{"success":true,"filters":{"layer":null,"visibility":null,"search":null},"summary":{"profiles":6,"layers":6,"visibilityModes":4,"roles":5,"apiScopes":14,"evidenceItems":18},"profiles":[{"id":"access-identity","layer":"identity","name":"Identity-bound learning evidence","purpose":"Tie readiness scores, attempts, credentials, manager reports, and exports to authenticated learners and organizations.","enforcementPoint":"getCurrentUser, getCurrentContentUser, SSO/SCIM provisioning, and enterprise user imports","failClosedRule":"If a learner or API principal cannot be resolved, readiness writes and private reads stop.","visibilityModes":[{"mode":"public","learnerAccess":"Active global content can be browsed without tenant context.","managerAccess":"Managers can use public content as academy defaults.","adminAccess":"Only platform admins can publish true public content."},{"mode":"org-only","learnerAccess":"Learners can read active content assigned to their organization.","managerAccess":"Managers can inspect team evidence inside their organization.","adminAccess":"Tenant admins and instructors can manage content inside their organization."},{"mode":"private","learnerAccess":"Only the creator or permitted manager can inspect the artifact.","managerAccess":"Managers use private evidence for coaching, not broad publishing.","adminAccess":"Admins can manage private content only inside their allowed tenant boundary."},{"mode":"draft","learnerAccess":"Learners cannot use drafts as readiness evidence.","managerAccess":"Managers can review drafts only when they are content managers.","adminAccess":"Admins and instructors review drafts before publishing."}],"roles":[{"role":"owner","permissions":["billing","branding","identity","all academy settings"],"boundary":"Own organization or platform scope when explicitly platform-admin."},{"role":"admin","permissions":["content approval","integration setup","org reports"],"boundary":"Own organization and assigned academy surfaces."},{"role":"manager","permissions":["team dashboards","coaching reports","export readiness evidence"],"boundary":"Own organization and assigned academy surfaces."},{"role":"instructor","permissions":["scenario drafts","rubric drafts","learner feedback"],"boundary":"Own organization and assigned academy surfaces."},{"role":"viewer","permissions":["read-only dashboards","credential registry"],"boundary":"Own organization and assigned academy surfaces."}],"apiScopes":["users:read","users:write","all:read"],"evidence":["Readiness artifacts carry learner and org identifiers","Credential registry entries can be traced to an identity-managed learner","SSO/SCIM keeps user access aligned with company identity"],"implementationRefs":["src/lib/auth.ts","src/lib/content-access.ts","src/lib/enterprise-access.ts","src/app/api/enterprise/sso/route.ts"]},{"id":"access-tenant","layer":"tenant","name":"Tenant isolation","purpose":"Keep company academies, custom scenarios, manager reports, and private evidence inside the owning organization.","enforcementPoint":"resolveEnterpriseOrgId, assertEnterpriseOrgAccess, orgId-scoped content reads and writes","failClosedRule":"Tenant admins cannot request or mutate another org's resources; platform admins need explicit org context.","visibilityModes":[{"mode":"public","learnerAccess":"Active global content can be browsed without tenant context.","managerAccess":"Managers can use public content as academy defaults.","adminAccess":"Only platform admins can publish true public content."},{"mode":"org-only","learnerAccess":"Learners can read active content assigned to their organization.","managerAccess":"Managers can inspect team evidence inside their organization.","adminAccess":"Tenant admins and instructors can manage content inside their organization."},{"mode":"private","learnerAccess":"Only the creator or permitted manager can inspect the artifact.","managerAccess":"Managers use private evidence for coaching, not broad publishing.","adminAccess":"Admins can manage private content only inside their allowed tenant boundary."},{"mode":"draft","learnerAccess":"Learners cannot use drafts as readiness evidence.","managerAccess":"Managers can review drafts only when they are content managers.","adminAccess":"Admins and instructors review drafts before publishing."}],"roles":[{"role":"owner","permissions":["billing","branding","identity","all academy settings"],"boundary":"Own organization or platform scope when explicitly platform-admin."},{"role":"admin","permissions":["content approval","integration setup","org reports"],"boundary":"Own organization and assigned academy surfaces."},{"role":"manager","permissions":["team dashboards","coaching reports","export readiness evidence"],"boundary":"Own organization and assigned academy surfaces."},{"role":"instructor","permissions":["scenario drafts","rubric drafts","learner feedback"],"boundary":"Own organization and assigned academy surfaces."},{"role":"viewer","permissions":["read-only dashboards","credential registry"],"boundary":"Own organization and assigned academy surfaces."