGRESS-002
- Exact Screen Coordinates: `/docs/[slug]` — renders when slug not found in DB or filesystem; `CompilationIngressPortal.tsx`.
- Operational Purpose: Provides operator-visible staging surface when documentation slug is unresolved — triggers async compilation ingress without exposing draft queue content publicly.
- Technical Mechanics:
  - `app/docs/[[...slug]]/CompilationIngressPortal.tsx` — client portal with `targetSlug` prop; pairs with `documentationPipeline.ts` on IronBoard.
  - `docs/error.tsx` and `docs/[[...slug]]/not-found.tsx` fail closed without dashboard chrome bleed.
- Agent Boundary: Irongate (Agent 14) — unresolved slugs do not leak briefing-queue drafts.
- Step-by-Step Lab Validation:
  - Navigate to `/docs/nonexistent-slug-xyz` — verify CompilationIngressPortal renders (not dashboard 500).
  - Confirm portal does not display `briefing-queue/` draft content.
  - After `POST /api/documentation/execute` upsert — reload slug — verify article renders from DB.
<a id="training-001"></a>
📸 Feature 74: Training Screenshot Corpus Assets
- GRC Function ID: TRAINING-001
- Exact Screen Coordinates: Embedded in Level 1 and Level 2 training markdown served from `/docs` — asset paths under `/docs/training/assets/`.
- Operational Purpose: Supplies twenty-four canonical UI capture placeholders for Trainer corpus publisher chapters — enables visual milestone anchoring in classroom sandbox curriculum without inventing UI labels.
- Technical Mechanics: Binary PNG assets added in today's delta under `public/docs/training/assets/`:
  - Level 1: `level-1-01-grc-foundations.png` through `level-1-12-student-certification.png`
  - Level 2: `level-2-01-architecture-topology.png` through `level-2-12-practitioner-certification.png`, including `level-2-11-bigint-financial-integrity.png`
  - Capture pipeline scripts: `scripts/capture-training-screenshots.mjs`, `scripts/ensure-training-screenshot-placeholders.mjs`, `scripts/training-screenshot-session.mjs`
  - `config/training-corpus-manifest.json` — chapter-to-asset binding for `trainingCorpusPublisher.ts`
- Agent Boundary: board-trainer (IronBoard) owns embedding; Ironscribe (Agent 05) citation lineage for source-file paths in generated markdown.
- Step-by-Step Lab Validation:
  - Run `Ironboard/tests/trainingCorpus.test.ts` — publisher references asset paths.
  - Open a `/docs/training/` chapter — verify PNG assets resolve with 200 on local host.
  - Confirm Trainer draft cites `source-file:` paths — never invented UI label strings.
<a id="market-004"></a>
🔬 Feature 75: GTM Market Prospect Authenticity Gate
- GRC Function ID: MARKET-004
- Exact Screen Coordinates: No UI — backend gate in `marketProspectAuthenticity.ts` invoked before flywheel batch load and boardroom prefetch.
- Operational Purpose: Prevents synthetic expansion scaffolding (`{Region} Ledger`, `{Region} Vault`, `-ledger.io`, `-vault.finance`) from polluting board GTM intelligence — board personas must never cite template rows as real market research or customer proof points.
- Technical Mechanics:
  - `verifyAndOptimizeMarketData(region, { operatorTriggered })` — assesses authenticity, purges synthetic rows, triggers `discoverRegionalProspects` when below threshold
  - `isSyntheticExpansionTemplateProspect({ companyName, domain, employeeCount })` — detects Ledger (24 emp) and Vault (18 emp) patterns
  - `assessRegionProspectAuthenticity` — returns `authenticCount`, `syntheticCount`, `polluted`, `meetsAuthenticThreshold`
  - `formatProspectLineage` — emits `LIVE_WEB_GROUNDING`, `SYNTHETIC_SCAFFOLDING`, or `CURATED_DEMO_SEED`
  - `BOARD_GTM_MARKET_AUTHENTICITY_MANDATE` in `boardroomSystemPrompt.ts` — constitutional boardroom directive
- Agent Boundary: Ironlogic (Agent 9) board synthesis; Ironintel (Agent 16) live discovery backfill; Irongate (Agent 14) external intel sanitization on discovered JSON.
- Step-by-Step Lab Validation:
  - Run `tests/unit/marketProspectAuthenticity.test.ts` — synthetic detection and purge pass.
  - Load Germany batch — verify zero `{Germany} Ledger` rows after authenticity gate.
  - Ask boardroom "Who are our potential customers in Germany?" — verify response labels lineage or states live discovery in progress — never cites scaffolding as proof.
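The detection and purge logic, as an added example that is not the project's `marketProspectAuthenticity.ts`: it flags the scaffolding patterns named above (a `{Region} Ledger` name with 24 employees or `{Region} Vault` with 18, or a `-ledger.io` / `-vault.finance` domain), assesses a region batch, and purges the synthetic rows while reporting whether live discovery backfill is needed. The function names follow the page; the authenticity threshold of five rows, the `lineage` field on a prospect row, the return shape of `verifyAndOptimizeMarketData` and the constructed German prospect rows are assumptions for this example.

```typescript
// Added example (not the project's marketProspectAuthenticity.ts): detection of
// the synthetic scaffolding patterns and the region assessment built on it.
// The threshold value and the row shape are assumptions.

export type ProspectLineage = "LIVE_WEB_GROUNDING" | "SYNTHETIC_SCAFFOLDING" | "CURATED_DEMO_SEED";

export interface MarketProspect {
  companyName: string;
  domain: string;
  employeeCount: number;
  lineage?: "LIVE_WEB_GROUNDING" | "CURATED_DEMO_SEED";
}

// "{Region} Ledger" / "{Region} Vault" names paired with the template headcounts.
const TEMPLATE_NAME = /^\S.*\s(Ledger|Vault)$/;
const TEMPLATE_HEADCOUNT: Record<string, number> = { Ledger: 24, Vault: 18 };
// Template domains are synthetic regardless of headcount.
const TEMPLATE_DOMAIN = /-(ledger\.io|vault\.finance)$/i;

export function isSyntheticExpansionTemplateProspect(p: { companyName: string; domain: string; employeeCount: number }): boolean {
  if (TEMPLATE_DOMAIN.test(p.domain.trim())) return true;
  const m = TEMPLATE_NAME.exec(p.companyName.trim());
  return m !== null && p.employeeCount === TEMPLATE_HEADCOUNT[m[1]];
}

export function formatProspectLineage(p: MarketProspect): ProspectLineage {
  if (isSyntheticExpansionTemplateProspect(p)) return "SYNTHETIC_SCAFFOLDING";
  return p.lineage ?? "CURATED_DEMO_SEED";
}

export const AUTHENTIC_THRESHOLD = 5; // assumed minimum of authentic rows per region

export function assessRegionProspectAuthenticity(rows: MarketProspect[]) {
  const syntheticCount = rows.filter((r) => isSyntheticExpansionTemplateProspect(r)).length;
  const authenticCount = rows.length - syntheticCount;
  return {
    authenticCount,
    syntheticCount,
    polluted: syntheticCount > 0,
    meetsAuthenticThreshold: authenticCount >= AUTHENTIC_THRESHOLD,
  };
}

// Purge synthetic rows and report whether live discovery must backfill the region.
export function verifyAndOptimizeMarketData(rows: MarketProspect[]) {
  const kept = rows.filter((r) => !isSyntheticExpansionTemplateProspect(r));
  const after = assessRegionProspectAuthenticity(kept);
  return { kept, purged: rows.length - kept.length, needsDiscovery: !after.meetsAuthenticThreshold };
}
```

The lineage label is what a board persona should surface next to any prospect it cites, which is how the lab step "verify response labels lineage" becomes checkable.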
<a id="ux-006"></a>
👆 Feature 76: WCAG Touch Target CSS Layer
- GRC Function ID: UX-006
- Exact Screen Coordinates: Global — applies to `.ironframe-app-shell`, `.ironframe-public-landing`, and `.ironframe-docs-shell` interactive controls.
- Operational Purpose: Enforces minimum 44px (2.75rem) touch targets on coarse pointer devices per `.cursorrules` dark cockpit aesthetic mandate — eliminates double-tap zoom delay on mobile lab devices.
- Technical Mechanics: `app/globals.css` additions:
  - `touch-action: manipulation` and `-webkit-tap-highlight-color: transparent` on buttons and rounded anchors
  - `:active` scale 0.98 feedback on press (excludes docs article inline links)
  - `@media (pointer: coarse)` — `min-height: 2.75rem` on public landing, docs shell, and app shell buttons (excludes `data-compact-touch` and chip-bar controls)
- Agent Boundary: Presentation layer only — no financial or tenant scope side effects.
- Step-by-Step Lab Validation:
- Open marketing homepage on mobile viewport — inspect button computed height ≥ 44px.
- Tap docs shell navigation control — verify no 300ms zoom delay (`touch-action: manipulation`).
- Confirm article body inline links excluded from min-height rule — prose links remain natural height.
<a id="intel-002"></a>
📅 Feature 77: BOD 26-04 KEV Deadline Tracker (June 27 Operational Review)
- GRC Function ID: INTEL-002
- Exact Screen Coordinates: IronBoard Strategic Intel RAG chunks — no dedicated countdown UI chip on Ironframe port 3000.
- Operational Purpose: Tracks live CISA KEV remediation deadlines under BOD 26-04 four-variable risk matrix for operational date 2026-06-27 — post-deadline breach-assumption review across eight or more elapsed tier-1 windows. Federal contractor 24-hour KEV triage SLA guidance effective June 24, 2026 — three calendar days into enforcement on operational date 2026-06-27.
- Technical Mechanics: Manifest chunks in `grcProfessionalResearch.manifest.json` (`ironintel-osint-2026-06-26-live`):
  - CVE-2026-42271 (BerriAI LiteLLM, CVSS 8.8) — KEV June 8; BOD 26-04 deadline June 22, 2026 (elapsed five days on June 27 — post-deadline forensic triage mandatory; chain with Starlette CVE-2026-48710 for unauthenticated RCE)
  - CVE-2026-20253 (Splunk Enterprise PostgreSQL sidecar, CVSS 9.8) — KEV June 18; deadline June 21, 2026 (day seven post-deadline forensic triage on June 27)
  - CVE-2026-48907 (Joomla JCE, CVSS 9.8) — KEV June 16; deadline June 18, 2026 (elapsed nine days on June 27)
  - CVE-2026-54420 (LiteSpeed cPanel symlink escalation) — KEV June 15; deadline June 19, 2026 (elapsed eight days on June 27)
  - CVE-2026-35273 (Oracle PeopleSoft, CVSS 9.8) — KEV June 12; deadline elapsed
  - CVE-2026-50751 (Check Point VPN IKEv1, CVSS 9.3) — KEV June 8; deadline elapsed
  - CVE-2026-10520 (Ivanti Sentry, CVSS 10.0) — KEV June 11; BOD 26-04 three-day window closed June 14, 2026
  - FortiBleed (June 13–23, 2026) — 73932 to 86644 verified Fortinet credentials across 194 countries; perimeter-wide credential rotation mandate
  - Chunk `osint-01-bod-2604` — four-variable matrix: asset exposure, KEV status, exploit automation, technical impact → 3-, 14-, or 60-day tiers; federal contractor 24-hour KEV triage SLA effective June 24, 2026; agency policy update August 7, 2026; full compliance December 7, 2026
  - Chunk `osint-11-fedramp-vdr` — FedRAMP VDR/VER rules mandatory December 7, 2026 aligned with BOD 26-04 timelines
  - Financial boundary note: Industry profile `peerAleBaselineCents` in manifest are sector peer ALE anchors (Finance 1800000000, Defense 2500000000, etc.) — distinct from Ironframe seed tenant baselines (Medshield 1110000000, etc.) — all BigInt integer cents, never floats. Manifest `riskMetricsCents.medianAuditRemediationLagCents` = 890000000 cents.
- Agent Boundary: Ironintel (Agent 16) policy monitor; Ironwatch (Agent 13) KEV deadline correlation; Irontech (Agent 04) repair priority when component `healthBarPercent` below 50 on affected perimeter controls.
- Step-by-Step Lab Validation:
  - Ingest `ironintel-osint-2026-06-26-live` manifest — verify LiteLLM, Splunk, Joomla, LiteSpeed, FortiBleed, and BOD 26-04 chunks present.
  - Ask boardroom "What KEV deadlines have elapsed?" — verify LiteLLM June 22 five-day elapsed, Splunk day-seven, Joomla nine-day, and LiteSpeed eight-day elapsed citations with BOD 26-04 breach-assumption language on operational date June 27.
  - Confirm board copy cites formatted exposure strings — not raw 890000000 cent literals from manifest risk metrics.
<a id="trainer-001"></a>
🎓 Feature 78: Isolated Trainer Agent Console (board-trainer)
- GRC Function ID: TRAINER-001
- Exact Screen Coordinates: No dedicated marketing UI — authenticated operators invoke via API; training output surfaces at `/docs` under `user-manuals/` and `training/level-1/`.
- Operational Purpose: Provides tenant-scoped pedagogical synthesis isolated from live IronBoard boardroom chat — grounds exclusively on `app_documents` rows where `readingLevel` is `LEVEL_1` or `TRAINING` and slug starts with `training/` or `user-manuals/`.
- Technical Mechanics:
  - `app/api/agents/trainer/route.ts` — `POST` with `{ topic, message? }`; `assertIronguardApiTenantOr403` tenant guard
  - `app/lib/server/trainerAgentConsoleCore.ts` — `synthesizeTrainerSession`, `loadTrainerGroundingContext`, `buildTrainerCorpusWhere`
  - `TRAINER_UNGROUNDED_RESPONSE` when topic absent from corpus
  - Gemini `temperature: 0.0`, `topP: 0`, `maxOutputTokens: 2048`
  - Session audit via `agentLog` with `TRAINER_SESSION` tag and SHA-256 output hash
  - Excluded from `BOARDROOM_QUERY_ROSTER`; redirect map `board-trainer` → `/api/agents/trainer`
- Agent Boundary: board-trainer persona; Ironguard (Agent 12) tenant perimeter; Ironscribe (Agent 05) Level 1 citation lineage.
- Step-by-Step Lab Validation:
  - Run `tests/unit/trainerAgentConsoleCore.test.ts` — corpus filter and grounding paths pass.
  - Run `Ironboard/tests/boardroomDocAuthorIsolation.test.ts` — trainer excluded from query roster.
  - POST with valid tenant session and topic `dashboard guide` — verify `{ sessionId, lesson, sourceSlugs }`.
  - POST without `GOOGLE_API_KEY` — verify HTTP 503 Writer engine offline equivalent for trainer.
<a id="writer-001"></a>
✍️ Feature 79: Isolated Writer Agent Console (board-writer)
- GRC Function ID: `WRITER-001`
- Exact Screen Coordinates: No dedicated marketing UI — practitioner sessions via API; technical output surfaces at `/docs` under `technical/` and `training/level-2/`.
- Operational Purpose: Provides tenant-scoped Level 2 technical documentation synthesis isolated from live boardroom chat — grounds on `LEVEL_2` and `TRAINING` reading levels with slug prefix `technical/` or `training/level-2/` only.
- Technical Mechanics:
  - `app/api/agents/writer/route.ts` — `POST` with `{ topic, message? }`; `assertIronguardApiTenantOr403`
  - `app/lib/server/writerAgentConsoleCore.ts` — `synthesizeWriterSession`, `loadWriterGroundingContext`, `buildWriterCorpusWhere`
  - `WRITER_UNGROUNDED_RESPONSE` when topic absent from technical corpus
  - Financial baselines quoted as whole-integer cent digit strings only in practitioner briefs
  - Gemini `temperature: 0.0`, `topP: 0`, `maxOutputTokens: 2048`
  - Session audit via `agentLog` with `WRITER_SESSION` tag
  - Excluded from `BOARDROOM_QUERY_ROSTER`; redirect map `board-writer` → `/api/agents/writer`
- Agent Boundary: board-writer persona; Ironguard (Agent 12); Ironscribe (Agent 05) Level 2 practitioner specs.
- Step-by-Step Lab Validation:
  - Run `tests/unit/writerAgentConsoleCore.test.ts` — corpus filter excludes `user-manuals/`.
  - POST topic `bigint financial integrity` — verify brief cites cent strings not floats.
  - POST topic `nonexistent-api-endpoint-xyz` — verify `WRITER_UNGROUNDED_RESPONSE` text.
  - Confirm Writer cannot be invoked via `POST /api/query` on port 8082.
<a id="docs-005"></a>
🔒 Feature 80: Boardroom Documentation Author Isolation Registry
- GRC Function ID: `DOCS-005`
- Exact Screen Coordinates: No UI — enforced in IronBoard `staticContext.ts` and boardroom query routing.
- Operational Purpose: Prevents board-trainer and board-writer from participating in live executive boardroom SSE chat while retaining their roles in the offline documentation pipeline graph after legal clearance.
- Technical Mechanics:
  - `BOARDROOM_ISOLATED_AGENT_IDS` = `board-trainer`, `board-writer`
  - `BOARDROOM_QUERY_ROSTER` = `AGENTIC_BOARD_ROSTER.filter` excluding isolated IDs (length = roster − 2)
  - `BOARDROOM_ISOLATED_AGENT_REDIRECTS` maps personas to Ironframe :3000 agent routes
  - `DOCUMENTATION_CORPUS_BINDING` block injected into `buildStaticContextBundle()`
  - `Ironboard/tests/boardroomDocAuthorIsolation.test.ts` — constitutional isolation receipts
- Agent Boundary: Ironlogic (Agent 9) routing; Ironcore (Agent 1) orchestration shell.
- Step-by-Step Lab Validation:
  - Run `Ironboard/tests/boardroomDocAuthorIsolation.test.ts` — all three assertions pass.
  - Attempt boardroom query targeting `board-writer` persona — verify redirect guidance to `/api/agents/writer`.
  - Run documentation pipeline graph — verify Trainer and Writer nodes still execute post-legal clearance.
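The roster filter and redirect map described under Technical Mechanics, as an added TypeScript example that is not the project's `staticContext.ts`. The `AGENTIC_BOARD_ROSTER` contents are a constructed subset of the real 19-persona roster, and `routeBoardroomQuery` and `isolationReceipts` are names assumed for this example; the constant names match the feature text.

```typescript
// Added example (not the project's staticContext.ts): a query roster filter and redirect map in the
// shape Feature 80 describes. AGENTIC_BOARD_ROSTER contents, routeBoardroomQuery and
// isolationReceipts are constructed for this example; the real roster holds 19 personas.
type BoardroomRoute =
  | { kind: "boardroom"; agentId: string }
  | { kind: "redirect"; agentId: string; route: string }
  | { kind: "unknown"; agentId: string };

// Constructed sample roster (subset of the real 19-agent roster).
const AGENTIC_BOARD_ROSTER: readonly string[] = [
  "board-ceo", "board-cfo", "board-compliance", "board-legal",
  "board-trainer", "board-writer",
];

const BOARDROOM_ISOLATED_AGENT_IDS: readonly string[] = ["board-trainer", "board-writer"];

// A Map rather than a plain object: an object lookup would also match inherited keys such as
// "constructor", so an unknown persona could be mistaken for a redirect target.
const BOARDROOM_ISOLATED_AGENT_REDIRECTS: ReadonlyMap<string, string> = new Map([
  ["board-trainer", "/api/agents/trainer"],
  ["board-writer", "/api/agents/writer"],
]);

// Live boardroom roster = full roster minus the isolated documentation authors (length = roster - 2).
const BOARDROOM_QUERY_ROSTER: readonly string[] = AGENTIC_BOARD_ROSTER.filter(
  (id) => !BOARDROOM_ISOLATED_AGENT_IDS.includes(id),
);

// Decides how a boardroom query addressed to a persona is handled: served by the live roster,
// redirected to the isolated Ironframe :3000 agent route, or refused as unknown.
function routeBoardroomQuery(agentId: string): BoardroomRoute {
  if (BOARDROOM_QUERY_ROSTER.includes(agentId)) return { kind: "boardroom", agentId };
  const route = BOARDROOM_ISOLATED_AGENT_REDIRECTS.get(agentId);
  if (route !== undefined) return { kind: "redirect", agentId, route };
  return { kind: "unknown", agentId };
}

// The three receipts an isolation test would assert on.
function isolationReceipts(): {
  lengthIsRosterMinusTwo: boolean;
  noIsolatedIdInRoster: boolean;
  everyIsolatedIdHasRedirect: boolean;
} {
  return {
    lengthIsRosterMinusTwo: BOARDROOM_QUERY_ROSTER.length === AGENTIC_BOARD_ROSTER.length - 2,
    noIsolatedIdInRoster: BOARDROOM_ISOLATED_AGENT_IDS.every((id) => !BOARDROOM_QUERY_ROSTER.includes(id)),
    everyIsolatedIdHasRedirect: BOARDROOM_ISOLATED_AGENT_IDS.every((id) => BOARDROOM_ISOLATED_AGENT_REDIRECTS.has(id)),
  };
}
```

The point of the `Map` is the third routing outcome: a persona that is neither in the live roster nor in the redirect map must fall through to `unknown`, and a plain-object lookup keyed by untrusted persona names would not guarantee that.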
<a id="docs-006"></a>
🛡️ Feature 81: Content Firewall Governance Briefing Path Guard
- GRC Function ID: `DOCS-006`
- Exact Screen Coordinates: No UI — server-side throw in `Ironboard/src/io/safeDocsWriter.ts`.
- Operational Purpose: Blocks Trainer and Writer from writing into `briefing-queue/` or `published-briefings/` — governance briefings must use human promotion workflow to `/governance-frame`, not automated APP_DOCS pipeline.
- Technical Mechanics:
  - `FORBIDDEN_BRIEFING_PREFIXES` = `briefing-queue/`, `published-briefings/`
  - `assertAppDocsPlacementPath` invoked before `resolveDocsPath`
  - `ALLOWED_HUB_PREFIXES` expanded to include `user-manuals/`
  - `Ironboard/tests/agentValidation.test.ts` — rejects `published-briefings/test-brief.md` for WRITER role
- Agent Boundary: Irongate (Agent 14) plane isolation; Ironscribe (Agent 05) corpus placement.
- Step-by-Step Lab Validation:
  - Run `Ironboard/tests/agentValidation.test.ts` — governance briefing rejection test passes.
  - Attempt `writeHubAssetSafely("briefing-queue/draft.md", ...)` — verify `ContentFirewallRejectedError`.
  - Confirm `publishTrainerCorpus` targets only APP_DOCS plane prefixes.
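A placement guard of the kind Feature 81 describes, as an added TypeScript example rather than the project's `safeDocsWriter.ts`. The forbidden prefixes and the `user-manuals/` hub prefix come from the feature text; the other allowed prefixes (`training/`, `technical/`), the normalisation step and `placementVerdict` are assumptions of this example. It goes one step beyond the text by normalising the path first, so that `..` segments or a leading slash cannot turn a string-prefix check into a bypass.

```typescript
import { posix } from "node:path";

// Added example (not the project's safeDocsWriter.ts): an allow-list placement guard in the
// shape Feature 81 describes. Prefix lists mirror the feature text except training/ and
// technical/, which are assumed; normaliseDocsPath and placementVerdict are assumed helpers.
class ContentFirewallRejectedError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "ContentFirewallRejectedError";
  }
}

const FORBIDDEN_BRIEFING_PREFIXES: readonly string[] = ["briefing-queue/", "published-briefings/"];
// user-manuals/ is on the page; training/ and technical/ are assumed for this example.
const ALLOWED_HUB_PREFIXES: readonly string[] = ["user-manuals/", "training/", "technical/"];

// Normalise before checking so that "briefing-queue/../x.md", "/published-briefings/x.md" or a
// backslash-separated path cannot sidestep a plain string-prefix comparison. Paths that arrive
// URL-encoded must be decoded before this point.
function normaliseDocsPath(rawPath: string): string {
  const forwardSlashed = rawPath.replace(/\\/g, "/");
  const cleaned = posix.normalize(forwardSlashed).replace(/^\/+/, "");
  if (cleaned === "." || cleaned === ".." || cleaned.startsWith("../")) {
    throw new ContentFirewallRejectedError(`path escapes docs root: ${rawPath}`);
  }
  return cleaned;
}

// Throws ContentFirewallRejectedError for the governance briefing plane and for anything
// outside the APP_DOCS hub prefixes; returns the normalised path on success.
function assertAppDocsPlacementPath(rawPath: string): string {
  const cleaned = normaliseDocsPath(rawPath);
  if (FORBIDDEN_BRIEFING_PREFIXES.some((p) => cleaned.startsWith(p))) {
    throw new ContentFirewallRejectedError(`governance briefing plane is human-promotion only: ${cleaned}`);
  }
  if (!ALLOWED_HUB_PREFIXES.some((p) => cleaned.startsWith(p))) {
    throw new ContentFirewallRejectedError(`path outside APP_DOCS hub prefixes: ${cleaned}`);
  }
  return cleaned;
}

// Table-driven convenience: returns the outcome name instead of throwing.
function placementVerdict(rawPath: string): "ACCEPTED" | "ContentFirewallRejectedError" {
  try {
    assertAppDocsPlacementPath(rawPath);
    return "ACCEPTED";
  } catch (e) {
    if (e instanceof ContentFirewallRejectedError) return "ContentFirewallRejectedError";
    throw e;
  }
}
```

The guard is deny-by-default: a path is written only if it survives normalisation, is not on the briefing plane, and starts with an allowed hub prefix. Checking the forbidden list first gives the auditor a specific rejection reason for the case the lab step exercises.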
<a id="support-002"></a>
📧 Feature 82: IronBoard Customer Service Email Draft Worker
- GRC Function ID: `SUPPORT-002`
- Exact Screen Coordinates: No Ironframe UI — IronBoard package `Ironboard/src/agents/customerService/index.ts` invoked from Resend email ingress.
- Operational Purpose: Drafts support email replies from LEVEL_1 documentation and CRM interaction history — stores `[PENDING DRAFT APPROVAL]` in `ironboardCrmInteraction` with `channel: "EMAIL"` for HITL dispatch; never auto-sends outbound mail.
- Technical Mechanics:
  - `loadLevelOneKnowledgeContext` — max 12 docs, 6000 chars each
  - `loadContactHistoryContext` — last 3 interactions by `occurredAt` desc
  - `runCustomerServiceAgent(tenantId, contactId, message)` — Gemini at `DETERMINISTIC_GENERATION_PARAMS`
  - `logInteraction` with consolidated summary including Resend `emailId`
  - `Ironboard/src/api/ingress/email.ts` — ingress wiring
  - `Ironboard/src/agents/customerService/index.test.ts` — unit coverage
- Agent Boundary: Ironlogic (Agent 9) synthesis; Ironguard (Agent 12) tenant scope on CRM writes; dispatch via HITL-001.
- Step-by-Step Lab Validation:
  - Run `Ironboard/src/agents/customerService/index.test.ts` — draft generation paths pass.
  - Ingest test Resend payload — verify interaction summary contains `[PENDING DRAFT APPROVAL]`.
  - Confirm no outbound `sendOutboundEmail` without GLOBAL_ADMIN DISPATCH action.
<a id="intel-003"></a>
🌉 Feature 83: Industry Scout Prospect Bridge
- GRC Function ID: `INTEL-003`
- Exact Screen Coordinates: No UI — `POST /api/internal/cron/industry-scout` artifact payload.
- Operational Purpose: Bridges Industry Scout OSINT crawl output into CRM prospect rows after Irongate sanitization — extends cron artifact with `prospectBridge` telemetry for board flywheel authenticity backfill.
- Technical Mechanics:
  - `runIndustryScoutProspectBridge({ tenantId })` invoked after `runIndustryScoutWorker`
  - Cron artifact `payloadJson` includes `prospectBridge` alongside `scout` and `drive`
  - Bearer `IRONFRAME_CRON_SECRET` middleware passthrough on cloud quarantine hosts
- Agent Boundary: Ironintel (Agent 16) discovery; Irongate (Agent 14) sanitization before CRM persistence.
- Step-by-Step Lab Validation:
  - POST cron with valid Bearer — verify response JSON includes `prospectBridge` object.
  - Run `tests/unit/industryScoutProspectBridge.test.ts` — bridge merge paths pass.
  - Confirm synthetic scaffolding purged by MARKET-004 gate before board synthesis.
<a id="export-002"></a>
📤 Feature 84: Ironquery Export Feature Entitlement Gate
- GRC Function ID: `EXPORT-002`
- Exact Screen Coordinates: `GET` and `POST /api/ironquery/export` (API); `/dashboard/exports` renders `ExportScopeRequiredPanel` when entitlement absent; authenticated Command Post (`DashboardHomeClient`) mounts `ExportScopeRequiredBanner` when `exportScope=required` query param present.
- Operational Purpose: Requires tenant feature flag `IRONQUERY_EXPORT` before evidence artifact export — fail-closed 403 with `TenantFeatureAccessDenied` when entitlement absent; surfaces in-page guidance instead of silent redirect when operator navigates export path directly.
- Technical Mechanics:
  - `assertTenantFeatureEntitled(tenantId, "IRONQUERY_EXPORT")` on GET and POST handlers
  - `getIronqueryExportDashboardContext` in `ironqueryExportActions.ts` — returns `{ ok: false, error }` when scope missing; page renders panel inline
  - `app/dashboard/exports/page.tsx` — replaced `redirect("/?exportScope=required")` with `<ExportScopeRequiredPanel message={context.error} />`
  - `DashboardHomeClient.tsx` — `<ExportScopeRequiredBanner />` for query-param surfaced scope requirement on Command Post
  - Listed in `IRONGATE_DMZ_MARKERS` for gateway shield architecture test
  - Token-gated path bypasses deployment quarantine middleware
- Agent Boundary: Ironquery (Agent 15) export signer; Ironguard (Agent 12) entitlement enforcement.
- Step-by-Step Lab Validation:
  - Run `tests/unit/tenantFeatureEntitlement.test.ts` — IRONQUERY_EXPORT gate passes.
  - Request export without entitlement — verify HTTP 403.
  - Navigate `/dashboard/exports` without entitlement — verify `ExportScopeRequiredPanel` renders in-page (no redirect loop).
  - Run `tests/architecture/gatewayShield.test.ts` — route retains DMZ marker.
<a id="support-003"></a>
💬 Feature 85: Authenticated Support Console Tripane UI
- GRC Function ID: `SUPPORT-003`
- Exact Screen Coordinates: `/dashboard/support` — full-height chat column inside dashboard chrome; cyan/indigo dark cockpit tokens (`bg-[#020617]`, `border-cyan-500/20`).
- Operational Purpose: Gives authenticated tenant operators a WCAG-compliant support chat surface that POSTs to `/api/agents/customer-service` via `tenantFetch` — displays `SYSTEM_AGENT` and `USER` channel messages with 44px minimum send control (`h-11`).
- Technical Mechanics:
  - `app/(dashboard)/dashboard/support/page.tsx` — client component with `useTenantContext`
  - Initial `SYSTEM_AGENT` greeting references Level 1 compliance manuals
  - Error path: "Core connection boundary disrupted" on fetch failure
  - Queued acknowledgment displayed when API returns `{ reply }` or `{ error }`
- Agent Boundary: Ironguard (Agent 12) `tenantFetch` injection; links to SUPPORT-001 API.
- Step-by-Step Lab Validation:
  - Sign in as scoped tenant operator — navigate `/dashboard/support` — verify chat renders.
  - Send test message — verify QUEUED or acknowledgment response in thread.
  - Inspect send button computed height ≥ 44px on coarse pointer viewport.
<a id="onboard-001"></a>
🎓 Feature 86: Design-Partner Get Started Onboarding Portal
- GRC Function ID: `ONBOARD-001`
- Exact Screen Coordinates: `/get-started` — three-column grid inside dashboard chrome: left guided step panel (Level 1 screenshot + step narration controls), center interactive checklist (click-to-focus rows with indigo ring on active step), right Trainer sandbox (`TrainerAgentSessionForm`); TopNav link with `data-testid="topnav-get-started-link"`; fixed bottom inline doc reader drawer when docs step opens.
- Operational Purpose: Gives authenticated design-partner operators a progressive five-step initialization hub — Command Post orientation, Integrity Hub ALE review, Level 1 curriculum index, isolated Trainer sandbox question, and audit export path — without requiring GLOBAL_ADMIN provisioning access. Copy explicitly scopes invite and credential steps to workspace email (post-activation only). Progress persists client-side and emits immutable `TRAINING_ONBOARDING` audit receipts to `agent_logs` for compliance traceability.
- Technical Mechanics:
  - `app/lib/getStartedSteps.ts` — canonical step registry:
    - `quickstart` → `/docs/user-manuals/quickstart` — title Command Post orientation; hash anchor `#orientation` via `GET_STARTED_ORIENTATION_HASH`
    - `integrity-hub` → `/integrity` (ALE baselines displayed as formatted USD; stored as BigInt integer cents)
    - `level1-index` → `/docs/training/LEVEL1-STUDENT-INDEX`
    - `trainer-session` → `/get-started#trainer-sandbox` (completed via successful `POST /api/agents/trainer` through `TrainerAgentSessionForm`)
    - `export-path` → `/dashboard/exports`
  - `app/lib/getStartedStepVisuals.ts` — per-step `screenshotSrc`, `screenshotAlt`, and `actionCue` bound to Level 1 training corpus PNG assets
  - `app/lib/getStartedStepAudio.ts` — `getStartedStepAudioSrc(stepId)` resolves `/docs/training/assets/get-started-orientation/steps/{stepId}.mp3`
  - `GetStartedPortalClient.tsx` — localStorage keys `ironframe-get-started-v1` (progress map), `ironframe-get-started-dismissed` (banner suppression), `ironframe-get-started-step-audio-autoplay` (default on); percent-complete bar; 44px minimum controls (`h-11`); `OperatorActivationBanner` for activation-state guidance; `guidedStepId` focus state with checklist row keyboard activation (Enter/Space)
  - Guided step panel: left aside shows current step index, corpus screenshot, Play step narration / Auto-play On|Off toggles, hidden `<audio>` element with `onEnded`/`onPlay` state sync
  - Inline documentation reader drawer: docs checklist steps call `openInlineGuide(href, stepId)` — sets `useGetStartedReaderStore` href, updates URL hash to `#orientation`, fetches `GET /api/docs/reader?slug=` via `tenantFetch`, renders `DocsMarkdown` with `inlineDocPathResolver` (in-portal `/get-started` links resolve to `#orientation`); quickstart opens `GetStartedOrientationFallback` companion mode; fixed bottom overlay (`z-[25]`) with simulation-aware top offset classes; Escape closes drawer and restores body scroll
  - Orientation walkthrough popout: optional `NEXT_PUBLIC_GET_STARTED_VIDEO_URL` — audio URLs (`.mp3`, `.m4a`, `.wav`, `.ogg`) invoke `openOrientationWalkthroughWindow()` for separate-window crossfade walkthrough; video URLs open full-screen orientation window; pauses inline step audio before popout
  - `TrainerAgentSessionForm` — shared component posting to `POST /api/agents/trainer`; `onLessonReceived` callback marks `trainer-session` complete; also mounted globally in Feature 87 drawer
  - Footer deep-links: `/docs/user-manuals/dashboard-guide`, `/docs/user-manuals/glossary`, `/docs/end-users/onboarding`
  - `POST /api/get-started/progress` — `assertIronguardApiTenantOr403` fail-closed 403; body `{ stepId, completed, allComplete }`; returns `{ status: "LOGGED" }`; uses `keepalive: true` for unload-safe persistence; benign abort errors swallowed via `isBenignRuntimeEmissionError`
  - `getStartedOnboardingCore.ts` — `logGetStartedProgress` writes `agentLog.message` JSON with tag `TRAINING_ONBOARDING`, SHA-256 `outputHash` (16 hex chars), ISO `occurredAt`
  - `AppShell.tsx` — `useIronwatchTelemetryFeed(false)` when `pathname` is `/get-started` (onboarding portal isolation from live Ironwatch poll noise)
  - `DashboardBillingGate.tsx` — `/get-started` added to `BILLING_EXEMPT_PREFIXES` alongside `/admin/onboarding` and `/account/billing-hold`
  - `grcRouteMatch.ts` — `/get-started` registered in `isDashboardRouteGroupPath` and `isScrollableStandalonePath` for standalone scroll behavior
- Agent Boundary: Ironguard (Agent 12) tenant-scoped `tenantFetch` and API guard; Ironscribe (Agent 05) Trainer corpus grounding via isolated Trainer console (DOCS-005); Ironwatch (Agent 13) audit log persistence on step completion — telemetry feed intentionally suppressed on this route during onboarding.
- Step-by-Step Lab Validation:
  - Sign in as scoped tenant operator — navigate `/get-started` — verify five checklist rows render with progress bar at 0%, guided step panel shows step 1 screenshot, and `OperatorActivationBanner` visible when applicable.
  - Click checklist row — verify indigo focus ring moves and guided panel updates screenshot and narration target.
  - Click Open orientation guide on quickstart step — verify bottom drawer opens with `GetStartedOrientationFallback` companion or `/api/docs/reader` content without navigation away from checklist.
  - Press Escape — verify drawer closes and checklist remains scrollable.
  - Toggle Auto-play Off — verify step narration does not auto-start on step focus change.
  - Mark `quickstart` complete — verify localStorage updates and `POST /api/get-started/progress` returns `{ status: "LOGGED" }`.
  - Submit Trainer sandbox question via `TrainerAgentSessionForm` — verify `POST /api/agents/trainer` returns `{ lesson }` and `trainer-session` step auto-completes.
  - POST progress without tenant session — verify HTTP 403 from Ironguard guard.
  - With tenant billing PAST_DUE, navigate `/get-started` — verify billing hold overlay does not block (exempt prefix).
  - Confirm Ironwatch poll does not fire on `/get-started` (network tab — no resilience intel requests during onboarding session).
  - Run `tests/unit/getStartedOnboarding.test.ts` — guard failure, missing stepId, and TRAINING_ONBOARDING persistence paths pass.
  - Run `tests/e2e/docs-public.spec.ts` — public docs reader narrow funnel remains reachable on cloud hosts.
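The `TRAINING_ONBOARDING` receipt that `logGetStartedProgress` writes (tag, ISO `occurredAt`, 16-hex-char SHA-256 `outputHash`), as an added TypeScript example that is not the project's `getStartedOnboardingCore.ts`. The step ids and request body fields are taken from the feature text; the receipt's `tenantId` field, the canonical key order, and the `buildOnboardingReceipt` / `verifyOnboardingReceipt` names are assumptions of this example, as is the choice to reject unknown step ids (the page only says the missing-stepId path is tested).

```typescript
import { createHash } from "node:crypto";

// Added example (not the project's getStartedOnboardingCore.ts): builds the TRAINING_ONBOARDING
// receipt Feature 86 describes and lets an auditor re-verify it. Step ids and body fields are from
// the page; tenantId, the canonical key order and the function names are assumed here.
const GET_STARTED_STEP_IDS = ["quickstart", "integrity-hub", "level1-index", "trainer-session", "export-path"] as const;
type GetStartedStepId = (typeof GET_STARTED_STEP_IDS)[number];

interface ProgressBody { stepId: string; completed: boolean; allComplete: boolean }

interface OnboardingReceipt {
  tag: "TRAINING_ONBOARDING";
  tenantId: string;
  stepId: GetStartedStepId;
  completed: boolean;
  allComplete: boolean;
  occurredAt: string; // ISO 8601
  outputHash: string; // first 16 hex chars of SHA-256 over the canonical payload
}

function isGetStartedStepId(v: string): v is GetStartedStepId {
  return (GET_STARTED_STEP_IDS as readonly string[]).includes(v);
}

// Canonical JSON with a fixed key order, so every writer and verifier hashes the same bytes.
function canonicalPayload(r: Omit<OnboardingReceipt, "outputHash">): string {
  return JSON.stringify({
    tag: r.tag, tenantId: r.tenantId, stepId: r.stepId,
    completed: r.completed, allComplete: r.allComplete, occurredAt: r.occurredAt,
  });
}

function hash16(text: string): string {
  return createHash("sha256").update(text, "utf8").digest("hex").slice(0, 16);
}

// Validates the request body (missing or unknown stepId is rejected) and returns the receipt the
// agent log would store. `now` is injectable so tests get a fixed occurredAt.
function buildOnboardingReceipt(tenantId: string, body: Partial<ProgressBody>, now: Date = new Date()): OnboardingReceipt {
  const stepId = body.stepId;
  if (typeof stepId !== "string" || !isGetStartedStepId(stepId)) throw new Error("missing or unknown stepId");
  if (typeof body.completed !== "boolean" || typeof body.allComplete !== "boolean") {
    throw new Error("completed and allComplete must be booleans");
  }
  const base = {
    tag: "TRAINING_ONBOARDING" as const,
    tenantId,
    stepId,
    completed: body.completed,
    allComplete: body.allComplete,
    occurredAt: now.toISOString(),
  };
  return { ...base, outputHash: hash16(canonicalPayload(base)) };
}

// Auditor-side check: recompute the hash from the stored fields; an edited row no longer matches.
function verifyOnboardingReceipt(r: OnboardingReceipt): boolean {
  const { outputHash, ...rest } = r;
  return /^[0-9a-f]{16}$/.test(outputHash) && hash16(canonicalPayload(rest)) === outputHash;
}
```

A 16-hex-character prefix (64 bits) is enough to detect accidental edits or mismatched rows during an audit; it is not a signature, so it does not by itself prove who wrote the row.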
<a id="trainer-002"></a>
🎓 Feature 87: Global Trainer Agent Drawer (Ask Trainer)
- GRC Function ID: `TRAINER-002`
- Exact Screen Coordinates: Slide-over panel from right edge on any authenticated workspace route — opened via Header #1 Ask Trainer control; portal id `trainer-agent-drawer`; width `min(100vw, 420px)`; backdrop `bg-black/45`.
- Operational Purpose: Gives operators corpus-locked Level 1 Trainer access from any tripane workspace surface without navigating to `/get-started` — same isolated synthesis path as ONBOARD-001 sandbox but globally available during live operations.
- Technical Mechanics:
  - `app/components/trainer/TrainerAgentDrawer.tsx` — React portal with `createPortal`; `useTrainerAgentDrawerStore` open/close state; simulation-aware top offset (`LAYOUT_AGENT_INSPECT_DRAWER_TOP_CLASS` vs `_SIM_CLASS`); slide-in animation via `translate-x` transition; Escape and backdrop click dismiss; body scroll lock while open
  - `app/components/trainer/TrainerAgentSessionForm.tsx` — shared form component with preset prompts; posts to `POST /api/agents/trainer` via `tenantFetch`
  - `AppShell.tsx` — mounts `<TrainerAgentDrawer />` on both standalone scroll and tripane layout branches alongside `AgentInspectShell`
  - Cross-link in Get Started portal: "Also available from Ask Trainer in Header #1 on any workspace route"
- Agent Boundary: board-trainer persona via TRAINER-001 console; Ironguard (Agent 12) tenant-scoped fetch; excluded from IronBoard live boardroom roster per DOCS-005.
- Step-by-Step Lab Validation:
  - From `/integrity`, open Header #1 Ask Trainer — verify drawer slides in from right with backdrop.
  - Submit training topic — verify `{ lesson, sourceSlugs }` response renders in drawer.
  - Press Escape — verify drawer closes and tripane scroll restores.
  - Confirm drawer top offset adjusts when simulation mode banner active (demo sandbox + simulation mode → `top-[13.5rem]`).
<a id="board-012"></a>
🧠 Feature 88: Founding Board Agent LLM Assessment Engine
- GRC Function ID: `BOARD-012`
- Exact Screen Coordinates: No UI — LangGraph founding nodes in `Ironboard/src/agents/founding.ts` (CEO, CFO, Compliance, Legal).
- Operational Purpose: Replaces static template assessment log strings with deterministic Gemini synthesis for founding board personas while preserving BigInt cent validation gates on every financial turn.
- Technical Mechanics:
  - `Ironboard/src/agents/boardAgentLlm.ts` exports `generateBoardAgentAssessment({ model, roleLabel, stateSummary })` — temperature 0.0 via `instantiateBoardAgentModel`
  - `formatBoardStateSummary` in `founding.ts` anchors `financialProjectionsCents` as whole-integer cent string in state summary passed to LLM
  - `assertWholeIntegerCents` in `agentCFO` and `agentCompliance` before assessment — rejects non-integer cent strings
  - CFO focus string cites constitutional baselines: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 cents
  - `Ironboard/src/lib/geminiRetry.ts` exports `withGeminiRateLimitRetry` — wraps market intelligence outreach and other Gemini calls with rate-limit backoff (label: `'market-intelligence-outreach'`)
  - `Ironboard/src/services/marketIntelligence.ts` `generateGroundedPitch` uses `withGeminiRateLimitRetry` and `regulatoryCatalystLookup.findLatestRegulatoryCatalystForDomain` for catalyst-aware value propositions
- Agent Boundary: Ironlogic (Agent 9) founding synthesis; Irontrust (Agent 3) BigInt cent assertion; Ironintel (Agent 16) regulatory catalyst hooks in grounded pitch path.
- Step-by-Step Lab Validation:
  - Run IronBoard documentation pipeline — verify CEO/CFO/Compliance/Legal nodes emit non-empty `executiveSummaryLog` entries from LLM assessment.
  - Inject invalid `financialProjectionsCents` float string — verify `assertWholeIntegerCents` throws before CFO synthesis.
  - Run `Ironboard/src/lib/geminiRetry.test.ts` — rate-limit retry paths pass.
  - Run `Ironboard/tests/agentValidation.test.ts` — founding agent validation suite passes with new assessment path.
<a id="market-004"></a>
🔬 Feature 89: Flywheel Target Region Resolver & Market Authenticity Gate
- GRC Function ID: `MARKET-004`
- Exact Screen Coordinates: No UI — consumed by `buildFlywheelWorkspaceContext`, `fetchProspectingBatchForTargets`, and boardroom prefetch.
- Operational Purpose: Normalizes active hub country lists, purges synthetic `{Region} Ledger/Vault` scaffolding before board synthesis, and runs live web discovery only when authentic prospect count falls below threshold — preventing GTM hallucination in executive board packets.
- Technical Mechanics:
  - `Ironboard/src/lib/flywheelTargetCountries.ts` exports `resolveFlywheelTargetRegions(activeHub)` — parses hub input or falls back to `readDefaultTargetCountriesText()`
  - `Ironboard/src/services/marketProspectAuthenticity.ts` — `verifyAndOptimizeMarketData`, `assessRegionProspectAuthenticity`, `isSyntheticExpansionTemplateProspect`, `formatProspectLineage`
  - `buildFlywheelWorkspaceContext` invokes `verifyAndOptimizeMarketData` per region before batch assembly; flywheel context includes `Market authenticity audit: {region}: authentic=N synthetic=N polluted=bool`
  - `fetchProspectingBatchForTargets` — London/Singapore curated seeds only when qualified authentic rows absent; expansion regions rely on live web discovery via `discoverRegionalProspects.ts`
  - `generateGroundedPitch` value proposition uses catalyst string when Industry Scout catalyst found: `{authority} catalyst · {matchedFramework} · BigInt Integrity`
- Agent Boundary: Irongate (Agent 14) external intel sanitization; Ironintel (Agent 16) catalyst lookup; Ironquery (Agent 15) workspace tool receipts.
- Step-by-Step Lab Validation:
  - Run `tests/unit/marketProspectAuthenticity.test.ts` — synthetic detection and purge paths pass.
  - Run `tests/unit/discoverRegionalProspects.test.ts` — regional discovery engine paths pass.
  - Run `Ironboard/src/services/marketIntelligence.test.ts` — expansion batch does not auto-seed synthetic templates.
  - Submit boardroom GTM query — verify flywheel context includes authenticity summary and `SYNTHETIC_SCAFFOLDING` warning mandate.
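The synthetic-scaffolding detector, per-region authenticity audit and purge that Feature 89 describes, as an added TypeScript example that is not the project's `marketProspectAuthenticity.ts`. The function names and the audit line format are from the feature text; the `ProspectRow` shape, its `source` provenance tag, the "no domain means synthetic" heuristic, `formatAuthenticityAuditLine`, and the sample rows are all constructed for this example.

```typescript
// Added example (not the project's marketProspectAuthenticity.ts): a detector for the
// "{Region} Ledger/Vault" scaffolding Feature 89 describes, the per-region audit summary, and the
// purge step. Row shape, source tag, the no-domain heuristic and the sample rows are constructed.
interface ProspectRow {
  company: string;
  region: string;
  source: "WEB_DISCOVERY" | "CURATED_SEED" | "TEMPLATE"; // assumed provenance tag
  domain?: string;
}

interface RegionAuthenticity { region: string; authentic: number; synthetic: number; polluted: boolean }

// Escapes a region name so it can be embedded in a RegExp literally (e.g. "St. Louis").
function escapeRegExp(text: string): string {
  return text.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Synthetic if explicitly tagged as a template, if the company name is "<Region> Ledger" or
// "<Region> Vault" (optionally numbered), or if no domain was ever resolved for it.
function isSyntheticExpansionTemplateProspect(row: ProspectRow): boolean {
  const templateName = new RegExp(`^${escapeRegExp(row.region)}\\s+(Ledger|Vault)(\\s*\\d+)?$`, "i");
  return row.source === "TEMPLATE" || templateName.test(row.company.trim()) || !row.domain;
}

function assessRegionProspectAuthenticity(region: string, rows: readonly ProspectRow[]): RegionAuthenticity {
  const inRegion = rows.filter((r) => r.region === region);
  const synthetic = inRegion.filter(isSyntheticExpansionTemplateProspect).length;
  return { region, authentic: inRegion.length - synthetic, synthetic, polluted: synthetic > 0 };
}

// Purges scaffolding for one region so only authentic rows reach board synthesis; rows from other
// regions are passed through untouched.
function verifyAndOptimizeMarketData(region: string, rows: readonly ProspectRow[]): { audit: RegionAuthenticity; rows: ProspectRow[] } {
  const audit = assessRegionProspectAuthenticity(region, rows);
  const kept = rows.filter((r) => r.region !== region || !isSyntheticExpansionTemplateProspect(r));
  return { audit, rows: kept };
}

// The line the flywheel context carries, in the format quoted on the page.
function formatAuthenticityAuditLine(a: RegionAuthenticity): string {
  return `Market authenticity audit: ${a.region}: authentic=${a.authentic} synthetic=${a.synthetic} polluted=${a.polluted}`;
}

// Constructed sample rows: one authentic London prospect, two London scaffolds, one Singapore seed.
const SAMPLE_PROSPECTS: readonly ProspectRow[] = [
  { company: "Example Pharma Ltd", region: "London", source: "WEB_DISCOVERY", domain: "example-pharma.example" },
  { company: "London Ledger", region: "London", source: "TEMPLATE" },
  { company: "London Vault 2", region: "London", source: "WEB_DISCOVERY", domain: "placeholder.example" },
  { company: "Example Bank Pte", region: "Singapore", source: "CURATED_SEED", domain: "example-bank.example" },
];
```

Running the audit before purging keeps the evidence: the board packet still reports how many scaffold rows were removed, which is what the `polluted=true` flag and the `SYNTHETIC_SCAFFOLDING` warning in the last lab step rely on.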
🧬 Chapter 5: Nineteen-Agent Architecture Cross-Reference (Delta Verification)
Today's code delta touches the following agents. Use this matrix during audits to confirm boundary integrity for operational date 2026-06-27:
| Agent # | Codename | Today's Delta Touchpoints |
|---|---|---|
| 1 | Ironcore | Route consolidation under app/(dashboard)/dashboard/*; /get-started design-partner hub with guided step panel, per-step audio, inline doc reader drawer, orientation popout, and global TrainerAgentDrawer; AppShellRouter; documentation execute pipeline; shared-context documentationBrief emission; /docs DB reader with .html-only legacy rewrites; grcRouteMatch scroll allowlist for admin and get-started |
| 3 | Irontrust | BigInt cent storage unchanged; dual Stripe webhook cent parsing; threat validate ActiveRisk id extraction; corporate provision parseDollarAleToBigIntCents; admin deployment formatCentsToAccountingUSD display-only conversion; Ironbloom physical telemetry gate — no severity kWh fallback; procurement trust exhibits |
| 4 | Irontech | triageRouter.ts / freezeEngine.ts / healthPostureMonitor.ts identity correction to Agent 04 (TAS §4.3); unifies Agents 06 (Ironlock), 04 (Irontech), 13 (Ironwatch) under PostgresSaver authority; healthBarPercent < 50 repair priority on shadow diagnostics |
| 5 | Ironscribe | Dual-location output matrix; DOCUMENTATION_CORPUS_BINDING in staticContext.ts; Trainer/Writer placement via publishTrainerCorpus/publishWriterCorpus; Get Started Trainer sandbox and global drawer invoke isolated Trainer console on LEVEL_1 corpus; safeDocsWriter governance briefing path rejection; training screenshot corpus asset binding including supplemental export-path capture |
| 6 | Ironlock | Narrow funnel quarantine — private workspace blocked, public funnel open on cloud; admin deployments panel infrastructure posture badges; triage freeze coordination with Irontech Agent 04 |
| 9 | Ironlogic | generateBoardAgentAssessment in boardAgentLlm.ts founding refactor; BOARD_GTM_MARKET_AUTHENTICITY_MANDATE; boardroom author isolation (BOARDROOM_ISOLATED_AGENT_IDS); sales/customer service at temperature 0.0; knowledge.ts placement draft matrix with telemetry mirror sections; withGeminiRateLimitRetry on market outreach |
| 11 | Irontally | Board governance memo cron; documentation brief mandate consumption |
| 12 | Ironguard | assertGlobalAdminForOnboarding; assertIronguardApiTenantOr403 on /api/get-started/progress and /api/docs/reader; prospect pool sales isolation; customer service fail-closed 403; gateway shield architecture test; Get Started billing-hold exemption; workspace invitation Resend dispatch perimeter |
| 13 | Ironwatch | Shared-context + documentationBrief hydration; admin deployment snapshots; Get Started TRAINING_ONBOARDING agent log receipts; FortiBleed OSINT telemetry correlation; Ironwatch feed suppressed on /get-started onboarding portal |
| 14 | Irongate | Gateway shield DMZ markers; CompilationIngressPortal guard; documentation corpus plane isolation; web discovery JSON sanitization |
| 15 | Ironquery | stringifyWorkspaceBigIntFields; multi-region queryLocalWorkspace regions array; IRONQUERY_EXPORT feature entitlement gate on /api/ironquery/export; ExportScopeRequiredPanel and ExportScopeRequiredBanner in-page scope UX |
| 16 | Ironintel | June 26 OSINT manifest refresh (ironintel-osint-2026-06-26-live); LiteLLM CVE-2026-42271 post-deadline triage (June 22 — five days elapsed on June 27); Splunk CVE-2026-20253 day-seven post-deadline forensic hunt; FortiBleed 73932 to 86644 verified Fortinet URLs with Huntress 84 customer-impacted IPs; BOD 26-04 federal contractor 24-hour KEV triage SLA effective June 24 (three days into enforcement on June 27); FedRAMP Notice 0014 VDR alignment December 7, 2026; CMMC Phase 2 136 days to November 10, 2026; regulatoryCatalystLookup for grounded pitches; Industry Scout cron runIndustryScoutProspectBridge |
| 17 | Ironbloom | Physical telemetry hardening — parseThreatIngestionTelemetry, no_physical_telemetry, aggregateTenantKwhAverted, removed reference kWh fallback |
| 18 | Ironcast | Resend email package in IronBoard services/email/ (emailConfig, emailParser, emailCrmBridge, emailSender); workspace invitation Bucket A dispatch via workspaceInviteEmailDelivery.ts |
IronBoard commercial plane note: Sales agent (/api/agents/sales) and customer service agent (/api/agents/customer-service) operate on distinct tenancy boundaries — sales uses prospect pool UUID; customer service requires authenticated tenant with LEVEL_1 doc grounding. board-trainer and board-writer are isolated from live POST /api/query on port 8082 — BOARDROOM_QUERY_ROSTER excludes both; BOARDROOM_ISOLATED_AGENT_REDIRECTS maps them to POST /api/agents/trainer and POST /api/agents/writer on Ironframe port 3000. Documentation pipeline authoring still runs on IronBoard after legal clearance; published output syncs via bearer-gated POST /api/documentation/execute (upsert app_documents + mirror docs/). IronBoard runCustomerServiceAgent drafts email replies for HITL approval via Resend ingress — never auto-sends.
Documentation corpus plane note: APP_DOCS (/docs, app_documents table) and GOVERNANCE_BRIEFINGS (/governance-frame, published-briefings/) must never cross-write. board-trainer owns docs/user-manuals/ and docs/training/level-1/; board-writer owns docs/technical/ and docs/training/level-2/. Isolated live synthesis APIs on Ironframe :3000 ground on the same corpus planes — Trainer on LEVEL_1/TRAINING user-manual slugs; Writer on LEVEL_2/TRAINING technical slugs.
Agents not directly modified in today's delta remain governed by their existing TAS core directives. Absence from the diff is not absence from the workforce — verify their ACTIVE status lights in Feature 5 grid before each lab session.
🧯 Chapter 6: Self-Healing Troubleshooting & Error Diagnostic Steps
Because you are completing your GRC auditing labs independently online without an instructor, you must know how to clear security alerts yourself using our automated self-healing loops:
🚨 Alert 1: Display Elements Freeze and Read "GOVERNANCE DRIFT DETECTED"
- The Root Cause: You accidentally violated Mandate 2 by trying to manually modify a configuration baseline or alter a data row directly on screen without an approved amendment proposal. The `Ironwatch` agent detected a structural hash discrepancy and locked the display to secure the system.
- How to Resolve It Yourself:
  - Locate the bold, amber control button labeled `FREEZE COMMAND POST` sitting in the top sub-header toolline and click it once.
  - This triggers the `Irontech` self-healing agent to immediately freeze system states and run a deep structural integrity check against your local files.
  - Wait exactly three seconds. The background automation will auto-wipe your unsanctioned change, reload your company's official database baseline, clear out the red alert text, and restore your interface to a safe green tracking message.
  - If the void persists, execute `prisma/scripts/constitutional_rebaseline_reset.sql` and poll `/api/grc/tas-integrity`.
🚨 Alert 2: Primary Panels Suddenly Clear and Flash Empty Gray Boxes
- The Root Cause: This is an intentional visual system safety state known as a Skeleton Loading Frame. It occurs when you use the top-left dropdown switcher to change corporate profiles. The platform purposefully purges short-term memory to guarantee that confidential database entries never bleed or leak across tenant boundaries.
- How to Resolve It Yourself:
  - Maintain system isolation; do not click any components and leave your mouse still for 1 to 2 seconds.
  - The background security warden `Ironguard` will automatically complete an access handshake to verify your user badge credentials have the legal permission rights to view the new corporation's records.
  - Once verified, the gray placeholder frames will instantly slide away, and your fresh rows of clean, verified client records will paint your screen beautifully.
🚨 Alert 3: Production Ingress Block (HTTP 403 on Private Workspace Only)
- The Root Cause: You are hitting a private workspace path (`/integrity`, `/dashboard/*`, `/cockpit`, authenticated tripane `/`) on a cloud-hosted URL while production quarantine is active without `IRONFRAME_ALLOW_PUBLIC_INGRESS=1`. Today's narrow funnel allows public paths (`/terms`, `/privacy`, `/marketing`, `/docs`, `/pricing`, `/register/*`, `/sales-agent-portal`, `/governance-frame`, auth surfaces) on cloud hosts — only private workspace surfaces return 403.
- How to Resolve It Yourself:
  - Develop on your provisioned workspace URL or tenant workspace `http://{slug}.lvh.me:3000` where quarantine is automatically whitelisted.
  - For cloud Stripe webhook testing, POST to `/api/webhooks/stripe` or `/api/billing/webhook` — both bypass quarantine by design.
  - For headless cron, use Bearer `IRONFRAME_CRON_SECRET` on `/api/internal/cron/*` — middleware passthrough.
  - Set `IRONFRAME_ALLOW_PUBLIC_INGRESS=1` on the preview deployment for full workspace stakeholder demos (document the temporary change in your audit log).
  - If `/docs` works but `/integrity` returns 403 on cloud — expected narrow funnel behavior, not a regression.
🚨 Alert 4: Dashboard Redirects to /unauthorized After Login
- The Root Cause: Your Supabase user authenticated successfully but has no valid row in `user_role_assignments` for any tenant UUID.
- How to Resolve It Yourself:
  - Platform administrator runs `inviteCorporateTenantUserAction` with correct `tenantSlug`.
  - Or insert a valid `user_role_assignments` row bound to Medshield `5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01`, Vaultbank, Gridcore, or Defense UUID.
  - Reload `/integrity` — verify `ensureDashboardTenantSession` writes tenant session cookie.
🚨 Alert 5: Financial Display Shows Decimal Drift
- The Root Cause: A module converted BigInt cents to a float before persistence or export, a Mandate 1 violation.
- How to Resolve It Yourself:
  - Reject the hotfix. Identify the offending cast (`Number()` on aggregated cents without an integer guard).
  - Verify the database column type is `BIGINT` for `mitigated_value_cents`, `ale_baseline_cents`, and `financialRisk_cents`.
  - Re-run Irontrust unit snapshots against the constitutional baselines: 1110000000, 590000000, 470000000, 1600000000 cents.
  - Export the CSV again and confirm zero decimal places in the raw file cells.
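The integer guard that the offending `Number()` cast lacks, as an added example that is not the project's `assertWholeIntegerCents` or `parseCentBigInt`: a whole-integer cent parser, a bigint-only ledger sum, a display-only formatter that uses integer division instead of floating point, and a small demonstration of the drift itself. Function names are hypothetical; the four baseline values used in the checks are the page's constitutional seed anchors.

```typescript
// Added example (not the project's assertWholeIntegerCents or parseCentBigInt):
// a whole-integer cent guard, a bigint-only ledger sum, and a display formatter
// that never routes cents through Number(). Function names are hypothetical.

const WHOLE_CENT_PATTERN = /^-?\d+$/;

// Accepts a cent register only as a bigint or a whole-integer digit string.
// Number values, decimal strings and anything else are rejected outright,
// which is exactly the guard the Number() cast in Alert 5 was missing.
function parseWholeCents(value: unknown): bigint {
  if (typeof value === "bigint") return value;
  if (typeof value === "string" && WHOLE_CENT_PATTERN.test(value)) return BigInt(value);
  throw new TypeError(`cent register must be a whole-integer digit string, got ${JSON.stringify(value)}`);
}

// Aggregates a ledger column without ever leaving bigint arithmetic.
function sumCents(rows: ReadonlyArray<unknown>): bigint {
  let total = BigInt(0);
  for (const row of rows) total += parseWholeCents(row);
  return total;
}

// Display-only conversion using integer division and remainder; the result is
// a presentation string and must never be written back to the ledger.
function formatCentsUSD(cents: bigint): string {
  const negative = cents < BigInt(0);
  const abs = negative ? -cents : cents;
  const dollars = (abs / BigInt(100)).toString().replace(/\B(?=(\d{3})+(?!\d))/g, ",");
  const rem = (abs % BigInt(100)).toString();
  return `${negative ? "-" : ""}$${dollars}.${rem.length < 2 ? "0" + rem : rem}`;
}

// Shows the drift: Number() silently rounds once a cent count exceeds 2^53.
function driftDemo(centString: string): { viaNumber: string; viaBigInt: string } {
  return { viaNumber: String(Number(centString)), viaBigInt: parseWholeCents(centString).toString() };
}

// Raw CSV cell check: every exported cent value must pass the same guard, so
// no decimal places can appear in the file.
function exportCellsAreWhole(cells: ReadonlyArray<string>): boolean {
  return cells.every((c) => WHOLE_CENT_PATTERN.test(c));
}
```

Keeping the parser strict at the boundary (strings of digits or bigint, nothing else) means a float can only enter the pipeline by explicitly bypassing the guard, which is easy to spot in review.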
🚨 Alert 6: Billing Suspension Overlay After Login
- The Root Cause: The tenant's `tenant_billing.status` is PENDING or PAST_DUE and the operator is not GLOBAL_ADMIN.
- How to Resolve It Yourself:
  - Platform administrator sets the billing status to ACTIVE via `setTenantBillingStatusAction` or Stripe webhook fulfillment.
  - Or navigate to the exempt path `/account/billing-hold` to complete payment remediation.
  - GLOBAL_ADMIN operators bypass the gate for onboarding and support; use `/admin/onboarding` to verify tenant state.
🚨 Alert 7: Self-Serve Registration Surfaces Removed or Redirected
- The Root Cause: Phase 1 invite-only gate: `app/(marketing)/register/setup/page.tsx` is deleted, `/register/demo` redirects to sales contact, and `IRONFRAME_PUBLIC_REGISTRATION_ENABLED` is hardcoded false.
- How to Resolve It Yourself:
  - Direct prospects to `/register/contact` for sales-assisted intake.
  - GLOBAL_ADMIN mints an invitation token and directs the invitee to `/register/{token}`.
  - Sales engineers POST to `/api/register/sales-intake` with the `INTERNAL_SALES_PROVISION_KEY` bearer token.
  - Do not attempt an env-var override; the registration gate is constitutionally hardcoded for Phase 1.
🚨 Alert 8: Password Reset Email Link Rejected by Supabase
- The Root Cause: Supabase Authentication → URL Configuration lacks the exact callback URL built from the tenant subdomain origin.
- How to Resolve It Yourself:
  - Read the error message from `requestResetPasswordAction` and copy the cited redirect URL verbatim.
  - Add the URL to the Supabase Redirect URLs list (include `http://{slug}.lvh.me:3000/**` for local tenant workspaces).
  - Retry the reset from the same host you intend users to land on after the callback.
🚨 Alert 9: Demo Sandbox Blocks Production API Calls
- The Root Cause: Demo mode is active (`ironframe-demo-active=1` cookie or a valid demo session in `localStorage`) and the client attempted a tenant-scoped `/api/*` fetch. `applyIronguardToFetch` enforces `DEMO_MODE_ISOLATED` isolation: production telemetry must not bleed from sandbox UI exploration.
- How to Resolve It Yourself:
  - This is expected behavior during demo command post labs; the mock UI uses `seedDemoClientState()` client fixtures, not live API polls.
  - To test production API paths, call `clearDemoSession()` or delete the `ironframe-demo-active` and `ironframe-demo-session` cookies, then sign in with a real Supabase RBAC session.
  - Constitutional sentinel routes (`/api/grc/tas-integrity`, `/api/grc/tas-fingerprint`) remain callable during demo for marketing integrity badges; do not treat those blocks as regressions.
🚨 Alert 10: Governance Frame Shows Empty Index
- The Root Cause: No markdown files exist in `docs/published-briefings/`, or draft-only files remain in `docs/briefing-queue/` without promotion.
- How to Resolve It Yourself:
  - Copy the reviewed briefing from `docs/briefing-queue/` to `docs/published-briefings/{slug}.md` with YAML frontmatter that includes `publishedAt`.
  - Ensure Section II impact metrics use whole-cent BigInt string literals in `(¢)`-labeled bullets; floats are rejected by `parseCentBigInt`.
  - Reload `/governance-frame` and verify the index card grid lists the briefing with a chronological sort key.
🚨 Alert 11: Boardroom Query Returns HTTP 502 CORE_TELEMETRY_DISCONNECTED
- The Root Cause: IronBoard port 8082 could not fetch live tenant telemetry from Ironframe `GET /api/board/shared-context` before starting LLM synthesis. Common triggers: Ironframe not running on port 3000, missing or invalid `ironframe-tenant` cookie scope, tenant isolation rejection (UNAUTHORIZED_ACCESS), or `IRONFRAME_CORE_ORIGIN` pointing at the wrong host.
- How to Resolve It Yourself:
  - Start the Ironframe dev server on your provisioned workspace URL and confirm `/api/board/shared-context` returns JSON when called with valid tenant session headers.
  - Start IronBoard on your provisioned workspace URL; both engines must bind 127.0.0.1 only per today's delta.
  - Set `IRONFRAME_CORE_ORIGIN=your provisioned workspace URL` in the IronBoard environment if using a non-default core host.
  - Sign in to the Ironframe dashboard first so the `ironframe-tenant` cookie exists, or pass the `tenantId` UUID in the board query request body (Medshield seed: `5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01`).
  - Read the `detail` field in the 502 JSON: a timeout after 12000 ms indicates the core is unreachable; 401 indicates a tenant isolation boundary breach.
  - Run `Ironboard/src/services/coreTelemetryBridge.test.ts` to verify the header forwarding logic locally.
🚨 Alert 12: Boardroom Documentation Brief Missing
- The Root Cause: An IronBoard Trainer or Writer agent attempted to author documentation without `documentationBrief` in the shared-context payload, a one-way ingress mandate violation. `runExecutiveDocumentationCommand` now throws when `fetchIronframeDocumentationBrief` fails.
- How to Resolve It Yourself:
  - Confirm Ironframe `GET /api/board/shared-context` returns `documentationBrief` with `communicationDirection: ONE_WAY_IRONFRAME_TO_BOARD`.
  - Restart IronBoard after the Ironframe core is healthy; the bridge must hydrate before the doc authoring phases.
  - Run `tests/unit/documentationBrief.test.ts` and verify the brief builder includes the dual-plane matrix and telemetry mirror.
🚨 Alert 13: App Document DB Read Failure
- The Root Cause: The `/docs/[slug]` slug is not found in the `app_documents` table, so `CompilationIngressPortal` shows the staging state (the filesystem-only fallback was removed).
- How to Resolve It Yourself:
  - Run `npx tsx scripts/seed-app-documents.ts` against the development database.
  - POST to `/api/documentation/execute` with the internal gateway Bearer to upsert the missing slug.
  - Verify migration `20260618120000_init_app_documents` is applied: `npx prisma migrate status`.
  - Run `tests/unit/docsContentDecoupling.test.ts` and confirm the decoupling paths pass.
🚨 Alert 14: Workspace Invitation Token Required
- The Root Cause: A corporate tenant provision was attempted without a valid `TenantWorkspaceInvitation` token; the Phase 1 invitation gate is enforced in `corporateTenantProvisionCore.ts`.
- How to Resolve It Yourself:
  - GLOBAL_ADMIN runs the `mintWorkspaceInvitation` admin action with the target email and tenant slug.
  - Direct the invitee to `/register/{token}` before the provision flow; the mint panel displays the secure activation URL.
  - Verify the invitation `status` is ACTIVE and `expiresAt` is in the future.
  - After consumption, confirm `status` becomes CONSUMED; the token cannot be reused.
🚨 Alert 15: Ironbloom Returns no_physical_telemetry
- The Root Cause: The threat was marked RESOLVED but `ThreatEvent.ingestionDetails` lacks a sealed physical unit payload (kWh, L, km). The severity-based synthetic kWh fallback was removed in today's delta; Ironbloom (Agent 17) rejects monetary-only approximations.
- How to Resolve It Yourself:
  - Inspect the threat row's `ingestionDetails` JSON and verify the `physicalQuantity` and unit fields against the `parseThreatIngestionTelemetry` schema.
  - Re-ingest utility telemetry through the Irongate-sanitized threat ingress before marking RESOLVED.
  - Call `recordSustainabilityImpact` again and verify `mitigated_value_cents BIGINT` persists only after a valid physical trace.
  - Run `lib/sustainability/ironbloomDashboardTelemetry.test.ts` and confirm the parse paths pass.
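The parse-then-gate behaviour above, as an added example that is not the project's `parseThreatIngestionTelemetry` or `recordSustainabilityImpact`: a strict parser for the `ingestionDetails` payload that returns `no_physical_telemetry` whenever a sealed physical quantity and unit are absent, and a ledger step that derives the cent value only from that physical trace, never from a caller-supplied monetary figure or a severity tier. The unit set (kWh, L, km) comes from the alert; the `unit` field name and the cent-per-unit rate table are constructed assumptions.

```typescript
// Added example (not the project's parseThreatIngestionTelemetry): a strict
// ingestionDetails parser plus a ledger decision that writes cents only after
// a sealed physical trace. The unit set is from the page; the "unit" field
// name and the rate table are constructed assumptions.

type PhysicalUnit = "kWh" | "L" | "km";
const PHYSICAL_UNITS: PhysicalUnit[] = ["kWh", "L", "km"];

interface PhysicalTelemetry { physicalQuantity: number; unit: PhysicalUnit; }

type TelemetryParse =
  | { kind: "physical"; telemetry: PhysicalTelemetry }
  | { kind: "no_physical_telemetry"; reason: string };

function isPhysicalUnit(u: unknown): u is PhysicalUnit {
  return typeof u === "string" && PHYSICAL_UNITS.some((p) => p === u);
}

function noPhysical(reason: string): TelemetryParse {
  return { kind: "no_physical_telemetry", reason };
}

function parseThreatIngestion(raw: string): TelemetryParse {
  let details: unknown;
  try {
    details = JSON.parse(raw);
  } catch (e) {
    return noPhysical("ingestionDetails is not valid JSON");
  }
  if (typeof details !== "object" || details === null) return noPhysical("ingestionDetails is not an object");
  const d = details as Record<string, unknown>;
  const quantity = d["physicalQuantity"];
  const unit = d["unit"];
  // Monetary-only payloads (only mitigatedValueCents) or severity tiers never
  // satisfy these two checks, which is the point of the mandate.
  if (typeof quantity !== "number" || !isFinite(quantity) || quantity < 0) return noPhysical("physicalQuantity missing or not a non-negative finite number");
  if (!isPhysicalUnit(unit)) return noPhysical("unit missing or not one of kWh, L, km");
  return { kind: "physical", telemetry: { physicalQuantity: quantity, unit } };
}

// Constructed rate table (whole cents per unit) for the example only.
const CENTS_PER_UNIT: Record<PhysicalUnit, bigint> = { kWh: BigInt(25), L: BigInt(150), km: BigInt(40) };

interface LedgerDecision { write: boolean; mitigatedValueCents: string; reason: string; }

// The caller never supplies the monetary value; it is derived from the
// physical quantity in integer arithmetic (quantity carried as milli-units,
// result truncated to whole cents).
function decideLedgerWrite(parse: TelemetryParse): LedgerDecision {
  if (parse.kind === "no_physical_telemetry") return { write: false, mitigatedValueCents: "0", reason: parse.reason };
  const milli = BigInt(Math.round(parse.telemetry.physicalQuantity * 1000));
  const cents = (milli * CENTS_PER_UNIT[parse.telemetry.unit]) / BigInt(1000);
  return { write: true, mitigatedValueCents: cents.toString(), reason: "sealed physical trace present" };
}
```

Because the ledger value is computed from the parsed physical quantity rather than read from the payload, a row that carries only a `mitigatedValueCents` figure cannot influence `mitigated_value_cents`, even if the field is present.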
🚨 Alert 16: Boardroom Cites Synthetic Ledger/Vault Prospects
- The Root Cause: A board persona presented `{Region} Ledger` or `{Region} Vault` template rows as real market research, a BOARD_GTM_MARKET_AUTHENTICITY_MANDATE violation. `verifyAndOptimizeMarketData` may not have run before flywheel context assembly.
- How to Resolve It Yourself:
  - Click Load Prospecting Batch to trigger `verifyAndOptimizeMarketData` with `operatorTriggered: true`.
  - Verify `marketProspectAuthenticity` purged the synthetic rows; the authenticity summary shows `polluted=false`.
  - Re-ask the boardroom query and verify prospects are labeled `LIVE_WEB_GROUNDING` or `CURATED_DEMO_SEED` (London/Singapore only).
  - Run `tests/unit/marketProspectAuthenticity.test.ts` and confirm synthetic detection passes.
🚨 Alert 17: Post-Deadline KEV Triage Cluster (June 27 Operational Review)
- The Root Cause: CISA BOD 26-04 tier-1 remediation windows have elapsed across multiple active vectors on operational date 2026-06-27. CVE-2026-42271 (BerriAI LiteLLM command injection) deadline June 22, 2026 is five calendar days past. CVE-2026-20253 (Splunk Enterprise PostgreSQL sidecar RCE) deadline June 21, 2026 enters day seven post-deadline forensic triage. CVE-2026-48907 (Joomla JCE) deadline June 18, 2026 is nine calendar days past. CVE-2026-54420 (LiteSpeed cPanel symlink escalation) deadline June 19, 2026 is eight calendar days past. Federal contractor 24-hour KEV triage SLA guidance effective June 24, 2026 is three calendar days into enforcement on 2026-06-27 — board packets must elevate to CRITICAL continuous-audit posture.
- How to Resolve It Yourself:
  - Ingest the Strategic Intel manifest `ironintel-osint-2026-06-26-live` and confirm chunks `osint-03-joomla-litespeed`, `osint-04-splunk-rce`, and `osint-10-litellm-post-deadline` are in the CRM.
  - For LiteLLM deployments: patch to 1.83.7+, Starlette 1.0.1+, rotate all provider API keys, and execute an assume-breach hunt on AI gateway stacks.
  - For Splunk SOC stacks: patch to 10.2.4+ or 10.0.7+ or disable the postgres sidecar; run day-seven forensic triage before declaring clean.
  - For Joomla and LiteSpeed shared hosting: assume compromise on unpatched CMS and CloudLinux stacks; run forensic triage before patch verification under the BOD 26-04 four-variable matrix.
  - Document remediation in the board packet using formatted ALE strings; the internal ledger remains BigInt cents only (Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000 cent anchors unchanged).
🚨 Alert 18: FortiBleed Perimeter Credential Compromise
- The Root Cause: FortiBleed campaign verified 73932 to 86644 Fortinet firewall admin credentials across 194 countries per CISA June 18 advisory. Fortinet FG-IR-26-060 published June 22 confirms credential reuse from prior incidents plus brute force — not a zero-day and no patch closes exposure. Huntress cross-reference confirms 84 customer-impacted IPs — perimeter password assumptions are structurally invalid regardless of complexity policy.
- How to Resolve It Yourself:
  - Rotate all FortiGate VPN and admin passwords immediately; enforce MFA on management interfaces.
  - Restrict the management interface to trusted admin IP ranges; upgrade FortiOS to 7.4, 7.6, or 8.0 per PSIRT guidance.
  - Execute assume-breach hunting on all internet-exposed FortiGate instances under the BOD 26-04 triage protocol.
  - Ingest manifest chunk `osint-02-fortibleed` and verify the Ironwatch correlation in the Strategic Intel dashboard.
🚨 Alert 19: Writer or Trainer Invoked via Boardroom Query (Wrong Surface)
- The Root Cause: The operator attempted to reach board-trainer or board-writer through live `POST /api/query` on IronBoard port 8082; both personas are isolated per DOCS-005.
- How to Resolve It Yourself:
  - Use `POST /api/agents/trainer` or `POST /api/agents/writer` on Ironframe port 3000 with a valid tenant session.
  - Run `Ironboard/tests/boardroomDocAuthorIsolation.test.ts` and confirm `BOARDROOM_QUERY_ROSTER` excludes both IDs.
  - For a batch corpus refresh, run IronBoard `POST /api/documentation/execute` after legal clearance in the documentation pipeline.
🚨 Alert 20: Ironquery Export Returns HTTP 403 Feature Denied
- The Root Cause: The tenant lacks the `IRONQUERY_EXPORT` feature entitlement; the EXPORT-002 gate is enforced on the API, and direct navigation to `/dashboard/exports` renders `ExportScopeRequiredPanel` instead of the export console.
- How to Resolve It Yourself:
  - Platform administrator enables the entitlement on the tenant feature matrix.
  - Run `tests/unit/tenantFeatureEntitlement.test.ts` and verify the gate semantics.
  - Retry the export with a scoped tenant session and valid `x-tenant-id` header alignment.
  - Confirm the Command Post shows `ExportScopeRequiredBanner` when redirected with the `exportScope=required` query param.
🚨 Alert 21: Get Started Progress Not Audited
- The Root Cause: `POST /api/get-started/progress` failed silently or returned 403, so step completion was stored only in localStorage without a `TRAINING_ONBOARDING` agent log receipt. Common triggers: missing tenant cookie, Ironguard perimeter rejection, or an `agentLog.create` persistence error swallowed by the catch handler.
- How to Resolve It Yourself:
  - Confirm the operator signed in with a valid `user_role_assignments` row and `ironframe-tenant` cookie scope.
  - Open the browser network tab and verify `POST /api/get-started/progress` returns `{ status: "LOGGED" }` with HTTP 200.
  - Query `agent_logs` for the tenant UUID and verify the message JSON contains `"tag":"TRAINING_ONBOARDING"` and the matching `stepId`.
  - Run `tests/unit/getStartedOnboarding.test.ts` and confirm the guard and persistence paths pass.
  - If the Trainer sandbox step is stuck incomplete, verify `POST /api/agents/trainer` succeeded before expecting `trainer-session` auto-completion.
🚨 Alert 22: Master Purge Blocked Outside Development
- The Root Cause: `purgeAllDataAction` in `app/actions/purgeSimulation.ts` now returns `{ ok: false, message: "Master purge is disabled outside development." }` when `NODE_ENV !== "development"`; production and staging hosts cannot invoke a tenant-wide simulation purge from UI controls.
- How to Resolve It Yourself:
  - Confirm you are on your provisioned workspace URL or `*.lvh.me:3000` with `NODE_ENV=development`.
  - Use the scoped tenant purge via simulation plane tools, not master purge, on shared environments.
  - For onboarding test record cleanup, run `scripts/purge-onboarding-test-records.ts` with explicit operator confirmation.
🚨 Alert 23: Dashboard Fetch Aborted During Navigation
- The Root Cause: A `DashboardHomeClient` fetch was aborted during a route transition or component unmount. This previously surfaced as a hard error; it is now classified as benign via `isBenignRuntimeEmissionError` and `resolveDashboardFetchErrorMessage`.
- How to Resolve It Yourself:
  - Retry the dashboard load; a transient abort during navigation is expected and recoverable.
  - Verify the message reads "Dashboard request timed out or was interrupted. Retry in a moment." rather than a raw AbortError stack.
  - Confirm the mount-level `AbortSignal` propagates to the `tenantFetch` retry loop without duplicate concurrent requests.
📋 Chapter 7: Unit Test Verification Checklist (Today's Delta)
Independent learners and compliance auditors must confirm the following Vitest suites pass before signing a daily lab receipt:
| Test file | Validates |
|---|---|
| `tests/unit/deploymentQuarantine.test.ts` | Narrow funnel public paths, private workspace block, localhost and lvh.me whitelist, dual Stripe webhook bypass, token-gated API bypass, IRONFRAME_ALLOW_PUBLIC_INGRESS |
| `tests/unit/dashboardRoleAccess.test.ts` | RBAC gate states, ensureDashboardTenantSession cookie hydration |
| `tests/unit/commandCenterTenantAccess.test.ts` | GLOBAL_ADMIN vs scoped tenant switcher, subdomain host lock |
| `tests/unit/grcRouteMatch.test.ts` | Header route matrix, auth public path, constitutional sentinel paths |
| `tests/unit/registrationGate.test.ts` | Invite-only prospect ingress blocking |
| `tests/unit/registrationRoutes.test.ts` | Public registration route classification |
| `tests/unit/phase1Commercial.test.ts` | Phase 1 monetization wire paths |
| `tests/unit/stripeCheckoutParse.test.ts` | Stripe checkout metadata BigInt cent parsing |
| `tests/unit/tenantSubdomain.test.ts` | Subdomain slug resolution, post-auth landing paths |
| `tests/unit/tenantSlugRegistry.test.ts` | Dynamic tenant slug cache and lookup |
| `tests/unit/demoMode.test.ts` | Demo sandbox paths and ALE cent constants |
| `tests/unit/stagedNavSurfaces.test.ts` | Staged nav badge and role block matrix |
| `tests/unit/boardResponseLibrary.test.ts` | YouTube denial strip and rewrite append |
| `tests/unit/platformApplicationBoundary.test.ts` | Ironframe port 3000 vs IronBoard port 8082 |
| `tests/unit/boardroomOrchestrator.test.ts` | Panel routing receipts and sales-lead canonical boundary |
| `tests/unit/videoIngress.test.ts` | Irongate Zod schema quarantine and CLEAN path |
| `tests/unit/videoBoardPrefetch.test.ts` | Timeline injection into boardroom orchestration |
| `tests/unit/strategicIntelIngress.test.ts` | Agent 14 sanitization before CRM persistence |
| `tests/unit/docsMatrixIngress.test.ts` | BigInt docsMatchedUnits pipeline counters |
| `tests/unit/linkScraper.test.ts` | YouTube and YouTube Shorts URL extraction |
| `tests/unit/ironframeTheme.test.ts` | Theme ID resolution and body attribute mapping |
| `tests/unit/devConstitutionalElevation.test.ts` | Scoped dev authority match order |
| `tests/unit/publicLeadParse.test.ts` | Prospect lead payload parsing |
| `tests/tenantBrand.test.ts` | Tenant brand accent resolution |
| `tests/unit/governanceFrameBriefingScanner.test.ts` | Published ledger ingest and briefing-queue quarantine warnings |
| `tests/unit/governanceFrameSanitize.test.ts` | Cent register rejection, section II parse, markdown XSS strip |
| `tests/unit/governanceFrameEmail.test.ts` | Ironcast newsletter feed origin and slug deep links |
| `tests/unit/financialIngressInvariant.test.ts` | Unified BigInt cent bridge across Governance Frame, sales intake, canonical baselines |
| `tests/unit/compileRss.test.ts` | Governance Frame RSS item URL encoding |
| `Ironboard/src/services/coreTelemetryBridge.test.ts` | Telemetry bridge cookie forwarding, fail-closed disconnect, successful JSON hydration |
| `Ironboard/src/services/boardroomQueryIntent.test.ts` | Multi-country prefetch intent, inferRegionsFromQuery, Germany ICP criteria match |
| `Ironboard/src/services/marketIntelligence.test.ts` | Multi-region listProspects filter, fetchProspectingBatchForTargets merge, tier score REJECTED path |
| `tests/architecture/gatewayShield.test.ts` | Irongate DMZ markers on all Prisma-importing API routes |
| `tests/unit/agentPerimeter.test.ts` | Sales agent prospect pool tenant isolation |
| `tests/unit/approvalQueueCore.test.ts` | Pending draft tier inference and dispatch tags |
| `tests/unit/documentationBrief.test.ts` | One-way documentationBrief builder and plane separation |
| `tests/unit/docsContentDecoupling.test.ts` | APP_DOCS vs GOVERNANCE_BRIEFINGS decoupling |
| `tests/unit/documentationCorpusPlanes.test.ts` | Dual-location output matrix authoritative entries |
| `tests/unit/tenantFeatureEntitlement.test.ts` | Tenant feature entitlement gate on API routes |
| `tests/unit/trainingCorpusPlacement.test.ts` | Trainer/Writer placement target resolution |
| `tests/unit/adminOnboardingDeployments.test.ts` | Admin onboarding deployment snapshot, PROVISIONED/STAGED mapping, legal signoff posture, BigInt ALE USD display formatting |
| `tests/unit/getStartedOnboarding.test.ts` | Get Started progress API Ironguard guard, TRAINING_ONBOARDING agent log persistence |
| `tests/unit/stripeConfig.test.ts` | STRIPE_CREDENTIAL_MODE and dual webhook secret resolution |
| `tests/unit/supabaseRedirectAllowlist.test.ts` | Auth redirect origin allowlist |
| `tests/unit/supabaseAuthAdminHelpers.test.ts` | Existing Supabase user lookup and corporate invite relink paths |
| `tests/unit/workspaceInviteEmailDelivery.test.ts` | Resend workspace invitation dispatch and deferrable error paths |
| `tests/unit/workspaceInviteEmailContent.test.ts` | Invite email HTML table layout and register URL binding |
| `tests/unit/industryScoutProspectBridge.test.ts` | Industry scout cron prospect bridge |
| `tests/unit/marketProspectAuthenticity.test.ts` | Regional prospect authenticity scoring |
| `tests/unit/discoverRegionalProspects.test.ts` | Regional fintech discovery engine |
| `tests/unit/serialization.test.ts` | BigInt JSON serialization guards |
| `tests/e2e/docs-public.spec.ts` | Playwright E2E public /docs narrow funnel |
| `Ironboard/tests/trainingCorpus.test.ts` | Training corpus publisher IronBoard package |
| `Ironboard/src/lib/geminiRetry.test.ts` | Gemini rate-limit retry backoff for market intelligence outreach |
| `Ironboard/tests/boardroomDocAuthorIsolation.test.ts` | Trainer/Writer excluded from live boardroom query roster |
| `lib/sustainability/ironbloomDashboardTelemetry.test.ts` | kWh threat ingestion telemetry parse |
| `tests/unit/sharedBoardContext.test.ts` | Shared-context documentationBrief one-way ingress attachment and BigInt baseline serialization |
| `tests/unit/simulationNavFocus.test.ts` | Settings config href resolution to /settings/config; dashboard home path focus |
| `tests/unit/governanceTriadExport.test.ts` | Governance Frame triad export BigInt cent register formatting |
| `tests/unit/docsNavigation.test.ts` | Docs sidebar chapter routing including BigInt data schema contracts link |
| `tests/unit/tenantIndustryBaselineSweep.test.ts` | Constitutional industry baseline ALE cent sweep across seed tenants |
| `tests/integration/cron-storage-gates.test.ts` | Cron storage gate perimeter for headless automation |
| `tests/integration/epic16-exports.test.ts` | Epic 16 export pipeline entitlement and BigInt field encoding |
Run command: `npm run test` (root Vitest) plus `cd Ironboard && npm test` (IronBoard package suite per `.github/workflows/ci.yml`). CI also runs Stryker mutation on configured modules and Playwright E2E. All suites must pass before GCP deploy readiness per the project rules Warden gate.
📎 Chapter 8: Environment Variable Reference (Delta Additions)
The following .env.example entries were added or clarified in today's delta. Never commit live secrets — placeholders only:
| Variable | Purpose |
|---|---|
| `IRONBOARD_BOARD_ORG_TENANT_UUID` | Board-level Strategic Intel tenant UUID (default Medshield seed) |
| `IRONBOARD_GRC_ANALYST_VIDEO_URL` | Canonical YouTube URL for GRC Analyst briefing video |
| `IRONFRAME_ALLOW_PUBLIC_INGRESS` | Set 1 to open all cloud ingress paths (default blocked on non-local hosts) |
| `IRONFRAME_SUBDOMAIN_TENANCY` | Set 0 to disable host → tenant binding (enabled by default) |
| `IRONFRAME_TENANT_APEX_DOMAIN` | Production apex for *.ironframegrc.com tenant hosts |
| `NEXT_PUBLIC_DEVELOPMENT_DOMAIN` | Local dev tenant suffix (default lvh.me:3000) |
| `INTERNAL_SALES_PROVISION_KEY` | Bearer token for POST /api/register/sales-intake |
| `NEXT_PUBLIC_STRIPE_COMMAND_TIER_CHECKOUT_URL` | Hosted Stripe Payment Link on /pricing |
| `STRIPE_SECRET_KEY` | Server-only Stripe API key |
| `STRIPE_WEBHOOK_SECRET` | Stripe webhook signature verification |
| `CURSOR_API_KEY` | Headless Cursor CLI auth for scripts/cron_narrate.ps1 |
| `SUPABASE_SERVICE_ROLE_KEY` | Server-only corporate invite and admin password provisioning |
| `NEXT_PUBLIC_APP_URL` | Production your provisioned workspace URL — auth redirects and apex routing |
| `IRONFRAME_DEV_SUPABASE_EMAIL` | Scoped dev constitutional authority email match |
| `IRONFRAME_DEV_SUPABASE_USER_ID` | Scoped dev constitutional authority user id match |
| `IRONFRAME_CRON_SECRET` / `IRONFRAME_INTERNAL_GATES_SECRET` | Internal gates for slug resolve and platform admin probe |
| `GOVERNANCE_FRAME_UPSTREAM` | Optional IronBoard upstream for local proxy (your provisioned workspace URL) |
| `GOVERNANCE_FRAME_PUBLIC_FEED_ORIGIN` | Public feed origin for RSS and Ironcast email deep links (default your provisioned workspace URL) |
| `IRONFRAME_CORE_ORIGIN` | Ironframe core origin for IronBoard telemetry bridge (default your provisioned workspace URL) |
| `IRONFRAME_MARKETING_ORIGIN` | Fallback origin when IRONFRAME_CORE_ORIGIN unset |
| `GOOGLE_API_KEY` | IronBoard Gemini + Google Search grounding for regional prospect discovery, sales agent, customer service console |
| `IRONFRAME_PROSPECT_POOL_TENANT_UUID` | Prospect pool tenant for unauthenticated sales agent (fallback tenant_prospect_pool_01) |
| `INTERNAL_GATEWAY_SECRET_KEY` / `IRONFRAME_INTERNAL_GATES_SECRET` | Bearer token for POST /api/documentation/execute internal gateway |
| `STRIPE_CREDENTIAL_MODE` | Explicit test or live Stripe credential selection |
| `STRIPE_SECRET_KEY_TEST` / `STRIPE_SECRET_KEY_LIVE` | Mode-specific Stripe API keys |
| `STRIPE_INSTANT_CHECKOUT_WEBHOOK_SECRET` | Webhook secret for /api/webhooks/stripe (checkout.session.completed) |
| `STRIPE_BILLING_WEBHOOK_SECRET` | Webhook secret for /api/billing/webhook (payment_intent.succeeded) |
| `IRONFRAME_STAGING_APEX_DOMAIN` | Staging Vercel apex for tenant subdomain slug resolution |
| `IRONBOARD_SEMI_AUTONOMOUS_MODE` | Set 1 for rate-limited background web-grounded prospect discovery |
| `RESEND_API_KEY` | IronBoard Resend email package outbound; workspace invitation Bucket A dispatch |
| `NEXT_PUBLIC_GET_STARTED_VIDEO_URL` | Orientation audio or screencast URL embedded in Get Started portal walkthrough panel |
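How the `STRIPE_CREDENTIAL_MODE`, `STRIPE_SECRET_KEY_TEST` / `STRIPE_SECRET_KEY_LIVE` and the two webhook secrets above fit together, as an added example that is not the project's `resolveStripeBillingWebhookSecret` or `resolveStripeInstantCheckoutWebhookSecret`: a resolver that requires the mode to be stated explicitly, refuses to fall back from one mode to the other, checks that the key in each slot matches that mode's `sk_test_` / `sk_live_` prefix, and selects the webhook secret strictly by request path. Function names are hypothetical and the sample values are constructed placeholders.

```typescript
// Added example (not the project's resolveStripe* helpers): explicit-mode
// credential and webhook secret resolution that fails closed. Variable names
// follow the Chapter 8 table; function names are hypothetical.

type StripeMode = "test" | "live";
type Env = Record<string, string | undefined>;

class CredentialResolutionError extends Error {}

// Require an explicit STRIPE_CREDENTIAL_MODE; never default to live, and never
// silently fall back from live to test (a classic mis-deploy).
function resolveStripeMode(env: Env): StripeMode {
  const mode = (env["STRIPE_CREDENTIAL_MODE"] || "").trim().toLowerCase();
  if (mode === "test" || mode === "live") return mode;
  throw new CredentialResolutionError("STRIPE_CREDENTIAL_MODE must be exactly 'test' or 'live'");
}

function resolveStripeSecretKey(env: Env): string {
  const mode = resolveStripeMode(env);
  const name = mode === "live" ? "STRIPE_SECRET_KEY_LIVE" : "STRIPE_SECRET_KEY_TEST";
  const key = env[name];
  if (!key) throw new CredentialResolutionError(`${name} is not set for mode ${mode}`);
  // Guard against the other mode's key being pasted into the wrong slot.
  const expectedPrefix = mode === "live" ? "sk_live_" : "sk_test_";
  if (!key.startsWith(expectedPrefix)) throw new CredentialResolutionError(`${name} does not look like a ${mode} key`);
  return key;
}

// Each webhook path verifies signatures with its own secret; a request to one
// path must never be accepted with the other path's secret.
function resolveWebhookSecret(env: Env, path: string): string {
  const name = path === "/api/webhooks/stripe" ? "STRIPE_INSTANT_CHECKOUT_WEBHOOK_SECRET"
    : path === "/api/billing/webhook" ? "STRIPE_BILLING_WEBHOOK_SECRET"
    : undefined;
  if (!name) throw new CredentialResolutionError(`no webhook secret mapped for ${path}`);
  const secret = env[name];
  if (!secret) throw new CredentialResolutionError(`${name} is not set`);
  return secret;
}
```

Throwing at startup rather than at the first webhook keeps a misconfigured deployment from ever accepting a request, and because the error messages name the variable but never echo its value, they are safe to surface in deploy logs.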
✅ Chapter 9: Daily Writer Receipt (2026-06-27)
Delta classification:
- Structural: Prisma AppDocument model, IronboardCrmContact.metadata JSON, SYSTEM_AGENT interaction channel enum, twenty-four training screenshot PNG assets plus supplemental export-path capture, app/roles/* tree deletion, /get-started route group pages, orientation popout route group, admin onboarding supervisor components, GET /api/docs/reader inline doc ingress, per-step audio assets under get-started-orientation/steps/, Ironboard/src/agents/boardAgentLlm.ts founding assessment engine.
- Backend Logic: .cursorrules compaction to 43 lines; IronBoard generateBoardAgentAssessment founding LLM refactor in boardAgentLlm.ts; knowledge.ts full documentation pipeline; safeDocsWriter governance briefing path guard; staticContext.ts BOARDROOM_ISOLATED_AGENT_IDS; isolated Trainer/Writer APIs on Ironframe :3000; getStartedStepAudio.ts, getStartedStepVisuals.ts, openOrientationWalkthroughWindow.ts; Ironbloom physical telemetry hardening removing isHighSeverity; Ironquery IRONQUERY_EXPORT with ExportScopeRequiredPanel; Irontech Agent 04 identity correction; threat validate assertIronguardApiTenantOr403; dual Stripe webhook secrets with STRIPE_CREDENTIAL_MODE; middleware buildLoginRedirectUrl, finalizeMiddlewareResponse; next.config.ts .html-only docs rewrites and in-memory webpack cache; industry scout prospect bridge; register/setup deletion; June 26 OSINT manifest (ironintel-osint-2026-06-26-live) with LiteLLM, Splunk, FortiBleed, FedRAMP VDR chunks; marketProspectAuthenticity.ts and regulatoryCatalystLookup.ts; geminiRetry.ts rate-limit wrapper; resolveFlywheelTargetRegions; CI gateway shield + Stryker + Playwright + Ironboard test gates.
- UI: /get-started guided step panel with per-step narration and bottom doc reader drawer, orientation walkthrough popout, TrainerAgentSessionForm, global TrainerAgentDrawer, ExportScopeRequiredBanner/ExportScopeRequiredPanel, OperatorActivationBanner, /dashboard/support chat console, AdminOnboardingDeployments supervisor grid, DocsChrome decoupled link rendering, DashboardHomeClient benign abort recovery.
Financial boundary verification: All ALE references in this document use BigInt integer cents exclusively for persistence and internal telemetry. Constitutional Ironframe seed tenant baselines unchanged: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000 cents. Manifest industry peer ALE baselines (Finance 1800000000, Healthcare 1210000000, Technology 950000000, Defense 2500000000, Public Sector 1500000000 cents) and risk metrics (medianAnnualGrcProgramCents 4200000000, medianAuditRemediationLagCents 890000000, saasConsolidationSavingsOpportunityCents 680000000, boardReportingOverheadCents 125000000 cents for primary manifest; alternate regional manifest medianAnnualGrcProgramCents 3850000000, medianAuditRemediationLagCents 935000000, saasConsolidationSavingsOpportunityCents 1120000000, boardReportingOverheadCents 98000000 cents) are manifest-scoped BigInt strings — never floats. Dual Stripe webhook paths parse amountTotalCents as BigInt at fulfillment. Ironbloom kwhAverted and mitigatedValueCents persist as BigInt — severity-tier synthetic kWh path eliminated; sustainabilityActions.ts uses parseThreatIngestionTelemetry and returns no_physical_telemetry without ledger write when physical units absent; resolveDashboardMitigatedValueCents reads sealed tenant physical ledger via aggregateTenantKwhAverted and findLatestThreatPhysicalTelemetry before reporting 0 cents. Corporate provision and admin deployment display use formatCentsToAccountingUSD / parseDollarAleToBigIntCents — display and ingress conversion only; PostgreSQL columns remain BIGINT cents. Writer and Trainer consoles quote financial baselines as whole-integer cent digit strings in synthesized markdown — never float dollars. De-classification matrix mandates Governance Frame public copy cites financials.display.*Formatted strings — never raw cent literals. Market prospect aiFitnessScore remains integer ICP tier composite — not monetary. Founding board CFO node calls assertWholeIntegerCents before generateBoardAgentAssessment — allocation strings must be whole-integer cent digit sequences.
Threat simulation verification: POST /api/threats/validate requires assertIronguardApiTenantOr403 — extracts ActiveRisk numeric ids as BigInt-safe strings for ghost card reconciliation. Ironbloom requires sealed physical telemetry in ingestionDetails — monetary-only or severity-inferred payloads return no_physical_telemetry without ledger write. Shadow-plane SimThreatEvent.mitigated_value_cents BIGINT isolation from production ThreatEvent unchanged. June 26 OSINT manifest ingested with active vectors on operational date 2026-06-27: BerriAI LiteLLM CVE-2026-42271 (KEV deadline June 22 — five days elapsed), Splunk CVE-2026-20253 (KEV deadline June 21 — day seven post-deadline forensic triage), FortiBleed (73932 to 86644 verified Fortinet credentials, 194 countries, Huntress 84 customer-impacted IPs), Joomla CVE-2026-48907 (KEV deadline June 18 — nine days elapsed), LiteSpeed CVE-2026-54420 (KEV deadline June 19 — eight days elapsed), Check Point CVE-2026-50751, Oracle PeopleSoft CVE-2026-35273, Ivanti Sentry CVE-2026-10520, CISA BOD 26-04 federal contractor 24-hour KEV triage SLA effective June 24, 2026 (three days into enforcement), FedRAMP Notice 0014 VDR mandatory December 7, 2026, CMMC Phase 2 136 days to November 10, 2026. Board packets must cite formatted ALE display strings while internal ledger retains BigInt cent integers only.
Module refactor verification: app/roles/* legacy stakeholder_metrics dashboards deleted — role surfaces consolidated under app/(dashboard)/dashboard/*. knowledge.ts expanded from stub drafts to full placement matrix with telemetry mirror and full-access ingress sections; Trainer and Writer now publish through pushAppDocumentToIronframe / publishAppDocument with validateOutboundContent firewall instead of filesystem-only writeHubAssetSafely. IronBoard documentation authors isolated from live query roster (BOARDROOM_QUERY_ROSTER replaces full roster filter) while retaining pipeline graph nodes. Ironboard/vitest.config.ts includes tests/**/*.test.ts for package-level suites including boardroomDocAuthorIsolation.test.ts. Get Started portal introduces post-activation design-partner initialization — five-step checklist with guided step focus panel, per-step audio narration, bottom inline doc reader drawer, orientation walkthrough popout, TrainerAgentSessionForm sandbox, and Ironwatch telemetry poll suppressed during onboarding. Global Trainer drawer (TrainerAgentDrawer) mounts on all workspace routes via AppShell. Admin onboarding supervisor UI separates deployment inventory (AdminOnboardingDeployments) from provisioning controls (CorporateOnboardingClient at #onboarding-controls) — billing activation owned exclusively by Stripe webhook path; ALE input field renamed to aleBaselineDollars with parseDollarAleToBigIntCents persistence. Corporate invite relink grants workspace access to existing Supabase accounts without duplicate user creation. Middleware auth landing preserves next return paths via buildLoginRedirectUrl (appends fresh=1 for /get-started destinations) and applies subdomain tenancy on every response through finalizeMiddlewareResponse. Middleware tenant slug-resolve recursion guard: middlewareSubdomainTenancy.ts sets x-ironframe-middleware-tenant-resolve: 1 when calling /api/internal/tenant-slug-resolve — prevents middleware → slug-resolve → middleware infinite loop on dynamic tenant hosts. Founding board agents delegate to boardAgentLlm.ts with formatBoardStateSummary — static template logs retired. chapterLoop.ts binds sequential documentation passes to training-corpus-manifest.json via publishCompleteTrainingManual.
Irongate DMZ verification:
- tests/architecture/gatewayShield.test.ts enforces DMZ markers on all Prisma-importing API routes and runs as a CI gate.
- CompilationIngressPortal fails closed on unresolved doc slugs.
- Documentation corpus planes forbid cross-writes between APP_DOCS and GOVERNANCE_BRIEFINGS via assertAppDocsPlacementPath.
- GTM synthetic scaffolding must not enter CRM as live OSINT: verifyAndOptimizeMarketData and marketProspectAuthenticity gate purges before board synthesis.
- The Get Started progress API and the docs reader API pass the Ironguard tenant guard before any persistence.
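An architecture gate of the gatewayShield kind is a small scan over route sources. The block below is an added example and not the repository's gatewayShield.test.ts: it walks an in-memory file tree, flags API routes that reference the Prisma client without a DMZ marker, and throws so a CI job fails with the offending paths listed. The "@/lib/prisma" import path is the one the manual mandates; the marker comment "// @irongate-dmz", the app/api/**/route.ts layout and the sample files are assumptions constructed for the example.

```typescript
// Added example: architecture gate that fails when an API route imports Prisma without a DMZ marker.
// Not the project's test; marker name and file layout are assumptions.
interface SourceFile { path: string; text: string }

// Hypothetical marker a route must carry to be allowed direct Prisma access.
const DMZ_MARKER = /^[ \t]*\/\/[ \t]*@irongate-dmz\b/m;
// Catches static imports, dynamic import() and require() of the Prisma client.
const PRISMA_REFERENCE = /(?:from|import|require)\s*\(?\s*["'](?:@\/lib\/prisma|@prisma\/client)["']/;

// App Router API handlers live at app/api/**/route.ts(x); library files are out of scope.
function isApiRoute(path: string): boolean {
  return /^app\/api\/(?:[^/]+\/)*route\.tsx?$/.test(path.replace(/\\/g, "/"));
}

function findUnshieldedRoutes(files: SourceFile[]): string[] {
  return files
    .filter((f) => isApiRoute(f.path) && PRISMA_REFERENCE.test(f.text) && !DMZ_MARKER.test(f.text))
    .map((f) => f.path)
    .sort();
}

// CI gate: throwing makes the job fail and puts the violators in the log.
function gatewayShieldGate(files: SourceFile[]): void {
  const leaks = findUnshieldedRoutes(files);
  if (leaks.length > 0) {
    throw new Error(`Prisma-importing routes without DMZ marker:\n  ${leaks.join("\n  ")}`);
  }
}

// Constructed sample tree: a shielded route, a leaking route, a route that hides the
// import behind require(), a route with no database access, and the allowed library file.
const SAMPLE_TREE: SourceFile[] = [
  {
    path: "app/api/tenants/route.ts",
    text: "// @irongate-dmz\nimport prisma from \"@/lib/prisma\";\nexport async function GET() { return Response.json(await prisma.tenant.findMany()); }\n",
  },
  {
    path: "app/api/leaky/route.ts",
    text: "import prisma from \"@/lib/prisma\";\nexport async function GET() { return Response.json(await prisma.user.findMany()); }\n",
  },
  {
    path: "app/api/sneaky/route.ts",
    text: "export async function POST() { const { default: prisma } = require(\"@/lib/prisma\"); return Response.json(await prisma.user.count()); }\n",
  },
  {
    path: "app/api/health/route.ts",
    text: "export function GET() { return new Response(\"ok\"); }\n",
  },
  {
    path: "lib/prisma.ts",
    text: "import { PrismaClient } from \"@prisma/client\";\nconst prisma = new PrismaClient();\nexport default prisma;\n",
  },
];
```

In a real suite the tree would come from a recursive readdir of app/api rather than an inline array. A regex scan is deliberately cheap and has a known blind spot: a route that reaches Prisma through a re-exporting helper module is not caught, so the marker discipline is best paired with a lint rule or import-graph check that follows indirect dependencies.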
Platform boundary verification:
- Ironframe (port 3000) emits documentationBrief in shared-context and hosts the isolated Trainer/Writer agent APIs plus the Get Started progress ingress and the inline docs reader.
- IronBoard (port 8082) consumes it via the core telemetry bridge; runExecutiveDocumentationCommand throws when brief ingress fails.
- platformApplicationBoundary.ts adds /api/documentation/execute and /settings/config.
- Both engines bind 127.0.0.1 only.
- The narrow funnel permits public GTM surfaces on cloud without opening the command center.
- /get-started and /admin/onboarding are registered as dashboard route group paths with standalone scroll; the billing hold is exempt for design-partner and GLOBAL_ADMIN onboarding flows.
Documentation corpus verification:
- knowledge.ts expanded: Trainer publishes via publishTrainerCorpus, Writer via publishWriterCorpus, both pushing through appDocsGateway.
- Training screenshot corpus (24 PNG assets) binds to training-corpus-manifest.json with supplemental export-path capture; the Level 1 chapter 03 capture route is corrected to / (tripane Command Post).
- board-trainer owns docs/user-manuals/ and docs/training/level-1/; board-writer owns docs/technical/ and docs/training/level-2/.
- The content firewall rejects briefing-queue/ and published-briefings/ writes from Trainer/Writer.
- The Get Started quickstart step opens the orientation guide via the inline drawer backed by /api/docs/reader on the APP_DOCS plane, with an #orientation hash deep-link.
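The ownership map above and the cross-plane rule from the Irongate section (assertAppDocsPlacementPath) both reduce to one check: normalize the requested path, then decide whether the author may land a file there. The block below is an added example, not Ironframe's assertAppDocsPlacementPath or validateOutboundContent. The author-to-directory ownership and the two firewalled directories are taken from the page; the function signature, the PlacementViolation error type and the rejection of percent-encoded separators are assumptions made for the example. Normalizing before the prefix test is the point: a path such as docs/training/level-1/../level-2/ch01.md starts with a Trainer-owned prefix as typed but lands in Writer territory.

```typescript
import { posix as pathPosix } from "node:path";

// Added example: placement-path firewall for documentation authors. Not the project's code;
// ownership and firewalled directories come from the manual, the function shape is assumed.
const CORPUS_OWNERSHIP: Record<string, readonly string[]> = {
  "board-trainer": ["docs/user-manuals/", "docs/training/level-1/"],
  "board-writer": ["docs/technical/", "docs/training/level-2/"],
};

// Directories no Trainer/Writer write may land in, wherever they appear in the path.
const FIREWALLED_DIRS: ReadonlySet<string> = new Set(["briefing-queue", "published-briefings"]);

class PlacementViolation extends Error {
  constructor(author: string, requested: string, reason: string) {
    super(`${author} may not write ${JSON.stringify(requested)}: ${reason}`);
    this.name = "PlacementViolation";
  }
}

// Returns the normalized repository-relative path on success; throws PlacementViolation otherwise.
function assertPlacementPath(author: string, requested: string): string {
  const owned = CORPUS_OWNERSHIP[author];
  if (!owned) throw new PlacementViolation(author, requested, "unknown author");
  if (requested.includes("\0")) throw new PlacementViolation(author, requested, "NUL byte in path");
  // Decoding is the caller's job; an encoded dot or slash arriving here is treated as hostile.
  if (/%2e|%2f|%5c/i.test(requested)) {
    throw new PlacementViolation(author, requested, "percent-encoded separators are not accepted");
  }

  // Judge the path by where it really lands: unify separators, then collapse "." and "..".
  const unified = requested.replace(/\\/g, "/");
  if (pathPosix.isAbsolute(unified) || /^[A-Za-z]:\//.test(unified)) {
    throw new PlacementViolation(author, requested, "absolute paths are rejected");
  }
  const normalized = pathPosix.normalize(unified);
  if (normalized === "." || normalized === ".." || normalized.startsWith("../")) {
    throw new PlacementViolation(author, requested, "escapes the repository root");
  }
  if (normalized.endsWith("/")) {
    throw new PlacementViolation(author, requested, "must name a file, not a directory");
  }

  // Firewalled planes are checked on every segment so ".." tricks cannot reach them either.
  const segments = normalized.split("/");
  if (segments.some((segment) => FIREWALLED_DIRS.has(segment))) {
    throw new PlacementViolation(author, requested, "briefing planes are firewalled");
  }
  if (!owned.some((prefix) => normalized.startsWith(prefix))) {
    throw new PlacementViolation(author, requested, `outside owned corpus (${owned.join(", ")})`);
  }
  return normalized;
}
```

The returned normalized path, not the caller's original string, is what should be joined onto the corpus root for the actual write; otherwise the guard and the filesystem disagree about where the file goes.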
Phase 1 commercial verification:
- Dual webhook billing activation at /api/billing/webhook with resolveStripeBillingWebhookSecret.
- Instant checkout provisioning at /api/webhooks/stripe with resolveStripeInstantCheckoutWebhookSecret.
- Sales agent isolated to IRONFRAME_PROSPECT_POOL_TENANT_UUID.
- Customer service and the email draft worker require an authenticated tenant with LEVEL_1 grounding.
- Workspace invitation Resend dispatch is optional at mint time (dispatchInviteEmail: true).
- Register setup page deleted; demo redirects to sales contact.
- Admin deployment grid shows STAGED vs PROVISIONED derived from billing status; there is no manual client-side billing activation button.
- purgeAllDataAction is disabled outside NODE_ENV=development.
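Two webhook endpoints with two secrets means the signature check must be keyed by the route that received the event, or a payload signed for one endpoint could be replayed against the other. The block below is an added example and not the repository's resolveStripeBillingWebhookSecret / resolveStripeInstantCheckoutWebhookSecret: it implements Stripe's published signature scheme (HMAC-SHA256 over "<timestamp>.<raw body>", delivered in the Stripe-Signature header as t=...,v1=...) with a per-route secret lookup, a replay tolerance window and a constant-time comparison. The two route paths are the ones named on the page; the secret values, the route-to-secret map, the event payload and the signForEndpoint helper are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example: per-endpoint Stripe webhook signature verification. Not the project's code;
// secrets and the route map below are constructed for the demonstration.
const ENDPOINT_SECRETS: Record<string, string> = {
  "/api/billing/webhook": "whsec_billing_constructed_secret",
  "/api/webhooks/stripe": "whsec_checkout_constructed_secret",
};
const DEFAULT_TOLERANCE_SECONDS = 300; // Stripe's documented default replay window

// Fails closed: an unregistered route has no secret and therefore cannot verify anything.
function resolveWebhookSecret(routePath: string): string {
  const secret = ENDPOINT_SECRETS[routePath];
  if (!secret) throw new Error(`no webhook secret registered for ${routePath}`);
  return secret;
}

// Stripe signs the literal "<timestamp>.<raw body>"; the body must be the exact bytes received.
function computeSignature(secret: string, timestamp: number, rawBody: string): string {
  return createHmac("sha256", secret).update(`${timestamp}.${rawBody}`).digest("hex");
}

interface ParsedSignature { timestamp: number; signatures: string[] }

// Parses "t=1700000000,v1=abc...,v1=def..."; several v1 values appear during secret rotation.
function parseSignatureHeader(header: string): ParsedSignature | null {
  const timestamps: string[] = [];
  const signatures: string[] = [];
  for (const part of header.split(",")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (key === "t") timestamps.push(value);
    else if (key === "v1") signatures.push(value);
  }
  if (timestamps.length !== 1 || !/^\d+$/.test(timestamps[0]) || signatures.length === 0) return null;
  return { timestamp: Number(timestamps[0]), signatures };
}

// Length and charset are checked first so timingSafeEqual always sees equal-length buffers.
function constantTimeEqualHex(a: string, b: string): boolean {
  if (a.length !== b.length || !/^[0-9a-f]+$/i.test(a) || !/^[0-9a-f]+$/i.test(b)) return false;
  return timingSafeEqual(Buffer.from(a, "hex"), Buffer.from(b, "hex"));
}

function verifyStripeWebhook(
  routePath: string,
  rawBody: string,
  signatureHeader: string,
  nowSeconds: number,
  toleranceSeconds = DEFAULT_TOLERANCE_SECONDS,
): boolean {
  const parsed = parseSignatureHeader(signatureHeader);
  if (!parsed) return false;
  if (Math.abs(nowSeconds - parsed.timestamp) > toleranceSeconds) return false; // replay window
  const expected = computeSignature(resolveWebhookSecret(routePath), parsed.timestamp, rawBody);
  return parsed.signatures.some((candidate) => constantTimeEqualHex(candidate, expected));
}

// Demonstration-only helper that plays Stripe's side and signs a body for a given endpoint.
function signForEndpoint(routePath: string, rawBody: string, timestamp: number): string {
  return `t=${timestamp},v1=${computeSignature(resolveWebhookSecret(routePath), timestamp, rawBody)}`;
}
```

In an App Router handler the body must be read with request.text() before anything parses it; a re-serialized JSON object will not match the bytes Stripe signed, and verification fails for the wrong reason.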
CI verification: .github/workflows/ci.yml adds architecture gateway shield test, Stryker mutation gate, Playwright E2E install/run, and Ironboard npm test step. All unit suites listed in Chapter 7 must pass before deploy.
Empty-diff pivot: Not applicable. daily_code_diff.txt contains substantial deltas across 145 changed tracked file paths (excluding self-referential diff artifact recursion, binary PNG assets, and lockfile noise) spanning the Ironframe and IronBoard packages, including:
- Get Started guided step panel with per-step audio and orientation popout
- global TrainerAgentDrawer
- ExportScopeRequired in-page UX
- workspace invitation Resend dispatch
- corporate invite relink
- master purge dev-only guard
- admin onboarding supervisor deployment ledger
- boardroom author isolation
- isolated Trainer/Writer agent consoles
- customer service email worker
- content firewall governance path guard
- industry scout prospect bridge
- Ironquery export entitlement
- Irontech Agent 04 identity correction
- role route deletion
- June 26 OSINT manifest refresh (ironintel-osint-2026-06-26-live) with LiteLLM five-day post-deadline and Splunk day-seven triage vectors
- physical telemetry hardening
- founding board boardAgentLlm.ts assessment path
- market authenticity gate
- middleware auth landing refactor with subdomain finalize wrapper and slug-resolve recursion header
- password reset redirect origin fix
- next.config .html-only docs rewrites and nodemailer serverExternalPackages
- DashboardHomeClient benign abort recovery
- isConstitutionalTenantKey baseline drift anchor guard
- /api/auth/session-bootstrap narrow funnel passthrough
- resolveSettingsConfigHref /settings/config fallback
- Get Started 24-chapter curriculum copy
- csvEncoder tenantKey string typing for export rows
- sharedBoardContext.test.ts documentationBrief attachment receipts
End of GRC Master Operations Manual & Technical Feature Glossary — Writer Narrative Architect complete mandate execution for operational date 2026-06-27.