STANDING BANNER — read first. Nexus Synergy Ltd is pre-incorporation, pre-revenue, pre-pilot; FRONTEX and the Member-State National Coordination Centres are a TARGET, not a customer, pipeline, or deployment. Our ~178-surface UI gallery is a gallery, not traction. Every probability in this document is a [PRIOR] — a subjective pre-pilot estimate for prioritisation, not a forecast.

Anti-cookie-cutter: the §8 mockups are the generated ASCII from _build/archetypes/gen_frontex-eurosur-mda-sar.py (alignment-guarded), filled with this buyer's real entities (EUROSUR NCC, CleanSeaNet, Copernicus Marine, Sentinel-1, GMV). They are this buyer's screens, not a reused template.

DECLINE-POLICED buyer — hard framing. FRONTEX sits under documented fundamental-rights scrutiny (OLAF 2022 pushback findings; the Executive Director's 2022 resignation). We pursue only the decline-safe slice — maritime-safety + Search-and-Rescue (SAR) + environmental (oil-spill) monitoring — with an explicit, structural no-biometric / no-migrant-profiling / no-person-risk-scoring exclusion, and we gate the entire engagement behind a delivered decline-safe reference (an Irish/EU SAR or civil-protection pilot first). If the engagement cannot be held to that slice, we decline, on the record.

§0 — Header + one-line thesis

Thesis. For the maritime-safety, SAR, and environmental-monitoring slice of EUROSUR — and nothing else — Nexus Synergy is the EU-sovereign, human-gated, fully-audited decision/operating-picture layer that sits above the existing Fusion Services (GMV / EMSA CleanSeaNet / Copernicus), turns a detection into a coordinated, provenance-stamped SAR action with a structural no-biometric boundary, and proves restraint is built-in rather than promised. This is a LATER-EU row: high strategic value (an EU-agency reference), low near-term probability, gated behind both the legal vehicle and a prior decline-safe reference.

§1 — Entity snapshot (cited)

FRONTEX — the European Border and Coast Guard Agency; 2025 budget ≈ EUR 1.12 billion (up from EUR 143m in 2015) [verified — Wikipedia/Statewatch, 2025]. EUROSUR (European Border Surveillance System) is established by Regulation (EU) 2019/1896 (the European Border and Coast Guard Regulation), which integrated the earlier EUROSUR Regulation [verified — EUR-Lex CELEX:32019R1896].
National Coordination Centre (NCC) — under Reg 2019/1896, each Member State must designate, operate and maintain an NCC operating 24/7, the single point of contact coordinating all national external-border authorities and exchanging the national situational picture with other NCCs and the Agency [verified — frontex.europa.eu; home-affairs.ec.europa.eu/eurosur]. The NCC and its national situational picture are the realistic, decline-safe buyer surface — not Frontex HQ risk-analysis.
EUROSUR Fusion Services — Frontex-provided shared services including automated vessel tracking and detection, anomaly detection, position prediction, and precise weather/oceanographic forecasts; vessel detection explicitly locates "vessels requiring search-and-rescue operations" and supports environmental assessment [verified — coastguard.europa.eu Fusion Services catalogue; frontex.europa.eu Copernicus]. Delivered in cooperation with EMSA (CleanSeaNet), the EU Satellite Centre (SatCen) and Copernicus [verified].
Funding for the safe slice — the Commission provided EUR 47.6m (2015–2020) to Frontex for Copernicus-based services (coastal monitoring, vessel detection, environmental assessment, SAR) [verified — gmv.com; digit.site36.net]; Frontex 2025 annual procurement envelope ≈ EUR 107.745m [verified — Frontex MB-Decision 42/2024 Annual Procurement Plan 2025].
Incumbent — GMV is the prime contractor for the development of the EUROSUR network [verified — gmv.com]; EMSA CleanSeaNet is the operational satellite oil-spill + vessel-detection service since 2007 [verified — emsa.europa.eu]. We sit above these as a decision layer; we do not replace them.

