Nexus Synergy Engagement Package — B05 · Uisce Éireann (Irish Water)

STANDING BANNER — read before using this package. (1) Status honesty. Nexus Synergy Ltd is pre-incorporation, pre-revenue, pre-pilot. Uisce Éireann is a TARGET, not a customer, pilot, or reference. The ~178-surface UI gallery is a gallery, not traction. No relationship into Uisce Éireann exists today (COLD). (2) Anti-cookie-cutter. Every screen in §8 is the GENERATED ASCII for this buyer's entities (Cordangan WTP, SZ-TIP-014, Ovarro SCOPE, EPA RAL, the Unitronics OT pattern) — not a reused template. (3) Probabilities. Every probability and factor score in this file is a [PRIOR] — a subjective pre-pilot estimate for prioritisation, not a forecast. Re-score after every real conversation.

---

§0 — Header + one-line thesis

Uisce Éireann (Irish Water) — Ireland's single national water utility, ~750+ public water supplies, a €10.3bn+ (RC4) asset programme, a proven 2023 OT-cyber incident, and an imminent NIS2 essential-entity duty.

Thesis: Sell the sovereign decision-intelligence + closed-action-loop + conformity-evidence layer above their OT/GIS/asset stack — a water-network resilience common operating picture that turns a source-turbidity-driven boil-water event into a single human-gated, fully-audited loop whose provenance ledger doubles as NIS2/CER incident-reporting evidence. We are the COP and the action loop, never the controller of pumps.

§1 — Entity snapshot (cited)

• Who. Uisce Éireann (formerly Irish Water) — a single, public, semi-state body responsible for all public drinking-water and wastewater services; statutorily retained in public ownership under the Water Services Acts 2007–2023 (a promised constitutional referendum to entrench public ownership has been committed to but not yet held); HQ Dublin. [verified — water.ie / gov.ie]
• Scale. ~750+ public water supplies + the national wastewater network, serving the great majority of the State's population; hundreds of treatment plants plus the SCADA/OT estate that controls them. RC4 delivers new/upgraded 163 water + 61 wastewater treatment plants and 663 km water mains + 34 km sewers. [verified — CRU RC4 / waterbriefing.org]
• Money. CRU-approved Revenue Control 4 (RC4, 2025–2029): CRU approved a record €13.6bn investment (UÉ requested €13.8bn) — €8.56bn capex + €5.02bn opex. The earlier Strategic Funding Plan framed a €16.9bn multi-annual requirement to 2029 (€10.3bn infrastructure/assets + €6.6bn operations). Plus a €2bn NDP ring-fence (July 2025) to unlock housing capacity to 2030. [verified — CRU2025136; waterbriefing.org; gov.ie]
• Strategy. Adopted the Water Services Strategic Plan 2050 (July 2025); RC4 introduces an "Agile Investment and Monitoring Framework" with enhanced outcome reporting. [verified — watermagazine.co.uk]
• Regulators (create pull, do not buy). CRU = economic regulator (revenue/capex, performance). EPA = environmental / drinking-water-quality regulator (Remedial Action List, enforcement). NCSC-IE = the relevant NIS2 competent authority once Ireland transposes the directive. [verified — cru.ie / epa.ie]

§2 — The pain (web-verified, dated, cited)

1. Supply resilience is a live, recurring failure mode. The EPA's 2024 report (published 2 July 2025) put 45 supplies serving ~497,000 people on the "at-risk" Remedial Action List (down from 57/561k in 2023). There were 59 boil-water notices in 2024 affecting ~95,000 people (33 long-term, >30 days). Root causes cited: high raw-water turbidity, ageing assets, weak source resilience. [verified — rte.ie 2025-07-02; epa.ie Drinking Water RAL Q4 2024]
2. Chronic chemical exposures. THMs on the RAL for 19 supplies / ~245,000 people; a National Lead Strategy since 2015 the EPA calls "far too slow", and the legal lead limit halving from 10µg/l to 5µg/l in 2036 — a multi-year asset/network programme. [verified — epa.ie; irishtimes.com 2025-07-01]
3. Cyber/OT exposure is proven, not hypothetical. In December 2023 the "Cyber Av3ngers" group compromised an internet-connected Unitronics PLC at a small scheme in Co. Mayo, cutting water to ~160 households for two days (CVE-2023-6448; default admin password). NCSC-IE subsequently identified all vulnerable Irish equipment and notified owners. This is the canonical Irish water-OT incident in every NIS2 framing. [verified — therecord.media; securityweek.com; CISA]
4. NIS2 duty is arriving but not yet binding. Water (drinking + waste) is an "essential entity" under NIS2; Ireland has not yet transposed (subject to EU infringement proceedings). The transposing instrument is the National Cyber Security Bill (update expected H1 2026). NCSC published draft Risk Management Measures + the CyberFundamentals (CyFun) framework. The forcing function is imminent but not yet a hard legal deadline for UÉ. [verified — NCSC; DLA Piper / William Fry NIS2-Ireland trackers; EU AI Act Art. 5 prohibitions applicable 2 February 2025 — separate instrument, noted for accuracy]
5. Operational fragmentation + a leakage penalty. Asset condition, water-quality telemetry, incident/boil-water management, source protection and customer comms span many systems; UÉ was fined €20m (Nov 2025) for missing leak-fix targets — a public, dated signal that outcome delivery (not just capex) is now economically penalised. A single trustworthy asset+hazard+incident+provenance picture is not obviously in place. [verified — rte.ie 2025-11-25; remainder inferred — confirm in discovery]

§3 — Use case & value (DECLINE-SAFE)

Positioning: a sovereign, EU-built decision-intelligence layer ON TOP of UÉ's existing OT/GIS/asset systems — not a SCADA replacement. We are the common operating picture + closed action loop + conformity evidence, not the controller of pumps. Two decline-safe wedges:

A. Critical-infrastructure resilience operating picture (NIS2/CER readiness). A live asset + hazard + incident COP — treatment plants, networks, reservoirs, source catchments — over a customer-editable ontology (asset → supply zone → population served → risk). A closed action loop for a boil-water / quality / OT event: detect (telemetry + EPA exceedance) → enrich (which supply zone, how many people, which Eircode prefixes) → triage → human-gated sign-off → task crews / pre-stage comms → assess → close — every step written to a provenance ledger that doubles as NIS2 Art-23 / CER incident-reporting evidence.

