Elev8 Matrix · Labyrinth OS

Labyrinth OS

Operational User Manual

A complete, self-service manual for the execution engine — every screen (command surface, execution, governance, administration and the client portal), step-by-step task guides, manuals for all nine roles, the exact permission matrix, a code-verified field dictionary, administration and troubleshooting — so any team member can operate Labyrinth without developer help.

AudienceAll roles — Coordinators, Specialists, Managers, Advisors, Accountability, PD, Executive, Admin, Client

Covers35 screens · task guides · 9 role manuals · permission matrix · field dictionary · admin · troubleshooting · QA test plan

ScreenshotsLive dev app, freshly captured 2026-06-08, with numbered call-outs

Version / updatedv2.0 · 2026-06-08 — full-coverage rewrite: all screens, annotated, code-verified, corrected

Enums, gates, the approval chain and admin behaviour are verified against the source (Prisma schema + the state/permission engines). Where the running app and an older note disagreed, the code wins (e.g. the approval chain ends at Executive, and Labyrinth is single-tenant).

Orientation

Where Labyrinth fits — the receiver model

Labyrinth is the execution engine. It has no manual “new client” entry point — it receives hand-offs and runs delivery. A signed client becomes a contract, which holds milestones, which generate requests (the unit of delegated work).

Labyrinth receives work from two upstream sources

Upstream	Who triggers it (a person)	What Labyrinth does
ElevateCRM	A Sales Rep wins a deal (Closed-Won)	Auto-creates a contract (stage SIGNED, journey ONBOARDING) with starter milestones & requests.
Nexus	A client accepts their proposal	The client transitions from Nexus evaluation into Labyrinth execution. (Mechanism owned by the Nexus team — [confirm with dev] for the exact trigger in your environment.)

Key mental model for stories & tests: a person always starts the journey upstream (a rep in CRM, or a client in Nexus). Labyrinth is the receiver — its records are created by automation, then operated by the delivery team.

Orientation

Logging in

Navigation. Open the app URL → email + password → you're routed to your role's home automatically. Seed users share the password labyrinth123 (e.g. ayo@elev8matrix.com Admin, sarah@elev8matrix.com Accountability, lisa@elev8matrix.com Coordinator, james@elev8matrix.com Specialist).

Password policy: any password you set (reset, invite activation, admin user-create, portal activation) must be ≥ 12 characters with at least one uppercase, one lowercase and one digit. Note there is currently no login lockout / rate-limiting — flagged as a hardening gap.

Orientation

Navigation & role tiers

A left sidebar is shared across every screen; what you see depends on your role tier.

Tier	Roles	Sees / lands on
admin	ADMIN	Everything incl. System Factory, Admin & Admin Log.
operator	EXECUTIVE, PROJECT_DIRECTOR, ACCOUNTABILITY, MANAGER, COORDINATOR, ADVISOR	Full command surface: Command Center, Strategy, the Command quadrants (Vision / Role / Tools / Performance), Approvals, Rainfall. (Factory & Admin Log only with the matching grant.)
specialist	SPECIALIST, MEMBER	My Work only — no command grid.
client	CLIENT	Client Portal only.

Role-home landings: Admin/Executive → Command Center; Accountability → Accountability; Project Director / Manager / Coordinator / Advisor → Role (/command/role); Specialist → My Work; Client → Portal.

Command surface

Command Center

Purpose. Leadership cockpit — priorities, risk, deadlines and the Tree of Execution.

Navigation. Sidebar → Command Center (home for Admin/Executive).

Command Center — EnlilBar, metric tiles and the Tree of Execution.

EnlilBar — today's priorities, at-risk items, next actions, deadlines.
Metric tiles — Pipeline Value, Active Contracts, Red Tags, Overdue, Unassigned (red/amber = attention).
Tree of Execution — Campaign → Contracts → Milestones → Requests, expandable with Next to drill in.
CRM Handoff Queue — recent inbound hand-offs awaiting activation.

Command surface

Strategy

Purpose. The kickoff view — pick a strategy and see its milestones A→Z with the roles, contracts and teams inserted at each stage.

Navigation. Sidebar → Strategy.

Strategy — A→Z stage timeline (Stabilization / Foundation / Growth / Expansion).

Strategy pills switch the timeline (Foundation / Stabilization / Growth / Expansion).
Stage cards — Active Execution, Deliverable Review, Validation, Optimization — each with day range, pace badge (On pace / At risk / Behind / No work), roles (owner ★), completion %, next action.
“Validation checkpoint” markers on validation stages (visual marker, not an enforced gate).
Show contracts & teams expands a stage to its live contracts and teams.

Command surface

Vision

Purpose. The cross-client roadmap quadrant — pipeline of projects over time, with timeline / map / Gantt views and the approvals overlay.

Navigation. Sidebar → Command → Vision (/command/vision).

Vision — Pipeline Roadmap with Timeline / Command Map / Gantt views and an Approvals overlay.

View switches: Timeline, Command Map, Pipeline, Gantt.
Approvals (n) overlay surfaces items awaiting sign-off across clients.
Project cards (e.g. Apex Holdings — Full Suite, TechCorp — Web Platform) with milestone/deliverable counts, plus a Completed Projects rail.

Command surface

Role

Purpose. The team-command quadrant and the home screen for Project Director / Manager / Coordinator / Advisor — your team's org, accountability and communication in one place.

Navigation. Sidebar → Command → Role (/command/role).

Role (Command Center) — Organization / Accountability / Communication views with personal queues.

Views: Organization (authority & team load), Accountability, Communication.
Personal tiles: Assigned Requests, Board Cards To Review — your own queue at the top of the command surface.

Command surface

Tools

Purpose. Daily operating tools — the Battleplan, SOPs/training, execution engines and systems.

Navigation. Sidebar → Command → Tools (/command/tools).

Tools — Battleplan, Training, SOPs, Engines, Systems.

Sections: Battleplan, Training, SOPs, Engines (Momentum / Outcome Lock / Adaptive Strategy), Systems.
Entry tiles link to Requests, Boards and the execution engines — the launch pad for operational work.

Command surface

Performance

Purpose. The department KPI dashboard — scorecards and narrative reports by function.

Navigation. Sidebar → Command → Performance (/command/performance).

Performance — Department KPI Dashboard with function filters.

Function filters: All, Accountability, Development, HR, Marketing, Powerhouse, Sales.
Tiles: Average Score, Needs Attention, Failing KPIs, Verified (n/total).
Function goals list with current scores and verification state.

Execution

Contracts

Purpose. The contract list — the trunk records the whole funnel hangs off.