}],"apiScopes":["teams:read","teams:write","reports:read","analytics:read"],"evidence":["Company-generated training uses org-only visibility by default","Manager reports remain scoped to team and organization","Enterprise exports include tenant identifiers"],"implementationRefs":["src/lib/enterprise-access.ts","src/lib/content-access.ts","src/lib/readiness/service.ts","src/lib/platform/company-academy.ts"]},{"id":"access-content","layer":"content","name":"Content visibility and lifecycle","purpose":"Control whether courses, scenarios, skill atoms, scenario seeds, rubric contracts, and tool scripts are public, org-only, private, or draft.","enforcementPoint":"resolveContentVisibility, resolveRequestedVisibility, lifecycle controls, and admin publishing","failClosedRule":"Non-platform admins cannot publish public content; draft content does not become learner-facing evidence.","visibilityModes":[{"mode":"public","learnerAccess":"Active global content can be browsed without tenant context.","managerAccess":"Managers can use public content as academy defaults.","adminAccess":"Only platform admins can publish true public content."},{"mode":"org-only","learnerAccess":"Learners can read active content assigned to their organization.","managerAccess":"Managers can inspect team evidence inside their organization.","adminAccess":"Tenant admins and instructors can manage content inside their organization."},{"mode":"private","learnerAccess":"Only the creator or permitted manager can inspect the artifact.","managerAccess":"Managers use private evidence for coaching, not broad publishing.","adminAccess":"Admins can manage private content only inside their allowed tenant boundary."},{"mode":"draft","learnerAccess":"Learners cannot use drafts as readiness evidence.","managerAccess":"Managers can review drafts only when they are content managers.","adminAccess":"Admins and instructors review drafts before publishing."}],"roles":[{"role":"owner","permissions":["billing","branding","identity","all academy settings"],"boundary":"Own organization or platform scope when explicitly platform-admin."},{"role":"admin","permissions":["content approval","integration setup","org reports"],"boundary":"Own organization and assigned academy surfaces."},{"role":"manager","permissions":["team dashboards","coaching reports","export readiness evidence"],"boundary":"Own organization and assigned academy surfaces."},{"role":"instructor","permissions":["scenario drafts","rubric drafts","learner feedback"],"boundary":"Own organization and assigned academy surfaces."},{"role":"viewer","permissions":["read-only dashboards","credential registry"],"boundary":"Own organization and assigned academy surfaces."}],"apiScopes":["courses:read","courses:write","all:write"],"evidence":["Draft content requires admin or instructor review","Org-only content powers company academies without leaking source context","Public credentials can verify proof without exposing private scenario details"],"implementationRefs":["src/lib/content-access.ts","src/lib/validation.ts","src/app/(admin)/admin/components/ContentLifecycleControls.tsx","src/lib/db/schema.ts"]},{"id":"access-api","layer":"api","name":"Enterprise API scopes","purpose":"Limit training data, users, teams, reports, enrollments, analytics, and webhook access for enterprise integrations.","enforcementPoint":"Bearer or x-api-key authentication, hashed keys, scopes, expiry, IP/origin allowlists, and rate limits","failClosedRule":"Invalid, expired, inactive, out-of-scope, disallowed-origin, or rate-limited API keys are rejected.","visibilityModes":[{"mode":"public","learnerAccess":"Active global content can be browsed without tenant context.","managerAccess":"Managers can use public content as academy defaults.","adminAccess":"Only platform admins can publish true public content."},{"mode":"org-only","learnerAccess":"Learners can read active content assigned to their organization.","managerAccess":"Managers can inspect team evidence inside their organization.","adminAccess":"Tenant admins and instructors can manage content inside their organization."},{"mode":"private","learnerAccess":"Only the creator or permitted manager can inspect the artifact.","managerAccess":"Managers use private evidence for coaching, not broad publishing.","adminAccess":"Admins can manage private content only inside their allowed tenant boundary."},{"mode":"draft","learnerAccess":"Learners cannot use drafts as readiness evidence.","managerAccess":"Managers can review drafts only when they are content managers.","adminAccess":"Admins and instructors review drafts before publishing."}],"roles":[{"role":"owner","permissions":["billing","branding","identity","all academy settings"],"boundary":"Own organization or platform scope when explicitly platform-admin."},{"role":"admin","permissions":["content approval","integration setup","org reports"],"boundary":"Own organization and assigned academy surfaces."},{"role":"manager","permissions":["team dashboards","coaching reports","export readiness evidence"],"boundary":"Own organization and assigned academy surfaces."},{"role":"instructor","permissions":["scenario drafts","rubric drafts","learner feedback"],"boundary":"Own organization and assigned academy surfaces."},{"role":"viewer","permissions":["read-only dashboards","credential registry"],"boundary":"Own organization and assigned academy surfaces."