diff --git a/next-app/app/api/chat/stream/route.ts b/next-app/app/api/chat/stream/route.ts
index a983cd7..1e7bf8b 100644
--- a/next-app/app/api/chat/stream/route.ts
+++ b/next-app/app/api/chat/stream/route.ts
@@ -8,13 +8,18 @@ function* fakeStream(text: string) {
   }
 }
 
+import { preFilter, steerPrompt, postModerate } from '@/lib/safety/pipeline';
+
 function streamForMessage(message: string) {
   const ctrl = new AbortController();
   const stream = new ReadableStream<Uint8Array>({
     async start(controller) {
       try {
-        const reply = `Echo: ${message}`;
-        const meta = { layer: 'surface', model: 'mock', version: '0.0.1', latencyMs: 42 };
+        const pre = preFilter(message);
+        const safePrompt = steerPrompt(message);
+        const reply = `Echo: ${safePrompt}`;
+        const post = postModerate(reply);
+        const meta = { layer: 'surface', model: 'mock', version: '0.0.1', latencyMs: 42, pre, post };
         controller.enqueue(encode(`event: meta\ndata: ${JSON.stringify(meta)}\n\n`));
         for (const chunk of fakeStream(reply)) {
           await new Promise(r => setTimeout(r, 10));
diff --git a/next-app/app/api/consent/route.ts b/next-app/app/api/consent/route.ts
new file mode 100644
index 0000000..704ba53
--- /dev/null
+++ b/next-app/app/api/consent/route.ts
@@ -0,0 +1,18 @@
+import { NextRequest } from 'next/server';
+import { appendConsentEvent, exportConsent } from '@/lib/privacy/consentLedger';
+
+export const runtime = 'nodejs';
+
+export async function POST(req: NextRequest) {
+  const { userId = 'demo', sessionId, action } = await req.json();
+  if (!['persist_on','persist_off','export'].includes(action)) return new Response('bad action', { status: 400 });
+  const ev = await appendConsentEvent({ userId, sessionId, action, ts: new Date().toISOString() as any });
+  return Response.json(ev);
+}
+
+export async function GET(req: NextRequest) {
+  const { searchParams } = new URL(req.url);
+  const userId = searchParams.get('userId') ?? 'demo';
+  const data = await exportConsent(userId);
+  return Response.json(data);
+}
diff --git a/next-app/app/api/risk/scores/route.ts b/next-app/app/api/risk/scores/route.ts
new file mode 100644
index 0000000..e160a18
--- /dev/null
+++ b/next-app/app/api/risk/scores/route.ts
@@ -0,0 +1,11 @@
+export const runtime = 'nodejs';
+export async function GET() {
+  // Mock time-series risk per layer: core/operational/context
+  const now = Date.now();
+  const series = ['core','operational','context'].map((k, i) => ({
+    key: k,
+    points: Array.from({ length: 12 }, (_, j) => ({ t: now - (11 - j) * 3600_000, v: clamp(0, 100, 30 + i*20 + Math.sin(j/2+i)*15 + Math.random()*10) }))
+  }));
+  return Response.json({ series });
+}
+function clamp(min:number,max:number,v:number){return Math.max(min,Math.min(max,v));}
diff --git a/next-app/app/chat/page.tsx b/next-app/app/chat/page.tsx
index 4c47988..9427427 100644
--- a/next-app/app/chat/page.tsx
+++ b/next-app/app/chat/page.tsx
@@ -49,7 +49,7 @@ export default function ChatPage() {
 
   return (
     <div className="space-y-4">
-      <h1 className="text-2xl font-semibold">Chat</h1>
+      <h1 className="text-2xl font-semibold">Chat <span className="text-xs align-middle text-slate-500">(ephemeral by default)</span></h1>
       <div className="rounded border bg-white p-3">
         <div className="space-y-3" role="log" aria-live="polite">
           {messages.map((m, i) => (
@@ -63,10 +63,11 @@ export default function ChatPage() {
             </div>
           ))}
         </div>
-        <div className="mt-3 flex gap-2">
+        <div className="mt-3 flex flex-wrap items-center gap-2">
           <input value={input} onChange={e=>setInput(e.target.value)} className="flex-1 rounded border px-3 py-2" placeholder="Type a message..." />
           <button onClick={send} disabled={streaming} className="rounded bg-amber-600 px-4 py-2 text-white disabled:opacity-50">Send</button>
           {fallback && <span className="text-xs text-slate-500">Fallback in use</span>}
+          <a href="/api/consent?userId=demo" target="_blank" className="text-xs text-amber-700 underline">Export consent ledger</a>
         </div>
       </div>
     </div>
diff --git a/next-app/app/docs/governance-terms-mapping/page.tsx b/next-app/app/docs/governance-terms-mapping/page.tsx
new file mode 100644
index 0000000..979cdbb
--- /dev/null
+++ b/next-app/app/docs/governance-terms-mapping/page.tsx
@@ -0,0 +1,7 @@
+import { readFileSync } from 'fs';
+import path from 'path';
+export const dynamic = 'force-static';
+export default function Page() {
+  const md = readFileSync(path.join(process.cwd(), 'next-app', 'docs', 'governance-terms-mapping.md'), 'utf8');
+  return <pre className="whitespace-pre-wrap text-sm">{md}</pre>;
+}
diff --git a/next-app/app/docs/readiness-checklist/page.tsx b/next-app/app/docs/readiness-checklist/page.tsx