Navigation. Sidebar → Contracts (or Command → Contracts).

Contracts — each moves through the 10-stage lifecycle, holding milestones & requests.

Open a contract for its Tree of Execution (milestones → requests), red tags, the accountability ladder and an append-only execution log. Lifecycle: QUESTIONNAIRE → PROPOSAL → SOW → BID → SIGNED → ACTIVE → CONFIRMING → COMPLETED → PAID, with REVISED as a re-work loop and ON_HOLD / CANCELLED escape hatches. Hand-offs create contracts at SIGNED. Each contract carries a client package (BRONZE / SILVER / GOLD / BLACK) that sets its accountability SLA.

Execution

Requests

Purpose. The queue of delegated work — the unit the accountability engine watches.

Navigation. Sidebar → Requests.

Requests — Title, Contract, Tag, Priority, State, Owner, Assigned, Due.

Columns: Title · Contract · Tag · Priority · State · Owner · Assigned · Due.
State: OPEN · IN_PROGRESS · BLOCKED · COMPLETED · CANCELLED.
Priority: LOW · NORMAL · HIGH · URGENT.
Tag: TASK · DOCUMENT_REQUEST · MEETING_REQUEST · DECISION_REQUEST · DELIVERABLE · APPROVAL · BILLING · CLIENT_REQUEST.
Overdue requests drive escalation (NONE → REMINDER → WARNING → ESCALATED).

Execution

My Work

Purpose. The Specialist/Member home — a focused list of items assigned to you.

Navigation. Sidebar → My Work (also a shortcut for everyone).

My Work — your assigned requests, due dates and red tags.

Tiles: Open Requests, Assigned Cards, Overdue, Due This Week, Done (7d), Unread.
Request Queue and Red Tags panels.
Start / Cancel actions move your items along; raise a red tag if blocked.

Execution

Boards

Purpose. Kanban-style delivery boards — recurring and per-contract.

Navigation. Sidebar → Tools → Boards (/boards).

Boards — recurring boards and per-contract delivery boards.

Sections: Recurring Boards (e.g. weekly) and All Boards (per-contract delivery). Open a board for its card columns; cards link back to requests/milestones.

Execution

Rainfall

Purpose. The structured communication layer — on-record comms and commands that flow down the org and across peers.

Navigation. Sidebar → Rainfall.

Rainfall — on-record communications & commands with acknowledgement tracking.

Tiles: Total Messages, Critical Messages, Pending Acknowledgements, Messages Today, Escalated.
Filters: All Types, All Severities, Needs Ack; plus Mark All Acknowledged.
Messages carry a severity and can require acknowledgement (ack due in 12h CRITICAL / 24h HIGH / 48h NORMAL); unacknowledged criticals escalate.

Acknowledgement authorization: only the responsible entity owner or a leadership role (PD / Accountability / Executive / Admin) can satisfy an ack — visibility alone is not enough.

Execution

Approvals

Purpose. The milestone approval & enforcement queue.

Navigation. Sidebar → Approvals (roles that can approve).

Approvals & Enforcement — milestones awaiting sign-off in the chain.

Filters: All · Pending · Escalated · Rejected · Acknowledged · Approved.
Approval chain (fixed): Coordinator → Advisor → Accountability → Executive — all four are required, in order, to fully approve a milestone (out-of-order approvals are rejected with “Next required role is X”).

Execution

Documents

Purpose. The resource vault — contracts, SOPs, deliverables and imports, scoped by visibility classification.

Navigation. Sidebar → Documents.

Documents — employee/client docs, vault, and Google Docs / ClickUp imports.

Sections: Employee contracts, Client legal docs, Google Docs import, ClickUp attachments, Meeting-to-work import.
Actions: New page, Issue for signature, Store and expose to portal, Index in vault, Index attachment.
Each document is linked to a contract and classified by visibility (PUBLIC → OWNER_ONLY).

Execution

Red Tags

Purpose. The blocker registry — raise, acknowledge and resolve the flags that gate work.

Navigation. Sidebar → Red Tags (/red-tags).

Red Tags — blockers with severity, state and resolution actions.

Severity → blast radius: WARNING blocks the request; CRITICAL blocks the milestone; BLOCKER blocks the contract.
State: OPEN · ACKNOWLEDGED · RESOLVED · DISMISSED (OPEN/ACKNOWLEDGED block; RESOLVED/DISMISSED unblock).
Row actions: Acknowledge, Resolve (with notes), Dismiss. What is severity? explains the model.

Execution

Decisions

Purpose. Decision memory & governance — log key decisions and their outcomes for an auditable record.

Navigation. Sidebar → Tools → Decisions (/decisions).

Decisions — logged decisions with rationale and outcome.

Log Decision records a decision (e.g. Delay launch by 2 weeks, Switch to Next.js for the client portal); each entry tracks its rationale and an Outcome once known.

Execution

Workflows

Purpose. Repeatable templates (e.g. Web Development Pipeline) deployed to a contract/campaign to seed structured tasks.

Navigation. Sidebar → Tools → Workflows (/workflows).

Workflows — templates and active deployments.

Tabs: Deployments, Templates.
Tiles: Active Templates, Active Deployments, Tasks Completed, Tasks In Progress.
New Template (Admin only) defines a reusable pipeline; Deploy Workflow instantiates its tasks against a target. (This is where repeatable contract structure lives — not contract creation.)

Execution

Playbooks

Purpose. Structured SOPs/checklists that can be deployed to a contract or campaign.

Navigation. Sidebar → Tools → Playbooks (/playbooks).

Playbooks — choose a playbook and deploy it to a target.

Deploy Playbook: Choose playbook → Target contract (or campaign) → Deploy. Managing playbooks is Admin / Executive.

Execution

Campaigns

Purpose. The grouping above contracts — a campaign holds related contracts and scopes governance/visibility.

Navigation. Sidebar → Campaigns (/campaigns).

Campaigns — the container that groups contracts.

New Campaign creates the container; scoped (non-view-all) users can only create/see contracts inside campaigns they're granted. Open a campaign for its contracts and rollups.

Governance & system

Accountability

Purpose. The governance home & exception queue — overdue, blocked, unowned, unaudited work; also user creation.

Navigation. Sidebar → Accountability (home for the Accountability role).

Accountability — exception queue + Create & Manage Users; Run Check refreshes events.

Run Check refreshes accountability events (also runs automatically every 15 minutes).
Work the exception queue top-down (escalated/overdue first); cards include Blocked Work and Unowned Contracts.
Create & Manage Users — set role and function. User columns: Name, Email, Role, Function, Created.

