CustomerTrust
Scoped proof, read-only governance, no station control
Customers see readiness, risks, handoffs, approvals, and audit trails through scoped read-only views while station control stays local — raw evidence never leaves the station and no customer role can command a station.
Step 01
Same fleet, role-scoped views
Each customer role sees only the tenant, site, line, and station scope and the permission set assigned to it.
Inputs
- Authenticated tenant scope
- Customer role
- Allowed site / line / station ids
- Permission set
- Fleet readiness summaries
- Data-visibility flags
Proof generated
- Scoped view manifest
- Scope hash
- Role-visibility record
- Last-sync timestamp
Where it appears in the app
- CustomerTrust
- FleetWorks
- EvidenceWorks
- Trust
AI Sense support
- Summarizes only the proof and risk each role is allowed to see
- Explains why a view is scoped the way it is
- Flags a stale or missing scope
Safety boundary
- A role-scoped view cannot command a station or override safety.
Step 02
Redacted evidence references
Customers see hashes, receipts, and summaries — raw station evidence stays local.
Inputs
- Evidence bundle references
- Coverage proof references
- QA decision references
- Commissioning receipt references
- Signed-pack receipt references
- Redaction state
Proof generated
- Redacted reference list
- Reference hashes
- Omissions list
- Redaction receipt
Where it appears in the app
- EvidenceWorks
- CustomerTrust evidence
- Support handoffs
- Trust
AI Sense support
- Explains what proof exists and what is omitted
- Highlights missing proof a customer should ask about
- Names the reference behind a summary
Safety boundary
- Raw evidence, secrets, paths, coils, registers, and command payloads never enter the portal.
Step 03
Open risk
Safety-source and quality risks stay visible to the customer until a human resolves them.
Inputs
- Fleet risk register
- Escape candidates
- Known-bad miss events
- Coverage gaps
- Commissioning exceptions
- Signed-pack blockers
Proof generated
- Customer risk board
- Risk severity + owner role
- Evidence references
- Cannot-accept-away marker
Where it appears in the app
- FleetWorks risks
- Governance
- CustomerTrust risks
- Trust
AI Sense support
- Groups repeated risks across the scope
- Flags unsupported risk acceptance
- Explains each risk severity in customer language
Safety boundary
- Customer visibility cannot accept, waive, or clear a safety-source risk.
Step 04
Approval request
Customer approval is a recorded governance acknowledgement, not a technical safety override.
Inputs
- Approval request packet
- Required role
- Supporting evidence references
- Open-risk references
- Boundary statement
- Two-person requirement where applicable
Proof generated
- Append-only decision receipt
- Acknowledgement record
- Requester + role reference
- Request hash
Where it appears in the app
- CustomerTrust approvals
- SignedPacks
- Improvements
- Governance
AI Sense support
- Explains what evidence supports the request
- Names the blockers that remain
- Distinguishes an acknowledgement from a technical approval
Safety boundary
- An approval cannot force PASS, clear recovery, write PLC outputs, activate a pack, or bypass station authority.
Step 05
Audit trail
Every view, export, acknowledgement, and decision is recorded in an append-only hash chain.
Inputs
- View events
- Export events
- Acknowledgement events
- Rejection events
- Scope changes
- Previous receipt hash
Proof generated
- Append-only audit timeline
- Receipt hash + previous hash
- Actor identity reference
- Chain-integrity verification
Where it appears in the app
- CustomerTrust audit
- Trust
- Governance
AI Sense support
- Flags a missing receipt
- Flags a stale packet
- Explains an audit-chain gap for a human to check
Safety boundary
- Audit records identify actors by safe reference, never by exposed personal data or authority tokens.
Step 06
No control surface
The customer portal has no machine-control surface — station authority stays local at the EdgePod.
Inputs
- Local station authority
- PLC boundary
- Forbidden-capability set
- Portal request context
- Recovery-lock state
- Redaction boundary
Proof generated
- No-control attestation
- Forbidden-capability check
- Authority-boundary statement
Where it appears in the app
- CustomerTrust
- Trust
- Stations
AI Sense support
- Warns when a requested action would cross the authority boundary
- Restates what the portal cannot do
- Never issues a command itself
Safety boundary
- No customer role can command a station, activate a pack, clear recovery, write a PLC output, or force PASS from the portal.
AI Sense explains the risk and the next human check, never approves
AI Sense
One reading layer across every CustomerTrust step
Observes evidence, finds missing proof, explains uncertainty, ranks human checks, and prepares handoffs — it never commands hardware.
Reads
- Evidence bundles
- Review events
- QA decisions
- Vision Twin drift
- Commissioning blockers
- Governance decisions
- Station registry
- Ops metrics
Produces
- Findings
- Evidence-gap warnings
- Work-package hints
- Commissioning questions
- Support summaries
Never
- No PLC writes
- No force PASS
- No recovery clear
- No robot commands
- No camera/light commands
- No production approval
- No evidence mutation
- No QA decision mutation
AI Sense observes evidence and guides humans — it records nothing and changes nothing. It does not command a station, write a PLC, clear recovery, reset safety, force a pass, approve production, sign off, or mutate any review, QA decision, commissioning, governance, evidence, or runtime state. Every recommendation is a suggestion for a human to carry out; the PLC and safety circuit remain authoritative.
Customer-safe packet
Proof by reference, never raw data
The redacted customer packet carries the tenant scope, readiness with a go/no-go recommendation, evidence references by hash, ranked open risks, known limitations, and an explicit omissions list — so a customer team can review proof without any station ever handing over raw internals.
- tenant_scope: tenant, site, line, and station scope for this role only
- readiness: readiness by scope with go/no-go recommendation and blockers
- evidence_refs: evidence, coverage, QA, and commissioning references by hash
- open_risks: ranked risk-register entries (severity + owner role)
- known_limitations: what the scoped view cannot know or control
- omissions: explicit list of what was withheld
- receipt_hash: append-only receipt hash + previous hash
- generated_by: actor identity by safe reference, redaction state
The packet never contains raw images or evidence frames, raw PLC coils or registers, private keys or signing secrets, authority tokens, operator personal identity, local file paths or command payloads.
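As an added worked example (not HoldField's own code), the Python below shows the two mechanisms this packet and the Step 05 audit trail rely on: building the customer packet by allow-list from a station record, replacing evidence bundles with sha256 references and naming every withheld key in omissions, then chaining receipts so that rewriting any earlier receipt fails chain-integrity verification. The packet field names follow the schema above; the station record, the actor reference format, the key names under FORBIDDEN_KEYS and the function names are assumptions made for illustration.

```python
import hashlib
import json

# Fields the packet schema allows to be copied through. Everything else in the
# station record is withheld and named in the omissions list.
ALLOWED_FIELDS = {"tenant_scope", "readiness", "open_risks", "known_limitations"}

# Key names a station record might carry that must never reach the portal.
# The categories come from the page; these specific key names are assumptions.
FORBIDDEN_KEYS = {"raw_frames", "plc_coils", "plc_registers", "signing_key",
                  "authority_token", "operator_name", "local_paths", "command_payloads"}

GENESIS = "0" * 64  # previous_hash of the first receipt in a chain


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON so equal content always yields the same hash."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def redact(station_record: dict) -> dict:
    """Build the customer packet by allow-list: copy permitted fields, replace each
    evidence bundle with an {id, sha256} reference, and list withheld keys by name."""
    packet = {k: v for k, v in station_record.items() if k in ALLOWED_FIELDS}
    bundles = station_record.get("evidence_bundles", [])
    packet["evidence_refs"] = [{"id": b["id"], "sha256": canonical_hash(b)} for b in bundles]
    omitted = [k for k in station_record if k not in ALLOWED_FIELDS and k != "evidence_bundles"]
    for b in bundles:  # bundle internals are withheld too, only the reference survives
        omitted += [f"{b['id']}.{k}" for k in b if k != "id"]
    packet["omissions"] = sorted(omitted)
    leaked = FORBIDDEN_KEYS & set(packet)
    if leaked:  # defence in depth: the allow-list already excludes these
        raise ValueError(f"forbidden keys in packet: {sorted(leaked)}")
    return packet


def append_receipt(chain: list, packet: dict, actor_ref: str, event: str) -> dict:
    """Append-only receipt: packet hash, actor by safe reference, link to previous hash."""
    body = {
        "event": event,
        "packet_hash": canonical_hash(packet),
        "generated_by": actor_ref,
        "previous_hash": chain[-1]["receipt_hash"] if chain else GENESIS,
    }
    receipt = dict(body, receipt_hash=canonical_hash(body))
    chain.append(receipt)
    return receipt


def verify_chain(chain: list) -> bool:
    """Recompute every receipt hash and check each link points at its predecessor."""
    prev = GENESIS
    for r in chain:
        body = {k: v for k, v in r.items() if k != "receipt_hash"}
        if r["previous_hash"] != prev or canonical_hash(body) != r["receipt_hash"]:
            return False
        prev = r["receipt_hash"]
    return True


# Constructed station record: the only copy of the raw internals stays local.
STATION_RECORD = {
    "tenant_scope": {"tenant": "t-acme", "site": "s-01", "line": "l-03", "station": "st-17"},
    "readiness": {"recommendation": "no-go", "blockers": ["coverage-gap"]},
    "open_risks": [{"id": "r-42", "severity": "high", "owner_role": "site-lead",
                    "cannot_accept_away": True}],
    "known_limitations": ["view cannot see other lines"],
    "evidence_bundles": [{"id": "bundle-17", "raw_frames": ["<jpeg bytes>"],
                          "plc_registers": {"D100": 7}}],
    "plc_coils": {"Y0": 1},
    "signing_key": "-----BEGIN PRIVATE KEY-----",
    "operator_name": "J. Doe",
    "local_paths": ["/var/edgepod/station17/"],
}


def demo():
    """Redact, record two receipts, then show that editing history breaks the chain."""
    packet = redact(STATION_RECORD)
    chain = []
    append_receipt(chain, packet, "actor:role-ref-0a1b", "export")
    append_receipt(chain, packet, "actor:role-ref-0a1b", "view")
    intact = verify_chain(chain)
    tampered = json.loads(json.dumps(chain))  # deep copy
    tampered[0]["event"] = "acknowledge"      # rewrite an earlier receipt
    return packet, chain, intact, verify_chain(tampered)


if __name__ == "__main__":
    pkt, ch, ok, tampered_ok = demo()
    print(json.dumps(pkt, indent=2))
    print("chain intact:", ok, "| tampered chain verifies:", tampered_ok)
```

Two design points carry the page's guarantees. The packet is built by allow-list rather than deny-list, so a new raw field added to the station record later is withheld by default and shows up in omissions instead of leaking; the FORBIDDEN_KEYS check is only a backstop. And because each receipt's hash covers its previous_hash, altering or dropping any earlier receipt changes every hash after it, which is what lets a reviewer verify the whole timeline from the last receipt alone.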
Signed-in customer teams open this operationally in the HoldField portal, under CustomerTrust — where a role-scoped view shows readiness, redacted evidence references, the open-risk board, recorded approval acknowledgements, and the append-only audit trail, and where station authority stays local: nothing here commands a station, activates a pack, clears recovery, writes a PLC output, or forces PASS.