new file mode 100644
index 0000000..b3141e6
--- /dev/null
+++ b/next-app/app/docs/readiness-checklist/page.tsx
@@ -0,0 +1,7 @@
+import { readFileSync } from 'fs';
+import path from 'path';
+export const dynamic = 'force-static';
+export default function Page() {
+  const md = readFileSync(path.join(process.cwd(), 'next-app', 'docs', 'readiness-checklist.md'), 'utf8');
+  return <pre className="whitespace-pre-wrap text-sm">{md}</pre>;
+}
diff --git a/next-app/app/docs/roadmap/page.tsx b/next-app/app/docs/roadmap/page.tsx
new file mode 100644
index 0000000..0847df7
--- /dev/null
+++ b/next-app/app/docs/roadmap/page.tsx
@@ -0,0 +1,7 @@
+import { readFileSync } from 'fs';
+import path from 'path';
+export const dynamic = 'force-static';
+export default function Page() {
+  const md = readFileSync(path.join(process.cwd(), 'next-app', 'docs', 'roadmap.md'), 'utf8');
+  return <pre className="whitespace-pre-wrap text-sm">{md}</pre>;
+}
diff --git a/next-app/app/docs/strategy-map/page.tsx b/next-app/app/docs/strategy-map/page.tsx
new file mode 100644
index 0000000..7862687
--- /dev/null
+++ b/next-app/app/docs/strategy-map/page.tsx
@@ -0,0 +1,7 @@
+import { readFileSync } from 'fs';
+import path from 'path';
+export const dynamic = 'force-static';
+export default function Page() {
+  const md = readFileSync(path.join(process.cwd(), 'next-app', 'docs', 'strategy-map.md'), 'utf8');
+  return <pre className="whitespace-pre-wrap text-sm">{md}</pre>;
+}
diff --git a/next-app/app/governance/maturity/page.tsx b/next-app/app/governance/maturity/page.tsx
new file mode 100644
index 0000000..6dfb080
--- /dev/null
+++ b/next-app/app/governance/maturity/page.tsx
@@ -0,0 +1,103 @@
+import { readFileSync } from 'fs';
+import path from 'path';
+
+export const metadata = { title: 'Governance Capability Matrix' } as const;
+export const dynamic = 'force-static';
+
+type Dimension = {
+  id: string;
+  name: string;
+  phase: string;
+  score: number; // 0-5
+  evidence: string[];
+  gaps: string[];
+  remediation: string[];
+  links?: Record<string, string>;
+};
+
+type Maturity = { dimensions: Dimension[] };
+
+function gateText(score: number) {
+  if (score < 2) return { label: 'Do not advance', color: '#dc2626', note: 'Address gaps before proceeding' };
+  if (score < 4) return { label: 'Proceed with guardrails', color: '#f59e0b', note: 'Monitor and document mitigations' };
+  return { label: 'Clear to advance', color: '#16a34a', note: 'Maintain controls and evidence' };
+}
+
+function scoreColor(score: number) {
+  if (score <= 1) return '#b91c1c';
+  if (score === 2) return '#e11d48';
+  if (score === 3) return '#f59e0b';
+  if (score === 4) return '#10b981';
+  return '#059669';
+}
+
+export default function Page() {
+  const file = path.join(process.cwd(), 'next-app', 'data', 'maturity.json');
+  const data: Maturity = JSON.parse(readFileSync(file, 'utf8'));
+  return (
+    <main className="space-y-4">
+      <h1 className="text-2xl font-semibold">Governance Capability Matrix</h1>
+      <p className="text-sm text-slate-600">Scores (0–5), evidence, gaps, remediation and gating guidance per dimension.</p>
+
+      <div className="grid gap-4 md:grid-cols-2 xl:grid-cols-3">
+        {data.dimensions.map((d) => {
+          const gate = gateText(d.score);
+          return (
+            <section key={d.id} className="rounded border bg-white p-4 shadow-sm">
+              <header className="mb-2 flex items-center justify-between">
+                <div>
+                  <div className="text-base font-semibold text-slate-800">{d.name}</div>
+                  <div className="text-xs text-slate-500">Phase: {d.phase}</div>
+                </div>
+                <div className="text-right">
+                  <span className="inline-flex items-center gap-1 rounded border px-2 py-0.5 text-xs" style={{ borderColor: scoreColor(d.score), color: scoreColor(d.score) }}>
+                    Score <strong className="ml-1">{d.score}</strong>
+                  </span>
+                  <div className="mt-1 text-xs" style={{ color: gate.color }}>{gate.label}</div>
+                </div>
+              </header>
+
+              {d.evidence?.length ? (
+                <div className="mb-2">
+                  <div className="mb-1 text-xs font-semibold text-slate-700">Evidence</div>
+                  <ul className="list-disc pl-5 text-sm text-slate-700">
+                    {d.evidence.map((e, i) => (<li key={i}>{e}</li>))}
+                  </ul>
+                </div>
+              ) : null}
+
+              {d.gaps?.length ? (
+                <div className="mb-2">
+                  <div className="mb-1 text-xs font-semibold text-slate-700">Gaps</div>
+                  <ul className="list-disc pl-5 text-sm text-slate-700">
+                    {d.gaps.map((g, i) => (<li key={i}>{g}</li>))}
