Buyer evidence pathScore, inspect, package, request.
  1. Score readiness firstPRISMFind the first deployment gap before a call.
  2. Inspect proofPHANTOMReplay the governed approval boundary.
  3. Verify evidenceEvidence roomChoose role and workflow proof.
  4. Build passportPassportPackage readiness signals into one artifact.
  5. Send ATLAS intakeRequestCarry context into founder review.

Evidence room

Build the evidence packet before the call.

Choose the buyer role and workflow, inspect the proof artifacts, then carry the dossier or Commerce Readiness Passport into ATLAS intake. Public proof stays synthetic; private runtime access stays locked.

Procurement pre-screen

The trust signals are useful because the claim is narrow.

HARNEXA exposes the same questions procurement will ask: what is mapped, what is only a roadmap, what data moves, which processors touch it, and where formal legal review remains required.

Governance boundaryTrust starts with what remains locked.A procurement-safe control visual for identity, audit, legal-review support, and the public/private runtime boundary.

Stakeholder proof

The same control system answers four different buyer questions.

Operations, CTO, risk, and founder review do not need separate stories. They need the same boundary shown through the artifact each stakeholder can verify.

Ask ATLAS in the evidence room

Route procurement questions to public proof, not private consoles.

Use ATLAS to route the buyer committee to the right evidence packet. It can explain public artifacts, but it cannot inspect private runtime data.

Buyer lens
READ_ONLYEvidence boundary visible

Public ATLAS can route buyers through PHANTOM, PRISM, Trust, GACO, AVO, Protocol Atlas, and diagnostic intake.

Source corpus
Explicit public manifest
Writes
Disabled
Private routes
Blocked

Buyer committee dossier

Choose the proof packet before the call.

Different stakeholders inspect different evidence. Build a lightweight dossier for the buyer role and workflow family, then carry that context into the structured ATLAS intake.

Context attached to dossier
Role
Operations
Workflow
CPG field sales
Offer
deployment
Buyer role
Workflow family
Generated evidence packet

Operations / CPG field sales

A buyer-review packet showing the proof artifact, the evidence needed, the operating boundary, and the HARNEXA deliverables before a diagnostic or deployment is proposed.

Buyer questionWill this improve the workflow without slowing the operator down?
Workflow signalRep visit preparation with account context, SKU velocity, promo compliance, and held order proposal.
Proof artifactPUBLIC-PHANTOM-SAMPLE-001
BoundaryNo CRM update or order submission before human approval.
Evidence to inspect
  • Account context source and owner
  • SKU velocity and replenishment logic
  • Promo or planogram compliance signal
  • Order proposal held at approval boundary
Buyer inputs needed
  • One named workflow owner
  • Current process friction and exception examples
  • Baseline metric such as cycle time, accuracy, conversion, or SLA
HARNEXA proof to show
  • PHANTOM visit package
  • Next-best-action list
  • Held order proposal
  • AgentOps operating review
Packet artifacts
  • Agent identity record
  • Tool and permission boundary
  • Risk classification
  • Human approval map
  • Append-only audit trail sample
  • CLEAR scorecard
  • AgentOps report section
  • Revocation and operating cadence note
  • Legal-review support boundary
Open passportSend dossier context

Evidence dossier

The public sample is inspectable before a buyer shares access.

The public evidence room uses a synthetic PHANTOM run to show what HARNEXA expects every serious deployment to produce: identity, risk class, approval boundary, audit events, CLEAR score, and a runtime boundary that keeps customer systems out of the public site.

Sample runSynthetic public PHANTOM replay
Agent identityNamed PHANTOM agent with persistent identity
Action boundaryCommercial proposal requires human review
Approval boundaryNo client-system write before approval
Audit events5 synthetic rows, 1 approval event
CLEAR average1.00 sample baseline
Data boundarySynthetic demo data only
Live-system writesDisabled on public pages

Artifact map

Four places a buyer can verify the system.

The evidence path is intentionally simple: inspect the sample, inspect the operating report, score readiness, then send a structured diagnostic request if the workflow is worth exploring.

Inspectable now

PHANTOM public proof

Synthetic CPG field-sales run with account context, velocity, promo compliance, proposed order, approval boundary, audit rows, and CLEAR scorecard.

Inspect PHANTOM proof
Inspectable now

AgentOps evidence

Inventory, risk class, audit summary, usage guardrail, CLEAR baselines, open risks, recommended actions, and markdown evidence packet.

Open AgentOps evidence
Self-service

Readiness score

PRISM scan across governance, data, human control, measurement, and organizational readiness before a deployment sprint is proposed.

Score readiness first
Founder reviewed

Diagnostic request

Structured handoff into one recommended path. ATLAS-style intake gathers workflow, stack, urgency, role, and readiness context before HARNEXA replies.

Book diagnostic sprint

Sample evidence

Audit rows and CLEAR scores are the trust material.

These excerpts are synthetic, but the structure is the point: every private run should preserve who acted, which boundary was crossed, what sensors saw, and whether the workflow stayed inside agreed operating limits.

