Technical Reading Path
For technical reviewers evaluating SuiteCentral 2.0’s architecture, engineering quality, governance posture, and failure behavior.
This is a curated reading order — not the full catalog. The meta-index lists every page. Tone: precise, falsifiable, source-code-backed. This path assumes the reader will actually open the named files. Structure: watch the demo → verify the claims → walk the architecture → inspect the governance surface → then decide.
This path mirrors the Path C (Deep Proof, 50 minutes) reading flow from the live demo site’s three review paths, with links to the reconciled Brain1 wiki pages rather than the external URLs.
If you only have 5 minutes — the technical TL;DR
Read the Executive Reading Guide section 3 (“What’s been verified”) for the canonical test numbers, AI provider stack, and SOC 2 mapping summary. Every detail below hangs off that section.
Path C: Deep Proof (50 min, technical due diligence)
Step 1: See the product actually run (20 min)
Start with the live demos. These are the evidence a CTO should actually watch, not take on faith.
- Context Sidecar — the killer app. The Watch track has two variants: a full cut (~72 seconds of narration) that walks the full NetSuite AP workflow with vendor/customer/invoice/PO contexts and pause-payments mitigation, and a highlight cut (~24 seconds) for fast review. Both are narrated per narration-scripts.
- The Three Review Paths — the 7-scene storyboard (Problem → Intro → AI Field Mapping → Governance → Context Sidecar → NL Action Gate → Opportunity) and the 19-card Watch playlist structure.
- MDM Central — golden-record operating model, duplicate detection, stewardship queues, built into the core (not a standalone product).
Step 2: Verify the module footprint by function area (5 min)
- The 16-Module Library — the definitive 12 core + 4 extension/platform split. Every module has a one-line description from Watch-track narration. Installer Central uses a native `<track>` VTT rather than Web Speech synthesis, which is why it was briefly flagged as a gap (now resolved).
Step 3: Inspect the technical proof (10 min)
- Production Proof — the canonical numbers:
  - 100% suite pass rate (419 suites)
  - 9,476 tests passing (34 skipped) = 9,286 unit + 170 integration + 20 E2E portal
  - 64.59% line coverage across 45,757 lines of production TypeScript
  - ~854K text LOC across 2,282 tracked files (362,598 TypeScript total, 210,856 Markdown, 182,416 HTML)
  - Architecture signals (grep-based): ~1,035 route definitions, ~242 service files, ~378 DI bindings, ~147 AI-related files, ~38 connector files
  - Squire’s actual NetSuite sandbox: `TSTDRV2698307` — full CRUD verified across customer / vendor / transaction / custom record / saved search
- 04-technical-proof — the 4-tier feature inventory. Only Predictive Ops is on the roadmap; every other feature (AI Field Mapping v2.5, Context Sidecar v3.2, NL Action Gate v3.3 with 6 live actions, Schema Drift Shield v3.3, Golden Record MDM v3.4, Governance Pacer v2.4, Approve-to-Apply v2.4, etc.) is shipping.
- 23-engineering-scale-quality — the full benchmark narrative with LOC-by-area, language footprint, methodology (uses `git ls-files`, `wc -l`, `npm run test:coverage:ci`, `npm run test:e2e`), and executive comparability benchmarks (Workiva, AuditBoard, Thomson Reuters/CCH, Celigo, Boomi, MuleSoft).
Step 4: Walk the architecture — AI providers, MCP gateway, and the governance pipeline (10 min)
- ai-provider-system — the multi-provider AI architecture:
  - 7 total providers: 4 Real (OpenAI, Claude, OpenRouter, LMStudio) + 2 Experimental (Gemini, Grok) + 1 Fallback (Rule-Based 78% accuracy)
  - 3 routing layers: AIConfigurationService + TaskAwareProviderFactory (primary path), ProviderFactory Week 9 tier-based routing (premium/default/economy/local), IntelligentProviderRouter (6-dimensional scoring with session budget guard and `reroutedFrom` metadata)
  - 4 task types: field_mapping, quality_assessment, data_validation, transformation_suggestion
  - AES-256 encrypted API keys at rest
- mcp-gateway-architecture — the MCP gateway architecture:
  - Single JSON-RPC entrypoint: `POST /api/ai/proxy/mcp`
  - 3 base tools always available: `suitecentral.field_mapping_suggest`, `suitecentral.integration_status`, `suitecentral.governance_check`
  - 2 gateway tools feature-flagged: `suitecentral.mcp_discover`, `suitecentral.mcp_call`
  - 7-step policy evaluation (deny-by-default with multiple override paths)
  - 6-step governance pipeline for mcp_call: policy decision → governance input validation → adapter execution → DLP scanning → audit event → cost tracking
  - OTel span `mcp.proxy.call` with tool/system/tenant/policy/governance/latency/PII attributes
  - Source file paths are named: `src/routes/ai-proxy/MCPRouter.ts`, `src/services/mcp/MCPAggregatorService.ts`, `src/services/mcp/MCPPolicyService.ts`, etc. — a reviewer can open these directly.
- suitecentral-2-overview — the middle-intelligence-layer framing and the four enterprise safety mechanisms (Reasoning Trace Engine, Governance Pacer, DLP PII Shield, Approved To Apply) as the architectural implementation of the governance layer.