Governance & system

System Factory

Purpose. The factory queue — imports, strategy intakes, proposals, draft contracts and the live CRM → Labyrinth hand-offs.

Navigation. Sidebar → More → System Factory (/command/factory).

System Factory — incoming hand-offs and intakes from every source.

Tabs: All · Imported Data · Strategies · Contracts · Proposals · Changes · Needs Review.
Source tiles: ClickUp, GHL, CyberTax, Ripple, Nexus — each showing item counts and pending changes.
Live CRM Handoffs — when a CRM deal closes, the hand-off surfaces here; View / Advance to PROPOSAL turn an intake into active execution.

Governance & system

Handoffs

Purpose. The hand-off command board — track inbound clients against onboarding/launch SLAs and team execution.

Navigation. Sidebar → More → Handoffs (/command/handoffs).

Handoffs — SLA board (48h onboarding / 72h launch) and team task queue.

Tiles: Live handoffs, New this week, SLA risks, Open tasks, Unassigned.
Columns: Contract · 48h onboarding · 72h launch · Open work · Next action.
Team Task Queue and a CEO demo script sit alongside the board.

Governance & system

Function Intakes

Purpose. Intake forms that capture a new function/department's setup as structured templates.

Navigation. Sidebar → More → Function Intakes (/command/function-intakes).

Function Intake — function templates and intake forms.

Function Templates define repeatable function setups; completing an intake seeds the related structure. Admin/operator oriented.

Governance & system

Imports

Purpose. Staged data imports — bring an external operating model in for review before it becomes live records.

Navigation. Sidebar → More → Imports (/imports).

Imports — staged import sessions awaiting review.

Tiles: Active Workspaces, Import Sessions, Completed Sessions, Needs Review.
New import starts a session; Run demo source loads sample data; review the staged Operating Model before promoting it.

Governance & system

Integrations

Purpose. Connect external platforms and sync their data into Labyrinth.

Navigation. Sidebar → More → Integrations (/integrations).

Integrations — external platform connections with optional contract link.

Connect a source, optionally link it to a contract target, and Sync. Pairs with System Factory (where synced items surface for review).

Governance & system

Analytics

Purpose. System-wide execution metrics — campaign risk, milestone mix and request throughput.

Navigation. Sidebar → More → Analytics (/analytics).

Analytics — campaign risk, milestones-by-status and requests created.

Campaign Risk Overview.
Milestones by Status (EXECUTED / IN_PROGRESS / NOT_STARTED / OPTIMIZED).
Requests Created (last 30 days) trend.

Governance & system

Payroll

Purpose. The payout queue — release contract payouts, gated by the post-completion investigation window.

Navigation. Sidebar → More → Payroll (/payroll).

Payroll Queue — eligible vs restricted payouts.

Tiles: Queued Contracts, Eligible for Full Payout, Restricted by Investigation.
A completed contract holds payout until its investigationDays window (default 7) expires; maxPayoutPercent (default 60%) caps payout before full completion.

Governance & system

Workforce

Purpose. Employee utilization & roster — headcount, role types and capacity.

Navigation. Sidebar → More → Workforce (/workforce).

Employee Utilization — headcount by department and full roster.

Tiles: Full Time, Half Time, Contract, Project-Based, On Leave.
Panels: Headcount by Department, Role Type Breakdown, Full Employee Roster.
Roster columns: #, Name, Department, Specific Title, Role Type, Status/Notes (employment type = FULL_TIME / HALF_TIME / CONTRACT / PROJECT_BASED / ON_LEAVE).

Administration

Admin

Purpose. System configuration — managed systems, access reviews and policy acknowledgements.

Navigation. Sidebar → Admin (/admin, ADMIN only).

Admin — workspaces, managed systems and policy signals.

Tiles: Users, Campaigns, Contracts, Managed Systems, Pending Access.
Actions: Add Managed System, New Access Review, Assign Policy Ack.
Admin Workspaces and Policy Signals panels. Requires the admin.system_config permission (Admin only).

Administration

Client Management

Purpose. Manage client accounts, their workspaces and portal access.

Navigation. Sidebar → Admin → Clients (/admin/clients).

Client Management — accounts, workspaces, status and portal state.

Columns: Account · Client · Primary Contact · Workspaces · Status · Portal.
New Client provisions a client account; portal access is managed per workspace (preview/activate via the portal routes).

Administration

Admin Log / Audit

Purpose. The append-only audit & events log of who did what.

Navigation. Sidebar → More → Admin Log (/command/admin-log). (/audit is an alias that lands here.)

Admin Log — Audit and Events tabs with search.

Tabs: Audit (n) and Events (n).
Each entry shows the action (e.g. CREATE on Playbook / FunctionIntake), the actor and a timestamp. Searchable. Visible to roles with command.admin_log.

Administration

Notifications

Purpose. Your notification centre — red tags, approvals and workflow events.

Navigation. Top bar → bell, or /notifications.

Notifications — filterable by type with mark-as-read.

Tabs: All · Unread · Red Tag · Approval · Workflow.
Mark all as read / per-item Mark read. Grouped by day.

Administration

Ecosystem

Purpose. The cross-product launchpad — jump between Labyrinth and the sibling platforms.

Navigation. Sidebar footer → Ecosystem (/ecosystem, Admin/Executive).

Ecosystem — entry points to Labyrinth, Nexus, Finexus, CyberTaxx, Ripple.

Cards launch each engine: Labyrinth (execution), Nexus (command & evaluation), Finexus (financial intelligence), CyberTaxx (CRM & pipeline), Ripple (acquisition).

Administration

CRM Workspace

Purpose. A live read/work bridge to the upstream CRM (CyberTaxx) from inside Labyrinth.

Navigation. Sidebar → CRM (/crm, needs command.view).

CRM Workspace — CyberTaxx clients, leads, deals and accounts, with notes.

Tiles/tabs: CyberTaxx clients, Operating funnels, Leads, Deals, Accounts, CRM handoffs.
Filter… narrows records; Add note to CyberTaxx writes back to the CRM. This is the read/write seam between the CRM and execution.

Administration

Client Portal

Purpose. The client-facing surface — what a client sees: progress, timeline, deliverables and payout status.

Navigation. /portal (role CLIENT, or portal.view/portal.manage).

Client Portal — workspace summary, timeline and reports/payout status.

Sections: Workspace Summary, Timeline, Reports & Payout Status.
Scoped to client-safe data only; the client reviews progress and gives approvals — they don't drive execution.
Governed by the FLAG_PORTAL_ENABLED kill-switch (off = maintenance page).

