Skip to content
HoldField

EnterpriseGuard

Hardened deployment, not remote control

Deploy tenant-scoped access, redacted support, backups, upgrade preflights, and offline operation while inspection authority stays local — nothing here commands the cell, centralizes control, or approves production.

Step 01

Deployment profile

A named deployment profile defines the tenant, site, and station scope, the network policy, and the allowed artifacts — a record, never a grant of physical authority.

Inputs

  • Tenant
  • Site
  • Station scope
  • Network policy
  • Signed artifact allowlist
  • Allowed support level
  • Backup policy
  • Offline policy

Proof generated

  • Deployment profile receipt
  • Scope hash
  • Artifact allowlist hash
  • Network policy hash

Where it appears in the app

  • EnterpriseGuard
  • Stations
  • Governance
  • Trust

AI Sense support

  • Detects missing profile fields
  • Flags unsafe defaults
  • Explains scope drift from the last verified profile

Safety boundary

  • A deployment profile grants no physical authority and commands no station.

Step 02

Verified access

Access requires a verified identity, role, tenant, and session proof — the dev header is never trusted for physical action in production.

Inputs

  • Named identity
  • Role
  • Tenant scope
  • Site scope
  • Session receipt
  • Token expiry
  • MFA policy where configured
  • Service-account separation

Proof generated

  • Access receipt
  • Session hash
  • Role-scope receipt
  • Denial receipt for rejected access

Where it appears in the app

  • EnterpriseGuard
  • CustomerTrust
  • Governance
  • Audit

AI Sense support

  • Flags a role mismatch
  • Flags stale sessions and excessive access
  • Explains a rejected-access spike

Safety boundary

  • Verified access authenticates a person; it never commands a station.

Step 03

Tenant isolation

Every governed action is scoped to an authorized tenant and site on the server — missing scope denies access, it never defaults open.

Inputs

  • Tenant id
  • Customer org id
  • Site scope
  • Line scope
  • Station scope
  • Role visibility
  • Data visibility
  • Export permission

Proof generated

  • Tenant-scope receipt
  • Authorization decision receipt
  • Cross-tenant denial receipt

Where it appears in the app

  • EnterpriseGuard
  • CustomerTrust
  • Trust
  • Audit

AI Sense support

  • Detects a missing scope
  • Flags cross-tenant risk
  • Flags an overbroad role visibility

Safety boundary

  • Missing scope denies access; the tenant boundary never defaults open.

Step 04

Backup readiness

Backups preserve audit receipts, evidence indexes, and config hashes — never private keys, secrets, or raw PLC data — and a restore drill proves the path back.

Inputs

  • Audit receipts
  • Evidence indexes
  • Station registry snapshots
  • Configuration hashes
  • Legal-hold state
  • Retention state
  • Signed-pack receipts
  • Rollout decisions

Proof generated

  • Backup manifest
  • Backup hash
  • Restore drill receipt
  • Omissions list
  • Retention state receipt

Where it appears in the app

  • EnterpriseGuard
  • Trust
  • Audit

AI Sense support

  • Flags a stale backup
  • Flags a missing restore drill
  • Flags a retention or legal-hold conflict

Safety boundary

  • A restore can never delete receipts, clear recovery, or erase a legal hold.

Step 05

Redacted support bundle

Support receives summaries, references, and receipts — never raw images, evidence frames, secrets, tokens, or command surfaces — with an explicit omissions list.

Inputs

  • Site summary
  • Station health summary
  • Evidence references
  • Review summary
  • Commissioning blockers
  • Governance decisions
  • Ops metrics
  • AI Sense findings

Proof generated

  • Support bundle receipt
  • Redaction receipt
  • Export hash
  • Omissions list

Where it appears in the app

  • EnterpriseGuard
  • SignalOps
  • CustomerTrust
  • Trust

AI Sense support

  • Summarizes support risk
  • Detects missing proof before export
  • Flags a redaction gap

Safety boundary

  • A support bundle cannot expose secrets, tokens, or any command surface.

Step 06

Upgrade preflight

An upgrade preflight requires a fresh backup, signed and allowlisted artifacts, a rollback plan, and a safe inspection window — it verifies, it never applies.

Inputs

  • Backup freshness
  • Restore drill freshness
  • Signed artifact validity
  • Artifact allowlist
  • Rollback plan
  • Station inspection state
  • Recovery-lock state
  • Customer notification requirement
  • Maintenance window

Proof generated

  • Upgrade preflight receipt
  • Blocker list
  • Artifact verification receipt
  • Rollback readiness receipt

Where it appears in the app

  • EnterpriseGuard
  • SignedPacks
  • Governance
  • Ops metrics

AI Sense support

  • Explains an upgrade blocker
  • Flags stale-backup risk
  • Flags an unsafe upgrade window

Safety boundary

  • A preflight cannot activate an unsigned artifact, apply an upgrade, or clear recovery.

