DOCUMENTATION HUB·LEVEL_2

📖 GRC Master Operations Manual & Technical Feature Glossary

REF_PATH: qa/complete-feature-glossary
SOURCE: APP_DOCUMENTS_DB

Standardized Sovereign Command Deck Training Playbook for Independent Learners

Target Audience: High School Lab Technicians (Grade 11/12) & Independent Compliance Auditors

System Architecture: Control-First Modular Agent Coordination Framework

Operational Date: 2026-06-27

Delta Source: daily_code_diff.txt (24-hour git window ending 2026-06-27 — Writer Narrative Architect mandate)


🕮 Chapter 1: Foundations of Enterprise GRC & Liability Mitigation

Welcome to the Ironframe Command Console. When multi-billion-dollar corporations operate global software networks, an untrained employee clicking the wrong button or entering unverified numbers can cause catastrophic real-world damage. A single mathematical error or security mistake can result in massive government fines, total network shutdowns, or devastating legal lawsuits.

This platform uses a structured architecture model called Governance, Risk, and Compliance (GRC) to prevent those disasters. Because you are training independently online without a live teacher, you must memorize the three core concepts of GRC and obey the safety limits written below to protect our system and client assets from harm:

              +----------------------------------------+
              |    GOVERNANCE (The Constitutional Law) |
              +-------------------+--------------------+
                                  |
                                  v
              +----------------------------------------+
              |    RISK MANAGEMENT (The Defense Deck)  |
              +-------------------+--------------------+
                                  |
                                  v
              +----------------------------------------+
              |    COMPLIANCE (The Bulletproof Proof)  |
              +-------------------+--------------------+

🏛️ 1. Governance (The Corporate Constitution)

  • Plain-English Definition: Governance represents the unchangeable, absolute rules and system limits established by company executives or international law.
  • The App Reality: In our platform, these rules are hardcoded into an electronic constitution known as the TAS (Tenant Architecture Specifications) file at docs/TAS.md. The software code is physically blocked from ever breaking these rules. Today's delta touches the following governance surfaces:
    • .cursorrules compacts from the legacy 204-line governance protocol into a 43-line auto-completion constraint sheet. Prisma import discipline (import prisma from "@/lib/prisma"), test file locations (tests/unit/*.test.ts for Next.js, Ironboard/src/tests/*.test.ts for workforce queues), CRM field alignment (fullName, interaction channel), the BigInt cent mandate, @google/genai temperature 0.0, prospect pool tenant isolation, and customer service LEVEL_1 doc grounding remain constitutionally locked.
    • The IronBoard Core Telemetry Bridge requires every POST /api/query on port 8082 to hydrate live Ironframe shared context from GET /api/board/shared-context on port 3000 before LLM synthesis. It fails closed with HTTP 502 and CORE_TELEMETRY_DISCONNECTED when the bridge cannot reach tenant-scoped telemetry.
    • Founding board personas (CEO, CFO, Compliance, Legal) now delegate synthesis to generateBoardAgentAssessment in boardAgentLlm.ts, with formatBoardStateSummary anchoring financialProjectionsCents as whole-integer cent strings and assertWholeIntegerCents on every CFO turn.
    • The June 26 OSINT manifest (ironintel-osint-2026-06-26-live) remains the active Strategic Intel corpus through operational date 2026-06-27, covering LiteLLM five-day post-deadline triage, the Splunk day-seven forensic hunt, and FortiBleed credential harvesting vectors. All peer ALE baselines remain BigInt cent strings in manifest JSON.
    • The Hardened Governance Layers prompt block (buildHardenedGovernanceLayers) enforces a unidirectional read-only diode: the 19-agent boardroom advises from live JSON but holds zero write permissions to production databases.
    • Public Governance Frame briefings must cite financials.display.*.baselineFormatted strings verbatim, never raw internal BigInt cent integers.
    • Today's delta wires the Documentation Brief one-way ingress and boardroom author isolation: Ironframe emits documentationBrief inside GET /api/board/shared-context; IronBoard Trainer (board-trainer) and Writer (board-writer) consume it via expanded knowledge.ts (buildTrainerDashboardGuideDraft, buildWriterArchitectureDraft, buildWriterSecurityComplianceDraft, publishTrainerCorpus, publishWriterCorpus, pushAppDocumentToIronframe), with zero write-back except bearer-gated POST /api/documentation/execute. Both personas are excluded from the live BOARDROOM_QUERY_ROSTER on port 8082; operators invoke isolated synthesis via POST /api/agents/trainer and POST /api/agents/writer on Ironframe port 3000 (trainerAgentConsoleCore.ts, writerAgentConsoleCore.ts). safeDocsWriter.ts rejects briefing-queue/ and published-briefings/ placement for Trainer/Writer. The executive documentation chapter loop (runExecutiveDocumentationCommand) fails closed when fetchIronframeDocumentationBrief returns no brief.

⚠️ 2. Risk Management (The Defense System)

  • Plain-English Definition: Identifying potential technology failures or external hacks before they happen, and calculating exactly how much cash the company would lose (the Asset Loss Expectancy or ALE).
  • The App Reality: Our system uses automated security monitors to calculate these risks instantly, displaying them as a System Maturity Score out of ten. The Irontrust math engine (Agent 3) stores all ALE baselines as BigInt integer cents — never floating-point dollars.

📜 3. Compliance (The Verifiable Proof)

  • Plain-English Definition: Providing 100% accurate, un-tamperable data records to an independent government inspector to prove your business has never broken a law.
  • The App Reality: Every mouse click, system test, and transaction you perform is logged into a locked, cryptographically signed ledger file that cannot be erased or edited by anyone. Shadow-plane diagnostics (SimulationDiagnosticLog) remain isolated from production AuditLog per TAS Section 4.3.

🛑 Chapter 2: Core Regulatory Guardrails & Forbidden Actions

To completely eliminate operational risk, protect multi-tenant cloud client assets, and shield your training program from liability, you must strictly adhere to the following Four Corporate Compliance Mandates. Any violation will automatically cause the security tracking systems to flag your active session context and quarantine your workspace:

  • Mandate 1: Strict Whole-Integer Financial Integrity: All monetary paths must use a variable type called BigInt (Big Integer) representing raw cents exclusively. One United States dollar equals 100 cents. Decimals and floating-point values are completely forbidden in financial modules to eliminate computational rounding drift during audits. Constitutionally frozen ALE baselines per docs/TAS.md:

    • Medshield: 1110000000 cents (eleven million one hundred thousand United States dollars)
    • Vaultbank NA: 590000000 cents (five million nine hundred thousand United States dollars)
    • Gridcore Infrastructure: 470000000 cents (four million seven hundred thousand United States dollars)
    • Defense (CMMC L3 anchor): 1600000000 cents (sixteen million United States dollars)
    • Display conversion only: const dollars = Number(aleBaselineCents) / 100 — never persist floats.
    • Today's de-classification mandate: IronBoard public briefing synthesis must never emit raw BigInt cent integers in Governance Frame copy. Internal storage remains BIGINT cents exclusively; external-facing text uses Ironframe-precomputed financials.display.sovereignPool.*.baselineFormatted and currentExposureFormatted strings. Grounded sales outreach (generateGroundedPitch) may cite BigInt numeric precision as a value proposition in engineer-to-engineer copy — that is marketing language, not a persistence path. Market prospect aiFitnessScore is an integer ICP tier score (region + compliance pressure + funding + compliance-hire signals) — not USD cents.
    • Ironbloom physical telemetry gate (2026-06-26 delta): recordSustainabilityImpact no longer assigns synthetic kWh from severity tiers (isHighSeverity removed). Mitigated value cents derive exclusively from parseThreatIngestionTelemetry(threat.ingestionDetails) — unresolved physical payloads return no_physical_telemetry without persisting float or guessed kWh. resolveDashboardMitigatedValueCents removed IRONBLOOM_PULSE_REFERENCE_KWH forensic fallback — dashboard hero reads sealed tenant physical ledger via aggregateTenantKwhAverted and findLatestThreatPhysicalTelemetry before reporting 0 cents. Admin onboarding supervisor grid displays allocatedBaseline via formatCentsToAccountingUSD — display conversion only; PostgreSQL tenants.ale_baseline remains BigInt integer cents.
    • Constitutional seed baselines unchanged: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000 cents remain the Irontrust verification anchors in financialIngressInvariant.test.ts and verifyCanonicalEnterpriseBaseline.
    • Constitutional tenant anchor guard (2026-06-26 delta): formatAleEngineManifestLine in baselineDriftManifest.ts binds ALE_ENGINE footer anchors only when isConstitutionalTenantKey(activeTenantKey) returns true — dynamically provisioned slugs (for example acmecorp) emit ANCHOR UNBOUND until mapped to seed tenant keys in TENANT_UUIDS. Drift delta computation routes through industryBaselineAleCents() helper — subtraction remains BigInt cents end-to-end.
  • Mandate 2: Controlled Structural Amendments: You are strictly forbidden from modifying layout parameters, data ingestion targets, or background agent structures silently. Any alteration requires a formal TAS Amendment Proposal routed to the Product Owner. The Dynamic Discovery Mandate on IronBoard now permits only registered canonical responses in orchestrator/routing.ts (for example sales-lead domain boundary text). All other boardroom answers must cite tool receipts.

  • Mandate 3: Verifiable Sustainability Unit Ingress: Environmental footprint data must be logged using raw, physical units exclusively (such as kWh electricity, Liters water, or Kilometers logistics transport). The platform automatically rejects any sustainability telemetry packets containing purely monetary approximations to protect audit validity. Ironwatch system health columns (sustainability_live_api_degraded, sustainability_api_heartbeat_failures) now use IF NOT EXISTS guards for shadow-database replay safety.

  • Mandate 4: Absolute Tenant Isolation Enforcement: Cross-tenant memory bleed is a critical security failure. Row-Level Security (RLS) constraints strictly isolate customer boundaries. You are completely forbidden from attempting to extract database rows from a separate company profile while logged into another. The dashboard gate (resolveDashboardAccess) binds workspace UUIDs exclusively from cookie scope or the operator's own user_role_assignments row — never from guessed tenant IDs.

  • Mandate 5: Public Conversion Perimeter & Customer Service Documentation Grounding: All unauthenticated landing traffic (sales slide-over gateway, /sales-agent-portal, POST /api/agents/sales) must route to the prospect pool tenant UUID via process.env.IRONFRAME_PROSPECT_POOL_TENANT_UUID or fallback tenant_prospect_pool_01 — never into authenticated customer workspaces. The customer service agent (POST /api/agents/customer-service) must ground exclusively against app_documents rows where readingLevel: "LEVEL_1". Ironguard tenant validation runs before any documentation pull; fail closed with HTTP 403 when perimeter validation drops. All automated GRC reasoning nodes, sales plays, and customer service workers run at temperature: 0.0 with no emojis or creative flourishes in production copy.
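The whole-integer cent discipline from Mandate 1 (parsing operator dollar input without floats, display-only formatting, the whole-integer guard, and BigInt drift subtraction against the frozen seed anchors), as an added TypeScript example. This is not the project's own parseDollarAleToBigIntCents, formatCentsToAccountingUSD or assertWholeIntegerCents; the function names are mine and only the four seed baselines are taken from the manual.

```typescript
// Added example (not Ironframe project code): Mandate 1 cent handling.
// Dollar input is parsed as text so no JavaScript number ever holds the
// value; formatting is the only place cents become a dollar string.

// Constitutional seed baselines quoted from the manual, in BigInt cents.
const SEED_ALE_BASELINE_CENTS: Record<string, bigint> = {
  medshield: BigInt("1110000000"),
  vaultbank: BigInt("590000000"),
  gridcore: BigInt("470000000"),
  defense: BigInt("1600000000"),
};

/**
 * Parse an operator-typed dollar figure ("$11,100,000.00", "4700000.5") into
 * BigInt cents. Anything that is not a non-negative dollar amount with at most
 * two decimal places is rejected, so sub-cent input is refused, not rounded.
 */
function parseDollarInputToCents(input: string): bigint {
  const cleaned = input.trim().replace(/^\$/, "").replace(/,/g, "");
  const match = /^(\d+)(?:\.(\d{1,2}))?$/.exec(cleaned);
  if (!match) {
    throw new Error(`invalid dollar amount: ${JSON.stringify(input)}`);
  }
  const whole = BigInt(match[1]);
  const fraction = (match[2] ?? "").padEnd(2, "0"); // "5" -> "50"
  return whole * BigInt(100) + BigInt(fraction);
}

/** Display-only conversion: BigInt cents to an accounting-style USD string. */
function formatCentsForDisplay(cents: bigint): string {
  const negative = cents < BigInt(0);
  const abs = negative ? -cents : cents;
  const dollars = (abs / BigInt(100)).toString();
  const remainder = (abs % BigInt(100)).toString().padStart(2, "0");
  const grouped = dollars.replace(/\B(?=(\d{3})+(?!\d))/g, ",");
  return `${negative ? "-" : ""}$${grouped}.${remainder}`;
}

/**
 * Guard before persisting or emitting: accept a bigint or a string of digits
 * only. A JavaScript number (even 590000000) is rejected because it may have
 * passed through floating point on the way here.
 */
function assertWholeCentsString(value: unknown): bigint {
  if (typeof value === "bigint") return value;
  if (typeof value === "string" && /^-?\d+$/.test(value)) return BigInt(value);
  throw new Error(`not whole-integer cents: ${String(value)}`);
}

/**
 * Drift between a tenant's live baseline and its seed anchor, subtracted in
 * BigInt cents end to end. Slugs without a constitutional anchor (for example
 * a dynamically provisioned tenant) return null, the "ANCHOR UNBOUND" case.
 */
function driftFromSeedAnchorCents(tenantKey: string, liveBaselineCents: bigint): bigint | null {
  const anchor = SEED_ALE_BASELINE_CENTS[tenantKey];
  if (anchor === undefined) return null;
  return liveBaselineCents - anchor;
}
```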


🎨 Chapter 3: True Screen Grid Coordinates & Panel Layout Proportions

The platform interface scales fluidly in sync with your window size using a fixed fractional grid. It divides your display monitor into three permanent vertical panel columns, each operating with independent vertical scrolling:

  • The Left Panel (Data Deck) [22% Screen Width]: Houses active system security metric graphs, system maturity nodes, target asset profiles, and framework selection matrices.
  • The Center Panel (Workspace Canvas) [48% Screen Width]: Contains the primary navigation path tabs, the horizontal GRC metric rows, and the large workflow control blocks.
  • The Right Panel (Audit Column) [30% Screen Width]: Houses the Sustainability Pulse panel widget and the long, vertically extending Live Audit Ledger Stream terminal layout box.

Layout Refactor Notes (2026-06-26 Delta)

Today's delta consolidates role-based dashboards under app/(dashboard)/dashboard/* and makes the following layout changes:

  • The legacy app/roles/* tree is deleted (audit, board, cfo, ciso, cro, insurance, itsm, legal, ops, product, stakeholder_metrics stubs removed).
  • Configuration moves from /config to /settings/config; simulationNavFocus.resolveSettingsConfigHref falls back to /settings/config when no tenant key is bound.
  • Tenant topology and logs placeholder pages (app/*/topology, app/*/logs) are removed.
  • The authenticated support console lands at /dashboard/support with a tripane chat UI posting to /api/agents/customer-service.
  • The design-partner Get Started hub lands at /get-started with: a five-step progressive checklist referencing the 24-chapter Level 1 curriculum (post-activation copy; invite steps live in workspace email only); a guided step focus panel with Level 1 training corpus screenshots via GET_STARTED_STEP_VISUALS; per-step narration audio from /docs/training/assets/get-started-orientation/steps/{stepId}.mp3 through getStartedStepAudioSrc; an auto-play toggle (ironframe-get-started-step-audio-autoplay localStorage key); an embedded TrainerAgentSessionForm sandbox (POST /api/agents/trainer); an inline documentation reader drawer fetching GET /api/docs/reader?slug= without leaving the checklist (fixed bottom overlay with simulation-aware top offset); a GetStartedOrientationFallback companion for quickstart hash #orientation; an orientation walkthrough popout via openOrientationWalkthroughWindow() for crossfade screenshots with narration; OperatorActivationBanner for credential-state guidance; optional overview audio/video via NEXT_PUBLIC_GET_STARTED_VIDEO_URL (supports .mp3, .m4a, .wav, .ogg or video); a localStorage progress mirror (ironframe-get-started-v1); keepalive: true on the progress POST; benign runtime emission swallow via isBenignRuntimeEmissionError; and TRAINING_ONBOARDING audit receipts via POST /api/get-started/progress. The route is exempt from billing hold and listed in isScrollableStandalonePath / isDashboardRouteGroupPath in grcRouteMatch.ts.
  • Global Trainer drawer: TrainerAgentDrawer is mounted in AppShell.tsx on all workspace routes and opened from the Header #1 Ask Trainer chip via useTrainerAgentDrawerStore; portal slide-over at min(100vw, 420px) width with Escape dismiss. AppShell.tsx disables useIronwatchTelemetryFeed on /get-started to reduce onboarding noise. TopNav exposes data-testid="topnav-get-started-link".
  • Ironquery export scope UX: /dashboard/exports renders ExportScopeRequiredPanel in-page when the entitlement is missing (replaces the redirect to /?exportScope=required); the authenticated Command Post mounts ExportScopeRequiredBanner when the export scope query param is present.
  • The admin onboarding supervisor UI refactors /admin/onboarding into a deployment inventory grid (AdminOnboardingDeployments) plus a #onboarding-controls provisioning shell. fetchTenantDeploymentRows() surfaces ALE allocation via formatCentsToAccountingUSD(tenant.ale_baseline) (BigInt cents in DB, formatted USD display only), infrastructure badges PROVISIONED vs STAGED, legal posture COMPLETE / PENDING_SIGNATURE / AWAITING_INITIALIZATION, and per-tenant workspace URLs from buildTenantSubdomainOrigin.
  • Middleware auth landing refactor: buildLoginRedirectUrl preserves the next return path on unauthenticated redirects; Rule B uses resolveAuthNextPathForHost instead of a hardcoded /integrity; finalizeMiddlewareResponse wraps every middleware exit with applySubdomainTenancy.
  • Docs routing hardening: next.config.ts rewrites legacy hub assets to the .html suffix only; markdown slugs route to app/docs/[[...slug]]. The Windows dev webpack cache is switched to in-memory (prevents the layout.css 404 caused by cache: false). Public /docs renders from PostgreSQL app_documents via CompilationIngressPortal when slug resolution fails; the filesystem-only generateStaticParams is removed; /docs/hub redirects to /docs/README; /docs/user-guide redirects to /docs/user-manuals/user-guide.
  • Trust Center procurement pages mount at /trust/* inside the dashboard route group.
  • Registration surface deletion: app/(marketing)/register/setup/page.tsx is removed entirely; /register/demo server-redirects to /register/contact?reason=sales_assisted_only.
  • The corporate provision form now parses dollar ALE input through parseDollarAleToBigIntCents in provisionCorporateTenant.ts and persists whole-integer cent strings only.
  • Master purge guard: purgeAllDataAction returns failure outside NODE_ENV=development.
  • Training screenshot corpus: twenty-four PNG assets under public/docs/training/assets/ plus the supplemental capture get-started-dashboard-exports-stack.png at /dashboard/exports per training-corpus-manifest.json supplementalCaptures; the Level 1 chapter 03 capture route is updated to / (Main Ops Command Center tripane).
  • WCAG touch targets: app/globals.css adds ironframe-interactive rules; coarse pointer devices enforce a 2.75rem (44px) minimum height on buttons and rounded anchors per the dark cockpit aesthetic mandate.
  • Tailwind: a fadeIn keyframe animation is added for support console, docs shell, and Trainer drawer transitions.

Narrow public ingress funnel (2026-06-26 delta): Cloud hosts without IRONFRAME_ALLOW_PUBLIC_INGRESS=1 permit only the narrow public funnel — not a full-host 403 on every path. Allowed cloud paths include /, /terms, /privacy, /pricing, /marketing, /register/*, /sales-agent-portal, /governance-frame, auth surfaces, /account/billing-hold, /docs, /api/auth/callback, and /api/auth/session-bootstrap. Private workspace surfaces (/integrity, /dashboard/*, /cockpit) remain 403 blocked until full ingress opt-in. Dual Stripe webhooks bypass quarantine: /api/webhooks/stripe and /api/billing/webhook. Token-gated API paths bypass quarantine — route handlers enforce Bearer secrets. Staging apex: IRONFRAME_STAGING_APEX_DOMAIN in tenantSubdomain.ts resolves tenant slug from staging Vercel host patterns.

Surface | Route examples | Chrome mounted | Scroll behavior
--- | --- | --- | ---
Public marketing landing | / (guest), /marketing | MarketingHomepage — no TopNav | Full-page vertical scroll
Public legal and pricing | /terms, /privacy, /pricing, /register/contact | Theme tokens only | Full-page scroll
Sales agent portal | /sales-agent-portal | MarketingSalesPortalTrigger + SalesAgentSlideOver | Full-page scroll
App docs reader | /docs, /docs/[slug] | DocsChrome — DB-backed AppDocument | Full-page scroll
Governance Frame reader | /governance-frame, /governance-frame/[slug] | GovernanceFrameLayout | Full-page scroll; robots: index false
Auth public paths | /login, /forgot-password, /reset-password, /unauthorized, /legal/accept | Themed forms | Full-page scroll
Dashboard command center | /, /integrity (authenticated), /dashboard/*, /dashboard/support | DashboardCommandCenterLayout → AppShell → TopNav | Tripane columns scroll independently
Design-partner Get Started hub | /get-started | GetStartedPortalClient — checklist + Trainer sandbox | standaloneScroll on AppShell; billing-hold exempt
Trust Center | /trust, /trust/dpa, /trust/subprocessors, /trust/data-residency | Dashboard chrome — TrustProcurementDocument | Standalone scroll
Tenant subdomain workspace | http://{slug}.lvh.me:3000/integrity | Host-bound tenant switcher lock | Tripane or standalone
Platform admin onboarding | /admin/onboarding, /admin/onboarding/test-assets | AdminOnboardingDashboardHeader + AdminOnboardingDeployments + #onboarding-controls | Standalone scroll within GLOBAL_ADMIN gate
Standalone dashboard pages | /evidence, /board-report, /reports/audit-trail | TopNav chrome | standaloneScroll on AppShell

Layout separation mandate (2026-06-18): Root app/layout.tsx mounts IronframeThemeProvider only; it does not mount AppShell or TopNav. Authenticated workspace chrome is confined to app/(dashboard)/layout.tsx, which calls ensureDashboardTenantSession, resolves billing entitlement, and wraps children in DashboardCommandCenterLayout → DashboardGroupShell → DashboardBillingGate. Public /login, /pricing, /register/contact, /docs, and /governance-frame never inherit command-center chrome. AppShellRouter and ConditionalAppShell route chrome by pathname class. Tenant subdomain hosts receive host-bound scope via applySubdomainTenancy on every middleware response.

The DashboardGroupShell component writes data-dashboard-left-rail, data-dashboard-right-rail, and data-dashboard-rail-floor-lock attributes so CSS enforces the constitutional 22/48/30 geometry on tripane routes only. When initialTenantUuid arrives from the server RBAC gate and no client cookie exists, the shell writes ironframe-tenant (180-day max-age, SameSite=Lax) and dispatches ironframe-tenant-changed.

⚙️ Chapter 4: Component-by-Component GRC Feature Dictionary

Every visible component on your monitor screen is mapped below using industry-standard GRC nomenclature. Use this glossary to cross-reference elements during your self-paced online laboratories. Each entry cites the agent boundary implicated by today's code delta.


<a id="ingress-001"></a>

🚧 Feature 0: Production Deployment Quarantine Perimeter (Narrow Public Funnel)

  • GRC Function ID: INGRESS-001
  • Exact Screen Coordinates: No visible UI on blocked responses — browser displays monospace IRONFRAME SYSTEM ARCHITECTURE 403 page with message LOCAL DEVELOPMENT ONLY · Public ingress is disabled. Public funnel routes (/terms, /docs, /marketing, etc.) render normally on cloud hosts without full ingress opt-in.
  • Operational Purpose: Blocks private workspace HTTP ingress to Ironframe on cloud-hosted domains (Vercel preview, production apex, tenant subdomains) during closed Phase 1 development while preserving a narrow public funnel for legal, marketing, registration, documentation, Governance Frame, and sales-agent surfaces. Forces operators to bind dev servers to 127.0.0.1 and use localhost, 127.0.0.1, or *.lvh.me tenant workspaces locally. Stripe signed webhooks and token-gated cron/API paths remain reachable so commerce provisioning and headless automation can run while the command center stays dark on cloud hosts.
  • Technical Mechanics: Implemented in app/lib/security/deploymentQuarantine.ts and app/utils/grcRouteMatch.ts, invoked as middleware step 1 before Supabase session refresh. Middleware executes ordered phases:
    1. Production quarantine perimeter: shouldBlockProductionIngress (local dev hosts always continue)
    2. Prospect ingress gate: shouldBlockProspectIngress redirects self-serve registration to /register/contact when IRONFRAME_PUBLIC_REGISTRATION_ENABLED is false
    3. Supabase session + platform gates: updateSession, tenant isolation, stale lockdown
    4. Auth entrance codes: Rule A0 (assertGlobalAdminForOnboarding for /admin/onboarding GLOBAL_ADMIN), Rule A (unauthenticated /integrity → /login), Rule B (authenticated /login → tenant Command Post or Integrity Hub via resolvePostAuthLandingPath), public marketing/legal/pricing/demo passthrough for guests
    5. Subdomain tenancy finish: applySubdomainTenancy stamps host-bound tenant headers and cookies on every response

shouldBlockProductionIngress returns true when:

  1. Hostname is not a local development host (localhost, 127.0.0.1, [::1], *.localhost, *.lvh.me, *.localtest.me)
  2. Pathname is not a Stripe webhook (/api/webhooks/stripe or /api/billing/webhook per STRIPE_WEBHOOK_PATHS in config/stripe.ts)
  3. Pathname is not token-gated API ingress (isTokenGatedApiIngressPath: /api/internal/cron/*, /api/cron/narrate, /api/board/feed, /api/internal/ironquery/export)
  4. Pathname is not a narrow public funnel path (isPublicCloudIngressPath: /, /terms, /privacy, /pricing, /marketing, /sales-agent-portal, /register/*, auth surfaces, /legal/accept, /account/billing-hold, /docs, /governance-frame, /api/auth/callback)
  5. IRONFRAME_ALLOW_PUBLIC_INGRESS is not set to 1, true, or yes

isPrivateWorkspaceIngressPath classifies /integrity, /dashboard/*, /cockpit, and other command-center surfaces as blocked on cloud hosts until full ingress opt-in. Local development whitelist includes vaultbank.lvh.me and acmecorp.lvh.me style tenant subdomains — wildcard *.lvh.me resolves to 127.0.0.1 without OS hosts file edits. IronBoard engine binds 127.0.0.1 only (not 0.0.0.0) — startup log reads your provisioned workspace URL.

  • Agent Boundary: Ironguard (Agent 12) perimeter enforcement; Ironlock (Agent 6) coordinates with constitutional freeze when combined with stale lockdown.
  • Step-by-Step Lab Validation:
    1. Deploy to ironframegrc.com or a Vercel preview host without IRONFRAME_ALLOW_PUBLIC_INGRESS=1.
    2. Navigate to /terms, /privacy, /marketing, /docs, /pricing, /sales-agent-portal, and /governance-frame — verify HTTP 200 (narrow funnel allowed).
    3. Navigate to /integrity, /dashboard/cfo, and authenticated tripane / — verify HTTP 403 monospace quarantine page.
    4. POST to /api/webhooks/stripe and /api/billing/webhook on the same cloud host — verify requests are not quarantined.
    5. POST to /api/internal/cron/industry-scout with valid IRONFRAME_CRON_SECRET Bearer — verify route handler executes (middleware passthrough).
    6. On your provisioned workspace URL, confirm all dashboard routes remain accessible.
    7. Set IRONFRAME_ALLOW_PUBLIC_INGRESS=1 in environment — confirm cloud preview allows full workspace ingress for stakeholder demos.
    8. Run tests/unit/deploymentQuarantine.test.ts — verify narrow funnel paths, localhost whitelist, dual Stripe webhook bypass, token-gated API bypass, and private workspace block semantics.
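The five-condition quarantine decision described for INGRESS-001, as an added stand-alone TypeScript model. It is not the project's deploymentQuarantine.ts or grcRouteMatch.ts; the host and path lists are copied from this entry, the function names are mine, and the hostnames in the checks are constructed. Note that passing the perimeter is not authorization: the Stripe webhook handlers still verify signatures and the token-gated routes still enforce their Bearer secrets, as the entry states.

```typescript
// Added example (not Ironframe project code): narrow-funnel quarantine model.
// Works on an already-normalized pathname, as Next.js middleware supplies it.

interface IngressRequest {
  hostname: string;               // Host header, may carry a port
  pathname: string;               // URL path
  allowPublicIngressEnv?: string; // IRONFRAME_ALLOW_PUBLIC_INGRESS value, if set
}

type PassReason = "local-dev" | "stripe-webhook" | "token-gated-api" | "public-funnel" | "ingress-opt-in";
type IngressDecision =
  | { blocked: false; reason: PassReason }
  | { blocked: true; reason: "private-workspace" };

// Condition 1: local development hosts (wildcards resolve to 127.0.0.1).
const LOCAL_DEV_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const LOCAL_DEV_SUFFIXES = [".localhost", ".lvh.me", ".localtest.me"];

// Condition 2: Stripe webhooks (STRIPE_WEBHOOK_PATHS in the manual).
const STRIPE_WEBHOOK_PATHS = new Set(["/api/webhooks/stripe", "/api/billing/webhook"]);

// Condition 3: token-gated API ingress; handlers enforce Bearer secrets themselves.
const TOKEN_GATED_API_EXACT = new Set(["/api/cron/narrate", "/api/board/feed", "/api/internal/ironquery/export"]);
const TOKEN_GATED_API_PREFIXES = ["/api/internal/cron/"];

// Condition 4: the narrow public funnel. "/" passes here; whether a signed-in
// operator sees the tripane on "/" is decided later by the RBAC gate.
const PUBLIC_FUNNEL_EXACT = new Set([
  "/", "/terms", "/privacy", "/pricing", "/marketing", "/sales-agent-portal",
  "/login", "/forgot-password", "/reset-password", "/unauthorized", "/legal/accept",
  "/account/billing-hold", "/docs", "/governance-frame",
  "/api/auth/callback", "/api/auth/session-bootstrap",
]);
const PUBLIC_FUNNEL_PREFIXES = ["/register/", "/docs/", "/governance-frame/"];

function isLocalDevelopmentHost(hostname: string): boolean {
  const host = hostname.trim().toLowerCase().replace(/:\d+$/, ""); // drop port
  if (LOCAL_DEV_HOSTS.has(host)) return true;
  return LOCAL_DEV_SUFFIXES.some((suffix) => host.endsWith(suffix));
}

// Strip query/fragment and trailing slashes so "/docs/" and "/docs" agree.
function normalizePath(pathname: string): string {
  const noQuery = pathname.split(/[?#]/, 1)[0];
  return noQuery.length > 1 ? noQuery.replace(/\/+$/, "") : noQuery;
}

function isTokenGatedApiIngressPath(p: string): boolean {
  return TOKEN_GATED_API_EXACT.has(p) || TOKEN_GATED_API_PREFIXES.some((pre) => p.startsWith(pre));
}

function isPublicCloudIngressPath(p: string): boolean {
  return PUBLIC_FUNNEL_EXACT.has(p) || PUBLIC_FUNNEL_PREFIXES.some((pre) => p.startsWith(pre));
}

// Condition 5: explicit opt-in values 1, true, yes.
function isPublicIngressOptIn(value: string | undefined): boolean {
  return ["1", "true", "yes"].includes((value ?? "").trim().toLowerCase());
}

// Ordered evaluation of the five conditions; anything left over is a private
// workspace surface (/integrity, /dashboard/*, /cockpit, ...) and is blocked.
function decideProductionIngress(req: IngressRequest): IngressDecision {
  if (isLocalDevelopmentHost(req.hostname)) return { blocked: false, reason: "local-dev" };
  const p = normalizePath(req.pathname);
  if (STRIPE_WEBHOOK_PATHS.has(p)) return { blocked: false, reason: "stripe-webhook" };
  if (isTokenGatedApiIngressPath(p)) return { blocked: false, reason: "token-gated-api" };
  if (isPublicCloudIngressPath(p)) return { blocked: false, reason: "public-funnel" };
  if (isPublicIngressOptIn(req.allowPublicIngressEnv)) return { blocked: false, reason: "ingress-opt-in" };
  return { blocked: true, reason: "private-workspace" };
}
```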

<a id="auth-001"></a>

🔐 Feature 0b: Zero-Trust Dashboard RBAC Gate

  • GRC Function ID: AUTH-001
  • Exact Screen Coordinates: Invisible server gate — manifests as redirect to /login or /unauthorized before any dashboard chrome paints.
  • Operational Purpose: Ensures authenticated Supabase users without a matching user_role_assignments row cannot mount workspace shells, preventing privilege escalation into tenant telemetry grids.
  • Technical Mechanics: app/(dashboard)/layout.tsx calls ensureDashboardTenantSession(await resolveDashboardAccess()):
    • unauthenticated → redirect("/login")
    • pending (no valid assignment) → redirect("/unauthorized")
    • allowed → passes tenantUuid into DashboardGroupShell
  • Constitutional authority bypass: Dev constitutional authority users may fall back to Medshield UUID 5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01 when no assignment exists — logged as tenantFallbackApplied: true.
  • Agent Boundary: Ironguard (Agent 12) token and context validation.
  • Step-by-Step Lab Validation:
    1. Sign in with a Supabase user that has no user_role_assignments row.
    2. Attempt /integrity — verify redirect to /unauthorized and AccessPending surface.
    3. Assign a role row for Medshield tenant — reload — verify dashboard chrome mounts with tenant cookie written.
    4. Trigger digest 1041080224 class server error — verify app/(dashboard)/error.tsx renders AccessPending instead of blank error page.
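The three-way gate above together with the Mandate 4 binding rule (workspace UUID from the cookie or the operator's own user_role_assignments row, never from a guessed tenant id), as an added TypeScript example. It is not the project's resolveDashboardAccess or ensureDashboardTenantSession; the Medshield UUID is quoted from this entry, the other ids are constructed, and gating the constitutional authority fallback on NODE_ENV=development is my assumption.

```typescript
// Added example (not Ironframe project code): zero-trust tenant binding.

interface SessionUser { id: string; constitutionalAuthority?: boolean }
interface RoleAssignment { userId: string; tenantUuid: string; role: string }

interface AccessInput {
  user: SessionUser | null;      // Supabase session; null when signed out
  assignments: RoleAssignment[]; // user_role_assignments rows read server-side
  cookieTenantUuid?: string;     // ironframe-tenant cookie: client-controlled, untrusted
  requestedTenantUuid?: string;  // tenant id from a URL or query: never binding
  nodeEnv?: string;              // process.env.NODE_ENV (assumed gate for the fallback)
}

type DashboardAccess =
  | { status: "unauthenticated"; redirect: "/login" }
  | { status: "pending"; redirect: "/unauthorized" }
  | { status: "allowed"; tenantUuid: string; tenantFallbackApplied: boolean };

// Quoted from the manual.
const MEDSHIELD_TENANT_UUID = "5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01";

function resolveAccess(input: AccessInput): DashboardAccess {
  if (!input.user) return { status: "unauthenticated", redirect: "/login" };
  const user = input.user;

  // Only rows belonging to this user count; a row for another user proves nothing.
  const own = input.assignments.filter((a) => a.userId === user.id);
  const ownTenants = new Set(own.map((a) => a.tenantUuid));

  if (ownTenants.size === 0) {
    // Dev-only constitutional authority fallback, surfaced in the result so
    // the caller can log tenantFallbackApplied: true.
    if (user.constitutionalAuthority && input.nodeEnv === "development") {
      return { status: "allowed", tenantUuid: MEDSHIELD_TENANT_UUID, tenantFallbackApplied: true };
    }
    return { status: "pending", redirect: "/unauthorized" };
  }

  // The cookie may only choose among tenants the operator is assigned to. A
  // cookie naming a foreign tenant is ignored rather than honoured; that is
  // what stops a forged or stale cookie from bleeding another tenant's rows.
  if (input.cookieTenantUuid && ownTenants.has(input.cookieTenantUuid)) {
    return { status: "allowed", tenantUuid: input.cookieTenantUuid, tenantFallbackApplied: false };
  }

  // requestedTenantUuid is deliberately never consulted: a guessed tenant id
  // must not bind a workspace. Fall back to the operator's first assignment.
  return { status: "allowed", tenantUuid: own[0].tenantUuid, tenantFallbackApplied: false };
}
```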

<a id="auth-002"></a>

🔑 Feature 0c: Public Homepage vs Command Center Split

  • GRC Function ID: AUTH-002
  • Exact Screen Coordinates: Root URL / — marketing hero for guests; tripane Command Center for authenticated operators with RBAC clearance.
  • Operational Purpose: Exposes a Seed-to-Series-A marketing narrative to prospects while preserving the full 19-agent workforce grid for credentialed operators on the same route.
  • Technical Mechanics: app/page.tsx resolves resolveDashboardAccess():
    • Guest → MarketingHomepage with regulatory brief cards (DORA, EU AI Act, NIS2) and CONSOLE INGRESS ──► link to /login
    • Allowed → DashboardHomeClient inside DashboardGroupShell with carbonMitigatedValueCents passed as BigInt from resolveDashboardMitigatedValueCents
  • Agent Boundary: Ironcore orchestration; Ironbloom (Agent 17) supplies mitigated value cents; Irontrust (Agent 3) validates financial display via formatCentsToUSD.
  • Step-by-Step Lab Validation:
    1. Open / in a private browser window — verify marketing hero title Ironframe: The Immutable Standard for AI-Driven GRC.
    2. Click CONSOLE INGRESS — verify navigation to /login.
    3. Sign in with RBAC-cleared operator — verify tripane Command Center replaces marketing layout on /.
    4. Inspect network payload for mitigated value — confirm raw cents integer, not float.

<a id="theme-001"></a>

🎨 Feature 0d: Ironframe UI Theme Palette Selector

  • GRC Function ID: THEME-001
  • Exact Screen Coordinates: TopNav master header — operator profile dropdown (TopNavUserProfileMenu) → Appearance section.
  • Operational Purpose: Allows operators to select a visual palette without altering tenant data context — UI-only scope per TAS.
  • Technical Mechanics: Three registered themes in app/lib/ironframeTheme.ts:
    1. Standard System — follows OS light/dark via next-themes value system
    2. Executive Light — high-contrast paper palette (data-ironframe-palette="executive-light")
    3. Cyber Command Dark — midnight command deck (data-ironframe-palette="cyber-command-dark")
    Persistence key: ironframe-ui-theme. Body attributes: data-ironframe-theme and data-ironframe-palette synced by IronframeThemeBodySync.
  • Agent Boundary: None — pure presentation layer; does not touch LangGraph state or financial stores.
  • Step-by-Step Lab Validation:
    1. Open profile menu in TopNav — verify email and role label render.
    2. Select Executive Light — verify document.body gains data-ironframe-theme="executive-light".
    3. Navigate to /login — verify login page respects --bg-primary and --login-border CSS variables.
    4. Select Cyber Command Dark — verify TopNav classes ironframe-topnav-master and ironframe-topnav-subnav pick up dark palette tokens.
    5. Reload browser — verify theme persists from localStorage via next-themes.

<a id="auth-003"></a>

📧 Feature 0e: Corporate B2B Tenant Invite Provisioning

  • GRC Function ID: AUTH-003
  • Exact Screen Coordinates: Admin server action — no default UI chip; invoked from platform administrator tooling.
  • Operational Purpose: Provisions corporate users into Medshield, Vaultbank, Gridcore, or Defense tenants via Supabase Admin invite API with tenant-scoped metadata.
  • Technical Mechanics: app/actions/admin/inviteCorporateTenantUser.ts delegates to inviteCorporateTenantUserCore in corporateTenantProvisionCore.ts after requirePlatformAdministrator():
    • Requires GLOBAL_ADMIN role, constitutional authority, or remote-access toggle per platformAdminAccess.ts
    • Uses SUPABASE_SERVICE_ROLE_KEY (server-only — documented in .env.example)
    • Redirect URL built from resolveTenantAuthRedirectOrigin and buildAuthCallbackUrl — may target tenant subdomain after invite
    • Supports role selection: GRC_MANAGER or CISO on invite form
    • Writes auditLogCreateLoose receipt on success
  • Agent Boundary: Ironguard (Agent 12) identity; Ironwatch (Agent 13) audit trail.
  • Step-by-Step Lab Validation:
    1. As GLOBAL_ADMIN, submit invite form with email and tenantSlug=medshield.
    2. Verify Supabase invite email contains callback to NEXT_PUBLIC_APP_URL.
    3. Confirm user_role_assignments row created for target tenant UUID.
    4. Attempt invite as non-admin — verify error GLOBAL_ADMIN role required.

<a id="tenant-001"></a>

🔄 Feature 1: Multi-Tenant Context Switcher

  • GRC Function ID: TENANT-001
  • Exact Screen Coordinates: Pinned to the far left edge of the global sub-header toolline (TopNav subnav row), sitting directly above the Left Panel.
  • Operational Purpose: Swaps your complete display dashboard between separate corporate profiles. On apex hosts, GLOBAL_ADMIN operators see every provisioned tenant plus the aggregate Global Command Center lane. Non-admin operators see only tenants bound to their user_role_assignments rows. On tenant subdomain hosts (e.g. vaultbank.lvh.me:3000 or vaultbank.ironframegrc.com), the switcher locks to the host-bound workspace — cross-tenant switching is forbidden to prevent subdomain scope bleed.
  • Technical Mechanics: app/lib/auth/commandCenterTenantAccess.ts exports resolveCommandCenterTenantScope() — RBAC-scoped tenant listing replaces the prior unscoped prisma.tenant.findMany. TenantSwitcher consumes listCommandCenterTenantScope() server action. DashboardGroupShell seeds ironframe-tenant cookie from server-resolved initialTenantUuid when client cookie is missing, then calls setIronguardEffectiveTenant. applySubdomainTenancy in middleware stamps x-ironframe-host-tenant-slug and x-ironframe-host-tenant-uuid headers and rewrites conflicting path-prefix tenant slugs. Dynamic tenant slugs resolve via internal gate /api/internal/tenant-slug-resolve when not in seed TENANT_UUIDS map.
  • Financial Baselines on Switch (BigInt cents only):
    • Medshield → 1110000000
    • Vaultbank → 590000000
    • Gridcore → 470000000
    • Defense → 1600000000
    • Dynamically provisioned tenants → tenants.ale_baseline BIGINT set at provision time (Stripe checkout passes amountTotalCents as BigInt)
  • Step-by-Step Lab Validation:
    1. Sign in as GRC_MANAGER assigned to Vaultbank only — verify switcher lists Vaultbank row exclusively.
    2. Sign in as GLOBAL_ADMIN on apex host — verify all seed tenants plus any provisioned corporate tenants appear; Global lane permitted.
    3. Open your provisioned workspace URL — verify switcher shows Vaultbank only and canAccessGlobal is false.
    4. Click tenant dropdown — observe ECG progress sweep until financial cells paint.
    5. Open browser cookies — verify ironframe-tenant matches host-bound UUID on subdomain routes.

<a id="ux-005"></a>

📊 Feature 2: Operational Maturity Tracker

  • GRC Function ID: UX-005
  • Exact Screen Coordinates: Positioned inside the upper section of the Center Panel (48% Screen Width), sitting right next to the active operational tabs.
  • Operational Purpose: Provides an absolute, real-time numeric grade of the selected corporate entity's cybersecurity health and regulatory posture.
  • Technical Mechanics: Calculated dynamically by the Irontrust math engine (Agent 3) based on passed vulnerability scans, unpatched dependencies, and active compliance metrics. /api/grc/tas-integrity now returns systemMaturityScore from readGovernanceMaturityState inside a consolidated buildIntegrityPayload helper that survives partial subsystem failures.
  • Step-by-Step Lab Validation:
    1. Look at the Operational Maturity Tracker block located at the crown of your center console canvas.
    2. Read the white numeric fraction value outputting the current grade (e.g., 4.5 / 10).
    3. Verify the Trend Metric: locate the small green trend indicator text tracking your Month-Over-Month performance curve (+1.2 MoM).
    4. Change corporate profile using the tenant switcher — observe the 8-second EKG sweep until new tenant scores paint.
    5. Call GET /api/grc/tas-integrity — verify JSON includes systemMaturityScore, chaosSimulationActive, and sha256Short without 500 error when Prisma slice read fails (degraded mode).

<a id="sim-001"></a>

🕹️ Feature 3: Chaos Engineering Simulation Injector

  • GRC Function ID: SIM-001
  • Exact Screen Coordinates: Positioned directly within the middle section of the Left Panel (22% Screen Width).
  • Operational Purpose: Injects simulated infrastructure disasters and security threats to validate background agent detection, boundary isolation, and self-healing response playbooks without risking production infrastructure.
  • Technical Mechanics: Simulates distinct cyber-threat profiles by triggering temporary network or state disruptions, forcing monitoring agents like Ironlock (Agent 6) or Ironwatch (Agent 13) to execute automated containment and quarantine playbooks. Shadow-plane rows land in SimThreatEvent with mitigated_value_cents BIGINT — never production ThreatEvent for self-test noise.

⚠️ CRITICAL CYBERSECURITY TAXONOMY NOTE FOR AUDITORS: Cloud Exfiltration and Ransomware are two entirely distinct cybersecurity threats that require completely different mitigation strategies.

  • Ransomware is a malicious payload that encrypts local or network files to break resource availability in exchange for an extortion payment.
  • Cloud Exfiltration is the unauthorized, often silent transfer of sensitive datasets outside of an organization's cloud perimeter, targeting a breach of data confidentiality.
  • Step-by-Step Lab Validation:
    1. Enable simulation mode (ironframe-simulation-mode=1 cookie) — verify self-test bar renders per TAS 4.3.
    2. Locate the Chaos Engineering Simulation Injector block inside the middle tier of the Left Panel (22% screen width).
    3. Click the simulation scenario selector dropdown menu, which reads SELECT IRONTECH CHAOS DRILL....
    4. Select the Ransomware Drill Scenario: Scroll down and click 6 — IRONTECH CHAOS L6 · CRYPTOGRAPHIC RANSOMWARE (EXTORTION).
    5. Click GENERATE CHAOS THREAT.
    6. Observe the Right Panel audit logs — verify Irongate signature interception through Irontrust zero-variance math verification without BigInt drift on mitigated cents columns.

<a id="sim-002"></a>

🕹️ Feature 3b: Chaos Engineering Simulation — Ransomware Protocol Addendum

  • GRC Function ID: SIM-002
  • Exact Screen Coordinates: Triggered via the Chaos Drill Selector Dropdown inside the middle tier of the Left Panel (22% Screen Width).
  • Operational Purpose: Simulates a localized cryptographic extortion attack to explicitly validate the multi-agent detection, mitigation, and recovery speed of the 19-agent workforce without introducing technical risk or financial calculation errors to the environment.
  • Technical Mechanics: Mimics a high-volume encryption hazard. The system proves operational resilience by forcing a hardware state freeze, isolating the tenant perimeter, and testing the Irontrust whole-integer asset verification engine. tenants.is_under_targeted_siege and quarantine_ledger.primary_target_tenant_uuid columns support forensic targeting per migration 20260516120000_tenant_siege_quarantine_target.
  • Step-by-Step Lab Validation:
    1. Access the dropdown titled SELECT IRONTECH CHAOS DRILL... in the Left Panel.
    2. Select 6 — IRONTECH CHAOS L6 · CRYPTOGRAPHIC RANSOMWARE (EXTORTION).
    3. Click GENERATE CHAOS THREAT.
    4. Verify System Feedback Lifecycle:
      • Confirm emerald EKG line sweeps for the full 8-second processing block.
      • Verify Center Panel status ALL MODULES SECURE · STATE FROZEN.
      • Review Live Audit Ledger Feed — confirm six tracking steps print without execution failures.
      • Query SimThreatEvent.mitigated_value_cents — confirm BIGINT type, never float.

<a id="sync-001"></a>

⚡ Feature 4: Core Architecture Alignment Synchronizer

  • GRC Function ID: SYNC-001
  • Exact Screen Coordinates: Pinned inside the top horizontal container of the Center Panel (48% Screen Width), reading ALL MODULES SECURE · ZERO DRIFT ENFORCED.
  • Operational Purpose: Gives compliance inspectors instantaneous visual validation that zero unauthorized file mutations have occurred across the codebase.
  • Technical Mechanics: Continuously computed by the Ironwatch shadow tracking agent (Agent 13), which validates real-time system file snapshots against a cryptographically secured master repository hash. system_health_log table records service heartbeat rows with service_key indexing per migration 20260515220000_ironwatch_system_health.
  • Step-by-Step Lab Validation:
    1. Locate the horizontal synchronizer bar resting above your center workspace.
    2. Confirm that the status indicator circle is glowing bright teal, giving visual proof that all 19 micro-agents are checking in securely without system drift.
    3. Inspect system_health_log for recent service_key entries after sustainability API heartbeat.

<a id="grc-002"></a>

🕵️ Feature 5: Automated Compliance Workforce Grid Array

  • GRC Function ID: GRC-002
  • Exact Screen Coordinates: Stretched across the middle tier of your Center Panel (48% Screen Width), sitting directly beneath the horizontal metric rows.
  • Operational Purpose: Provides a centralized management dashboard to monitor, audit, and trace the live operational states of your 19 specialized background automation agents.
  • Technical Mechanics: Displays check-in times and statuses of specialized micro-workers. Today's delta explicitly documents the platform application boundary in lib/platformApplicationBoundary.ts:
    • Ironframe (default port 3000) — security, risk, and technical compliance engine hosting the 19-agent GRC production workforce (Ironcore, Irongate, Irontally, Ironlogic, etc.)
    • IronBoard (default port 8082) — executive boardroom conversation plane with CRM discovery tools; zero cross-contamination with Ironframe port 3000 per ZERO_CROSS_CONTAMINATION_DIRECTIVE
  • Step-by-Step Lab Validation:
    1. Scan the automated workforce table grid rows to verify all agents output green ACTIVE status lights.
    2. Left-click directly on any specific agent row (such as Ironlock or Ironguard).
    3. Verify that the GRC Meta Specification Drawer slides open from the right side, displaying that agent's core unchangeable technical directives.
    4. Run tests/unit/platformApplicationBoundary.test.ts — confirm port constants match environment documentation.

<a id="log-001"></a>

📋 Feature 6: Immutable Audit Ledger Feed

  • GRC Function ID: LOG-001
  • Exact Screen Coordinates: Placed inside the Right Panel (30% Screen Width) column track, extending directly beneath the base of the Sustainability Pulse widget down to the bottom monitor frame. Standalone mode available on /reports/audit-trail via AuditIntelligence layout="standalone".
  • Operational Purpose: Serves as a transparent, cryptographically signed, and append-only execution log tracking every system call, user access check, and automated policy remediation for external compliance inspectors.
  • Technical Mechanics: Implements a strict append-only format within the data tier. quarantine_ledger now includes forensic_justification TEXT and primary_target_tenant_uuid UUID with idempotent migration guards for shadow DB replay order.
  • Step-by-Step Lab Validation:
    1. Scroll the right-hand logging panel independently through historical entries.
    2. Verify every logged event contains an absolute timestamp and a distinct cryptographic validation string (e.g., [AGENT-14] SANITIZATION PURGE RESOLVED).
    3. Navigate to /reports/audit-trail — verify standalone layout scrolls within AppShell main track without tripane overflow clipping.

<a id="carbon-001"></a>

🔋 Feature 7: Sustainability Pulse Widget

  • GRC Function ID: CARBON-001
  • Exact Screen Coordinates: Positioned inside the upper half section of the Right Panel (30% Screen Width) column track, marked by a green leaf icon.
  • Operational Purpose: Tracks real-time emissions intensity and hardware consumption data to fulfill global climate reporting requirements (such as Europe's CSRD or US SEC Climate Disclosures).
  • Technical Mechanics: Powered by the Ironbloom agent (Agent 17), which mandates physical hardware metrics (kWh electricity, Liters water, Kilometers logistics transport) and completely rejects flat monetary data. Today's delta hardens the physical ingress path in lib/sustainability/ironbloomDashboardTelemetry.ts:
    • parseThreatIngestionTelemetry — extracts kWh or alternate physical units from ThreatEvent.ingestionDetails JSON
    • buildCarbonTraceFromStream — computes carbonGramsCo2e and routes mitigatedValueCents as BigInt through computeSustainabilityAleForTenantUuid (kWh path) or mitigatedValueCentsFromCarbonTrace (non-kWh path)
    • recordSustainabilityImpact — returns { reason: "no_physical_telemetry" } when ingestionDetails lacks sealed physical payload (severity-based 2500/500 kWh fallback removed)
    • productionCarbonLedger.ts — priority chain: (1) aggregate production ledger cents, (2) aggregateTenantKwhAverted physical aggregate, (3) findLatestThreatPhysicalTelemetry stream trace, (4) 0 cents with forensic intensity flag — no reference kWh env fallback
    • sustainabilityAnalyticsActions.ts — physicalKwhLabel replaces referenceKwhLabel; displays "No sealed physical kWh yet — ingest utility telemetry on resolved threats" when aggregate is zero
    • tenantPhysicalTelemetry.ts — tenant-scoped kWh aggregation for dashboard and analytics plane
    • kwhAverted persisted as BigInt on SustainabilityMetric upsert — never JavaScript float
  • Step-by-Step Lab Validation:
    1. Read the active footprint calculation line (e.g., 382 gCO₂eq/kWh) and confirm the orange FALLBACK ACTIVE badge appears when the Electricity Maps API is offline.
    2. Resolve a threat with kWh in ingestionDetails — verify mitigated_value_cents BIGINT row and dashboard hero updates.
    3. Resolve a threat without physical telemetry — verify no_physical_telemetry reason and hero remains 0 cents (not synthetic reference kWh).
    4. Swap tenant context from Vaultbank (590000000 cent baseline) to Gridcore (470000000 cent baseline) — verify graph cache flush.
    5. Run lib/sustainability/ironbloomDashboardTelemetry.test.ts — kWh parse and cent output pass.

<a id="export-001"></a>

💰 Feature 8: Whole-Integer Financial Integrity Ledger Matrix

  • GRC Function ID: EXPORT-001
  • Exact Screen Coordinates: Placed inside the upper section of the Center Panel (48% Screen Width), positioned side-by-side as three distinct horizontal card components directly beneath your primary workspace tabs.
  • Operational Purpose: Displays critical financial metrics and houses tabular data extraction tools required to lock in corporate insurance premium discounts.
  • Technical Mechanics: Integrates with the Irontrust math engine (Agent 3), pulling whole numbers stored as raw cents from the data tier. Migration 20260515180000_ale_mitigated_value_bigint adds mitigated_value_cents BIGINT to ThreatEvent (production) and SimThreatEvent (shadow), backfilling from SustainabilityMetric and legacy JSON without precision loss.
  • Step-by-Step Lab Validation:
    1. Verify uniform alignment and identical border heights across the three metric containers.
    2. Click Export Tabular Ledger Data (CSV).
    3. Open the downloaded CSV — confirm all financial numbers display as raw whole integers with zero decimal places (e.g., 500000 cents for a five-thousand-dollar figure).
    4. Run Irontrust unit tests — confirm Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 cent baselines match snapshots.
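Added example (not Irontrust or Ironframe code) covering the whole-integer cents rule behind the Feature 1 baselines and this Feature 8 export: a cents guard that accepts BIGINT, JSON number and legacy digit-string inputs, the float drift the rule prevents, and BigInt-safe CSV and JSON serialization. Every function name here is an assumption; the baseline values are the ones listed under Feature 1.

```typescript
// Added example, not the project's own code. Function names are assumptions.

export const TENANT_ALE_BASELINE_CENTS: Record<string, bigint> = {
  Medshield: BigInt("1110000000"),
  Vaultbank: BigInt("590000000"),
  Gridcore: BigInt("470000000"),
  Defense: BigInt("1600000000"),
};

/**
 * Accept a cents value in the three shapes it can arrive in (BIGINT column read,
 * JSON number, legacy JSON digit string) and refuse anything that is not a
 * non-negative whole number of cents.
 */
export function toCentsBigInt(value: unknown): bigint {
  if (typeof value === "bigint") {
    if (value < BigInt(0)) throw new RangeError(`negative cents: ${value}`);
    return value;
  }
  if (typeof value === "number") {
    // 4.7e8 is fine (it is the integer 470000000); 12.5 or 2**53 + 1 is not.
    if (!Number.isSafeInteger(value) || value < 0) {
      throw new TypeError(`not a safe non-negative integer: ${value}`);
    }
    return BigInt(value);
  }
  if (typeof value === "string" && /^\d+$/.test(value)) return BigInt(value);
  throw new TypeError(`unparseable cents value: ${String(value)}`);
}

/** Gate a record of money fields before they reach synthesis: every field must be bigint. */
export function assertWholeIntegerCents<T extends Record<string, unknown>>(fields: T): T {
  for (const [key, value] of Object.entries(fields)) {
    if (typeof value !== "bigint") {
      throw new TypeError(`${key} must be whole-integer cents (bigint), got ${typeof value}`);
    }
  }
  return fields;
}

/**
 * The drift the whole-integer rule exists to prevent: 19.99 dollars in IEEE-754
 * binary floating point times 100 is 1998.9999999999998, so truncation loses a cent.
 * This is the wrong way; it is here only to show the failure.
 */
export function naiveDollarsToCents(dollars: number): number {
  return Math.trunc(dollars * 100);
}

/** Exact arithmetic: bigint addition never rounds. */
export function sumCents(values: Iterable<bigint>): bigint {
  let total = BigInt(0);
  for (const v of values) total += v;
  return total;
}

/** CSV rows carry raw whole integers with no decimal places. */
export function exportLedgerCsv(rows: Array<{ tenant: string; aleBaselineCents: bigint }>): string {
  const lines = ["tenant,ale_baseline_cents"];
  for (const row of rows) lines.push(`${row.tenant},${row.aleBaselineCents.toString()}`);
  return lines.join("\n");
}

/** JSON.stringify throws on bigint, so receipts carry cents and unit counters as digit strings. */
export function serializeReceipt(receipt: Record<string, unknown>): string {
  return JSON.stringify(receipt, (_key, value) =>
    typeof value === "bigint" ? value.toString() : value,
  );
}
```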

<a id="board-001"></a>

🏛️ Feature 9: IronBoard Executive Boardroom Plane

  • GRC Function ID: BOARD-001
  • Exact Screen Coordinates: Accessed via IronBoard dashboard at your provisioned workspace URL (center pane board chat) and POST /api/query API ingress on port 8082.
  • Operational Purpose: Provides C-suite persona routing (CEO, CFO, CISO, Sales Lead) with mandatory dynamic discovery before synthesis — no invented CRM metrics. Every boardroom turn now requires live Ironframe telemetry hydration before Gemini synthesis begins.
  • Technical Mechanics: Conversation plane header x-ironframe-conversation-plane: ironboard-boardroom gates boardroom-specific orchestration on IronBoard port 8082. POST /api/query execution order (2026-06-26 delta):
    1. Core telemetry bridge prefetch — fetchIronframeSharedContext({ incomingRequest, tenantId }) performs server-to-server GET {IRONFRAME_CORE_ORIGIN}/api/board/shared-context with forwarded ironframe-tenant cookie or injected tenant UUID/slug headers (x-ironboard-telemetry-bridge: 1). Timeout 12000 ms. On failure → HTTP 502 JSON { ok: false, error: "CORE_TELEMETRY_DISCONNECTED", detail } — no LLM stream starts.
    2. SSE tool receipt — coreTelemetryBridge complete with byte count logged before link scraper phase.
    3. Hardened governance layers — buildHardenedGovernanceLayers(liveSystemTelemetryJson) prepended to system instruction via buildBoardroomSystemInstruction. Layers include unidirectional diode, live metric hydration JSON block, de-classification matrix, Governance Frame triad scaffold, executive persona ratios, mandatory Sources & Citations, BOARD_DOCUMENTATION_AUTHORSHIP_MANDATE, and BOARD_GTM_MARKET_AUTHENTICITY_MANDATE (synthetic {Region} Ledger / {Region} Vault scaffolding must never be cited as live market research).
    4. Multi-region workspace prefetch — when shouldPrefetchProspects(query) matches (including new GTM_MARKET_SIGNAL regex for "target market", "go-to-market", "who are our potential customers"), inferRegionsFromQuery resolves countries; verifyAndOptimizeMarketData runs per region before flywheel context assembly.
    5. Founding agent LLM path — CEO/CFO/Compliance/Legal in founding.ts call generateBoardAgentAssessment from boardAgentLlm.ts with formatBoardStateSummary including financialProjectionsCents whole-integer cent string and constitutional baseline anchors; assertWholeIntegerCents gates every CFO and Compliance turn before synthesis begins.
    6. Panel routing — routeExecutivePanel attaches a BoardroomOrchestrationReceipt:
      • linkScraperComplete, linkScraperOk, linkScraperTraceId
      • videoTimelineInjected, telemetryVerified
      • blocksExtractedUnits (BigInt string)
      • crmTelemetryInteractionId
      • preRoutingValidation: PASSED | SKIPPED | FAILED
  • Agent Boundary: Ironlogic (Agent 9) synthesis; Irontally (Agent 5) governance memo cron phase; Ironwatch (Agent 13) receives shared-context telemetry; board personas are advisory only — Layer 1 diode forbids direct DB writes without human operator execution on port 3000.
  • Step-by-Step Lab Validation:
    1. Start both engines, Ironframe and IronBoard, at their provisioned workspace URLs.
    2. Submit boardroom query without Ironframe running — verify HTTP 502 and CORE_TELEMETRY_DISCONNECTED in response body.
    3. With both engines running, submit CRM intent query ("show deal pipeline") — verify SSE shows coreTelemetryBridge complete before synthesis tokens.
    4. Set target countries to Germany, Australia in flywheel input, ask "Are there companies in Germany that fit our ICP criteria?" — verify queryLocalWorkspace prefetch uses regions: ["Germany"] or multi-region args per query inference.
    5. Poll GET /api/board/shared-context — verify JSON includes documentationBrief with dual-plane matrix and Trainer/Writer placement targets.
    6. Inspect server logs for [LAYER 2: LIVE METRIC HYDRATION] block presence in system instruction assembly.
    7. Run Ironboard/src/services/coreTelemetryBridge.test.ts — all pass including cookie forwarding and fail-closed 401 handling.

<a id="board-002"></a>

🎬 Feature 10: Irongate Video Intelligence Ingress (Agent 14)

  • GRC Function ID: BOARD-002
  • Exact Screen Coordinates: No direct UI — API endpoint POST /api/ingress/video on IronBoard service (port 8082 default).
  • Operational Purpose: Sanitizes external video transcripts and asset links through the Level 2 DMZ air-gap before persisting markdown intelligence documents into ironboard_crm_interactions with metricTag=video_intelligence.
  • Technical Mechanics: Pipeline stages:
    1. processVideoIrongateIngress — Zod schema validation (irongateVideoEnvelopeSchema), injection vector stripping via stripIrongateInjectionVectors
    2. Quarantine path returns HTTP 422 with agent: 'Irongate-Agent-14'
    3. parseVideoIntelligencePayload — multimodal parse (transcript_direct, asset_link_gemini, or asset_link_skeleton)
    4. persistVideoIntelligenceDocument — CRM envelope with sanitizedBy: 'Irongate-Agent-14'
    5. linkScraper.ts STREAMING_MEDIA_URL_PATTERN now matches YouTube Shorts (youtube.com/shorts/) and uses [A-Za-z0-9_-]{11} video ID capture
    6. boardResponseLibrary.ts exports YOUTUBE_URL_SIGNAL, YOUTUBE_VIDEO_DENIAL_REWRITE, and expanded BANNED_CAPABILITY_DENIAL_PATTERNS — when a video-linked query triggers denial stripping and response length < 160 chars, finalizeSanitizedBoardCompletion(accumulatedText, sanitizeDenials, { query }) appends the canonical rewrite instructing the board to cite VIDEO INTELLIGENCE timeline blocks
    7. boardroomQueryIntent.ts shouldPrefetchWeb returns false when payloadSignalsVideoIntelligence(query) — video links skip live web grounding to preserve timeline injection path
  • Environment Variables (.env.example):
    • IRONBOARD_BOARD_ORG_TENANT_UUID — defaults to Medshield seed 5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01
    • IRONBOARD_GRC_ANALYST_VIDEO_URL — canonical YouTube URL for GRC Analyst day-in-the-life briefings
  • Agent Boundary: Irongate (Agent 14) exclusive perimeter — bypass forbidden per TAS DMZ mandate.
  • Step-by-Step Lab Validation:
    1. POST valid payload with tenant_id UUID and transcript array — expect HTTP 201 status: CLEAN with blockCount, durationMs, parserMode.
    2. POST payload with script injection in transcript text — verify stripping and CLEAN or QUARANTINED outcome.
    3. POST without asset_link or transcript — expect QUARANTINED 422.
    4. Run tests/unit/videoIngress.test.ts, tests/unit/videoBoardPrefetch.test.ts, and tests/unit/linkScraper.test.ts — all pass including Shorts URL extraction.
    5. Confirm CRM row metricTag equals video_intelligence.

<a id="board-003"></a>

📚 Feature 11: Strategic Intel Research Ingress

  • GRC Function ID: BOARD-003
  • Exact Screen Coordinates: IronBoard Strategic Intel dashboard view (populated from ironboard_crm_interactions research rows).
  • Operational Purpose: Ingests external GRC research artifacts (manifest-driven) into tenant-scoped CRM interactions for board briefings, with mandatory Agent 14 sanitization before persistence.
  • Technical Mechanics: Modules added in today's delta:
    • strategicIntelIngress.ts — DMZ persistence path
    • strategicIntelSanitizer.ts — stripIrongateInjectionVectors for research JSON
    • strategicIntelManifestLoader.ts — loads grcProfessionalResearch.manifest.json
    • strategicIntelResearchQuery.ts — query binding for board prefetch
    • docsMatrixIngress.ts — documentation matrix rows with docsMatchedUnits as BigInt
    • linkScraper.ts middleware — URL extraction with linksMatchedUnits and pipelineDurationMsUnits as BigInt
  • Manifest Entry Example: "Enterprise buyers require Irongate DMZ sanitization on all external research ingress. Strategic Intel updates must pass Agent 14 schema validation before CRM persistence."
  • Agent Boundary: Irongate (Agent 14) sanitization; Ironintel (Agent 16) OSINT cron phase consumes refreshed intel.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/strategicIntelIngress.test.ts — verify sanitization and tenant binding.
    2. Run tests/unit/docsMatrixIngress.test.ts — verify BigInt unit counters in pipeline statistics.
    3. Trigger link scraper with known Ironframe docs URL — verify blocksExtractedUnits increments as BigInt string in orchestration receipt.
    4. Confirm ironboard_crm_rls.sql script enforces tenant isolation on CRM interaction reads.

<a id="board-004"></a>

📖 Feature 12: GRC Analyst Day-in-the-Life Video Seed

  • GRC Function ID: BOARD-004
  • Exact Screen Coordinates: Board knowledge context — injected into IronBoard static knowledge vault.
  • Operational Purpose: Seeds the canonical "Cybersecurity Reality: A Day in the Life of a GRC Analyst" video briefing for executive education tracks.
  • Technical Mechanics: Ironboard/src/knowledge/grcAnalystDayVideoSeed.ts exports structured transcript cues compatible with TranscriptCueInput from videoIngress.ts. Board prefetch (videoBoardPrefetch.ts) can hydrate timeline blocks before panel routing.
  • Step-by-Step Lab Validation:
    1. Set IRONBOARD_GRC_ANALYST_VIDEO_URL in environment to a valid YouTube URL.
    2. Invoke boardroom query referencing GRC analyst video — verify timeline injection flag videoTimelineInjected: true on orchestration receipt.
    3. Verify markdown document output contains timecoded speaker blocks.

<a id="integrity-001"></a>

🛡️ Feature 13: Integrity Hub Resilience Fallback

  • GRC Function ID: INTEGRITY-001
  • Exact Screen Coordinates: /integrity route — Integrity Hub center canvas with ALE hero card and chaos ledger panel.
  • Operational Purpose: Provides workforce registry verification and chaos ledger forensics even when the expanded registry read path fails.
  • Technical Mechanics: app/(dashboard)/integrity/page.tsx wraps readIntegrityVaultSnapshotWithRegistry() in try/catch — on failure, falls back to readIntegrityVaultSnapshot() with ok: false and error: "Workforce registry unavailable" rather than throwing a blank 500 page.
  • Agent Boundary: Irontrust (Agent 3) ALE hero; Ironwatch (Agent 13) registry manifest; Irontech (Agent 04) repair priority when healthBarPercent < 50%.
  • Step-by-Step Lab Validation:
    1. Navigate to /integrity as authenticated operator — verify page renders even if registry endpoint degrades.
    2. Confirm ALE hero displays cents-derived values for active tenant baseline.
    3. Authenticated user visiting /login — verify middleware redirect to /integrity (Rule B).
    4. Unauthenticated user visiting /integrity — verify redirect to /login (Rule A).

<a id="constitution-001"></a>

📜 Feature 14: Constitutional Rebaseline Operator Script

  • GRC Function ID: CONSTITUTION-001
  • Exact Screen Coordinates: No UI — DBA/operator script execution against preview or production Postgres.
  • Operational Purpose: Clears stuck Ironlock latch fields on SystemConfig when TAS.md is valid but UI still shows CONSTITUTIONAL VOID.
  • Technical Mechanics: prisma/scripts/constitutional_rebaseline_reset.sql — safe to re-run; does not delete security_posture. Complements app/lib/constitutionalRebaseline.ts API route at /api/grc/constitutional-restoration (now traced in next.config.ts with docs/TAS.md and storage/constitutional/TAS.md.gold).
  • Agent Boundary: Ironlock (Agent 6) freeze latch; Ironlogic (Agent 9) constitutional parsing.
  • Step-by-Step Lab Validation:
    1. Induce constitutional void display in staging environment.
    2. Execute rebaseline SQL script against SystemConfig.
    3. Poll /api/grc/tas-integrity — verify constitutionalRebaselinePending clears and ironlockFreezeApplied reflects true state.
    4. Confirm ironlockFreezeApplied and chaosSimulationActive fields present in integrity payload.

<a id="nav-001"></a>

🧭 Feature 15: Unified Header Route Matrix

  • GRC Function ID: NAV-001
  • Exact Screen Coordinates: TopNav master header and HeaderTwo sub-navigation strip.
  • Operational Purpose: Eliminates divergent route-matching logic between HeaderOne and HeaderTwo — single buildHeaderRouteMatrix(pathname) pass per navigation event.
  • Technical Mechanics: app/utils/grcRouteMatch.ts exports:
    • HEADER_TENANT_SLUGS: medshield, vaultbank, gridcore, defense
    • HeaderRouteMatrix flags: isAuditTrailRoute, isEvidenceRoute, isFrameworksRoute, isIntegrityHubRoute, isBoardReportRoute, isOpSupportRoute, isPlaybookRoute, playbookEntity
    • isAuthPublicPath — classifies routes that must not mount workspace chrome
    • isPublicCloudIngressPath — narrow cloud funnel paths bypass production quarantine
    • isPrivateWorkspaceIngressPath — command-center surfaces blocked on cloud until full ingress
    • isPublicProspectOnboardingPath — includes /sales-agent-portal and /api/agents/sales
    • isScrollableStandalonePath — drives DashboardGroupShell overflow behavior; includes /docs, /settings/config
  • Step-by-Step Lab Validation:
    1. Navigate to /medshield/playbooks — verify playbookEntity equals MEDSHIELD and playbook tab highlights.
    2. Navigate to /reports/audit-trail — verify audit trail route flag true with standalone scroll.
    3. Run tests/unit/grcRouteMatch.test.ts — all matrix combinations pass.
    4. Confirm /login returns true for isAuthPublicPath — no TopNav tenant switcher on login page.

<a id="auth-004"></a>

🔒 Feature 16: Hardened Login & Password Recovery Surfaces

  • GRC Function ID: AUTH-004
  • Exact Screen Coordinates: /login, /forgot-password, /reset-password — full-page themed forms outside dashboard chrome.
  • Operational Purpose: Provides accessible authentication with project-ref-aware error messages and password visibility toggle, routing successful sign-in to host-aware landing via middleware Rule B.
  • Technical Mechanics:
    • Login normalizes email to lowercase before signInWithPassword
    • Invalid credentials message includes Supabase project ref from supabaseProjectRefFromUrl
    • ResetPasswordForm.tsx calls updateUserPasswordAction server action
    • requestResetPassword.ts uses resolvePasswordResetRedirectOrigin() from publicAppUrl.server.ts — tenant-subdomain-aware reset links; surfaces explicit 403 guidance when Supabase rejects redirect URL with message citing exact redirectTo for allowlist configuration
    • Middleware Rule A (2026-06-26 delta): unauthenticated internal routes redirect to /login?next={returnPath} via buildLoginRedirectUrl — preserves intended destination after sign-in; appends fresh=1 when return path is /get-started or nested get-started route
    • Middleware Rule B (2026-06-26 delta): authenticated users on /login or /forgot-password redirect to resolveAuthNextPathForHost(host, nextRaw) — honors next query param and tenant subdomain landing paths instead of hardcoded /integrity
    • Middleware finalize (2026-06-26 delta): every middleware response passes through finalizeMiddlewareResponse → applySubdomainTenancy — stamps host-bound tenant headers and cookies consistently including early-exit paths (missing Supabase env, token-gated API, public funnel passthrough)
  • Agent Boundary: Ironguard (Agent 12) session cookies merged on redirect via redirectWithSupabaseCookies in middleware.
  • Step-by-Step Lab Validation:
    1. Submit wrong password — verify error cites Supabase project ref and suggests forgot-password path.
    2. Toggle password visibility icon — verify Eye / EyeOff state changes input type.
    3. Successful login — verify middleware Rule B lands on intended next path or host-aware default (not deprecated hardcoded-only /integrity when next param present).
    4. Request password reset — verify email link targets tenant-subdomain-aware origin from resolvePasswordResetRedirectOrigin.
    5. Unauthenticated visit to /integrity — verify redirect to /login?next=/integrity preserving return path.
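Added example (not the project's middleware) of the two redirect rules above: Rule A builds the /login?next= URL with the fresh=1 marker for get-started paths, and Rule B resolves the next parameter back into a landing path. Assumptions: helper names, the apex default landing passed in by the caller (/integrity, the page's prior hardcoded default), and the same-origin check on next, which is a defensive addition this glossary does not describe but which any login-redirect handler needs so the next parameter cannot send a freshly signed-in user to another host.

```typescript
// Added example, not Ironframe code. Helper names and the origin check are assumptions.

export const AUTH_PUBLIC_PATHS: ReadonlySet<string> = new Set([
  "/login",
  "/forgot-password",
  "/reset-password",
]);

/** Rule A: send an unauthenticated visitor to /login while remembering where they were going. */
export function buildLoginRedirectUrl(returnPath: string): string {
  const params = new URLSearchParams({ next: returnPath }); // "/" is encoded as %2F
  if (returnPath === "/get-started" || returnPath.startsWith("/get-started/")) {
    params.set("fresh", "1");
  }
  return `/login?${params.toString()}`;
}

/** Parse a candidate path against a throwaway origin; null when it is not a plain same-origin path. */
function parseSameOriginPath(candidate: string): URL | null {
  // Only a single leading slash is a same-origin path. "//host", "/\host",
  // "https://host", control characters and backslashes are rejected outright.
  if (!/^\/(?![\/\\])/.test(candidate) || /[\u0000-\u001f\\]/.test(candidate)) return null;
  const base = "https://placeholder.invalid";
  let parsed: URL | null = null;
  try {
    parsed = new URL(candidate, base);
  } catch {
    return null;
  }
  // "/..//evil.example" normalizes to pathname "//evil.example", which a browser
  // would treat as protocol-relative, so the normalized path is checked too.
  if (parsed.origin !== base || parsed.pathname.startsWith("//")) return null;
  return parsed;
}

/**
 * Rule B: an authenticated user on an auth-public page lands on the requested next
 * path, or on the host's default landing when next is missing or unusable. Unusable
 * means anything that would leave the origin or bounce straight back into an auth page.
 */
export function resolveAuthNextPath(nextRaw: string | null, defaultLanding: string): string {
  if (!nextRaw) return defaultLanding;
  const parsed = parseSameOriginPath(nextRaw);
  if (parsed === null) return defaultLanding;
  if (AUTH_PUBLIC_PATHS.has(parsed.pathname)) return defaultLanding;
  return `${parsed.pathname}${parsed.search}`;
}

/** Convenience for the round trip: read next out of a Rule A URL and resolve it under Rule B. */
export function landingAfterLogin(loginUrl: string, defaultLanding: string): string {
  const nextRaw = new URL(loginUrl, "https://placeholder.invalid").searchParams.get("next");
  return resolveAuthNextPath(nextRaw, defaultLanding);
}
```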

<a id="ops-001"></a>

🛠️ Feature 17: Operator Identity Context Provider

  • GRC Function ID: OPS-001
  • Exact Screen Coordinates: React context consumed by TopNav, permissions hooks, and profile menu — no standalone panel.
  • Operational Purpose: Centralizes Supabase operator profile resolution so TopNav does not duplicate auth subscription logic.
  • Technical Mechanics: app/context/OperatorContext.tsx pairs with useOperatorIdentity hook. TopNav removed inline supabase.auth.getUser polling — now reads isGuest and loading state from hooks. OperatorContext supplies profile.email, profile.displayRole to TopNavUserProfileMenu.
  • Step-by-Step Lab Validation:
    1. Load dashboard — verify TopNav shows "Resolving operator…" then email address.
    2. Sign out via profile menu — verify redirect to /login and guest state on return.
    3. Confirm no duplicate auth listeners in TopNav (network tab — single session refresh path).

<a id="cron-001"></a>

🌙 Feature 18: 03:00 Documentation Engine (Cron Narrate)

  • GRC Function ID: CRON-001
  • Exact Screen Coordinates: No UI — scheduled Windows Task Scheduler or headless PowerShell invocation at 03:00 local.
  • Operational Purpose: Executes three Cursor CLI agent phases nightly: Writer (this glossary), Ironintel OSINT sweep, and Ironlogic/Irontally governance memo.
  • Technical Mechanics: .cursorrules compacted to 43-line auto-completion constraint sheet (legacy 204-line governance protocol retired from repo). Writer/Trainer mandates live in project rules, boardroomSystemPrompt.ts, and this glossary. scripts/cron_narrate.ps1 delta improvements:
    • Import-ProjectDotEnv loads .env.local and .env for CURSOR_API_KEY
    • Resolve-CursorAgentLauncher prefers direct node.exe + index.js over failing agent.ps1 shim
    • Invoke-CursorAgentCli passes --trust flag for headless execution
    • Auth preflight via agent status before diff extraction
    • Git delta: git diff $BaseCommit > daily_code_diff.txt (docs/ excluded)
  • Agent Boundary: Writer persona → Ironcore documentation; Intel phase → Ironintel (Agent 16) + Irongate (Agent 14) sanitization; Board phase → Ironlogic (Agent 9) + Irontally (Agent 5) with BigInt ALE evaluation (1110000000, 590000000, 470000000 cent baselines).
  • Step-by-Step Lab Validation:
    1. Set CURSOR_API_KEY in user environment or .env.local.
    2. Run scripts/cron_narrate.ps1 manually — verify log file records launcher mode (node vs shim).
    3. Confirm daily_code_diff.txt regenerated from last 24-hour commit window.
    4. Verify Writer phase updates docs/qa/complete-feature-glossary.md without placeholder tokens.
    5. Confirm exit code non-zero when API key missing — script refuses silent no-op.

<a id="layout-002"></a>

🏗️ Feature 19: Dashboard Command Center Layout Isolation

  • GRC Function ID: LAYOUT-002
  • Exact Screen Coordinates: Wraps every route under app/(dashboard)/ — invisible structural frame between dashboard layout and page content.
  • Operational Purpose: Keeps TopNav, airlock banner, and telemetry polling hooks out of the root layout so public marketing and auth surfaces never mount workspace chrome accidentally.
  • Technical Mechanics: app/(dashboard)/DashboardCommandCenterLayout.tsx renders a flex column with AppShell as the sole child. Root app/layout.tsx provides fonts, IronframeThemeProvider, and global CSS only. This satisfies TAS UI separation: presentation tokens are global; tenant-scoped navigation is dashboard-group only.
  • Agent Boundary: Ironcore (Agent 1) orchestration shell; no financial or ingestion side effects.
  • Step-by-Step Lab Validation:
    1. Open /login in a private window — verify no TopNav tenant switcher or tripane rails appear.
    2. Sign in and land on /integrity — verify TopNav mounts with subnav toolline.
    3. Inspect React component tree — confirm DashboardCommandCenterLayout wraps dashboard routes only.

<a id="auth-005"></a>

🍪 Feature 20: Dashboard Tenant Session Cookie Hydration

  • GRC Function ID: AUTH-005
  • Exact Screen Coordinates: Invisible server-side cookie write — no UI chip.
  • Operational Purpose: When RBAC resolves a workspace UUID but the browser lacks a scoped ironframe-tenant cookie, the server persists the assignment before dashboard chrome paints — preventing orphan sessions from guessing tenant scope.
  • Technical Mechanics: app/lib/auth/dashboardTenantSession.ts:
    • IRONFRAME_TENANT_COOKIE = ironframe-tenant
    • tenantCookieValueForUuid — resolves canonical slug via tenantKeyFromUuid or Prisma tenant.slug lookup
    • applyDashboardTenantSessionCookie — sets secure cookie in production (sameSite: lax, 180-day max-age)
    • ensureDashboardTenantSession in dashboardRoleAccess.ts — calls apply only when tenantFallbackApplied: true
    • resolveDashboardActiveTenantUuid — React cache() wrapper; cookie scope first, then RBAC assignment, Medshield UUID fallback
  • Agent Boundary: Ironguard (Agent 12) tenant isolation; never accepts guessed tenant IDs from client payloads.
  • Step-by-Step Lab Validation:
    1. Clear ironframe-tenant cookie after successful login.
    2. Navigate to /integrity — verify cookie re-written with slug or UUID matching RBAC assignment.
    3. Confirm access-status API returns tenant scope aligned with cookie value.

<a id="auth-006"></a>

⏳ Feature 21: Access Pending & Dashboard Error Boundary

  • GRC Function ID: AUTH-006
  • Exact Screen Coordinates: Full-page center canvas on /unauthorized and on dashboard route errors matching digest 1041080224.
  • Operational Purpose: Replaces blank Next.js error pages with actionable access-pending guidance when RBAC gaps cause server errors during dashboard mount.
  • Technical Mechanics: app/(dashboard)/error.tsx inspects error.digest and message text — when digest equals 1041080224 or message matches role-assignment patterns, renders AccessPending instead of generic failure UI. Non-RBAC errors show Retry, Command Post link to /, access-status, and sign-in links.
  • Agent Boundary: Ironguard (Agent 12) access enforcement UX.
  • Step-by-Step Lab Validation:
    1. Sign in with user lacking user_role_assignments — verify /unauthorized shows AccessPending copy.
    2. Simulate digest 1041080224 class error on dashboard route — verify same AccessPending surface.
    3. Trigger unrelated server error — verify generic dashboard unavailable panel with Retry button.

<a id="board-005"></a>

📜 Feature 22: Board Conversational Boundary & Canonical Response Registry

  • GRC Function ID: BOARD-005
  • Exact Screen Coordinates: IronBoard orchestration plane — no direct UI; governs POST /api/boardroom/query synthesis behavior.
  • Operational Purpose: Prevents LLM hallucination on CRM capability, video intelligence, and sales-lead discovery questions by routing matched queries to deterministic canonical text backed by tool receipts.
  • Technical Mechanics: Ironboard/src/orchestrator/routing.ts exports:
    • BOARD_CONVERSATIONAL_BOUNDARY / IRONBOARD_DOMAIN_BOUNDARY — zero cross-contamination with Ironframe port 3000
    • BOARD_CRM_TOOL_MANDATE — requires manageCrmPipeline tool execution before CRM claims
    • BOARD_VIDEO_INTELLIGENCE_MANDATE — forbids "cannot watch video" responses when [LINK SCRAPER] timeline tag present
    • BOARD_EXECUTION_LAYER_PERSONA — bans first-person AI disclaimer language
    • CANONICAL_SALES_LEADS_RESPONSE — registered answer for passive lead-generation queries via isSalesLeadDiscoveryQuery
    • buildCanonicalGrcVideoBriefingResponse — timecoded transcript from grcAnalystDayVideoSeed.ts
    • resolveCanonicalBoardResponse — deterministic bypass before LLM synthesis
    • boardroomQueryIntent.ts (2026-06-18): inferRegionsFromQuery returns country array from matchCountriesInQuery, query London/Singapore tokens, or parseActiveTargetCountries(activeHub); shouldPrefetchProspects matches Germany/Australia/Canada ICP questions; shouldPrefetchWeb skips when payloadSignalsVideoIntelligence(query)
  • Agent Boundary: Ironlogic (Agent 9) synthesis guardrails; Ironquery (Agent 15) discovery receipts required for non-canonical paths.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/boardroomOrchestrator.test.ts — verify sales-lead canonical match and video briefing builder.
    2. Submit boardroom query "Do you actively look for sales leads?" — verify canonical CRM engine response, not external crawl claim.
    3. Submit GRC analyst video reference — verify timecoded findings without AI limitation disclaimer.

<a id="board-006"></a>

✍️ Feature 23: Ironscribe Markdown Outline Parser (Agent 05)

  • GRC Function ID: BOARD-006
  • Exact Screen Coordinates: Backend-only — feeds docs matrix ingress and board knowledge vault parsing.
  • Operational Purpose: Strips YAML metadata headers and structures markdown outlines into board-safe knowledge blocks with immutable parse attribution.
  • Technical Mechanics: Ironboard/src/services/ironscribe/markdownOutlineParser.ts:
    • Parses markdown headings into outline nodes
    • Stamps parsedBy: 'Ironscribe-Agent-05' on output envelope
    • Consumed by docsMatrixIngress.ts alongside Irongate sanitization
  • Agent Boundary: Ironscribe (Agent 05) export hash and audit citation lineage.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/docsMatrixIngress.test.ts — verify outline blocks ingest with Ironscribe attribution.
    2. Ingest markdown document with YAML front matter — verify header stripped from persisted CRM envelope.

<a id="board-007"></a>

🤝 Feature 24: CRM Deal ownerAgentId Attribution

  • GRC Function ID: BOARD-007
  • Exact Screen Coordinates: IronBoard CRM pipeline — DealRecord rows in board tooling (no Ironframe dashboard chip).
  • Operational Purpose: Binds each deal stage vector to the responsible boardroom agent ID for workforce accountability in commercial orchestration.
  • Technical Mechanics: Ironboard/src/services/crm/crmService.ts delta adds optional ownerAgentId on deal create/update paths — trimmed string persisted on DealRecord. Enables board reports to cite which agent owns pipeline progression without cross-tenant agent memory bleed.
  • Agent Boundary: IronBoard commercial plane only — Ironframe 19-agent GRC workforce remains on port 3000.
  • Step-by-Step Lab Validation:
    1. Create deal via manageCrmPipeline with ownerAgentId set — verify persistence round-trip.
    2. Confirm tenant isolation — deal query scoped to board org tenant UUID from crmTenantContext.ts.

<a id="intel-001"></a>

🛰️ Feature 25: June 26 Live Strategic Intel OSINT Manifest

  • GRC Function ID: INTEL-001
  • Exact Screen Coordinates: IronBoard Strategic Intel dashboard — rows in ironboard_crm_interactions with manifest ironintel-osint-2026-06-26-live.
  • Operational Purpose: Delivers fresh external OSINT for June 26, 2026 through Irongate-sanitized CRM persistence for board briefings. Operational date 2026-06-27 elevates post-deadline BOD 26-04 triage as the dominant operational mode — eight or more KEV remediation windows have elapsed. Federal contractor 24-hour KEV triage SLA guidance effective June 24, 2026 (three calendar days into enforcement on operational date 2026-06-27). Primary active threat vectors ingested in today's delta refresh:
    • BerriAI LiteLLM CVE-2026-42271 (CVSS 8.8): MCP test endpoints command injection — CISA KEV June 8 with BOD 26-04 remediation deadline June 22, 2026; five calendar days elapsed on operational date 2026-06-27. CSA and Horizon3.ai confirm chain with Starlette BadHost CVE-2026-48710 for unauthenticated RCE on AI gateway stacks. Patch to LiteLLM 1.83.7+ and Starlette 1.0.1+; rotate all provider API keys.
    • Splunk CVE-2026-20253 (CVSS 9.8): Enterprise PostgreSQL sidecar missing authentication — CISA KEV June 18 with BOD 26-04 deadline June 21, 2026; day seven post-deadline forensic triage on 2026-06-27. Splunk PSIRT confirms limited in-the-wild exploitation. Finance, Technology, and Public Sector SOC stacks must treat as active breach until triage complete.
    • FortiBleed credential harvesting (June 13–26, 2026): 73932 to 86644 verified Fortinet firewall URLs across 194 countries per CISA June 18 advisory and CSA June 20 research note. Fortinet FG-IR-26-060 published June 22 characterizes activity as credential reuse plus brute force with no patchable flaw. Huntress cross-reference confirms 84 customer-impacted IPs — treat exposure as investigate-not-ignore. Immediate VPN and admin password rotation required.
    • CVE-2026-48907 (CVSS 9.8): Joomla JCE improper access — CISA KEV June 16 with remediation deadline June 18, 2026; nine calendar days elapsed on 2026-06-27.
    • CVE-2026-54420: LiteSpeed cPanel symlink root escalation — CISA KEV June 15 with deadline June 19, 2026; eight calendar days elapsed on 2026-06-27.
    • CVE-2026-35273 (CVSS 9.8): Oracle PeopleSoft Environment Management Hub missing authentication — KEV June 12 deadline elapsed; ShinyHunters UNC6240 notified 100 plus orgs (68 percent higher-education); Council of Europe investigating breach claims June 16.
    • CVE-2026-50751 (CVSS 9.3): Check Point Remote Access VPN IKEv1 authentication bypass — Qilin affiliates exploiting since May 7, 2026; HEAL Security confirms healthcare ransomware campaign linkage; KEV June 8 deadline elapsed.
    • CVE-2026-10520 (CVSS 10.0): Ivanti Sentry OS command injection — CISA KEV June 11; first BOD 26-04 three-day mandate window closed June 14, 2026.
    • Healthcare supply chain (June 2026): TriZetto Provider Solutions (3400000 individuals), QualDerm Partners (3100000), ApolloMD Business Services Qilin ransomware (626000).
    • CISA BOD 26-04 (June 10, 2026): four-variable risk matrix (asset exposure, KEV status, exploit automation, technical impact) operational; federal contractor 24-hour KEV triage SLA effective June 24, 2026; agency policy update deadline August 7, 2026; full operational compliance December 7, 2026.
    • FedRAMP Notice 0014 (June 2026): Vulnerability Detection and Response (VDR) and Vulnerability Evaluation and Reporting (VER) rules mandatory for FedRAMP-certified CSPs effective December 7, 2026 — aligned with BOD 26-04 KEV remediation timelines.
    • CMMC Phase 2: mandatory Level 2 C3PAO certification 136 days away (November 10, 2026); assessments locked to NIST SP 800-171 Revision 2 per DoD class deviation 2024-O0013; NDIA June 24 guidance warns six-to-eighteen-month preparation windows mean Phase 2 contractors may already be behind.
  • Technical Mechanics: Ironboard/src/knowledge/grcProfessionalResearch.manifest.json:
    • manifestId: ironintel-osint-2026-06-26-live
    • generatedAt: 2026-06-26T12:00:00.000Z
    • RAG chunks in delta: osint-01-bod-2604, osint-02-fortibleed, osint-03-joomla-litespeed, osint-04-splunk-rce, osint-05-peoplesoft-shinyhunters, osint-06-cmmc-rev2-phase2, osint-07-healthcare-supply-chain, osint-08-checkpoint-qilin, osint-09-ivanti-sentry, osint-10-litellm-post-deadline, osint-11-fedramp-vdr, plus saas-01-dmz-ingress
    • Ingestion script: npx tsx scripts/ingest-strategic-intel-manifest.ts
    • priorityAgents schema includes Ironwatch alongside Ironintel and Ironscribe
    • All industry peerAleBaselineCents and riskMetricsCents values are string-encoded BigInt integers — never floats
  • Industry Profile Peer ALE Baselines (BigInt cents only):
    • Finance: 1800000000 cents — regulatoryPressureIndex 96, saasDisruptionExposureIndex 83, continuousAuditPriority CRITICAL
    • Healthcare: 1210000000 cents — regulatoryPressureIndex 98, saasDisruptionExposureIndex 75, continuousAuditPriority CRITICAL
    • Technology: 950000000 cents — regulatoryPressureIndex 88, saasDisruptionExposureIndex 99, continuousAuditPriority CRITICAL
    • Defense: 2500000000 cents — regulatoryPressureIndex 99, saasDisruptionExposureIndex 64, continuousAuditPriority CRITICAL
    • Public Sector: 1500000000 cents — regulatoryPressureIndex 95, saasDisruptionExposureIndex 70, continuousAuditPriority CRITICAL
  • Manifest Risk Metrics (BigInt cents only — workday analysis document):
    • medianAnnualGrcProgramCents: 4200000000
    • medianAuditRemediationLagCents: 890000000
    • saasConsolidationSavingsOpportunityCents: 680000000
    • boardReportingOverheadCents: 125000000
  • SaaS disruption memorandum risk metrics (BigInt cents only):
    • medianAnnualGrcProgramCents: 3850000000
    • medianAuditRemediationLagCents: 935000000
    • saasConsolidationSavingsOpportunityCents: 1120000000
    • boardReportingOverheadCents: 98000000
  • Constitutional tenant ALE baselines (Ironframe seed tenants — unchanged): Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000 cents.
  • Agent Boundary: Ironintel (Agent 16) OSINT correlation; Ironwatch (Agent 13) FortiBleed perimeter credential telemetry, Splunk day-four forensic hunt, and KEV deadline tracking; Irongate (Agent 14) DMZ sanitization via validateStrategicIntelManifest before ingestGrcProfessionalResearchCorpus.
  • Step-by-Step Lab Validation:
    1. Run ingest script — verify manifest schema validation passes BIGINT-cent gate for ironintel-osint-2026-06-26-live.
    2. Re-run ingest — verify skippedDuplicate when manifest already persisted.
    3. Query Strategic Intel dashboard — confirm LiteLLM post-deadline, Splunk day-four triage, FortiBleed, Joomla, LiteSpeed, Check Point, Ivanti Sentry, PeopleSoft, BOD 26-04 contractor SLA, FedRAMP VDR, and CMMC Phase 2 countdown visible under tenant scope.
    4. Run tests/unit/strategicIntelIngress.test.ts — all pass.
    5. Verify boardroom flywheel context cites Market authenticity audit: line with authentic= / synthetic= / polluted= counts — never template Ledger/Vault names as real companies.

<a id="ops-002"></a>

🔧 Feature 26: Operator CLI Provisioning Scripts

  • GRC Function ID: OPS-002
  • Exact Screen Coordinates: Terminal-only — no UI.
  • Operational Purpose: Gives platform administrators safe, auditable CLI paths for password operations and strategic intel ingestion without bypassing Supabase Auth or Irongate DMZ.
  • Technical Mechanics:
    • scripts/admin-set-password.mjs — Supabase Admin API password set; requires SUPABASE_SERVICE_ROLE_KEY in .env.local; minimum 8 characters
    • scripts/send-password-reset.mjs — triggers reset email via public auth API with NEXT_PUBLIC_APP_URL redirect
    • scripts/ingest-strategic-intel-manifest.ts — Irongate pre-flight + CRM persistence for OSINT manifest
  • Agent Boundary: Ironguard (Agent 12) identity; Irongate (Agent 14) on intel ingress only.
  • Step-by-Step Lab Validation:
    1. Run admin-set-password with test user — verify login succeeds with new password.
    2. Run send-password-reset — verify email link targets your provisioned workspace URL.
    3. Never commit .env.local service role key to repository.

<a id="cron-002"></a>

⏰ Feature 27: Windows Task Scheduler Cron Wrapper

  • GRC Function ID: CRON-002
  • Exact Screen Coordinates: No UI — scripts/cron_narrate_scheduled.ps1 invoked by Task Scheduler at 03:00.
  • Operational Purpose: Normalizes PATH, working directory, and Cursor agent root before delegating to cron_narrate.ps1 for unattended nightly documentation and OSINT phases.
  • Technical Mechanics: Sets $ProjectRoot = C:\Users\Dereck\ironframe-live, prepends %LOCALAPPDATA%\cursor-agent to PATH, invokes cron_narrate.ps1 with -NoProfile -ExecutionPolicy Bypass, propagates exit code.
  • Step-by-Step Lab Validation:
    1. Register scheduled task pointing at cron_narrate_scheduled.ps1.
    2. Run wrapper manually — verify same log output as direct cron_narrate.ps1 invocation.
    3. Confirm task exit code non-zero when CURSOR_API_KEY missing.

<a id="supabase-001"></a>

🔗 Feature 28: Shared Supabase Public Env Normalization

  • GRC Function ID: SUPABASE-001
  • Exact Screen Coordinates: Invisible — shared by browser client, middleware, and login error surfaces.
  • Operational Purpose: Eliminates duplicated env parsing logic that caused mismatched Supabase project refs between client and middleware session refresh paths.
  • Technical Mechanics: lib/supabase/envPublic.ts exports:
    • envPublicSupabaseUrl() — trims quotes and trailing slashes from NEXT_PUBLIC_SUPABASE_URL
    • envSupabaseAnonKey() — normalizes anon key quoting
    • supabaseProjectRefFromUrl() — extracts project ref for login error diagnostics
    • Consumed by lib/supabase/client.ts, lib/supabase/middleware.ts, and app/login/page.tsx
  • Agent Boundary: Ironguard (Agent 12) session infrastructure.
  • Step-by-Step Lab Validation:
    1. Set quoted URL in .env.local — verify client and middleware both connect.
    2. Submit invalid login — verify error message includes correct project ref substring.
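
The normalization described above, as an added example that is not the project's lib/supabase/envPublic.ts: hypothetical normalizers for NEXT_PUBLIC_SUPABASE_URL and the anon key (assumed to live in NEXT_PUBLIC_SUPABASE_ANON_KEY), plus project-ref extraction and the client-versus-middleware diagnostic used on the login error surface. The env map is passed in rather than read from process.env so the code runs offline.

```typescript
// Added example, not the project's lib/supabase/envPublic.ts: hypothetical normalizers
// for NEXT_PUBLIC_SUPABASE_URL and the anon key (assumed to live in
// NEXT_PUBLIC_SUPABASE_ANON_KEY), plus project-ref extraction for login diagnostics.
// The env map is passed in rather than read from process.env so the code runs offline.

type PublicEnv = { [name: string]: string | undefined };

/** Strip surrounding whitespace and one layer of matching single or double quotes,
 *  which is how a value copied into .env.local with quotes usually arrives. */
function stripQuotes(raw: string): string {
  const trimmed = raw.trim();
  if (trimmed.length >= 2) {
    const first = trimmed.charAt(0);
    const last = trimmed.charAt(trimmed.length - 1);
    if ((first === '"' || first === "'") && first === last) {
      return trimmed.slice(1, -1).trim();
    }
  }
  return trimmed;
}

/** Normalized Supabase URL: quotes and every trailing slash removed.
 *  Returns null for a missing value or anything that is not an absolute http(s) URL,
 *  because a bare host would let client and middleware resolve different origins. */
function envPublicSupabaseUrl(env: PublicEnv): string | null {
  const raw = env["NEXT_PUBLIC_SUPABASE_URL"];
  if (!raw) return null;
  const value = stripQuotes(raw).replace(/\/+$/, "");
  return /^https?:\/\/[^/\s]+/i.test(value) ? value : null;
}

/** Anon key with quotes removed; only its presence is checked and it is never logged. */
function envSupabaseAnonKey(env: PublicEnv): string | null {
  const raw = env["NEXT_PUBLIC_SUPABASE_ANON_KEY"];
  if (!raw) return null;
  const value = stripQuotes(raw);
  return value.length > 0 ? value : null;
}

/** Hosted projects live at https://<ref>.supabase.co; the ref is that first label.
 *  Self-hosted or local URLs carry no ref, so null is returned instead of a guess. */
function supabaseProjectRefFromUrl(url: string | null): string | null {
  if (!url) return null;
  const hostMatch = /^https?:\/\/([^/:?#]+)/i.exec(url);
  if (!hostMatch) return null;
  const refMatch = /^([a-z0-9]+)\.supabase\.co$/.exec(hostMatch[1].toLowerCase());
  return refMatch ? refMatch[1] : null;
}

/** Diagnostic string for the login error surface: confirms the browser client and
 *  middleware resolve the same project, or names the mismatch. */
function projectRefDiagnostic(clientEnv: PublicEnv, middlewareEnv: PublicEnv): string {
  const clientRef = supabaseProjectRefFromUrl(envPublicSupabaseUrl(clientEnv));
  const middlewareRef = supabaseProjectRefFromUrl(envPublicSupabaseUrl(middlewareEnv));
  if (clientRef !== null && clientRef === middlewareRef) {
    return "project ref " + clientRef;
  }
  return "project ref mismatch (client=" + (clientRef || "none") +
    ", middleware=" + (middlewareRef || "none") + ")";
}

// Constructed sample values with a placeholder project ref (not a real project).
const QUOTED_ENV: PublicEnv = {
  NEXT_PUBLIC_SUPABASE_URL: '"https://abcdefghijkl.supabase.co/"',
  NEXT_PUBLIC_SUPABASE_ANON_KEY: "'placeholder-anon-key'",
};
const PLAIN_ENV: PublicEnv = {
  NEXT_PUBLIC_SUPABASE_URL: "https://abcdefghijkl.supabase.co",
  NEXT_PUBLIC_SUPABASE_ANON_KEY: "placeholder-anon-key",
};
const STALE_ENV: PublicEnv = {
  NEXT_PUBLIC_SUPABASE_URL: "https://zzzzzzzzzzzz.supabase.co",
};
```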

<a id="integrity-002"></a>

🛡️ Feature 29: Constitutional Integrity Sentinel Degraded Payload

  • GRC Function ID: INTEGRITY-002
  • Exact Screen Coordinates: Polled by TopNav airlock banner and Integrity Hub — API route /api/grc/tas-integrity.
  • Operational Purpose: Returns partial telemetry when ancillary subsystems fail instead of HTTP 500 — preserving Ironwatch and Ironlock polling during Prisma slice outages.
  • Technical Mechanics: Refactored app/api/grc/tas-integrity/route.ts:
    • buildIntegrityPayload consolidates fingerprint, dead-man switch, governance maturity, sustainability stale lockdown fields
    • readSystemConfigStaleLockdownSliceSafe replaces direct Prisma read for degraded-path safety
    • assessTasMdIntegritySync participates in TAS read validation
    • On ancillary failure, response includes ancillaryWarning string while core sha256Short, ironlockFreezeApplied, and chaosSimulationActive still return
    • next.config.ts adds outputFileTracingIncludes for docs/TAS.md and storage/constitutional/TAS.md.gold on constitutional API routes
  • Agent Boundary: Ironlock (Agent 6) freeze state; Ironwatch (Agent 13) maturity score; Ironlogic (Agent 9) TAS fingerprint.
  • Step-by-Step Lab Validation:
    1. Poll GET /api/grc/tas-integrity — verify JSON includes systemMaturityScore, chaosSimulationActive, sha256Short.
    2. Simulate SystemConfig read failure in staging — verify HTTP 200 with ancillaryWarning rather than 500.
    3. Confirm Vercel deployment traces TAS.md for fingerprint routes.

<a id="monetization-001"></a>

💳 Feature 30: Phase 1 Monetization Mandate (Sales-Assisted + Stripe)

  • GRC Function ID: MONETIZATION-001
  • Exact Screen Coordinates: IronBoard static context bundle; /pricing public page; /admin/onboarding platform console; Stripe webhooks at /api/webhooks/stripe (instant checkout) and /api/billing/webhook (payment_intent.succeeded billing activation).
  • Operational Purpose: Establishes Phase 1 revenue architecture: sales-assisted invite only for first design-partner revenue, with Stripe instant-checkout as the async self-serve provisioning tunnel. Public self-serve multi-subdomain provisioning is hardcoded OFF in config/registration.ts — not env-driven.
  • Technical Mechanics: Ironboard/src/staticContext.ts exports PHASE1_MONETIZATION_BOARD_MANDATE federated at board startup alongside TAS.md, technical-requirements.md, hub.md, and docs/stakeholder-deck/ironframe-monetization-market-blueprint-2026-q2.md. IronBoard buildDocsFederationMatrix loads the monetization blueprint as BOARD PRIORITY context. Revenue wire path:
    1. provisionCorporateTenantCore — creates tenant with ale_baseline BIGINT cents, calls ensureTenantBillingPending
    2. inviteCorporateTenantUserCore — Supabase Admin inviteUserByEmail with tenant-scoped metadata
    3. Stripe Checkout metadata requires slug, companyName, plus customer email from Stripe session
    4. fulfillStripeInstantCheckout in stripeInstantProvisionCore.ts — provisions tenant, upserts TenantBilling.status ACTIVE, invites GRC_MANAGER, records prospect in prospects ledger with reported_ale BIGINT
    5. config/stripe.ts: resolveStripeCredentialMode() reads STRIPE_CREDENTIAL_MODE (test | live) or infers from sk_live_ prefix; resolveStripeBillingWebhookSecret() and resolveStripeInstantCheckoutWebhookSecret() support split webhook secrets
  • Agent Boundary: Ironlogic (Agent 9) board monetization mandate; Ironguard (Agent 12) invite identity; Ironwatch (Agent 13) audit receipts on provision and invite actions.
  • Step-by-Step Lab Validation:
    1. Read PHASE1_MONETIZATION_BOARD_MANDATE in IronBoard startup logs — verify monetization blueprint loaded count is 4 federation files.
    2. Navigate to /pricing on local host — verify static Stripe Payment Link outbound URL from NEXT_PUBLIC_STRIPE_COMMAND_TIER_CHECKOUT_URL.
    3. Forward Stripe webhooks locally: stripe listen --forward-to your provisioned workspace URL for checkout.session.completed; separate listener or --events payment_intent.succeeded to /api/billing/webhook.
    4. Complete test checkout — verify tenant_billing.status becomes ACTIVE and invite email issued.
    5. Run tests/unit/phase1Commercial.test.ts and tests/unit/stripeCheckoutParse.test.ts — all pass.

<a id="billing-001"></a>

🚫 Feature 31: Dashboard Billing Suspension Gate

  • GRC Function ID: BILLING-001
  • Exact Screen Coordinates: Full-page overlay inside dashboard route group when billing status is PENDING or PAST_DUE — renders BillingSuspensionNotice instead of tripane workspace.
  • Operational Purpose: Blocks command-center telemetry access for tenants with unpaid or lapsed Stripe subscriptions while preserving platform-admin and billing-hold remediation paths.
  • Technical Mechanics: app/(dashboard)/layout.tsx resolves resolveTenantBillingEntitlementByUuid(access.tenantUuid) and wraps children in DashboardBillingGate. Gate is active when billing.blocked === true and operator is not canUsePlatformAdminTools(). Exempt paths: /admin/onboarding, /account/billing-hold. Prisma model TenantBilling maps tenant_slug, stripe_customer_id, status (PENDING, ACTIVE, PAST_DUE). isBillingGateActiveStatus returns true for PENDING and PAST_DUE only.
  • Agent Boundary: Irontrust (Agent 3) financial entitlement enforcement — no float billing amounts; Stripe amountTotalCents stored as BigInt at provision.
  • Step-by-Step Lab Validation:
    1. Set tenant billing status to PENDING via setTenantBillingStatus admin action.
    2. Sign in as GRC_MANAGER for that tenant — verify suspension notice renders instead of Integrity Hub.
    3. Sign in as GLOBAL_ADMIN — verify dashboard content renders (platform admin bypass).
    4. Navigate to /admin/onboarding while billing blocked — verify exempt path renders onboarding console.

<a id="subdomain-001"></a>

🌐 Feature 32: Multi-Tenant Subdomain Routing Envelope

  • GRC Function ID: SUBDOMAIN-001
  • Exact Screen Coordinates: Invisible middleware envelope — manifests as host-scoped workspace URLs such as your provisioned workspace URL.
  • Operational Purpose: Binds HTTP host to tenant workspace scope so operators land on tenant-branded subdomains after corporate invite or Stripe checkout without manually selecting tenant from switcher.
  • Technical Mechanics: app/lib/tenantSubdomain.ts and app/lib/middlewareSubdomainTenancy.ts:
    • IRONFRAME_SUBDOMAIN_TENANCY enabled by default — set 0 to disable
    • IRONFRAME_TENANT_APEX_DOMAIN defaults from NEXT_PUBLIC_APP_URL hostname (ironframegrc.com)
    • NEXT_PUBLIC_DEVELOPMENT_DOMAIN defaults to lvh.me:3000 for local wildcard tenant hosts
    • Reserved labels blocked: www, api, app, admin, staging, preview, docs, login
    • resolvePostAuthLandingPath(host) — authenticated /login redirect targets tenant Command Post on subdomain hosts, /integrity on apex
    • Auth callback route.ts resolves tenant slug from invite metadata, sets ironframe-tenant cookie, redirects to tenant subdomain origin
    • Internal slug resolution for dynamic tenants: GET /api/internal/tenant-slug-resolve gated by IRONFRAME_CRON_SECRET or IRONFRAME_INTERNAL_GATES_SECRET
    • Middleware slug-resolve recursion guard (2026-06-27 delta): applySubdomainTenancy sets request header x-ironframe-middleware-tenant-resolve: 1 when resolving dynamic host slugs — breaks middleware → slug-resolve → middleware infinite recursion on tenant subdomains
    • IRONFRAME_STAGING_APEX_DOMAIN: staging Vercel apex pattern for tenant slug extraction on preview hosts
  • Agent Boundary: Ironguard (Agent 12) host-bound tenant isolation; cross-tenant path prefix conflicts redirect to host slug canonical path.
  • Step-by-Step Lab Validation:
    1. Provision tenant acmecorp via admin onboarding — open your provisioned workspace URL.
    2. Complete invite auth callback — verify redirect lands on acmecorp.lvh.me workspace, not apex.
    3. Attempt your provisioned workspace URL — verify middleware strips conflicting path prefix.
    4. Add your provisioned workspace URL as a Supabase redirect URL per .env.example guidance.
    5. Run tests/unit/tenantSubdomain.test.ts and tests/unit/tenantSlugRegistry.test.ts — all pass.
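
The host-to-tenant binding and recursion guard described in the mechanics above, as an added example that is not the project's tenantSubdomain.ts or middlewareSubdomainTenancy.ts: a hypothetical resolver covering the reserved-label list, the apex, development and staging apex domains, the post-auth landing rule, and the x-ironframe-middleware-tenant-resolve guard. It assumes tenant slugs are a single lowercase label directly under a configured apex and that port suffixes are ignored.

```typescript
// Added example, not the project's tenantSubdomain.ts or middlewareSubdomainTenancy.ts:
// a hypothetical host-to-tenant resolver covering the reserved-label list, the apex,
// development and staging apex domains, the post-auth landing rule, and the slug-resolve
// recursion guard header. Assumed: slugs are one lowercase label deep and ports are ignored.

const RESERVED_LABELS = ["www", "api", "app", "admin", "staging", "preview", "docs", "login"];
const SLUG_PATTERN = /^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$/;
const RESOLVE_GUARD_HEADER = "x-ironframe-middleware-tenant-resolve";

interface TenancyConfig {
  enabled: boolean;            // IRONFRAME_SUBDOMAIN_TENANCY !== "0"
  apexDomain: string;          // IRONFRAME_TENANT_APEX_DOMAIN, e.g. ironframegrc.com
  developmentDomain: string;   // NEXT_PUBLIC_DEVELOPMENT_DOMAIN, e.g. lvh.me:3000
  stagingApexDomain?: string;  // IRONFRAME_STAGING_APEX_DOMAIN for preview hosts
}

type HostTenancy =
  | { kind: "apex" }
  | { kind: "tenant"; slug: string }
  | { kind: "reserved"; label: string }
  | { kind: "unknown" };

/** Lowercase the host and drop any :port suffix so lvh.me:3000 and lvh.me compare equal. */
function normalizeHost(host: string): string {
  return host.trim().toLowerCase().replace(/:\d+$/, "");
}

/** Classify the incoming Host header. Only a single label directly under a configured
 *  apex is a tenant; anything deeper or under a foreign domain is "unknown", so a
 *  spoofed Host header can never be mapped onto a workspace it does not belong to. */
function resolveHostTenancy(hostHeader: string, cfg: TenancyConfig): HostTenancy {
  if (!cfg.enabled) return { kind: "apex" };
  const host = normalizeHost(hostHeader);
  const apexes = [cfg.apexDomain, cfg.developmentDomain, cfg.stagingApexDomain || ""]
    .filter((d) => d.length > 0)
    .map(normalizeHost);
  for (const apex of apexes) {
    if (host === apex) return { kind: "apex" };
    const suffix = "." + apex;
    if (host.length > suffix.length && host.slice(-suffix.length) === suffix) {
      const label = host.slice(0, host.length - suffix.length);
      if (label.indexOf(".") !== -1) return { kind: "unknown" };
      if (RESERVED_LABELS.indexOf(label) !== -1) return { kind: "reserved", label };
      if (!SLUG_PATTERN.test(label)) return { kind: "unknown" };
      return { kind: "tenant", slug: label };
    }
  }
  return { kind: "unknown" };
}

/** Post-auth landing: tenant Command Post (/) on subdomain hosts, /integrity on apex. */
function resolvePostAuthLandingPath(hostHeader: string, cfg: TenancyConfig): string {
  return resolveHostTenancy(hostHeader, cfg).kind === "tenant" ? "/" : "/integrity";
}

type HeaderMap = { [name: string]: string };

/** Middleware may call the internal slug-resolve route only for tenant hosts and only
 *  when the request is not already the resolver's own outbound hop (guard header set);
 *  otherwise middleware -> slug-resolve -> middleware recurses without end. */
function shouldCallSlugResolve(headers: HeaderMap, tenancy: HostTenancy): boolean {
  if (tenancy.kind !== "tenant") return false;
  return headers[RESOLVE_GUARD_HEADER] !== "1";
}

/** Headers to attach to the slug-resolve hop so the next middleware pass recognizes it. */
function withResolveGuard(headers: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const name of Object.keys(headers)) out[name] = headers[name];
  out[RESOLVE_GUARD_HEADER] = "1";
  return out;
}

// Constructed configuration matching the defaults described above.
const LOCAL_TENANCY: TenancyConfig = {
  enabled: true,
  apexDomain: "ironframegrc.com",
  developmentDomain: "lvh.me:3000",
};
```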

<a id="registration-001"></a>

📝 Feature 33: Invite-Only Registration Gate

  • GRC Function ID: REGISTRATION-001
  • Exact Screen Coordinates: /register/contact (sales-assisted intake); /register/[token] (workspace invitation activation); /register/setup route deleted; /register/demo server-redirects to /register/contact?reason=sales_assisted_only.
  • Operational Purpose: Enforces Phase 1 sales-assisted onboarding — prospects cannot self-provision tenants via public registration API. Sales engineers use bearer-authenticated POST /api/register/sales-intake instead.
  • Technical Mechanics: config/registration.ts single source of truth:
    • IRONFRAME_PUBLIC_REGISTRATION_ENABLED = false (hardcoded — no env override)
    • shouldBlockProspectIngress blocks /register/demo, /api/register/public-intake, and /demo/* when BLOCK_DEMO_SANDBOX_WHEN_REGISTRATION_DISABLED is true — /register/setup page file removed (no longer a routable surface)
    • Public lead capture remains at POST /api/register/public-lead (middleware passthrough for guests)
    • Sales intake requires INTERNAL_SALES_PROVISION_KEY bearer token per salesIntakeAuth.ts
  • Agent Boundary: Ironguard (Agent 12) ingress policy; Ironwatch (Agent 13) prospect ledger audit on successful intake.
  • Step-by-Step Lab Validation:
    1. Navigate to /register/setup on local host — verify 404 (route deleted, not redirect).
    2. Navigate to /register/demo — verify redirect to /register/contact?reason=sales_assisted_only.
    3. POST to /api/register/public-intake — verify 404 JSON when registration disabled.
    4. POST to /api/register/sales-intake with valid bearer — verify tenant provision receipt.
    5. Run tests/unit/registrationGate.test.ts and tests/unit/registrationRoutes.test.ts — all pass.

<a id="legal-001"></a>

📜 Feature 34: User Legal Consent Registry

  • GRC Function ID: LEGAL-001
  • Exact Screen Coordinates: /terms and /privacy public document pages; /legal/accept authenticated acceptance route.
  • Operational Purpose: Records cryptographic proof that each Supabase user accepted the current MSA and privacy policy versions before accessing paid workspace features — SOC2-aligned consent trail.
  • Technical Mechanics: config/legal.ts immutable versions:
    • IRONFRAME_TERMS_VERSION: 2026-06-15-msa-v1
    • IRONFRAME_PRIVACY_VERSION: 2026-06-15-privacy-v1
    • Prisma UserLegalConsent model: userId, termsVersion, privacyVersion, acceptanceHash, acceptedAt
    • recordLegalConsent upserts row with buildLegalAcceptanceHash(userId, acceptedAtIso)
    • Middleware allows authenticated /legal/accept; unauthenticated users redirect to /login
  • Agent Boundary: Ironscribe (Agent 05) immutable acceptance hash lineage; Ironguard (Agent 12) session gate on legal accept route.
  • Step-by-Step Lab Validation:
    1. Open /terms and /privacy as guest on local host — verify legal document renders.
    2. Sign in without consent row — navigate to /legal/accept — submit acceptance.
    3. Query user_legal_consents — verify terms_version and privacy_version match config constants.
    4. Bump version in config/legal.ts — verify hasCurrentLegalConsent returns false for prior acceptances.

<a id="admin-001"></a>

🏢 Feature 35: Platform Administrator Onboarding Console

  • GRC Function ID: ADMIN-001
  • Exact Screen Coordinates: /admin/onboarding: AdminOnboardingDashboardHeader, AdminOnboardingDeployments, and #onboarding-controls CorporateOnboardingClient; provisioning controls separated from deployment inventory panel.
  • Operational Purpose: Gives GLOBAL_ADMIN operators a supervisor command plane for B2B tenant provisioning, deployment posture visibility, invitation token minting, and corporate operator invites. Billing activation owned by Stripe webhook — not inline client button.
  • Technical Mechanics: Middleware Rule A0 — assertGlobalAdminForOnboarding requires authenticated GLOBAL_ADMIN for /admin/onboarding before platform-admin gate probe via /api/internal/platform-admin-gate. Page server component calls canUsePlatformAdminTools() before render. Actions delegate to corporateTenantProvisionCore.ts. Billing gate exempt — onboarding console reachable even when tenant billing is PENDING.
  • Agent Boundary: Ironguard (Agent 12) GLOBAL_ADMIN RBAC; Ironwatch (Agent 13) provision and invite audit receipts.
  • Step-by-Step Lab Validation:
    1. Sign in as non-admin — attempt /admin/onboarding — verify redirect to /unauthorized.
    2. Sign in as GLOBAL_ADMIN — verify CorporateOnboardingClient renders provision form.
    3. Provision tenant with aleBaselineCents as whole integer string — verify tenants.ale_baseline BIGINT matches.
    4. Issue invite with tenantSlug and role CISO — verify user_role_assignments row created on accept.

<a id="demo-001"></a>

🧪 Feature 36: Demo Sandbox Command Post

  • GRC Function ID: DEMO-001
  • Exact Screen Coordinates: /demo/dashboard (rewritten from /dashboard when demo cookie active); demo host acorp-sandbox.lvh.me; amber DemoSandboxBanner pinned above AppShell when demo session active.
  • Operational Purpose: Provides a client-side sandbox command post with mock threat telemetry and constitutional ALE anchors for prospect education without touching production tenant data or production API telemetry paths.
  • Technical Mechanics: app/lib/demo/demoModeConstants.ts:
    • DEMO_WORKSPACE_SLUG: acorp-sandbox
    • DEMO_ACTIVE_COOKIE: ironframe-demo-active
    • DEMO_SESSION_COOKIE: ironframe-demo-session — cross-origin cookie on .lvh.me and .localtest.me
    • DEMO_ALE_BASELINE_CENTS: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 (BigInt literals)
    • getDemoCommandCenterScope() aggregates three seed baselines into demo enclave row (2170000000 cents total display string)
    • Middleware rewrites /dashboard → /demo/dashboard when demo cookie set on sandbox host or localhost apex
    • Demo API isolation (2026-06-16 delta): applyIronguardToFetch in apiClient.ts throws DEMO_API_BLOCK_MESSAGE when isDemoModeActive() and path is not a public constitutional sentinel route — logs DEMO_MODE_ISOLATED via isolationSentinelLog.ts
    • useKimbotPersistLoop.ts and useResilienceIntelPoll.ts return early when demo mode active — no Kimbot persist or resilience poll against production APIs
    • AppShell.tsx mounts DemoSandboxBanner and adjusts top padding when demo and simulation banners stack
  • Agent Boundary: Demo plane uses synthetic UUIDs — zero production RLS bleed; Ironguard (Agent 12) blocks cross-tenant fetch; demo isolation is client-side perimeter only — not a substitute for shadow-plane SimulationDiagnosticLog semantics.
  • Step-by-Step Lab Validation:
    1. Set ironframe-demo-active=1 cookie on localhost — navigate to /dashboard — verify rewrite to demo command post.
    2. With demo session active, trigger any /api/grc/* fetch — verify console shows [ DEMO MODE ] | Production telemetry isolated — API call blocked.
    3. Verify constitutional sentinel paths (/api/grc/tas-integrity, /api/grc/tas-fingerprint) still callable from marketing shell during demo.
    4. Run tests/unit/demoMode.test.ts — verify demo path classification and ALE cent constants.

<a id="nav-002"></a>

🏷️ Feature 37: Staged Navigation Surface Badges

  • GRC Function ID: NAV-002
  • Exact Screen Coordinates: TopNav navigation links for stub routes — badge chips STAGED DRAFT or PREVIEW.
  • Operational Purpose: Signals design-partner pilots which dashboard routes are immature stubs and blocks GRC_MANAGER role from navigating to unfinished surfaces.
  • Technical Mechanics: app/config/stagedNavSurfaces.ts: /vendors/supply-chain (STAGED DRAFT), /reports/dora-eu-resilience (PREVIEW); isStagedNavBlockedForRole gates GRC_MANAGER.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/stagedNavSurfaces.test.ts — all href normalizations pass.

<a id="brand-001"></a>

🎨 Feature 38: Tenant Brand Accent Resolution

  • GRC Function ID: BRAND-001
  • Exact Screen Coordinates: TopNav tenant label, login branded panel, subdomain workspace chrome.
  • Operational Purpose: Applies per-tenant visual identity without altering RLS scope. ale_baseline displayed as BigInt cents string through formatTenantBrand.
  • Step-by-Step Lab Validation:
    1. Run tests/tenantBrand.test.ts — verify accent resolution for seed tenants.

<a id="prospect-001"></a>

📇 Feature 39: Executive Prospect Ledger

  • GRC Function ID: PROSPECT-001
  • Exact Screen Coordinates: Backend prospects table — no default UI chip.
  • Operational Purpose: Persists vetted sales leads with reported_ale BIGINT NOT NULL for executive pipeline aggregation.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/publicLeadParse.test.ts — verify lead payload parsing.

<a id="auth-007"></a>

🔐 Feature 40: Scoped Dev Constitutional Elevation

  • GRC Function ID: AUTH-007
  • Operational Purpose: Restricts local constitutional authority to IRONFRAME_DEV_SUPABASE_USER_ID, IRONFRAME_DEV_SUPABASE_EMAIL, or explicit IRONFRAME_DEV_CONSTITUTIONAL_ELEVATION=1 — other dev users keep normal RBAC.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/devConstitutionalElevation.test.ts — scoped match order passes.

<a id="auth-008"></a>

🔑 Feature 41: Auth Redirect Origin Resolution

  • GRC Function ID: AUTH-008
  • Operational Purpose: Builds Supabase redirect URLs from active request host including tenant subdomains. Password reset uses dedicated resolvePasswordResetRedirectOrigin() — distinct from invite callback origin resolution — so reset emails land on the operator's current workspace host. Fail-closed 403 responses from Supabase include the exact callback URL string for Redirect URL allowlist remediation per .env.example glob guidance (http://*.lvh.me:3000/**).
  • Step-by-Step Lab Validation:
    1. Request password reset from tenant subdomain — verify redirect URL uses tenant host in email link.
    2. Trigger Supabase 403 on reset — verify error message cites full redirectTo path for allowlist entry.
    3. Run tests/unit/publicAppUrl.test.ts and tests/unit/supabaseRedirectAllowlist.test.ts — origin resolution paths pass.

<a id="board-008"></a>

📊 Feature 42: IronBoard Monetization Blueprint Federation

  • GRC Function ID: BOARD-008
  • Exact Screen Coordinates: No UI — injected into IronBoard static context bundle at engine startup.
  • Operational Purpose: Injects Q2 2026 market blueprint and authoritative Phase 1 monetization mandate into boardroom static context so executive personas cite sales-assisted invite + Stripe wire paths instead of inventing self-serve provisioning timelines.
  • Technical Mechanics: Ironboard/src/staticContext.ts exports PHASE1_MONETIZATION_BOARD_MANDATE (authoritative Q2 2026):
    • Model: SALES-ASSISTED INVITE ONLY for first revenue — not self-serve multi-subdomain provisioning
    • Wire: inviteCorporateTenantUserAction + admin tenant UI + Stripe webhook → TenantBilling.status ACTIVE
    • P0 blockers before charging: Stripe rails, /terms + /privacy, production quarantine narrowed for public routes, admin invite panel
    • P1 before broad sales: tier entitlements, Epic 12 WORM honesty, stub page badges, SOC2-aligned (never certified) language
    • Fastest revenue path: Command tier, one price, 2–3 design partners while Phase 2 entitlements harden
    • Full backlog document: docs/stakeholder-deck/ironframe-monetization-market-blueprint-2026-q2.md
  • Docs federation matrix: buildDocsFederationMatrix() in Ironboard/src/index.ts loads four markdown files at startup: TAS.md, technical-requirements.md, hub.md, and the monetization blueprint — logged as [IRONBOARD DOCS] Loaded N markdown file(s).
  • Agent Boundary: Ironlogic (Agent 9) and Irontally (Agent 5) board governance phases consume this mandate; no financial field mutation — Stripe amountTotalCents remains BigInt at fulfillment boundary.
  • Step-by-Step Lab Validation:
    1. Start IronBoard port 8082 — verify federation log shows monetization blueprint loaded (four files when all present).
    2. Ask boardroom "What is our Phase 1 monetization model?" — verify response cites sales-assisted invite, not self-serve checkout-only provisioning.
    3. Confirm PHASE1_MONETIZATION_BOARD_MANDATE appears in buildStaticContextBundle() output before Four Pillars blueprint block.

<a id="command-001"></a>

🏗️ Feature 43: Command Center Tenant Access Scope

  • GRC Function ID: COMMAND-001
  • Operational Purpose: RBAC-scoped tenant switcher — non-GLOBAL_ADMIN users see only assigned workspaces; subdomain hosts lock to single tenant.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/commandCenterTenantAccess.test.ts — all pass.

<a id="board-009"></a>

🎬 Feature 44: Board YouTube Shorts & Denial Rewrite Guard

  • GRC Function ID: BOARD-009
  • Operational Purpose: Strips LLM video capability denials (including Shorts-specific refusal patterns) and appends canonical YOUTUBE_VIDEO_DENIAL_REWRITE when payloadSignalsVideoIntelligence(query) detects a video-linked board request with stripped denial and response under 160 characters; skips web prefetch for video queries via shouldPrefetchWeb guard in boardroomQueryIntent.ts.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/boardResponseLibrary.test.ts and tests/unit/linkScraper.test.ts — all pass including Shorts URL youtube.com/shorts/{id} extraction.

<a id="integrity-003"></a>

🛡️ Feature 45: TAS Markdown Integrity Assessment

  • GRC Function ID: INTEGRITY-003
  • Operational Purpose: assessTasMdIntegritySync in tasMdIntegrity.ts validates TAS.md during buildIntegrityPayload without crashing route on partial failures.
  • Step-by-Step Lab Validation:
    1. Poll /api/grc/tas-integrity — verify sha256Short in JSON.

<a id="governance-001"></a>

📰 Feature 46: The Governance Frame Published Briefing Ledger

  • GRC Function ID: GOVERNANCE-001
  • Exact Screen Coordinates: Public reader at /governance-frame (index card grid) and /governance-frame/[slug] (article view). IronBoard mirror feed at your provisioned workspace URL when IronBoard engine is running locally.
  • Operational Purpose: Serves chronological institutional governance briefings compiled exclusively from docs/published-briefings/*.md. Draft files in docs/briefing-queue/ remain quarantined and never enter the published feed — mirroring Irongate DMZ publish-before-persist semantics for executive intelligence artifacts.
  • Technical Mechanics:
    • Next.js App Router: app/governance-frame/layout.tsx — standalone slate chrome, GovernanceFrameBrandLockup, metadata robots: { index: false, follow: false }
    • app/governance-frame/page.tsx — loadPublishedBriefings() index with cent-register badge from Section II impact metrics
    • app/governance-frame/[slug]/page.tsx — BriefingFrameContent + BriefingMarkdown with sanitized react-markdown compilation
    • app/lib/governanceFrame/briefingLoader.ts — enforceBriefingQuarantine() warns on non-allowlisted .md files in briefing-queue/ with [SECURITY AUDIT] Unauthorized compilation attempt blocked for unvetted draft: prefix
    • app/lib/governanceFrame/parseBriefingSections.ts — splits body into zones I (Exposure Vector), II (Calculated Quantitative Impact), III (Machine-Rule Technical Translation), IV (Verification Protocol)
    • app/lib/governanceFrame/parseCentBigInt.ts — rejects float and scientific notation cent literals; coerces whole integers to stringified BigInt
    • app/lib/governanceFrame/sanitizeMarkdown.ts — strips <script>, `` URIs, and data-blocked= attributes before render
    • IronBoard parallel router: Ironboard/src/governanceFrame/router.ts, briefingScanner.ts, renderBlog.ts — HTML blog renderer for direct IronBoard access
    • next.config.ts outputFileTracingIncludes ships ./docs/published-briefings/**/* on Vercel for /governance-frame lambdas
    • Published seed briefing: docs/published-briefings/2026-06-07-staging-boundary-check.md — provisioning tunnel test exposure 499900 cents, reported ALE delta 0 cents
    • ConditionalAppShell.tsx excludes governance-frame paths from dashboard AppShell mount — no TopNav bleed
  • Agent Boundary: Ironscribe (Agent 05) briefing structure and export lineage; Irongate (Agent 14) markdown sanitization before client render; Ironlogic (Agent 9) board federation reads monetization blueprint alongside TAS for strategic context.
  • Step-by-Step Lab Validation:
    1. Open your provisioned workspace URL — verify index lists published briefings chronologically with cent-register badges where Section II defines (¢) metrics.
    2. Open /governance-frame/2026-06-07-staging-boundary-check — verify four-section frame renders without dashboard chrome.
    3. Place secret-draft.md in docs/briefing-queue/ — reload index — verify draft does not appear; server log emits quarantine audit warning.
    4. Start IronBoard on port 8082 — verify startup log [GOVERNANCE FRAME] Briefing feed at your provisioned workspace URL · published=N where N equals count from scanPublishedBriefings(resolveDocsRoot()).
    5. Run tests/unit/governanceFrameBriefingScanner.test.ts, tests/unit/governanceFrameSanitize.test.ts, and tests/unit/governanceFrameEmail.test.ts — all pass.

<a id="governance-002"></a>

💰 Feature 47: Unified Financial Ingress Invariant Bridge

  • GRC Function ID: GOVERNANCE-002
  • Exact Screen Coordinates: No direct UI — validates cent registers at Governance Frame parse boundary, sales intake API, Stripe checkout fulfillment, and prospect ledger persistence.
  • Operational Purpose: Guarantees a single whole-integer BigInt cent contract across three ingress surfaces that accept human-readable dollar input at the UI layer but must never persist floats: Governance Frame briefing Section II registers, sales-assisted /api/register/sales-intake ALE fields, and Stripe amountTotalCents metadata.
  • Technical Mechanics: tests/unit/financialIngressInvariant.test.ts bridges:
    • parseCentBigInt — briefing ledger rejects "49.99" and "1110000000.5" with Governance Frame cent register must be a whole integer
    • parseDollarAleToBigIntCents — accepts "$11,100,000.00" and emits 1110000000 as bigint
    • parseExplicitCentAle — explicit cent string "1110000000" matches dollar-parse output
    • verifyCanonicalEnterpriseBaseline — Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 cent targets
    • Round-trip: sales intake BigInt output must pass Governance Frame parseCentBigInt without coercion loss
  • Agent Boundary: Irontrust (Agent 3) canonical baseline enforcement; Irongate (Agent 14) rejects malformed cent payloads at ingress.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/financialIngressInvariant.test.ts — all canonical profile dollar inputs resolve to TAS BigInt cents.
    2. POST sales intake with "$5,900,000.00" reported ALE — verify prospects.reported_ale BIGINT equals 590000000.
    3. Add briefing metric "1110000000.5" — verify parseCentBigInt throws before publish.
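The whole-integer cent contract described here (and the parseCentBigInt rule under Feature 46) as an added example. This is not the project's own code: the function names follow the page, but the bodies, the error class, the formatCentsUsd display helper and the rejection of negative values are assumptions; the three canonical cent targets are the values the page lists. Nothing below ever touches a JavaScript Number, so precision is preserved for any magnitude.

```typescript
export class CentRegisterError extends Error {}

// Briefing ledger side: accepts only a run of digits. "49.99",
// "1110000000.5" and "1.11e9" are all rejected, as is a negative value
// (assumption: an ALE register is never negative).
export function parseCentBigInt(raw: string): bigint {
  const trimmed = raw.trim();
  if (!/^\d+$/.test(trimmed)) {
    throw new CentRegisterError(
      `Governance Frame cent register must be a whole integer: ${JSON.stringify(raw)}`,
    );
  }
  return BigInt(trimmed);
}

// Sales-intake side: human-readable dollars ("$11,100,000.00") to cents.
// At most two decimal places and no rounding, so "$0.005" is rejected
// rather than silently coerced to 0 or 1 cents.
export function parseDollarAleToBigIntCents(raw: string): bigint {
  const cleaned = raw.trim().replace(/^\$/, '').replace(/,/g, '');
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(cleaned);
  if (!m) {
    throw new CentRegisterError(`Dollar ALE must be a plain decimal amount: ${JSON.stringify(raw)}`);
  }
  const whole = m[1];
  const frac = (m[2] ?? '').padEnd(2, '0');
  return BigInt(whole) * 100n + BigInt(frac);
}

// Explicit cent string path reuses the ledger parser so both surfaces agree.
export function parseExplicitCentAle(raw: string): bigint {
  return parseCentBigInt(raw);
}

// Display side (assumed helper): bigint cents to a formatted USD string.
// Integer division and modulo on bigint keep every digit.
export function formatCentsUsd(cents: bigint): string {
  const whole = (cents / 100n).toString().replace(/\B(?=(\d{3})+(?!\d))/g, ',');
  const frac = (cents % 100n).toString().padStart(2, '0');
  return `$${whole}.${frac}`;
}

// Canonical baseline cent targets as listed on the page.
export const CANONICAL_BASELINE_CENTS: Record<string, bigint> = {
  Medshield: 1110000000n,
  Vaultbank: 590000000n,
  Gridcore: 470000000n,
};

// Round trip: dollar input -> sales-intake bigint -> stringified ->
// Governance Frame parse, with no loss, and equal to the canonical target.
export function verifyCanonicalEnterpriseBaseline(name: string, dollarInput: string): boolean {
  const target = CANONICAL_BASELINE_CENTS[name];
  if (target === undefined) return false;
  const intake = parseDollarAleToBigIntCents(dollarInput);
  const roundTrip = parseCentBigInt(intake.toString());
  return intake === target && roundTrip === target;
}

// Convenience for tests: true when the parser throws CentRegisterError.
export function rejectsCentLiteral(raw: string): boolean {
  try {
    parseCentBigInt(raw);
    return false;
  } catch (e) {
    return e instanceof CentRegisterError;
  }
}
```

The one design choice worth noting is that the dollar parser refuses a third decimal digit instead of rounding: rounding at the ingress boundary is exactly where a float-style coercion loss would otherwise hide.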

<a id="governance-003"></a>

📧 Feature 48: Ironcast Governance Frame Email Newsletter

  • GRC Function ID: GOVERNANCE-003
  • Exact Screen Coordinates: Backend HTML artifact — out/governance-frame/newsletters/{slug}.html after compile; outbound email via Ironcast worker.
  • Operational Purpose: Converts published Governance Frame briefings into table-based HTML email newsletters with deep links to the public feed origin for executive distribution.
  • Technical Mechanics: lib/agents/ironcast/templates/governanceFrameEmail.ts:
    • GOVERNANCE_FRAME_FEED_ORIGIN from GOVERNANCE_FRAME_PUBLIC_FEED_ORIGIN env or default your provisioned workspace URL
    • Email HTML uses table layout, inline styles, no <button> elements — Outlook-compatible patterns per Resend email requirements
    • lib/agents/ironcast/workers/compileNewsletter.ts writes compiled HTML under out/governance-frame/newsletters/
    • Link pattern: {origin}/governance-frame/{slug}
  • Agent Boundary: Ironcast outbound communications; Ironscribe (Agent 05) content attribution from published briefing frontmatter.
  • Step-by-Step Lab Validation:
    1. Run newsletter compile worker against published briefing slug — verify HTML output contains feed deep link.
    2. Run tests/unit/governanceFrameEmail.test.ts — verify origin URL and slug encoding.

<a id="governance-004"></a>

📡 Feature 49: Governance Frame RSS Feed Compiler

  • GRC Function ID: GOVERNANCE-004
  • Exact Screen Coordinates: Generated RSS XML — item links target {RSS_ITEM_LINK_ORIGIN}/governance-frame/{slug}.
  • Operational Purpose: Publishes machine-readable RSS items for each published briefing so external subscribers and board ingestion pipelines can poll chronological updates without scraping the HTML index.
  • Technical Mechanics: scripts/compile-rss.ts reads published briefings and emits RSS XML with governance-frame deep links. Default link origin aligns with GOVERNANCE_FRAME_PUBLIC_FEED_ORIGIN. tests/unit/compileRss.test.ts validates encoded slug URLs in XML output.
  • Agent Boundary: Ironintel (Agent 16) external feed correlation; content sourced only from published ledger — never briefing-queue/.
  • Step-by-Step Lab Validation:
    1. Run npx tsx scripts/compile-rss.ts — verify RSS item link contains /governance-frame/ path segment.
    2. Run tests/unit/compileRss.test.ts — all pass.

<a id="demo-002"></a>

🔒 Feature 50: Demo Mode Production API Isolation Sentinel

  • GRC Function ID: DEMO-002
  • Exact Screen Coordinates: Invisible client-side fetch interceptor — manifests as thrown error in browser console when demo session calls protected /api/* routes.
  • Operational Purpose: Prevents demo sandbox operators from accidentally writing Kimbot state, resilience intel polls, or tenant-scoped GRC telemetry to production databases while exploring mock command post UI.
  • Technical Mechanics: app/utils/apiClient.ts applyIronguardToFetch:
    • When isDemoModeActive() returns true and pathname is not isPublicConstitutionalSentinelPath or tenant-optional registration path, throws DEMO_API_BLOCK_MESSAGE
    • logIsolationSentinelBlocked({ reasonCode: "DEMO_MODE_ISOLATED", ... }) writes structured isolation log entry
    • isolationSentinelLog.ts maps DEMO_MODE_ISOLATED to audit string BLOCKED: DEMO_SANDBOX_ISOLATED
    • Constitutional sentinel paths remain callable so marketing shell and Governance Frame reader can poll TAS integrity without dashboard session
  • Agent Boundary: Ironguard (Agent 12) client fetch perimeter; complements server-side RLS — does not replace tenant isolation tests.
  • Step-by-Step Lab Validation:
    1. Initialize demo sandbox via /register/demo (redirects to sales contact) or initializeDemoSandbox() on approved demo paths.
    2. Navigate to demo command post — open browser devtools network tab — trigger GRC API poll — verify fetch rejected before network dispatch.
    3. Poll /api/grc/tas-integrity from same session — verify request succeeds (constitutional sentinel exemption).
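The client-side fetch perimeter described here (and summarised under Feature 36) as an added example, not Ironframe's apiClient.ts. The block message and the DEMO_MODE_ISOLATED / BLOCKED: DEMO_SANDBOX_ISOLATED strings are the ones the page quotes; the sentinel path set, the /api/ prefix rule, the log entry shape and the constructed request paths in the harness are assumptions. The point it demonstrates is that a blocked call throws synchronously, before the wrapped fetch is ever invoked, so nothing reaches the network.

```typescript
// Quoted from the page's lab step; the rest of this file is an assumption.
export const DEMO_API_BLOCK_MESSAGE =
  '[ DEMO MODE ] | Production telemetry isolated — API call blocked';

// Constructed sentinel allowlist: public constitutional routes stay callable.
const PUBLIC_CONSTITUTIONAL_SENTINEL_PATHS: ReadonlySet<string> = new Set([
  '/api/grc/tas-integrity',
  '/api/grc/tas-fingerprint',
]);

export type IsolationLogEntry = {
  reasonCode: 'DEMO_MODE_ISOLATED';
  audit: string;
  path: string;
  at: string;
};

export function isPublicConstitutionalSentinelPath(pathname: string): boolean {
  return PUBLIC_CONSTITUTIONAL_SENTINEL_PATHS.has(pathname);
}

// Pure decision so it can be unit-tested without a browser: only /api/*
// paths are in scope, and sentinel paths are exempt.
export function shouldBlockDemoRequest(pathname: string, demoActive: boolean): boolean {
  if (!demoActive) return false;
  if (!pathname.startsWith('/api/')) return false;
  return !isPublicConstitutionalSentinelPath(pathname);
}

// Maps the reason code to the audit string the page names.
export function buildIsolationLogEntry(path: string, now: Date = new Date()): IsolationLogEntry {
  return {
    reasonCode: 'DEMO_MODE_ISOLATED',
    audit: 'BLOCKED: DEMO_SANDBOX_ISOLATED',
    path,
    at: now.toISOString(),
  };
}

// Minimal fetch shape so the example does not depend on DOM typings.
export type FetchLike = (input: string, init?: Record<string, unknown>) => Promise<unknown>;

// Wraps a fetch implementation. A blocked call logs and throws *before*
// baseFetch runs, which is the "rejected before network dispatch" behaviour
// the lab step checks for.
export function applyDemoIsolationToFetch(
  baseFetch: FetchLike,
  isDemoModeActive: () => boolean,
  sink: (entry: IsolationLogEntry) => void,
): FetchLike {
  return (input, init) => {
    const pathname = new URL(input, 'http://localhost').pathname;
    if (shouldBlockDemoRequest(pathname, isDemoModeActive())) {
      sink(buildIsolationLogEntry(pathname));
      throw new Error(DEMO_API_BLOCK_MESSAGE);
    }
    return baseFetch(input, init);
  };
}

// Constructed harness: a fake fetch that records dispatches instead of
// touching a server, driven with three constructed paths.
export function runIsolationScenario(): { dispatched: string[]; blocked: IsolationLogEntry[] } {
  const dispatched: string[] = [];
  const blocked: IsolationLogEntry[] = [];
  const fakeFetch: FetchLike = async (input) => {
    dispatched.push(input); // runs synchronously up to the first await
    return { ok: true };
  };
  const guarded = applyDemoIsolationToFetch(fakeFetch, () => true, (e) => blocked.push(e));
  const paths = ['/api/grc/resilience-intel', '/api/grc/tas-integrity', '/legal/terms'];
  for (const path of paths) {
    try {
      void guarded(path);
    } catch {
      // blocked before dispatch; the entry is already in `blocked`
    }
  }
  return { dispatched, blocked };
}
```

Because the decision is a pure function of (pathname, demoActive), the sentinel exemption can be tested in isolation; as the Agent Boundary line says, this is a client-side perimeter and server-side RLS remains the real isolation control.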

<a id="market-001"></a>

🌍 Feature 51: IronBoard Market Flywheel Multi-Country Target Cockpit

  • GRC Function ID: MARKET-001
  • Exact Screen Coordinates: IronBoard left rail #market-flywheel inside #left-panel — below board persona selector on your provisioned workspace URL.
  • Operational Purpose: Stages autonomous Fintech SaaS prospecting campaigns for early-stage companies (5–50 employees) across preset hubs (London, Singapore) and expansion countries (Germany, Australia, Ireland, Canada, United States, France, Netherlands, Switzerland, United Kingdom, New Zealand, India, Japan, UAE). Operators load qualified batches, generate BigInt-grounded outreach copy, and harvest interaction signals to adjust ICP scores.
  • Technical Mechanics:
    • React component: Ironboard/src/components/MarketFlywheel.tsx
    • Legacy inline dashboard: same controls mirrored in renderDashboard() HTML with #target-countries-input, #hub-london, #hub-singapore, #fetch-batch-btn
    • POST /api/prospects/trigger body accepts { targetCountries: string[] } (preferred), { regions: string[] }, or legacy { region: string }
    • GET /api/prospects?regions=Germany,Australia and GET /api/market/prospects accept comma/pipe-separated region filters
    • localStorage key ironboard_target_countries persists operator target list across sessions
    • getActiveHubPayload() encodes stream field: LONDON, SINGAPORE, or GERMANY,AUSTRALIA,... uppercase join
    • ICP visibility threshold: ACTIVE_PROSPECT_MIN_SCORE = 100 — sub-threshold rows stored as dealStage: REJECTED and excluded from cockpit list
    • Pitch generation calls generateGroundedPitch(domain) — outreach cites BigInt Integrity value proposition; when findLatestRegulatoryCatalystForDomain returns a catalyst, value proposition becomes {authority} catalyst · {matchedFramework} · BigInt Integrity and opening hook leads with compliance deadline from Industry Scout
    • Harvest buttons apply ±25 to aiFitnessScore and transition deal stage to QUALIFIED or REJECTED
    • GTM authenticity gate (2026-06-26 delta): verifyAndOptimizeMarketData runs per region before batch assembly; isSyntheticExpansionTemplateProspect detects {Region} Ledger (24 employees), {Region} Vault (18 employees), -ledger.io / -vault.finance domains — these are SYNTHETIC_SCAFFOLDING, never real market research
    • fetchProspectingBatchForTargets — expansion countries (non London/Singapore) no longer auto-seed template placeholders; only curated classroom seeds for London/Singapore; other regions rely on discoverRegionalProspects live web grounding
    • buildFlywheelWorkspaceContext labels each prospect with lineage: LIVE_WEB_GROUNDING, SYNTHETIC_SCAFFOLDING, or CURATED_DEMO_SEED
  • Agent Boundary: IronBoard commercial plane (port 8082) — Ironlogic (Agent 9) synthesis consumes buildFlywheelWorkspaceContext; Irongate (Agent 14) sanitizes web-grounded discovery JSON before Prisma upsert; Ironintel (Agent 16) regulatory catalyst lookup feeds grounded pitches; no cross-tenant prospect bleed — marketProspect domain key is global to board org database.
  • Step-by-Step Lab Validation:
    1. Open your provisioned workspace URL — locate Market Flywheel panel in left rail.
    2. Enter Germany, Australia, Ireland, Canada in target countries field — click Load Prospecting Batch.
    3. Verify status line shows loaded count — no {Country} Ledger or {Country} Vault synthetic rows for Germany (test: fetchProspectingBatchForTargets(['Germany']) must not return template names).
    4. Click London Hub shortcut — verify curated London seeds load with CURATED_DEMO_SEED lineage.
    5. Select a prospect with regulatory catalyst — verify pitch pane opens with authority/framework hook, not generic marketing copy.
    6. Click Harvest Signal (+) — verify aiFitnessScore increments by 25.
    7. Run Ironboard/src/services/marketIntelligence.test.ts — verify multi-region merge and authenticity mocks pass.

<a id="market-002"></a>

🗺️ Feature 52: Market Target Regions Normalization Module

  • GRC Function ID: MARKET-002
  • Exact Screen Coordinates: No UI — shared library consumed by flywheel UI, board router, query intent, and market intelligence services.
  • Operational Purpose: Provides canonical country name normalization, alias resolution, activeHub stream encoding/decoding, and query-time country matching so boardroom tool calls and prospect filters stay consistent across London/Singapore legacy keys and multi-country expansion campaigns.
  • Technical Mechanics: Ironboard/src/services/marketTargetRegions.ts:
    • PRIMARY_HUB_REGIONS: ['London', 'Singapore']
    • KNOWN_TARGET_COUNTRIES: fourteen expansion markets plus hub aliases
    • REGION_ALIASES: maps uk, united kingdom → London; sg → Singapore; usa, us → United States; etc.
    • normalizeTargetRegion(input) — title-case fallback for unknown tokens
    • parseTargetCountriesInput(raw) — splits on comma or pipe, deduplicates
    • parseActiveTargetCountries(activeHub) — decodes LONDON, SINGAPORE, or comma-separated uppercase lists
    • encodeActiveTargetCountries(countries) — reverse encoder for board stream payloads
    • matchCountriesInQuery(query) — substring match against known country list for intent routing
  • Agent Boundary: Ironquery (Agent 15) discovery routing via inferRegionsFromQuery; Ironlogic (Agent 9) board planDiscoveryExecution passes parsed regions to queryLocalWorkspace.
  • Step-by-Step Lab Validation:
    1. Run Ironboard/src/services/boardroomQueryIntent.test.ts — verify inferRegionsFromQuery('hello', 'GERMANY,AUSTRALIA') equals ['Germany', 'Australia'].
    2. Run same suite — verify inferRegionsFromQuery('prospects in Canada', 'LONDON') equals ['Canada'] (query mention wins over active hub).
    3. Verify shouldPrefetchProspects('Are there companies in Germany that fit our ICP criteria?') returns true.
    4. Confirm boardRouter.ts planDiscoveryExecution passes { regions: targetCountries } when multiple countries active.
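The normalization module above as an added example, with the two inferRegionsFromQuery cases from the lab steps reproduced. This is not Ironboard's marketTargetRegions.ts: the function names and the alias pairs follow the page, but the bodies, the word-boundary matching in matchCountriesInQuery, and the country list (the hubs plus the expansion countries named under Feature 51) are assumptions.

```typescript
export const PRIMARY_HUB_REGIONS: readonly string[] = ['London', 'Singapore'];

// Hubs plus the expansion countries listed under Feature 51 (assumed list).
export const KNOWN_TARGET_COUNTRIES: readonly string[] = [
  ...PRIMARY_HUB_REGIONS,
  'Germany', 'Australia', 'Ireland', 'Canada', 'United States', 'France', 'Netherlands',
  'Switzerland', 'United Kingdom', 'New Zealand', 'India', 'Japan', 'UAE',
];

// Alias pairs as the page states them (uk / united kingdom resolve to the
// London hub), plus two obvious extras marked as assumptions.
const REGION_ALIASES: Record<string, string> = {
  uk: 'London',
  'united kingdom': 'London',
  sg: 'Singapore',
  usa: 'United States',
  us: 'United States',
  uae: 'UAE', // assumption
  nz: 'New Zealand', // assumption
};

const KNOWN_BY_LOWER = new Map(KNOWN_TARGET_COUNTRIES.map((c) => [c.toLowerCase(), c]));

function titleCase(token: string): string {
  return token
    .split(' ')
    .filter(Boolean)
    .map((w) => w[0].toUpperCase() + w.slice(1))
    .join(' ');
}

function dedupe(list: string[]): string[] {
  return [...new Set(list)];
}

// Alias first, then a case-insensitive known-country match, then the
// title-case fallback the page describes for unknown tokens.
export function normalizeTargetRegion(input: string): string {
  const key = input.trim().toLowerCase().replace(/\s+/g, ' ');
  return REGION_ALIASES[key] ?? KNOWN_BY_LOWER.get(key) ?? titleCase(key);
}

// Operator text field: comma or pipe separated, trimmed, deduplicated.
export function parseTargetCountriesInput(raw: string): string[] {
  return dedupe(
    raw.split(/[,|]/).map((t) => t.trim()).filter(Boolean).map(normalizeTargetRegion),
  );
}

// Decodes LONDON, SINGAPORE, or GERMANY,AUSTRALIA,... stream payloads.
export function parseActiveTargetCountries(activeHub: string): string[] {
  return parseTargetCountriesInput(activeHub);
}

// Reverse encoder: ['Germany', 'Australia'] -> 'GERMANY,AUSTRALIA'.
export function encodeActiveTargetCountries(countries: string[]): string {
  return countries.map((c) => c.toUpperCase()).join(',');
}

// Whole-word, case-insensitive match against the known list. Country names
// contain only letters and spaces, so no regex escaping is needed.
export function matchCountriesInQuery(query: string): string[] {
  const found: string[] = [];
  for (const country of KNOWN_TARGET_COUNTRIES) {
    if (new RegExp(`\\b${country}\\b`, 'i').test(query)) {
      found.push(normalizeTargetRegion(country));
    }
  }
  return dedupe(found);
}

// A country mentioned in the query wins over the active hub; otherwise the
// hub payload is decoded. Both lab-step cases are covered by this rule.
export function inferRegionsFromQuery(query: string, activeHub: string): string[] {
  const mentioned = matchCountriesInQuery(query);
  return mentioned.length > 0 ? mentioned : parseActiveTargetCountries(activeHub);
}
```

Keeping every entry point on the same normalizeTargetRegion path is what makes the legacy LONDON / SINGAPORE keys and a multi-country payload round-trip through the same encoder without special cases.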

<a id="board-010"></a>

🌉 Feature 53: IronBoard Core Telemetry Bridge

  • GRC Function ID: BOARD-010
  • Exact Screen Coordinates: No UI — server-side bridge invoked at start of every POST /api/query on IronBoard port 8082.
  • Operational Purpose: Hydrates IronBoard boardroom synthesis with live Ironframe democratic shared context JSON so executive personas ground financial and sustainability assertions in tenant-scoped production cache — never stale static placeholders. Fails closed when Ironframe core is unreachable, preserving unidirectional advisory integrity.
  • Technical Mechanics: Ironboard/src/services/coreTelemetryBridge.ts:
    • IRONFRAME_SHARED_CONTEXT_PATH = /api/board/shared-context
    • resolveIronframeCoreOrigin() — reads IRONFRAME_CORE_ORIGIN or IRONFRAME_MARKETING_ORIGIN, defaults your provisioned workspace URL
    • resolveTelemetryTenantScope() — prefers ironframe-tenant cookie, then request body tenantId, then resolveBoardOrgTenantId()
    • buildTelemetryFetchHeaders() — forwards cookies, sets x-ironboard-telemetry-bridge: 1, injects x-ironframe-host-tenant-uuid or x-ironframe-host-tenant-slug
    • fetchIronframeSharedContext() — 12000 ms abort timeout; throws CoreTelemetryBridgeError with code CORE_TELEMETRY_DISCONNECTED
    • formatLiveSystemTelemetryBlock() — wraps JSON with delimiter [LIVE SYSTEM TELEMETRY - ARCHITECTURE ENFORCED]
    • Client SSE handler in index.ts surfaces 502 when bridge fails before stream opens
  • Financial boundary note: Shared context JSON contains raw cent integers internally; boardroom Layer 3 de-classification matrix forbids emitting those raw values in Governance Frame public copy — operators must cite financials.display.*Formatted strings from the hydrated block.
  • Agent Boundary: Ironwatch (Agent 13) telemetry source on Ironframe port 3000; Ironlogic (Agent 9) consumes hydrated JSON; Ironguard (Agent 12) tenant headers enforce isolation on bridge fetch.
  • Step-by-Step Lab Validation:
    1. Run Ironboard/src/services/coreTelemetryBridge.test.ts — all five cases pass.
    2. Stop Ironframe — POST boardroom query — verify HTTP 502 { error: "CORE_TELEMETRY_DISCONNECTED" }.
    3. Start Ironframe with valid tenant session — POST query — verify SSE event coreTelemetryBridge status complete with byte count.
    4. Set IRONFRAME_CORE_ORIGIN=your provisioned workspace URL when IronBoard runs in split-host dev layout.

<a id="governance-005"></a>

🛡️ Feature 54: Hardened Governance Layers & De-Classification Matrix

  • GRC Function ID: GOVERNANCE-005
  • Exact Screen Coordinates: No UI — injected into IronBoard system instruction when live telemetry JSON is present.
  • Operational Purpose: Enforces six-layer governance posture on every boardroom synthesis turn that receives live Ironframe telemetry: read-only diode, authoritative metric hydration, public briefing de-classification, mandatory Governance Frame triad structure, executive persona financial ratios, and Sources & Citations audit section for human promotion from docs/briefing-queue/ to docs/published-briefings/.
  • Technical Mechanics: Ironboard/src/services/boardroomSystemPrompt.ts buildHardenedGovernanceLayers(telemetryJsonString):
    • Layer 1 — Unidirectional diode: Board is READ-ONLY; zero write permissions to port 3000 databases; human operator holds execution keys.
    • Layer 2 — Live metric hydration: Injected JSON string is absolute source of truth from Ironframe production cache.
    • Layer 3 — De-classification matrix:
      • Currency: never output raw BigInt cent integers in public copy; cite financials.display.sovereignPool.*.baselineFormatted and currentExposureFormatted verbatim
      • Vulnerability hiding: no raw CVE identifiers or unpatched asset IDs in public briefings
      • Sustainability: cite financials.display.sustainability.powerUsageFormatted and fluidConsumptionFormatted exactly
    • Layer 4 — Governance Frame triad: EXPOSURE VECTOR, IMPACT, REMEDIATION headings from financials.display.governanceTriadScaffold
    • Layer 5 — Executive persona ratios: CFO/board-bot anchor on sanitized USD; board-trainer owns Level 1 user manuals and training tracks under docs/user-manuals/ and docs/training/; board-writer owns Level 2 technical corpus under docs/technical/ — both consume documentationBrief only
    • Layer 6 — Sources & Citations: mandatory ### V. Sources & Citations with locators including docs/README.md, docs/user-manuals/{file}.md, docs/technical/{file}.md, config/route-manifest.v0.1.0-ga-epic17.json
    • GTM Market Authenticity Mandate (2026-06-26 delta): BOARD_GTM_MARKET_AUTHENTICITY_MANDATE — synthetic {Region} Ledger/Vault rows and -ledger.io / -vault.finance domains are SYNTHETIC_SCAFFOLDING; board must label lineage (LIVE_WEB_GROUNDING, SYNTHETIC_SCAFFOLDING, CURATED_DEMO_SEED); when polluted=true, state live web discovery required — never invent company names from memory
    • Documentation Authorship Mandate: BOARD_DOCUMENTATION_AUTHORSHIP_MANDATE from dualLocationOutputMatrix.ts — Trainer/Writer placement targets enforced
  • Agent Boundary: Ironscribe (Agent 05) briefing structure; Irontrust (Agent 3) internal BigInt storage vs display separation; Irongate (Agent 14) public copy sanitization semantics.
  • Step-by-Step Lab Validation:
    1. Submit boardroom query with both engines running — inspect assembled system instruction for [LAYER 1: UNIDIRECTIONAL DIODE POSTURE] block.
    2. Ask board to draft Governance Frame briefing — verify response uses triad headings and ends with Sources & Citations section.
    3. Verify drafted briefing cites formatted USD strings — not raw 1110000000 cent literals.
    4. Confirm follow-on priority block: "Cite financials.display formatted strings verbatim — never recompute currency from raw cent integers."
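A pre-publish audit that mechanically checks drafted public copy against Layers 3, 4 and 6 above, as an added example. This is not IronBoard code; it is the kind of check a human would run before promoting a draft from docs/briefing-queue/ to docs/published-briefings/. The triad headings, the Sources & Citations heading and the raw cent values are taken from the page; the finding shape, the CVE pattern and both constructed drafts (including the obviously placeholder identifier CVE-2099-00001) are assumptions.

```typescript
export type DeclassificationFinding = { layer: 3 | 4 | 6; rule: string; evidence: string };

// Layer 4 headings and the Layer 6 section name, as the page states them.
const TRIAD_HEADINGS: readonly string[] = ['EXPOSURE VECTOR', 'IMPACT', 'REMEDIATION'];
const SOURCES_HEADING = '### V. Sources & Citations';

// Layer 3 vulnerability hiding: any CVE-style identifier is a finding.
const CVE_PATTERN = /\bCVE-\d{4}-\d{4,}\b/g;

// Scans copy for raw cent integers (bare digit runs equal to a known cent
// value), CVE identifiers, missing triad headings and a missing Sources
// section. Returns every finding rather than stopping at the first.
export function auditPublicCopy(copy: string, rawCentValues: readonly bigint[]): DeclassificationFinding[] {
  const findings: DeclassificationFinding[] = [];

  for (const cents of rawCentValues) {
    const bare = new RegExp(`(?<!\\d)${cents.toString()}(?!\\d)`);
    const hit = bare.exec(copy);
    if (hit) findings.push({ layer: 3, rule: 'raw cent integer in public copy', evidence: hit[0] });
  }

  CVE_PATTERN.lastIndex = 0;
  let m: RegExpExecArray | null;
  while ((m = CVE_PATTERN.exec(copy)) !== null) {
    findings.push({ layer: 3, rule: 'raw CVE identifier', evidence: m[0] });
  }

  for (const heading of TRIAD_HEADINGS) {
    if (!copy.includes(heading)) {
      findings.push({ layer: 4, rule: 'missing Governance Frame triad heading', evidence: heading });
    }
  }

  if (!copy.includes(SOURCES_HEADING)) {
    findings.push({ layer: 6, rule: 'missing Sources & Citations section', evidence: SOURCES_HEADING });
  }

  return findings;
}

// Constructed draft that violates Layer 3 twice and omits Layer 6.
// CVE-2099-00001 is a placeholder identifier, not a real CVE.
export const CONSTRUCTED_DRAFT = [
  '## EXPOSURE VECTOR',
  'Staging boundary tunnel test exposed a provisioning route; tracked as CVE-2099-00001.',
  '## IMPACT',
  'Medshield baseline stands at 1110000000 cents against the sovereign pool.',
  '## REMEDIATION',
  'Narrow production quarantine for public routes.',
].join('\n');

// Constructed copy that cites the formatted string and withholds the id.
export const CONSTRUCTED_CLEAN_COPY = [
  '## EXPOSURE VECTOR',
  'Staging boundary tunnel test exposed a provisioning route (identifier withheld pending patch).',
  '## IMPACT',
  'Medshield baseline stands at $11,100,000.00 against the sovereign pool.',
  '## REMEDIATION',
  'Narrow production quarantine for public routes.',
  '### V. Sources & Citations',
  'docs/README.md',
].join('\n');

// Runs both drafts against the three canonical cent values from the page.
export function runDeclassificationAudit(): { draft: DeclassificationFinding[]; clean: DeclassificationFinding[] } {
  const raw = [1110000000n, 590000000n, 470000000n];
  return {
    draft: auditPublicCopy(CONSTRUCTED_DRAFT, raw),
    clean: auditPublicCopy(CONSTRUCTED_CLEAN_COPY, raw),
  };
}
```

The raw-cent check needs the list of values that are actually in the hydrated telemetry block; a generic "long number" heuristic would also flag legitimate figures, so the audit is deliberately driven by the cent values the board was given.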

<a id="market-003"></a>

🔍 Feature 55: Regional Fintech Prospect Discovery Engine

  • GRC Function ID: MARKET-003
  • Exact Screen Coordinates: No UI — backend invoked when target country is not London or Singapore preset hub during batch load.
  • Operational Purpose: Discovers real early-stage Fintech SaaS companies in board-selected expansion countries using Gemini with Google Search grounding, scores them through the ICP tier engine, and upserts into marketProspect when fewer than 3 rows exist for that region.
  • Technical Mechanics: Ironboard/src/services/marketIntelligence.ts:
    • discoverRegionalProspects(region) — Gemini with Google Search grounding; skips when listProspects(normalized, false).length >= 3
    • resolveFlywheelTargetRegions(activeHub) — hub input parser with platform default campaign fallback
    • verifyAndOptimizeMarketData(region, { operatorTriggered }) — purges synthetic scaffolding, triggers live discovery when authentic count below threshold; invoked in buildFlywheelWorkspaceContext and fetchProspectingBatchForTargets before batch assembly via withGeminiRateLimitRetry on outreach calls
    • assessRegionProspectAuthenticity / formatProspectLineage — authenticity audit summary in flywheel context
    • fetchProspectingBatchForTargets(targets) — London/Singapore use preset seed batches only when qualified authentic rows absent; expansion countries never auto-seed {Region} Ledger/Vault templates
    • calculateTierScore — region presence +50, SOC2/ISO27001 +50, SEED/SERIES_A +100, compliance hire +75
    • regulatoryCatalystLookup.ts: findLatestRegulatoryCatalystForDomain feeds the Industry Scout catalyst block into generateGroundedPitch
  • Agent Boundary: Irongate (Agent 14) treats discovered domains as external intel; Ironintel (Agent 16) OSINT manifest and catalyst lookup inform discovery prompt criteria and pitch hooks.
  • Step-by-Step Lab Validation:
    1. Set GOOGLE_API_KEY in Ironboard/.env.local.
    2. POST { "targetCountries": ["Germany"] } to /api/prospects/trigger — verify no synthetic Ledger/Vault rows; live discovery or zero-count honesty.
    3. Run tests/unit/marketProspectAuthenticity.test.ts and tests/unit/discoverRegionalProspects.test.ts — all pass.
    4. Run marketIntelligence.test.ts — verify fetchProspectingBatchForTargets(['Germany']) does not auto-seed expansion templates.
    5. Confirm sub-threshold accounts (tierScore < 100) persist as dealStage: REJECTED.

<a id="board-011"></a>

🔧 Feature 56: Multi-Region Workspace Query Tool Extension

  • GRC Function ID: BOARD-011
  • Exact Screen Coordinates: IronBoard tool plane — queryLocalWorkspace function declaration surfaced in board SSE tool receipts.
  • Operational Purpose: Allows boardroom discovery to filter active prospects by single country or multi-country arrays when operators stage cross-border GTM campaigns — replacing London/Singapore-only hub filter from prior builds.
  • Technical Mechanics: Ironboard/src/services/queryLocalWorkspace.ts:
    • QUERY_LOCAL_WORKSPACE_DECLARATION adds regions ARRAY parameter alongside legacy region STRING
    • executeQueryLocalWorkspace case active_prospects: prefers regions array when present, else single region
    • boardRouter.ts planDiscoveryExecution passes { regions: targetCountries } when parseActiveTargetCountries(ctx.activeHub) returns multiple countries
    • prefetchBoardroomGroundTruth in index.ts mirrors same region/regions args for SSE prefetch receipts
  • Agent Boundary: Ironquery (Agent 15) tool execution receipts; data sourced from board org Prisma marketProspect table.
  • Step-by-Step Lab Validation:
    1. Ask board "List our London prospects" — verify prefetch SSE shows region: "London".
    2. Set active hub to GERMANY,AUSTRALIA — ask flywheel question — verify prefetch shows combined region label or regions array in tool args.
    3. Run boardroom query with workspace-only intent — verify shouldPrefetchWeb returns false (no redundant web grounding).

<a id="docs-001"></a>

📚 Feature 57: Dual-Location Documentation Corpus Planes

  • GRC Function ID: DOCS-001
  • Exact Screen Coordinates: No single UI — governs /docs (APP_DOCS plane) vs /governance-frame (GOVERNANCE_BRIEFINGS plane).
  • Operational Purpose: Enforces authoritative separation between internal product documentation corpus and external GTM governance briefings — never cross-compile APP_DOCS with GOVERNANCE_BRIEFINGS.
  • Technical Mechanics: lib/documentationCorpusPlanes.ts:
    • DOCUMENTATION_PLANE_APP_DOCS → user-manuals/, technical/, training/ repository prefixes; reader at /docs
    • DOCUMENTATION_PLANE_GOVERNANCE_BRIEFINGS → briefing-queue/, published-briefings/; reader at /governance-frame/[slug]
    • DUAL_LOCATION_OUTPUT_MATRIX — operational rules, author agents, trigger paths per plane
    • APP_DOCS_EXECUTE_ENDPOINT = POST /api/documentation/execute
    • board-trainer and board-writer must never write to GOVERNANCE_BRIEFINGS plane
  • Agent Boundary: Ironscribe (Agent 05) structure; Irongate (Agent 14) plane isolation; Ironlogic (Agent 9) board federation.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/documentationCorpusPlanes.test.ts — verify matrix entries and prefix guards.
    2. Confirm Trainer placement targets exclude published-briefings/.
    3. Confirm Writer placement targets exclude briefing-queue/ promotion without human operator.

<a id="docs-002"></a>

📖 Feature 58: App Document Store DB Reader

  • GRC Function ID: DOCS-002
  • Exact Screen Coordinates: /docs index and /docs/[slug] article view — DocsChrome, DocsSidebar, DocsMarkdown.
  • Operational Purpose: Serves Level 1 and Level 2 documentation from PostgreSQL app_documents table with readingLevel indexing — decoupled from static filesystem-only serving.
  • Technical Mechanics:
    • Prisma AppDocument model: slug, title, content, readingLevel, updatedAt
    • app/lib/server/appDocumentStore.ts: upsertAppDocument, slug lookup
    • app/docs/[[...slug]]/page.tsx — loads from DB; CompilationIngressPortal when slug unresolved
    • lib/appDocumentSlug.ts, lib/appDocumentSanitizer.ts — slug normalization and XSS strip
    • Migration 20260618120000_init_app_documents
    • scripts/seed-app-documents.ts and prisma/seed-docs.ts seed corpus
  • Agent Boundary: Customer service agent grounds on readingLevel: "LEVEL_1" rows only; Ironguard (Agent 12) tenant perimeter on authenticated doc admin paths.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/appDocumentSlug.test.ts and tests/unit/docsContentDecoupling.test.ts.
    2. Open /docs on cloud host without full ingress — verify narrow funnel allows 200.
    3. Query app_documents — confirm readingLevel values LEVEL_1 and LEVEL_2.

<a id="docs-003"></a>

⚙️ Feature 59: Documentation Execute Pipeline

  • GRC Function ID: DOCS-003
  • Exact Screen Coordinates: No UI — POST /api/documentation/execute on Ironframe port 3000; IronBoard POST /api/documentation/execute ingress on port 8082.
  • Operational Purpose: Synchronizes Trainer/Writer agent output into app_documents with optional filesystem mirror under docs/ — bearer-gated internal gateway auth.
  • Technical Mechanics:
    • Ironframe app/api/documentation/execute/route.ts — Zod schema (slug, title, content, readingLevel); checkInternalGatewayBearerAuth
    • mirrorAppDocumentToFilesystem — dual-location git-tracked mirror for APP_DOCS plane
    • IronBoard documentationPipeline.ts, trainingCorpusPublisher.ts, trainingChapterGenerator.ts
    • Ironboard/src/agents/knowledge.ts expanded — buildTrainerDashboardGuideDraft, buildTrainerGlossaryDraft, buildWriterArchitectureDraft, buildWriterSecurityComplianceDraft, mergeCorpusWithDraft, buildTelemetryMirrorSection, buildFullAccessIngressSection
    • Ironboard/src/config/documentationRouting.ts: TRAINER_CANONICAL_SLUGS, WRITER_CANONICAL_SLUGS
    • Workflow: GET /api/board/shared-context (documentationBrief) → Trainer/Writer placement drafts → publishTrainerCorpus / publishWriterCorpus → POST /api/documentation/execute
  • Agent Boundary: board-trainer (Level 1 + training tracks); board-writer (Level 2 technical); temperature 0.0 on all automated nodes.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/documentationBrief.test.ts and tests/unit/trainingCorpusPlacement.test.ts.
    2. POST valid payload with internal gateway Bearer — verify { ok: true, status: "synchronized" }.
    3. POST without Bearer — verify 401 from internalGatewayUnauthorizedResponse.
    4. Run Ironboard/tests/trainingCorpus.test.ts — training corpus publisher paths pass.

<a id="docs-004"></a>

📡 Feature 60: Documentation Brief One-Way Ingress

  • GRC Function ID: DOCS-004
  • Exact Screen Coordinates: No UI — embedded in GET /api/board/shared-context JSON payload as documentationBrief.
  • Operational Purpose: Hands IronBoard Trainer and Writer personas a serialized brief with corpus planes, dual-location matrix, placement targets, and live telemetry mirror — ONE_WAY_IRONFRAME_TO_BOARD with zero write-back.
  • Technical Mechanics: app/lib/board/documentationBrief.ts buildIronframeDocumentationBrief(contextCore):
    • corpusPlanes.appDocs and corpusPlanes.governanceBriefings with author agent lists
    • platformFacts.baselineTenantsCents — Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 as strings
    • fullAccess bundle from documentationCorpusIngress.ts
    • Ironboard/src/agents/knowledge.ts expanded — Trainer/Writer consume brief; forbid authoring without it
  • Agent Boundary: Ironwatch (Agent 13) telemetry mirror; Ironlogic (Agent 9) board synthesis guardrails.
  • Step-by-Step Lab Validation:
    1. Poll shared-context with valid tenant session — verify documentationBrief.communicationDirection equals ONE_WAY_IRONFRAME_TO_BOARD.
    2. Start IronBoard query without brief in context — verify knowledge agent refuses doc authoring per mandate.
    3. Run tests/unit/documentationBrief.test.ts — all pass.

<a id="sales-001"></a>

💼 Feature 61: Public Sales Agent Portal

  • GRC Function ID: SALES-001
  • Exact Screen Coordinates: /sales-agent-portal; MarketingSalesPortalTrigger on the marketing homepage opens SalesAgentSlideOver.
  • Operational Purpose: Provides unauthenticated prospect-facing lead intake isolated to the prospect pool tenant — no customer environment bleed and no public LLM pitch rendering.
  • Technical Mechanics:
    • app/api/agents/sales/route.ts — public POST; returns { status: "QUEUED", interactionId, message } immediately after CRM logging
    • app/lib/server/salesAgentConsoleCore.ts — Gemini synthesis at temperature 0.0 runs server-side only; output stored as [PENDING SALES DRAFT APPROVAL] in CRM
    • Prospect pool tenant UUID from IRONFRAME_PROSPECT_POOL_TENANT_UUID or Medshield fallback; CRM contact upsert uses fullName field
    • isPublicProspectOnboardingPath includes /sales-agent-portal and /api/agents/sales for quarantine funnel bypass
    • scripts/smoke-test-sales.mjs — sales agent smoke validation
  • Agent Boundary: Ironguard (Agent 12) prospect pool isolation; Ironlogic (Agent 9) synthesis; zero authenticated tenant context required; human operator dispatch via HITL-001.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/agentPerimeter.test.ts — verify prospect pool tenant binding and QUEUED response (no pitch field).
    2. Open /sales-agent-portal on cloud preview without full ingress — verify 200 (narrow funnel).
    3. POST to /api/agents/sales — verify CRM interaction summary contains [PENDING SALES DRAFT APPROVAL].
    4. Run scripts/smoke-test-sales.mjs — smoke pass.

<a id="support-001"></a>

🎧 Feature 62: Customer Service Console API

  • GRC Function ID: SUPPORT-001
  • Exact Screen Coordinates: /dashboard/support tripane chat UI (SUPPORT-003) and authenticated API POST /api/agents/customer-service.
  • Operational Purpose: Grounds authenticated tenant support inquiries against app_documents where readingLevel: "LEVEL_1" — fail-closed 403 when Ironguard tenant validation drops; returns queued acknowledgment to operators (not live agent reply text).
  • Technical Mechanics: app/lib/server/customerServiceConsoleCore.ts:
    • assertIronguardApiTenantOr403 on every request — tenant-scoped; does not require GLOBAL_ADMIN
    • Documentation rows filtered strictly to LEVEL_1 reading level
    • Gemini synthesis temperature 0.0; proposed reply logged as [PENDING DRAFT APPROVAL] via per-tenant support console CRM contact
    • Response payload: { status: "QUEUED", interactionId, reply: acknowledgmentMessage }
    • Prisma ironboardCrmContact.fullName — never name or firstName/lastName
  • Agent Boundary: Ironguard (Agent 12) tenant perimeter; Ironscribe (Agent 05) doc citation lineage; dispatch via HITL-001.
  • Step-by-Step Lab Validation:
    1. POST without tenant session — verify 403.
    2. POST with valid tenant — verify QUEUED response and CRM pending draft tag (not raw synthesis in API body).
    3. Confirm no LEVEL_2 technical corpus rows appear in grounded context.

<a id="auth-009"></a>

🎫 Feature 63: Workspace Invitation Token Gate

  • GRC Function ID: AUTH-009
  • Exact Screen Coordinates: /register/[token] — workspace invitation activation page; admin mint action.
  • Operational Purpose: Requires valid workspace invitation token before corporate tenant provisioning — prevents unauthorized tenant creation during Phase 1 sales-assisted onboarding.
  • Technical Mechanics:
    • Prisma TenantWorkspaceInvitation model: tokenHash, email, tenantSlug, status (ACTIVE, CONSUMED, REVOKED), expiresAt
    • app/lib/auth/workspaceInvitationCore.ts: validateWorkspaceInvitation, getWorkspaceInvitationForRegistration, resolveWorkspaceInvitationForRegistration
    • createWorkspaceInvitation accepts dispatchInviteEmail: true — when email and tenantSlug bound, calls sendWorkspaceInviteEmailCore via Resend (Bucket A invite); returns registerUrl from buildRegisterInvitationUrl(token) and inviteEmail dispatch receipt (sent, resendId, or deferrable error)
    • corporateTenantProvisionCore.ts — invitation gate before tenant create; relinkExistingCorporateInvite grants user_role_assignments when Supabase auth account already exists (findSupabaseAuthUserByEmail, isSupabaseExistingUserError) — returns existingAccount: true without duplicate invite email
    • resolveSupabaseInviteRedirectOrigin for corporate operator invite callbacks
    • app/actions/admin/mintWorkspaceInvitation.ts — GLOBAL_ADMIN mint path
    • workspaceInvitationActivationCore.ts — activation on token consume
    • Migration 20260618000000_crm_contact_metadata_system_agent
  • Agent Boundary: Ironguard (Agent 12) identity; Ironwatch (Agent 13) audit on consume.
  • Step-by-Step Lab Validation:
    1. Attempt corporate provision without invitation token — verify gate rejection.
    2. Mint invitation as GLOBAL_ADMIN — open /register/{token} — complete activation.
    3. Re-use consumed token — verify CONSUMED status blocks re-entry.
    4. Mint invitation with dispatchInviteEmail: true — verify Resend dispatch receipt and /register/[token] resolves email-bound invitation view.
    5. Invite email already registered in Supabase — verify relink path grants role without duplicate auth user create.
    6. Run tests/unit/workspaceInviteEmailDelivery.test.ts and tests/unit/workspaceInviteEmailContent.test.ts — outbound invite HTML and deferrable error paths pass.

<a id="trust-001"></a>

🛡️ Feature 64: Trust Center Procurement Plane

  • GRC Function ID: TRUST-001
  • Exact Screen Coordinates: /trust index; /trust/dpa; /trust/subprocessors; /trust/data-residency; rendered by TrustProcurementDocument.tsx.
  • Operational Purpose: Surfaces procurement-ready legal artifacts (DPA, subprocessors list, data residency statement) for enterprise buyers with BigInt cent references in liability exhibits.
  • Technical Mechanics:
    • app/(dashboard)/trust/* pages inside dashboard route group
    • procurement.ts legal artifacts — ALE baseline references as BigInt integer cents (Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000)
    • Requires authenticated dashboard session — not in narrow public funnel
  • Agent Boundary: Ironscribe (Agent 05) immutable legal version lineage; Irontrust (Agent 3) financial exhibit formatting.
  • Step-by-Step Lab Validation:
    1. Sign in as GRC_MANAGER — navigate to /trust/dpa — verify document renders.
    2. Verify ALE exhibits cite whole integer cent strings — no float dollars in persistence paths.
    3. Attempt /trust on cloud host without full ingress — verify 403 quarantine (private workspace).

<a id="arch-001"></a>

🏰 Feature 65: Gateway Shield Architecture Test

  • GRC Function ID: ARCH-001
  • Exact Screen Coordinates: No UI — CI gate tests/architecture/gatewayShield.test.ts.
  • Operational Purpose: Scans every app/api/**/route.ts that imports Prisma and requires Irongate DMZ marker presence — prevents raw database ingress without sanitization guards.
  • Technical Mechanics:
    • IRONGATE_DMZ_MARKERS → assertIronguardApiTenantOr403, sanitizeThreatIngressPayload, checkCronBearerAuth, assertTenantFeatureEntitled, etc.
    • EXEMPT_ROUTE_SUFFIXES — webhooks, billing webhook, auth callbacks, internal cron, platform-admin-gate
    • Fails CI when Prisma-importing route lacks marker and is not exempt
  • Agent Boundary: Irongate (Agent 14) DMZ enforcement at architecture layer.
  • Step-by-Step Lab Validation:
    1. Run npm run test -- tests/architecture/gatewayShield.test.ts — zero violations.
    2. Add new Prisma API route without DMZ marker — verify CI failure lists file path.
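
How a gate of this kind is built, as an added example rather than the project's tests/architecture/gatewayShield.test.ts. The marker names and two of the exempt suffixes are copied from the feature description; the directory walk is replaced by an in-memory map from path to source so the check runs offline, and the import-matching regex, the comment stripping and the "marker must be called, not merely imported" rule are assumptions about how the real test should behave. The sample route sources are constructed for this example and are not repository files.

```typescript
// Added example of the gateway-shield check; not the project's own architecture test.
export const IRONGATE_DMZ_MARKERS: string[] = [
  "assertIronguardApiTenantOr403",
  "sanitizeThreatIngressPayload",
  "checkCronBearerAuth",
  "assertTenantFeatureEntitled",
];

// Routes that authenticate by other means (webhook signature, cron bearer) rather than a tenant session.
export const EXEMPT_ROUTE_SUFFIXES: string[] = [
  "api/webhooks/stripe/route.ts",
  "api/billing/webhook/route.ts",
];

// Assumed import shapes: `@prisma/client` or a local wrapper whose path ends in /prisma (e.g. "@/lib/prisma").
const PRISMA_IMPORT = /from\s+["'](?:@prisma\/client|[^"']*\/prisma)["']/;
const ROUTE_FILE = /^app\/api\/.*\/route\.ts$/;

export interface ShieldViolation { file: string; reason: string; }

// Drop comments first so a marker mentioned in a TODO cannot satisfy the gate.
function stripComments(source: string): string {
  return source.replace(/\/\*[\s\S]*?\*\//g, "").replace(/\/\/[^\n]*/g, "");
}

// Require a call site, not just an import: an imported-but-unused guard protects nothing.
function callsAnyMarker(source: string): boolean {
  return IRONGATE_DMZ_MARKERS.some((name) => new RegExp("\\b" + name + "\\s*\\(").test(source));
}

export function findGatewayShieldViolations(files: { [path: string]: string }): ShieldViolation[] {
  const violations: ShieldViolation[] = [];
  Object.keys(files).forEach((file) => {
    if (!ROUTE_FILE.test(file)) return;
    const source = stripComments(files[file]);
    if (!PRISMA_IMPORT.test(source)) return;                                   // no database ingress here
    if (EXEMPT_ROUTE_SUFFIXES.some((s) => file.slice(-s.length) === s)) return;
    if (!callsAnyMarker(source)) {
      violations.push({ file, reason: "imports Prisma but never calls an Irongate DMZ marker" });
    }
  });
  return violations;
}

// Constructed sample routes (not repository files) covering the four outcomes:
// guarded, unguarded, exempt, and no-Prisma.
export const SAMPLE_ROUTES: { [path: string]: string } = {
  "app/api/threats/validate/route.ts": [
    'import { prisma } from "@/lib/prisma";',
    'import { assertIronguardApiTenantOr403 } from "@/lib/ironguard";',
    "export async function POST(req: Request) {",
    "  const tenant = await assertIronguardApiTenantOr403(req);",
    "  return Response.json(await prisma.activeRisk.findMany({ where: { tenantId: tenant.id } }));",
    "}",
  ].join("\n"),
  "app/api/reports/export/route.ts": [
    'import { prisma } from "@/lib/prisma";',
    'import { assertIronguardApiTenantOr403 } from "@/lib/ironguard"; // imported, never called',
    "// TODO: assertIronguardApiTenantOr403(req)",
    "export async function GET() { return Response.json(await prisma.report.findMany()); }",
  ].join("\n"),
  "app/api/webhooks/stripe/route.ts": [
    'import { prisma } from "@/lib/prisma";',
    'export async function POST(req: Request) { /* signature check instead of tenant session */ return new Response("ok"); }',
  ].join("\n"),
  "app/api/health/route.ts": "export function GET() { return Response.json({ ok: true }); }",
};
```

Two things this text-level check cannot see: a route that reaches Prisma through a re-exported helper whose import path does not match the regex, and a marker that is called only on one branch (for example after an early return). A production version should resolve imports against the repository's real Prisma wrapper and, ideally, work from the TypeScript AST rather than regexes.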

<a id="billing-002"></a>

💳 Feature 66: Billing Webhook Dual Path

  • GRC Function ID: BILLING-002
  • Exact Screen Coordinates: No UI — POST /api/webhooks/stripe and POST /api/billing/webhook.
  • Operational Purpose: Separates Stripe instant-checkout provisioning (checkout.session.completed) from recurring billing activation (payment_intent.succeeded) with independent webhook secrets and operator audit identities.
  • Technical Mechanics: config/stripe.ts:
    • STRIPE_WEBHOOK_PATH = /api/webhooks/stripe; STRIPE_BILLING_WEBHOOK_PATH = /api/billing/webhook
    • STRIPE_INSTANT_CHECKOUT_OPERATOR_ID and STRIPE_PAYMENT_INTENT_OPERATOR_ID
    • resolveStripeCredentialMode() reads STRIPE_CREDENTIAL_MODE=test|live
    • app/api/billing/webhook/route.ts — billing activation path
    • parsePaymentIntent.ts — payment intent metadata BigInt cent extraction
    • Both paths in STRIPE_WEBHOOK_PATHS — bypass deployment quarantine
  • Agent Boundary: Irontrust (Agent 3) BigInt amountTotalCents; Ironwatch (Agent 13) audit operator IDs.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/stripeConfig.test.ts — credential mode and dual secret resolution pass.
    2. Forward payment_intent.succeeded to /api/billing/webhook — verify TenantBilling.status ACTIVE.
    3. Run tests/unit/stripeCheckoutParse.test.ts — BigInt cent parsing unchanged.
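
What "independent webhook secrets" buys you, shown as an added example that is not the project's config/stripe.ts or either webhook route. The Stripe-Signature header format (t=<unix seconds>, v1=<hex HMAC-SHA256 over "<t>.<raw body>">) and the 300-second default tolerance are Stripe's documented scheme; the per-path secret table, the path-to-event-type ownership map, the outcome shape and the sample bodies are assumptions constructed for this example. Secrets are inline literals here only so the block runs offline; real code loads them from the environment.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// Added example; not project code. Stripe-Signature format is Stripe's documented scheme.
export const STRIPE_WEBHOOK_PATH = "/api/webhooks/stripe";
export const STRIPE_BILLING_WEBHOOK_PATH = "/api/billing/webhook";

// One secret per endpoint: a signature minted for the checkout endpoint must not verify on the billing one.
export const WEBHOOK_SECRETS: { [path: string]: string } = {
  "/api/webhooks/stripe": "whsec_checkout_constructed_example",  // constructed placeholder
  "/api/billing/webhook": "whsec_billing_constructed_example",   // constructed placeholder
};

// Each endpoint accepts only the event type it owns; anything else is dropped even if correctly signed.
const EXPECTED_EVENT_TYPE: { [path: string]: string } = {
  "/api/webhooks/stripe": "checkout.session.completed",
  "/api/billing/webhook": "payment_intent.succeeded",
};

const TOLERANCE_SEC = 300;  // Stripe's default replay window

// Mirrors what Stripe does on its side; used to build test fixtures.
export function signStripePayload(rawBody: string, secret: string, tsSec: number): string {
  const v1 = createHmac("sha256", secret).update(`${tsSec}.${rawBody}`, "utf8").digest("hex");
  return `t=${tsSec},v1=${v1}`;
}

export function verifyStripeSignature(rawBody: string, header: string, secret: string, nowSec: number): boolean {
  let tsSec = -1;
  const candidates: string[] = [];
  header.split(",").forEach((kv) => {
    const i = kv.indexOf("=");
    if (i < 0) return;
    const key = kv.slice(0, i).trim();
    const value = kv.slice(i + 1).trim();
    if (key === "t") tsSec = parseInt(value, 10);
    else if (key === "v1") candidates.push(value);   // several v1 entries appear during secret rotation
  });
  if (!(tsSec > 0) || candidates.length === 0) return false;
  if (Math.abs(nowSec - tsSec) > TOLERANCE_SEC) return false;     // replay protection
  const expected = createHmac("sha256", secret).update(`${tsSec}.${rawBody}`, "utf8").digest();
  return candidates.some((hex) => {
    const got = Buffer.from(hex, "hex");
    return got.length === expected.length && timingSafeEqual(got, expected);  // constant-time compare
  });
}

export interface WebhookOutcome { accepted: boolean; reason: string; amountCents?: string; }

// Dispatch by path: pick that endpoint's own secret, verify over the RAW body, then enforce event ownership.
export function handleStripeWebhook(path: string, rawBody: string, header: string, nowSec: number): WebhookOutcome {
  const secret = WEBHOOK_SECRETS[path];
  if (!secret) return { accepted: false, reason: "unknown_webhook_path" };
  if (!verifyStripeSignature(rawBody, header, secret, nowSec)) return { accepted: false, reason: "bad_signature" };
  let event: any;
  try { event = JSON.parse(rawBody); } catch { return { accepted: false, reason: "malformed_json" }; }
  if (event.type !== EXPECTED_EVENT_TYPE[path]) return { accepted: false, reason: "event_type_not_owned_by_path" };
  const obj = event.data && event.data.object ? event.data.object : {};
  // Stripe amounts are integer minor units: amount_total on a checkout session, amount on a payment intent.
  const raw = path === STRIPE_BILLING_WEBHOOK_PATH ? obj.amount : obj.amount_total;
  if (typeof raw !== "number" || !isFinite(raw) || Math.floor(raw) !== raw || raw < 0) {
    return { accepted: false, reason: "amount_not_integer_cents" };
  }
  return { accepted: true, reason: "ok", amountCents: String(raw) };  // cents stay an integer string, never a float
}
```

The signature must be computed over the raw request body exactly as received; re-serialising parsed JSON changes whitespace and key order and breaks verification, which is why a framework's body parser has to be bypassed on webhook routes.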

<a id="nav-003"></a>

🧭 Feature 67: Role Route Consolidation (Dashboard Group)

  • GRC Function ID: NAV-003
  • Exact Screen Coordinates: /dashboard/cfo, /dashboard/ciso, /dashboard/board, /dashboard/audit, /dashboard/legal, /dashboard/ops, /dashboard/product, /dashboard/insurance, /dashboard/itsm, /dashboard/cro — formerly under app/roles/*.
  • Operational Purpose: Consolidates role-specific dashboard surfaces under app/(dashboard)/dashboard/* route group with shared DashboardCommandCenterLayout chrome — eliminates duplicate layout trees.
  • Technical Mechanics:
    • Deleted: app/roles/* entire tree
    • Added: app/(dashboard)/dashboard/[role]/page.tsx pattern
    • /config redirected to /settings/config
    • grcRouteMatch.ts isDashboardRouteGroupPath updated — no /roles prefix
    • Tenant topology/logs stubs removed (app/gridcore/logs, app/medshield/topology, etc.)
  • Agent Boundary: Ironcore (Agent 1) orchestration shell unchanged per role.
  • Step-by-Step Lab Validation:
    1. Navigate to /dashboard/cfo as authenticated operator — verify role dashboard renders with TopNav.
    2. Attempt legacy /roles/cfo — verify 404.
    3. Navigate to /settings/config — verify config surface (formerly /config).

<a id="hitl-001"></a>

✅ Feature 68: Unified Human-in-the-Loop Approval Desk

  • GRC Function ID: HITL-001
  • Exact Screen Coordinates: /dashboard/admin/approvals — admin UI; GET/POST /api/admin/approvals API.
  • Operational Purpose: Aggregates all pending agent outputs (draftKind: "SUPPORT" | "SALES") for GLOBAL_ADMIN review before Resend outbound dispatch — tier inference from contact metadata (Gridcore, Vaultbank, Medshield baseline alignment).
  • Technical Mechanics: app/lib/server/approvalQueueCore.ts:
    • Support tag: [PENDING DRAFT APPROVAL] · Sales tag: [PENDING SALES DRAFT APPROVAL]
    • Dispatch tags: [DISPATCHED SUPPORT COURIER] · [DISPATCHED SALES COURIER] · purge: [PURGED DRAFT]
    • fetchPendingApprovalDrafts — unified queue query; parsePendingDraftSummary handles both tag formats
    • app/api/admin/approvals/[id]/route.ts — DISPATCH / PURGE via sendOutboundEmail (Ironboard Resend transport)
    • canUsePlatformAdminTools — requires UserRole.GLOBAL_ADMIN (distinct from Ironguard tenant scope on SUPPORT-001)
  • Agent Boundary: Ironwatch (Agent 13) audit on dispatch; human operator holds execution keys.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/approvalQueueCore.test.ts — tier inference, sales parse, and draft kind inference pass.
    2. Queue sales and support drafts — list via admin API — verify draftKind badges in UI.
    3. DISPATCH approved reply — verify correct dispatched tag replaces pending tag.

<a id="board-012"></a>

🏛️ Feature 69: Founding Agent LLM Module Refactor

  • GRC Function ID: BOARD-012
  • Exact Screen Coordinates: IronBoard boardroom — CEO, CFO, CCO, Legal founding personas on port 8082.
  • Operational Purpose: Centralizes founding-agent Gemini calls in boardAgentLlm.ts with temperature 0.0 — CEO, CFO, Compliance, and Legal personas now produce LLM assessments via generateBoardAgentAssessment instead of static length/temperature log strings.
  • Technical Mechanics:
    • Ironboard/src/agents/boardAgentLlm.ts — shared GoogleGenAI wrapper; generateBoardAgentAssessment({ model, roleLabel, stateSummary })
    • Ironboard/src/agents/founding.ts: formatBoardStateSummary includes financialProjectionsCents, the last three executive log lines, departmental approvals, and a role-specific focus string; the CFO path calls assertWholeIntegerCents before assessment
    • Ironboard/src/state.ts: ironframeDocumentationBrief annotation field for the one-way brief JSON from shared-context
    • Ironboard/src/services/email/ — Resend email package (resend ^6.14.0) for board outbound
    • queryLocalWorkspace.ts: stringifyWorkspaceBigIntFields prevents JSON serialization drift on CRM BigInt columns
    • Ironboard/vitest.config.ts — includes tests/**/*.test.ts for package-level integration suites
  • Agent Boundary: Ironlogic (Agent 9) persona routing; Irontrust (Agent 3) BigInt stringify and assertWholeIntegerCents at CFO boundary.
  • Step-by-Step Lab Validation:
    1. Run Ironboard/tests/agentValidation.test.ts and Ironboard/tests/orchestratorPipeline.test.ts — founding and documentation artifact paths pass.
    2. Run executive documentation command — verify documentationArtifacts includes trainer and writer slug outputs.
    3. Inspect boardroom SSE — verify BigInt fields arrive as strings in tool receipts.
    4. Mock @google/genai with class constructor pattern per .cursorrules — Vitest must not crash on arrow-function mocks.

<a id="carbon-002"></a>

🌿 Feature 70: Ironbloom Physical Threat Ingestion Telemetry

  • GRC Function ID: CARBON-002
  • Exact Screen Coordinates: No direct UI — recordSustainabilityImpact server action triggered on threat RESOLVED state.
  • Operational Purpose: Extracts kWh physical units from ThreatEvent.ingestionDetails for carbon mitigated value calculation — rejects monetary-only payloads per Mandate 3.
  • Technical Mechanics:
    • parseThreatIngestionTelemetry in ironbloomDashboardTelemetry.ts
    • buildCarbonTraceFromStream → mitigatedValueCents as BigInt
    • app/lib/ironbloom/productionCarbonLedger.ts — production ledger updates
    • app/lib/ironbloom/tenantPhysicalTelemetry.ts — tenant-scoped physical unit aggregation
    • Idempotent upsert per threatId
  • Agent Boundary: Ironbloom (Agent 17) exclusive sustainability scoring; Irongate (Agent 14) rejects non-physical ingestion.
  • Step-by-Step Lab Validation:
    1. Run lib/sustainability/ironbloomDashboardTelemetry.test.ts — kWh parse and cent output pass.
    2. Resolve threat with kWh in ingestionDetails — verify mitigated_value_cents BIGINT row.
    3. Resolve threat with monetary-only payload — verify no_physical_telemetry reason.

<a id="admin-002"></a>

🚀 Feature 71: Admin Onboarding Deployments Panel

  • GRC Function ID: ADMIN-002
  • Exact Screen Coordinates: /admin/onboarding; AdminOnboardingDashboardHeader, AdminOnboardingDeployments, and the #onboarding-controls CorporateOnboardingClient section inside the dashboard route group.
  • Operational Purpose: Gives GLOBAL_ADMIN operators a supervisor command plane for B2B tenant provisioning, deployment posture visibility, invitation token minting, and corporate operator invites — billing inline activation removed from client (Stripe webhook path owns activation).
  • Technical Mechanics:
    • app/lib/server/adminOnboardingDeployments.ts: fetchTenantDeploymentRows() joins tenant, tenantBilling, tenantWorkspaceInvitation, userRoleAssignment, and userLegalConsent for the deployment snapshot
    • allocatedBaseline = formatCentsToAccountingUSD(tenant.ale_baseline), where ale_baseline is BigInt cents in PostgreSQL (Medshield 1110000000 → $11,100,000.00; Vaultbank 590000000 → $5,900,000.00; Gridcore 470000000 → $4,700,000.00)
    • infrastructureStatus = PROVISIONED when tenantBilling.status === ACTIVE; STAGED otherwise
    • legalSignoff = COMPLETE when all tenant operators hold current IRONFRAME_TERMS_VERSION + IRONFRAME_PRIVACY_VERSION consents; PENDING_SIGNATURE when active/consumed invitations or partial consents exist; AWAITING_INITIALIZATION when no operators are assigned
    • AdminOnboardingDashboardHeader.tsx — displays deploymentCount with dark cockpit grid chrome (bg-[#020617])
    • AdminOnboardingDeployments.tsx — desktop 12-column supervisor grid (Tenant ID, Organization, ALE Target Allocation, Infrastructure, Legal Posture, Actions); responsive mobile card stack; 44px action controls; workspace gear link opens buildTenantSubdomainOrigin(slug, port) in new tab
    • CorporateOnboardingClient.tsx — mint invitation displays secure activation URL /register/{token}; provision form uses parseDollarAleToBigIntCents for ALE dollar input → BigInt cent persistence; inline Activate billing button and provisioned-workspaces list removed from client (deployments panel owns workspace inventory)
    • assertGlobalAdminForOnboarding in middleware — hard GLOBAL_ADMIN gate before page render; scroll allowlist prevents session collision on admin console routes
    • Page metadata: Onboarding & Tenant Deployments | Ironframe Admin
  • Agent Boundary: Ironguard (Agent 12) GLOBAL_ADMIN RBAC; Ironlock (Agent 6) quarantine state display; Ironwatch (Agent 13) provision audit receipts.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/adminOnboardingDeployments.test.ts — snapshot fields pass.
    2. Sign in as non-admin — verify /admin/onboarding redirect before deployments panel loads.
    3. Sign in as GLOBAL_ADMIN — verify deployments panel and provisioning controls render.
    4. Mint invitation — verify /register/{token} URL displayed in mint result panel.
    5. Confirm billing activation occurs via /api/billing/webhook — not manual client button.

<a id="sim-003"></a>

🎯 Feature 72: Threat Validate BigInt ActiveRisk Extraction

  • GRC Function ID: SIM-003
  • Exact Screen Coordinates: No UI — POST /api/threats/validate API route.
  • Operational Purpose: Validates pipeline card IDs against ActiveRisk and ThreatEvent tables — extracts numeric ActiveRisk id from card patterns (center-risk-1, risk-1, bare integer) as BigInt-safe string for ghost card reconciliation.
  • Technical Mechanics: app/api/threats/validate/route.ts:
    • parseActiveRiskId(cardId) — regex extract numeric id
    • assertIronguardApiTenantOr403 tenant guard
    • Returns { validIds: string[] } subset existing in DB
    • Separates CUID threat event ids from numeric ActiveRisk ids
  • Agent Boundary: Ironguard (Agent 12) tenant scope; Irontrust (Agent 3) numeric id integrity.
  • Step-by-Step Lab Validation:
    1. POST { ids: ["center-risk-1", "risk-42", "ghost-999"] } — verify only existing ids in validIds.
    2. POST without tenant session — verify 403.
    3. Confirm ActiveRisk numeric ids handled as strings — never float conversion.
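
The id-extraction and classification step, as an added example rather than the project's app/api/threats/validate/route.ts. The three card patterns (center-risk-N, risk-N, bare integer) are from the feature description; the CUID shape check (Prisma's default cuid(): a "c" followed by 24 lowercase alphanumerics), the leading-zero canonicalisation, the object-keyed stand-ins for the two database lookups, and the sample ids are assumptions constructed for this example.

```typescript
// Added example; not the project's validate route. Card patterns from the feature text,
// CUID shape and lookup stand-ins are assumptions.
const ACTIVE_RISK_CARD = /^(?:center-risk-|risk-)?(\d+)$/;
const CUID_SHAPE = /^c[a-z0-9]{24}$/;   // assumed: Prisma default cuid() layout

// Returns the numeric ActiveRisk id as a decimal string, never as a JS number:
// Number("9007199254740993") silently becomes 9007199254740992.
export function parseActiveRiskId(cardId: string): string | null {
  const m = ACTIVE_RISK_CARD.exec(cardId.trim());
  if (!m) return null;
  return m[1].replace(/^0+(?=\d)/, "");   // canonical form so "risk-007" and "7" hit the same row
}

export interface ClassifiedIds {
  activeRisks: { cardId: string; riskId: string }[];
  threatEventIds: string[];
  rejected: string[];
}

export function classifyCardIds(ids: string[]): ClassifiedIds {
  const out: ClassifiedIds = { activeRisks: [], threatEventIds: [], rejected: [] };
  ids.forEach((raw) => {
    const id = typeof raw === "string" ? raw.trim() : "";   // defensive against untyped JSON input
    const riskId = parseActiveRiskId(id);
    if (riskId !== null) out.activeRisks.push({ cardId: id, riskId });
    else if (CUID_SHAPE.test(id)) out.threatEventIds.push(id);
    else out.rejected.push(id);   // "ghost-999" style ids never reach the database
  });
  return out;
}

// Stand-ins for the two tenant-scoped Prisma lookups: ids the tenant actually owns, keyed as strings.
export function validateCardIds(
  ids: string[],
  knownRiskIds: { [id: string]: true },
  knownThreatIds: { [id: string]: true },
): string[] {
  const c = classifyCardIds(ids);
  const valid: string[] = [];
  c.activeRisks.forEach((r) => { if (knownRiskIds[r.riskId] === true) valid.push(r.cardId); });
  c.threatEventIds.forEach((id) => { if (knownThreatIds[id] === true) valid.push(id); });
  return valid;   // original card ids, so the client can reconcile its ghost cards directly
}
```

The split matters for the query as well as for precision: numeric ids go to the ActiveRisk table and CUIDs to ThreatEvent, so a crafted id can never be coerced into the wrong table's lookup, and anything matching neither pattern is dropped before any query runs.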

<a id="ingress-002"></a>

📥 Feature 73: Compilation Ingress Portal

  • GRC Function ID: INGRESS-002
  • Exact Screen Coordinates: /docs/[slug] — renders when slug not found in DB or filesystem; CompilationIngressPortal.tsx.
  • Operational Purpose: Provides operator-visible staging surface when documentation slug is unresolved — triggers async compilation ingress without exposing draft queue content publicly.
  • Technical Mechanics: app/docs/[[...slug]]/CompilationIngressPortal.tsx — client portal with targetSlug prop; pairs with documentationPipeline.ts on IronBoard. docs/error.tsx and docs/[[...slug]]/not-found.tsx fail closed without dashboard chrome bleed.
  • Agent Boundary: Irongate (Agent 14) — unresolved slugs do not leak briefing-queue drafts.
  • Step-by-Step Lab Validation:
    1. Navigate to /docs/nonexistent-slug-xyz — verify CompilationIngressPortal renders (not dashboard 500).
    2. Confirm portal does not display briefing-queue/ draft content.
    3. After POST /api/documentation/execute upsert — reload slug — verify article renders from DB.

<a id="training-001"></a>

📸 Feature 74: Training Screenshot Corpus Assets

  • GRC Function ID: TRAINING-001
  • Exact Screen Coordinates: Embedded in Level 1 and Level 2 training markdown served from /docs — asset paths under /docs/training/assets/.
  • Operational Purpose: Supplies twenty-four canonical UI capture placeholders for Trainer corpus publisher chapters — enables visual milestone anchoring in classroom sandbox curriculum without inventing UI labels.
  • Technical Mechanics: Binary PNG assets added in today's delta under public/docs/training/assets/:
    • Level 1: level-1-01-grc-foundations.png through level-1-12-student-certification.png
    • Level 2: level-2-01-architecture-topology.png through level-2-12-practitioner-certification.png including level-2-11-bigint-financial-integrity.png
    • Capture pipeline scripts: scripts/capture-training-screenshots.mjs, scripts/ensure-training-screenshot-placeholders.mjs, scripts/training-screenshot-session.mjs
    • config/training-corpus-manifest.json — chapter-to-asset binding for trainingCorpusPublisher.ts
  • Agent Boundary: board-trainer (IronBoard) owns embedding; Ironscribe (Agent 05) citation lineage for source-file paths in generated markdown.
  • Step-by-Step Lab Validation:
    1. Run Ironboard/tests/trainingCorpus.test.ts — publisher references asset paths.
    2. Open /docs/training/ chapter — verify PNG assets resolve with 200 on local host.
    3. Confirm Trainer draft cites source-file: paths — never invented UI label strings.

<a id="market-004"></a>

🔬 Feature 75: GTM Market Prospect Authenticity Gate

  • GRC Function ID: MARKET-004
  • Exact Screen Coordinates: No UI — backend gate in marketProspectAuthenticity.ts invoked before flywheel batch load and boardroom prefetch.
  • Operational Purpose: Prevents synthetic expansion scaffolding ({Region} Ledger, {Region} Vault, -ledger.io, -vault.finance) from polluting board GTM intelligence — board personas must never cite template rows as real market research or customer proof points.
  • Technical Mechanics:
    • verifyAndOptimizeMarketData(region, { operatorTriggered }) — assesses authenticity, purges synthetic rows, triggers discoverRegionalProspects when below threshold
    • isSyntheticExpansionTemplateProspect({ companyName, domain, employeeCount }) — detects Ledger (24 emp) and Vault (18 emp) patterns
    • assessRegionProspectAuthenticity — returns authenticCount, syntheticCount, polluted, meetsAuthenticThreshold
    • formatProspectLineage — emits LIVE_WEB_GROUNDING, SYNTHETIC_SCAFFOLDING, or CURATED_DEMO_SEED
    • BOARD_GTM_MARKET_AUTHENTICITY_MANDATE in boardroomSystemPrompt.ts — constitutional boardroom directive
  • Agent Boundary: Ironlogic (Agent 9) board synthesis; Ironintel (Agent 16) live discovery backfill; Irongate (Agent 14) external intel sanitization on discovered JSON.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/marketProspectAuthenticity.test.ts — synthetic detection and purge pass.
    2. Load Germany batch — verify zero {Germany} Ledger rows after authenticity gate.
    3. Ask boardroom "Who are our potential customers in Germany?" — verify response labels lineage or states live discovery in progress — never cites scaffolding as proof.
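
The scoring rule from Feature 55 and the authenticity gate from Feature 75 together, as an added example that is not the project's marketIntelligence.ts or marketProspectAuthenticity.ts. The weights, the sub-threshold REJECTED stage, the threshold of three authentic rows, the template name and domain patterns, the 24 and 18 headcounts and the three lineage labels are all taken from the feature descriptions; that the weights simply sum, the QUALIFIED stage name, the prospect record shape, how the template signals combine (a template domain alone is decisive, a template name needs the matching headcount) and the German sample rows are assumptions constructed for this example.

```typescript
// Added example; not project code. Weights, threshold, patterns and lineage labels from the
// feature text; prospect shape, combination rules and sample rows are assumptions.
export type ProspectLineage = "LIVE_WEB_GROUNDING" | "SYNTHETIC_SCAFFOLDING" | "CURATED_DEMO_SEED";

export interface MarketProspect {
  companyName: string;
  domain: string;
  region: string;
  employeeCount: number;
  certifications: string[];   // e.g. ["SOC2"] or ["ISO27001"]
  fundingStage: string;       // e.g. "SEED", "SERIES_A", "SERIES_B"
  hasComplianceHire: boolean;
  lineage: ProspectLineage;
}

export const TIER_THRESHOLD = 100;
export const AUTHENTIC_ROW_THRESHOLD = 3;

export function calculateTierScore(p: MarketProspect, targetRegion: string): number {
  let score = 0;
  if (p.region.toLowerCase() === targetRegion.toLowerCase()) score += 50;           // region presence
  if (p.certifications.some((c) => c === "SOC2" || c === "ISO27001")) score += 50;  // attestation
  if (p.fundingStage === "SEED" || p.fundingStage === "SERIES_A") score += 100;     // stage fit
  if (p.hasComplianceHire) score += 75;                                             // buying signal
  return score;
}

export function dealStageFor(score: number): "REJECTED" | "QUALIFIED" {
  return score < TIER_THRESHOLD ? "REJECTED" : "QUALIFIED";   // QUALIFIED label is assumed
}

// Template rows: "{Region} Ledger" on {region}-ledger.io with 24 staff, "{Region} Vault" on
// {region}-vault.finance with 18 staff. A real "X Ledger" with 300 staff must not be purged.
export function isSyntheticExpansionTemplateProspect(
  p: { companyName: string; domain: string; employeeCount: number },
): boolean {
  const domain = p.domain.toLowerCase();
  if (/-ledger\.io$/.test(domain) || /-vault\.finance$/.test(domain)) return true;
  const ledgerName = /\sLedger$/.test(p.companyName) && p.employeeCount === 24;
  const vaultName = /\sVault$/.test(p.companyName) && p.employeeCount === 18;
  return ledgerName || vaultName;
}

export interface AuthenticityAssessment {
  authenticCount: number; syntheticCount: number; polluted: boolean; meetsAuthenticThreshold: boolean;
}

export function assessRegionProspectAuthenticity(rows: MarketProspect[]): AuthenticityAssessment {
  const syntheticCount = rows.filter(isSyntheticExpansionTemplateProspect).length;
  const authenticCount = rows.length - syntheticCount;
  return {
    authenticCount, syntheticCount,
    polluted: syntheticCount > 0,
    meetsAuthenticThreshold: authenticCount >= AUTHENTIC_ROW_THRESHOLD,
  };
}

export interface ScoredProspect { companyName: string; tierScore: number; dealStage: "REJECTED" | "QUALIFIED"; lineage: ProspectLineage; }
export interface GateResult { purged: number; polluted: boolean; needsLiveDiscovery: boolean; scored: ScoredProspect[]; }

// The gate: purge scaffolding, score only what survives, report whether live discovery must backfill.
export function verifyAndOptimizeMarketData(rows: MarketProspect[], region: string): GateResult {
  const before = assessRegionProspectAuthenticity(rows);
  const kept = rows.filter((r) => !isSyntheticExpansionTemplateProspect(r));
  const scored = kept.map((r) => {
    const tierScore = calculateTierScore(r, region);
    return { companyName: r.companyName, tierScore, dealStage: dealStageFor(tierScore), lineage: r.lineage };
  });
  return { purged: before.syntheticCount, polluted: before.polluted, needsLiveDiscovery: !before.meetsAuthenticThreshold, scored };
}

// Constructed sample region (not real companies or data): two template rows, two grounded rows.
export const GERMANY_SAMPLE: MarketProspect[] = [
  { companyName: "Germany Ledger", domain: "germany-ledger.io", region: "Germany", employeeCount: 24, certifications: [], fundingStage: "SEED", hasComplianceHire: false, lineage: "SYNTHETIC_SCAFFOLDING" },
  { companyName: "Germany Vault", domain: "germany-vault.finance", region: "Germany", employeeCount: 18, certifications: [], fundingStage: "SEED", hasComplianceHire: false, lineage: "SYNTHETIC_SCAFFOLDING" },
  { companyName: "Rheinpay GmbH", domain: "rheinpay.example", region: "Germany", employeeCount: 40, certifications: ["SOC2"], fundingStage: "SEED", hasComplianceHire: true, lineage: "LIVE_WEB_GROUNDING" },
  { companyName: "Nordkonto AG", domain: "nordkonto.example", region: "Germany", employeeCount: 120, certifications: [], fundingStage: "SERIES_B", hasComplianceHire: false, lineage: "LIVE_WEB_GROUNDING" },
];
```

On the sample the gate purges both template rows, leaves two grounded rows (one QUALIFIED, one REJECTED), and reports needsLiveDiscovery because two is below the threshold of three; that last flag is what should trigger discoverRegionalProspects rather than a fallback to seeded templates, which is the behaviour lab step 2 checks.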

<a id="ux-006"></a>

👆 Feature 76: WCAG Touch Target CSS Layer

  • GRC Function ID: UX-006
  • Exact Screen Coordinates: Global — applies to .ironframe-app-shell, .ironframe-public-landing, and .ironframe-docs-shell interactive controls.
  • Operational Purpose: Enforces minimum 44px (2.75rem) touch targets on coarse pointer devices per .cursorrules dark cockpit aesthetic mandate — eliminates double-tap zoom delay on mobile lab devices.
  • Technical Mechanics: app/globals.css additions:
    • touch-action: manipulation and -webkit-tap-highlight-color: transparent on buttons and rounded anchors
    • :active scale 0.98 feedback on press (excludes docs article inline links)
    • @media (pointer: coarse) min-height: 2.75rem on public landing, docs shell, and app shell buttons (excludes data-compact-touch and chip-bar controls)
  • Agent Boundary: Presentation layer only — no financial or tenant scope side effects.
  • Step-by-Step Lab Validation:
    1. Open marketing homepage on mobile viewport — inspect button computed height ≥ 44px.
    2. Tap docs shell navigation control — verify no 300ms zoom delay (touch-action: manipulation).
    3. Confirm article body inline links excluded from min-height rule — prose links remain natural height.

<a id="intel-002"></a>

📅 Feature 77: BOD 26-04 KEV Deadline Tracker (June 27 Operational Review)

  • GRC Function ID: INTEL-002
  • Exact Screen Coordinates: IronBoard Strategic Intel RAG chunks — no dedicated countdown UI chip on Ironframe port 3000.
  • Operational Purpose: Tracks live CISA KEV remediation deadlines under BOD 26-04 four-variable risk matrix for operational date 2026-06-27 — post-deadline breach-assumption review across eight or more elapsed tier-1 windows. Federal contractor 24-hour KEV triage SLA guidance effective June 24, 2026, three calendar days into enforcement on operational date 2026-06-27.
  • Technical Mechanics: Manifest chunks in grcProfessionalResearch.manifest.json (ironintel-osint-2026-06-26-live):
    • CVE-2026-42271 (BerriAI LiteLLM, CVSS 8.8) — KEV June 8; BOD 26-04 deadline June 22, 2026 (elapsed five days on June 27 — post-deadline forensic triage mandatory; chain with Starlette CVE-2026-48710 for unauthenticated RCE)
    • CVE-2026-20253 (Splunk Enterprise PostgreSQL sidecar, CVSS 9.8) — KEV June 18; deadline June 21, 2026 (day seven post-deadline forensic triage on June 27)
    • CVE-2026-48907 (Joomla JCE, CVSS 9.8) — KEV June 16; deadline June 18, 2026 (elapsed nine days on June 27)
    • CVE-2026-54420 (LiteSpeed cPanel symlink escalation) — KEV June 15; deadline June 19, 2026 (elapsed eight days on June 27)
    • CVE-2026-35273 (Oracle PeopleSoft, CVSS 9.8) — KEV June 12; deadline elapsed
    • CVE-2026-50751 (Check Point VPN IKEv1, CVSS 9.3) — KEV June 8; deadline elapsed
    • CVE-2026-10520 (Ivanti Sentry, CVSS 10.0) — KEV June 11; BOD 26-04 three-day window closed June 14, 2026
    • FortiBleed (June 13–23, 2026) — 73932 to 86644 verified Fortinet credentials across 194 countries; perimeter-wide credential rotation mandate
    • Chunk osint-01-bod-2604 — four-variable matrix: asset exposure, KEV status, exploit automation, technical impact → 3-, 14-, or 60-day tiers; federal contractor 24-hour KEV triage SLA effective June 24, 2026; agency policy update August 7, 2026; full compliance December 7, 2026
    • Chunk osint-11-fedramp-vdr — FedRAMP VDR/VER rules mandatory December 7, 2026 aligned with BOD 26-04 timelines
  • Financial boundary note: Industry profile peerAleBaselineCents in manifest are sector peer ALE anchors (Finance 1800000000, Defense 2500000000, etc.) — distinct from Ironframe seed tenant baselines (Medshield 1110000000, etc.) — all BigInt integer cents, never floats. Manifest riskMetricsCents.medianAuditRemediationLagCents = 890000000 cents.
  • Agent Boundary: Ironintel (Agent 16) policy monitor; Ironwatch (Agent 13) KEV deadline correlation; Irontech (Agent 04) repair priority when component healthBarPercent below 50 on affected perimeter controls.
  • Step-by-Step Lab Validation:
    1. Ingest ironintel-osint-2026-06-26-live manifest — verify LiteLLM, Splunk, Joomla, LiteSpeed, FortiBleed, and BOD 26-04 chunks present.
    2. Ask boardroom "What KEV deadlines have elapsed?" — verify LiteLLM June 22 five-day elapsed, Splunk day-seven, Joomla nine-day, and LiteSpeed eight-day elapsed citations with BOD 26-04 breach-assumption language on operational date June 27.
    3. Confirm board copy cites formatted exposure strings — not raw 890000000 cent literals from manifest risk metrics.

<a id="trainer-001"></a>

🎓 Feature 78: Isolated Trainer Agent Console (board-trainer)

  • GRC Function ID: TRAINER-001
  • Exact Screen Coordinates: No dedicated marketing UI — authenticated operators invoke via API; training output surfaces at /docs under user-manuals/ and training/level-1/.
  • Operational Purpose: Provides tenant-scoped pedagogical synthesis isolated from live IronBoard boardroom chat — grounds exclusively on app_documents rows where readingLevel is LEVEL_1 or TRAINING and slug starts with training/ or user-manuals/.
  • Technical Mechanics:
    • app/api/agents/trainer/route.ts: POST with { topic, message? }; assertIronguardApiTenantOr403 tenant guard
    • app/lib/server/trainerAgentConsoleCore.ts: synthesizeTrainerSession, loadTrainerGroundingContext, buildTrainerCorpusWhere
    • TRAINER_UNGROUNDED_RESPONSE when topic absent from corpus
    • Gemini temperature: 0.0, topP: 0, maxOutputTokens: 2048
    • Session audit via agentLog with TRAINER_SESSION tag and SHA-256 output hash
    • Excluded from BOARDROOM_QUERY_ROSTER; redirect map board-trainer → /api/agents/trainer
  • Agent Boundary: board-trainer persona; Ironguard (Agent 12) tenant perimeter; Ironscribe (Agent 05) Level 1 citation lineage.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/trainerAgentConsoleCore.test.ts — corpus filter and grounding paths pass.
    2. Run Ironboard/tests/boardroomDocAuthorIsolation.test.ts — trainer excluded from query roster.
    3. POST with valid tenant session and topic dashboard guide — verify { sessionId, lesson, sourceSlugs }.
    4. POST without GOOGLE_API_KEY — verify HTTP 503 Writer engine offline equivalent for trainer.

<a id="writer-001"></a>

✍️ Feature 79: Isolated Writer Agent Console (board-writer)

  • GRC Function ID: WRITER-001
  • Exact Screen Coordinates: No dedicated marketing UI — practitioner sessions via API; technical output surfaces at /docs under technical/ and training/level-2/.
  • Operational Purpose: Provides tenant-scoped Level 2 technical documentation synthesis isolated from live boardroom chat — grounds on LEVEL_2 and TRAINING reading levels with slug prefix technical/ or training/level-2/ only.
  • Technical Mechanics:
    • app/api/agents/writer/route.ts: POST with { topic, message? }; assertIronguardApiTenantOr403
    • app/lib/server/writerAgentConsoleCore.ts: synthesizeWriterSession, loadWriterGroundingContext, buildWriterCorpusWhere
    • WRITER_UNGROUNDED_RESPONSE when topic absent from technical corpus
    • Financial baselines quoted as whole-integer cent digit strings only in practitioner briefs
    • Gemini temperature: 0.0, topP: 0, maxOutputTokens: 2048
    • Session audit via agentLog with WRITER_SESSION tag
    • Excluded from BOARDROOM_QUERY_ROSTER; redirect map board-writer → /api/agents/writer
  • Agent Boundary: board-writer persona; Ironguard (Agent 12); Ironscribe (Agent 05) Level 2 practitioner specs.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/writerAgentConsoleCore.test.ts — corpus filter excludes user-manuals/.
    2. POST topic bigint financial integrity — verify brief cites cent strings not floats.
    3. POST topic nonexistent-api-endpoint-xyz — verify WRITER_UNGROUNDED_RESPONSE text.
    4. Confirm Writer cannot be invoked via POST /api/query on port 8082.

<a id="docs-005"></a>

🔒 Feature 80: Boardroom Documentation Author Isolation Registry

  • GRC Function ID: DOCS-005
  • Exact Screen Coordinates: No UI — enforced in IronBoard staticContext.ts and boardroom query routing.
  • Operational Purpose: Prevents board-trainer and board-writer from participating in live executive boardroom SSE chat while retaining their roles in the offline documentation pipeline graph after legal clearance.
  • Technical Mechanics:
    • BOARDROOM_ISOLATED_AGENT_IDS = board-trainer, board-writer
    • BOARDROOM_QUERY_ROSTER = AGENTIC_BOARD_ROSTER.filter excluding isolated IDs (length = roster − 2)
    • BOARDROOM_ISOLATED_AGENT_REDIRECTS maps personas to Ironframe :3000 agent routes
    • DOCUMENTATION_CORPUS_BINDING block injected into buildStaticContextBundle()
    • Ironboard/tests/boardroomDocAuthorIsolation.test.ts — constitutional isolation receipts
  • Agent Boundary: Ironlogic (Agent 9) routing; Ironcore (Agent 1) orchestration shell.
  • Step-by-Step Lab Validation:
    1. Run Ironboard/tests/boardroomDocAuthorIsolation.test.ts — all three assertions pass.
    2. Attempt boardroom query targeting board-writer persona — verify redirect guidance to /api/agents/writer.
    3. Run documentation pipeline graph — verify Trainer and Writer nodes still execute post-legal clearance.

<a id="docs-006"></a>

🛡️ Feature 81: Content Firewall Governance Briefing Path Guard

  • GRC Function ID: DOCS-006
  • Exact Screen Coordinates: No UI — server-side throw in Ironboard/src/io/safeDocsWriter.ts.
  • Operational Purpose: Blocks Trainer and Writer from writing into briefing-queue/ or published-briefings/ — governance briefings must use human promotion workflow to /governance-frame, not automated APP_DOCS pipeline.
  • Technical Mechanics:
    • FORBIDDEN_BRIEFING_PREFIXES = briefing-queue/, published-briefings/
    • assertAppDocsPlacementPath invoked before resolveDocsPath
    • ALLOWED_HUB_PREFIXES expanded to include user-manuals/
    • Ironboard/tests/agentValidation.test.ts — rejects published-briefings/test-brief.md for WRITER role
  • Agent Boundary: Irongate (Agent 14) plane isolation; Ironscribe (Agent 05) corpus placement.
  • Step-by-Step Lab Validation:
    1. Run Ironboard/tests/agentValidation.test.ts — governance briefing rejection test passes.
    2. Attempt writeHubAssetSafely("briefing-queue/draft.md", ...) — verify ContentFirewallRejectedError.
    3. Confirm publishTrainerCorpus targets only APP_DOCS plane prefixes.
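A standalone version of the DOCS-006 placement guard, added here as an example and not the project's own safeDocsWriter.ts code. FORBIDDEN_BRIEFING_PREFIXES and the user-manuals/ entry come from the glossary; the other ALLOWED_HUB_PREFIXES entries, the error class shape and the traversal and absolute-path normalisation are assumptions for this block.

```typescript
// Added example (not the project's own code): a standalone version of the
// DOCS-006 placement guard. FORBIDDEN_BRIEFING_PREFIXES and user-manuals/ come
// from the glossary; the other ALLOWED_HUB_PREFIXES entries, the error class
// shape and the traversal/absolute-path normalisation are assumptions here.

export const FORBIDDEN_BRIEFING_PREFIXES = ["briefing-queue/", "published-briefings/"] as const;
export const ALLOWED_HUB_PREFIXES = ["technical/", "training/", "user-manuals/"] as const;

export class ContentFirewallRejectedError extends Error {
  constructor(public readonly relativePath: string, reason: string) {
    super(`content firewall rejected "${relativePath}": ${reason}`);
    this.name = "ContentFirewallRejectedError";
    Object.setPrototypeOf(this, new.target.prototype); // keep instanceof reliable
  }
}

// Normalise a hub-relative path: forward slashes, no leading slash or drive letter,
// no empty / "." / ".." segments. Anything that could step outside the docs plane
// is rejected here before the prefix rules run.
export function normalizeHubRelativePath(input: string): string {
  const raw = input.replace(/\\/g, "/");
  if (raw.startsWith("/") || /^[a-zA-Z]:/.test(raw)) {
    throw new ContentFirewallRejectedError(input, "absolute paths are not hub-relative");
  }
  const segments = raw.split("/");
  if (segments.some((seg) => seg === "" || seg === "." || seg === "..")) {
    throw new ContentFirewallRejectedError(input, "empty or traversal segment in path");
  }
  return segments.join("/");
}

// Fail closed: governance-briefing prefixes are rejected first, then anything
// not under an APP_DOCS hub prefix. Matching is case-insensitive so a
// capitalised variant of a forbidden prefix cannot slip through.
export function assertAppDocsPlacementPath(relativePath: string): string {
  const normalized = normalizeHubRelativePath(relativePath);
  const lower = normalized.toLowerCase();
  const forbidden = FORBIDDEN_BRIEFING_PREFIXES.find((p) => lower.startsWith(p));
  if (forbidden) {
    throw new ContentFirewallRejectedError(
      relativePath,
      `${forbidden} belongs to the GOVERNANCE_BRIEFINGS plane (human promotion only)`,
    );
  }
  if (!ALLOWED_HUB_PREFIXES.some((p) => lower.startsWith(p))) {
    throw new ContentFirewallRejectedError(relativePath, "path is outside the APP_DOCS hub prefixes");
  }
  return normalized;
}

// Convenience predicate for tests and pre-flight checks; unexpected errors still propagate.
export function isPlacementAllowed(relativePath: string): boolean {
  try {
    assertAppDocsPlacementPath(relativePath);
    return true;
  } catch (err) {
    if (err instanceof ContentFirewallRejectedError) return false;
    throw err;
  }
}
```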

<a id="support-002"></a>

📧 Feature 82: IronBoard Customer Service Email Draft Worker

  • GRC Function ID: SUPPORT-002
  • Exact Screen Coordinates: No Ironframe UI — IronBoard package Ironboard/src/agents/customerService/index.ts invoked from Resend email ingress.
  • Operational Purpose: Drafts support email replies from LEVEL_1 documentation and CRM interaction history — stores [PENDING DRAFT APPROVAL] in ironboardCrmInteraction with channel: "EMAIL" for HITL dispatch; never auto-sends outbound mail.
  • Technical Mechanics:
    • loadLevelOneKnowledgeContext — max 12 docs, 6000 chars each
    • loadContactHistoryContext — last 3 interactions by occurredAt desc
    • runCustomerServiceAgent(tenantId, contactId, message) — Gemini at DETERMINISTIC_GENERATION_PARAMS
    • logInteraction with consolidated summary including Resend emailId
    • Ironboard/src/api/ingress/email.ts — ingress wiring
    • Ironboard/src/agents/customerService/index.test.ts — unit coverage
  • Agent Boundary: Ironlogic (Agent 9) synthesis; Ironguard (Agent 12) tenant scope on CRM writes; dispatch via HITL-001.
  • Step-by-Step Lab Validation:
    1. Run Ironboard/src/agents/customerService/index.test.ts — draft generation paths pass.
    2. Ingest test Resend payload — verify interaction summary contains [PENDING DRAFT APPROVAL].
    3. Confirm no outbound sendOutboundEmail without GLOBAL_ADMIN DISPATCH action.

<a id="intel-003"></a>

🌉 Feature 83: Industry Scout Prospect Bridge

  • GRC Function ID: INTEL-003
  • Exact Screen Coordinates: No UI — POST /api/internal/cron/industry-scout artifact payload.
  • Operational Purpose: Bridges Industry Scout OSINT crawl output into CRM prospect rows after Irongate sanitization — extends cron artifact with prospectBridge telemetry for board flywheel authenticity backfill.
  • Technical Mechanics:
    • runIndustryScoutProspectBridge({ tenantId }) invoked after runIndustryScoutWorker
    • Cron artifact payloadJson includes prospectBridge alongside scout and drive
    • Bearer IRONFRAME_CRON_SECRET middleware passthrough on cloud quarantine hosts
  • Agent Boundary: Ironintel (Agent 16) discovery; Irongate (Agent 14) sanitization before CRM persistence.
  • Step-by-Step Lab Validation:
    1. POST cron with valid Bearer — verify response JSON includes prospectBridge object.
    2. Run tests/unit/industryScoutProspectBridge.test.ts — bridge merge paths pass.
    3. Confirm synthetic scaffolding purged by MARKET-004 gate before board synthesis.

<a id="export-002"></a>

📤 Feature 84: Ironquery Export Feature Entitlement Gate

  • GRC Function ID: EXPORT-002
  • Exact Screen Coordinates: GET and POST /api/ironquery/export (API); /dashboard/exports renders ExportScopeRequiredPanel when entitlement absent; authenticated Command Post (DashboardHomeClient) mounts ExportScopeRequiredBanner when exportScope=required query param present.
  • Operational Purpose: Requires tenant feature flag IRONQUERY_EXPORT before evidence artifact export — fail-closed 403 with TenantFeatureAccessDenied when entitlement absent; surfaces in-page guidance instead of silent redirect when operator navigates export path directly.
  • Technical Mechanics:
    • assertTenantFeatureEntitled(tenantId, "IRONQUERY_EXPORT") on GET and POST handlers
    • getIronqueryExportDashboardContext in ironqueryExportActions.ts — returns { ok: false, error } when scope missing; page renders panel inline
    • app/dashboard/exports/page.tsx — replaced redirect("/?exportScope=required") with <ExportScopeRequiredPanel message={context.error} />
    • DashboardHomeClient.tsx: <ExportScopeRequiredBanner /> for query-param surfaced scope requirement on Command Post
    • Listed in IRONGATE_DMZ_MARKERS for gateway shield architecture test
    • Token-gated path bypasses deployment quarantine middleware
  • Agent Boundary: Ironquery (Agent 15) export signer; Ironguard (Agent 12) entitlement enforcement.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/tenantFeatureEntitlement.test.ts — IRONQUERY_EXPORT gate passes.
    2. Request export without entitlement — verify HTTP 403.
    3. Navigate /dashboard/exports without entitlement — verify ExportScopeRequiredPanel renders in-page (no redirect loop).
    4. Run tests/architecture/gatewayShield.test.ts — route retains DMZ marker.

<a id="support-003"></a>

💬 Feature 85: Authenticated Support Console Tripane UI

  • GRC Function ID: SUPPORT-003
  • Exact Screen Coordinates: /dashboard/support — full-height chat column inside dashboard chrome; cyan/indigo dark cockpit tokens (bg-[#020617], border-cyan-500/20).
  • Operational Purpose: Gives authenticated tenant operators a WCAG-compliant support chat surface that POSTs to /api/agents/customer-service via tenantFetch — displays SYSTEM_AGENT and USER channel messages with 44px minimum send control (h-11).
  • Technical Mechanics:
    • app/(dashboard)/dashboard/support/page.tsx — client component with useTenantContext
    • Initial SYSTEM_AGENT greeting references Level 1 compliance manuals
    • Error path: "Core connection boundary disrupted" on fetch failure
    • Queued acknowledgment displayed when API returns { reply } or { error }
  • Agent Boundary: Ironguard (Agent 12) tenantFetch injection; links to SUPPORT-001 API.
  • Step-by-Step Lab Validation:
    1. Sign in as scoped tenant operator — navigate /dashboard/support — verify chat renders.
    2. Send test message — verify QUEUED or acknowledgment response in thread.
    3. Inspect send button computed height ≥ 44px on coarse pointer viewport.

<a id="onboard-001"></a>

🎓 Feature 86: Design-Partner Get Started Onboarding Portal

  • GRC Function ID: ONBOARD-001
  • Exact Screen Coordinates: /get-started — three-column grid inside dashboard chrome: left guided step panel (Level 1 screenshot + step narration controls), center interactive checklist (click-to-focus rows with indigo ring on active step), right Trainer sandbox (TrainerAgentSessionForm); TopNav link with data-testid="topnav-get-started-link"; fixed bottom inline doc reader drawer when docs step opens.
  • Operational Purpose: Gives authenticated design-partner operators a progressive five-step initialization hub — Command Post orientation, Integrity Hub ALE review, Level 1 curriculum index, isolated Trainer sandbox question, and audit export path — without requiring GLOBAL_ADMIN provisioning access. Copy explicitly scopes invite and credential steps to workspace email (post-activation only). Progress persists client-side and emits immutable TRAINING_ONBOARDING audit receipts to agent_logs for compliance traceability.
  • Technical Mechanics:
    • app/lib/getStartedSteps.ts — canonical step registry:
      1. quickstart → /docs/user-manuals/quickstart — title Command Post orientation; hash anchor #orientation via GET_STARTED_ORIENTATION_HASH
      2. integrity-hub → /integrity (ALE baselines displayed as formatted USD; stored as BigInt integer cents)
      3. level1-index → /docs/training/LEVEL1-STUDENT-INDEX
      4. trainer-session → /get-started#trainer-sandbox (completed via successful POST /api/agents/trainer through TrainerAgentSessionForm)
      5. export-path → /dashboard/exports
    • app/lib/getStartedStepVisuals.ts — per-step screenshotSrc, screenshotAlt, and actionCue bound to Level 1 training corpus PNG assets
    • app/lib/getStartedStepAudio.ts: getStartedStepAudioSrc(stepId) resolves /docs/training/assets/get-started-orientation/steps/{stepId}.mp3
    • GetStartedPortalClient.tsx — localStorage keys ironframe-get-started-v1 (progress map), ironframe-get-started-dismissed (banner suppression), ironframe-get-started-step-audio-autoplay (default on); percent-complete bar; 44px minimum controls (h-11); OperatorActivationBanner for activation-state guidance; guidedStepId focus state with checklist row keyboard activation (Enter/Space)
    • Guided step panel: left aside shows current step index, corpus screenshot, Play step narration / Auto-play On|Off toggles, hidden <audio> element with onEnded/onPlay state sync
    • Inline documentation reader drawer: docs checklist steps call openInlineGuide(href, stepId) — sets useGetStartedReaderStore href, updates URL hash to #orientation, fetches GET /api/docs/reader?slug= via tenantFetch, renders DocsMarkdown with inlineDocPathResolver (in-portal /get-started links resolve to #orientation); quickstart opens GetStartedOrientationFallback companion mode; fixed bottom overlay (z-[25]) with simulation-aware top offset classes; Escape closes drawer and restores body scroll
    • Orientation walkthrough popout: optional NEXT_PUBLIC_GET_STARTED_VIDEO_URL — audio URLs (.mp3, .m4a, .wav, .ogg) invoke openOrientationWalkthroughWindow() for separate-window crossfade walkthrough; video URLs open full-screen orientation window; pauses inline step audio before popout
    • TrainerAgentSessionForm — shared component posting to POST /api/agents/trainer; onLessonReceived callback marks trainer-session complete; also mounted globally in Feature 87 drawer
    • Footer deep-links: /docs/user-manuals/dashboard-guide, /docs/user-manuals/glossary, /docs/end-users/onboarding
    • POST /api/get-started/progress: assertIronguardApiTenantOr403 fail-closed 403; body { stepId, completed, allComplete }; returns { status: "LOGGED" }; uses keepalive: true for unload-safe persistence; benign abort errors swallowed via isBenignRuntimeEmissionError
    • getStartedOnboardingCore.ts: logGetStartedProgress writes agentLog.message JSON with tag TRAINING_ONBOARDING, SHA-256 outputHash (16 hex chars), ISO occurredAt
    • AppShell.tsx: useIronwatchTelemetryFeed(false) when pathname is /get-started (onboarding portal isolation from live Ironwatch poll noise)
    • DashboardBillingGate.tsx: /get-started added to BILLING_EXEMPT_PREFIXES alongside /admin/onboarding and /account/billing-hold
    • grcRouteMatch.ts: /get-started registered in isDashboardRouteGroupPath and isScrollableStandalonePath for standalone scroll behavior
  • Agent Boundary: Ironguard (Agent 12) tenant-scoped tenantFetch and API guard; Ironscribe (Agent 05) Trainer corpus grounding via isolated Trainer console (DOCS-005); Ironwatch (Agent 13) audit log persistence on step completion — telemetry feed intentionally suppressed on this route during onboarding.
  • Step-by-Step Lab Validation:
    1. Sign in as scoped tenant operator — navigate /get-started — verify five checklist rows render with progress bar at 0%, guided step panel shows step 1 screenshot, and OperatorActivationBanner visible when applicable.
    2. Click checklist row — verify indigo focus ring moves and guided panel updates screenshot and narration target.
    3. Click Open orientation guide on quickstart step — verify bottom drawer opens with GetStartedOrientationFallback companion or /api/docs/reader content without navigation away from checklist.
    4. Press Escape — verify drawer closes and checklist remains scrollable.
    5. Toggle Auto-play Off — verify step narration does not auto-start on step focus change.
    6. Mark quickstart complete — verify localStorage updates and POST /api/get-started/progress returns { status: "LOGGED" }.
    7. Submit Trainer sandbox question via TrainerAgentSessionForm — verify POST /api/agents/trainer returns { lesson } and trainer-session step auto-completes.
    8. POST progress without tenant session — verify HTTP 403 from Ironguard guard.
    9. With tenant billing PAST_DUE, navigate /get-started — verify billing hold overlay does not block (exempt prefix).
    10. Confirm Ironwatch poll does not fire on /get-started (network tab — no resilience intel requests during onboarding session).
    11. Run tests/unit/getStartedOnboarding.test.ts — guard failure, missing stepId, and TRAINING_ONBOARDING persistence paths pass.
    12. Run tests/e2e/docs-public.spec.ts — public docs reader narrow funnel remains reachable on cloud hosts.

<a id="trainer-002"></a>

🎓 Feature 87: Global Trainer Agent Drawer (Ask Trainer)

  • GRC Function ID: TRAINER-002
  • Exact Screen Coordinates: Slide-over panel from right edge on any authenticated workspace route — opened via Header #1 Ask Trainer control; portal id trainer-agent-drawer; width min(100vw, 420px); backdrop bg-black/45.
  • Operational Purpose: Gives operators corpus-locked Level 1 Trainer access from any tripane workspace surface without navigating to /get-started — same isolated synthesis path as ONBOARD-001 sandbox but globally available during live operations.
  • Technical Mechanics:
    • app/components/trainer/TrainerAgentDrawer.tsx — React portal with createPortal; useTrainerAgentDrawerStore open/close state; simulation-aware top offset (LAYOUT_AGENT_INSPECT_DRAWER_TOP_CLASS vs _SIM_CLASS); slide-in animation via translate-x transition; Escape and backdrop click dismiss; body scroll lock while open
    • app/components/trainer/TrainerAgentSessionForm.tsx — shared form component with preset prompts; posts to POST /api/agents/trainer via tenantFetch
    • AppShell.tsx — mounts <TrainerAgentDrawer /> on both standalone scroll and tripane layout branches alongside AgentInspectShell
    • Cross-link in Get Started portal: "Also available from Ask Trainer in Header #1 on any workspace route"
  • Agent Boundary: board-trainer persona via TRAINER-001 console; Ironguard (Agent 12) tenant-scoped fetch; excluded from IronBoard live boardroom roster per DOCS-005.
  • Step-by-Step Lab Validation:
    1. From /integrity, open Header #1 Ask Trainer — verify drawer slides in from right with backdrop.
    2. Submit training topic — verify { lesson, sourceSlugs } response renders in drawer.
    3. Press Escape — verify drawer closes and tripane scroll restores.
    4. Confirm drawer top offset adjusts when simulation mode banner active (demo sandbox + simulation mode → top-[13.5rem]).

<a id="board-012"></a>

🧠 Feature 88: Founding Board Agent LLM Assessment Engine

  • GRC Function ID: BOARD-012
  • Exact Screen Coordinates: No UI — LangGraph founding nodes in Ironboard/src/agents/founding.ts (CEO, CFO, Compliance, Legal).
  • Operational Purpose: Replaces static template assessment log strings with deterministic Gemini synthesis for founding board personas while preserving BigInt cent validation gates on every financial turn.
  • Technical Mechanics:
    • Ironboard/src/agents/boardAgentLlm.ts exports generateBoardAgentAssessment({ model, roleLabel, stateSummary }) — temperature 0.0 via instantiateBoardAgentModel
    • formatBoardStateSummary in founding.ts anchors financialProjectionsCents as whole-integer cent string in state summary passed to LLM
    • assertWholeIntegerCents in agentCFO and agentCompliance before assessment — rejects non-integer cent strings
    • CFO focus string cites constitutional baselines: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000 cents
    • Ironboard/src/lib/geminiRetry.ts exports withGeminiRateLimitRetry — wraps market intelligence outreach and other Gemini calls with rate-limit backoff (label: 'market-intelligence-outreach')
    • Ironboard/src/services/marketIntelligence.ts generateGroundedPitch uses withGeminiRateLimitRetry and regulatoryCatalystLookup.findLatestRegulatoryCatalystForDomain for catalyst-aware value propositions
  • Agent Boundary: Ironlogic (Agent 9) founding synthesis; Irontrust (Agent 3) BigInt cent assertion; Ironintel (Agent 16) regulatory catalyst hooks in grounded pitch path.
  • Step-by-Step Lab Validation:
    1. Run IronBoard documentation pipeline — verify CEO/CFO/Compliance/Legal nodes emit non-empty executiveSummaryLog entries from LLM assessment.
    2. Inject invalid financialProjectionsCents float string — verify assertWholeIntegerCents throws before CFO synthesis.
    3. Run Ironboard/src/lib/geminiRetry.test.ts — rate-limit retry paths pass.
    4. Run Ironboard/tests/agentValidation.test.ts — founding agent validation suite passes with new assessment path.
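The whole-integer cent gate that BOARD-012 describes, together with the display-only cent-to-USD conversion that Feature 77's financial boundary note requires of board copy, written here as an added example rather than the project's own boardAgentLlm.ts or founding.ts code. The validation regex, the error messages, the accounting-style negative format and the formatBoardStateSummary field layout are assumptions for this block.

```typescript
// Added example (not the project's own code): the whole-integer cent guard that
// BOARD-012 describes (assertWholeIntegerCents) alongside a BigInt-only USD
// formatter for board copy, so manifest values such as 890000000 never surface
// as raw cent literals or pass through a float. Regex, error text, the
// accounting-style negative format and the summary layout are assumptions.

// Digit-string form only: no decimals, exponents, spaces or leading zeros.
const WHOLE_INTEGER_CENTS = /^-?(0|[1-9]\d*)$/;

export function assertWholeIntegerCents(value: unknown, label = "cents"): bigint {
  if (typeof value === "bigint") return value;
  if (typeof value === "number") {
    // A JS number has already been through IEEE-754; refuse it even if it looks integral.
    throw new TypeError(`${label} must be a whole-integer cent string, not a float/number`);
  }
  if (typeof value !== "string" || !WHOLE_INTEGER_CENTS.test(value)) {
    throw new TypeError(`${label} must be a whole-integer cent string, got ${JSON.stringify(value)}`);
  }
  return BigInt(value);
}

export function isWholeIntegerCents(value: unknown): boolean {
  try {
    assertWholeIntegerCents(value);
    return true;
  } catch {
    return false;
  }
}

// Display-only conversion: integer division and remainder on bigint, so values
// beyond Number.MAX_SAFE_INTEGER still format exactly. Negatives use parentheses.
export function formatCentsToAccountingUSD(cents: bigint): string {
  const negative = cents < 0n;
  const abs = negative ? -cents : cents;
  const dollars = (abs / 100n).toString().replace(/\B(?=(\d{3})+(?!\d))/g, ",");
  const body = `$${dollars}.${(abs % 100n).toString().padStart(2, "0")}`;
  return negative ? `(${body})` : body;
}

// Validate a raw manifest cent string and return the line the board copy should cite.
export function formatExposureLine(label: string, rawCents: string): string {
  return `${label}: ${formatCentsToAccountingUSD(assertWholeIntegerCents(rawCents, label))}`;
}

// Constructed stand-in for formatBoardStateSummary: every financial field is
// asserted before it is interpolated into the prompt state summary.
export function formatBoardStateSummary(fields: Record<string, string>): string {
  return Object.entries(fields)
    .map(([key, raw]) => `${key}=${assertWholeIntegerCents(raw, key).toString()} cents`)
    .join("; ");
}
```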

<a id="market-004"></a>

🔬 Feature 89: Flywheel Target Region Resolver & Market Authenticity Gate

  • GRC Function ID: MARKET-004
  • Exact Screen Coordinates: No UI — consumed by buildFlywheelWorkspaceContext, fetchProspectingBatchForTargets, and boardroom prefetch.
  • Operational Purpose: Normalizes active hub country lists, purges synthetic {Region} Ledger/Vault scaffolding before board synthesis, and runs live web discovery only when authentic prospect count falls below threshold — preventing GTM hallucination in executive board packets.
  • Technical Mechanics:
    • Ironboard/src/lib/flywheelTargetCountries.ts exports resolveFlywheelTargetRegions(activeHub) — parses hub input or falls back to readDefaultTargetCountriesText()
    • Ironboard/src/services/marketProspectAuthenticity.ts: verifyAndOptimizeMarketData, assessRegionProspectAuthenticity, isSyntheticExpansionTemplateProspect, formatProspectLineage
    • buildFlywheelWorkspaceContext invokes verifyAndOptimizeMarketData per region before batch assembly; flywheel context includes Market authenticity audit: {region}: authentic=N synthetic=N polluted=bool
    • fetchProspectingBatchForTargets — London/Singapore curated seeds only when qualified authentic rows absent; expansion regions rely on live web discovery via discoverRegionalProspects.ts
    • generateGroundedPitch value proposition uses catalyst string when Industry Scout catalyst found: {authority} catalyst · {matchedFramework} · BigInt Integrity
  • Agent Boundary: Irongate (Agent 14) external intel sanitization; Ironintel (Agent 16) catalyst lookup; Ironquery (Agent 15) workspace tool receipts.
  • Step-by-Step Lab Validation:
    1. Run tests/unit/marketProspectAuthenticity.test.ts — synthetic detection and purge paths pass.
    2. Run tests/unit/discoverRegionalProspects.test.ts — regional discovery engine paths pass.
    3. Run Ironboard/src/services/marketIntelligence.test.ts — expansion batch does not auto-seed synthetic templates.
    4. Submit boardroom GTM query — verify flywheel context includes authenticity summary and SYNTHETIC_SCAFFOLDING warning mandate.
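An added example covering both Feature 75 and Feature 89 (not the project's marketProspectAuthenticity.ts): the synthetic "{Region} Ledger" / "{Region} Vault" detector, the region authenticity assessment, and the purge-then-backfill decision the gate makes before a board batch is assembled. The function names follow the glossary; the Prospect fields, the default threshold, the two-of-three match rule, the injected discovery callback and every sample row are assumptions constructed for this block.

```typescript
// Added example (not the project's own code): the MARKET-004 synthetic-row
// detector, region authenticity assessment and purge-then-backfill decision.
// Function names follow the glossary; fields, threshold, match rule and rows are assumptions.

export interface Prospect {
  companyName: string;
  domain: string;
  employeeCount: number;
  source: "web" | "seed"; // assumed: how the row entered the prospect pool
}

export type ProspectLineage = "LIVE_WEB_GROUNDING" | "SYNTHETIC_SCAFFOLDING" | "CURATED_DEMO_SEED";

export type RegionAuthenticity = {
  authenticCount: number; syntheticCount: number; polluted: boolean; meetsAuthenticThreshold: boolean;
};

// Template shapes named in the glossary: "{Region} Ledger" (24 staff, -ledger.io)
// and "{Region} Vault" (18 staff, -vault.finance).
const TEMPLATE_SHAPES = [
  { nameSuffix: " ledger", domainSuffix: "-ledger.io", employeeCount: 24 },
  { nameSuffix: " vault", domainSuffix: "-vault.finance", employeeCount: 18 },
] as const;

export function isSyntheticExpansionTemplateProspect(
  p: Pick<Prospect, "companyName" | "domain" | "employeeCount">,
): boolean {
  const name = p.companyName.trim().toLowerCase();
  const domain = p.domain.trim().toLowerCase();
  return TEMPLATE_SHAPES.some((shape) => {
    const signals = [
      name.endsWith(shape.nameSuffix),
      domain.endsWith(shape.domainSuffix),
      p.employeeCount === shape.employeeCount,
    ];
    // Two of three signals is a hit, so a retitled scaffold row that still
    // carries the template domain and head-count is caught as well.
    return signals.filter(Boolean).length >= 2;
  });
}

export function formatProspectLineage(p: Prospect): ProspectLineage {
  if (isSyntheticExpansionTemplateProspect(p)) return "SYNTHETIC_SCAFFOLDING";
  return p.source === "seed" ? "CURATED_DEMO_SEED" : "LIVE_WEB_GROUNDING";
}

export function assessRegionProspectAuthenticity(rows: Prospect[], threshold = 3): RegionAuthenticity {
  const syntheticCount = rows.filter((p) => isSyntheticExpansionTemplateProspect(p)).length;
  const authenticCount = rows.length - syntheticCount;
  return {
    authenticCount,
    syntheticCount,
    polluted: syntheticCount > 0,
    meetsAuthenticThreshold: authenticCount >= threshold,
  };
}

// Audit line in the shape the flywheel context carries (Feature 89).
export function formatAuthenticityAuditLine(region: string, a: RegionAuthenticity): string {
  return `Market authenticity audit: ${region}: authentic=${a.authenticCount} synthetic=${a.syntheticCount} polluted=${a.polluted}`;
}

export type VerifiedMarketData = { rows: Prospect[]; audit: RegionAuthenticity; discoveryTriggered: boolean };

// Purge synthetic rows, then call the injected discovery function (stand-in for
// discoverRegionalProspects) only when the authentic remainder is below threshold.
// Discovered rows are re-screened so a template row cannot re-enter through backfill.
// The audit describes the input batch, so pollution stays visible after the purge.
export function verifyAndOptimizeMarketData(
  region: string,
  rows: Prospect[],
  discover: (region: string) => Prospect[],
  threshold = 3,
): VerifiedMarketData {
  const audit = assessRegionProspectAuthenticity(rows, threshold);
  let authentic = rows.filter((p) => !isSyntheticExpansionTemplateProspect(p));
  let discoveryTriggered = false;
  if (!audit.meetsAuthenticThreshold) {
    discoveryTriggered = true;
    const found = discover(region).filter((p) => !isSyntheticExpansionTemplateProspect(p));
    authentic = authentic.concat(found);
  }
  return { rows: authentic, audit, discoveryTriggered };
}

// Constructed sample batch for Germany: two scaffold rows plus one real-looking row.
export const SAMPLE_GERMANY_BATCH: Prospect[] = [
  { companyName: "Germany Ledger", domain: "germany-ledger.io", employeeCount: 24, source: "seed" },
  { companyName: "Germany Vault", domain: "germany-vault.finance", employeeCount: 18, source: "seed" },
  { companyName: "Rheinwerk Maschinenbau GmbH", domain: "rheinwerk-maschinen.example", employeeCount: 340, source: "web" },
];
```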

🧬 Chapter 5: Nineteen-Agent Architecture Cross-Reference (Delta Verification)

Today's code delta touches the following agents. Use this matrix during audits to confirm boundary integrity for operational date 2026-06-27:

Agent # | Codename | Today's Delta Touchpoints
--- | --- | ---
1 | Ironcore | Route consolidation under app/(dashboard)/dashboard/*; /get-started design-partner hub with guided step panel, per-step audio, inline doc reader drawer, orientation popout, and global TrainerAgentDrawer; AppShellRouter; documentation execute pipeline; shared-context documentationBrief emission; /docs DB reader with .html-only legacy rewrites; grcRouteMatch scroll allowlist for admin and get-started
3 | Irontrust | BigInt cent storage unchanged; dual Stripe webhook cent parsing; threat validate ActiveRisk id extraction; corporate provision parseDollarAleToBigIntCents; admin deployment formatCentsToAccountingUSD display-only conversion; Ironbloom physical telemetry gate — no severity kWh fallback; procurement trust exhibits
4 | Irontech | triageRouter.ts / freezeEngine.ts / healthPostureMonitor.ts identity correction to Agent 04 (TAS §4.3); unifies Agents 06 (Ironlock), 04 (Irontech), 13 (Ironwatch) under PostgresSaver authority; healthBarPercent < 50 repair priority on shadow diagnostics
5 | Ironscribe | Dual-location output matrix; DOCUMENTATION_CORPUS_BINDING in staticContext.ts; Trainer/Writer placement via publishTrainerCorpus/publishWriterCorpus; Get Started Trainer sandbox and global drawer invoke isolated Trainer console on LEVEL_1 corpus; safeDocsWriter governance briefing path rejection; training screenshot corpus asset binding including supplemental export-path capture
6 | Ironlock | Narrow funnel quarantine — private workspace blocked, public funnel open on cloud; admin deployments panel infrastructure posture badges; triage freeze coordination with Irontech Agent 04
9 | Ironlogic | generateBoardAgentAssessment in boardAgentLlm.ts founding refactor; BOARD_GTM_MARKET_AUTHENTICITY_MANDATE; boardroom author isolation (BOARDROOM_ISOLATED_AGENT_IDS); sales/customer service at temperature 0.0; knowledge.ts placement draft matrix with telemetry mirror sections; withGeminiRateLimitRetry on market outreach
11 | Irontally | Board governance memo cron; documentation brief mandate consumption
12 | Ironguard | assertGlobalAdminForOnboarding; assertIronguardApiTenantOr403 on /api/get-started/progress and /api/docs/reader; prospect pool sales isolation; customer service fail-closed 403; gateway shield architecture test; Get Started billing-hold exemption; workspace invitation Resend dispatch perimeter
13 | Ironwatch | Shared-context + documentationBrief hydration; admin deployment snapshots; Get Started TRAINING_ONBOARDING agent log receipts; FortiBleed OSINT telemetry correlation; Ironwatch feed suppressed on /get-started onboarding portal
14 | Irongate | Gateway shield DMZ markers; CompilationIngressPortal guard; documentation corpus plane isolation; web discovery JSON sanitization
15 | Ironquery | stringifyWorkspaceBigIntFields; multi-region queryLocalWorkspace regions array; IRONQUERY_EXPORT feature entitlement gate on /api/ironquery/export; ExportScopeRequiredPanel and ExportScopeRequiredBanner in-page scope UX
16 | Ironintel | June 26 OSINT manifest refresh (ironintel-osint-2026-06-26-live); LiteLLM CVE-2026-42271 post-deadline triage (June 22 — five days elapsed on June 27); Splunk CVE-2026-20253 day-seven post-deadline forensic hunt; FortiBleed 73932 to 86644 verified Fortinet URLs with Huntress 84 customer-impacted IPs; BOD 26-04 federal contractor 24-hour KEV triage SLA effective June 24 (three days into enforcement on June 27); FedRAMP Notice 0014 VDR alignment December 7, 2026; CMMC Phase 2 136 days to November 10, 2026; regulatoryCatalystLookup for grounded pitches; Industry Scout cron runIndustryScoutProspectBridge
17 | Ironbloom | Physical telemetry hardening: parseThreatIngestionTelemetry, no_physical_telemetry, aggregateTenantKwhAverted, removed reference kWh fallback
18 | Ironcast | Resend email package in IronBoard services/email/ (emailConfig, emailParser, emailCrmBridge, emailSender); workspace invitation Bucket A dispatch via workspaceInviteEmailDelivery.ts

IronBoard commercial plane note: Sales agent (/api/agents/sales) and customer service agent (/api/agents/customer-service) operate on distinct tenancy boundaries — sales uses prospect pool UUID; customer service requires authenticated tenant with LEVEL_1 doc grounding. board-trainer and board-writer are isolated from live POST /api/query on port 8082; BOARDROOM_QUERY_ROSTER excludes both, and BOARDROOM_ISOLATED_AGENT_REDIRECTS maps them to POST /api/agents/trainer and POST /api/agents/writer on Ironframe port 3000. Documentation pipeline authoring still runs on IronBoard after legal clearance; published output syncs via bearer-gated POST /api/documentation/execute (upsert app_documents + mirror docs/). IronBoard runCustomerServiceAgent drafts email replies for HITL approval via Resend ingress — never auto-sends.

Documentation corpus plane note: APP_DOCS (/docs, app_documents table) and GOVERNANCE_BRIEFINGS (/governance-frame, published-briefings/) must never cross-write. board-trainer owns docs/user-manuals/ and docs/training/level-1/; board-writer owns docs/technical/ and docs/training/level-2/. Isolated live synthesis APIs on Ironframe :3000 ground on the same corpus planes — Trainer on LEVEL_1/TRAINING user-manual slugs; Writer on LEVEL_2/TRAINING technical slugs.

Agents not directly modified in today's delta remain governed by their existing TAS core directives. Absence from the diff is not absence from the workforce — verify their ACTIVE status lights in Feature 5 grid before each lab session.


🧯 Chapter 6: Self-Healing Troubleshooting & Error Diagnostic Steps

Because you are completing your GRC auditing labs independently online without an instructor, you must know how to clear security alerts yourself using our automated self-healing loops:

🚨 Alert 1: Display Elements Freeze and Read "GOVERNANCE DRIFT DETECTED"

  • The Root Cause: You accidentally violated Mandate 2 by trying to manually modify a configuration baseline or alter a data row directly on screen without an approved amendment proposal. The Ironwatch agent detected a structural hash discrepancy and locked the display to secure the system.
  • How to Resolve It Yourself:
    1. Locate the bold, amber control button labeled FREEZE COMMAND POST sitting in the top sub-header toolline and click it once.
    2. This triggers the Irontech self-healing agent to immediately freeze system states and run a deep structural integrity check against your local files.
    3. Wait exactly three seconds. The background automation will auto-wipe your unsanctioned change, reload your company's official database baseline, clear out the red alert text, and restore your interface to a safe green tracking message.
    4. If the alert persists after the automatic reload, execute prisma/scripts/constitutional_rebaseline_reset.sql and poll /api/grc/tas-integrity.

🚨 Alert 2: Primary Panels Suddenly Clear and Flash Empty Gray Boxes

  • The Root Cause: This is an intentional visual system safety state known as a Skeleton Loading Frame. It occurs when you use the top-left dropdown switcher to change corporate profiles. The platform purposefully purges short-term memory to guarantee that confidential database entries never bleed or leak across tenant boundaries.
  • How to Resolve It Yourself:
    1. Maintain system isolation; do not click any components and leave your mouse still for 1 to 2 seconds.
    2. The background security warden Ironguard will automatically complete an access handshake to verify your user badge credentials have the legal permission rights to view the new corporation's records.
    3. Once verified, the gray placeholder frames will instantly slide away, and your fresh rows of clean, verified client records will paint your screen beautifully.

🚨 Alert 3: Production Ingress Block (HTTP 403 on Private Workspace Only)

  • The Root Cause: You are hitting a private workspace path (/integrity, /dashboard/*, /cockpit, authenticated tripane /) on a cloud-hosted URL while production quarantine is active without IRONFRAME_ALLOW_PUBLIC_INGRESS=1. Today's narrow funnel allows public paths (/terms, /privacy, /marketing, /docs, /pricing, /register/*, /sales-agent-portal, /governance-frame, auth surfaces) on cloud hosts — only private workspace surfaces return 403.
  • How to Resolve It Yourself:
    1. Develop on your provisioned workspace URL or tenant workspace http://{slug}.lvh.me:3000 where quarantine is automatically whitelisted.
    2. For cloud Stripe webhook testing, POST to /api/webhooks/stripe or /api/billing/webhook — both bypass quarantine by design.
    3. For headless cron, use Bearer IRONFRAME_CRON_SECRET on /api/internal/cron/* — middleware passthrough.
    4. Set IRONFRAME_ALLOW_PUBLIC_INGRESS=1 on the preview deployment for full workspace stakeholder demos (document the temporary change in your audit log).
    5. If /docs works but /integrity returns 403 on cloud — expected narrow funnel behavior, not a regression.
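
The narrow-funnel rule set above can be checked offline with a pure decision function before you touch a deployment. The following is an added example written for this manual, not the Ironframe middleware itself: classifyIngress, the IngressRequest and IngressEnv shapes, the two assumed auth-surface paths (/login, /auth/) and the fail-closed handling of a cron call that presents no valid bearer are assumptions; the public path list, the localhost and *.lvh.me whitelist, the two Stripe webhook bypasses and the IRONFRAME_ALLOW_PUBLIC_INGRESS=1 override follow Alert 3 as written.

```typescript
// Added example, not Ironframe project code. classifyIngress and the type
// names are assumptions; the path lists follow Alert 3 (the auth surfaces
// /login and /auth/ are assumed, the page does not name them).

export type IngressVerdict = "ALLOW" | "BLOCK_403";

export interface IngressDecision {
  verdict: IngressVerdict;
  reason: string;
}

export interface IngressRequest {
  host: string;            // Host header, e.g. "medshield.lvh.me:3000" or "app.example.com"
  path: string;            // URL path without query string
  authorization?: string;  // raw Authorization header, if present
}

export interface IngressEnv {
  IRONFRAME_ALLOW_PUBLIC_INGRESS?: string;
  IRONFRAME_CRON_SECRET?: string;
}

// Public surfaces that stay reachable on cloud hosts under quarantine.
// Entries ending in "/" match as prefixes; the rest match the exact path or
// its sub-paths (so "/docs" covers "/docs/foo" but not "/docsx").
const PUBLIC_PATHS = ["/terms", "/privacy", "/marketing", "/docs", "/pricing",
  "/register/", "/sales-agent-portal", "/governance-frame", "/login", "/auth/"];

// Both Stripe webhook routes bypass quarantine by design; the Stripe signature
// check inside the route is what authenticates them, not the host rule here.
const WEBHOOK_PATHS = new Set(["/api/webhooks/stripe", "/api/billing/webhook"]);

const CRON_PREFIX = "/api/internal/cron/";

// Local and tenant dev hosts (localhost, 127.0.0.1, *.lvh.me) are whitelisted.
function isLocalWorkspaceHost(host: string): boolean {
  const name = (host.split(":")[0] ?? "").toLowerCase();
  return name === "localhost" || name === "127.0.0.1" ||
    name === "lvh.me" || name.endsWith(".lvh.me");
}

function isPublicPath(path: string): boolean {
  return PUBLIC_PATHS.some((p) =>
    p.endsWith("/") ? path.startsWith(p) : path === p || path.startsWith(p + "/"));
}

// Compare without early exit so a wrong secret does not leak its matching
// prefix through timing; production code would use crypto.timingSafeEqual.
function secretsMatch(presented: string, expected: string): boolean {
  if (presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

export function classifyIngress(req: IngressRequest, env: IngressEnv): IngressDecision {
  if (isLocalWorkspaceHost(req.host)) {
    return { verdict: "ALLOW", reason: "local or *.lvh.me workspace host is whitelisted" };
  }
  if (WEBHOOK_PATHS.has(req.path)) {
    return { verdict: "ALLOW", reason: "Stripe webhook path bypasses quarantine" };
  }
  if (req.path.startsWith(CRON_PREFIX)) {
    const header = req.authorization ?? "";
    const presented = header.startsWith("Bearer ") ? header.slice("Bearer ".length) : "";
    const expected = env.IRONFRAME_CRON_SECRET ?? "";
    if (expected !== "" && presented !== "" && secretsMatch(presented, expected)) {
      return { verdict: "ALLOW", reason: "headless cron with valid IRONFRAME_CRON_SECRET" };
    }
    // Assumption: a cron call without a valid bearer is blocked rather than
    // falling through to the public-path check.
    return { verdict: "BLOCK_403", reason: "cron path without valid bearer secret" };
  }
  if (isPublicPath(req.path)) {
    return { verdict: "ALLOW", reason: "public narrow-funnel path" };
  }
  if (env.IRONFRAME_ALLOW_PUBLIC_INGRESS === "1") {
    return { verdict: "ALLOW", reason: "IRONFRAME_ALLOW_PUBLIC_INGRESS=1 override (record it in the audit log)" };
  }
  return { verdict: "BLOCK_403", reason: "private workspace surface on a cloud host under production quarantine" };
}
```

Note the order: the host whitelist and webhook bypass are evaluated before anything else, so a misconfigured IRONFRAME_CRON_SECRET can never open the private workspace, and the env-var override only widens what the quarantine blocks, never what the route's own authentication requires.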

🚨 Alert 4: Dashboard Redirects to /unauthorized After Login

  • The Root Cause: Your Supabase user authenticated successfully but has no valid row in user_role_assignments for any tenant UUID.
  • How to Resolve It Yourself:
    1. Platform administrator runs inviteCorporateTenantUserAction with correct tenantSlug.
    2. Or insert a valid user_role_assignments row bound to Medshield 5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01, Vaultbank, Gridcore, or Defense UUID.
    3. Reload /integrity — verify ensureDashboardTenantSession writes tenant session cookie.

🚨 Alert 5: Financial Display Shows Decimal Drift

  • The Root Cause: A module converted BigInt cents to float before persistence or export — Mandate 1 violation.
  • How to Resolve It Yourself:
    1. Reject the hotfix. Identify the offending cast (Number() on aggregated cents without integer guard).
    2. Verify database column type is BIGINT for mitigated_value_cents, ale_baseline_cents, and financialRisk_cents.
    3. Re-run Irontrust unit snapshots against constitutional baselines: 1110000000, 590000000, 470000000, 1600000000 cents.
    4. Export CSV again — confirm zero decimal places in raw file cells.
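
The cast in step 1 is easy to reproduce and easy to guard against. The block below is an added example for this manual, not the Irontrust or Ironquery code: parseIntegerCents, sumCents, sumCentsUnsafe, stringifyCentFields, toCsv and csvHasNonIntegerCell are assumed names. It shows the Number() cast losing a cent above 2^53, the integer guard that rejects anything with a decimal point, a JSON replacer for BigInt fields (JSON.stringify throws on bigint by default) and the zero-decimal check from step 4 run over a constructed CSV export. The four baselines are the constitutional seeds quoted in this chapter.

```typescript
// Added example, not Ironframe project code. All function names are
// assumptions; the seed baselines are the ones quoted in this chapter.

export type CentInput = string | number | bigint;

const INTEGER_CENTS = /^-?\d+$/;

// Integer guard: accept a bigint, an integer-only digit string, or a safe
// integer number. Anything with a decimal point, exponent or fraction is
// rejected instead of being silently rounded.
export function parseIntegerCents(value: CentInput): bigint {
  if (typeof value === "bigint") return value;
  if (typeof value === "number") {
    if (!Number.isSafeInteger(value)) {
      throw new TypeError(`cents must be a safe integer, got ${value}`);
    }
    return BigInt(value);
  }
  const trimmed = value.trim();
  if (!INTEGER_CENTS.test(trimmed)) {
    throw new TypeError(`cents must be an integer digit string, got "${value}"`);
  }
  return BigInt(trimmed);
}

// The Mandate 1 violation: Number() on cents. Above 2^53 the cast itself
// loses cents (9007199254740993 becomes 9007199254740992) even before any
// division by 100 introduces binary-fraction drift.
export function sumCentsUnsafe(values: string[]): number {
  return values.reduce((acc, v) => acc + Number(v), 0);
}

// The corrected aggregation: every operand is guarded and summed as bigint.
export function sumCents(values: CentInput[]): bigint {
  return values.reduce<bigint>((acc, v) => acc + parseIntegerCents(v), BigInt(0));
}

// JSON.stringify throws on bigint; a replacer emits cents as digit strings so
// the API boundary never carries a float.
export function stringifyCentFields(payload: Record<string, unknown>): string {
  return JSON.stringify(payload, (_key, v) => (typeof v === "bigint" ? v.toString() : v));
}

export function toCsv(header: string[], rows: bigint[][]): string {
  const lines = [header.join(","), ...rows.map((r) => r.map((c) => c.toString()).join(","))];
  return lines.join("\n") + "\n";
}

// Export check from step 4: every data cell must be a bare integer. A decimal
// point (or any other non-integer content) in a data row is drift.
export function csvHasNonIntegerCell(csv: string): boolean {
  const rows = csv.split(/\r?\n/).slice(1).filter((r) => r.trim() !== "");
  return rows.some((row) => row.split(",").some((cell) => !INTEGER_CENTS.test(cell.trim())));
}

// Constructed sample: the four constitutional seed baselines in cents.
export const SEED_BASELINES_CENTS = ["1110000000", "590000000", "470000000", "1600000000"];
```

The guard deliberately refuses numbers that are not safe integers rather than flooring them: a value of 1110000000.5 is evidence that a float path already ran upstream, and hiding it would defeat the purpose of the check.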

🚨 Alert 6: Billing Suspension Overlay After Login

  • The Root Cause: Tenant tenant_billing.status is PENDING or PAST_DUE and operator is not GLOBAL_ADMIN.
  • How to Resolve It Yourself:
    1. Platform administrator sets billing status to ACTIVE via setTenantBillingStatusAction or Stripe webhook fulfillment.
    2. Or navigate to exempt path /account/billing-hold to complete payment remediation.
    3. GLOBAL_ADMIN operators bypass gate for onboarding and support — use /admin/onboarding to verify tenant state.

🚨 Alert 7: Self-Serve Registration Surfaces Removed or Redirected

  • The Root Cause: Phase 1 invite-only gate — app/(marketing)/register/setup/page.tsx deleted; /register/demo redirects to sales contact; IRONFRAME_PUBLIC_REGISTRATION_ENABLED hardcoded false.
  • How to Resolve It Yourself:
    1. Direct prospects to /register/contact for sales-assisted intake.
    2. GLOBAL_ADMIN mints invitation token — direct invitee to /register/{token}.
    3. Sales engineers POST to /api/register/sales-intake with INTERNAL_SALES_PROVISION_KEY bearer token.
    4. Do not attempt env-var override — registration gate is constitutionally hardcoded for Phase 1.

🚨 Alert 8: Password Reset Email Link Rejected by Supabase

  • The Root Cause: Supabase Authentication → URL Configuration lacks the exact callback URL built from tenant subdomain origin.
  • How to Resolve It Yourself:
    1. Read error message from requestResetPasswordAction — copy the cited redirect URL verbatim.
    2. Add URL to Supabase Redirect URLs list (include http://{slug}.lvh.me:3000/** for local tenant workspaces).
    3. Retry reset from the same host you intend users to land on after callback.

🚨 Alert 9: Demo Sandbox Blocks Production API Calls

  • The Root Cause: Demo mode is active (ironframe-demo-active=1 cookie or valid demo session in localStorage) and the client attempted a tenant-scoped /api/* fetch. applyIronguardToFetch enforces DEMO_MODE_ISOLATED isolation — production telemetry must not bleed from sandbox UI exploration.
  • How to Resolve It Yourself:
    1. Expected behavior during demo command post labs — mock UI uses seedDemoClientState() client fixtures, not live API polls.
    2. To test production API paths, call clearDemoSession() or delete ironframe-demo-active and ironframe-demo-session cookies, then sign in with a real Supabase RBAC session.
    3. Constitutional sentinel routes (/api/grc/tas-integrity, /api/grc/tas-fingerprint) remain callable during demo for marketing integrity badges — do not treat those blocks as regressions.

🚨 Alert 10: Governance Frame Shows Empty Index

  • The Root Cause: No markdown files exist in docs/published-briefings/ or draft-only files remain in docs/briefing-queue/ without promotion.
  • How to Resolve It Yourself:
    1. Copy reviewed briefing from docs/briefing-queue/ to docs/published-briefings/{slug}.md with YAML frontmatter including publishedAt.
    2. Ensure Section II impact metrics use whole-cent BigInt string literals in (¢) labeled bullets — floats are rejected by parseCentBigInt.
    3. Reload /governance-frame — verify index card grid lists briefing with chronological sort key.
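
The promotion rules in steps 1 and 2 can be expressed as a small parser that a reviewer can run on a briefing before copying it. The following is an added example for this manual, not the Governance Frame scanner or parseCentBigInt from the project: parseBriefing, parseCentBigIntStrict and the "## Section II" heading convention are assumptions, as is the exact bullet shape "- label (¢): digits". The YAML publishedAt requirement, the whole-cent BigInt literal rule and the rejection of floats follow Alert 10; the sample briefing is constructed for the example.

```typescript
// Added example, not the Governance Frame scanner. parseBriefing,
// parseCentBigIntStrict and the heading/bullet conventions are assumptions;
// the publishedAt requirement and float rejection follow Alert 10.

export interface ParsedBriefing {
  slug: string;
  publishedAt: string;                       // YYYY-MM-DD from frontmatter
  sortKey: number;                           // epoch ms for chronological index order
  impactMetricsCents: Record<string, bigint>;
}

const CENT_LITERAL = /^\d+$/;

// Only a bare digit string becomes a cent value: floats, exponents, signs
// and thousands separators all throw.
export function parseCentBigIntStrict(raw: string): bigint {
  const t = raw.trim();
  if (!CENT_LITERAL.test(t)) throw new TypeError(`not a whole-cent literal: "${raw}"`);
  return BigInt(t);
}

function parseFrontmatter(lines: string[]): { fields: Record<string, string>; bodyStart: number } {
  if (lines[0] !== "---") throw new Error("missing YAML frontmatter");
  const fields: Record<string, string> = {};
  for (let i = 1; i < lines.length; i++) {
    const line = lines[i] ?? "";
    if (line === "---") return { fields, bodyStart: i + 1 };
    const idx = line.indexOf(":");
    if (idx > 0) fields[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  throw new Error("unterminated frontmatter");
}

// Assumed bullet shape: "- <label> (¢): <digits>"
const CENT_BULLET = /^-\s+(.+?)\s*\(¢\):\s*(.+)$/;

export function parseBriefing(slug: string, markdown: string): ParsedBriefing {
  const lines = markdown.split(/\r?\n/);
  const { fields, bodyStart } = parseFrontmatter(lines);
  const publishedAt = fields["publishedAt"];
  if (!publishedAt || !/^\d{4}-\d{2}-\d{2}$/.test(publishedAt)) {
    throw new Error("frontmatter publishedAt (YYYY-MM-DD) is required for the index");
  }
  const impactMetricsCents: Record<string, bigint> = {};
  let inSectionTwo = false;
  for (const line of lines.slice(bodyStart)) {
    if (/^##\s/.test(line)) { inSectionTwo = /^##\s+Section II\b/.test(line); continue; }
    if (!inSectionTwo) continue;
    const m = CENT_BULLET.exec(line);
    if (!m) continue;
    // A float here aborts the whole promotion rather than dropping one bullet.
    impactMetricsCents[m[1] ?? ""] = parseCentBigIntStrict(m[2] ?? "");
  }
  if (Object.keys(impactMetricsCents).length === 0) {
    throw new Error("Section II has no (¢) impact metrics");
  }
  return { slug, publishedAt, sortKey: Date.parse(publishedAt), impactMetricsCents };
}

// Constructed sample briefing (not a real published file).
export const SAMPLE_BRIEFING = `---
title: Perimeter credential review
publishedAt: 2026-06-26
---
## Section I
Narrative summary.
## Section II
- Mitigated value (¢): 1110000000
- ALE baseline (¢): 590000000
## Section III
Closing.
`;
```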

🚨 Alert 11: Boardroom Query Returns HTTP 502 CORE_TELEMETRY_DISCONNECTED

  • The Root Cause: IronBoard port 8082 could not fetch live tenant telemetry from Ironframe GET /api/board/shared-context before starting LLM synthesis. Common triggers: Ironframe not running on port 3000, missing or invalid ironframe-tenant cookie scope, tenant isolation rejection (UNAUTHORIZED_ACCESS), or IRONFRAME_CORE_ORIGIN pointing at wrong host.
  • How to Resolve It Yourself:
    1. Start Ironframe dev server on your provisioned workspace URL and confirm /api/board/shared-context returns JSON when called with valid tenant session headers.
    2. Start IronBoard on your provisioned workspace URL — both engines must bind 127.0.0.1 only per today's delta.
    3. Set IRONFRAME_CORE_ORIGIN=your provisioned workspace URL in IronBoard environment if using non-default core host.
    4. Sign in to Ironframe dashboard first so ironframe-tenant cookie exists — or pass tenantId UUID in board query request body (Medshield seed: 5c420f5a-8f1f-4bbf-b42d-7f8dd4bb6a01).
    5. Read detail field in 502 JSON — timeout after 12000 ms indicates core unreachable; 401 indicates tenant isolation boundary breach.
    6. Run Ironboard/src/services/coreTelemetryBridge.test.ts to verify header forwarding logic locally.

🚨 Alert 12: Boardroom Documentation Brief Missing

  • The Root Cause: IronBoard Trainer or Writer agent attempted to author documentation without documentationBrief in shared-context payload — one-way ingress mandate violation. runExecutiveDocumentationCommand now throws when fetchIronframeDocumentationBrief fails.
  • How to Resolve It Yourself:
    1. Confirm Ironframe GET /api/board/shared-context returns documentationBrief with communicationDirection: ONE_WAY_IRONFRAME_TO_BOARD.
    2. Restart IronBoard after Ironframe core is healthy — bridge must hydrate before doc authoring phases.
    3. Run tests/unit/documentationBrief.test.ts — verify brief builder includes dual-plane matrix and telemetry mirror.

🚨 Alert 13: App Document DB Read Failure

  • The Root Cause: /docs/[slug] slug not found in app_documents table — CompilationIngressPortal shows staging state (filesystem-only fallback removed).
  • How to Resolve It Yourself:
    1. Run npx tsx scripts/seed-app-documents.ts against development database.
    2. POST to /api/documentation/execute with the internal gateway Bearer token to upsert the missing slug.
    3. Verify migration 20260618120000_init_app_documents applied: npx prisma migrate status.
    4. Run tests/unit/docsContentDecoupling.test.ts — decoupling paths pass.

🚨 Alert 14: Workspace Invitation Token Required

  • The Root Cause: Corporate tenant provision attempted without valid TenantWorkspaceInvitation token — Phase 1 invitation gate enforced in corporateTenantProvisionCore.ts.
  • How to Resolve It Yourself:
    1. GLOBAL_ADMIN runs mintWorkspaceInvitation admin action with target email and tenant slug.
    2. Direct invitee to /register/{token} before provision flow — mint panel displays secure activation URL.
    3. Verify invitation status is ACTIVE and expiresAt is in the future.
    4. After consumption, confirm status becomes CONSUMED — token cannot be reused.

🚨 Alert 15: Ironbloom Returns no_physical_telemetry

  • The Root Cause: Threat was marked RESOLVED but ThreatEvent.ingestionDetails lacks sealed physical unit payload (kWh, L, km). Severity-based synthetic kWh fallback removed in today's delta — Ironbloom (Agent 17) rejects monetary-only approximations.
  • How to Resolve It Yourself:
    1. Inspect threat row ingestionDetails JSON — verify physicalQuantity and unit fields per parseThreatIngestionTelemetry schema.
    2. Re-ingest utility telemetry through Irongate-sanitized threat ingress before marking RESOLVED.
    3. Call recordSustainabilityImpact again — verify mitigated_value_cents BIGINT persists only after valid physical trace.
    4. Run lib/sustainability/ironbloomDashboardTelemetry.test.ts — parse paths pass.

🚨 Alert 16: Boardroom Cites Synthetic Ledger/Vault Prospects

  • The Root Cause: Board persona presented {Region} Ledger or {Region} Vault template rows as real market research — BOARD_GTM_MARKET_AUTHENTICITY_MANDATE violation. verifyAndOptimizeMarketData may not have run before flywheel context assembly.
  • How to Resolve It Yourself:
    1. Click Load Prospecting Batch to trigger verifyAndOptimizeMarketData with operatorTriggered: true.
    2. Verify marketProspectAuthenticity purged synthetic rows — authenticity summary shows polluted=false.
    3. Re-ask boardroom query — verify prospects labeled LIVE_WEB_GROUNDING or CURATED_DEMO_SEED (London/Singapore only).
    4. Run tests/unit/marketProspectAuthenticity.test.ts — synthetic detection passes.

🚨 Alert 17: Post-Deadline KEV Triage Cluster (June 27 Operational Review)

  • The Root Cause: CISA BOD 26-04 tier-1 remediation windows have elapsed across multiple active vectors on operational date 2026-06-27. CVE-2026-42271 (BerriAI LiteLLM command injection) deadline June 22, 2026 is five calendar days past. CVE-2026-20253 (Splunk Enterprise PostgreSQL sidecar RCE) deadline June 21, 2026 enters day seven post-deadline forensic triage. CVE-2026-48907 (Joomla JCE) deadline June 18, 2026 is nine calendar days past. CVE-2026-54420 (LiteSpeed cPanel symlink escalation) deadline June 19, 2026 is eight calendar days past. Federal contractor 24-hour KEV triage SLA guidance effective June 24, 2026 is three calendar days into enforcement on 2026-06-27 — board packets must elevate to CRITICAL continuous-audit posture.
  • How to Resolve It Yourself:
    1. Ingest Strategic Intel manifest ironintel-osint-2026-06-26-live — confirm chunks osint-03-joomla-litespeed, osint-04-splunk-rce, and osint-10-litellm-post-deadline in CRM.
    2. For LiteLLM deployments: patch to 1.83.7+, Starlette 1.0.1+, rotate all provider API keys, execute assume-breach hunt on AI gateway stacks.
    3. For Splunk SOC stacks: patch to 10.2.4+ or 10.0.7+ or disable postgres sidecar; run day-seven forensic triage before declaring clean.
    4. For Joomla and LiteSpeed shared hosting: assume compromise on unpatched CMS and CloudLinux stacks; forensic triage before patch verification under BOD 26-04 four-variable matrix.
    5. Document remediation in board packet using formatted ALE strings — internal ledger remains BigInt cents only (Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000 cent anchors unchanged).

🚨 Alert 18: FortiBleed Perimeter Credential Compromise

  • The Root Cause: FortiBleed campaign verified 73932 to 86644 Fortinet firewall admin credentials across 194 countries per CISA June 18 advisory. Fortinet FG-IR-26-060 published June 22 confirms credential reuse from prior incidents plus brute force — not a zero-day and no patch closes exposure. Huntress cross-reference confirms 84 customer-impacted IPs — perimeter password assumptions are structurally invalid regardless of complexity policy.
  • How to Resolve It Yourself:
    1. Rotate all FortiGate VPN and admin passwords immediately; enforce MFA on management interfaces.
    2. Restrict management interface to trusted admin IP ranges; upgrade FortiOS to 7.4, 7.6, or 8.0 per PSIRT guidance.
    3. Execute assume-breach hunting on all internet-exposed FortiGate instances under BOD 26-04 triage protocol.
    4. Ingest manifest chunk osint-02-fortibleed — verify Ironwatch correlation in Strategic Intel dashboard.

🚨 Alert 19: Writer or Trainer Invoked via Boardroom Query (Wrong Surface)

  • The Root Cause: Operator attempted to reach board-trainer or board-writer through live POST /api/query on IronBoard port 8082 — both personas are isolated per DOCS-005.
  • How to Resolve It Yourself:
    1. Use POST /api/agents/trainer or POST /api/agents/writer on Ironframe port 3000 with valid tenant session.
    2. Run Ironboard/tests/boardroomDocAuthorIsolation.test.ts — confirm BOARDROOM_QUERY_ROSTER excludes both IDs.
    3. For batch corpus refresh, run IronBoard POST /api/documentation/execute after legal clearance in documentation pipeline.

🚨 Alert 20: Ironquery Export Returns HTTP 403 Feature Denied

  • The Root Cause: Tenant lacks IRONQUERY_EXPORT feature entitlement — EXPORT-002 gate enforced on API; direct navigation to /dashboard/exports renders ExportScopeRequiredPanel instead of export console.
  • How to Resolve It Yourself:
    1. Platform administrator enables entitlement on tenant feature matrix.
    2. Run tests/unit/tenantFeatureEntitlement.test.ts — verify gate semantics.
    3. Retry export with scoped tenant session and valid x-tenant-id header alignment.
    4. Confirm Command Post shows ExportScopeRequiredBanner when redirected with exportScope=required query param.

🚨 Alert 21: Get Started Progress Not Audited

  • The Root Cause: POST /api/get-started/progress failed silently or returned 403 — step completion stored only in localStorage without TRAINING_ONBOARDING agent log receipt. Common triggers: missing tenant cookie, Ironguard perimeter rejection, or agentLog.create persistence error swallowed by catch handler.
  • How to Resolve It Yourself:
    1. Confirm operator signed in with valid user_role_assignments row and ironframe-tenant cookie scope.
    2. Open browser network tab — verify POST /api/get-started/progress returns { status: "LOGGED" } with HTTP 200.
    3. Query agent_logs for tenant UUID — verify message JSON contains "tag":"TRAINING_ONBOARDING" and matching stepId.
    4. Run tests/unit/getStartedOnboarding.test.ts — guard and persistence paths pass.
    5. If Trainer sandbox step stuck incomplete — verify POST /api/agents/trainer succeeded before expecting trainer-session auto-completion.

🚨 Alert 22: Master Purge Blocked Outside Development

  • The Root Cause: purgeAllDataAction in app/actions/purgeSimulation.ts now returns { ok: false, message: "Master purge is disabled outside development." } when NODE_ENV !== "development" — production and staging hosts cannot invoke tenant-wide simulation purge from UI controls.
  • How to Resolve It Yourself:
    1. Confirm you are on your provisioned workspace URL or *.lvh.me:3000 with NODE_ENV=development.
    2. Use scoped tenant purge via simulation plane tools — not master purge — on shared environments.
    3. For onboarding test record cleanup, run scripts/purge-onboarding-test-records.ts with explicit operator confirmation.

🚨 Alert 23: Dashboard Fetch Aborted During Navigation

  • The Root Cause: DashboardHomeClient fetch aborted during route transition or component unmount — previously surfaced as hard error; now classified as benign via isBenignRuntimeEmissionError and resolveDashboardFetchErrorMessage.
  • How to Resolve It Yourself:
    1. Retry dashboard load — transient abort during navigation is expected and recoverable.
    2. Verify message reads "Dashboard request timed out or was interrupted. Retry in a moment." — not raw AbortError stack.
    3. Confirm mount-level AbortSignal propagates to tenantFetch retry loop without duplicate concurrent requests.

📋 Chapter 7: Unit Test Verification Checklist (Today's Delta)

Independent learners and compliance auditors must confirm the following Vitest suites pass before signing a daily lab receipt:

Test file | Validates
tests/unit/deploymentQuarantine.test.ts | Narrow funnel public paths, private workspace block, localhost and lvh.me whitelist, dual Stripe webhook bypass, token-gated API bypass, IRONFRAME_ALLOW_PUBLIC_INGRESS
tests/unit/dashboardRoleAccess.test.ts | RBAC gate states, ensureDashboardTenantSession cookie hydration
tests/unit/commandCenterTenantAccess.test.ts | GLOBAL_ADMIN vs scoped tenant switcher, subdomain host lock
tests/unit/grcRouteMatch.test.ts | Header route matrix, auth public path, constitutional sentinel paths
tests/unit/registrationGate.test.ts | Invite-only prospect ingress blocking
tests/unit/registrationRoutes.test.ts | Public registration route classification
tests/unit/phase1Commercial.test.ts | Phase 1 monetization wire paths
tests/unit/stripeCheckoutParse.test.ts | Stripe checkout metadata BigInt cent parsing
tests/unit/tenantSubdomain.test.ts | Subdomain slug resolution, post-auth landing paths
tests/unit/tenantSlugRegistry.test.ts | Dynamic tenant slug cache and lookup
tests/unit/demoMode.test.ts | Demo sandbox paths and ALE cent constants
tests/unit/stagedNavSurfaces.test.ts | Staged nav badge and role block matrix
tests/unit/boardResponseLibrary.test.ts | YouTube denial strip and rewrite append
tests/unit/platformApplicationBoundary.test.ts | Ironframe port 3000 vs IronBoard port 8082
tests/unit/boardroomOrchestrator.test.ts | Panel routing receipts and sales-lead canonical boundary
tests/unit/videoIngress.test.ts | Irongate Zod schema quarantine and CLEAN path
tests/unit/videoBoardPrefetch.test.ts | Timeline injection into boardroom orchestration
tests/unit/strategicIntelIngress.test.ts | Agent 14 sanitization before CRM persistence
tests/unit/docsMatrixIngress.test.ts | BigInt docsMatchedUnits pipeline counters
tests/unit/linkScraper.test.ts | YouTube and YouTube Shorts URL extraction
tests/unit/ironframeTheme.test.ts | Theme ID resolution and body attribute mapping
tests/unit/devConstitutionalElevation.test.ts | Scoped dev authority match order
tests/unit/publicLeadParse.test.ts | Prospect lead payload parsing
tests/tenantBrand.test.ts | Tenant brand accent resolution
tests/unit/governanceFrameBriefingScanner.test.ts | Published ledger ingest and briefing-queue quarantine warnings
tests/unit/governanceFrameSanitize.test.ts | Cent register rejection, section II parse, markdown XSS strip
tests/unit/governanceFrameEmail.test.ts | Ironcast newsletter feed origin and slug deep links
tests/unit/financialIngressInvariant.test.ts | Unified BigInt cent bridge across Governance Frame, sales intake, canonical baselines
tests/unit/compileRss.test.ts | Governance Frame RSS item URL encoding
Ironboard/src/services/coreTelemetryBridge.test.ts | Telemetry bridge cookie forwarding, fail-closed disconnect, successful JSON hydration
Ironboard/src/services/boardroomQueryIntent.test.ts | Multi-country prefetch intent, inferRegionsFromQuery, Germany ICP criteria match
Ironboard/src/services/marketIntelligence.test.ts | Multi-region listProspects filter, fetchProspectingBatchForTargets merge, tier score REJECTED path
tests/architecture/gatewayShield.test.ts | Irongate DMZ markers on all Prisma-importing API routes
tests/unit/agentPerimeter.test.ts | Sales agent prospect pool tenant isolation
tests/unit/approvalQueueCore.test.ts | Pending draft tier inference and dispatch tags
tests/unit/documentationBrief.test.ts | One-way documentationBrief builder and plane separation
tests/unit/docsContentDecoupling.test.ts | APP_DOCS vs GOVERNANCE_BRIEFINGS decoupling
tests/unit/documentationCorpusPlanes.test.ts | Dual-location output matrix authoritative entries
tests/unit/tenantFeatureEntitlement.test.ts | Tenant feature entitlement gate on API routes
tests/unit/trainingCorpusPlacement.test.ts | Trainer/Writer placement target resolution
tests/unit/adminOnboardingDeployments.test.ts | Admin onboarding deployment snapshot, PROVISIONED/STAGED mapping, legal signoff posture, BigInt ALE USD display formatting
tests/unit/getStartedOnboarding.test.ts | Get Started progress API Ironguard guard, TRAINING_ONBOARDING agent log persistence
tests/unit/stripeConfig.test.ts | STRIPE_CREDENTIAL_MODE and dual webhook secret resolution
tests/unit/supabaseRedirectAllowlist.test.ts | Auth redirect origin allowlist
tests/unit/supabaseAuthAdminHelpers.test.ts | Existing Supabase user lookup and corporate invite relink paths
tests/unit/workspaceInviteEmailDelivery.test.ts | Resend workspace invitation dispatch and deferrable error paths
tests/unit/workspaceInviteEmailContent.test.ts | Invite email HTML table layout and register URL binding
tests/unit/industryScoutProspectBridge.test.ts | Industry scout cron prospect bridge
tests/unit/marketProspectAuthenticity.test.ts | Regional prospect authenticity scoring
tests/unit/discoverRegionalProspects.test.ts | Regional fintech discovery engine
tests/unit/serialization.test.ts | BigInt JSON serialization guards
tests/e2e/docs-public.spec.ts | Playwright E2E public /docs narrow funnel
Ironboard/tests/trainingCorpus.test.ts | Training corpus publisher IronBoard package
Ironboard/src/lib/geminiRetry.test.ts | Gemini rate-limit retry backoff for market intelligence outreach
Ironboard/tests/boardroomDocAuthorIsolation.test.ts | Trainer/Writer excluded from live boardroom query roster
lib/sustainability/ironbloomDashboardTelemetry.test.ts | kWh threat ingestion telemetry parse
tests/unit/sharedBoardContext.test.ts | Shared-context documentationBrief one-way ingress attachment and BigInt baseline serialization
tests/unit/simulationNavFocus.test.ts | Settings config href resolution to /settings/config; dashboard home path focus
tests/unit/governanceTriadExport.test.ts | Governance Frame triad export BigInt cent register formatting
tests/unit/docsNavigation.test.ts | Docs sidebar chapter routing including BigInt data schema contracts link
tests/unit/tenantIndustryBaselineSweep.test.ts | Constitutional industry baseline ALE cent sweep across seed tenants
tests/integration/cron-storage-gates.test.ts | Cron storage gate perimeter for headless automation
tests/integration/epic16-exports.test.ts | Epic 16 export pipeline entitlement and BigInt field encoding

Run command: npm run test (root Vitest) plus cd Ironboard && npm test (IronBoard package suite per .github/workflows/ci.yml). CI also runs Stryker mutation on configured modules and Playwright E2E. All suites must pass before GCP deploy readiness per project rules Warden gate.


📎 Chapter 8: Environment Variable Reference (Delta Additions)

The following .env.example entries were added or clarified in today's delta. Never commit live secrets — placeholders only:

Variable | Purpose
IRONBOARD_BOARD_ORG_TENANT_UUID | Board-level Strategic Intel tenant UUID (default Medshield seed)
IRONBOARD_GRC_ANALYST_VIDEO_URL | Canonical YouTube URL for GRC Analyst briefing video
IRONFRAME_ALLOW_PUBLIC_INGRESS | Set 1 to open all cloud ingress paths (default blocked on non-local hosts)
IRONFRAME_SUBDOMAIN_TENANCY | Set 0 to disable host → tenant binding (enabled by default)
IRONFRAME_TENANT_APEX_DOMAIN | Production apex for *.ironframegrc.com tenant hosts
NEXT_PUBLIC_DEVELOPMENT_DOMAIN | Local dev tenant suffix (default lvh.me:3000)
INTERNAL_SALES_PROVISION_KEY | Bearer token for POST /api/register/sales-intake
NEXT_PUBLIC_STRIPE_COMMAND_TIER_CHECKOUT_URL | Hosted Stripe Payment Link on /pricing
STRIPE_SECRET_KEY | Server-only Stripe API key
STRIPE_WEBHOOK_SECRET | Stripe webhook signature verification
CURSOR_API_KEY | Headless Cursor CLI auth for scripts/cron_narrate.ps1
SUPABASE_SERVICE_ROLE_KEY | Server-only corporate invite and admin password provisioning
NEXT_PUBLIC_APP_URL | Production origin (your provisioned workspace URL) for auth redirects and apex routing
IRONFRAME_DEV_SUPABASE_EMAIL | Scoped dev constitutional authority email match
IRONFRAME_DEV_SUPABASE_USER_ID | Scoped dev constitutional authority user id match
IRONFRAME_CRON_SECRET / IRONFRAME_INTERNAL_GATES_SECRET | Internal gates for slug resolve and platform admin probe
GOVERNANCE_FRAME_UPSTREAM | Optional IronBoard upstream for local proxy (your provisioned workspace URL)
GOVERNANCE_FRAME_PUBLIC_FEED_ORIGIN | Public feed origin for RSS and Ironcast email deep links (default your provisioned workspace URL)
IRONFRAME_CORE_ORIGIN | Ironframe core origin for IronBoard telemetry bridge (default your provisioned workspace URL)
IRONFRAME_MARKETING_ORIGIN | Fallback origin when IRONFRAME_CORE_ORIGIN unset
GOOGLE_API_KEY | IronBoard Gemini + Google Search grounding for regional prospect discovery, sales agent, customer service console
IRONFRAME_PROSPECT_POOL_TENANT_UUID | Prospect pool tenant for unauthenticated sales agent (fallback tenant_prospect_pool_01)
INTERNAL_GATEWAY_SECRET_KEY / IRONFRAME_INTERNAL_GATES_SECRET | Bearer token for POST /api/documentation/execute internal gateway
STRIPE_CREDENTIAL_MODE | Explicit test or live Stripe credential selection
STRIPE_SECRET_KEY_TEST / STRIPE_SECRET_KEY_LIVE | Mode-specific Stripe API keys
STRIPE_INSTANT_CHECKOUT_WEBHOOK_SECRET | Webhook secret for /api/webhooks/stripe (checkout.session.completed)
STRIPE_BILLING_WEBHOOK_SECRET | Webhook secret for /api/billing/webhook (payment_intent.succeeded)
IRONFRAME_STAGING_APEX_DOMAIN | Staging Vercel apex for tenant subdomain slug resolution
IRONBOARD_SEMI_AUTONOMOUS_MODE | Set 1 for rate-limited background web-grounded prospect discovery
RESEND_API_KEY | IronBoard Resend email package outbound; workspace invitation Bucket A dispatch
NEXT_PUBLIC_GET_STARTED_VIDEO_URL | Orientation audio or screencast URL embedded in Get Started portal walkthrough panel

✅ Chapter 9: Daily Writer Receipt (2026-06-27)

Delta classification: Structural (Prisma AppDocument model, IronboardCrmContact.metadata JSON, SYSTEM_AGENT interaction channel enum, twenty-four training screenshot PNG assets plus supplemental export-path capture, app/roles/* tree deletion, /get-started route group pages, orientation popout route group, admin onboarding supervisor components, GET /api/docs/reader inline doc ingress, per-step audio assets under get-started-orientation/steps/, Ironboard/src/agents/boardAgentLlm.ts founding assessment engine) + Backend Logic (.cursorrules compaction to 43 lines; IronBoard generateBoardAgentAssessment founding LLM refactor in boardAgentLlm.ts; knowledge.ts full documentation pipeline; safeDocsWriter governance briefing path guard; staticContext.ts BOARDROOM_ISOLATED_AGENT_IDS; isolated Trainer/Writer APIs on Ironframe :3000; getStartedStepAudio.ts, getStartedStepVisuals.ts, openOrientationWalkthroughWindow.ts; Ironbloom physical telemetry hardening removing isHighSeverity; Ironquery IRONQUERY_EXPORT with ExportScopeRequiredPanel; Irontech Agent 04 identity correction; threat validate assertIronguardApiTenantOr403; dual Stripe webhook secrets with STRIPE_CREDENTIAL_MODE; middleware buildLoginRedirectUrl, finalizeMiddlewareResponse; next.config.ts .html-only docs rewrites and in-memory webpack cache; industry scout prospect bridge; register/setup deletion; June 26 OSINT manifest (ironintel-osint-2026-06-26-live) with LiteLLM, Splunk, FortiBleed, FedRAMP VDR chunks; marketProspectAuthenticity.ts and regulatoryCatalystLookup.ts; geminiRetry.ts rate-limit wrapper; resolveFlywheelTargetRegions; CI gateway shield + Stryker + Playwright + Ironboard test gates) + UI (/get-started guided step panel with per-step narration and bottom doc reader drawer, orientation walkthrough popout, TrainerAgentSessionForm, global TrainerAgentDrawer, ExportScopeRequiredBanner/ExportScopeRequiredPanel, OperatorActivationBanner, /dashboard/support chat console, AdminOnboardingDeployments supervisor grid, DocsChrome decoupled link rendering, DashboardHomeClient benign abort recovery).

Financial boundary verification: All ALE references in this document use BigInt integer cents exclusively for persistence and internal telemetry. Constitutional Ironframe seed tenant baselines unchanged: Medshield 1110000000, Vaultbank 590000000, Gridcore 470000000, Defense 1600000000 cents. Manifest industry peer ALE baselines (Finance 1800000000, Healthcare 1210000000, Technology 950000000, Defense 2500000000, Public Sector 1500000000 cents) and risk metrics (medianAnnualGrcProgramCents 4200000000, medianAuditRemediationLagCents 890000000, saasConsolidationSavingsOpportunityCents 680000000, boardReportingOverheadCents 125000000 cents for primary manifest; alternate regional manifest medianAnnualGrcProgramCents 3850000000, medianAuditRemediationLagCents 935000000, saasConsolidationSavingsOpportunityCents 1120000000, boardReportingOverheadCents 98000000 cents) are manifest-scoped BigInt strings — never floats. Dual Stripe webhook paths parse amountTotalCents as BigInt at fulfillment. Ironbloom kwhAverted and mitigatedValueCents persist as BigInt — severity-tier synthetic kWh path eliminated; sustainabilityActions.ts uses parseThreatIngestionTelemetry and returns no_physical_telemetry without ledger write when physical units absent; resolveDashboardMitigatedValueCents reads sealed tenant physical ledger via aggregateTenantKwhAverted and findLatestThreatPhysicalTelemetry before reporting 0 cents. Corporate provision and admin deployment display use formatCentsToAccountingUSD / parseDollarAleToBigIntCents — display and ingress conversion only; PostgreSQL columns remain BIGINT cents. Writer and Trainer consoles quote financial baselines as whole-integer cent digit strings in synthesized markdown — never float dollars. De-classification matrix mandates Governance Frame public copy cites financials.display.*Formatted strings — never raw cent literals. Market prospect aiFitnessScore remains integer ICP tier composite — not monetary. Founding board CFO node calls assertWholeIntegerCents before generateBoardAgentAssessment — allocation strings must be whole-integer cent digit sequences.
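The integer-cents boundary described above, as an added Node.js example that is not Ironframe's code: the function names follow the receipt, but their bodies, the regular expressions and the sample amounts are assumptions made here.

```javascript
// Added example (not Ironframe's code): the BigInt-cents boundary the receipt
// describes. Names follow the receipt; implementations are assumed.

// Contract described for CFO allocation strings: accept only a plain digit
// string (no sign, decimal point, exponent, or whitespace) and return BigInt.
function assertWholeIntegerCents(value, label = "cents") {
  if (typeof value !== "string" || !/^(0|[1-9][0-9]*)$/.test(value)) {
    throw new TypeError(`${label} must be a whole-integer cent digit string, got ${JSON.stringify(value)}`);
  }
  return BigInt(value);
}

// Ingress-only conversion: an operator-typed dollar amount such as
// "$11,100,000.00" becomes BigInt cents. The string is parsed directly,
// never through parseFloat, so large baselines keep every digit.
function parseDollarAleToBigIntCents(input) {
  const cleaned = String(input).trim().replace(/^\$/, "").replace(/,/g, "");
  const m = /^(\d+)(?:\.(\d{1,2}))?$/.exec(cleaned);
  if (!m) throw new TypeError(`unparseable dollar amount: ${JSON.stringify(input)}`);
  const fraction = (m[2] ?? "").padEnd(2, "0"); // "5" means 50 cents
  return BigInt(m[1]) * 100n + BigInt(fraction);
}

// Display-only conversion back to an accounting string; the ledger value
// stays a bigint and is never reassigned from this output.
function formatCentsToAccountingUSD(cents) {
  if (typeof cents !== "bigint" || cents < 0n) {
    throw new TypeError("cents must be a non-negative bigint");
  }
  const dollars = (cents / 100n).toString().replace(/\B(?=(\d{3})+(?!\d))/g, ",");
  const fraction = (cents % 100n).toString().padStart(2, "0");
  return `$${dollars}.${fraction}`;
}

// Why the boundary exists: the same sum in floating point drifts, while
// integer cents are exact.
function floatDriftExample() {
  return { asFloat: 0.1 + 0.2, asCents: 10n + 20n }; // 0.30000000000000004 vs 30n
}
```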

Threat simulation verification: POST /api/threats/validate requires assertIronguardApiTenantOr403 — extracts ActiveRisk numeric ids as BigInt-safe strings for ghost card reconciliation. Ironbloom requires sealed physical telemetry in ingestionDetails — monetary-only or severity-inferred payloads return no_physical_telemetry without ledger write. Shadow-plane SimThreatEvent.mitigated_value_cents BIGINT isolation from production ThreatEvent unchanged. June 26 OSINT manifest ingested with active vectors on operational date 2026-06-27: BerriAI LiteLLM CVE-2026-42271 (KEV deadline June 22, five days elapsed), Splunk CVE-2026-20253 (KEV deadline June 21, day seven post-deadline forensic triage), FortiBleed (73932 to 86644 verified Fortinet credentials, 194 countries, Huntress 84 customer-impacted IPs), Joomla CVE-2026-48907 (KEV deadline June 18, nine days elapsed), LiteSpeed CVE-2026-54420 (KEV deadline June 19, eight days elapsed), Check Point CVE-2026-50751, Oracle PeopleSoft CVE-2026-35273, Ivanti Sentry CVE-2026-10520, CISA BOD 26-04 federal contractor 24-hour KEV triage SLA effective June 24, 2026 (three days into enforcement), FedRAMP Notice 0014 VDR mandatory December 7, 2026, CMMC Phase 2 136 days to November 10, 2026. Board packets must cite formatted ALE display strings while internal ledger retains BigInt cent integers only.

Module refactor verification: app/roles/* legacy stakeholder_metrics dashboards deleted — role surfaces consolidated under app/(dashboard)/dashboard/*. knowledge.ts expanded from stub drafts to full placement matrix with telemetry mirror and full-access ingress sections; Trainer and Writer now publish through pushAppDocumentToIronframe / publishAppDocument with validateOutboundContent firewall instead of filesystem-only writeHubAssetSafely. IronBoard documentation authors isolated from live query roster (BOARDROOM_QUERY_ROSTER replaces full roster filter) while retaining pipeline graph nodes. Ironboard/vitest.config.ts includes tests/**/*.test.ts for package-level suites including boardroomDocAuthorIsolation.test.ts. Get Started portal introduces post-activation design-partner initialization — five-step checklist with guided step focus panel, per-step audio narration, bottom inline doc reader drawer, orientation walkthrough popout, TrainerAgentSessionForm sandbox, and Ironwatch telemetry poll suppressed during onboarding. Global Trainer drawer (TrainerAgentDrawer) mounts on all workspace routes via AppShell. Admin onboarding supervisor UI separates deployment inventory (AdminOnboardingDeployments) from provisioning controls (CorporateOnboardingClient at #onboarding-controls) — billing activation owned exclusively by Stripe webhook path; ALE input field renamed to aleBaselineDollars with parseDollarAleToBigIntCents persistence. Corporate invite relink grants workspace access to existing Supabase accounts without duplicate user creation. Middleware auth landing preserves next return paths via buildLoginRedirectUrl (appends fresh=1 for /get-started destinations) and applies subdomain tenancy on every response through finalizeMiddlewareResponse. Middleware tenant slug-resolve recursion guard: middlewareSubdomainTenancy.ts sets x-ironframe-middleware-tenant-resolve: 1 when calling /api/internal/tenant-slug-resolve — prevents middleware → slug-resolve → middleware infinite loop on dynamic tenant hosts. Founding board agents delegate to boardAgentLlm.ts with formatBoardStateSummary — static template logs retired. chapterLoop.ts binds sequential documentation passes to training-corpus-manifest.json via publishCompleteTrainingManual.
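The two middleware behaviours described above (the slug-resolve recursion guard and the buildLoginRedirectUrl next-path handling), as an added Node.js example that is not Ironframe's middleware: the header name, internal path and fresh=1 rule come from the receipt; the origin "https://app.example.test", the same-origin restriction on next, and the pass-counting simulation are assumptions made here.

```javascript
// Added example (not Ironframe's middleware). Modelled on plain objects so it
// runs without Next.js; origin and the same-origin rule are assumed here.
const TENANT_RESOLVE_HEADER = "x-ironframe-middleware-tenant-resolve";
const TENANT_RESOLVE_PATH = "/api/internal/tenant-slug-resolve";

// Recursion guard: the internal slug-resolve request carries the marker,
// so middleware passes it through instead of resolving the tenant again.
function shouldSkipTenantResolve(headers) {
  const value = typeof headers.get === "function"
    ? headers.get(TENANT_RESOLVE_HEADER) : headers[TENANT_RESOLVE_HEADER];
  return value === "1";
}

// The internal request middleware issues on a dynamic tenant host, with the
// marker already set so the re-entered middleware pass stops immediately.
function buildTenantSlugResolveRequest(origin, host) {
  const url = new URL(TENANT_RESOLVE_PATH, origin);
  url.searchParams.set("host", host);
  return { url: url.toString(), headers: { [TENANT_RESOLVE_HEADER]: "1" } };
}

// Count middleware passes for one inbound request (capped at `limit`): with
// the guard the chain ends after the internal hop; without it, it never does.
function countMiddlewarePasses(inboundHeaders, guardEnabled, limit = 10) {
  let passes = 0;
  let current = inboundHeaders;
  while (passes < limit) {
    passes += 1;
    if (guardEnabled && shouldSkipTenantResolve(current)) break;
    current = buildTenantSlugResolveRequest("https://app.example.test", "acme.example.test").headers;
  }
  return passes;
}

// Login landing: keep the requested path as `next`, but only when it is a
// same-origin absolute path, so the login page cannot become an open redirect
// via "https://other.host/..." or protocol-relative "//other.host". Paths
// under /get-started additionally get fresh=1, as the receipt describes.
function buildLoginRedirectUrl(origin, requestedPath) {
  const login = new URL("/login", origin);
  if (typeof requestedPath !== "string" || !requestedPath.startsWith("/") || requestedPath.startsWith("//")) {
    return login.toString();
  }
  const next = new URL(requestedPath, origin);
  if (next.origin !== origin) return login.toString(); // catches "/\other.host" too
  if (next.pathname === "/get-started" || next.pathname.startsWith("/get-started/")) {
    next.searchParams.set("fresh", "1");
  }
  login.searchParams.set("next", next.pathname + next.search + next.hash);
  return login.toString();
}
```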

Irongate DMZ verification: tests/architecture/gatewayShield.test.ts enforces DMZ markers on all Prisma-importing API routes (CI gate). CompilationIngressPortal fails closed on unresolved doc slugs. Documentation corpus planes forbid cross-write between APP_DOCS and GOVERNANCE_BRIEFINGS via assertAppDocsPlacementPath. GTM synthetic scaffolding must not enter CRM as live OSINT — verifyAndOptimizeMarketData and marketProspectAuthenticity gate purges before board synthesis. Get Started progress API and docs reader API pass Ironguard tenant guard before any persistence.

Platform boundary verification: Ironframe port 3000 emits documentationBrief in shared-context and hosts isolated Trainer/Writer agent APIs plus Get Started progress ingress and inline docs reader. IronBoard port 8082 consumes via core telemetry bridge; runExecutiveDocumentationCommand throws when brief ingress fails. platformApplicationBoundary.ts adds /api/documentation/execute and /settings/config. Both engines bind 127.0.0.1 only. Narrow funnel permits public GTM surfaces on cloud without opening command center. /get-started and /admin/onboarding registered as dashboard route group paths with standalone scroll — billing hold exempt for design-partner and GLOBAL_ADMIN onboarding flows.

Documentation corpus verification: knowledge.ts expanded — Trainer publishes via publishTrainerCorpus, Writer via publishWriterCorpus, push through appDocsGateway. Training screenshot corpus (24 PNG assets) binds to training-corpus-manifest.json with supplemental export-path capture; Level 1 chapter 03 capture route corrected to / tripane Command Post. board-trainer owns docs/user-manuals/ and docs/training/level-1/; board-writer owns docs/technical/ and docs/training/level-2/. Content firewall rejects briefing-queue/ and published-briefings/ writes from Trainer/Writer. Get Started quickstart step opens orientation guide via inline drawer backed by /api/docs/reader on APP_DOCS plane with #orientation hash deep-link.

Phase 1 commercial verification: Dual webhook billing activation at /api/billing/webhook with resolveStripeBillingWebhookSecret. Instant checkout provisioning at /api/webhooks/stripe with resolveStripeInstantCheckoutWebhookSecret. Sales agent isolated to IRONFRAME_PROSPECT_POOL_TENANT_UUID. Customer service and email draft worker require authenticated tenant with LEVEL_1 grounding. Workspace invitation Resend dispatch optional at mint time (dispatchInviteEmail: true). Register setup page deleted; demo redirects to sales contact. Admin deployment grid shows STAGED vs PROVISIONED from billing status — no manual client-side billing activation button. purgeAllDataAction disabled outside NODE_ENV=development.

CI verification: .github/workflows/ci.yml adds architecture gateway shield test, Stryker mutation gate, Playwright E2E install/run, and Ironboard npm test step. All unit suites listed in Chapter 7 must pass before deploy.

Empty-diff pivot: Not applicable — daily_code_diff.txt contains substantial deltas across 145 changed tracked file paths (excluding self-referential diff artifact recursion, binary PNG assets, and lockfile noise) spanning Ironframe and IronBoard packages including Get Started guided step panel with per-step audio and orientation popout, global TrainerAgentDrawer, ExportScopeRequired in-page UX, workspace invitation Resend dispatch, corporate invite relink, master purge dev-only guard, admin onboarding supervisor deployment ledger, boardroom author isolation, isolated Trainer/Writer agent consoles, customer service email worker, content firewall governance path guard, industry scout prospect bridge, Ironquery export entitlement, Irontech Agent 04 identity correction, role route deletion, June 26 OSINT manifest refresh (ironintel-osint-2026-06-26-live) with LiteLLM five-day post-deadline and Splunk day-seven triage vectors, physical telemetry hardening, founding board boardAgentLlm.ts assessment path, market authenticity gate, middleware auth landing refactor with subdomain finalize wrapper and slug-resolve recursion header, password reset redirect origin fix, next.config .html-only docs rewrites and nodemailer serverExternalPackages, DashboardHomeClient benign abort recovery, isConstitutionalTenantKey baseline drift anchor guard, /api/auth/session-bootstrap narrow funnel passthrough, resolveSettingsConfigHref /settings/config fallback, Get Started 24-chapter curriculum copy, csvEncoder tenantKey string typing for export rows, and sharedBoardContext.test.ts documentationBrief attachment receipts.


End of GRC Master Operations Manual & Technical Feature Glossary — Writer Narrative Architect complete mandate execution for operational date 2026-06-27.