}],"apiScopes":["users:read","users:write","courses:read","courses:write","enrollments:read","enrollments:write","analytics:read","teams:read","teams:write","reports:read","webhooks:read","webhooks:write","all:read","all:write"],"evidence":["Enterprise API keys are hashed before lookup","Scopes must match the required resource and action","Rate limits, origins, IPs, status, and expiry are checked before access"],"implementationRefs":["src/lib/enterprise-api-auth.ts","src/app/api/enterprise/api-keys/route.ts","src/app/api/enterprise/training-data/route.ts","src/lib/rate-limit.ts"]},{"id":"access-admin","layer":"admin","name":"Role-based admin permissions","purpose":"Separate owner, admin, manager, instructor, viewer, learner, tenant admin, and platform admin responsibilities.","enforcementPoint":"Admin layout, content manager checks, company academy roles, and enterprise onboarding","failClosedRule":"Users without admin or instructor role cannot access content authoring or enterprise admin surfaces.","visibilityModes":[{"mode":"public","learnerAccess":"Active global content can be browsed without tenant context.","managerAccess":"Managers can use public content as academy defaults.","adminAccess":"Only platform admins can publish true public content."},{"mode":"org-only","learnerAccess":"Learners can read active content assigned to their organization.","managerAccess":"Managers can inspect team evidence inside their organization.","adminAccess":"Tenant admins and instructors can manage content inside their organization."},{"mode":"private","learnerAccess":"Only the creator or permitted manager can inspect the artifact.","managerAccess":"Managers use private evidence for coaching, not broad publishing.","adminAccess":"Admins can manage private content only inside their allowed tenant boundary."},{"mode":"draft","learnerAccess":"Learners cannot use drafts as readiness evidence.","managerAccess":"Managers can review drafts only when they are content managers.","adminAccess":"Admins and instructors review drafts before publishing."}],"roles":[{"role":"owner","permissions":["billing","branding","identity","all academy settings"],"boundary":"Own organization or platform scope when explicitly platform-admin."},{"role":"admin","permissions":["content approval","integration setup","org reports"],"boundary":"Own organization and assigned academy surfaces."},{"role":"manager","permissions":["team dashboards","coaching reports","export readiness evidence"],"boundary":"Own organization and assigned academy surfaces."},{"role":"instructor","permissions":["scenario drafts","rubric drafts","learner feedback"],"boundary":"Own organization and assigned academy surfaces."},{"role":"viewer","permissions":["read-only dashboards","credential registry"],"boundary":"Own organization and assigned academy surfaces."}],"apiScopes":["users:write","courses:write","teams:write","all:write"],"evidence":["Managers receive coaching reports without broad authoring rights","Instructors can draft scenarios and rubrics without org billing control","Viewers can inspect readiness dashboards without mutating content"],"implementationRefs":["src/lib/content-access.ts","src/lib/platform/company-academy.ts","src/app/(admin)/layout.tsx","src/app/(admin)/admin/enterprise/onboarding/page.tsx"]},{"id":"access-audit","layer":"audit","name":"Audit-ready access evidence","purpose":"Prove who accessed, changed, exported, or verified readiness artifacts across the enterprise rollout.","enforcementPoint":"Enterprise audit logs, evidence export center, credential registry, and report exports","failClosedRule":"Exports and credential verification should expose proof metadata, not private learner scenario contents.","visibilityModes":[{"mode":"public","learnerAccess":"Active global content can be browsed without tenant context.","managerAccess":"Managers can use public content as academy defaults.","adminAccess":"Only platform admins can publish true public content."},{"mode":"org-only","learnerAccess":"Learners can read active content assigned to their organization.","managerAccess":"Managers can inspect team evidence inside their organization.","adminAccess":"Tenant admins and instructors can manage content inside their organization."},{"mode":"private","learnerAccess":"Only the creator or permitted manager can inspect the artifact.","managerAccess":"Managers use private evidence for coaching, not broad publishing.","adminAccess":"Admins can manage private content only inside their allowed tenant boundary."},{"mode":"draft","learnerAccess":"Learners cannot use drafts as readiness evidence.","managerAccess":"Managers can review drafts only when they are content managers.","adminAccess":"Admins and instructors review drafts before publishing."}],"roles":[{"role":"owner","permissions":["billing","branding","identity","all academy settings"],"boundary":"Own organization or platform scope when explicitly platform-admin."},{"role":"admin","permissions":["content approval","integration setup","org reports"],"boundary":"Own organization and assigned academy surfaces."},{"role":"manager","permissions":["team dashboards","coaching reports","export readiness evidence"],"boundary":"Own organization and assigned academy surfaces."},{"role":"instructor","permissions":["scenario drafts","rubric drafts","learner feedback"],"boundary":"Own organization and assigned academy surfaces."},{"role":"viewer","permissions":["read-only dashboards","credential registry"],"boundary":"Own organization and assigned academy surfaces."}],"apiScopes":["reports:read","analytics:read","all:read"],"evidence":["Audit exports preserve resource type, actor, org, and timestamp","Credential verification separates public proof from private evidence","Evidence exports map to LMS, HRIS, manager dashboards, data warehouse, and webhooks"],"implementationRefs":["src/lib/platform/evidence-export-center.ts","src/lib/platform/certification-registry.ts","src/app/api/enterprise/audit/route.ts","src/app/certificates/verify/page.tsx"]}]}