+                  </ul>
+                  <div className="mt-2 rounded bg-red-50 p-2 text-xs text-red-700">{gate.note}</div>
+                </div>
+              ) : null}
+
+              {d.remediation?.length ? (
+                <div className="mb-2">
+                  <div className="mb-1 text-xs font-semibold text-slate-700">Remediation</div>
+                  <ul className="list-disc pl-5 text-sm text-slate-700">
+                    {d.remediation.map((r, i) => (<li key={i}>{r}</li>))}
+                  </ul>
+                </div>
+              ) : null}
+
+              {d.links && Object.keys(d.links).length > 0 ? (
+                <div className="mt-3 flex flex-wrap gap-2 text-xs">
+                  {Object.entries(d.links).map(([k, v]) => (
+                    <a key={k} href={v} className="rounded border border-amber-300 bg-amber-50 px-2 py-1 text-amber-800 underline">
+                      {k}
+                    </a>
+                  ))}
+                </div>
+              ) : null}
+            </section>
+          );
+        })}
+      </div>
+    </main>
+  );
+}
diff --git a/next-app/app/governance/page.tsx b/next-app/app/governance/page.tsx
new file mode 100644
index 0000000..bd64241
--- /dev/null
+++ b/next-app/app/governance/page.tsx
@@ -0,0 +1,19 @@
+import Link from 'next/link';
+
+export const metadata = { title: 'Governance Cockpit' };
+export default function GovernancePage() {
+  return (
+    <main className="space-y-4">
+      <h1 className="text-2xl font-semibold">Governance Cockpit</h1>
+      <p className="text-sm text-slate-600">Board-ready artifact hub with live roadmap, mappings, and templates.</p>
+      <ul className="list-disc pl-6 text-amber-800">
+        <li><Link href="/docs/roadmap" className="underline">Roadmap (capacity-aware)</Link></li>
+        <li><Link href="/docs/governance-terms-mapping" className="underline">Integrated 18‑Point Mapping</Link></li>
+        <li><Link href="/docs/readiness-checklist" className="underline">Implementation Readiness Checklist</Link></li>
+        <li><Link href="/templates/artefact-templates" className="underline">Governance Artefact Templates</Link></li>
+        <li><Link href="/governance/maturity" className="underline">Governance Capability Matrix</Link></li>
+        <li><Link href="/risk" className="underline">Interactive Risk & Governance Demos</Link></li>
+      </ul>
+    </main>
+  );
+}
diff --git a/next-app/app/risk/page.tsx b/next-app/app/risk/page.tsx
new file mode 100644
index 0000000..89ec60a
--- /dev/null
+++ b/next-app/app/risk/page.tsx
@@ -0,0 +1,106 @@
+export const metadata = { title: 'AI Risk Navigator' } as const;
+import { PULSE_SCRIPT } from './pulse-script';
+
+export default function RiskPage() {
+  return (
+    <main className="space-y-4">
+      <h1 className="text-2xl font-semibold">Interactive 10-Stage AI Risk Matrix <span id="pulse" className="ml-2 text-xs text-slate-500"></span></h1>
+      <p className="text-sm text-slate-600">Filterable matrix and governance dashboard demos.</p>
+      <iframe id="riskFrame" srcDoc={RISK_HTML} className="h-[80vh] w-full rounded border" />
+      <script dangerouslySetInnerHTML={{__html: PULSE_SCRIPT}} />
+    </main>
+  );
+}
+
+const RISK_HTML = `<!DOCTYPE html>
+<html lang="en"><head><meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0">
+<style>html,body{margin:0;padding:0}</style>
+</head><body>
+${MATRIX_SECTION}
+${GOV_DASHBOARD}
+<script>window.addEventListener('message',e=>{if(e.data&&e.data.type==='risk-pulse'){document.body.style.boxShadow='inset 0 0 0 3px rgba(234,179,8,.6)';setTimeout(()=>{document.body.style.boxShadow='none';},300);}})</script>
+</body></html>`;
+
+const MATRIX_SECTION = `
+<div style="padding:16px;font-family:Segoe UI,Tahoma,Geneva,Verdana,sans-serif;background:linear-gradient(135deg,#667eea 0%,#764ba2 100%);">
+  <div style="background:rgba(255,255,255,0.95);backdrop-filter:blur(10px);border-radius:16px;padding:16px;max-width:1400px;margin:0 auto;">
+    <h2 style="margin:0 0 8px 0;color:#2c3e50;font-size:20px;font-weight:600;text-align:center">Interactive Cross-Stage AI Risk Matrix</h2>
+    <div style="text-align:center;margin-bottom:8px">
+      <button onclick="toggleColumn('persistent')" style="margin:0 4px;padding:6px 10px;border:none;border-radius:6px;background:#4a5568;color:#fff;cursor:pointer;font-size:12px">Toggle Persistent</button>
+      <button onclick="toggleColumn('evolving')" style="margin:0 4px;padding:6px 10px;border:none;border-radius:6px;background:#4a5568;color:#fff;cursor:pointer;font-size:12px">Toggle Evolving</button>
+      <button onclick="toggleColumn('emergent')" style="margin:0 4px;padding:6px 10px;border:none;border-radius:6px;background:#4a5568;color:#fff;cursor:pointer;font-size:12px">Toggle Emergent</button>
+    </div>