§2 — The pain (web-verified, dated, cited)

The NCC operator's decline-safe pain is fusion-to-coordination latency in a life-safety setting, not lack of sensors:

Detection arrives in fragments. Vessel detections (Sentinel-1 SAR), AIS, CleanSeaNet oil-spill imagery, Copernicus drift forecasts, and DSC distress alerts arrive in separate Fusion-Services products and tools; the operator manually stitches them into one picture [verified — EUROSUR Fusion Services catalogue lists these as separate services]. In a SAR or pollution event the golden hour is consumed by stitching.
SAR is a duty, and the agency has been criticised for under-performing it. Reg 2019/1896 and the integrated Regulation (EU) 656/2014 (surveillance of the EU's external maritime borders) impose life-saving obligations; an EU Ombudsman inquiry criticised Frontex for failing to take a more active role in search-and-rescue, and the OLAF 2022 report found serious failings around pushbacks [verified — euronews 2022-10-14; ombudsman/SIEPS 2022]. The forcing function for our safe slice is precisely the institutional pressure to make SAR coordination demonstrably faster, human-gated, and auditable.
Environmental events need cross-agency hand-off. A CleanSeaNet sheen detection has to be handed to EMSA's environmental responders and the relevant CISE/coast-guard authorities; the EMSA Multipurpose Maritime Operation 2025 (La Manche / Southern North Sea) and POLEX oil-spill exercise show the multi-asset, multi-nation coordination load is real and rehearsed [verified — emsa.europa.eu, 2025].
Provenance and proportionality are reputational survival. Given the scrutiny, every operational action must be reconstructable — who decided what, on what evidence, under what lawful basis — which is exactly what a provenance ledger + proportionality gate provide. There is no credible buy here that is not about defensible, auditable, human-gated coordination.

§3 — Use-case & value (DECLINE-SAFE framing)

What we build (the only slice we will build): a sovereign EUROSUR-compatible national-situational-picture decision layer for the NCC that fuses vessel-detection + AIS + CleanSeaNet environmental + Copernicus drift + DSC-distress into one operating picture, then closes a single human-gated SAR/environmental action: post a EUROSUR SAR-incident, alert the MRCC, alert the EMSA environmental team — each proportionality-scored, dual-control-signed, and provenance-stamped.

What we will NOT build — structural exclusions (enforced in schema, router, and UI, not just policy):

No predictive policing. No real-time biometric identification / facial recognition. No emotion recognition. No social scoring. No untargeted scraping. No psychometric profiling. No individual migrant risk-scoring or person-level "risk" inference of any kind. (These are on the company Declined List and are filtered out before ranking; here they are additionally disabled in the data model and the AI Provider Router.)
The COP shows objects at sea as safety/SAR/environmental tracks — vessel in distress, oil sheen, persons-in-water — never as profiled individuals. An unidentified detection is rendered "unlit / unknown — treat as possible-SAR", never matched against a person.

Value (decline-safe only): faster, auditable fusion-to-coordination in SAR and pollution events; a provenance + proportionality spine that directly answers the agency's accountability gap; EU-sovereign processing (AI Provider Router refuses out-of-jurisdiction model calls). The value proposition is resilience, safety, and coordination — and restraint as a feature.

Honest gating note. This row is deliberately LATER: we will not approach FRONTEX/an NCC until a delivered decline-safe reference (e.g. an Irish Coast Guard / civil-protection SAR pilot — see vol-B coast-guard-sar) exists to anchor the no-biometric story with evidence, not assertion.

