# Technical Reading Path

For technical reviewers evaluating SuiteCentral 2.0's architecture, engineering quality, governance posture, and failure behavior.

> This is a curated reading order — not the full catalog. The [meta-index](index.md) lists every page.
> **Tone**: precise, falsifiable, source-code-backed. This path assumes the reader will actually open the named files.
> **Structure**: watch the demo → verify the claims → walk the architecture → inspect the governance surface → then decide.

This path mirrors the **Path C (Deep Proof, 50 minutes)** reading flow from the live demo site's [[pages/concepts/three-review-paths|three review paths]], with links to the reconciled Brain1 wiki pages rather than the external URLs.

---

## If you only have 5 minutes — the technical TL;DR

Read **[[pages/synthesis/executive-reading-guide|the Executive Reading Guide]]** section 3 ("What's been verified") for the canonical test numbers, AI provider stack, and SOC 2 mapping summary. Every detail below hangs off that section.

---

## Path C: Deep Proof (50 min, technical due diligence)

### Step 1: See the product actually run *(20 min)*

Start with the live demos. These are the evidence a CTO should actually watch, not take on faith.

1. **[[pages/modules/context-sidecar|Context Sidecar]]** — the killer app. The Watch track has two variants: a full cut (~72 seconds of narration) that walks the full NetSuite AP workflow with vendor/customer/invoice/PO contexts and pause-payments mitigation, and a highlight cut (~24 seconds) for fast review. Both are narrated per [[sources/narration-scripts]].
2. **[[pages/concepts/three-review-paths|The Three Review Paths]]** — the 7-scene storyboard (Problem → Intro → AI Field Mapping → Governance → Context Sidecar → NL Action Gate → Opportunity) and the 19-card Watch playlist structure.
3. **[[pages/modules/mdm-central|MDM Central]]** — golden-record operating model, duplicate detection, stewardship queues, built into the core (not a standalone product).

### Step 2: Verify the module footprint by function area *(5 min)*

4. **[[pages/concepts/module-library|The 16-Module Library]]** — the definitive 12 core + 4 extension/platform split. Every module has a one-line description from Watch-track narration. Installer Central uses a native `<track>` VTT rather than Web Speech synthesis, which is why it was briefly flagged as a gap (now resolved).

### Step 3: Inspect the technical proof *(10 min)*

5. **[[pages/concepts/production-proof|Production Proof]]** — the canonical numbers:
   - **100% suite pass rate** (419 suites)
   - **9,476 tests passing** (34 skipped) = 9,286 unit + 170 integration + 20 E2E portal
   - **64.59% line coverage** across 45,757 lines of production TypeScript
   - **~854K text LOC** across 2,282 tracked files (362,598 TypeScript total, 210,856 Markdown, 182,416 HTML)
   - **Architecture signals** (grep-based): ~1,035 route definitions, ~242 service files, ~378 DI bindings, ~147 AI-related files, ~38 connector files
   - **Squire's actual NetSuite sandbox**: `TSTDRV2698307` — full CRUD verified across customer / vendor / transaction / custom record / saved search
6. **[[sources/04-technical-proof]]** — the 4-tier feature inventory. **Only Predictive Ops is on the roadmap**; every other feature (AI Field Mapping v2.5, Context Sidecar v3.2, NL Action Gate v3.3 with 6 live actions, Schema Drift Shield v3.3, Golden Record MDM v3.4, Governance Pacer v2.4, Approve-to-Apply v2.4, etc.) is shipping.
7. **[[sources/23-engineering-scale-quality]]** — the full benchmark narrative with LOC-by-area, language footprint, methodology (uses `git ls-files`, `wc -l`, `npm run test:coverage:ci`, `npm run test:e2e`), and executive comparability benchmarks (Workiva, AuditBoard, Thomson Reuters/CCH, Celigo, Boomi, MuleSoft).