Task guides

Contracts & milestones

Create a Contract

Purpose. Create a delivery contract (most arrive via hand-off; this is the manual path).

Prerequisites. Permission contracts.create (Admin / Executive); a campaign to attach to unless org-wide.

Contracts → New Contract.
Set name, client, client package, campaign, owner.
Save — it starts at QUESTIONNAIRE.

Required fields. name, clientName, clientPackage (BRONZE/SILVER/GOLD/BLACK); campaignId unless org-wide; owner must pass canOwnWork (a leadership role).

Validation. Stage cannot be set on creation — new contracts always start at QUESTIONNAIRE (anything else → 422).

Update a Contract / Move Contract Stages

Purpose. Advance the contract lifecycle.

Prerequisites. Permission contracts.transition.

Open the contract.
Use the lifecycle control to move to the next allowed stage.
Provide any required transition info.

Validation. You can't skip stages. CONFIRMING/COMPLETED require all milestones EXECUTED; COMPLETED is blocked by any OPEN/ACKNOWLEDGED CRITICAL/BLOCKER red tag; PAID waits for the investigation window; an unacknowledged critical communication blocks progression.

Create / Edit Milestones

Purpose. Add checkpoints under a contract.

Prerequisites. Permission milestones.create / milestones.edit.

Open the contract → Add Milestone.
Set title, description, due date, order.
Save — starts at NOT_STARTED.

Required fields. contractId, title.

Validation. Status can't be set on creation (always NOT_STARTED). Lifecycle: NOT_STARTED → IN_PROGRESS → OPTIMIZED → EXECUTED (+ NEEDS_ATTENTION, ON_HOLD).

Approve a Milestone

Purpose. Sign off a milestone in the chain.

Prerequisites. Permission milestones.approve and your step in the chain.

Approvals → open the milestone.
Record your approval (with notes).

Validation. The chain is Coordinator → Advisor → Accountability → Executive, strictly in order — an out-of-order approval is rejected (“Next required role is X”).

Expected result. Once all four roles have approved within the current cycle, the milestone can become EXECUTED.

Task guides

Requests & red tags

Create a Request

Purpose. Delegate a unit of work (the ‘Golden Rule’ record).

Prerequisites. Per the authority model, official tasks are created by Accountability or automation; coordinators initiate/delegate.

Requests → New Request.
Attach to a contract (required) and optionally a milestone.
Set title, tag, priority, owner (a leadership role), due date.
Save.

Required fields. contractId, title, tag, priority, ownerId (leadership), dueAt — all required (the Golden Rule).

Validation. A request MUST have a contract, an owner who can own work, a tag, a priority and a due date. Specialists are assignees, not owners.

Assign / Reassign a Request

Purpose. Put work in someone's My Work.

Open the request → set/refresh the assignee.
Save.

Expected result. The request appears in the assignee's My Work.

Complete a Request

Open the request → set state → COMPLETED (with notes).

Expected result. Removed from active queues; counts toward milestone progress. (States: OPEN · IN_PROGRESS · BLOCKED · COMPLETED · CANCELLED.)

Raise a Red Tag

Purpose. Flag a blocker.

Red Tags → New Red Tag (or from a contract/milestone/request).
Choose severity, title, description.
Save.

Required fields. contractId, severity, title.

Validation. WARNING blocks the request · CRITICAL blocks the milestone · BLOCKER blocks the contract.

Resolve a Red Tag

Open the red tag → Acknowledge, then Resolve with resolution notes (or Dismiss).

Expected result. Unblocks the gated item; records who resolved it and when. States: OPEN · ACKNOWLEDGED · RESOLVED · DISMISSED.

Task guides

Rainfall, approvals, users, documents, templates

Create a Rainfall Message

Purpose. Send an on-record communication/command.

Rainfall → Send Message.
Pick what it's linked to (contract/campaign/etc.), write the body, set severity / require acknowledgement if needed.
Send.

Required fields. linkedEntityType, linkedEntityId, body.

Validation. Those three are required; severity sets the ack deadline (12h/24h/48h) and drives escalation.

Create Users / Assign Roles

Purpose. Onboard a team member.

Prerequisites. Permission team.manage — Accountability or Admin.

Accountability → Create & Manage Users → Add User.
Set role and function.
Save / invite (password must meet the 12-char policy).

Expected result. User can log in to their role's home; role sets their tier & permissions.

Manage Documents

Documents → New page / Index in vault / Index attachment; link to a contract; set visibility classification.
Use ‘Store and expose to portal’ to share a document with the client.

Manage Templates & Playbooks

Prerequisites. Workflow templates: Admin (workflows.edit_templates). Playbooks: Admin / Executive (playbooks.manage).

Workflows → New Template, or Playbooks → create.
Deploy to a contract/campaign to seed tasks.

Manage Accountability Events

Accountability → Run Check to refresh events → work the exception queue → escalate/reassign.

Troubleshooting. Escalation thresholds are configurable per client package via the AccountabilityPolicy (PUT /api/accountability/policies).

Role manual

Coordinator

🧭 Coordinator — Execution Command

"What does my team need to move and unblock today?"

Responsibilities

Own execution direction; delegate requests; drive contracts/milestones forward; clear blockers.

Accessible modules

Role (home), Command Center, Strategy, Contracts, Requests, Boards, Rainfall, Approvals (own step), Documents.

Daily workflow

Open Role — today's actions, blocked cards, assigned requests.
Triage blockers (red tags) first.
Delegate requests with owners & due dates (the Golden Rule).
Move milestones along; submit the Coordinator approval step.
Issue commands/updates via Rainfall.

Step-by-step procedures

See Create a Request, Assign/Reassign, Raise/Resolve a Red Tag, Approve a Milestone in the task guides.

Permissions

Owns work; transitions contracts; first step of the milestone approval chain. Cannot create users or override ownership.

Common scenarios

A request has no owner/due date → Accountability will escalate it; fix it.
A milestone is blocked → resolve the CRITICAL red tag before approving.

Best practice

Keep every request owned and due-dated — unowned/overdue work is exactly what Accountability escalates.

Role manual

Manager

🧰 Manager — Resource & Readiness

"Does my team have the resources, docs & readiness to execute?"

Responsibilities

Ensure resources/docs/readiness; watch KPIs; close communication gaps.

Accessible modules

Role (home), Documents, Tools, Performance, Requests, Rainfall, Approvals (as granted).

Daily workflow

Check readiness — missing docs, unsigned contracts, gaps.
Attach documents/resources to the work that needs them.
Watch team load & KPIs on Performance.
Close communication gaps via Rainfall.

