EnterpriseGuard
Hardened deployment, not remote control
Deploy tenant-scoped access, redacted support, backups, upgrade preflights, and offline operation while inspection authority stays local — nothing here commands the cell, centralizes control, or approves production.
Step 01
Deployment profile
A named deployment profile defines the tenant, site, and station scope, the network policy, and the allowed artifacts — a record, never a grant of physical authority.
Inputs
- Tenant
- Site
- Station scope
- Network policy
- Signed artifact allowlist
- Allowed support level
- Backup policy
- Offline policy
Proof generated
- Deployment profile receipt
- Scope hash
- Artifact allowlist hash
- Network policy hash
Where it appears in the app
- EnterpriseGuard
- Stations
- Governance
- Trust
AI Sense support
- Detects missing profile fields
- Flags unsafe defaults
- Explains scope drift from the last verified profile
Safety boundary
- A deployment profile grants no physical authority and commands no station.
Step 02
Verified access
Access requires a verified identity, role, tenant, and session proof — the dev header is never trusted for physical action in production.
Inputs
- Named identity
- Role
- Tenant scope
- Site scope
- Session receipt
- Token expiry
- MFA policy where configured
- Service-account separation
Proof generated
- Access receipt
- Session hash
- Role-scope receipt
- Denial receipt for rejected access
Where it appears in the app
- EnterpriseGuard
- CustomerTrust
- Governance
- Audit
AI Sense support
- Flags a role mismatch
- Flags stale sessions and excessive access
- Explains a rejected-access spike
Safety boundary
- Verified access authenticates a person; it never commands a station.
Step 03
Tenant isolation
Every governed action is scoped to an authorized tenant and site on the server — missing scope denies access, it never defaults open.
Inputs
- Tenant id
- Customer org id
- Site scope
- Line scope
- Station scope
- Role visibility
- Data visibility
- Export permission
Proof generated
- Tenant-scope receipt
- Authorization decision receipt
- Cross-tenant denial receipt
Where it appears in the app
- EnterpriseGuard
- CustomerTrust
- Trust
- Audit
AI Sense support
- Detects a missing scope
- Flags cross-tenant risk
- Flags an overbroad role visibility
Safety boundary
- Missing scope denies access; the tenant boundary never defaults open.
Step 04
Backup readiness
Backups preserve audit receipts, evidence indexes, and config hashes — never private keys, secrets, or raw PLC data — and a restore drill proves the path back.
Inputs
- Audit receipts
- Evidence indexes
- Station registry snapshots
- Configuration hashes
- Legal-hold state
- Retention state
- Signed-pack receipts
- Rollout decisions
Proof generated
- Backup manifest
- Backup hash
- Restore drill receipt
- Omissions list
- Retention state receipt
Where it appears in the app
- EnterpriseGuard
- Trust
- Audit
AI Sense support
- Flags a stale backup
- Flags a missing restore drill
- Flags a retention or legal-hold conflict
Safety boundary
- A restore can never delete receipts, clear recovery, or erase a legal hold.
Step 05
Redacted support bundle
Support receives summaries, references, and receipts — never raw images, evidence frames, secrets, tokens, or command surfaces — with an explicit omissions list.
Inputs
- Site summary
- Station health summary
- Evidence references
- Review summary
- Commissioning blockers
- Governance decisions
- Ops metrics
- AI Sense findings
Proof generated
- Support bundle receipt
- Redaction receipt
- Export hash
- Omissions list
Where it appears in the app
- EnterpriseGuard
- SignalOps
- CustomerTrust
- Trust
AI Sense support
- Summarizes support risk
- Detects missing proof before export
- Flags a redaction gap
Safety boundary
- A support bundle cannot expose secrets, tokens, or any command surface.
Step 06
Upgrade preflight
An upgrade preflight requires a fresh backup, signed and allowlisted artifacts, a rollback plan, and a safe inspection window — it verifies, it never applies.
Inputs
- Backup freshness
- Restore drill freshness
- Signed artifact validity
- Artifact allowlist
- Rollback plan
- Station inspection state
- Recovery-lock state
- Customer notification requirement
- Maintenance window
Proof generated
- Upgrade preflight receipt
- Blocker list
- Artifact verification receipt
- Rollback readiness receipt
Where it appears in the app
- EnterpriseGuard
- SignedPacks
- Governance
- Ops metrics
AI Sense support
- Explains an upgrade blocker
- Flags stale-backup risk
- Flags an unsafe upgrade window
Safety boundary
- A preflight cannot activate an unsigned artifact, apply an upgrade, or clear recovery.
Step 07
Offline operation
Local inspection keeps running when the cloud is unreachable — evidence, review queue, and exports are held locally and replayed after reconnect, never bypassing policy.
Inputs
- Local inspection
- Local evidence receipt
- Local review queue
- Local station registry cache
- Local signed policy cache
- Deferred export queue
- Replay after reconnect
Proof generated
- Offline mode receipt
- Queued export receipt
- Replay receipt
- Sync conflict receipt
Where it appears in the app
- EnterpriseGuard
- Ops metrics
- Stations
AI Sense support
- Detects a sync backlog
- Flags a stale policy cache
- Flags a replay conflict
Safety boundary
- Offline mode cannot bypass policy, run an unsigned artifact, or override station authority.
AI Sense explains enterprise risk, never approves
AI Sense
One reading layer across every EnterpriseGuard step
Observes evidence, finds missing proof, explains uncertainty, ranks human checks, and prepares handoffs — it never commands hardware.
Reads
- Evidence bundles
- Review events
- QA decisions
- Vision Twin drift
- Commissioning blockers
- Governance decisions
- Station registry
- Ops metrics
Produces
- Findings
- Evidence-gap warnings
- Work-package hints
- Commissioning questions
- Support summaries
Never
- No PLC writes
- No force PASS
- No recovery clear
- No robot commands
- No camera/light commands
- No production approval
- No evidence mutation
- No QA decision mutation
AI Sense observes evidence and guides humans — it records nothing and changes nothing. It does not command a station, write a PLC, clear recovery, reset safety, force a pass, approve production, sign off, or mutate any review, QA decision, commissioning, governance, evidence, or runtime state. Every recommendation is a suggestion for a human to carry out; the PLC and safety circuit remain authoritative.
Local station authority
Hardening never centralizes control
EnterpriseGuard improves deployment, access, backup, support, upgrades, and offline resilience. It never moves inspection authority out of the cell — the PLC, the machine controller, and the EdgePod runtime stay the local authority, below the policy, UI, and AI Sense guidance layers.
- AI Sense guidance: observes and explains — cannot command or approve
- Human UI: people review, decide, and record
- HoldField policy: fail-closed policy and receipts
- EdgePod runtime: local execution, fail-closed
- Machine controller: the machine’s own controller
- PLC / safety: the safety layer — the ultimate local authority
Redacted support bundle
Support gets summaries by reference, never raw station data
The redacted support bundle carries a site summary, station health, evidence references, a review summary, commissioning blockers, governance decisions, AI Sense findings, and an explicit omissions list — so support can triage without any station ever handing over raw internals, secrets, or a command surface.
- site_summary: site + station health by reference — never raw evidence
- station_health_summary: posture and open blockers, no raw frames
- evidence_refs: references to evidence receipts, never the images
- review_summary: review lifecycle status by reference
- commissioning_blockers: open FAT/SAT and readiness blockers
- governance_decisions: recorded governance decisions by reference
- ai_sense_findings: ranked findings + recommended human checks
- omissions: explicit list of what was withheld
- bundle_hash: integrity fingerprint of the redacted bundle
The bundle never contains raw images or evidence frames; raw PLC coils or registers; private keys or signing secrets; authority tokens; camera, lighting, or robot command payloads; or operator personal identity or local file paths.
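The allowlist-plus-omissions pattern described above, sketched as an added example (not HoldField's code or its actual bundle format). The forbidden key names, the choice of SHA-256 over canonical JSON, and the sample record are assumptions made for illustration.

```python
import hashlib
import json

# Field names from the page's bundle description.
ALLOWED_FIELDS = ("site_summary", "station_health_summary", "evidence_refs",
                  "review_summary", "commissioning_blockers",
                  "governance_decisions", "ai_sense_findings")
# Hypothetical key names for categories the page says are never exported.
FORBIDDEN_KEYS = {"raw_image", "evidence_frame", "plc_registers", "private_key",
                  "authority_token", "command_payload", "operator_identity"}

def redact(value, path, omitted):
    """Copy value without forbidden keys; append each removed path to omitted."""
    if isinstance(value, list):
        return [redact(v, f"{path}[{i}]", omitted) for i, v in enumerate(value)]
    if not isinstance(value, dict):
        return value
    omitted.extend(f"{path}.{k}" for k in value if k in FORBIDDEN_KEYS)
    return {k: redact(v, f"{path}.{k}", omitted)
            for k, v in value.items() if k not in FORBIDDEN_KEYS}

def bundle_hash(bundle):
    """SHA-256 over canonical JSON of every field except bundle_hash itself."""
    body = {k: v for k, v in bundle.items() if k != "bundle_hash"}
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()

def build_bundle(record):
    """Keep allowlisted fields only; everything withheld goes into omissions."""
    omitted = [k for k in record if k not in ALLOWED_FIELDS]
    bundle = {k: redact(v, k, omitted)
              for k, v in record.items() if k in ALLOWED_FIELDS}
    bundle["omissions"] = sorted(omitted)
    bundle["bundle_hash"] = bundle_hash(bundle)
    return bundle

def verify_bundle(bundle):
    """Pre-export gate: fail closed on extra fields, leaked keys or a bad hash."""
    leaked = []
    redact(bundle, "bundle", leaked)
    extra = set(bundle) - set(ALLOWED_FIELDS) - {"omissions", "bundle_hash"}
    return not leaked and not extra and bundle.get("bundle_hash") == bundle_hash(bundle)

# Constructed sample record (not real station data).
SAMPLE = {
    "site_summary": {"site": "plant-a", "operator_identity": "j.doe"},
    "evidence_refs": [{"receipt": "rcpt-001", "raw_image": "AAAA"}],
    "plc_registers": [0, 1, 1],
}
```

An unkeyed hash like this only detects tampering when the expected value is recorded somewhere the bundle's sender cannot alter, for example in a separate export receipt.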
Signed-in teams run this operationally in the HoldField app, under EnterpriseGuard — where enterprise posture, deployment profiles, verified access, tenant isolation, backup readiness, redacted support bundles, upgrade preflights, offline operation, and the local-authority boundary are recorded as administrative proof, and where every station stays the local authority: nothing here commands, applies an upgrade, activates an artifact, clears recovery, or approves production.