- Natural Language Action Gate — regex fast-path + LLM fallback + allowlist filtering. v3.3.0 shipping with 6 live actions.
Step 5: Verify the governance surface (SOC 2 + Oracle comparison) (10 min)
- SOC 2 Compliance Dashboard — the single most important verification artifact. All 5 Trust Services Criteria mapped to production code with specific source file paths:
  - CC6 Security: `src/middleware/auth.ts` (JWT), `src/middleware/rbac.ts` (RBAC), `crypto.timingSafeEqual` (timing attacks), rate limiting, production guards
  - A1 Availability: `/health` endpoints, circuit breakers, RTO/RPO, Kubernetes 2-10 replica auto-scaling
  - PI1 Processing Integrity: AI confidence scoring (0-100), hallucination detection, `SCHEMA_DRIFT_BLOCKED` result code, DB-persisted reasoning traces
  - C1 Confidentiality: 8 DLP/PII patterns (SSN, credit card, email, phone, DOB, passport, bank account, driver license), `maskSensitiveData()` utility, encrypted credential storage
  - P1 Privacy: GDPR/CCPA compliance, audit trail logging, 90-day default data retention

  The dashboard also has a one-click Evidence Export button that POSTs to `/api/compliance/export` and downloads a JSON evidence package — the CTO should actually click it.
- Oracle NSIP vs SuiteCentral 2.0 — the 8-row competitive feature matrix. Oracle NSIP is missing every governance capability. Concrete demo: the same “Revenue” → “revenue_field” mapping shown through both products. Oracle NSIP is OIC R3 rebranded, not a new product.
- The Competitive Landscape — date-stamped register of Celigo, Boomi, MuleSoft, Oracle NSIP, MCP ecosystem, and the EU AI Act enforcement anchors (August 2, 2026) + Colorado AI Act (June 30, 2026).
Step 6: The pilot decision (at the end) (5 min)
- 90 Pilot — the 30-day evaluation phase + 90-day pilot with three-phase activity list (Day 1-30 Setup, Day 31-60 Controlled Execution, Day 61-90 Scale Decision). Four Gate Metrics: ≥50% time-to-integrate reduction, ≥70% error rate reduction, economics within ROI range, governance evidence exported. The only hard gate is end-of-phase-3; Day 30 and Day 60 are phase transitions.
- CTO Role Brief — what the CTO should ask for before approval: watch clips, SOC 2 TSC mapping document, failure-path visibility, verification of the four named safety mechanisms.
The Squire-specific anchor facts (for your verification notes)
Facts specific to Squire’s environment and adoption case that a CTO should sanity-check:
- Squire’s NetSuite sandbox: `TSTDRV2698307` (per 04-technical-proof)
- NetSuite API concurrency limits: 5 concurrent / 10 RPS (per oracle-comparison “For Operations” card) — this is the budget the Governance Pacer enforces
- Squire currently runs SuiteCentral 1.0 in production (per read-elevator-pitch). SC 2.0 is production-ready but NOT yet deployed in Squire production.
- The 6 named production connectors (per canonical-metrics): NetSuite, Business Central, Salesforce, HubSpot, ShipStation, Oracle — spans ERP + CRM + logistics
Regulatory anchors (why this matters on a timeline)
- EU AI Act: full enforcement August 2, 2026. High-risk AI systems in financial processes must provide reasoning traces, human oversight, and risk assessments. Black-box AI will not pass audit.
- Colorado AI Act (SB 24-205): enforcement June 30, 2026. Developers/deployers of high-risk AI must use reasonable care to prevent algorithmic discrimination.
Both dates are tracked on the compliance dashboard’s Regulatory Timeline section with live countdowns.
Source file reference (if you want to read the code)
Beyond the wiki, the Preston-Test repo has these file locations for direct inspection:
| Subsystem | Files |
|---|---|
| NetSuite connector | src/connectors/NetSuiteConnector.ts (500+ LOC, OAuth 1.0 HMAC-SHA256) |
| Business Central connector | src/connectors/BusinessCentralConnector.ts (400+ LOC, OAuth 2.0 + OData) |
| AI Field Mapping | multi-provider + RAG, 1,500+ LOC |
| MDM Engine | Golden Record + Survivorship, 800+ LOC |
| Context Sidecar | PostMessage + Context Bus, 600+ LOC |
| MCP Router | src/routes/ai-proxy/MCPRouter.ts |
| MCP Aggregator | src/services/mcp/MCPAggregatorService.ts |
| MCP Policy | src/services/mcp/MCPPolicyService.ts, table mcp_tool_policies, API /api/mcp/policies |
| NetSuite MCP Client | src/services/netsuite/mcp/NetSuiteOfficialMcpClient.ts |
| Business Central MCP Client | src/services/bc/mcp/BusinessCentralMcpClient.ts |
| DI config | src/inversify/inversify.config.ts |
| Auth middleware | src/middleware/auth.ts |
| RBAC middleware | src/middleware/rbac.ts |
Last refreshed: 2026-04-07. Mirrors Path C from the live demo site’s review flow.