Step-by-step procedures

See Manage Documents, Create a Rainfall Message; readiness review uses Contracts + Documents.

Permissions

Operator tier — can own work and view the full command surface. Does not create users (that's Accountability/Admin) or override ownership.

Common scenarios

A deliverable is missing its doc → attach it from Documents before the milestone review.
KPI failing → drill in on Performance and assign corrective requests.

Best practice

Treat readiness as preventative — a resourced team rarely generates red tags.

Role manual

Advisor

🔎 Advisor — Systems & Review

"What needs my review, approval, or a system improvement?"

Responsibilities

Review deliverables; approve (Advisor step); improve templates & systems.

Accessible modules

Role (home), Approvals, Boards, Tools (Workflows/Playbooks), Documents, Requests.

Daily workflow

Clear board/deliverable reviews.
Act on milestone approvals needing the Advisor step (second in the chain).
Refine workflow templates & SOPs; address recurring failures.

Step-by-step procedures

See Approve a Milestone, Manage Templates & Playbooks.

Permissions

Reviews & approves (Advisor step); operator tier. Note: workflow-template creation is Admin-only; Advisors contribute via review and SOPs.

Common scenarios

Same failure keeps recurring → encode the fix as a workflow/playbook step.
Approval stuck before me → the Coordinator step must come first.

Best practice

Approve against the standard, not the deadline — the Advisor step is a quality gate.

Role manual

Accountability

🛡️ Accountability — the governor

"What is overdue, blocked, ownerless, or ungoverned?"

Responsibilities

Govern overdue/blocked/unowned/unaudited work; create users; keep Rainfall clean; hold the third approval step.

Accessible modules

Accountability (home), Approvals, Rainfall, Requests, Contracts, Create & Manage Users.

Daily workflow

Run the check (or rely on the 15-min cron).
Work the exception queue top-down (escalated/overdue first).
Escalate / reassign stuck work with a reason.
Create users (role + function); govern access.

Step-by-step procedures

See Create Users / Assign Roles, Manage Accountability Events, Approve a Milestone (Accountability step).

Permissions

Creates users (team.manage, shared with Admin) and governs official tasks; third step of the approval chain; overriding ownership needs Accountability + Executive. The 15-min cron escalates automatically; Accountability steps in at ESCALATED. Escalation thresholds are configurable per client package (BRONZE/SILVER/GOLD/BLACK).

Best practice

Govern by exception — if the queue is empty, the system is healthy; don't micro-manage owned, on-time work.

Role manual

Specialist

🔧 Specialist — My Work

"What do I need to complete today?"

Responsibilities

Do the work assigned to you; mark progress; flag blockers.

Accessible modules

My Work only (plus Documents/Contracts in scope, Requests owned/assigned). No command grid.

Daily workflow

Open My Work.
Work assigned requests in priority order (Start).
Mark progress / Complete.
Raise a red tag if blocked.

Step-by-step procedures

See Complete a Request, Raise a Red Tag.

Permissions

Specialists are assignees, not owners — they execute; leadership owns the outcome. Specialist tier sees My Work only.

Common scenarios

Blocked on a dependency → raise a red tag (don't sit on it); it surfaces to the owner and Accountability.
Can't see a contract → it's out of your scope; ask the owner.

Best practice

Keep states honest (Start when you start, Complete when done) — the accountability engine reads them.

Role manual

Project Director

📋 Project Director — Team Command

"What does my team need to move today, across clients?"

Responsibilities

Cross-client execution health and contract lifecycle at a team level; sits above Coordinators; owns escalations at the PD step.

Accessible modules

Role (home), Vision (cross-client roadmap), Command Center, Contracts, Requests, Approvals, Rainfall.

Daily workflow

Scan Vision for the cross-client pipeline and at-risk projects.
Review team load on Role; rebalance owners.
Clear PD-level escalations and approvals.
Deploy workflows where structure is missing.

Step-by-step procedures

See Update a Contract / Move Stages, Approve a Milestone; workflow deploy via Manage Templates & Playbooks.

Permissions

Operator/leadership — can own work, approve, deploy workflows (workflows.deploy), and is the first escalation target for communications. Does not create users.

Common scenarios

Two clients contend for the same specialist → rebalance on Role.
A campaign is drifting → drill from Vision into its contracts.

Best practice

Manage at the campaign/portfolio level; let Coordinators run the per-contract detail.

Role manual

Executive

👑 Executive — oversight

"Where are we winning, blocked, or drifting?"

Responsibilities

Org-wide oversight; final approval/override authority; strategic direction.

Accessible modules

Command Center (home), Strategy, Vision, Performance, Approvals, Ecosystem; full command surface.

Daily workflow

Read the Command Center cockpit + Performance for org health.
Act on the Executive (final) approval step.
Resolve escalations that reached the top of the ladder.
Set strategic direction via Strategy.

Step-by-step procedures

See Approve a Milestone (Executive step); override ownership jointly with Accountability.

Permissions

Top of the approval & escalation chain (final approver = Executive); can create contracts (contracts.create), deploy workflows, manage playbooks; override ownership only together with Accountability. Operator tier — full command surface.

Best practice

Reserve override for genuine exceptions — the chain exists so quality isn't bypassed casually.

Role manual

Administrator

⚙️ Administrator

"Is the system configured and healthy?"

Responsibilities

Configure the system; manage users, clients and managed systems; maintain templates and integrations; run access reviews.

Accessible modules

Everything — Admin, Client Management, Admin Log, System Factory, Workflows (templates), Integrations, plus the full command & execution surface.

Daily workflow

Run access reviews & assign policy acks (Admin).
Manage users/roles (shared with Accountability).
Maintain workflow templates and integrations.
Watch the Admin Log for anomalies.

Step-by-step procedures

See Create Users / Assign Roles, Manage Templates & Playbooks; managed systems & access reviews on the Admin screen.

Permissions

Holds all 38 permissions (admin.system_config, workflows.edit_templates, etc.). Use sparingly for day-to-day execution — that's the operating roles' job.

Best practice

Keep roles least-privilege; let Accountability run governance and Coordinators run delivery.

Role manual

Client Portal

🧑‍💼 Client — Client Portal

"What can I see, approve, or respond to?"

Responsibilities

Review progress and deliverables; give approvals; respond to requests directed at you.

Accessible modules

Client Portal only — Workspace Summary, Timeline, Reports & Payout Status.

Daily/periodic workflow

Open the Portal.
Review milestones & campaign progress on the Timeline.
Review deliverables and give approvals.
Respond to any client requests.

