MPAS-7 Consolidated Brief — Round 2
Date: March 19, 2026
Snapshot: 2026-03-19-demo-w1 (35 screenshots, captured 2026-03-19T20:41:53Z)
Review type: Visual screenshot-based (first review with visual input)
Baseline: Round 1 (March 15, 2026) — code/API-only review, no visual input
Executive Summary
The platform has made meaningful structural progress since Round 1: impact scores removed (PR #89), path detail pages enriched with visual execution diagrams and "Top Risk Reducers," two strong new pages added (Data Domains, Execution Chains), and the CRITICAL security finding (JWT verification) resolved by correct production auth configuration. However, two new broken pages (scope_drift_sensitive cluster disabled, Exposure Detail "Entity not found") constitute demo-blocking regressions. The four Round 1 blockers — remediation missing specific object names, breadcrumbs showing hash IDs, no execution confidence labels, no compliance mapping — remain unresolved. Net result: marginal improvement in most dimensions, slight regression in CISO readiness due to broken pages. The platform is ready for internal demo but not yet for design partner demo.
MPAS-7 Score Table
| Role | Round 1 (Mar 15) | Round 2 (Mar 19) | Target | Delta | Met? |
|---|---|---|---|---|---|
| CISO Executive | 70% | 68% | ≥85% | -2% (regression) | No |
| SecOps Analyst | 70% | 74% | ≥80% | +4% | No |
| Product QA | 8 partial, 2 missing | 6 partial, 1 missing, 2 diverged | ≤2 partial, 0 missing | Improved | No |
| UX Critic | B- / 23 terms | B / 19 terms | A- / ≤5 terms | +1 grade / -4 terms | No |
| Security Auditor | 1 CRITICAL, 3 HIGH | 0 CRITICAL, 2 HIGH | 0 critical | CRITICAL resolved | Yes |
| Enterprise Executive | 1.8/5 | 2.1/5 | ≥3.5/5 | +0.3 | No |
| CEO Reviewer | 18/28 (64%) | ~19/28 (68%) | ≥24/28 (86%) | +1 item | No |
Targets met: 1 of 7 (Security Auditor only).
Critical Findings (Cross-Cutting)
1. Two Broken Pages — Demo Blockers (Flagged by all 7 reviewers)
Every reviewer independently flagged these as the most urgent issues:
- `/clusters/scope_drift_sensitive` — Returns "Risk cluster is disabled: scope_drift_sensitive" with the raw internal key in the error message. The cluster still appears in the cluster list, creating a clickable dead end. Scope drift was one of Round 1's strongest proof points — this is a significant regression.
- `/exposures/EXP-322c2c81` — Returns "Entity not found" with a Retry button. The Exposures list page renders correctly, but all detail links are broken. The EXP-hash format does not resolve to an entity ID in the API.
Impact: Any stakeholder clicking through the platform — CISO, analyst, partner, or prospect — will encounter a broken page within 3-4 clicks. This destroys confidence in product quality.
2. Remediation Still Missing Specific Object Names (Flagged by CISO, SecOps, QA, Enterprise, CEO)
Phase 0.1 from the consolidated action plan remains the #1 blocker across 5 of 7 reviewers. The "Top Risk Reducers" section is improved — it references risk conditions and some entity names — but actions like "Remove role granting LLM endpoint access" still do not specify:
- Which role (e.g., `foundry_ai_executor`)
- Which system (e.g., Microsoft Entra ID)
- Which identity (partially addressed — `svc-foundry-ascribe-prod` appears on some actions)
The gap between "partially named" and "fully actionable" is the difference between a partner demo and a partner sale.
3. Breadcrumbs Show Hash IDs / Internal Identifiers (Flagged by CISO, QA, UX, Enterprise, CEO)
All detail pages display raw IDs in breadcrumbs:
- Finding Detail: `eval:05d2c303428d60df3a7c9e9d61f8fae9` (worst offender — full eval-prefixed hash)
- Entity Detail: `01c9ad87...`
- Authority Path Detail: `009396d3...` or "backstack" (placeholder text)
- Chain Detail: `faf220d6...`
- Cluster Detail: `orphaned_sensitive` (internal key, not display name)
The display names are already loaded on each page (visible in page titles). This is a presentation bug, not a data gap.
4. Compliance Mapping Absent (Flagged by Enterprise Executive as #1 gap)
Zero compliance framework references (OWASP, NIST, SOX, HIPAA) appear anywhere in the platform. This was planned as Phase 1.3 / Phase 4.1 — a static deterministic lookup table. The Enterprise Executive rates this as "the single largest drag on the score." Without it, a partner must supply 100% of the regulatory context for executive deliverables.
What Improved (Round 1 → Round 2)
| Improvement | Evidence | Impact |
|---|---|---|
| Impact scores removed (PR #89) | No score bars visible; remediation renders as ordered list | Removes the most confusing UI element from Round 1 |
| Path detail execution diagram | Visual workload → identity → destination chain with role labels | Strongest single page improvement — enables 5-second path comprehension |
| "Top Risk Reducers" section | Ordered remediation actions with risk condition references | Replaces broken impact bars with actionable prioritized list |
| Data Domains page (new) | 7 domains, 27 resources, sensitivity classifications | Best CISO-intuitive page; immediate blast radius understanding |
| Execution Chains page (new) | 6 chains with egress, ownership, sensitivity columns | New analyst investigation dimension |
| Identities table enriched | "Sensitive Domains" column shows which domains each identity touches | Cross-reference capability from identities to data impact |
| Finding triage buttons (new) | "Acknowledge" and "Mark False Positive" on finding detail | First workflow actions — enables in-platform triage state tracking |
| Ownership section names | "Maria Lopez" as departed owner, "Not assigned" for current state | Answers "who owned this?" with a real name |
| Tenant isolation enforced | requireTenant middleware on all /api/v1 routes | Round 1 HIGH finding resolved |
| Rate limiting implemented | Two-tier per-tenant rate limiting | Round 1 MEDIUM finding resolved |
| JWT CRITICAL reclassified | Bearer auth not active in production config | 0 CRITICAL security findings |
What Regressed (Round 1 → Round 2)
| Regression | Severity | Detected By |
|---|---|---|
| `scope_drift_sensitive` cluster broken | CRITICAL (demo blocker) | All 7 reviewers |
| Exposure Detail "Entity not found" | CRITICAL (demo blocker) | All 7 reviewers |
| Finding breadcrumb worse — shows full `eval:` prefix instead of truncation | MEDIUM | QA, UX |
| UX Critic: Cluster detail lost Exposure Brief (Sections A-D) structure | HIGH (per UX) | UX Critic |
| "backstack" placeholder text in path detail breadcrumb | LOW | UX Critic |
Pending Decisions (Carried from Round 1)
| # | Decision | Owner | Impact |
|---|---|---|---|
| 1 | Delta badges on Overview — keep, contextualize, or remove? | Sergey | Blocks Phase 1 start |
| 2 | "Authority path" terminology — understood by SIs/CISOs? | Sergey | Affects all UI text |
| 3 | Global risk ranking on Overview — top-3 absolute risks? | Sergey | Phase 1.5 scope |
| 4 | Evidence pack definition — jargon-free one-liner | Sergey | Report template language |
Top 5 Priority Actions
P0 — Fix Before Any Demo (1-2 sessions)
- Fix broken cluster page. Either fix the `scope_drift_sensitive` cluster rendering, or remove it from the cluster list if intentionally disabled. Never expose internal keys in error messages.
- Fix Exposure Detail. Resolve the EXP-hash → entity ID mapping so detail pages load. If the feature is incomplete, remove clickable links from the list page.
P1 — Fix This Sprint (3-5 sessions)
- Complete remediation object naming (Phase 0.1). Every remediation action must specify: which role, which identity, which system. The entity context data exists — pipe it through `generatePathRemediation()` consistently for all actions.
- Fix breadcrumbs across all detail pages (Phase 2.3). Implement a `useBreadcrumbLabel()` that resolves any ID segment to its display name using already-fetched page data. One implementation pass covers all routes.
- Add compliance mapping (Phase 1.3 / 4.1). Static deterministic lookup table: `orphaned_ownership` → OWASP ASI-03, NIST AC-2; `scope_drift` → ASI-10, NIST AC-6; `llm_egress` → ASI-02, NIST SC-7. Low effort, highest impact for enterprise deliverable readiness.
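The breadcrumb fix above, sketched as a pure label resolver that a `useBreadcrumbLabel()` hook could wrap. This is an added illustration, not the platform's code; the static route labels and the `SAMPLE_PAGE_DATA` map are assumed/constructed, and the fallback order (display name, then truncated hash, then humanized key) mirrors the breadcrumb cases listed in Critical Finding 3.

```javascript
// Added example (not the platform's code): pure resolver a useBreadcrumbLabel()
// hook could wrap. It maps the raw ID segments listed in the brief to display
// names from already-fetched page data and never renders an eval:-prefixed
// hash, a bare internal key, or a placeholder segment.

// Assumed static route labels (the brief only names /clusters and /exposures).
const ROUTE_LABELS = {
  findings: "Findings",
  entities: "Entities",
  paths: "Authority Paths",
  chains: "Execution Chains",
  clusters: "Risk Clusters",
  exposures: "Exposures",
};
const PLACEHOLDERS = new Set(["backstack"]); // placeholder segments are dropped
const ID_PREFIX = /^eval:/;                   // finding IDs carry an eval: prefix
const HEX_ID = /^[0-9a-f]{8,}$/i;
const INTERNAL_KEY = /^[a-z][a-z0-9]*(?:_[a-z0-9]+)+$/; // e.g. scope_drift_sensitive

// Resolve one path segment to a label, or null to omit it from the trail.
function resolveBreadcrumbLabel(segment, pageData) {
  if (PLACEHOLDERS.has(segment)) return null;
  if (Object.hasOwn(ROUTE_LABELS, segment)) return ROUTE_LABELS[segment];
  const bare = segment.replace(ID_PREFIX, "");
  for (const key of [segment, bare]) {          // preferred: name already on the page
    if (Object.hasOwn(pageData, key)) return pageData[key];
  }
  if (HEX_ID.test(bare)) return bare.slice(0, 8) + "..."; // last resort: truncated hash
  if (INTERNAL_KEY.test(segment)) {             // humanize a snake_case internal key
    return segment.split("_").map((w) => w[0].toUpperCase() + w.slice(1)).join(" ");
  }
  return segment;
}

// Build the full trail for a route, dropping placeholder segments.
function buildBreadcrumbs(path, pageData = {}) {
  return path
    .split("/")
    .filter(Boolean)
    .map((s) => resolveBreadcrumbLabel(decodeURIComponent(s), pageData))
    .filter((label) => label !== null);
}

// Constructed sample of the data a detail page has already fetched.
const SAMPLE_PAGE_DATA = {
  "05d2c303428d60df3a7c9e9d61f8fae9": "Orphaned role grants LLM endpoint access",
  scope_drift_sensitive: "Scope Drift (Sensitive Data)",
};
```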
Per-Reviewer Verdicts
| Reviewer | Verdict | Key Quote |
|---|---|---|
| CISO | NEEDS WORK (68%) | "The improvements are below the fold; the regressions are at click distance." |
| SecOps | NEEDS WORK (74%) | "A SOC team could not adopt this today — the 'what changed' gap and broken pages make that impossible." |
| Product QA | Ready for internal demo, NOT design partner | "6 partial, 1 missing, 2 diverged — the inconsistency in remediation specificity is arguably worse than uniformly generic." |
| UX Critic | Grade B (up from B-) | "The loss of the Exposure Brief structure on cluster detail pages is the most significant regression." |
| Security Auditor | 0 CRITICAL (target met) | "The JWT verification gap is correctly contained by the production auth configuration. Overall security posture has materially improved." |
| Enterprise Exec | 2.1/5 (NEEDS REWRITE) | "The data foundation remains strong. The executive wrapper is still what is missing." |
| CEO | YES WITH CHANGES | "Four sessions of focused work on 4 blocking items would move this from 'good demo' to 'partner-ready demo.'" |
Release Readiness
| Level | Ready? |
|---|---|
| Internal demo | Yes |
| Design partner demo | No — blocked by broken pages, remediation naming, breadcrumbs |
| Broader pilot | No — also needs export, compliance mapping, "what changed" filter |
Path to Targets
| Role | Current | Target | What's Needed |
|---|---|---|---|
| CISO | 68% | 85% | Fix broken pages (+2%), breadcrumbs (+3%), cluster card hierarchy (+5%), compliance tags (+3%), stat cards (+2%), what-changed filter (+2%) |
| SecOps | 74% | 80% | Fix broken pages (+2%), what-changed filter (+3%), entity names in findings (+1%) |
| Product QA | 6P/1M/2D | ≤2P/0M | Fix broken cluster (D2), complete remediation naming (D1), add sidebar nav (D5), fix breadcrumbs (D4) |
| UX Critic | B / 19 | A- / ≤5 | Restore Exposure Brief (A-D), fix broken pages, fix breadcrumbs, terminology standardization |
| Security Auditor | 0 CRITICAL | 0 CRITICAL | MET. Maintain by implementing JWT verification before enabling Bearer auth. |
| Enterprise Exec | 2.1/5 | 3.5/5 | Compliance mapping (+1.0), responsible roles (+0.5), breadcrumbs (+0.3), choke points (+0.3) |
| CEO | 19/28 | 24/28 | Remediation naming (+2), breadcrumbs (+1), confidence labels (+1), compliance tags (+1) |
Review Artifacts
All individual reviews are in this directory:
- `agent-ciso-reviewer.md` — CISO Executive Review
- `agent-secops-analyst.md` — SecOps Analyst Review
- `agent-product-qa.md` — Product QA Report
- `agent-ux-critic.md` — UX & Information Architecture Review
- `agent-security-auditor.md` — Security Audit (code + visual)
- `agent-enterprise-executive.md` — Enterprise Executive Review
- `agent-ceo-reviewer.md` — CEO Acceptance Review
Snapshot used: sv0-intelligence/store/snapshots/2026-03-19-demo-w1/
Previous review: Round 1 — March 15 Multi-Perspective Platform Review