{
  "schemaVersion": "imladri.enterprise-controls-status.v1",
  "status": "active",
  "updatedAt": "2026-06-10",
  "claimBoundary": "Runtime controls, operator governance, proof export, and admin/customer readback are implemented. Full enterprise identity federation, SCIM, customer-owned SIEM export, retention automation, and approval routing are planned next.",
  "implemented": [
    {
      "id": "workspace-bindings",
      "name": "Workspace account bindings",
      "evidence": "Customer Profile and Admin routes bind users, workspaces, agents, SDK-key metadata, activity, proof shares, and proof readiness per customer."
    },
    {
      "id": "admin-rbac",
      "name": "Admin role gates",
      "evidence": "Admin routes gate read, mutate, proof-run, export, cleanup, customer readback, and operational surfaces."
    },
    {
      "id": "admin-login-throttle",
      "name": "Admin login throttling",
      "evidence": "Worker public rate limits include admin and customer authentication protections."
    },
    {
      "id": "audit-events",
      "name": "Append-only audit events",
      "evidence": "Admin login and control-plane mutations write audit records for operator review."
    },
    {
      "id": "customer-readback",
      "name": "Customer workspace readback",
      "evidence": "The production buyer-flow smoke test verifies that Admin can see customer activity, active SDK-key counts, and proof readiness without exposing raw SDK secrets."
    },
    {
      "id": "proof-exports",
      "name": "Proof exports and public shares",
      "evidence": "Profile exports proof packets as JSON, Markdown, PDF, redacted, and auditor variants; public shares are verifier-readable and redacted."
    },
    {
      "id": "operator-alerts",
      "name": "Operator alert routing",
      "evidence": "Worker dead-letter and operator-alert paths route to configured webhook and fallback email channels."
    }
  ],
  "plannedNext": [
    {
      "id": "sso-oidc-saml",
      "name": "SSO/OIDC/SAML",
      "positioning": "Do not claim complete yet."
    },
    {
      "id": "scim",
      "name": "SCIM directory sync",
      "positioning": "Planned after identity federation."
    },
    {
      "id": "customer-siem-export",
      "name": "Customer-owned SIEM export",
      "positioning": "Planned beyond current operator alert webhook."
    },
    {
      "id": "retention-automation",
      "name": "Retention controls",
      "positioning": "Planned beyond current redacted-share and export behavior."
    },
    {
      "id": "approval-routing",
      "name": "Team approval routing",
      "positioning": "Planned for review-required actions across customer teams."
    }
  ],
  "verification": {
    "evidenceMatrix": "/evidence",
    "enterprisePage": "/enterprise",
    "productionBuyerFlowWorkflow": "https://github.com/MAdArab872/imladri/actions/workflows/production-buyer-flow-smoke.yml",
    "productionUiSmokeWorkflow": "https://github.com/MAdArab872/imladri/actions/workflows/production-ui-smoke.yml"
  }
}