Step-by-step procedures

Activate the portal via the emailed activation link (12-char password); thereafter sign in to /portal.

Permissions

Scoped to client-safe data only — not a Command Center persona. The team drives execution; the client reviews it. Portal availability is governed by the FLAG_PORTAL_ENABLED kill-switch.

Best practice

Approve promptly — client approvals are part of the milestone chain and stalled approvals delay payout.

Reference

Field & data dictionary (Labyrinth)

Verified against the Prisma schema + state engines. auto = system-set. The Golden Rule marks the fields a request cannot exist without.

Contract

Field	Type	Req?	Validation / rules	Purpose
name / clientName	string	required	Non-empty	Contract & client of record
clientPackage	enum	required	BRONZE / SILVER / GOLD / BLACK (default SILVER)	Drives accountability SLA
stage	enum	required	Must be QUESTIONNAIRE on create; transitions governed	Formal lifecycle
journeyStage	enum	auto	Derived from stage	Operating ‘where are we’
ownerId	FK	optional	Owner must pass canOwnWork (leadership)	Accountable owner
campaignId	FK	optional*	Scoped users must create inside an editable campaign	Groups contracts
maxPayoutPercent	int	auto	default 60	Payout cap pre-completion
investigationDays	int	auto	default 7; gates PAID	Post-completion hold
value / startDate / endDate / notes	mixed	optional	—	Commercials & window

Milestone

Field	Type	Req?	Validation / rules	Purpose
contractId	FK	required	Cascade delete	Anchors to contract
title	string	required	Non-empty	Milestone name
status	enum	auto	NOT_STARTED → IN_PROGRESS → OPTIMIZED → EXECUTED (+NEEDS_ATTENTION, ON_HOLD)	Lifecycle
dueDate	datetime	optional	—	Target date
sortOrder	int	auto	default 0	Display order

Request (Golden Rule)

Field	Type	Req?	Validation / rules	Purpose
contractId	FK	required	Every request anchors to a contract	Golden Rule
title	string	required	Non-empty	What it is
tag	enum	required	TASK / DOCUMENT_REQUEST / MEETING_REQUEST / DECISION_REQUEST / DELIVERABLE / APPROVAL / BILLING / CLIENT_REQUEST	Kind of work
priority	enum	required	LOW / NORMAL / HIGH / URGENT (default NORMAL)	Urgency
ownerId	FK	required	Must be a leadership role (canOwnWork)	Accountable owner
dueAt	datetime	required	Not null	Due date
state	enum	auto	OPEN / IN_PROGRESS / BLOCKED / COMPLETED / CANCELLED	Lifecycle
escalationLevel	enum	auto	NONE → REMINDER → WARNING → ESCALATED	Accountability ladder
milestoneId	FK	optional	SetNull on delete	Optional branch anchor

RedTag · Communication · User

Field	Type	Req?	Validation / rules	Purpose
RedTag.severity	enum	required	WARNING (blocks request) / CRITICAL (blocks milestone) / BLOCKER (blocks contract)	Blast radius
RedTag.state	enum	required	OPEN / ACKNOWLEDGED / RESOLVED / DISMISSED	Blocker lifecycle
Communication.linkedEntityType/Id	string	required	Entity the message is about	Targeting
Communication.body	string	required	Non-empty	Message text
Communication.severity	enum	auto	NORMAL default; CRITICAL ack due 12h, HIGH 24h, NORMAL 48h	Urgency + escalation
Communication.requiresAcknowledgement	bool	auto	If true, sets ack deadline + escalation schedule	Forces a response
User.email	string	required	Unique	Login id
User.role	enum	required	One of the 10 roles (default SPECIALIST)	Authority/tier
User.password	string	on set	≥12 chars, upper+lower+digit	Credential
User.employmentType	enum	optional	FULL_TIME / HALF_TIME / CONTRACT / PROJECT_BASED / ON_LEAVE	Workforce class

Key enumerations

Enum	Values
Contract stage	QUESTIONNAIRE → PROPOSAL → SOW → BID → SIGNED → ACTIVE → CONFIRMING → COMPLETED → PAID (+ REVISED loop, ON_HOLD, CANCELLED). Hand-offs enter at SIGNED.
Operating journey	QUESTIONNAIRE · ONBOARDING · EVALUATION_STRATEGY · PROPOSAL · EXECUTION · DELIVERY · REPORTING · ENHANCEMENT · SCALING · EXIT
Milestone status	NOT_STARTED · IN_PROGRESS · OPTIMIZED · EXECUTED · NEEDS_ATTENTION (+ ON_HOLD)
Request state	OPEN · IN_PROGRESS · BLOCKED · COMPLETED · CANCELLED
Request tag	TASK · DOCUMENT_REQUEST · MEETING_REQUEST · DECISION_REQUEST · DELIVERABLE · APPROVAL · BILLING · CLIENT_REQUEST
Priority	LOW · NORMAL · HIGH · URGENT
Red-tag severity	WARNING (request) · CRITICAL (milestone) · BLOCKER (contract)
Escalation level	NONE · REMINDER · WARNING · ESCALATED
Client package	BRONZE · SILVER · GOLD · BLACK
Approval chain	Coordinator → Advisor → Accountability → Executive (fixed, in order)
Role	ADMIN · EXECUTIVE · PROJECT_DIRECTOR · ACCOUNTABILITY · MANAGER · COORDINATOR · ADVISOR · SPECIALIST · CLIENT (+ MEMBER → Specialist)

Reference

Permission matrix (exact)

The complete grant table from the live permission model — 38 permissions × 9 role columns. ADMIN holds all 38. Legend: ✓ granted · · not granted.