+    <table id="matrix" style="width:100%;border-collapse:collapse;background:#fff;border-radius:12px;overflow:hidden;box-shadow:0 10px 30px rgba(0,0,0,.1)">
+      <thead>
+        <tr>
+          <th style="background:#1a202c;color:#fff;padding:10px;font-size:13px;border:1px solid #4a5568">Development Stage</th>
+          <th class="persistent" style="background:#1a202c;color:#fff;padding:10px;font-size:13px;border:1px solid #4a5568">Persistent Risks</th>
+          <th class="evolving" style="background:#1a202c;color:#fff;padding:10px;font-size:13px;border:1px solid #4a5568">Evolving Risks</th>
+          <th class="emergent" style="background:#1a202c;color:#fff;padding:10px;font-size:13px;border:1px solid #4a5568">Emergent Risks</th>
+        </tr>
+      </thead>
+      <tbody>
+        ${[1,2,3,4,5,6,7,8,9,10].map(n=>`<tr>
+          <td style="padding:10px;border:1px solid #e2e8f0;background:linear-gradient(135deg,#667eea,#764ba2);color:#fff;font-weight:600">Stage ${n}</td>
+          <td class="persistent" style="padding:10px;border:1px solid #e2e8f0">Persistent risk ${n}</td>
+          <td class="evolving" style="padding:10px;border:1px solid #e2e8f0">Evolving risk ${n}</td>
+          <td class="emergent" style="padding:10px;border:1px solid #e2e8f0">Emergent risk ${n}</td>
+        </tr>`).join('')}
+      </tbody>
+    </table>
+    <div style="display:flex;gap:12px;justify-content:center;margin-top:8px;flex-wrap:wrap">
+      <span style="display:flex;align-items:center;gap:6px;background:rgba(255,255,255,.8);padding:6px 10px;border-radius:16px"><span style="width:14px;height:14px;background:#38b2ac;border-radius:3px"></span>Persistent</span>
+      <span style="display:flex;align-items:center;gap:6px;background:rgba(255,255,255,.8);padding:6px 10px;border-radius:16px"><span style="width:14px;height:14px;background:#ed8936;border-radius:3px"></span>Evolving</span>
+      <span style="display:flex;align-items:center;gap:6px;background:rgba(255,255,255,.8);padding:6px 10px;border-radius:16px"><span style="width:14px;height:14px;background:#d53f8c;border-radius:3px"></span>Emergent</span>
+    </div>
+  </div>
+</div>
+<script>
+  function toggleColumn(cls){
+    const cells=[...document.querySelectorAll('#matrix .'+cls)];
+    const isHidden=cells.every(td=>td.style.display==='none');
+    cells.forEach(td=>td.style.display=isHidden?'table-cell':'none');
+  }
+</script>
+`;
+
+const GOV_DASHBOARD = `
+<div style="padding:16px;font-family:Segoe UI,Tahoma,Geneva,Verdana,sans-serif;background:linear-gradient(135deg,#667eea 0%,#764ba2 100%);">
+  <div style="background:rgba(255,255,255,0.95);backdrop-filter:blur(10px);border-radius:16px;padding:16px;max-width:1400px;margin:12px auto;">
+    <h2 style="margin:0 0 8px 0;color:#2c3e50;font-size:20px;font-weight:600;text-align:center">AGI/ASI Governance Dashboard (Lite)</h2>
+    <div id="status" style="text-align:center;color:#475569;font-size:13px;margin-bottom:8px">Design Phase Active • 4 checkpoints scheduled</div>
+    <div style="display:grid;grid-template-columns:1fr 340px;gap:16px">
+      <div style="position:relative;min-height:360px;background:#fff;border-radius:12px;box-shadow:0 8px 24px rgba(0,0,0,.08);padding:16px">
+        <div id="rings" style="position:relative;width:320px;height:320px;margin:0 auto">
+          <div data-layer="context" style="position:absolute;top:4px;left:4px;width:312px;height:312px;border-radius:50%;border:3px solid #667eea;display:flex;align-items:center;justify-content:center;background:linear-gradient(45deg,#55a3ff,#667eea);color:#fff;font-weight:700">Context & Safeguards</div>
+          <div data-layer="operational" style="position:absolute;top:34px;left:34px;width:252px;height:252px;border-radius:50%;border:3px solid #0984e3;display:flex;align-items:center;justify-content:center;background:linear-gradient(45deg,#74b9ff,#0984e3);color:#fff;font-weight:700">Operational Framework</div>
+          <div data-layer="core" style="position:absolute;top:94px;left:94px;width:132px;height:132px;border-radius:50%;border:3px solid #ee5a24;display:flex;align-items:center;justify-content:center;background:linear-gradient(45deg,#ff6b6b,#ee5a24);color:#fff;font-weight:700">Core Elements</div>
+        </div>
+      </div>
+      <div style="background:#fff;border-radius:12px;box-shadow:0 8px 24px rgba(0,0,0,.08);padding:16px">
+        <div style="font-size:14px;font-weight:700;margin-bottom:6px">Layer Detail</div>
+        <div id="layerTitle" style="font-size:13px;color:#334155;margin-bottom:6px">System Overview</div>
+        <div style="font-size:12px;color:#475569;margin-bottom:6px">Aggregated Risk: <span id="aggRisk" style="font-weight:700;color:#16a34a">Low</span></div>
+        <div style="font-size:12px;color:#475569;margin-bottom:6px">Governance: <span id="govBody">Safety Oversight Board</span></div>