Append-only audit samplePUBLIC-PHANTOM-SAMPLE-001
TimeEventRiskResult
00:01Account contextRead-onlyAccount context loaded
00:03SKU velocityRead-onlyTwo replenishment lines identified
00:06Promo complianceRead-onlyPromo compliance scored at 72%
00:09Order recommendationProposal onlyOrder proposal generated without submission
00:12Human reviewApproval requiredHuman approval boundary held
CLEAR scorecard excerptAverage 1.00
Cost1.00< EUR 0.80
Latency1.00< 30s
Efficiency1.00< 12 tool calls
Accuracy1.00>= 0.85
Reliability1.00>= 0.95

Control system

What the evidence is supposed to prove.

A demo is not enough. The operating question is whether the same control primitives can survive real deployment: identity, permission scope, approval, audit, evaluation, and review cadence.

Identity

Persistent agent identity links runs, permissions, audit rows, and inventory.

Permissions

Tool allowlists and risk classes define what each agent can access before execution.

Approval

Consequential commercial actions stay behind a human approval boundary.

Audit

Events preserve actor, risk class, tool, result summary, and sensor status.

Evaluation

CLEAR tracks cost, latency, efficiency, accuracy, and reliability from day one.

Operations

AgentOps packages inventory, risks, usage, and next actions for stakeholder review.

Agent registry proof

Agent contracts are visible before private runtime access.

The public registry translates the internal AGENTS.md contract into buyer evidence: which agents exist, what each is allowed to do, where human review is required, and how persistent identity keeps audit evidence connected across runs.

14registered agents

Core, specialist, compliance, and delivery agents are named before deployment.

2risk ceilings

READ_ONLY agents draft and inspect; FINANCIAL actions remain approval-gated.

1persistent key

Every run links back to a stable agent_id for audit, memory, and inventory review.

AgentTypePhaseRisk maxStatusIntended purpose
HERMESCore / NEXUS OSPhase 0READ_ONLYv0 CLI brief + audit

Morning intelligence brief and continuous market monitoring.

ATLASCore / NEXUS OSPhase 0READ_ONLYv0 proposal draft + audit

Founder-reviewed proposal drafts from discovery notes.

ARGOSCore / NEXUS OSPhase 0READ_ONLYv0 priorities/pre-call + audit

Delivery priorities, pre-call briefs, and proactive risk flags.

THEMISCore / NEXUS OSPhase 0READ_ONLYv0 checklist draft + audit

EU AI Act and GDPR dual-framework governance support for legal review.

PHANTOM VSASpecialist / FlagshipPhase 0FINANCIALCLI proof + Streamlit UI

CPG and retail visit packages, proposed orders, and approval-held commercial actions.

LOGOSCore / NEXUS OSPhase 1READ_ONLYv0 content drafts + audit

Founder-reviewed market content, proof assets, and publication drafts.

SCOUTCore / NEXUS OSPhase 1READ_ONLYv0 prospect queue + audit

Prospect queues and outreach drafts that never send autonomously.

LEDGERCore / NEXUS OSPhase 1READ_ONLYv0 finance + FinOps drafts + audit

Finance and FinOps drafts with no autonomous financial execution.

SAGECore / NEXUS OSPhase 1READ_ONLYv0 skill proposals + audit

Skill proposals and capability documentation for founder review.

PRISMSpecialist / DeliveryPhase 1READ_ONLYv0 diagnostic draft + audit

Readiness scoring and diagnostic evidence before a proposal path.

FORGESpecialist / DeliveryPhase 1READ_ONLYv0 architecture draft + audit

Architecture drafts and implementation boundaries for governed agents.

ORACLESpecialist / DeliveryPhase 1READ_ONLYv0 PHANTOM eval + audit

PHANTOM trajectory evaluation and CLEAR validation evidence.

BRIDGESpecialist / DeliveryPhase 2READ_ONLYv0 integration spec + audit

Integration specifications before client system connection.

AURISSpecialist / CompliancePhase 2READ_ONLYv0 dual-framework package + audit

Governance support package for dual EU AI Act and GDPR review.

Harness to obligation map

Governance is an execution architecture before it is a document.

This is the buyer-review map: HARNEXA does not claim these controls satisfy the EU AI Act by themselves. It shows which technical artifact supports each review conversation with legal, risk, security, and operations.

Persistent identity

Every agent has a stable identity record linked to permissions, inventory, memory namespace, and audit rows.

Supports deployer inventory, intended-purpose review, traceability, and Article 13 transparency support.
Permission and risk scope

Tool allowlists, READ_ONLY / FINANCIAL / DESTRUCTIVE classes, revocation, and data boundaries are set before execution.

Supports Article 9 risk-management review and narrows the technical scope counsel and security need to assess.
Budget and usage guardrails

Cost, tool-call, latency, and run-frequency limits are visible in AgentOps before a workflow expands.

Supports monitoring, operational resilience, and evidence for proportionality of the deployment.
Human approval gate

Financial and destructive actions are proposed as analysis, then held for explicit human approval before write or submission.

Maps to Article 14 human oversight review and GDPR Article 22 concerns when personal data or automated decisions are involved.
Computational sensors

CLEAR checks cost, latency, efficiency, accuracy, and reliability against a baseline before scale.