Permission	ADM	EXEC	PD	ACC	MGR	CRD	ADV	SPC	CLI
contracts.create	✓	✓	·	·	·	·	·	·	·
contracts.edit	✓	✓	✓	·	·	·	·	·	·
contracts.transition	✓	✓	·	✓	·	·	·	·	·
milestones.create	✓	·	✓	·	·	✓	·	·	·
milestones.edit	✓	·	✓	·	·	✓	·	·	·
milestones.transition	✓	✓	✓	✓	·	✓	·	·	·
milestones.approve	✓	✓	✓	✓	·	✓	✓	·	·
requests.create	✓	·	✓	✓	✓	✓	·	✓	·
requests.edit	✓	·	✓	✓	✓	✓	·	✓	·
requests.assign	✓	·	✓	✓	✓	✓	·	·	·
red_tags.create	✓	✓	✓	✓	✓	✓	✓	·	·
red_tags.resolve	✓	✓	✓	✓	·	·	·	·	·
decisions.create	✓	✓	✓	✓	✓	✓	✓	·	·
decisions.edit	✓	✓	✓	✓	·	·	✓	·	·
workflows.deploy	✓	✓	✓	·	·	·	·	·	·
workflows.edit_templates	✓	·	·	·	·	·	·	·	·
playbooks.view	✓	✓	✓	✓	✓	✓	✓	·	·
playbooks.manage	✓	✓	·	·	·	·	·	·	·
team.manage	✓	·	·	✓	·	·	·	·	·
team.view_all	✓	✓	✓	✓	✓	·	·	·	·
admin.system_config	✓	·	·	·	·	·	·	·	·
admin.view_logs	✓	✓	·	✓	·	·	·	·	·
command.view	✓	✓	✓	✓	✓	✓	✓	✓	·
command.override	✓	✓	·	✓	·	·	·	·	·
command.factory	✓	✓	✓	✓	·	·	·	·	·
command.admin_log	✓	✓	·	✓	·	·	·	·	·
communications.send	✓	✓	✓	✓	✓	✓	✓	✓	·
communications.view_all	✓	✓	✓	✓	✓	·	·	·	·
client.communicate	✓	✓	✓	·	·	·	·	·	·
portal.view	✓	·	✓	·	·	·	·	·	✓
portal.manage	✓	·	✓	·	·	·	·	·	·
payroll.view	✓	✓	·	✓	·	·	·	·	·
integrations.manage_external	✓	·	·	·	·	·	·	·	·
boards.create	✓	✓	✓	✓	·	·	·	·	·
boards.edit	✓	✓	✓	✓	·	·	·	·	·
boards.view_all	✓	✓	✓	✓	✓	·	·	·	·
boards.review	✓	✓	✓	✓	✓	·	✓	·	·
boards.upload	✓	✓	✓	✓	✓	✓	✓	✓	·

ADM Admin · EXEC Executive · PD Project Director · ACC Accountability · MGR Manager · CRD Coordinator · ADV Advisor · SPC Specialist · CLI Client. MEMBER mirrors SPECIALIST. 38 permissions × 9 roles. Source: labyrinth-os/src/lib/permissions.ts.

Reference

Permissions in practice

Practical access scenarios — view / create / edit / delete / approve / manage.

Action	Coord	Mgr	Adv	Acc	PD	Exec	Spec	Client	Admin
View command surface	✅	✅	✅	✅	✅	✅	❌	❌	✅
Own a request/contract	✅	✅	✅	✅	✅	✅	❌	❌	✅
Create a contract	❌	❌	❌	❌	❌	✅	❌	❌	✅
Create official task / user	init.	❌	❌	✅	❌	❌	❌	❌	✅
Create/edit workflow templates	❌	❌	❌	❌	❌	❌	❌	❌	✅
Deploy workflows / playbooks	❌	❌	❌	❌	✅	✅	❌	❌	✅
Approve a milestone (chain step)	1	—	2	3	—	4	❌	❌	any
Delete / cancel work	limited	limited	limited	✅	limited	✅	❌	❌	✅
Override ownership	❌	❌	❌	✅¹	❌	✅¹	❌	❌	✅
System config / integrations	❌	❌	❌	❌	❌	❌	❌	❌	✅
See client-safe portal	—	—	—	—	—	—	—	✅	—

¹ Overriding ownership requires Accountability together with Executive. Examples: Can a Specialist own a contract? No — they're an assignee. Who creates users? Accountability or Admin. Who creates workflow templates? Admin only. Who gives the final milestone approval? Executive (step 4).

Reference

Reporting & analytics

Where the numbers live

Command Center — Pipeline Value, Active Contracts, Red Tags, Overdue, Unassigned.
Performance — department KPI scorecards (Average Score, Needs Attention, Failing KPIs, Verified) with function filters.
Analytics — Campaign Risk, Milestones by Status, Requests Created (30-day).
Handoffs — SLA board (48h onboarding / 72h launch, SLA risks).
Payroll — Queued / Eligible / Restricted payouts.
Workforce — headcount by department, role-type breakdown, utilization.

Common reporting uses

Spot drift: Command Center + Analytics campaign risk.
Quality: Performance failing KPIs + Verified ratio.
Throughput: Requests Created trend + Boards.
Cash: Payroll eligibility vs investigation holds.

Reference

Administration & configuration

Resolved from code — the items the older manual marked “[confirm with dev]” now have answers.

Area	Who	What & how (code-verified)
User management	Accountability / Admin (`team.manage`)	Create users; assign role + function on the Accountability screen.
Role management	Accountability / Admin	Role sets tier + the 38-permission grant (permissions.ts).
Workflow templates	Admin only (`workflows.edit_templates`)	Create/maintain reusable pipelines; deploy to contracts/campaigns.
Playbooks	Admin / Executive (`playbooks.manage`)	Create/deploy SOP checklists.
System Factory	Admin / permitted	Incoming imports, intakes, CRM hand-offs.
Accountability config	Accountability	Escalation thresholds are configurable per client package via AccountabilityPolicy (reminderHours / warningHours / escalationHours). Seed defaults — BRONZE 24/0/24, SILVER 24/0/24, GOLD 24/0/12, BLACK 12/0/12. A 15-min cron runs the sweep.
Approval config	(fixed in code)	The chain Coordinator → Advisor → Accountability → Executive is hard-coded and not configurable.
Contract config	(fixed in code)	Stage lifecycle & transitions are hard-coded; creation defaults clientPackage=SILVER, stage=QUESTIONNAIRE, maxPayout 60%, investigation 7d. Repeatable structure comes from Workflow templates, not a contract blueprint.
Security	Admin	Password policy ≥12 chars, mixed case + digit; bcrypt hashing; JWT sessions. No login lockout/rate-limiting (gap). Labyrinth is single-tenant — data is segregated by campaign-scope + classification, not tenancy.
Kill-switches	Admin / ops (env)	FLAG_ESCALATION_ENABLED (pauses comms escalation sweep), FLAG_HANDOFF_ENABLED (pauses CRM→Labyrinth receiver; closes roll back), FLAG_PORTAL_ENABLED (portal maintenance). All default ON; read live each call.