+        <div style="display:flex;gap:8px;margin-top:8px">
+          <button onclick="parent.postMessage({type:'risk-pulse'},'*')" style="flex:1;padding:8px 10px;border:none;border-radius:8px;background:#667eea;color:#fff;font-weight:600">Export Report</button>
+          <button onclick="parent.postMessage({type:'risk-pulse'},'*')" style="flex:1;padding:8px 10px;border:none;border-radius:8px;background:#764ba2;color:#fff;font-weight:600">Schedule Review</button>
+        </div>
+      </div>
+    </div>
+  </div>
+</div>
+<script>
+  const layerRisks={core:'Medium',operational:'Medium',context:'High'};
+  const govBodies={core:'Model Review Board & Algorithm Ethics Panel',operational:'System Integration Board',context:'Safety Oversight Board'};
+  document.querySelectorAll('#rings [data-layer]').forEach(el=>{
+    el.addEventListener('click',()=>{
+      const layer=el.getAttribute('data-layer');
+      document.getElementById('layerTitle').textContent = layer.charAt(0).toUpperCase()+layer.slice(1)+' Layer';
+      document.getElementById('aggRisk').textContent = layerRisks[layer];
+      document.getElementById('aggRisk').style.color = layerRisks[layer]==='High'?'#e11d48':(layerRisks[layer]==='Medium'?'#f59e0b':'#16a34a');
+      document.getElementById('govBody').textContent = govBodies[layer];
+    })
+  })
+</script>
+`;
diff --git a/next-app/app/risk/pulse-script.ts b/next-app/app/risk/pulse-script.ts
new file mode 100644
index 0000000..309642f
--- /dev/null
+++ b/next-app/app/risk/pulse-script.ts
@@ -0,0 +1,18 @@
+export const PULSE_SCRIPT = `
+(async function(){
+  const pulseEl = document.getElementById('pulse');
+  async function tick(){
+    try{
+      const res = await fetch('/api/risk/scores');
+      const json = await res.json();
+      const ctx = json.series.find((s:any)=>s.key==='context');
+      const last = ctx?.points?.[ctx.points.length-1]?.v ?? 0;
+      if(pulseEl){ pulseEl.textContent = 'Context risk: ' + Math.round(last); }
+      const iframe = document.getElementById('riskFrame') as HTMLIFrameElement | null;
+      iframe?.contentWindow?.postMessage({type:'risk-pulse'}, '*');
+    }catch(e){ if(pulseEl) pulseEl.textContent = 'Risk: n/a'; }
+    setTimeout(tick, 6000);
+  }
+  tick();
+})();
+`;
diff --git a/next-app/app/templates/artefact-templates/page.tsx b/next-app/app/templates/artefact-templates/page.tsx
new file mode 100644
index 0000000..df83d4a
--- /dev/null
+++ b/next-app/app/templates/artefact-templates/page.tsx
@@ -0,0 +1,7 @@
+import { readFileSync } from 'fs';
+import path from 'path';
+export const dynamic = 'force-static';
+export default function Page() {
+  const md = readFileSync(path.join(process.cwd(), 'next-app', 'templates', 'artefact-templates.md'), 'utf8');
+  return <pre className="whitespace-pre-wrap text-sm">{md}</pre>;
+}
diff --git a/next-app/app/templates/kpi-alignment/page.tsx b/next-app/app/templates/kpi-alignment/page.tsx
new file mode 100644
index 0000000..6d63410
--- /dev/null
+++ b/next-app/app/templates/kpi-alignment/page.tsx
@@ -0,0 +1,7 @@
+import { readFileSync } from 'fs';
+import path from 'path';
+export const dynamic = 'force-static';
+export default function Page() {
+  const md = readFileSync(path.join(process.cwd(), 'next-app', 'templates', 'kpi-alignment.md'), 'utf8');
+  return <pre className="whitespace-pre-wrap text-sm">{md}</pre>;
+}
diff --git a/next-app/app/templates/pilot-charter/page.tsx b/next-app/app/templates/pilot-charter/page.tsx
new file mode 100644
index 0000000..b87e1ba
--- /dev/null
+++ b/next-app/app/templates/pilot-charter/page.tsx
@@ -0,0 +1,7 @@
+import { readFileSync } from 'fs';
+import path from 'path';
+export const dynamic = 'force-static';
+export default function Page() {
+  const md = readFileSync(path.join(process.cwd(), 'next-app', 'templates', 'pilot-charter.md'), 'utf8');
+  return <pre className="whitespace-pre-wrap text-sm">{md}</pre>;
+}
diff --git a/next-app/data/maturity.json b/next-app/data/maturity.json
new file mode 100644
index 0000000..a37aaa3
--- /dev/null
+++ b/next-app/data/maturity.json
@@ -0,0 +1,44 @@
+{
+  "dimensions": [
+    {
+      "id": "exec_alignment",
+      "name": "Executive Alignment",
+      "phase": "foundation",
+      "score": 2,
+      "evidence": ["Governance appears in strategy slides"],
+      "gaps": ["Not linked to budget or OKRs"],
+      "remediation": ["Tie governance KPIs to annual plan; assign budget owners"],
+      "links": {"glossary": "/docs/governance-terms-mapping", "template": "/templates/artefact-templates", "training": "/docs/readiness-checklist"}
+    },
+    {
+      "id": "authority_mapping",
+      "name": "Authority Mapping",
+      "phase": "org_change",
+      "score": 1,
+      "evidence": ["Org chart documented"],
+      "gaps": ["Decision rights unclear for incident mode"],
+      "remediation": ["Produce before/after authority map; define decisive-mode path"],
