Safe signer session path
- 01
Operator signs in
Tenant identity and authenticator guardrails stay in front of workflow access.
- 02
Workflow is started
Engine status and signer-role steps are tenant-scoped and read through protected admin views.
- 03
Session is prepared
Setup stores fingerprint-only proof with a bounded lifetime and returns a safe DTO.
- 04
Signer task is viewed
Task-session status exposes workflow and step state without session material.
- 05
Command is preflighted
Viewed, signed and declined commands are checked before execution.
- 06
State changes only
Signed and declined commands can update workflow state; document sealing remains closed.