Reference

Troubleshooting

Validation & state errors

Symptom	Cause	Resolution / escalation
Milestone won't progress	An open CRITICAL red tag blocks the milestone	Resolve the red tag (CRITICAL blocks the milestone; BLOCKER blocks the whole contract).
Request won't progress	A WARNING red tag on it	Resolve the warning.
Contract won't reach COMPLETED	Milestones not all EXECUTED, or an open CRITICAL/BLOCKER red tag, or an unacked critical message	Execute milestones, resolve red tags, acknowledge the critical message.
“Can't create a request”	Missing contract/owner/tag/priority/dueAt (Golden Rule), or owner isn't leadership	Provide all Golden-Rule fields; set a leadership owner (specialists can't own).
“Contract must start at QUESTIONNAIRE” (422)	Tried to create at a later stage	Create it, then transition through the lifecycle.

Permission & approval errors

Symptom	Cause	Resolution / escalation
“Next required role is X”	Approving out of order	Approvals must go Coordinator → Advisor → Accountability → Executive.
Milestone approval stuck	Not all four chain roles have approved this cycle	Get all four; editing the milestone restarts the cycle.
“Not authorized to acknowledge this message”	Acker isn't the owner or a leadership role	The responsible owner or PD/Accountability/Executive/Admin must ack.
Permission denied	Role lacks the grant (see matrix)	Use a role with the grant, or ask Accountability/Admin.

Accountability, hand-off & access

Symptom	Cause	Resolution / escalation
Overdue work keeps escalating	The 15-min cron walks the ladder per the client-package policy	Accountability reassigns/extends with a reason at ESCALATED; adjust the package policy if needed.
Hand-off didn't create a contract	FLAG_HANDOFF_ENABLED off (close rolls back) or a config issue	Config matter — raise with eng; see Receiving the hand-off.
Portal shows a maintenance page	FLAG_PORTAL_ENABLED off	Re-enable the flag (ops).
Locked out after wrong password	Not possible — there is no lockout	Reset the password (12-char policy); flag the missing lockout as a hardening item.

Reference

End-to-end walkthroughs

Delivery: Contract → Milestones → Requests → Approval → Completion

Arrive (System Factory). A CRM close lands a contract at SIGNED/ONBOARDING; Accountability confirms ownership. (System Factory / Handoffs.)
Plan (Contracts). The Coordinator seeds milestones (NOT_STARTED) and delegates requests (Golden Rule: contract + title + tag + priority + owner + due). (Contracts / Requests.)
Execute (My Work). Specialists Start and Complete their requests; blockers become red tags. (My Work / Red Tags.)
Review (Approvals). Milestone moves to OPTIMIZED, then the chain signs off: Coordinator → Advisor → Accountability → Executive → EXECUTED. (Approvals.)
Complete & pay (Contracts → Payroll). All milestones EXECUTED, red tags clear → CONFIRMING → COMPLETED; after the investigation window → PAID. (Contracts / Payroll.)

Approval flow: Submission → Review → Approval → Escalation

Milestone reaches OPTIMIZED → enters the Approvals queue.
Each chain role reviews and approves in order (or rejects with notes).
All four approved → EXECUTED.
If a step stalls past its window, the linked owner is notified and the communications escalation advances PD → Accountability → Executive.

Accountability flow: Request → Overdue → Escalation → Resolution

A request passes its dueAt.
The 15-min cron sets REMINDER (before due) → WARNING (at +warningHours) → ESCALATED (at +escalationHours), per the contract's client-package policy.
It surfaces on the Accountability exception queue.
Accountability reassigns/extends with a reason, or the owner completes it — clearing the escalation.

Reference

Receiving the hand-off (for users)

What the delivery team sees when a new client arrives — and how to verify it.

What arrives

A new contract at stage SIGNED / journey ONBOARDING named “<Client> Operating Launch”, with three starter milestones (handoff, campaign readiness, first campaign) and operational requests (schedule kickoff, confirm onboarding access, publish first plan), plus a Rainfall message and a system event.

Where to find it

System Factory (the live hand-off queue), Handoffs (SLA board) and Contracts. Accountability confirms ownership; the Coordinator seeds milestones and delegates.

Prerequisites & post-conditions

Pre: the upstream deal/proposal completed (CRM Closed-Won, or Nexus proposal acceptance).
Post: an owned, governed contract ready for execution — requests appear in owners' My Work.

If a hand-off doesn't appear, it's typically the FLAG_HANDOFF_ENABLED kill-switch being off (the CRM close rolls back rather than losing data) or a config matter — raise with eng. [confirm with dev] for the exact Nexus→Labyrinth trigger in your environment.

Reference

QA verification — test plan

Turn-key checks a QA tester can run to prove the behaviours, not just read about them. Items 1–6 were verified live on the dev environment; expected results are exact.

Core flows

#	Test	Steps	Expected result
1	Sales handoff (e2e)	In ElevateCRM set a deal's contract value + payment terms, complete the handoff form, then move it to Closed Won.	A Labyrinth contract appears at SIGNED / ONBOARDING named “<Client> Operating Launch” with 3 milestones + 3 requests; the CRM deal records spiced.labyrinth_light = {status:'synced', created:true, contract_id}.
2	Accountability — Blocked Work	Open Accountability (block a request via a CRITICAL/BLOCKER red tag first).	A “Blocked Work” card + “Blocked” tile list the blocked requests with how long each has been blocked.
3	Accountability — Unowned Contracts	Open Accountability with ≥1 active contract that has no owner.	An “Unowned Contracts” card + tile list them, each linking to the contract.
4	Rainfall ack (allowed)	As the responsible owner or a leadership role, acknowledge a pending ack-required message.	Acknowledgement recorded; the message's escalation state becomes CLOSED.
5	Rainfall ack (refused)	As a non-owner, non-leadership user, try to acknowledge it.	Refused — “Not authorized to acknowledge this message”. The wrong person can never satisfy someone else's ack.
6	Password policy	On any set-password path submit a password under 12 chars or missing upper/lower/digit.	Rejected (“Password must be at least 12 characters.”). A compliant password is accepted.
7	Approval chain order	Try to record the Advisor approval before the Coordinator step.	Rejected — “Next required role is COORDINATOR”. Only the in-order step is accepted; all four (Coordinator→Advisor→Accountability→Executive) are needed for EXECUTED.
8	Kill-switches	Set FLAG_ESCALATION_ENABLED / FLAG_HANDOFF_ENABLED / FLAG_PORTAL_ENABLED = off and exercise that subsystem.	Comms escalation sweep skips (logged); handoff returns a failure so the CRM close rolls back (never silently lost); portal shows a maintenance page. Unset = normal.

Scope note: the Nexus → Labyrinth trigger is owned by the Nexus team — [confirm with dev]. Login lockout and multi-tenant isolation are not implemented — Labyrinth is single-tenant with campaign-scope + classification segregation; treat lockout as a known hardening gap.