HoldField

CustomerTrust

Scoped proof, read-only governance, no station control

Customers see readiness, risks, handoffs, approvals, and audit trails through scoped read-only views while station control stays local — raw evidence never leaves the station and no customer role can command a station.

Step 01

Same fleet, role-scoped views

Each customer role sees only its tenant, site, line, station scope, and permission set.

Inputs

  • Authenticated tenant scope
  • Customer role
  • Allowed site / line / station ids
  • Permission set
  • Fleet readiness summaries
  • Data-visibility flags

Proof generated

  • Scoped view manifest
  • Scope hash
  • Role-visibility record
  • Last-sync timestamp

Where it appears in the app

  • CustomerTrust
  • FleetWorks
  • EvidenceWorks
  • Trust

AI Sense support

  • Summarizes only the proof and risk each role is allowed to see
  • Explains why a view is scoped the way it is
  • Flags a stale or missing scope

Safety boundary

  • A role-scoped view cannot command a station or override safety.

Step 02

Redacted evidence references

Customers see hashes, receipts, and summaries — raw station evidence stays local.

Inputs

  • Evidence bundle references
  • Coverage proof references
  • QA decision references
  • Commissioning receipt references
  • Signed-pack receipt references
  • Redaction state

Proof generated

  • Redacted reference list
  • Reference hashes
  • Omissions list
  • Redaction receipt

Where it appears in the app

  • EvidenceWorks
  • CustomerTrust evidence
  • Support handoffs
  • Trust

AI Sense support

  • Explains what proof exists and what is omitted
  • Highlights missing proof a customer should ask about
  • Names the reference behind a summary

Safety boundary

  • Raw evidence, secrets, paths, coils, registers, and command payloads never enter the portal.

Step 03

Open risk

Safety-source and quality risks stay visible to the customer until a human resolves them.

Inputs

  • Fleet risk register
  • Escape candidates
  • Known-bad miss events
  • Coverage gaps
  • Commissioning exceptions
  • Signed-pack blockers

Proof generated

  • Customer risk board
  • Risk severity + owner role
  • Evidence references
  • Cannot-accept-away marker

Where it appears in the app

  • FleetWorks risks
  • Governance
  • CustomerTrust risks
  • Trust

AI Sense support

  • Groups repeated risks across the scope
  • Flags unsupported risk acceptance
  • Explains each risk severity in customer language

Safety boundary

  • Customer visibility cannot accept, waive, or clear a safety-source risk.

Step 04

Approval request

Customer approval is a recorded governance acknowledgement, not a technical safety override.

Inputs

  • Approval request packet
  • Required role
  • Supporting evidence references
  • Open-risk references
  • Boundary statement
  • Two-person requirement where applicable

Proof generated

  • Append-only decision receipt
  • Acknowledgement record
  • Requester + role reference
  • Request hash

Where it appears in the app

  • CustomerTrust approvals
  • SignedPacks
  • Improvements
  • Governance

AI Sense support

  • Explains what evidence supports the request
  • Names the blockers that remain
  • Distinguishes an acknowledgement from a technical approval

Safety boundary

  • An approval cannot force PASS, clear recovery, write PLC outputs, activate a pack, or bypass station authority.

Step 05

Audit trail

Every view, export, acknowledgement, and decision is recorded in an append-only hash chain.

Inputs

  • View events
  • Export events
  • Acknowledgement events
  • Rejection events
  • Scope changes
  • Previous receipt hash

Proof generated

  • Append-only audit timeline
  • Receipt hash + previous hash
  • Actor identity reference
  • Chain-integrity verification

Where it appears in the app

  • CustomerTrust audit
  • Trust
  • Governance

AI Sense support

  • Flags a missing receipt
  • Flags a stale packet
  • Explains an audit-chain gap for a human to check

Safety boundary

  • Audit records identity by safe reference and never exposes personal data or authority tokens.

Step 06

No control surface

The customer portal has no machine-control surface — station authority stays local at the EdgePod.

Inputs

  • Local station authority
  • PLC boundary
  • Forbidden-capability set
  • Portal request context
  • Recovery-lock state
  • Redaction boundary

Proof generated

  • No-control attestation
  • Forbidden-capability check
  • Authority-boundary statement

Where it appears in the app

  • CustomerTrust
  • Trust
  • Stations

AI Sense support

  • Warns when a requested action would cross the authority boundary
  • Restates what the portal cannot do
  • Never issues a command itself

Safety boundary

  • No customer role can command a station, activate a pack, clear recovery, write a PLC output, or force PASS from the portal.
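The gate behind Step 01 (role-scoped views) and Step 06 (no control surface) can be shown as a deny-by-default authorization check. The Python below is an added example, not HoldField code: the capability strings, the RoleScope and PortalRequest shapes, the VISIBILITY_FLAGS mapping and the sample data are constructed here; only the boundary they encode (no station command, pack activation, recovery clear, PLC output write or forced PASS from the portal) comes from the page. The forbidden-capability set is tested before scope and permissions, so a misconfigured permission set can never re-enable a control capability.

```python
"""Deny-by-default gate for a customer-portal request.

Added illustration, not HoldField code. Capability names, data shapes and
sample values are constructed for this example.
"""
from dataclasses import dataclass
import hashlib
import json

# Capabilities no customer role may hold (constructed strings mirroring the
# page's safety boundary). Checked first, before scope and permissions.
FORBIDDEN_CAPABILITIES = frozenset({
    "station.command", "pack.activate", "recovery.clear",
    "plc.write_output", "qa.force_pass",
})

# Data-visibility flags: summary fields that need an extra permission to appear.
VISIBILITY_FLAGS = {"internal_notes": "view.internal_notes",
                    "escape_candidates": "view.risks"}


@dataclass(frozen=True)
class RoleScope:
    tenant: str
    role: str
    sites: frozenset
    lines: frozenset
    stations: frozenset
    permissions: frozenset  # read-style capabilities this role may use


@dataclass(frozen=True)
class PortalRequest:
    tenant: str
    site: str
    line: str
    station: str
    capability: str


def authorize(scope: RoleScope, req: PortalRequest):
    """Return (allowed, reason). Anything not in scope and permitted is denied."""
    if req.capability in FORBIDDEN_CAPABILITIES:
        return False, "forbidden-capability: the portal has no control surface"
    if req.tenant != scope.tenant:
        return False, "out-of-scope: tenant"
    if req.site not in scope.sites:
        return False, "out-of-scope: site"
    if req.line not in scope.lines:
        return False, "out-of-scope: line"
    if req.station not in scope.stations:
        return False, "out-of-scope: station"
    if req.capability not in scope.permissions:
        return False, "permission-denied: " + req.capability
    return True, "allowed"


def scope_manifest(scope: RoleScope) -> dict:
    """Scoped view manifest plus a scope hash over its canonical JSON form,
    so a reviewer can check which scope produced a given view."""
    manifest = {
        "tenant": scope.tenant, "role": scope.role,
        "sites": sorted(scope.sites), "lines": sorted(scope.lines),
        "stations": sorted(scope.stations), "permissions": sorted(scope.permissions),
    }
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return {**manifest, "scope_hash": hashlib.sha256(canonical).hexdigest()}


def filter_readiness(scope: RoleScope, summaries: list) -> list:
    """Keep only readiness summaries inside the role's tenant and station scope,
    dropping fields whose visibility flag the role does not satisfy."""
    visible = []
    for s in summaries:
        if s["tenant"] != scope.tenant or s["station"] not in scope.stations:
            continue
        visible.append({k: v for k, v in s.items()
                        if k not in VISIBILITY_FLAGS
                        or VISIBILITY_FLAGS[k] in scope.permissions})
    return visible


def demo_scope() -> RoleScope:
    """A constructed customer QA role scoped to two stations on one line."""
    return RoleScope(tenant="acme", role="customer_qa",
                     sites=frozenset({"plant-1"}), lines=frozenset({"L2"}),
                     stations=frozenset({"ST-07", "ST-08"}),
                     permissions=frozenset({"view.readiness", "view.risks",
                                            "view.evidence_refs"}))


if __name__ == "__main__":
    scope = demo_scope()
    for cap in ("view.readiness", "plc.write_output", "approve.production"):
        print(cap, authorize(scope, PortalRequest("acme", "plant-1", "L2", "ST-07", cap)))
```

Ordering matters: because the forbidden set is consulted before the permission set, a role whose permissions were (wrongly) granted "plc.write_output" is still refused, which is the property the Step 06 attestation is meant to guarantee.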

AI Sense explains the risk and the next human check, never approves

AI Sense

One reading layer across every CustomerTrust step

Observes evidence, finds missing proof, explains uncertainty, ranks human checks, and prepares handoffs — it never commands hardware.

Reads

  • Evidence bundles
  • Review events
  • QA decisions
  • Vision Twin drift
  • Commissioning blockers
  • Governance decisions
  • Station registry
  • Ops metrics

Produces

  • Findings
  • Evidence-gap warnings
  • Work-package hints
  • Commissioning questions
  • Support summaries

Never

  • No PLC writes
  • No force PASS
  • No recovery clear
  • No robot commands
  • No camera/light commands
  • No production approval
  • No evidence mutation
  • No QA decision mutation

AI Sense observes evidence and guides humans — it records nothing and changes nothing. It does not command a station, write a PLC, clear recovery, reset safety, force a pass, approve production, sign off, or mutate any review, QA decision, commissioning, governance, evidence, or runtime state. Every recommendation is a suggestion for a human to carry out; the PLC and safety circuit remain authoritative.

Customer-safe packet

Proof by reference, never raw data

The redacted customer packet carries the tenant scope, readiness with a go/no-go recommendation, evidence references by hash, ranked open risks, known limitations, and an explicit omissions list — so a customer team can review proof without any station ever handing over raw internals.

  • tenant_scope: tenant, site, line, and station scope for this role only
  • readiness: readiness by scope with go/no-go recommendation and blockers
  • evidence_refs: evidence, coverage, QA, and commissioning references by hash
  • open_risks: ranked risk-register entries (severity + owner role)
  • known_limitations: what the scoped view cannot know or control
  • omissions: explicit list of what was withheld
  • receipt_hash: append-only receipt hash + previous hash
  • generated_by: actor identity by safe reference, redaction state

The packet never contains raw images or evidence frames, raw PLC coils or registers, private keys or signing secrets, authority tokens, operator personal identity, local file paths or command payloads.
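To make the packet layout above, the redacted references of Step 02 and the append-only receipt chain of Step 05 concrete, here is an added Python example; it is not HoldField code. The field names follow the packet layout on this page, while the helper names (canonical_hash, redact_evidence, build_packet, verify_chain, leaks_raw_data, demo), the WITHHELD_KEYS set, the GENESIS_HASH sentinel and every sample record are constructed for this example. Each packet carries hash references in place of evidence bundles, an explicit omissions list naming the withheld fields, and a receipt whose hash binds the packet body to the previous receipt; verify_chain walks a sequence of packets and reports the first break.

```python
"""Customer-safe packet: evidence by hash reference, explicit omissions,
and an append-only receipt chain. Added example, not HoldField code;
helper names and sample records are constructed here.
"""
import hashlib
import json

GENESIS_HASH = "0" * 64  # constructed sentinel the first receipt links to

# Bundle fields that must stay on the station: raw frames, PLC coils/registers,
# secrets, authority tokens, operator identity, local paths, command payloads.
WITHHELD_KEYS = frozenset({
    "frame", "coils", "registers", "signing_key", "auth_token",
    "operator_name", "local_path", "command_payload",
})


def canonical_hash(obj) -> str:
    """SHA-256 over canonical JSON, so the station can recompute the same hash."""
    data = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def redact_evidence(bundles):
    """Replace each bundle with a hash reference and list what was withheld.
    The hash covers the full bundle, so the station can later prove a bundle
    matches its reference without the portal ever holding the contents."""
    refs, omissions = [], []
    for b in bundles:
        refs.append({"id": b["id"], "kind": b["kind"], "sha256": canonical_hash(b)})
        withheld = sorted(k for k in b if k in WITHHELD_KEYS)
        if withheld:
            omissions.append({"id": b["id"], "withheld": withheld})
    return refs, omissions


def build_packet(tenant_scope, readiness, bundles, risks, limitations,
                 previous_hash, actor_ref):
    """Assemble one redacted packet and chain its receipt to the previous one."""
    refs, omissions = redact_evidence(bundles)
    body = {
        "tenant_scope": tenant_scope,
        "readiness": readiness,
        "evidence_refs": refs,
        "open_risks": sorted(risks, key=lambda r: -r["severity"]),
        "known_limitations": limitations,
        "omissions": omissions,
        "generated_by": {"actor_ref": actor_ref, "redaction_state": "redacted"},
    }
    receipt = {"previous_hash": previous_hash, "body_hash": canonical_hash(body)}
    receipt["receipt_hash"] = canonical_hash(receipt)  # binds body to predecessor
    return {**body, "receipt_hash": receipt}


def verify_chain(packets, genesis=GENESIS_HASH):
    """Return (ok, index): ok is False at the first packet whose receipt does
    not match its body or does not link to the previous receipt."""
    prev = genesis
    for i, p in enumerate(packets):
        r = p["receipt_hash"]
        body = {k: v for k, v in p.items() if k != "receipt_hash"}
        link = {"previous_hash": r["previous_hash"], "body_hash": r["body_hash"]}
        if (r["previous_hash"] != prev
                or r["body_hash"] != canonical_hash(body)
                or r["receipt_hash"] != canonical_hash(link)):
            return False, i
        prev = r["receipt_hash"]
    return True, len(packets)


def leaks_raw_data(obj) -> bool:
    """True if any withheld key appears anywhere in the packet tree."""
    if isinstance(obj, dict):
        return any(k in WITHHELD_KEYS or leaks_raw_data(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(leaks_raw_data(v) for v in obj)
    return False


def demo():
    """Build a two-packet chain from constructed station-side records."""
    scope = {"tenant": "acme", "site": "plant-1", "line": "L2", "station": "ST-07"}
    bundles = [  # constructed; includes fields that must never leave the station
        {"id": "ev-001", "kind": "evidence", "frame": "<raw bytes>",
         "operator_name": "J. Doe", "verdict": "PASS"},
        {"id": "cov-001", "kind": "coverage", "registers": [0, 1, 1], "coverage_pct": 97.5},
    ]
    risks = [
        {"id": "r-1", "severity": 2, "owner_role": "qa_lead", "cannot_accept_away": False},
        {"id": "r-2", "severity": 4, "owner_role": "safety_owner", "cannot_accept_away": True},
    ]
    first = build_packet(scope, {"go_no_go": "NO-GO", "blockers": ["r-2"]}, bundles, risks,
                         ["cannot see raw frames", "cannot command station"],
                         GENESIS_HASH, "actor:ref:0042")
    second = build_packet(scope, {"go_no_go": "GO", "blockers": []}, bundles, risks[:1],
                          ["cannot command station"],
                          first["receipt_hash"]["receipt_hash"], "actor:ref:0042")
    return [first, second]


if __name__ == "__main__":
    chain = demo()
    print("chain ok:", verify_chain(chain), "leaks:", leaks_raw_data(chain))
```

Two caveats a practitioner would add in production: a plain hash over a bundle with low-entropy fields can be brute-forced from the reference, so a station should commit with a secret salt or nonce it keeps locally; and a hash chain only proves that the stored sequence is internally consistent, so the latest receipt hash still has to be anchored somewhere the portal operator cannot rewrite (a signed pack receipt, a second store, or a customer-held copy).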

Signed-in customer teams work with this in the HoldField portal under CustomerTrust. A role-scoped view shows readiness, redacted evidence references, the open-risk board, recorded approval acknowledgements, and the append-only audit trail, while station authority stays local: nothing here commands a station, activates a pack, clears recovery, writes a PLC output, or forces PASS.