Step 07

Offline operation

Local inspection keeps running when the cloud is unreachable — evidence, review queue, and exports are held locally and replayed after reconnect, never bypassing policy.

Inputs

  • Local inspection
  • Local evidence receipt
  • Local review queue
  • Local station registry cache
  • Local signed policy cache
  • Deferred export queue
  • Replay after reconnect

Proof generated

  • Offline mode receipt
  • Queued export receipt
  • Replay receipt
  • Sync conflict receipt

Where it appears in the app

  • EnterpriseGuard
  • Ops metrics
  • Stations

AI Sense support

  • Detects a sync backlog
  • Flags a stale policy cache
  • Flags a replay conflict

Safety boundary

  • Offline mode cannot bypass policy, run an unsigned artifact, or override station authority.

Step 08

Local station authority

Enterprise hardening improves deployment and support; it never centralizes control — PLC, machine controller, and EdgePod stay the local authority above the policy and UI layers.

Inputs

  • PLC / safety authority
  • Machine controller authority
  • EdgePod runtime authority
  • HoldField policy layer
  • Human UI
  • AI Sense guidance layer

Proof generated

  • Local-authority statement
  • No-control receipt
  • Forbidden-capability receipt
  • Station boundary receipt

Where it appears in the app

  • EnterpriseGuard
  • Stations
  • Trust
  • Governance

AI Sense support

  • Warns when a request crosses a physical-authority boundary
  • Explains the authority ladder
  • Flags a forbidden-capability drift

Safety boundary

  • EnterpriseGuard never moves inspection authority out of the cell.

AI Sense explains enterprise risk, never approves

AI Sense

One reading layer across every EnterpriseGuard step

Observes evidence, finds missing proof, explains uncertainty, ranks human checks, and prepares handoffs — it never commands hardware.

Reads

  • Evidence bundles
  • Review events
  • QA decisions
  • Vision Twin drift
  • Commissioning blockers
  • Governance decisions
  • Station registry
  • Ops metrics

Produces

  • Findings
  • Evidence-gap warnings
  • Work-package hints
  • Commissioning questions
  • Support summaries

Never

  • No PLC writes
  • No force PASS
  • No recovery clear
  • No robot commands
  • No camera/light commands
  • No production approval
  • No evidence mutation
  • No QA decision mutation

AI Sense observes evidence and guides humans — it records nothing and changes nothing. It does not command a station, write a PLC, clear recovery, reset safety, force a pass, approve production, sign off, or mutate any review, QA decision, commissioning, governance, evidence, or runtime state. Every recommendation is a suggestion for a human to carry out; the PLC and safety circuit remain authoritative.

Local station authority

Hardening never centralizes control

EnterpriseGuard improves deployment, access, backup, support, upgrades, and offline resilience. It never moves inspection authority out of the cell — the PLC, the machine controller, and the EdgePod runtime stay the local authority, below the policy, UI, and AI Sense guidance layers.

  1. AI Sense guidance
    observes and explains — cannot command or approve
  2. Human UI
    people review, decide, and record
  3. HoldField policy
    fail-closed policy and receipts
  4. EdgePod runtime
    local execution, fail-closed
  5. Machine controller
    the machine’s own controller
  6. PLC / safety
    the safety layer — the ultimate local authority

Redacted support bundle

Support gets summaries by reference, never raw station data

The redacted support bundle carries a site summary, station health, evidence references, a review summary, commissioning blockers, governance decisions, AI Sense findings, and an explicit omissions list — so support can triage without any station ever handing over raw internals, secrets, or a command surface.

site_summary
site + station health by reference — never raw evidence
station_health_summary
posture and open blockers, no raw frames
evidence_refs
references to evidence receipts, never the images
review_summary
review lifecycle status by reference
commissioning_blockers
open FAT/SAT and readiness blockers
governance_decisions
recorded governance decisions by reference
ai_sense_findings
ranked findings + recommended human checks
omissions
explicit list of what was withheld
bundle_hash
integrity fingerprint of the redacted bundle

The bundle never contains raw images or evidence frames, raw PLC coils or registers, private keys or signing secrets, authority tokens, camera, lighting, or robot command payloads, operator personal identity or local file paths.

Signed-in teams run this operationally in the HoldField app, under EnterpriseGuard — where enterprise posture, deployment profiles, verified access, tenant isolation, backup readiness, redacted support bundles, upgrade preflights, offline operation, and the local-authority boundary are recorded as administrative proof, and where every station stays the local authority: nothing here commands, applies an upgrade, activates an artifact, clears recovery, or approves production. Open the workspace →