+      "links": {"glossary": "/docs/governance-terms-mapping", "template": "/templates/artefact-templates"}
+    },
+    {
+      "id": "incentive_alignment",
+      "name": "Incentive Alignment",
+      "phase": "org_change",
+      "score": 0,
+      "evidence": [],
+      "gaps": ["No KPIs linking oversight to compensation"],
+      "remediation": ["Adopt KPI examples; run pilot in one org unit"],
+      "links": {"template": "/templates/kpi-alignment"}
+    },
+    {
+      "id": "pilot_mgmt",
+      "name": "Pilot Management",
+      "phase": "impl",
+      "score": 3,
+      "evidence": ["PMO staffed", "Pilot charters used in other programs"],
+      "gaps": ["No scale-up gates for governance pilots"],
+      "remediation": ["Add scale criteria to pilot charter; ownership for institutionalization"],
+      "links": {"template": "/templates/pilot-charter"}
+    }
+  ]
+}
diff --git a/next-app/docs/governance-terms-mapping.md b/next-app/docs/governance-terms-mapping.md
new file mode 100644
index 0000000..d58a2e3
--- /dev/null
+++ b/next-app/docs/governance-terms-mapping.md
@@ -0,0 +1,24 @@
+# Integrated 18‑Point Glossary → Phase Mapping
+
+This table anchors each concept to: phase, artefacts, risk hooks, roles, dependencies, and notes. Use alongside docs/roadmap.md.
+
+| # | Term | Phase | Artefacts | Risk Hooks | Roles | Dependencies | Notes |
+| - | ---- | ----- | --------- | ---------- | ----- | ------------ | ----- |
+| 1 | Framework | 1 | Architecture docs, standards charter | Vendor lock‑in check | Architects, Standards | → Model, System | Validate enterprise fit |
+| 2 | Architecture | 1 | System diagrams, dependency maps | Scalability & vuln scans | Architects, Security | All | Ensure adaptive access |
+| 3 | Dataset | 1 | Governance policy, audit trails | Contamination detection | Data Gov, Legal | → Model, Metrics | Privacy by design |
+| 4 | Model | 2 | Review board records, training logs | Drift detection | ML Eng, Ethics | Framework, Dataset | Thresholds trigger reviews |
+| 5 | Algorithm | 2 | Ethics panel reviews | Fairness monitoring | Ethics, Auditors | Model | Baseline fairness & cycles |
+| 6 | Pipeline | 2 | Dashboards, audit trails | Failure recovery | DevOps, SRE | Dataset→Model | Escalation on fail |
+| 7 | System | 3 | Integration board docs | Rollback procedures | Integration, Arch | 1–2 | Gate before deploy |
+| 8 | Agent | 3 | Behavior logs, autonomy limits | Anomaly detection | Oversight, Auditors | 4–6 | Enforce boundaries |
+| 9 | Environment | 3 | Safety assessments | Boundary monitoring | Safety, Ops | Agent | Pre‑defined protocols |
+|10 | Interface | 3 | Accessibility & UX records | Access control checks | UX, A11y | System | Transparency by default |
+|11 | Module | 3 | Integration docs | Isolation & impact checks | Module Arch | All | Define clear contracts |
+|12 | Controller | 4 | Oversight logs | Authority validation | Oversight | Agent, Policy | Escalation paths |
+|13 | Policy | 4 | Compliance monitoring | Constraint enforcement | Policy, Compliance | Agent, Controller | Adaptive policies |
+|14 | Knowledge Base | 4 | Accuracy validation | Integrity checks | Info Arch | Memory | Build from ops history |
+|15 | Memory | 4 | Retention docs | Corruption detection | Mgmt Board | Knowledge Base | Audit continuously |
+|16 | Reward Function | 4 | Alignment validation | Reward hacking detection | Alignment | Agent | Sandbox validation |
+|17 | Evaluation Metrics | 4 | Benchmarks | Manipulation detection | Validation | All | Prevent gaming |
+|18 | Safety Layer | 4 | Incident logs | Escalation & enforcement | Safety | All | Rapid response integration |
diff --git a/next-app/docs/readiness-checklist.md b/next-app/docs/readiness-checklist.md
new file mode 100644
index 0000000..2fe99e8
--- /dev/null
+++ b/next-app/docs/readiness-checklist.md
@@ -0,0 +1,19 @@
+# Implementation Readiness Checklist
+
+Assess before committing timelines:
+
+- People & Competencies
+  - Roles staffed or contracting plan (Architecture, Data Gov, Ethics, UX, Safety)
+  - Training paths identified; time boxed
+- Technology
+  - Hosting & data residency constraints documented
+  - Secrets management, logging, monitoring plan
+  - DB & messaging choices fit capacity
+- Processes
+  - Governance councils named; decision rights clear
+  - Escalation/incident process defined
+  - Documentation habit & templates adopted
+- Compliance & Risk
+  - Regulatory scope mapped; artefact list reconciled
+  - Privacy & data handling policies approved
+  - Third‑party/vendor assessments ready
diff --git a/next-app/docs/roadmap.md b/next-app/docs/roadmap.md
new file mode 100644
index 0000000..9ded8f1
--- /dev/null
+++ b/next-app/docs/roadmap.md
@@ -0,0 +1,29 @@
+# Capacity-aware Governance Roadmap (Phases 1a–4)
+
+This roadmap staggers infrastructure risk and surfaces governance value early.