Supports Article 15 accuracy, robustness, and monitoring discussions without claiming legal compliance.
Append-only audit log

Events preserve actor, run id, tool, risk class, approval status, result summary, sensor state, and timestamp.

Supports Article 12 record-keeping review and the audit trail legal, risk, and operations teams inspect.

Runtime boundary

Public proof and private execution stay separate.

HARNEXA should be easy to inspect without accidentally granting runtime authority. Public pages show evidence shape; private runtime access remains token-gated and synthetic until a client scope, data boundary, and approval model are reviewed.

Public siteVercel cdg1

Crawlable marketing and evidence pages served from Paris where possible

Private runtimeRender API

Token-gated PHANTOM and AgentOps endpoints

Governance storeSupabase/PostgreSQL

Persistent identity and audit evidence for private runs

Public proofSynthetic data

No customer systems, no live writes

Execution policyDisabled publicly

No public MCP execution or autonomous financial action

Procurement packet

The evidence room now pre-answers legal, risk, and IT.

These artifacts are deliberately plain. They are the starting materials a buyer can send to counsel, security, or data protection before a diagnostic call.

ISO 42001 roadmap

Published timeline, no certification claim.

  1. Q3 2026Scope and gap analysis

    Document the HARNEXA Harness management-system scope, responsible owner, control inventory, risk register, and evidence owners.

  2. Q3-Q4 2026Control implementation pack

    Prepare policies for agent identity, risk classification, tool permissions, incident handling, evaluation, and supplier review.

  3. Q4 2026Internal audit and remediation

    Run an internal readiness review, collect non-conformities, assign remediation owners, and preserve evidence.

  4. Q1 2027External audit readiness

    Engage an accredited auditor when scope and controls are ready. Certification is not claimed until granted.

Sub-processor list

Every supplier has a role, data class, and boundary.

SupplierRoleDataBoundary
Vercel

Public website hosting, edge functions, speed insights, and privacy-preserving analytics.

Public request metadata, aggregate analytics events, and static asset delivery data.

Public site only; configured for the cdg1 Paris region where possible.

Supabase

Consented readiness packet storage and governance database infrastructure.

Only explicit PRISM packet fields when the visitor sends the result; no public readback.

Insert-only public path; service-role access stays server-side.

Render

Private token-gated runtime hosting for PHANTOM and operator workflows when enabled.

Synthetic demo telemetry by default; client data only under a signed private scope.

Not exposed as a public execution surface.

Model providers

Language-model inference for scoped private workflows when a client scope permits it.

Workflow prompts, tool summaries, and context limited by the approved data boundary.

Provider choice and data-processing terms are confirmed in the client packet.

Retention policy

Audit integrity and deletion rights are separated by data class.

Public synthetic proofStatic until replaced

Contains no customer data; sample packets can be superseded when proof formats change.

Consented PRISM submissionsFounder pipeline review; deletion available on request

Visitor can request deletion by email; public users cannot read submitted packets back.

Private runtime audit logsDefined per client scope before deployment

Default posture is preserve audit integrity; deletion/return terms are handled in the client agreement.

Inquiry and booking dataUp to 24 months unless law or active engagement requires longer

Deleted or anonymised on request unless a legal retention requirement applies.

Vercel server logsProvider operational retention, currently represented as up to 30 days on the privacy page

Handled under provider terms; HARNEXA keeps no separate public log database.

GDPR Article 28 packet

Processor materials prepared for counsel review.

  • Controller and processor roles for the scoped workflow
  • Processing subject matter, duration, nature, and purpose
  • Categories of personal data and data subjects, if any
  • Documented instructions and approved tool/data boundaries
  • Confidentiality and personnel access controls
  • Security measures tied to HARNEXA Harness controls
  • Sub-processor notice and objection mechanism
  • Assistance with rights requests, DPIA inputs, and security incidents
  • Deletion or return of personal data at end of engagement
  • Audit and inspection support through AgentOps evidence exports
Download Article 28 template

Standards and review

The roadmap is useful only when claims stay narrow.

HARNEXA can package evidence for legal, risk, and standards review. This page does not claim certification, compliance, or formal legal advice.

EU AI Act-aware support

Intended purpose, oversight, transparency, audit, and review evidence for qualified legal counsel.

ISO 42001 roadmap candidate

Management-system alignment can be documented as a roadmap only; no certification claim is made here.

NIST AI RMF mapping support

Risk identification, measurement, management, and governance evidence can be mapped for buyer review.

OWASP agentic risk review

Tool access, prompt/tool boundaries, data handling, and runtime attack surfaces are review inputs.

Reference asset

The missing trust signal is a real buyer review.

The public evidence room manufactures proof structure before a first case study exists. The next commercial milestone is one founder-approved lighthouse review: workflow problem, governed approach, measured outcome, audit proof, and buyer permission to publish.

Book diagnostic sprint

Review boundary

Trust signals are precise because the limits are explicit.

HARNEXA provides EU AI Act-aware governance foundations for client legal review — not legal compliance certification.