### Step 4: Walk the architecture — AI providers, MCP gateway, and the governance pipeline *(10 min)*

8. **[[sources/ai-provider-system]]** — the multi-provider AI architecture:
   - **7 total providers**: 4 Real (OpenAI, Claude, OpenRouter, LMStudio) + 2 Experimental (Gemini, Grok) + 1 Fallback (Rule-Based, 78% accuracy)
   - **3 routing layers**: AIConfigurationService + TaskAwareProviderFactory (primary path), ProviderFactory Week 9 tier-based routing (premium/default/economy/local), IntelligentProviderRouter (6-dimensional scoring with session budget guard and `reroutedFrom` metadata)
   - **4 task types**: field_mapping, quality_assessment, data_validation, transformation_suggestion
   - **AES-256 encrypted API keys** at rest
9. **[[sources/mcp-gateway-architecture]]** — the MCP gateway architecture:
   - Single JSON-RPC entrypoint: `POST /api/ai/proxy/mcp`
   - **3 base tools** always available: `suitecentral.field_mapping_suggest`, `suitecentral.integration_status`, `suitecentral.governance_check`
   - **2 gateway tools** feature-flagged: `suitecentral.mcp_discover`, `suitecentral.mcp_call`
   - **7-step policy evaluation** (deny-by-default with multiple override paths)
   - **6-step governance pipeline for mcp_call**: policy decision → governance input validation → adapter execution → DLP scanning → audit event → cost tracking
   - OTel span `mcp.proxy.call` with tool/system/tenant/policy/governance/latency/PII attributes
   - Source file paths are named: `src/routes/ai-proxy/MCPRouter.ts`, `src/services/mcp/MCPAggregatorService.ts`, `src/services/mcp/MCPPolicyService.ts`, etc. — a reviewer can open these directly.
10. **[[pages/concepts/suitecentral-2-overview]]** — the middle-intelligence-layer framing and the four enterprise safety mechanisms (Reasoning Trace Engine, Governance Pacer, DLP PII Shield, Approved To Apply) as the architectural implementation of the governance layer.
11. **[[pages/concepts/nl-action-gate|Natural Language Action Gate]]** — regex fast-path + LLM fallback + allowlist filtering. v3.3.0 shipping with 6 live actions.

### Step 5: Verify the governance surface (SOC 2 + Oracle comparison) *(10 min)*

12. **[[pages/entities/compliance-dashboard|SOC 2 Compliance Dashboard]]** — **the single most important verification artifact**. All 5 Trust Services Criteria mapped to production code with specific source file paths:
    - **CC6 Security**: `src/middleware/auth.ts` (JWT), `src/middleware/rbac.ts` (RBAC), `crypto.timingSafeEqual` (constant-time comparison against timing attacks), rate limiting, production guards
    - **A1 Availability**: `/health` endpoints, circuit breakers, RTO/RPO, Kubernetes 2-10 replica auto-scaling
    - **PI1 Processing Integrity**: AI confidence scoring (0-100), hallucination detection, `SCHEMA_DRIFT_BLOCKED` result code, DB-persisted reasoning traces
    - **C1 Confidentiality**: 8 DLP/PII patterns (SSN, credit card, email, phone, DOB, passport, bank account, driver license), `maskSensitiveData()` utility, encrypted credential storage
    - **P1 Privacy**: GDPR/CCPA compliance, audit trail logging, 90-day default data retention

    The dashboard also has a **one-click Evidence Export** button that POSTs to `/api/compliance/export` and downloads a JSON evidence package — the CTO should actually click it.
13. **[[pages/concepts/oracle-comparison|Oracle NSIP vs SuiteCentral 2.0]]** — the 8-row competitive feature matrix. Oracle NSIP is missing every governance capability. Concrete demo: the same "Revenue" → "revenue_field" mapping shown through both products. Oracle NSIP is **OIC R3 rebranded**, not a new product.
14. **[[pages/concepts/competitive-landscape|The Competitive Landscape]]** — date-stamped register of Celigo, Boomi, MuleSoft, Oracle NSIP, MCP ecosystem, and the EU AI Act enforcement anchors (August 2, 2026) + Colorado AI Act (June 30, 2026).