+
+## Phase 1a — Docs & Contracts
+- Unified data contract (risks, events, dependencies) in JSON/YAML
+- Readiness checklist to gate infra choices
+
+## Phase 1b — Mocked Dynamic Risk + Light Telemetry
+- /api/risk/scores mock endpoint; pulse indicators on /risk
+- Periodic polling first; swap to streaming later
+
+## Phase 1c — Governance Workflow Bootstrapping
+- /api/governance/events (create/list) with hash-chained audit
+- Bind ritual markers to workflows; RBAC skeleton
+
+## Phase 2 — Drift Pilot + Milestone Triggers
+- Baseline profiles + tunable thresholds
+- Milestone triggers for non-linear development
+
+## Phase 3 — Enterprise Integration
+- Auth/RBAC across /risk and APIs
+- OpenTelemetry + product analytics
+- Data residency/masking controls
+
+## Phase 4 — Adaptive Oversight
+- Competency-linked access
+- Incident “Decisive mode” with authority paths
+- Governance charter updates & retrospectives
diff --git a/next-app/docs/strategy-map.md b/next-app/docs/strategy-map.md
new file mode 100644
index 0000000..b74fccf
--- /dev/null
+++ b/next-app/docs/strategy-map.md
@@ -0,0 +1,28 @@
+# Strategy Map: Phases × Transformation Dimensions
+
+```mermaid
+flowchart LR
+  subgraph Phase_1a[Phase 1a: Docs & Contracts]
+    A[Contracts] --> B[Readiness]
+  end
+  subgraph Phase_1b[Phase 1b: Mocked Risk]
+    C[Risk API] --> D[Pulse]
+  end
+  subgraph Phase_1c[Phase 1c: Workflows]
+    E[Gov Events] --> F[RBAC]
+  end
+  subgraph Phase_2[Phase 2: Drift Pilot]
+    G[Baselines] --> H[Triggers]
+  end
+  subgraph Phase_3[Phase 3: Enterprise]
+    I[Auth/RBAC] --> J[OTel + Analytics]
+  end
+  subgraph Phase_4[Phase 4: Adaptive]
+    K[Competency Access] --> L[Decisive Mode]
+  end
+  B --> C
+  D --> E
+  F --> G
+  H --> I
+  J --> K
+```
diff --git a/next-app/lib/privacy/consentLedger.ts b/next-app/lib/privacy/consentLedger.ts
new file mode 100644
index 0000000..ef614bb
--- /dev/null
+++ b/next-app/lib/privacy/consentLedger.ts
@@ -0,0 +1,50 @@
+import crypto from 'crypto';
+import fs from 'fs/promises';
+import path from 'path';
+
+export type ConsentAction = 'persist_on' | 'persist_off' | 'export';
+export type ConsentEvent = { userId: string; sessionId?: string; action: ConsentAction; ts: string; prevHash?: string; hash?: string };
+
+const DATA_DIR = path.join(process.cwd(), 'next-app', '.data', 'consent');
+
+export async function appendConsentEvent(e: Omit<ConsentEvent, 'hash' | 'prevHash'>) {
+  await fs.mkdir(DATA_DIR, { recursive: true });
+  const chainFile = path.join(DATA_DIR, `${e.userId}.jsonl`);
+  let prevHash: string | undefined;
+  try {
+    const last = await tailLastLine(chainFile);
+    if (last) prevHash = JSON.parse(last).hash;
+  } catch {}
+  const event: ConsentEvent = { ...e, prevHash, ts: e.ts ?? new Date().toISOString() };
+  event.hash = hashEvent(event);
+  await fs.appendFile(chainFile, JSON.stringify(event) + '\n', 'utf8');
+  return event;
+}
+
+export function hashEvent(e: ConsentEvent) {
+  const s = `${e.userId}|${e.sessionId ?? ''}|${e.action}|${e.ts}|${e.prevHash ?? ''}`;
+  return crypto.createHash('sha256').update(s).digest('hex');
+}
+
+export async function exportConsent(userId: string) {
+  const chainFile = path.join(DATA_DIR, `${userId}.jsonl`);
+  try {
+    const raw = await fs.readFile(chainFile, 'utf8');
+    const events = raw.trim().split('\n').map((l) => JSON.parse(l) as ConsentEvent);
+    return { events, root: events.at(-1)?.hash };
+  } catch (e: any) {
+    if (e.code === 'ENOENT') return { events: [], root: undefined };
+    throw e;
+  }
+}
+
+async function tailLastLine(file: string): Promise<string | null> {
+  try {
+    const data = await fs.readFile(file, 'utf8');
+    const lines = data.trim().split('\n');
+    return lines.length ? lines[lines.length - 1] : null;
+  } catch (e: any) {
+    if (e.code === 'ENOENT') return null;
+    throw e;
+  }
+}
diff --git a/next-app/lib/safety/pipeline.ts b/next-app/lib/safety/pipeline.ts
new file mode 100644
index 0000000..ff1477e
--- /dev/null
+++ b/next-app/lib/safety/pipeline.ts
@@ -0,0 +1,18 @@
+export type ModerationAction = 'allow' | 'block' | 'revise';