B. Flood / source-protection / catchment operating picture. Integrate sovereign flood/weather/catchment layers (we already wire Copernicus/Sentinel/ERA5/CAMS) with the asset map, so a source-water turbidity event (the literal cause of the recent Tipperary boil notices) is anticipated and pre-actioned, not reacted to.

Sovereignty as a feature. A classification-aware AI Provider Router keeps critical-infra data on EU-sovereign models/infrastructure; FRIA + provenance ledger + transparency portal give the utility auditable conformity-by-construction as NIS2/the National Cyber Security Bill land — and most incumbents are US-headquartered.

Explicitly decline-safe. This is asset/hazard/incident decision-intelligence for critical-infrastructure resilience. It touches nothing on the published Declined List — no predictive policing, no biometric ID, no emotion recognition, no social scoring, no untargeted scraping, no psychometric profiling. People appear only as anonymised population-served counts per supply zone and Eircode prefixes (no individual records). We do not do OT/SCADA security controls — we partner for that and stay in the decision layer (this is also our decline-safe boundary).

Value framing. Fewer/shorter boil-water notices, faster incident closure, defensible NIS2/CER incident reporting, and a unified asset/risk picture across a €10bn+ programme — with the leak-target penalty (€20m, Nov 2025) as proof that outcome-grade evidence now has direct economic value.

§4 — Ontology (this buyer's domain)

Entities. TreatmentPlant (WTP/WwTP) · SupplyZone · SourceCatchment · Reservoir · NetworkSegment (water main / sewer) · OtAsset (PLC / RTU / HMI / SCADA node) · QualityReading (turbidity, THM, chlorine, lead) · RalFlag (EPA Remedial Action List entry) · ResilienceEvent (turbidity breach / OT anomaly / outage) · BoilWaterNotice · CrewTask · IncidentReport (NIS2/CER).

Relationships. SourceCatchment -feeds-> TreatmentPlant -serves-> SupplyZone -coversPopulation-> (count only); TreatmentPlant -controlledBy-> OtAsset; SupplyZone -flaggedBy-> RalFlag; ResilienceEvent -affects-> SupplyZone -mayTrigger-> BoilWaterNotice; ResilienceEvent -taskedTo-> CrewTask; BoilWaterNotice -evidencedBy-> IncidentReport. The Fellegi-Sunter problem here is event-to-cause correlation: does this turbidity spike + this rainfall signal + this RAL flag concur into one ResilienceEvent cluster (vs an isolated sensor fault)? People are never an entity — only a coversPopulation scalar on SupplyZone.

§5 — Data model (synergy.*, RLS + load-bearing CHECK)

SQL
58 lines
Copy
-- Quality / source / OT reading fused into a resilience-event candidate.
-- Every table carries org_id for the app.current_org_id RLS predicate.
CREATE TABLE synergy.water_quality_reading (
    id            uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id        uuid NOT NULL,                       -- RLS: app.current_org_id
    wtp_id        text NOT NULL,                       -- 'CORDANGAN-WTP'
    supply_zone   text NOT NULL,                       -- 'SZ-TIP-014'
    metric        text NOT NULL CHECK (metric IN ('turbidity_ntu','thm_ugl','chlorine_mgl','lead_ugl')),
    value         numeric(8,3) NOT NULL,               -- 6.100
    limit_value   numeric(8,3) NOT NULL,               -- 1.000 (clarified-water turbidity)
    source        text NOT NULL CHECK (source IN ('scope_ot','epa_ral','era5','cams','manual_sample')),
    observed_at   timestamptz NOT NULL DEFAULT now(),
    CHECK (value >= 0)
);
ALTER TABLE synergy.water_quality_reading ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.water_quality_reading
    USING (org_id = current_setting('app.current_org_id')::uuid);
CREATE INDEX ON synergy.water_quality_reading (supply_zone, observed_at DESC);

-- Supply zone carries only an anonymised population count (decline-safe: no person rows).
CREATE TABLE synergy.supply_zone (
    id               uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id           uuid NOT NULL,
    zone_code        text NOT NULL,                    -- 'SZ-TIP-014'
    name             text NOT NULL,                    -- 'Tipperary Town'
    population_served integer NOT NULL CHECK (population_served >= 0),  -- 13800 (count ONLY)
    eircode_prefixes text[] NOT NULL,                  -- {'E34','E91'} prefixes, NEVER full codes
    ral_active       boolean NOT NULL DEFAULT false,
    CHECK (array_length(eircode_prefixes, 1) IS NULL
           OR (SELECT bool_and(char_length(p) <= 3) FROM unnest(eircode_prefixes) p))  -- prefix-only
);
ALTER TABLE synergy.supply_zone ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.supply_zone
    USING (org_id = current_setting('app.current_org_id')::uuid);

-- Boil-Water Notice = a gated decision, never an automatic write.
CREATE TABLE synergy.boil_water_notice (
    id               uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id           uuid NOT NULL,
    supply_zone      text NOT NULL,
    trigger_event    uuid NOT NULL,                    -- FK to the resilience-event cluster
    disposition      text NOT NULL
                     CHECK (disposition IN ('precautionary-bwn','enhanced-monitor','no-action')),
    proportionality  numeric(3,2) CHECK (proportionality BETWEEN 0 AND 1),  -- 0.86
    sign_dwc_officer text,                             -- Drinking-Water Compliance QES, NULL until signed
    sign_ops_duty    text,                             -- Operations duty manager QES, NULL until signed
    issued_at        timestamptz,                      -- NULL until the notice is recorded as issued
    merkle_leaf      bytea NOT NULL,
    -- LOAD-BEARING INVARIANT: a precautionary Boil-Water Notice cannot be recorded as ISSUED
    -- without 2-of-2 human sign-off (Drinking-Water Compliance + Operations duty). The DB,
    -- not the UI, enforces that the public-health decision is human-gated.
    CHECK (issued_at IS NULL
           OR disposition <> 'precautionary-bwn'
           OR (sign_dwc_officer IS NOT NULL AND sign_ops_duty IS NOT NULL))
);
ALTER TABLE synergy.boil_water_notice ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.boil_water_notice
    USING (org_id = current_setting('app.current_org_id')::uuid);

The load-bearing CHECK on boil_water_notice is the decline-safety guarantee made structural: a public-health notice that affects ~13,800 people cannot be emitted by a model or a button — only by two named humans signing. The supply_zone prefix-only CHECK enforces that we keep population as a count, never as resolvable person data.

§6 — Action-loop pseudocode (detect → … → close)

Python
42 lines
Copy
def run_resilience_loop(streams, zones, requesting_org):
    # 1. DETECT — fuse OT telemetry + source rainfall + EPA RAL into a resilience cluster.
    cluster = fellegi_sunter_fuse(streams)          # turbidity 6.1 NTU + ERA5 31mm/6h + RAL flag
    if cluster.modalities < 2:
        return Disposition.MONITOR_ONLY             # single signal => sensor-fault hypothesis

    # 2. ENRICH — which supply zone, how many people, which Eircode PREFIXES (counts only).
    zone = resolve_zone(cluster.wtp_id)             # SZ-TIP-014: ~13,800 served, prefixes {E34,E91}
    cluster.attach(population=zone.population_served, eircode_prefixes=zone.eircode_prefixes)

    # 3. TRIAGE — Cryptosporidium-barrier risk vs sensor fault; proportionality bound.
    P = proportionality(necessity="public-health-precaution",
                        least_intrusive="enhanced-monitor")   # ~= 0.86

    # 4. GATE — Decision Room; civil-society reviewer seated INSIDE the decision.
    gate = decision_room(
        proposal = ChooseDisposition(cluster, zone),
        personas = [OPS_DUTY, DRINKING_WATER_COMPLIANCE, CIVIL_SOCIETY("consumer-advocate"),
                    DEVILS_ADVOCATE, DOMAIN_EXPERT("water-treatment"), OT_SECURITY],
        threshold = P_MIN_TIER2)
    if not gate.passed:
        return Disposition.REFUSED(gate.rationale)

    # 5. DUAL-CONTROL — a precautionary BWN needs 2-of-2 QES (DWC + Ops duty); CHECK enforces it too.
    sign_dwc = await qes_sign("dwc.officer",  ChooseDisposition(cluster, zone))
    sign_ops = await qes_sign("ops.duty",     ChooseDisposition(cluster, zone))
    if gate.disposition == "precautionary-bwn" and not (sign_dwc and sign_ops):
        audit.append(cluster.id, "BWN unsigned — withheld", merkle=True)
        return Disposition.WITHHELD

    # 6. TASK + EXECUTE + WRITE-BACK — crew tasking, pre-staged comms, OT isolation, NIS2 draft.
    task_crew("coagulant-dose+2x-sampling", zone)            # CMMS work order
    if cluster.ot_anomaly:                                   # PLC-12 default-cred pattern
        recommend_isolate("PLC-12"); draft_nis2_art23(NCSC_IE)
    notice = boil_water_notice(cluster, zone, disposition=gate.disposition, proportionality=P,
                               sign_dwc_officer=sign_dwc, sign_ops_duty=sign_ops)
    write_back("synergy.boil_water_notice", notice, issued_at=now(), merkle=True)

    # 7. BDA — at +6h re-sample; clear or sustain; close the loop, register a ProspectiveItem.
    bda = await assess_at(hours=6, zone=zone)               # turbidity back < 1.0 NTU ?
    register_prospective("turbidity>4NTU @ Cordangan within 30d -> auto-elevate to AMBER monitor")
    return Disposition.from_notice(notice, bda)

§7 — nexus-workflows YAML DAG (declarative, blocking human-gate node)

YAML
39 lines
Copy
# nexus-workflows: water-resilience-loop (NO cron — every scheduled step is a workflow job)
name: uisce-water-resilience-loop
trigger:
  on_event: [ scope_ot.threshold_breach, epa_ral.update, era5.rainfall_alert ]
nodes:
  - id: detect_fuse
    skill: fellegi_sunter_fuse
    inputs: { streams: "${event.streams}" }
    out: cluster
  - id: enrich_zone
    skill: resolve_supply_zone
    inputs: { wtp_id: "${cluster.wtp_id}" }       # population count + Eircode prefixes only
    out: zone
  - id: triage
    skill: proportionality_score
    inputs: { cluster: "${cluster}", zone: "${zone}" }
    out: P
  - id: decision_room                              # BLOCKING human-gate node
    type: human_gate
    blocking: true
    personas: [ops_duty, drinking_water_compliance, civil_society_consumer_advocate,
               devils_advocate, domain_water_treatment, ot_security]
    require_signoff: 2_of_2                         # DWC + Ops duty QES (matches DB CHECK)
    on_refuse: { goto: close_refused }
  - id: task_and_writeback
    depends_on: [decision_room]
    parallel:
      - skill: cmms_work_order      # coagulant dose + 2x sampling
      - skill: prestage_comms       # consumer notification draft (held until issue)
      - skill: ot_isolate_recommend # PLC-12 default-cred -> recommend isolate + rotate
      - skill: nis2_art23_draft     # incident notice to NCSC-IE (CER incident log)
    out: notice
  - id: bda_close
    schedule_in: 6h                                # workflow-scheduled, NOT cron
    skill: resample_and_close
    inputs: { zone: "${zone}", notice: "${notice}" }
    register_prospective: "turbidity>4NTU @ Cordangan within 30d -> AMBER monitor"
  - id: close_refused
    skill: audit_append_merkle

§8 — UI/UX mockups (verbatim generated ASCII)

Figure b05.1 — map_ops (PRIMARY). ShellLayout + TopBar (PccPill, RendererChip = MapLibre-2D) + LeftSidebar + LAYERS panel + MapConsole carrying the Cordangan turbidity alert, the SZ-TIP-014 supply-zone polygon (population count only), the EPA RAL flag, the Ovarro SCOPE OT health strip, and the Inspector resilience-event card; BottomStatusBar + ClassificationBanner frame it.

Figure — Operational picture (map_ops · live MapLibre). Production-fidelity React surface (buildable); the faithful ASCII follows.

+------------------------------------------------------------------------------------------------------+
| Water-Network Resilience COP - Tipperary (MapConsole + MapLibre-2D)                                  |
+--------------------+---------------------------------------------------------------------------------+
| LAYERS             | MAP  ========================================================================== |
| [x] WTP assets     |   Tipperary Town supply zone (SZ-TIP-014)  -- River Aherlow catchment           |
| [x] Supply zones   |   ----------------------------------------------------------------------        |
| [x] EPA RAL flags  |   [WTP] Cordangan WTP  <!> raw-water turbidity 6.1 NTU (limit 1.0 clarified)    |
| [x] Src turbidity  |      |    intake spiked after 31mm rain in 6h (ERA5 + CAMS source overlay)      |
| [x] Boil-water note|      |    clarifier breakthrough risk -> Cryptosporidium barrier at risk        |
| [x] OT/SCADA health|   [SZ] Supply zone served: ~13,800 people / 5,210 connections                   |
| [ ] CAMS/Sentinel  |      |    Eircodes in zone: E34**, E91** (count only -- NO person records)      |
| [ ] Reservoir level|   [RAL] EPA Remedial Action List flag: ACTIVE (treatment-resilience)            |
|                    |   [OT]  Ovarro SCOPE telemetry: clarifier-3 OK | UV-bank OK | chlorine OK       |
| INCIDENT FOCUS     |                                                                                 |
| Cordangan WTP      |   >> Candidate event: precautionary Boil-Water Notice, SZ-TIP-014               |
| Tipperary Town SZ  |   >> Field crew tasking: increase coagulant dose + 2x sampling run              |
| Pop served ~13,800 |                                                                                 |
|                    |   RESILIENCE EVENT: turbidity breach -> BWN candidate (NOT yet issued)          |
| SOURCES (sovereign)|   Decision: precautionary BWN needs Drinking-Water-Compliance human sign-off    |
| Ovarro SCOPE OT    |   [ Open Decision Room ]  [ Pre-stage comms ]  [ Task crew ]  [ Annotate ]      |
| EPA RAL feed       |                                                                                 |
| Copernicus/ERA5    |                                                                                 |
+--------------------+---------------------------------------------------------------------------------+
| INCIDENTS: 09:14 Cordangan turbidity 6.1 NTU | SZ-TIP-014 ~13,800 served | BWN P=0.86 | human-gate   |
+------------------------------------------------------------------------------------------------------+

Figure b05.2 — stix_board (secondary). The same loop seen as an OT + source-quality signal-fusion board — OBSERVED → CORRELATED → ACTIONED columns inside the Investigations surface; the ACTIONED column is the write-back set (BWN-to-gate, crew task, NIS2 Art-23 draft, OT isolation), every row human-gated.

Figure — Signal-fusion board (OBSERVED→CORRELATED→ACTIONED). Production-fidelity React surface (buildable); the faithful ASCII follows.

+----------------------------------------------------------------------------------------------------+
| Water-OT + Source-Quality Signal Fusion - SZ-TIP-014 (stix_board)                                  |
+--------------------------------+--------------------------------+----------------------------------+
| OBSERVED                       | CORRELATED                     | ACTIONED                         |
| Turbidity 6.1 NTU              | cluster RES-014 m=.86          | BWN candidate -> gate            |
|   Cordangan intake             |   3-signal concurrence         |   DWC sign-off pending           |
| ERA5 31mm/6h rain              | source_spike .81 (rain)        | Crew task: coagulant +           |
|   Aherlow catchment            |   vs sensor_fault .07          |   2x sampling SZ-TIP-014         |
| EPA RAL flag active            | Cryptosporidium-barrier        | NIS2 Art-23 draft notice         |
|   SZ-TIP-014                   |   clarifier breakthrough       |   to NCSC-IE (OT signal)         |
| SCOPE OT: PLC-12 auth          | OT anomaly: default-cred       | Isolate PLC-12 + rotate          |
|   Unitronics class HMI         |   CVE-2023-6448 pattern        |   cred; CER incident log         |
+--------------------------------+--------------------------------+----------------------------------+
| ALL human-gated :: OT-resilience COP :: NO biometric/predictive :: pop counts only :: PROV-O chain |
+----------------------------------------------------------------------------------------------------+

§8b — Field-unit (Pixel) surfaces

The same scenario on the Pixel 10 Pro Fold field unit (Nexus Field app), tightly coordinated with the dashboard COP above — command pushes the task, the unit accepts + ACKs, shares position and reports back to the COP. Built on the same synergy.field_unit / field_task / field_report contract; see §9 and the cluster coordination composite.

Figure §8b.1 — Folded cover · tasking glance (ground_glance): the incoming IMMEDIATE task, ACCEPT + ACK, alert chips, bearing-to-objective.

Figure §8b.2 — Unfolded inner display · field COP: two-pane mini-map + task list + teammate roster + air/command coordination + PTT, with the Material-3 NavigationBar + Report FAB.

§9 — UI/UX flow (literal click-path)

Interaction path: LAYERS ▸ [x] Src turbidity reveals the Cordangan 6.1 NTU flag → click the [WTP] Cordangan WTP glyph on MapConsole → Inspector opens the RESILIENCE EVENT card (P=0.86, ~13,800 served) → [ Open Decision Room ] → the six personas deliberate in the right-docked ChatTerminal → [ Pre-stage comms ] drafts the consumer notice (held) and [ Task crew ] raises the CMMS work order → [ /dual-control sign ] collects the Drinking-Water-Compliance + Operations-duty QES → the boil_water_notice row is written issued_at=now() (DB CHECK passes only because both signatures exist) → at +6h the BDA resample auto-closes or sustains.

[Src-turbidity layer]→[Cordangan WTP glyph]→[Inspector resilience card]→[Open Decision Room]
        →[Pre-stage comms + Task crew]→[/dual-control sign 2-of-2]→[write boil_water_notice]→[+6h BDA close]

§10 — Decision-Room transcript (the gated decision)

▸ EU-RESTRICTED · TLP:AMBER · Tier-2 ◂
▣ Nexus-Synergy [commercial ▾]  Map═══ Command Ontology Decisions Investigations Audit  [PCC 3⟳]
┌──┬─────────────────────────────────────┬──────────────────────────┐
│LS│ MapConsole (RenderRef=MapLibre-2D)   │ Nexus Chat [▢][▭][✕]    │
│  │ ▣ Cordangan WTP turbidity 6.1 NTU    │ ⊟ Ops-duty persona       │
│Cm│ ▣ SZ-TIP-014 zone ~13,800 served     │ Recommend precautionary  │
│On│ ▣ EPA RAL flag ACTIVE                │ BWN for SZ-TIP-014; task │
│Ds│ ▣ ERA5 31mm/6h + CAMS source overlay │ coagulant+ & 2x sampling │
│Iv│ ▣ SCOPE OT: PLC-12 default-cred watch│ ⊟ Drinking-Water Compl.  │
│Lb│                                     │ Cryptosporidium barrier  │
│Sk│                                     │ at risk on clarifier     │
│Ad│                                     │ breakthrough — BWN is the│
│  │                                     │ defensible call. P=0.86  │
│  │                                     │ ⊟ Civil-society (consumer│
│  │                                     │ advocate) Publish the     │
│  │                                     │ uncertainty + when it     │
│  │                                     │ lifts; ~13,800 people     │
│  │                                     │ deserve a clear reason,   │
│  │                                     │ not just 'boil water'.    │
│  │                                     │ ⊟ Devil's advocate       │
│  │                                     │ Is this a SENSOR fault?   │
│  │                                     │ One probe spiked; check   │
│  │                                     │ the redundant turbidimeter│
│  │                                     │ before alarming 13,800.   │
│  │                                     │ ⊟ Domain: water-treatment │
│  │                                     │ Redundant probe agrees    │
│  │                                     │ (5.8 NTU); rainfall is    │
│  │                                     │ real (ERA5). NOT a fault. │
│  │                                     │ But: enhanced-monitor for │
│  │                                     │ 2h MAY avert a full BWN.  │
│  │                                     │ ⊟ OT-security persona     │
│  │                                     │ PLC-12 is Unitronics-class│
│  │                                     │ w/ default cred — isolate │
│  │                                     │ + rotate; draft NIS2 Art23│
│  │                                     │ [Ops-duty — REVISED]      │
│  │                                     │ Accept: 2h enhanced-mon + │
│  │                                     │ pre-staged BWN ready; auto│
│  │                                     │ -issue if turbidity >4 at │
│  │                                     │ +2h. OT isolate now.      │
│  │                                     │ [Proportionality agree]   │
│  │                                     │ Revised P=0.84; tighter.  │
│  │                                     │ [/dual-control sign 2/2]  │
│  │                                     │ [/execute → CMMS + NCSC]  │
│  │                                     │ Ask Nexus… [↑]            │
├──┴─────────────────────────────────────┴──────────────────────────┤
│ HistoryRail: [● turbidity 09:14] [● ERA5 09:06] [● RAL 08:50] [● PLC-12 08:41]│
│ BottomStatusBar: sync✓ · NORMAL · sovereign Router L2-EU · NIS2 essential-entity│
▸ EU-RESTRICTED · TLP:AMBER · Tier-2 ◂

The recommendation genuinely moves. The Devil's-advocate persona forced the sensor-fault hypothesis (one probe could be fouled); the Domain-water-treatment persona resolved it (the redundant turbidimeter agrees at 5.8 NTU and the ERA5 rainfall is real) but offered a less-intrusive rung — 2h enhanced-monitor with a pre-staged BWN and an auto-issue tripwire if turbidity exceeds 4 NTU at +2h. The civil-society consumer-advocate's dissent — publish a clear reason and a lift-time, not just "boil water" — is captured as a load-bearing record, not a footnote. Gate verdict: ACCEPT enhanced-monitor + armed-BWN tripwire; OT isolate now; 2-of-2 QES (Drinking-Water Compliance + Operations duty). Before: blanket BWN for 13,800. After: a graduated response that may avert the notice entirely, with the public-health fallback armed and the OT root-cause closed.

§11 — Write-back + BDA + PROV-O + deltas-only regulatory traceback

Write-back chain.

BDA + ProspectiveItem. BDA at +6h: re-sample SZ-TIP-014. Outcome — turbidity back to 0.7 NTU after coagulant increase, full BWN averted — yields ObservationLevel = HIGH-CONFIDENCE (redundant probe + lab sample). A ProspectiveItem auto-registers: "If turbidity > 4 NTU at Cordangan within 30 days, auto-elevate to AMBER enhanced-monitor and re-open the loop."

PROV-O attribution chain. qualityStream(scope_ot, era5, epa_ral) -wasGeneratedBy-> senseActivity -wasInformedBy-> fusionActivity (fellegiSunterFusion) -wasAssociatedWith-> opsDutyPersona (L2 EU-edge) -wasInfluencedBy-> drinkingWaterCompliance, civilSocietyConsumerAdvocate, devilsAdvocate, domainWaterTreatment, otSecurity -wasAttributedTo-> dualSigners (DWC-officer, Ops-duty) -wasAssociatedWith-> writeBackActivity (6 targets) -wasGeneratedBy-> bdaActivity (+6h) -wasInfluencedBy-> prospectiveItemRegistration. Every node carries prov:wasAttributedTo (agent) + prov:wasGeneratedBy (activity); Merkle-anchored to a transparency log at interval τ.

Regulatory traceback (deltas only — only what differs from §4.0 defaults). NIS2: Art-23 incident notification is the live delta (the OT-anomaly write-back to NCSC-IE) — applicable once the National Cyber Security Bill transposes; until then the artefact is "readiness evidence", not a statutory filing. CER Directive: critical-entity incident log to the competent authority. GDPR: not engaged — population appears only as a count + Eircode prefix; no person rows (the supply_zone prefix-only CHECK is the compliance artefact). EU AI Act: decision-support, not autonomous; no Annex-III high-risk trigger here (resilience/asset COP, not law-enforcement or biometric) — FRIA filed conservatively as conformity-by-construction. EPA Drinking Water Regulations: the precaution + resolution note links to the RAL entry.

§12 — Buyer & stakeholders

• Economic buyer (likely): Director-level owner of Asset Management / Operations or Digital/Technology (CIO/CTO office); RC4's "Agile Investment and Monitoring Framework" implies a programme owner for outcome reporting. [Named contact TBD]
• NIS2/security buyer: CISO / Head of OT Security — the Dec-2023 Unitronics incident likely created internal sponsorship here. [Named contact TBD]
• Resilience/quality stakeholder: Drinking-Water Compliance / EPA-liaison function (owns the Remedial Action List relationship). [Named contact TBD]
• Influencers/gatekeepers: Procurement (OJEU/eTenders); Data Protection Officer; incumbent SIs (Ovarro for telemetry; engineering primes for asset programmes). [Named contacts TBD]
• External regulators shaping demand (do not buy): CRU (outcome reporting), EPA (RAL enforcement + the €20m leak penalty mechanism), NCSC-IE (NIS2).
• Champion to find: an Operations or Digital leader personally exposed by the boil-water/incident cycle who wants a single defensible picture. [Named contact TBD]

§13 — Competition / incumbency + comparator

• Entrenched. Ovarro SCOPE is a confirmed, deployed national telemetry/SCADA system (built to IEC 62443, monitoring ~2,000+ water/wastewater assets) — the single most important incumbency fact: we integrate above SCOPE as a data source, never displace it. [verified — ovarro.com; watermagazine.co.uk 2025-02-17] Expect further incumbency from GIS (Esri/ArcGIS), OT/EAM vendors (AVEVA/Schneider, IBM Maximo-class), Big-4 NIS2 advisory, and managed-service partners.
• SI-threat to watch. An Accenture–Palantir Foundry systems-integration play across Irish CNI is a plausible strategic threat to a sovereign-decision-layer wedge, [unverified] for UÉ specifically — confirm in discovery; do not assert.
• Comparator + delta. No direct public comparator at this resilience-COP + closed-loop + conformity-evidence composition for an Irish water utility. Closest analogues are GIS-dashboard-plus-EAM-plus-consultancy-NIS2-programme stacks. Our delta: the Decision Room dialectic + civil-society persona, the per-action PROV-O bundle that is the NIS2/CER evidence, and EU-sovereign AI routing where the incumbents are US-headquartered. Wins: traceability, dissent-as-record, sovereignty. Losses: no water-sector reference, no OT integrations yet, no security accreditation. Ties: spatial visualisation (Esri does this well).
• Risk: a utility may "good-enough" this with a GIS dashboard + existing EAM + a consultancy NIS2 programme. We must show the closed loop + write-back + conformity evidence, not another viewer.

§14 — Readiness (honest, pre-pilot)

• Pre-incorporation, pre-revenue, pre-pilot. ~178 UI surfaces exist as a gallery; the live COP, ontology, triple-renderer map, AI Provider Router, and conformity components are partially built and not production-hardened for a national CNI customer.
• Real gaps: no water-sector reference; no OT integration to a water SCADA/EAM stack (e.g. Ovarro SCOPE); no security accreditation (ISO 27001 / NIS2-relevant certs). A CNI utility will demand security posture we do not yet have.
• Decline-safe boundary doubles as a scope boundary: we do not do OT/SCADA security controls — we partner and stay in the decision layer.
• Reuse we can demo soon: the storm-replay resilience-COP storyboard, the closed-action-loop concept, sovereign map layers (Copernicus/Sentinel/ERA5/CAMS already wired), and the provenance/FRIA conformity narrative.
• Honest verdict: strong pull, strong fit narrative, dragged to NEXT by a cold relationship, heavy incumbency (Ovarro confirmed), slow public procurement, and real pre-pilot gaps. Fund discovery, do not build against it now — water is secondary to the maritime beachhead.

§15 — ENGAGEMENT PLAYBOOK (first-contact → signed contract)

Stage 1 — First contact (warm-route build).

• Trigger: a mapped route into a UÉ Digital/Operations or OT-security leader is found (no such route exists today — this stage is mostly route-hunting).
• Owner: Founder.
• Activity: hunt a warm route via the Water Services Innovation Fund (WSIF) intake, Engineers Ireland / Water Forum, NCSC/NIS2 community, or an incumbent SI/GIS partner as a channel. Send the warm-intro email below once a bridge exists.
• Template (warm-intro email): "[Name] — [warm-intro context via WSIF / Engineers Ireland]. We build an EU-sovereign water-network resilience operating picture that turns a source-turbidity boil-water event into one human-gated, fully-audited loop — and the audit trail is your NIS2/CER incident evidence. It sits above your existing telemetry (we read SCOPE, we don't replace it). We publicly refuse biometric ID, predictive scoring and profiling — this is asset/hazard/incident resilience only. Could I show you a 20-minute decline-safe demo on a public incident pattern (the Tipperary turbidity boil-water case)? No cost, no obligation. — [Founder]"
• Exit criterion: one named, responsive contact. Deliverable: a logged warm route + first reply.

Stage 2 — Free discovery (60-min session, no slides).

• Trigger: contact agrees to a call. Owner: Founder.
• Activity (adapted 60-min agenda): 0:00–0:05 frame ("discovery, not a pitch; no commitment"); 0:05–0:20 "Walk me through your last boil-water / OT event from detection to closure — how many systems did you touch?"; 0:20–0:35 lawful basis + NIS2/CER scope + "does AI processing have to stay EU-sovereign for you?"; 0:35–0:45 who owns the budget (Asset/Ops vs CISO vs Digital), is there a WSIF / OT-security / digital-transformation line; 0:45–0:55 sketch their loop onto detect→enrich→triage→gate→task→execute→assess→close and find the gap (usually detect→act with no enrich/gate/evidence); 0:55–1:00 reflect back top-3 pains, ask for the scoped demo date. Declined-List pre-screen: PASS (resilience COP only).
• Exit criterion: a named sponsor agrees a problem worth solving + agrees to a demo. Deliverable: a co-authored written problem statement.

Stage 3 — Scoped demo (their loop, replayed).

• Trigger: discovery exit met. Owner: Founder.
• Activity: the Tipperary turbidity → boil-water resilience-COP walkthrough (§8/§10) on a real public incident pattern; show detect→enrich→gate→task→execute + the PROV-O bundle as NIS2/CER evidence; lead with sovereignty + conformity-by-construction.
• Exit criterion: sponsor asks "could we try this on a narrow real slice?". Deliverable: a champion who wants a scoped PoC.

Stage 4 — Pilot (one region / one capability, time-boxed).

• Trigger: demo exit ask answered yes. Owner: Founder + warm-intro sponsor.
• 1-page pilot proposal (filled for UÉ): Title "Tipperary Water-Resilience Operating-Picture PoC". Sponsor [UÉ Asset/Ops or OT-security lead — TBD] + budget owner [TBD]. Problem (their words) "we detect turbidity/OT events but can't see population impact, gate the decision, and produce defensible incident evidence in one place." The one thing we'll prove "We can fuse SCOPE OT + EPA RAL + ERA5/CAMS source signals into one human-gated resilience loop for ≥1 supply zone and cut time-to-defensible-incident-record from X to Y" (X/Y baselined in week 1). In/out in: 1 region (Tipperary/Mid-West), read-only SCOPE + EPA + Copernicus, BWN decision loop; out: any SCADA control, any person data, all Declined-List items. Data & lawful basis non-personal asset/quality telemetry + population counts; EU-hosted; classification EU-RESTRICTED, hardened-container isolation. Success criteria 2–4 sponsor-agreed metrics (baseline TBD wk-1). Timeline 8–12 weeks, mid-point checkpoint. Commercials €0 to UÉ if WSIF/innovation-funded; otherwise TBD. Funding vehicle WSIF / OT-security or digital-transformation line / SI subcontract. After → LOI if criteria met.
• Exit criterion: pilot scope + funding route agreed in writing. Deliverable: signed pilot MOU (non-binding, founder-signed pre-incorporation).

Stage 5 — LOI (the milestone).

• Trigger: pilot success criteria met or credibly trending. Owner: Founder + buyer champion.
• LOI checklist (this buyer): parties (UÉ + Founder pre-incorporation, NewCo to ratify under Companies Act 2014 s.45); statement of intent conditional on funding/procurement; scope carried from the pilot; success-criteria reference; named sponsor + budget owner; indicative timeline; indicative commercials ("to be scoped under OJEU framework"); conditions (security accreditation, DPA, data-sharing); non-binding except confidentiality; Declined-List affirmation; Irish governing law; solicitor review confirmed before sending.
• Exit criterion: signed LOI naming a sponsor + next step. Deliverable: the LOI (Patrick-check trigger if a Patrick route materialised).

Stage 6 — Signed contract.

• Trigger: LOI + a contracting vehicle exists (incorporated NewCo or partner prime) + a procurement route. Owner: MAHI/partner-vehicle or NewCo + buyer procurement.
• Activity: OJEU/eTenders framework or mini-competition, or SI subcontract. Exit criterion: executed contract. Deliverable: signed multi-year agreement.

§16 — PM / timeline

Stage \ Month        M1  M2  M3  M4  M5  M6  M7  M8  M9 M10 M11 M12 M13 M14 M15 M16
1 First contact      ####
2 Free discovery       ####
3 Scoped demo            ####
4 Pilot (8-12 wk)          ##########
5 LOI                              #####
6 Contract (OJEU)                       ############################# (>16mo)
--- critical path ---
Stamp-1G / vehicle   <===================== GATE (must resolve before a PAID pilot) ======>

• Milestones: M1 warm route logged · M3 written problem statement · M4 champion wants PoC · M6 pilot scope+funding agreed · M10 pilot success criteria met · M12 signed LOI · M16+ contract.
• Critical path: the Stamp-1G / partner-vehicle gate (a founder on Stamp 1G cannot sign or invoice a paid contract). Free discovery, demo, and a non-binding founder-signed pilot MOU can all proceed before the gate resolves; a PAID pilot or contract cannot. This gate, not the buyer, is the binding constraint.

(A=Accountable, R=Responsible, C=Consulted, I=Informed.)

§17 — Funding / procurement vehicle

• The capital is enormous but not an innovation pot. RC4's €13.6bn is largely treatment-plant/network/asset capital under CRU revenue control — not reachable by a pre-pilot software vendor through a discretionary line.
• Procurement reality: UÉ is a public body → OJEU / eTenders, typically multi-year frameworks / mini-competitions; slow, formal, incumbent-favouring. A direct full procurement is a multi-year horizon.
• Realistic wedges (fastest first): (1) PoC / innovation pilot under a digital-transformation or OT-security line, possibly below OJEU threshold — fastest legitimate entry; (2) the Water Services Innovation Fund (WSIF) intake as the named route (per the package's warm-intro plan) [confirm scope/eligibility in discovery]; (3) NIS2 / National Cyber Security Bill compliance spend (H1 2026 onward) as a budget trigger; (4) subcontract under an incumbent SI's framework (channel play); (5) co-fund via a national/EU innovation instrument (DTIF / Horizon water-resilience) — not the Defence Innovation Challenge (that funds the maritime beachhead). Near-term non-dilutive de-riskers reusable here: Innovation Voucher (€5k, CeADAR/UCD), HPSU Feasibility (≤€30k), PSSF (≤€100k convertible).

§18 — TWO-STAGE FORMULA SCORECARD

Every factor cell is [PRIOR] with a dated one-line rationale (2026-06-05). Stage-1 vector {mandate_pull, access_warmth, demonstrability, decline_safety, white_space, cycle_speed, pillar_fit}; Stage-2 vector {contractability, funding_to_pay, procurement_clarity, incumbency_displacement, time_to_value, reference_leverage}.

Stage 1 — P(LOI).

S1 = 0.22·5 + 0.22·1 + 0.18·3 + 0.14·5 + 0.10·2 + 0.08·1 + 0.06·4 = 3.08. P_LOI = 0.55 / (1 + exp(−1.15·(3.08 − 2.6))) = 0.349 → ~35% [PRIOR]. Score100 = S1·20 = 61.6.

Stage 2 — P(Contract | LOI).

S2 = 0.24·1 + 0.22·3 + 0.18·2 + 0.16·3 + 0.12·2 + 0.08·2 = 2.14. P_raw = 0.70 / (1 + exp(−1.1·(2.14 − 2.8))) = 0.228.

Legal gate G = V·T. t_resolve = 16 mo, H_conv = 30 → T = (30−16)/30 = 0.467.

Reconciliation. Score100 = 61.6, within ~0.3 pts of the board_anchor 61.9 (NEXT band, value high). P_LOI ~35% lands at the top of the anchored 22–35% to-LOI band; the V=1.0 to-buy of ~3.8% via the joint product is far below the anchor's 21–30% to-buy — because the board_anchor's to-buy reads the conditional P(Contract|LOI) (~10.6% at V=1.0, and the anchor's range presumes a resolved vehicle + a delivered reference, which compound it upward). The honest read: the gate (V) and a reference, not the buyer's appetite, govern the contract.

§19 — Commercial

• Pricing bands (indicative, ask only): Tier-1 €120–240k/yr (one region / one capability — the realistic entry PoC-to-production), Tier-2 €500k–€1.2m/yr (multi-region resilience COP), Tier-3 €2.4–4.8m/yr (national operating picture for the utility). Cost advantage: open-source substrate + sovereign HPC + a shared conformity file + no forward-deployed-engineer dependency.
• ACV (realistic entry): Tier-1 mid ~€180k/yr; expansion path to Tier-2/3 over a multi-year framework.
• Terms: multi-year framework / mini-competition under OJEU; annual subscription; EU-hosted; DPA per buyer; security-accreditation milestone as a contract condition.
• Requirements (we must meet to contract): ISO 27001 / NIS2-relevant security posture; a contracting vehicle (NewCo or partner prime); at least one delivered decline-safe reference; a SCOPE/EAM read integration.

§20 — Legal blockers

• X1 — Stamp-1G cap (binding). The founder on Stamp 1G cannot be a director/shareholder, self-employed, or operate a business → no paid contract signable by the solo founder. Free discovery + demo + a non-binding founder-signed pilot MOU (Companies Act 2014 s.45, ratifiable post-incorporation) are fine; a paid pilot/contract is not until a vehicle resolves (EEA-resident director / partner prime / Stamp 4). ⚖️ CONFIRM (immigration solicitor).
• X7 — Pre-incorporation contracting. Founder personally liable on any agreement until NewCo formed; sign NDAs/MOUs in own name, solicitor-reviewed. ⚖️ CONFIRM.
• Buyer-specific — NIS2 / CER status. UÉ is a NIS2 essential entity, but Ireland has not transposed NIS2 — so the Art-23 write-back is readiness evidence, not a statutory filing until the National Cyber Security Bill lands (expected H1 2026, [unverified date]). Do not claim a binding NIS2 deadline for UÉ.
• GDPR (X3). Not engaged by design — population counts + Eircode prefixes only; the supply_zone prefix-only CHECK is the artefact. A DPA still required if any pilot data set drifts toward personal data. ⚖️ CONFIRM scope per pilot.
• EU AI Act (X2). This COP is decision-support, not Annex-III high-risk and not an Art-5 prohibited practice (no biometric/predictive/social-scoring). FRIA filed conservatively. (Art-5 prohibitions applicable 2 February 2025 — noted for accuracy.)
• Procurement (X5). OJEU/eTenders; no Art-346/defence exemption applies (civil utility). Expect a slow open/competitive route favouring incumbents — channel via an SI framework to avoid a cold prime bid.
• Dual-use (X4). Not engaged — civil water resilience, no vessel/comms surveillance.

§21 — Warm-intro contact + the specific ask

• Status: COLD — no mapped relationship into Uisce Éireann today. None of the known bridges (Patrick Walsh / MAHI founders / Menno Axt) obviously reaches a water utility.
• Primary route to build: the Water Services Innovation Fund (WSIF) intake + the Irish water-engineering ecosystem (Engineers Ireland, Water Forum, CRU/EPA stakeholder events) + the NCSC/NIS2 community as the entry to the OT-security buyer (the timeliest hook given the 2023 incident).
• The specific ask (to Patrick Walsh / Dogpatch network): "Does anyone in the Dogpatch/NDRC network sit on or near Uisce Éireann's digital/innovation, asset-management, or OT-security side — or know the WSIF intake owner? I want one decline-safe, free discovery conversation about a water-network resilience operating picture, built on the public Tipperary turbidity boil-water pattern." Secondary: ask Ricardo Simón Carbajo (CeADAR/UCD) whether a CeADAR water-sector relationship could warm a delivery-partner route.

§22 — Open questions + consolidated sources

Open questions (do not assert until resolved):

• Exact RC4 headline to quote externally (€13.6bn CRU-approved vs €16.9bn strategic-funding vs €10.3bn infrastructure) — reconcile against CRU2025136 before any deck. [figures verified; headline varies by source]
• The real National Cyber Security Bill transposition date + what binds UÉ (currently "H1 2026", not yet law). [TBD]
• Internal owner of NIS2/OT security post-2023 incident — name + reporting line. [TBD]
• Existing stack beyond Ovarro SCOPE — which GIS/EAM/incident systems (Esri? Maximo? AVEVA?) — integrate vs compete. [partly known: SCOPE confirmed; rest TBD]
• Whether the Accenture–Palantir Foundry SI threat is real for UÉ specifically. [unverified]
• Whether a sub-OJEU innovation/OT-security PoC line or the WSIF intake is actually accessible. [TBD]
• Any warm route via Dogpatch / Engineers Ireland / Water Forum / NCSC. [TBD]

Sources (web-verified 2026-06-04 / 2026-06-05):

• CRU — Investing in the future of Ireland's water and wastewater infrastructure + RC4 Executive Summary (CRU2025136), record €13.6bn / €8.56bn capex + €5.02bn opex; cru.ie / consult.cru.ie. [verified]
• gov.ie / water.ie — Uisce Éireann Strategic Funding Plan 2025–2029 (€16.9bn; €10.3bn infrastructure + €6.6bn operations) + NDP €2bn ring-fence (July 2025). [verified]
• RTÉ — Water supplies for 497,000 at risk of disruption, says EPA (rte.ie, 2025-07-02). [verified]
• EPA — Drinking Water Remedial Action List Q4 2024 + quality remains high but supplies must become more resilient (epa.ie); 45 supplies/497k; 59 BWNs/95k; THM 19 supplies/245k; lead limit 10→5 µg/l in 2036. [verified]
• The Record / SecurityWeek / CISA — Cyber Av3ngers / Unitronics Irish water incident, Dec 2023, Co. Mayo, ~160 households, CVE-2023-6448. [verified]
• Ovarro / Water Magazine — Ovarro's SCOPE provides telemetry for Uisce Éireann (IEC 62443, ~2,000+ assets); ovarro.com; watermagazine.co.uk 2025-02-17. [verified]
• RTÉ — Uisce Éireann fined €20m for not hitting leak fix targets (rte.ie, 2025-11-25). [verified]
• NCSC-IE / DLA Piper / William Fry — NIS2 + National Cyber Security Bill transposition status (H1 2026 expected). [verified status; exact binding date unverified]
• Water Magazine — WSSP 2050 (2025-07-31) + RC4 public consultation (2025-11-26). [verified]
• EU AI Act — Art-5 prohibitions applicable 2 February 2025 (noted for accuracy). [verified]

---