### Step 6: The pilot decision (at the end) *(5 min)*

15. **[[pages/concepts/pilot-30-60-90|The 30/60/90 Pilot]]** — the 30-day evaluation phase + 90-day pilot with three-phase activity list (Day 1-30 Setup, Day 31-60 Controlled Execution, Day 61-90 Scale Decision). Four Gate Metrics: ≥50% time-to-integrate reduction, ≥70% error rate reduction, economics within ROI range, governance evidence exported. The **only hard gate** is end-of-phase-3; Day 30 and Day 60 are phase transitions.
16. **[[pages/role-briefs/cto|CTO Role Brief]]** — what the CTO should ask for before approval: watch clips, SOC 2 TSC mapping document, failure-path visibility, verification of the four named safety mechanisms.

---

## The Squire-specific anchor facts (for your verification notes)

Facts specific to Squire's environment and adoption case that a CTO should sanity-check:

- **Squire's NetSuite sandbox**: `TSTDRV2698307` (per [[sources/04-technical-proof]])
- **NetSuite API concurrency limits**: 5 concurrent / 10 RPS (per [[sources/oracle-comparison]] "For Operations" card) — this is the budget the Governance Pacer enforces
- **Squire currently runs SuiteCentral 1.0 in production** (per [[sources/read-elevator-pitch]]). SC 2.0 is production-ready but NOT yet deployed in Squire production.
- **The 6 named production connectors** (per [[pages/concepts/canonical-metrics]]): NetSuite, Business Central, Salesforce, HubSpot, ShipStation, Oracle — spans ERP + CRM + logistics

---

## Regulatory anchors (why this matters on a timeline)

- **EU AI Act**: full enforcement August 2, 2026. High-risk AI systems in financial processes must provide reasoning traces, human oversight, and risk assessments. Black-box AI will not pass audit.
- **Colorado AI Act (SB 24-205)**: enforcement June 30, 2026. Developers/deployers of high-risk AI must use reasonable care to prevent algorithmic discrimination.

Both dates are tracked on the [[pages/entities/compliance-dashboard|compliance dashboard]]'s Regulatory Timeline section with live countdowns.

---

## Source file reference (if you want to read the code)

Beyond the wiki, the Preston-Test repo has these file locations for direct inspection:

| Subsystem | Files |
|---|---|
| NetSuite connector | `src/connectors/NetSuiteConnector.ts` (500+ LOC, OAuth 1.0 HMAC-SHA256) |
| Business Central connector | `src/connectors/BusinessCentralConnector.ts` (400+ LOC, OAuth 2.0 + OData) |
| AI Field Mapping | multi-provider + RAG, 1,500+ LOC |
| MDM Engine | Golden Record + Survivorship, 800+ LOC |
| Context Sidecar | PostMessage + Context Bus, 600+ LOC |
| MCP Router | `src/routes/ai-proxy/MCPRouter.ts` |
| MCP Aggregator | `src/services/mcp/MCPAggregatorService.ts` |
| MCP Policy | `src/services/mcp/MCPPolicyService.ts`, table `mcp_tool_policies`, API `/api/mcp/policies` |
| NetSuite MCP Client | `src/services/netsuite/mcp/NetSuiteOfficialMcpClient.ts` |
| Business Central MCP Client | `src/services/bc/mcp/BusinessCentralMcpClient.ts` |
| DI config | `src/inversify/inversify.config.ts` |
| Auth middleware | `src/middleware/auth.ts` |
| RBAC middleware | `src/middleware/rbac.ts` |

---

*Last refreshed: 2026-04-07. Mirrors Path C from the live demo site's review flow.*
