Objective
Complete one controlled, synthetic, authenticated GEM Verify case on canonical production and record evidence that role separation, workflow transitions, audit history, and readiness reporting behave correctly.
Production baseline
- Canonical Vercel project:
support371-gem-enterprise
- Project ID:
prj_VDGqnA7wZt2E65LLvT94ZOpnYc2Z
- Production deployment:
dpl_H9EoHUEV7pDZCr8G1j45n6m75Lv5
- Production commit:
c35f2a85bc2dc1f5c3614a4120887122bd0de1cd
- Production domain:
https://www.gemcybersecurityassist.com
- Agent-first baseline commit contained:
217cbc89f9dfa386ef5e29a11080a49472be429e
Preflight evidence completed
Required controlled identities
Use company-controlled test mailboxes only. Do not put passwords in this issue.
- administrator account: existing production administrator or newly bootstrapped account through the approved environment-driven seed path
- analyst account: active, email-verified account designated through
/app/admin/users
- applicant/client account: active, email-verified synthetic account
All passwords must meet the production strength policy and must be delivered through an approved secret channel, never GitHub comments.
Acceptance procedure
- Sign in as administrator.
- Open
/app/admin/verification-pilot and capture the initial read-only readiness report.
- Open
/app/admin/users and confirm the three controlled identities exist, are active, and are email verified.
- Designate the reviewer account as
analyst using:
- exact target-email confirmation
- a reason of at least 10 characters
- mandatory reauthentication after the role change
- Sign out and sign back in as the analyst; confirm routing to
/review/verification.
- Sign in as the applicant and create one synthetic individual application using clearly fictional, non-sensitive data.
- Record consent and submit the application.
- Confirm the analyst can view and assign the case.
- Issue one information request; confirm the applicant can view and respond.
- Record one controlled decision and verify the applicant status page updates correctly.
- Verify append-only review and audit history for login, role change, submission, review actions, and decision.
- Confirm cross-role access is rejected:
- applicant cannot access analyst/admin routes
- analyst cannot access admin-only routes
- unauthenticated requests remain
401 or redirect to login
- Re-run
/app/admin/verification-pilot and capture the final readiness report.
- Check Vercel runtime errors and relevant route logs after the exercise.
Data rules
- Use synthetic names and non-sensitive data only.
- Do not upload identity documents while secure document upload remains disabled.
- Do not use real SSNs, passport numbers, bank details, addresses, or client records.
- Do not place passwords, session cookies, tokens, or database URLs in GitHub.
Completion criteria
Current blocker
The connected tools do not expose the canonical production PostgreSQL connection or an authenticated administrator session. Therefore test identities were not created and no production records were mutated during preflight. Resume from Step 1 using an approved administrator login or the environment-driven seed bootstrap.
Objective
Complete one controlled, synthetic, authenticated GEM Verify case on canonical production and record evidence that role separation, workflow transitions, audit history, and readiness reporting behave correctly.
Production baseline
support371-gem-enterpriseprj_VDGqnA7wZt2E65LLvT94ZOpnYc2Zdpl_H9EoHUEV7pDZCr8G1j45n6m75Lv5c35f2a85bc2dc1f5c3614a4120887122bd0de1cdhttps://www.gemcybersecurityassist.com217cbc89f9dfa386ef5e29a11080a49472be429ePreflight evidence completed
/app/admin/verification-pilotredirects unauthenticated users to/client-loginwhile preserving the destination/api/verify/pilot-readinessreturns401 Unauthorizedwithout an administrator session/api/admin/usersreturns401 Unauthorizedwithout an administrator sessionRequired controlled identities
Use company-controlled test mailboxes only. Do not put passwords in this issue.
/app/admin/usersAll passwords must meet the production strength policy and must be delivered through an approved secret channel, never GitHub comments.
Acceptance procedure
/app/admin/verification-pilotand capture the initial read-only readiness report./app/admin/usersand confirm the three controlled identities exist, are active, and are email verified.analystusing:/review/verification.401or redirect to login/app/admin/verification-pilotand capture the final readiness report.Data rules
Completion criteria
Current blocker
The connected tools do not expose the canonical production PostgreSQL connection or an authenticated administrator session. Therefore test identities were not created and no production records were mutated during preflight. Resume from Step 1 using an approved administrator login or the environment-driven seed bootstrap.