+export type ModerationEvent = { stage: 'pre' | 'post'; action: ModerationAction; reason?: string };
+
+const SENSITIVE = /(ssn|password|credit\s*card|cvv)/i;
+
+export function preFilter(input: string): ModerationEvent {
+  if (SENSITIVE.test(input)) return { stage: 'pre', action: 'revise', reason: 'redact_sensitive' };
+  return { stage: 'pre', action: 'allow' };
+}
+
+export function steerPrompt(input: string): string {
+  return `Policy: Be safe and helpful. Avoid unsafe advice.\n${input}`;
+}
+
+export function postModerate(output: string): ModerationEvent {
+  if (/violent|illegal/i.test(output)) return { stage: 'post', action: 'block', reason: 'unsafe_content' };
+  return { stage: 'post', action: 'allow' };
+}
diff --git a/next-app/lib/telemetry/record.ts b/next-app/lib/telemetry/record.ts
new file mode 100644
index 0000000..33a2ead
--- /dev/null
+++ b/next-app/lib/telemetry/record.ts
@@ -0,0 +1,5 @@
+export type ProviderMeta = { provider?: string; model?: string; layer?: string; version?: string; tokensIn?: number; tokensOut?: number; latencyMs?: number; tools?: any[] };
+export async function recordProviderInvocation(sessionId: string | undefined, meta: ProviderMeta) {
+  // Placeholder: in MVP, just log to console; integrate with OTel/PostHog later
+  console.log('provider_invocation', { sessionId, ...meta });
+}
diff --git a/next-app/next.config.js b/next-app/next.config.js
index 5d68f2e..a1b4064 100644
--- a/next-app/next.config.js
+++ b/next-app/next.config.js
@@ -1,6 +1,13 @@
 /** @type {import('next').NextConfig} */
 const nextConfig = {
   experimental: { serverActions: { allowedOrigins: ["*"] } },
-  reactStrictMode: true
+  reactStrictMode: true,
+  headers: async () => ([{
+    source: '/(.*)',
+    headers: [
+      { key: 'Cross-Origin-Opener-Policy', value: 'same-origin' },
+      { key: 'Cross-Origin-Embedder-Policy', value: 'require-corp' }
+    ]
+  }])
 };
 module.exports = nextConfig;
diff --git a/next-app/templates/artefact-templates.md b/next-app/templates/artefact-templates.md
new file mode 100644
index 0000000..8f82f49
--- /dev/null
+++ b/next-app/templates/artefact-templates.md
@@ -0,0 +1,31 @@
+# Governance Artefact Templates (Starter Pack)
+
+Use these as starting points; keep them small and consistent.
+
+## 1) Dependency Map (per component)
+- Component:
+- Upstream dependencies:
+- Downstream impacts:
+- Controls/constraints:
+- Reviewers:
+
+## 2) Drift Ledger (per capability)
+- Capability:
+- Baseline signature:
+- Thresholds (warn/alert):
+- Events (timestamp, metric, delta, decision):
+- Outcome & notes:
+
+## 3) Retrospective Log (per milestone/incident)
+- Scope:
+- Summary:
+- Root causes:
+- Decisions:
+- Follow‑ups/owners/dates:
+
+## 4) Governance Decision Record (GDR)
+- Topic/Proposal:
+- Options considered:
+- Decision & rationale:
+- Stakeholders & approvals:
+- Review date:
diff --git a/next-app/templates/kpi-alignment.md b/next-app/templates/kpi-alignment.md
new file mode 100644
index 0000000..5d1190d
--- /dev/null
+++ b/next-app/templates/kpi-alignment.md
@@ -0,0 +1,14 @@
+# KPI Alignment Template
+
+Use this to link governance objectives to incentives and performance.
+
+- Objective: e.g., "Reduce safety incidents in AI-supported workflows"
+- KPI(s):
+  - Leading: e.g., % of PRs with safety checklist completed
+  - Lagging: e.g., # incidents per 10k user interactions
+- Measurement cadence: Weekly / Monthly / Quarterly
+- Data source & owner: e.g., PostHog events; Risk PM
+- Target thresholds: Warn / Alert / Critical
+- Incentive linkage: Bonus / OKR weighting / Team award
+- Review & adjustment date:
+- Notes:
diff --git a/next-app/templates/pilot-charter.md b/next-app/templates/pilot-charter.md
new file mode 100644
index 0000000..7c793f9
--- /dev/null
+++ b/next-app/templates/pilot-charter.md
@@ -0,0 +1,12 @@
+# Pilot Charter Template
+
+- Pilot name:
+- Problem statement:
+- Hypothesis & success criteria:
+- Scope & exclusions:
+- Stakeholders and decision rights:
+- Risk controls & mitigations:
+- Data handling & privacy notes:
+- Metrics & telemetry plan:
+- Scale-up gates and exit criteria:
+- Timeline & owners: