STANDING BANNER — read before using this package. (1) Status honesty. Nexus Synergy Ltd is pre-incorporation, pre-revenue, pre-pilot. The Finnish Border Guard, Elering, Fingrid, EMSA and the EU Cable Security Toolbox node are TARGETS, not customers, partners, or deployments. Our ~178-surface UI gallery is a gallery, not traction. Nothing here is a contract, an LOI, or a commitment. (2) Anti-cookie-cutter. The §8 mockups are generated by _build/archetypes/gen_baltic-sentry-cable-protection.py and filled with this buyer's real entities (Estlink 2, M/T Eagle S, KP-114, Fingrid SCADA, Elisa DAS). They are this buyer's screens, not a reused shell. (3) Every probability is [PRIOR] — a subjective pre-pilot estimate for prioritisation, never a forecast. Re-score after every real conversation.

§0 — Header + one-line thesis

Baltic Sentry — Subsea Cable & Pipeline Protection COP. A sovereign, human-gated common operating picture that fuses AIS, distributed-acoustic-sensing (DAS) cable telemetry and grid SCADA into one cross-border anomaly picture for the Gulf of Finland, turning three weak signals into one auditable decision — detection-to-coast-guard-challenge, not warfighting, not surveillance of people.

One line: "You have the sensors and the cuts; you don't have the picture. We are the sovereign decision layer that fuses AIS + acoustic + grid telemetry into one human-gated, fully-audited cable-protection COP — above your detection vendors, not replacing them."

§1 — Entity snapshot (cited)

Attribute	Value	Source
Primary buyer	Finnish Border Guard (Rajavartiolaitos) — building a regional maritime-surveillance mechanism with "regional hubs to exchange information, risk analyses, threat assessments and real-time information"; Mikko Hirvi, head of maritime safety	Euronews 26 Jan 2026 `[verified]`; Capacity 2026 `[verified]`
Secondary buyers	Elering (Estonian TSO) + Fingrid (Finnish TSO) — operators of the damaged Estlink 2 HVDC link; grid telemetry is a fusion input	Fingrid/Elering 2024-25 `[verified]`
Funding/oversight node	EU Cable Security Toolbox + Connecting Europe Facility (CEF) Digital (€347m) under the EU Action Plan on Cable Security	EC Joint Communication JOIN(2025)9, 21 Feb 2025 `[verified]`; EC Feb 2026 `[verified]`
Operating theatre	Gulf of Finland (Helsinki ↔ Tallinn corridor); the most-attacked subsea segment in Europe — ≈45 shadow-fleet vessels/week transit it	Euronews 26 Jan 2026 `[verified]`
Status to us	Cold-to-warm target; entry via the EU Cable Security Toolbox process + Estonia's high e-gov receptivity + a MAHI EU bridge	this package `[unverified — no contact made]`

The reference incident this package is built on: the Estlink 2 HVDC interconnector between Finland and Estonia failed at 12:26 EET on 25 December 2024, cutting cross-border capacity from 1,016 MW to 358 MW; Finnish authorities detained the Cook Islands-flagged tanker M/T Eagle S (suspected "shadow fleet") on 26 Dec 2024; its anchor was recovered on 7 January 2025 by the Swedish navy vessel HSwMS Belos from ~80 m depth; repair completed and the link returned to commercial use 20 June 2025 at an estimated cost of tens of millions of euros (up to ~€60m). [verified — Wikipedia/Fingrid/NPR/Submarine Networks]

§2 — The pain (web-verified, dated, cited)

The Baltic is the world's busiest subsea-sabotage theatre, and the affected states currently see the picture in fragments across separate agencies and operators:

A 15-month wave of cable damage. At least 11 Baltic cables were damaged between October 2023 and January 2025, pushing NATO to act. [verified — Defense News, 28 Jan 2025]
Estlink 2 (25 Dec 2024). A national-grade power-interconnector cut on Christmas Day; the suspected cause (anchor-drag by Eagle S) was only reconstructed after the fact by stitching AIS history, seabed drag-marks and the recovered anchor — exactly the post-hoc forensics a fused live picture would have collapsed into a same-day alert. [verified]
NATO Baltic Sentry (14 Jan 2025). Launched at the Helsinki summit (SecGen Rutte, President Stubb of Finland, PM Michal of Estonia), led by JFCBS with MARCOM; deploys frigates, maritime-patrol aircraft and naval drones, and explicitly aims to "integrate national surveillance assets" — i.e. the integration layer is the named gap. [verified — NATO News, 14 Jan 2025]
EU Action Plan on Cable Security (21 Feb 2025). The Commission + High Representative adopted a plan across prevention, detection, response/recovery, deterrence; in Feb 2026 a Cable Security Toolbox and €347m (CEF Digital) followed, with 13 Cable Projects of European Interest and explicit calls to "expand monitoring, surveillance and detection capabilities." [verified — EC JOIN(2025)9; EC IP/25/580; EC Feb 2026]
The fragmentation pain (named, Jan 2026). Finland's Border Guard maritime-safety head Mikko Hirvi said the new mechanism will include regional hubs to exchange information, risk analyses, threat assessments and real-time information — a candid admission that the picture today is not shared in real time across authorities and states. [verified — Euronews, 26 Jan 2026]
Sensors arriving without a brain. Finland + Elisa Oyj ran a successful distributed-acoustic-sensing (DAS) early-warning field test in June 2026 — new seabed-vibration data with no sovereign fusion/decision layer above it yet. [verified — Bloomberg, 5 Jun 2026]

The wedge in one sentence: the buyers are acquiring sensors (DAS, sat-AIS, naval drones) and mandates (Toolbox, NIS2) faster than they are acquiring the sovereign decision layer that fuses those signals into one human-gated, cross-border, auditable picture.

§3 — Use-case & value (DECLINE-SAFE framing)

The loop we close: three independent weak signals — an AIS loiter/gap over a cable corridor, a DAS acoustic scrape at a cable kilometre-point, and a grid-telemetry power dip — each individually ambiguous (a trawler, a glitch, maintenance), but time-concurrent they cross an anomaly threshold. Nexus Synergy fuses them, raises one alert, runs a human-gated Decision Room, and (only on sign-off) tasks a coast-guard VHF challenge / boarding request and lodges a NIS2 incident notice — closing the loop with a cable-repair-vessel stand-by and a PROV-O audit chain.

Value:

Time-to-detect collapses from post-hoc forensic reconstruction (days) to same-incident alert (minutes) by correlating the three streams the buyer already owns.
Cross-border, by design. EE↔FI sharing via a CISE-compliant covenant is a first-class feature, directly serving the Toolbox's "faster data exchange between allied authorities" objective.
Sits above incumbents. We integrate Elisa's DAS, Kongsberg/Saab vessel-detection and national AIS — we do not rip-and-replace them.

DECLINE-SAFE — explicitly out of scope (and contractually excluded):

NO predictive policing, NO real-time biometric identification, NO emotion recognition, NO social scoring, NO untargeted scraping, NO psychometric profiling.
This is infrastructure resilience: vessel tracks and infrastructure telemetry, not persons. The picture pseudonymises vessel identity in the UI; identity attribution is for a coast-guard / maritime-authority lawful action, gated by a human, not for intelligence collection on individuals.
The escalation ceiling is a civil coast-guard challenge under SOLAS-type authority, not signals intelligence. ELINT/SIGINT is structurally out of this COP (enforced in the data model, §5).

§4 — Ontology (this buyer's domain entities + relationships)

Entities
  Cable-Asset      (Estlink-2 HVDC; segment KP-114; landfall FI/EE; operator Fingrid/Elering)
  Cable-Event      (DAS acoustic; sensor Elisa-DAS-7; centroid_hz; spl_db; class anchor_drag)
  Grid-Signal      (Fingrid SCADA; interconnector EL2; MW level; dip magnitude; timestamp)
  AIS-Contact      (MMSI-keyed track; per-ping LatLon/heading/SOG; gap intervals)
  Vessel           (M/T Eagle-S; flag COK; IMO; declared manifest = transit-only)
  Protection-Zone  (1-nm cable-protection polygon around the corridor)
  Anomaly-Cluster  (the fused 3-signal correlation; confidence m)
  CISE-Share       (cross-border data-sharing record EE<->FI; covenant id)
  Coast-Guard-Task (VHF query / boarding request; SOLAS authority ref)
  NIS2-Notice      (Art-23 incident lodge to TRAFICOM; 24h/72h clock)

Relationships
  Cable-Event   --located_on-->     Cable-Asset
  Grid-Signal   --measures-->       Cable-Asset
  AIS-Contact   --emitted_by-->     Vessel
  AIS-Contact   --proximal_to-->    Cable-Asset (inside Protection-Zone)
  Cable-Event   --time_concurrent--> Grid-Signal      (t-align within +/-60s)
  Anomaly-Cluster --fuses-->        {Cable-Event, Grid-Signal, AIS-Contact}
  Anomaly-Cluster --shared_via-->   CISE-Share (EE<->FI)
  Anomaly-Cluster --escalates_to--> Coast-Guard-Task   (human-gated)
  Anomaly-Cluster --reported_in-->  NIS2-Notice

The decisive entity is Anomaly-Cluster: it exists only as the fusion of three signals, none of which any single agency tool surfaces together today. That intersection is the white space.

§5 — Data model (synergy.* tables, RLS + a load-bearing CHECK)

Org-scoped for the app.current_org_id RLS predicate. The load-bearing invariant enforces the decline-safe ceiling at the database layer: an anomaly cluster cannot record an escalation without a human gate, and the disposition can never be an intelligence-collection action — only a civil coast-guard challenge — and cross-border sharing requires a registered CISE covenant.


SQL
51 lines
-- One fused cross-border cable-protection anomaly, org-scoped + RLS.
CREATE TABLE synergy.cable_anomaly (
    id                 uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id             uuid NOT NULL,                         -- RLS: app.current_org_id
    cable_segment      text NOT NULL,                         -- 'EL2-KP-114'
    detected_at        timestamptz NOT NULL,                  -- 2024-12-25T12:26:00+02
    -- the three fused signals
    ais_loiter_hours   numeric(6,1) NOT NULL DEFAULT 0,       -- 9.0 inside 1nm zone
    das_class          text NOT NULL                          -- DAS acoustic classifier
                       CHECK (das_class IN ('anchor_drag','trawl_snag','biologic','mechanical','none')),
    das_confidence     numeric(4,3) NOT NULL DEFAULT 0,       -- 0.870
    grid_mw_dip        numeric(8,1) NOT NULL DEFAULT 0,       -- 1016 -> 372 = 644.0
    signal_concurrence integer NOT NULL DEFAULT 0,            -- count of time-aligned signals (0..3)
    anomaly_confidence numeric(4,3) NOT NULL,                 -- 0.910 fused
    -- governance
    in_protection_zone boolean NOT NULL DEFAULT false,        -- 1nm polygon test
    human_gate_by      text,                                  -- duty-officer id; NULL until signed
    human_gate_at      timestamptz,                           -- NULL until signed
    disposition        text NOT NULL DEFAULT 'monitor'
                       CHECK (disposition IN ('monitor','cise_share','coastguard_challenge','repair_standby')),
    obs_level          text NOT NULL DEFAULT 'inferred'
                       CHECK (obs_level IN ('asserted','reported','inferred','direct','confirmed')),
    prov_o             jsonb NOT NULL,                        -- per-signal PROV-O attribution
    -- LOAD-BEARING INVARIANT: any escalation beyond passive monitoring REQUIRES a recorded
    -- human gate; the disposition set is closed (no 'elint'/'sigint'/'biometric' value exists),
    -- so the decline-safe ceiling is structural, not an app-layer convention.
    CONSTRAINT human_gate_required CHECK (
        disposition = 'monitor'
        OR (human_gate_by IS NOT NULL AND human_gate_at IS NOT NULL)
    )
);
ALTER TABLE synergy.cable_anomaly ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.cable_anomaly
    USING (org_id = current_setting('app.current_org_id')::uuid);

-- Cross-border data-sharing record (CISE covenant) — sharing is auditable + consented.
CREATE TABLE synergy.cise_share (
    id            uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id        uuid NOT NULL,
    anomaly_id    uuid NOT NULL REFERENCES synergy.cable_anomaly(id),
    from_state    text NOT NULL CHECK (from_state IN ('FI','EE','SE','LT','LV','EC')),
    to_state      text NOT NULL CHECK (to_state IN ('FI','EE','SE','LT','LV','EC')),
    covenant_ref  text NOT NULL,                              -- CISE data-sharing covenant id (required)
    shared_at     timestamptz NOT NULL DEFAULT now(),
    prov_o        jsonb NOT NULL,
    -- LOAD-BEARING: no cross-border share without a registered covenant + different states.
    CONSTRAINT covenant_present CHECK (length(covenant_ref) > 0 AND from_state <> to_state)
);
ALTER TABLE synergy.cise_share ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.cise_share
    USING (org_id = current_setting('app.current_org_id')::uuid);

§6 — Action-loop pseudocode (detect → enrich → triage → gate → task → execute → BDA → close)


Python
43 lines
def cable_protection_loop(das_event, grid_window, ais_window, org):
    # 1. DETECT — a DAS acoustic event at a cable kilometre-point (Elisa DAS feed).
    if das_event.spl_db < SPL_FLOOR or das_event.cls == 'none':
        return Disposition.MONITOR                       # show on globe, no escalation

    # 2. ENRICH — pull time-aligned signals the buyer already owns.
    grid = align_grid_dip(grid_window, das_event.t)      # Fingrid SCADA: 1016 -> 372 MW
    ais  = ais_contacts_in_zone(ais_window, das_event.kp, radius_nm=1.0)
    contact = fellegi_sunter_resolve(ais)                # M/T Eagle-S, COK flag (W > T_mu -> accept)

    # 3. TRIAGE — fuse. None alone escalates; concurrence does.
    concurrence = sum([
        ais.loiter_hours >= 4 and ais.in_zone,
        das_event.cls == 'anchor_drag' and das_event.conf >= 0.80,
        grid and abs(grid.mw_dip) >= GRID_DIP_FLOOR and within(grid.t, das_event.t, 60),
    ])
    conf = bayes_fuse(ais, das_event, grid)              # ~0.91
    if concurrence < 2:
        return Disposition.MONITOR                       # ambiguous -> watch, re-poll

    cluster = persist_anomaly(org, das_event, grid, contact, conf, concurrence)

    # 4. GATE — HUMAN sign-off in the Decision Room (DB CHECK enforces this, §5).
    verdict = decision_room(cluster, personas=[
        'maritime_ops', 'proportionality', 'civil_society_reviewer',
        'devils_advocate', 'subsea_acoustic_expert', 'cise_data_steward'])
    if not verdict.signed:                               # 2-of-2 duty officers (FI + EE)
        return refuse_and_log(cluster, verdict)          # logged refusal is a valid outcome

    # 5. TASK — civil coast-guard challenge ONLY (no ELINT; not in the disposition enum).
    cluster.disposition = 'coastguard_challenge'
    task = coastguard_vhf_query(contact, authority='SOLAS-V')   # + boarding request if non-compliant

    # 6. EXECUTE — cross-border share + statutory lodge (write-back, §11).
    share = cise_share(cluster, from_state=org.state, to_state='EE', covenant_ref=org.covenant)
    notice = nis2_lodge(cluster, regulator='TRAFICOM', clock_h=24)
    repair = cable_repair_standby(cluster, asset='Atlantic-CMA')

    # 7. BDA — did the loop change the outcome?
    bda = assess(task, share, notice)                    # vessel challenged & re-routed; cut prevented/contained

    # 8. CLOSE — seal the PROV-O chain; archive the Decision Room transcript to Audit.
    return close_loop(cluster, bda, prov_o=seal_provenance(cluster))

§7 — nexus-workflows YAML DAG (same loop, declarative, blocking human-gate node)


YAML
43 lines
# nexus-workflows: cable-protection COP loop (Gulf of Finland). NO cron — event-triggered.
workflow: baltic_cable_protection_loop
on:
  event: das.acoustic_event            # Elisa DAS feed (per cable kilometre-point)
concurrency: { group: "cable-${{ event.cable_segment }}", cancel_in_progress: false }
jobs:
  detect:
    run: skills/das_classify@1.4
    out: { spl: $.spl_db, cls: $.classification, conf: \$.confidence, kp: \$.kp }
  enrich:
    needs: [detect]
    if: ${{ jobs.detect.cls != 'none' && jobs.detect.spl >= env.SPL_FLOOR }}
    steps:
      - run: skills/grid_align@1.1        # Fingrid SCADA dip, +/-60s window
      - run: skills/ais_zone_resolve@2.0  # Fellegi-Sunter -> M/T Eagle-S, COK
  triage:
    needs: [enrich]
    run: skills/anomaly_fuse@1.2          # concurrence + Bayes fuse -> confidence ~0.91
    out: { concurrence: \$.concurrence, confidence: \$.confidence }
  human_gate:                              # <-- BLOCKING. The loop cannot proceed without it.
    needs: [triage]
    if: ${{ jobs.triage.concurrence >= 2 }}
    type: manual_approval
    block: true
    approvers: { roles: [fi_border_guard_duty, ee_elering_duty], min: 2 }   # 2-of-2 cross-border
    decision_room:
      personas: [maritime_ops, proportionality, civil_society_reviewer,
                 devils_advocate, subsea_acoustic_expert, cise_data_steward]
    timeout: 30m
    on_timeout: refuse_and_log
  task:
    needs: [human_gate]
    if: ${{ jobs.human_gate.approved }}
    run: skills/coastguard_challenge@1.0   # SOLAS-V VHF query; disposition='coastguard_challenge'
  execute:
    needs: [task]
    steps:
      - run: skills/cise_share@1.0         # EE<->FI; requires covenant_ref (DB CHECK)
      - run: skills/nis2_lodge@1.0         # TRAFICOM Art-23, 24h clock
      - run: skills/cable_repair_standby@1.0
  bda_close:
    needs: [execute]
    run: skills/bda_seal_provenance@1.0    # PROV-O chain sealed; transcript -> Audit ledger

§8 — UI/UX mockups (VERBATIM generated ASCII)

Generated by _build/archetypes/gen_baltic-sentry-cable-protection.py (imports globe_rmp, stix_board from archetypes.py; each builder's _ck() asserts equal-length pure-ASCII). SVG twin of the primary screen: _build/figures/baltic-sentry-cable-protection/uc-globe_rmp.svg.

Figure e04.1 — globe_rmp (PRIMARY). Components: ShellLayout + TopBar (with RendererChip = CesiumJS + PccPill in rightSlot) + LeftSidebar glyph-rail + MapConsole (CesiumJS-globe over EMODnet/S-101, the Estlink 2 route, the KP-114 break, the 1-nm protection zone, the Eagle-S loiter track) + right-docked ChatTerminal TRACKS rail + HistoryRail + BottomStatusBar + ClassificationBanner (top+bottom mirror).

Figure — Recognised maritime picture (globe_rmp). Production-fidelity React surface (buildable); the faithful ASCII follows.

+--------------------------------------------------------------------------------------------------+
| Gulf of Finland Cable-Protection RMP - Border Guard maritime mechanism (CesiumJS-globe)          |
+-------------------------------------------------------------------+------------------------------+
|         . - '' - .       GULF OF FINLAND (Helsinki<->Tallinn)     | TRACKS (sorted: anomaly)     |
|      /   o ----._  \   Estlink 2 HVDC + 3 fibre cables            | M/T EAGLE-S  COK flag        |
|     |  [!] AIS loiter|   EMODnet bathy -82m :: IHO S-101 ENC      |   AIS gaps, loiter 9h        |
|     |   M/T contact  |  M/T EAGLE-S (COK flag, AIS gaps)          |   over EL2 + fibre KP-114    |
|     |  speed 4kn 9h  |   loiter 9h astride cable corridor         | DAS acoustic event           |
|      \ __X cable EL2_/  DAS acoustic hit @ KP-114 (anchor-drag)   |   KP-114  scrape 38s         |
|       \ '. _____ .'/   SPL spike + scrape 38s :: Elisa fibre      |   class: anchor_drag .87     |
|         ' - x__ - '    Fingrid telemetry: 1016 -> 372 MW dip      | GRID telemetry (Fingrid)     |
|   Camera {lat 59.83 lon 24.6 alt 18km} CesiumJS-globe             |   EL2 1016->372 MW dip       |
|   Concurrence: AIS loiter + DAS scrape + grid-MW dip              |   t-align +40s of DAS        |
|   -> ANOMALY 0.91  ::  HUMAN GATE before any tasking              | [#] CISE share: EE+FI        |
|                                                                   | gate: coastguard challenge   |
|                                                                   |   not ELINT (civil COP)      |
+-------------------------------------------------------------------+------------------------------+
| EMODnet bathy + IHO S-101 + AIS mux + Elisa DAS + Fingrid SCADA :: CISE FI<->EE share ON         |
+--------------------------------------------------------------------------------------------------+

Figure e04.2 — stix_board (anomaly fusion). The OBSERVED → CORRELATED → ACTIONED board behind the globe: each raw signal (OBSERVED), the fused cluster + classifier (CORRELATED), and the human-gated civil actions (ACTIONED). Components: ShellLayout + Inspector-style three-column board inside the C2 surface; ClassificationBanner foot.

Figure — Signal-fusion board (OBSERVED→CORRELATED→ACTIONED). Production-fidelity React surface (buildable); the faithful ASCII follows.

+----------------------------------------------------------------------------------------------------+
| Cable-Protection Anomaly Fusion - Gulf of Finland (stix_board)                                     |
+--------------------------------+--------------------------------+----------------------------------+
| OBSERVED                       | CORRELATED                     | ACTIONED                         |
| AIS gap MMSI 273*              | cluster CBL-114 m=.91          | CISE share EE Elering            |
|   EAGLE-S, COK flag            |   3-signal concurrence         |   + FI Fingrid duty              |
| DAS event KP-114               | anchor_drag .87 (DAS)          | Coast-guard VHF query            |
|   scrape 38s, 167 dB           |   vs trawl_snag .09            |   + boarding request             |
| Fingrid SCADA dip              | loiter-in-corridor 9h          | NIS2 Art-23 lodge                |
|   EL2 1016->372 MW             |   inside 1nm zone              |   TRAFICOM 24h notice            |
| Sat-AIS Copernicus             | manifest mismatch:             | Cable-repair stand-by            |
|   re-acquire 24.61E            |   declared transit-only        |   Atlantic CMA asset             |
+--------------------------------+--------------------------------+----------------------------------+
| ALL human-gated :: civil-security COP :: NO biometric/predictive :: PROV-O chain per signal        |
+----------------------------------------------------------------------------------------------------+

§8b — Field-unit (Pixel) surfaces

The same scenario on the Pixel 10 Pro Fold field unit (Nexus Field app), tightly coordinated with the dashboard COP above — command pushes the task, the unit accepts + ACKs, shares position and reports back to the COP. Built on the same synergy.field_unit / field_task / field_report contract; see §9 and the cluster coordination composite.

Figure §8b.1 — Folded cover · tasking glance (ground_glance): the incoming IMMEDIATE task, ACCEPT + ACK, alert chips, bearing-to-objective.

Figure §8b.2 — Unfolded inner display · field COP: two-pane mini-map + task list + teammate roster + air/command coordination + PTT, with the Material-3 NavigationBar + Report FAB.

§9 — UI/UX flow (literal click-path)

Click-path: duty officer opens C2 → Cable-Protection RMP → DAS alert auto-pins KP-114 on the MapConsole globe → clicks the [!] Eagle-S track in the TRACKS rail → Inspector shows AIS gap + manifest mismatch → clicks "Fuse signals" → the stix_board slides in showing the 3-signal CORRELATED cluster (m=.91) → clicks "Open Decision Room" → six persona bubbles deliberate in ChatTerminal → /dual-control sign (FI Border Guard + EE Elering duty, 2-of-2) → /execute → coast-guard fans out CISE share + VHF challenge + NIS2 lodge → HistoryRail logs each receipt → BDA bubble closes the loop.

[DAS alert KP-114] -> [globe pin + TRACKS] -> [Inspector: Eagle-S] -> [Fuse -> stix_board]
        -> [Decision Room: 6 personas] -> [/dual-control sign 2/2 FI+EE]
        -> [/execute: CISE share | VHF challenge | NIS2 lodge] -> [HistoryRail receipts] -> [BDA close]

§10 — Decision-Room transcript (the gated decision)

▣ EU-RESTRICTED · TLP:AMBER · CIVIL-SECURITY COP ▣   Cable-Protection RMP — KP-114 anomaly
┌───────────────────────────────────────────────────────────────────────────────────────────┐
│ ⊟ Maritime-ops persona [EU-sovereign LLM]                                                   │
│    Reco: AIS loiter 9h inside the 1nm zone + DAS anchor_drag .87 + Fingrid 1016->372 MW dip │
│    t-aligned within 40s. Propose: coast-guard VHF challenge to M/T Eagle-S + boarding        │
│    request; place Atlantic-CMA cable-repair vessel on stand-by.                              │
│ ⊟ Proportionality persona                                                                    │
│    Necessity/proportionality satisfied for a CIVIL challenge: Estlink 2 = a national-grade   │
│    interconnector; a VHF query is the least-intrusive lawful step. Boarding only on          │
│    non-compliance (SOLAS-type authority).                                                    │
│ ⊟ Civil-society reviewer  [the dissent]                                                      │
│    OBJECTION: do NOT let an AIS-derived identity attribution become a pretext for any         │
│    signals-intelligence collection on this vessel. Surveillance-creep, not bandwidth, is the │
│    risk. Keep this a civil coast-guard action; ELINT must stay OUT of this COP.              │
│ ⊟ Devil's advocate                                                                           │
│    Counter: a 38s scrape could be an innocent trawl-net snag on the cable protector — don't  │
│    escalate to "intent" before a challenge-and-inspect.                                       │
│ ⊟ Subsea-acoustic expert                                                                      │
│    SPL 167 dB at low frequency, sustained 38s, is consistent with anchor-drag, NOT a trawl   │
│    (trawl = higher-frequency intermittent thuds). ObservationLevel = Inferred, conf 0.87.    │
│ ⊟ CISE data-steward                                                                          │
│    EE<->FI share is permitted ONLY under the registered CISE covenant (covenant_ref present).│
│    Pseudonymise vessel identity in the shared picture; full identity stays with the lawful   │
│    acting authority.                                                                          │
│                                                                                              │
│ GATE VERDICT: ACCEPT (narrowed). The civil-society + devil's-advocate inputs COLLAPSE the    │
│   reco from "intercept + collect" to "VHF challenge-and-inspect"; ELINT excluded; boarding    │
│   gated on non-compliance. Disposition = coastguard_challenge.                               │
│   [/dual-control sign — FI Border Guard duty]   [/dual-control sign — EE Elering duty]       │
│   [ /execute ]                                  [ Refuse + log ]                              │
▣ EU-RESTRICTED · TLP:AMBER · INFRASTRUCTURE RESILIENCE ONLY ▣

The materially decision-changing disagreement: the civil-society reviewer's objection (no SIGINT pretext) plus the devil's advocate's trawl-snag alternative narrowed an "intercept + collect" reco into a civil VHF challenge-and-inspect — exactly the decline-safe ceiling the §5 CHECK constraint hard-codes.

§11 — Write-back + BDA + PROV-O + deltas-only regulatory traceback

Write-back (UNO actions):

coastguard_vhf_query(Eagle-S, SOLAS-V) → maritime-authority tasking bus.
cise_share(anomaly, FI→EE, covenant_ref) → cross-border picture push to Elering/Fingrid duty.
nis2_lodge(anomaly, TRAFICOM, 24h) → statutory incident notice.
cable_repair_standby(Atlantic-CMA) → repair-vessel pre-positioning.

BDA (loop close): the challenge prompts Eagle-S to lift anchor and clear the corridor; a cut is prevented/contained rather than reconstructed days later; the BDA bubble records delta-to-baseline (detect time minutes vs. the Estlink-2 days-long post-hoc forensic).

PROV-O chain (per signal):

das.acoustic_event  --wasGeneratedBy--> Activity[das_classify@1.4, model=acoustic-v1.4]
grid.scada_dip      --wasGeneratedBy--> Activity[grid_align@1.1]
ais.zone_resolve    --wasGeneratedBy--> Activity[ais_zone_resolve@2.0, Fellegi-Sunter]
cable_anomaly       --wasDerivedFrom--> {das.event, grid.dip, ais.resolve}
                    --wasAttributedTo--> Agent[fi_border_guard_duty] (human gate)
coastguard_task     --wasGeneratedBy--> Activity[coastguard_challenge@1.0]  (post-gate only)

Deltas-only regulatory traceback (only what differs from the §4.0 defaults):

EU AI Act: the fusion classifier is decision-support, human-in-the-loop (Art. 14); no Art. 5 prohibited practice (no biometric ID, no social scoring); the prohibitions have applied since 2 February 2025. A FRIA is run if a buyer deems the COP high-risk. [verified — AI Act Art. 5 applicable 2 Feb 2025]
NIS2: the nis2_lodge write-back implements the Art-23 incident-reporting duty (24h early-warning / 72h notification clocks).
GDPR: vessel tracks/telemetry are not personal data; the only personal-data edge (a vessel master) is pseudonymised in the picture and handled under a DPA by the lawful acting authority — not by this COP.

§12 — Buyer & stakeholders

Role	Who	Status
Operational owner	Finnish Border Guard maritime-safety command — Mikko Hirvi, head of maritime safety (named, quoted Jan 2026)	`[verified person/role; not contacted]`
Cross-border counterpart	Estonian authorities (Erkki Tori, national security adviser, named in Atlantic Council) + Elering duty	`[verified person; not contacted]`
Grid operators (data owners)	Fingrid (FI) + Elering (EE) — SCADA/telemetry inputs	`[Named contact TBD]`
Funding/oversight	EU Cable Security Toolbox Expert Group + DG-CNECT (CEF Digital)	`[channel verified; contact TBD]`
Regulator (NIS2)	TRAFICOM (FI)	`[verified institution; contact TBD]`
Our warm-bridge candidate	MAHI (mahi.be) EU network → Belgian/EU maritime ecosystem; founder relationship	`[verified relationship; this specific intro TBD]`

§13 — Competition / incumbency + comparator (cited)

Comparator	What it is	Our position
Nordic Warden (JEF)	UK-led AI risk-assessment system tracking ~22 areas of interest, activated Jan 2025	National/alliance threat-tracking, not a buyer-owned fused COP with a human-gated action loop + audit. We sit beside it as the sovereign decision layer. `[verified — Atlantic Council]`
CTF Baltic (German-led, Oct 2024)	NATO command/coordination cell	A C2 structure, not a software COP product. `[verified]`
Elisa Oyj + Border Guard DAS test (Jun 2026)	Distributed-acoustic-sensing early-warning sensor	A feed, not a fusion brain. We consume DAS as one of three inputs. The clearest "above-the-incumbent" wedge. `[verified — Bloomberg]`
Kongsberg / Saab	Vessel-detection-from-space + fixed-point subsea surveillance hardware	Sensor primes; we are the vendor-neutral decision layer over their feeds, not a competitor. `[verified — Kongsberg]`
Palantir-class primes	Generic fusion platforms	EU-sovereignty-by-architecture + published Declined List + conformity-by-construction is the differentiator; we win on sovereignty + restraint, not feature count.

White space: nobody is selling the buyers a sovereign, cross-border, human-gated COP that fuses AIS + DAS + grid telemetry into one auditable action loop. The sensors and the mandate exist; the brain does not.

§14 — Readiness (honest, pre-pilot)

Reuse (real): the globe_rmp + stix_board surfaces exist in the gallery; the action-loop, Decision Room, AI Provider Router (EU-sovereign routing), PROV-O ledger and FRIA workflow are architecture we can demo on representative data. The maritime/sub-sea pillar (UC-55 / W-11) is the closest-built analogue.

Real gaps (no hand-waving):

No live DAS / SCADA / national-AIS integration — these are pilot-build, not shipping. [gap]
No deployed reference anywhere — first-logo risk. [gap]
No contracting vehicle — founder on Stamp 1G (see §20). [gap]
Non-NATO, non-Nordic Irish entity — eligibility for some NATO/JEF-adjacent funding is excluded (DIANA), and cross-border CISE covenants are buyer-side legal work. [gap]
Distance/language — Finnish/Estonian public sector, no on-the-ground presence. [gap]

§15 — ENGAGEMENT PLAYBOOK (first-contact → free discovery → demo → pilot → LOI → contract)

Stage	Trigger	Owner	Activity / template-or-script	Exit criterion	Deliverable
1. First contact	EU Cable Security Toolbox process is live + a MAHI/EU bridge	Founder	Warm-intro email (below) routed via MAHI's EU network or an EU Cable Security Toolbox Expert-Group contact; lead with the fused-COP wedge, not a product tour	A named maritime-safety / Toolbox contact replies	Logged intro + reply
2. Free discovery	Contact agrees to a call	Founder	60-min discovery agenda (below), adapted: their words on how today's AIS/DAS/grid signals are not fused, who owns which feed, the CISE-sharing pain, NIS2 reporting load	Named sponsor agrees the fusion gap is real + decline-safe; PASS the Declined-List check	Same-day discovery write-up
3. Scoped demo	Sponsor asks "show me on our kind of data"	Founder	Replay the Estlink-2 incident on the gallery: the 3-signal concurrence → human gate → civil challenge, on representative (not classified) Gulf-of-Finland data	Sponsor asks "could we try this on a narrow real slice?"	Recorded demo + 1-page pilot proposal
4. Pilot	Demo-exit yes + a funding route identified	MAHI/partner vehicle + Founder	1-page pilot proposal (below), grant-funded (CEF Digital / EU Cable Security Toolbox / EUDIS), time-boxed 8–12 wks, success-criteria set week 1	Success criteria met or credibly trending	Pilot result memo
5. LOI	Pilot criteria met	MAHI/partner vehicle	LOI checklist (below); non-binding; Declined-List affirmation; solicitor-reviewed	Signed LOI naming sponsor + next step	Signed LOI
6. Signed contract	LOI + a viable procurement route (CEF / national / framework)	MAHI/partner vehicle	Contract under the identified vehicle; Stamp-1G gate resolved via partner-vehicle	Counter-signed contract + invoice raised	Contract + first invoice

Warm-intro email (adapted draft #3, decline-safe):

Subject: A no-cost fused cable-protection picture — discovery, not a pitch. [Name] — [MAHI/Toolbox intro context]. We build an EU-sovereign common-operating-picture platform. After Estlink 2 and the Baltic Sentry launch, the gap we keep hearing is fusion: AIS, acoustic-sensing and grid telemetry live in separate hands, so a cable incident is reconstructed days later instead of caught the same hour. We run a free discovery session to map exactly where your picture is fragmented today, with no cost and no obligation. We publicly refuse biometric ID and predictive policing — this is infrastructure resilience, human-gated, fully audited, with cross-border sharing under a CISE covenant. Could I show you 20 minutes? — [Founder]

60-min discovery agenda (adapted): 0–5 frame + decline-safe statement; 5–20 "walk me through Estlink-2 from first signal to challenge — who saw what, in what order?"; 20–35 lawful basis / NIS2 / CISE-sharing constraints; 35–45 who owns the DAS, AIS and SCADA feeds + the funding route (CEF/Toolbox); 45–55 map their loop onto detect→…→close, find the fusion gap; 55–60 earn the demo.

1-page pilot proposal (filled): Title — "Gulf-of-Finland Fused Cable-Protection COP pilot"; Sponsor — FI Border Guard maritime safety (+ Elering/Fingrid data); One thing we prove — "fuse AIS + DAS + grid telemetry into one human-gated alert and cut time-to-detect-anomaly from days to minutes" (X/Y baseline set week 1); Scope IN — globe_rmp + stix_board + Decision Room on representative data; OUT — any biometric/ELINT, live classified feeds; Data — representative AIS + synthetic DAS + historical SCADA, EU-hosted; Funding — CEF Digital / EU Cable Security Toolbox grant route (pilot €0 to the buyer); Timeline — 8–12 wks; After — LOI.

§16 — PM / timeline

                              Wk1-4   Wk5-8   Wk9-12  Wk13-16 Mo5-6   Mo7-9   Mo10-12
 First contact (warm)        [====]
 Free discovery                 [==]
 Scoped demo (Estlink replay)      [===]
 Pilot (grant-funded)                  [==========]
 Stamp-1G / partner-vehicle gate   [================]  <-- CRITICAL PATH (paid pilot blocked until resolved)
 LOI                                              [==]
 Procurement route (CEF/natl)                        [==============]
 Signed contract                                                   [=====]

Milestones: M1 named contact (Wk2); M2 discovery write-up (Wk4); M3 demo-exit yes (Wk8); M4 partner-vehicle confirmed (≤Mo3, gating); M5 pilot result (Wk12); M6 signed LOI (Wk14); M7 contract (Mo10–12).

Critical path: the Stamp-1G → partner-vehicle (MAHI or incorporated NewCo) gate is critical for a PAID pilot/contract; a free discovery + grant-funded pilot can run in parallel under a founder-signed (personally-liable) MOU, but no invoice can issue until the vehicle exists.

RACI:

Activity	Founder	Warm-intro sponsor (MAHI/Toolbox)	MAHI / partner-vehicle	Buyer champion (Border Guard)	Buyer procurement
First contact	A/R	R	C	I	—
Discovery	A/R	C	I	R	I
Demo	A/R	I	C	R	I
Pilot delivery	R	I	A	C	I
LOI	C	I	A/R	R	C
Contract	I	I	A/R	C	R

§17 — Funding / procurement vehicle

EU Cable Security Toolbox + CEF Digital (€347m, Feb 2026) — the headline route; note the cable-repair-module calls are restricted to public entities with an emergency-response mandate, so we ride a buyer/consortium (Border Guard, grid operator) rather than apply solo for those; broader CEF Digital / monitoring-and-detection measures are the openings for a software decision-layer. [verified — EC; Industrial Cyber; FASI]
CEF Digital backbone/submarine calls (€200m, deadline 30 June 2026) — partner-as-lead route. [verified]
EUDIS / EDF 2026 maritime track (closes 29 Sep 2026) — consortium-only; an EU (Belgium-MAHI + Ireland) team fits the buy-European mandate. [verified — discovery-playbook §8]
National Border-Guard / TSO procurement — the direct buyer route once a reference exists.

§18 — TWO-STAGE FORMULA SCORECARD

Computed by the model in formula-worked-examples.md (P_LOI = 0.55/(1+exp(-1.15·(S1−2.6))); P_raw = 0.70/(1+exp(-1.1·(S2−2.8))); G = V·T; T = (30−t_resolve)/30, t_resolve = 12mo). Every factor [PRIOR] with a dated rationale.

Stage-1 vector {mandate_pull, access_warmth, demonstrability, decline_safety, white_space, cycle_speed, pillar_fit} = {5,2,4,5,3,3,5}

Factor	Score	Dated rationale `[PRIOR]`
mandate_pull	5	EU Action Plan on Cable Security (21 Feb 2025) + Toolbox/€347m (Feb 2026) + NATO Baltic Sentry (14 Jan 2025) + Estlink-2 cut (25 Dec 2024) — the single most acute, most-funded forcing function in the EU portfolio.
access_warmth	2	No named contact yet; MAHI/EU bridge is plausible but unbuilt; foreign-jurisdiction cold-to-warm (2026-06-05).
demonstrability	4	Storm/maritime pillar reuse + a perfect real replay (Estlink 2) on the gallery; not 5 only because data integration is pilot-build (2026-06-05).
decline_safety	5	Infrastructure resilience only — tracks + telemetry, not persons; ceiling hard-coded as a DB CHECK; no biometric/predictive drift possible (2026-06-05).
white_space	3	Sensors (DAS) + C2 (CTF Baltic) + risk-AI (Nordic Warden) exist, but the fused buyer-owned action-loop COP does not — genuine white space above incumbents (2026-06-05).
cycle_speed	3	EU grant-funded pilot routes (CEF/Toolbox/EUDIS) on a clock give a non-OJEU first step (2026-06-05).
pillar_fit	5	Squarely the action-loop COP core (sub-sea RMP + fusion + gate) (2026-06-05).

S1 = 3.80 → P_LOI ≈ 0.439 (44%) · Score100 = S1·20 = 76.0

Stage-2 vector {contractability, funding_to_pay, procurement_clarity, incumbency_displacement, time_to_value, reference_leverage} = {1,4,3,4,3,2}

Factor	Score	Dated rationale `[PRIOR]`
contractability	1	Solo founder on Stamp 1G — no signable/invoiceable vehicle today (2026-06-05).
funding_to_pay	4	Named EU money: CEF Digital €347m + €200m call + Toolbox; grant-funded pilot is real (2026-06-05).
procurement_clarity	3	CEF calls have dates (30 Jun 2026) but some are public-entity-only; partner-as-lead needed (2026-06-05).
incumbency_displacement	4	We sit above Elisa-DAS / Kongsberg / Nordic Warden — integrate, don't rip-and-replace (2026-06-05).
time_to_value	3	Demo-to-value plausible inside the Toolbox window, but cross-border integration is non-trivial (2026-06-05).
reference_leverage	2	No delivered reference yet; this would be among the first logos (2026-06-05).

S2 = 2.82 → P_raw ≈ 0.354

Legal gate G = V·T, t_resolve = 12mo → T = 0.60:

V (vehicle)	G = V·T	P(Contract) = P_LOI·G·P_raw
0.10 (solo Stamp 1G, today)	0.06	0.9%
0.45 (brokered entity in discussion)	0.27	4.2%
0.75 (MAHI/partner confirmed prime)	0.45	7.0%
1.00 (Stamp 4 + incorporated)	0.60	9.3%

Board reconciliation: board_anchor.score100 = "[PRIOR-derive]", value high. Derived Score100 = 76 (Stage-1), P_LOI ≈ 44%, P(Contract) 0.9% today → 7–9% with a vehicle. This sits in the high band (top of the EU portfolio on mandate pull, gated hard by the legal vehicle) — consistent with the NOW-EU tier. All probabilities [PRIOR].

§19 — Commercial

Tier	Scope	Indicative ACV
Tier 1	Single-corridor pilot/POC (Gulf of Finland), representative data, one tenant	€120–240k/yr
Tier 2	Production COP for one authority (FI Border Guard) + 2-state CISE sharing	€600k–1.2m/yr
Tier 3	Multi-state Baltic decision layer (FI/EE/SE/LT/LV) + EU Toolbox node	€2.4–4.8m/yr

Terms: EU-hosted; annual subscription + integration SOW; pilot frequently €0 to the buyer (grant-funded). Requirements: a contracting vehicle (§20), a CISE data-sharing covenant per state-pair, and a named feed owner per signal (DAS/AIS/SCADA). Cost advantage: open-source substrate + sovereign HPC + shared conformity file + no forward-deployed-engineer dependency.

§20 — Legal blockers

Stamp-1G cap (X1) — hard. Founder cannot be director/shareholder/self-employed or sign a paid contract until Stamp 4. No paid pilot or contract is signable by the solo founder. Mitigation: MAHI or a brokered NewCo as contracting prime; EEA-resident director (Patrick/Manuel) for incorporation; pursue Stamp 4. ⚖️ CONFIRM (immigration solicitor).
Non-NATO / DIANA exclusion (X6). Irish entity ineligible for NATO DIANA; some JEF/Nordic-Warden-adjacent funding is closed. Use EU vehicles (CEF/EUDIS/Toolbox); not a blocker for the EU-civil route. [verified]
Dual-use export (X4). AIS/vessel-monitoring fusion can classify as controlled cyber-surveillance tech under Reg. (EU) 2021/821 — export classification per integrated config + end-user due diligence. ⚖️ CONFIRM (export counsel).
EU AI Act. No Art-5 prohibited practice (decline-safe by construction); human-in-the-loop (Art. 14); FRIA if buyer deems high-risk. Prohibitions apply since 2 Feb 2025. [verified]
GDPR / cross-border sharing. Vessel tracks ≠ personal data; the single personal-data edge (a master) is pseudonymised + handled by the lawful authority under a DPA; CISE cross-border sharing needs a registered covenant (enforced by the §5 CHECK). ⚖️ CONFIRM (data-sharing agreement per state-pair).
Pre-incorporation contracting (X7). MOUs signed in founder's own name under Companies Act 2014 s.45 (personally liable until ratified). ⚖️ CONFIRM (solicitor).
Buyer-specific: foreign public procurement (Finnish/Estonian) + the CEF cable-repair-module public-entity-only restriction → ride a buyer/consortium, don't apply solo for restricted calls.

§21 — Warm-intro contact + the specific ask

Route: MAHI (Pieter-Jan Note, mahi.be) → MAHI's EU maritime network / EU Cable Security Toolbox Expert-Group contact → Finnish Border Guard maritime-safety command (Mikko Hirvi's office).

The specific ask to MAHI: "Can you bridge one introduction into the Finnish Border Guard's new maritime-surveillance mechanism (or an EU Cable Security Toolbox Expert-Group contact)? I want a free discovery session on the fusion gap — AIS + DAS + grid telemetry in one human-gated COP — using the Estlink-2 replay. An all-EU Belgian+Irish team is exactly what the Toolbox and EUDIS reward, and it helps us scope you as the contracting vehicle."

§22 — Open questions + consolidated Sources

Open questions (do not assert until resolved):

Who exactly owns the budget inside the Finnish Border Guard mechanism vs. CEF Digital vs. the TSOs? [TBD]
Is the DAS early-warning test (Elisa) a procurement that pre-empts a fusion layer, or a feed we sit above? [likely a feed; CONFIRM]
Will Estonia/Finland accept a non-Nordic, non-NATO vendor for a cross-border COP? [TBD]
Exact CISE covenant mechanics FI↔EE for live anomaly sharing. [TBD]
The precise CEF-Digital eligibility for a software decision-layer (vs. cable-repair modules). [partially verified; CONFIRM]

Sources (dated):

NATO, NATO launches "Baltic Sentry"…, 14 Jan 2025 — nato.int [verified]
Defense News, 11 Baltic cables damaged in 15 months…, 28 Jan 2025 — defensenews.com [verified]
European Commission, EU Action Plan on Cable Security (JOIN(2025)9), 21 Feb 2025 — eur-lex.europa.eu ; press IP/25/580 — ec.europa.eu [verified]
European Commission, Submarine Cable Security Toolbox & Cable Projects of European Interest / €347m CEF Digital, Feb 2026 — digital-strategy.ec.europa.eu ; blue-economy-observatory.ec.europa.eu [verified]
Industrial Cyber, €347m under CEF Digital + Toolbox — industrialcyber.co [verified]
FASI, CEF Digital 2026 calls (€200m, deadline 30 Jun 2026) — fasi.eu [verified]
Wikipedia, 2024 Estlink 2 incident — en.wikipedia.org [verified]
Fingrid, Estlink 2 returns to commercial operation — fingrid.fi [verified]
Submarine Networks, Repair of Estlink 2 up to €60m — submarinenetworks.com [verified]
Euronews, Finland steps up undersea monitoring… (Mikko Hirvi; ~45 shadow vessels/wk), 26 Jan 2026 — euronews.com [verified]
Capacity, Finland to build new maritime surveillance centre — capacityglobal.com [verified]
Bloomberg, Finland Tests Early-Warning System (DAS, Elisa)…, 5 Jun 2026 — bloomberg.com [verified]
Atlantic Council, How the Baltic Sea nations have tackled suspicious cable cuts (Nordic Warden, CTF Baltic, Erkki Tori) — atlanticcouncil.org [verified]
Kongsberg, Vessel detection from space / Fixed-point subsea surveillance — kongsberg.com [verified]
Internal grounding: discovery-playbook.md, formula-worked-examples.md, legal-blockers-register.md, contact-register.md, outreach-drafts.md, AW UC-55/W-11 (…-aw-t03.md).

STANDING BANNER — read before using this package. (1) Status honesty. Nexus Synergy Ltd is pre-incorporation, pre-revenue, pre-pilot. The Finnish Border Guard, Elering, Fingrid, EMSA and the EU Cable Security Toolbox node are TARGETS, not customers, partners, or deployments. Our ~178-surface UI gallery is a gallery, not traction. Nothing here is a contract, an LOI, or a commitment. (2) Anti-cookie-cutter. The §8 mockups are generated by _build/archetypes/gen_baltic-sentry-cable-protection.py and filled with this buyer's real entities (Estlink 2, M/T Eagle S, KP-114, Fingrid SCADA, Elisa DAS). They are this buyer's screens, not a reused shell. (3) Every probability is [PRIOR] — a subjective pre-pilot estimate for prioritisation, never a forecast. Re-score after every real conversation.