§4 — Ontology (this buyer's domain entities + relationships)

(SrrZone)──coordinated_by──►(NationalCoordinationCentre)──exchanges──►(EuropeanSituationalPicture)
   │                                  │ single-PoC 24/7 (Art 21, Reg 2019/1896)
   │ contains                          │
   ▼                                  ▼
(SarIncident)──has_datum──►(SarDatum)──drift──►(DriftCone:CopernicusMarine)
   │  distress_class∈{founder,fire,flood,collision,medical,other}      (NO person attributes)
   │ flags                              ▲
   ▼                                    │ tipper
(EnvEvent:OilSheen)──detected_by──►(CleanSeaNetProduct:EMSA)──derived_from──►(Sentinel-1 SAR)
   │ hands_to                           ▲
   ▼                                    │ source
(EmsaEnvTeam)                    (VesselDetection)──status──►{unlit/unknown → possible-SAR}
                                        │  (NEVER linked to a person record)
(SarAsset)──tasked_by──►(MrccCoordination)──posts──►(EurosurSarPost)──gated_by──►(ProportionalityGate)
(ProvenanceRecord)──attests──►(everything above)        (DecisionRoom 2/2 dual-control)

The ontology is deliberately person-free. There is no Person node, no biometric attribute, no risk-score field anywhere in the safe slice. The entities are zones, incidents, environmental events, detections-as-objects, assets, and provenance.

§5 — Data model (synergy.* tables; RLS + a load-bearing CHECK)

The load-bearing safety property is decline-safety enforced in the database: a maritime-safety incident may carry only safety/SAR/environmental fields, must be human-gated before any EUROSUR write-back, and structurally cannot carry biometric or person-risk data — enforced by a DB CHECK, not application logic.


SQL
51 lines
-- EUROSUR-compatible national-situational-picture incident (decline-safe slice ONLY).
CREATE TABLE synergy.eurosur_sar_incident (
    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id          uuid NOT NULL,                       -- RLS: app.current_org_id (the NCC tenant)
    incident_ref    text NOT NULL,                       -- 'SAR-EUSUR-2026-1042'
    srr_zone        text NOT NULL,                       -- Member-State Search-and-Rescue Region
    position        geography(POINT, 4326) NOT NULL,     -- 35.6833N 13.3667E
    distress_class  text NOT NULL
                    CHECK (distress_class IN ('founder','fire','flood','collision','medical','other')),
    souls_reported  int,                                 -- COUNT only, may be NULL/unknown (fail-safe)
    env_flag        boolean NOT NULL DEFAULT false,      -- CleanSeaNet sheen present?
    obs_level       text NOT NULL DEFAULT 'reported'
                    CHECK (obs_level IN ('asserted','reported','inferred','direct','confirmed')),
    -- DECLINE-SAFE STAMP: this row is for safety/SAR/env only and carries no person data.
    contains_person_data   boolean NOT NULL DEFAULT false,
    contains_biometric     boolean NOT NULL DEFAULT false,
    contains_risk_score    boolean NOT NULL DEFAULT false,
    human_gated     boolean NOT NULL DEFAULT false,      -- false => may not write back to EUROSUR
    eurosur_posted_at timestamptz,
    opened_at       timestamptz NOT NULL DEFAULT now(),
    closed_at       timestamptz,
    prov_o          jsonb NOT NULL,                      -- DscAisIngest / CleanSeaNet attribution
    -- LOAD-BEARING INVARIANT: a EUROSUR post is impossible unless it is decline-safe AND human-gated.
    CHECK (
        eurosur_posted_at IS NULL
        OR (human_gated = true
            AND contains_person_data = false
            AND contains_biometric   = false
            AND contains_risk_score  = false)
    )
);
ALTER TABLE synergy.eurosur_sar_incident ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.eurosur_sar_incident
    USING (org_id = current_setting('app.current_org_id')::uuid);

-- Environmental detection (CleanSeaNet sheen) handed to the EMSA env team — no person fields exist here.
CREATE TABLE synergy.env_detection (
    id              uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    org_id          uuid NOT NULL,                       -- RLS: app.current_org_id
    incident_id     uuid REFERENCES synergy.eurosur_sar_incident(id),
    sheen_geom      geography(POLYGON, 4326) NOT NULL,   -- possible-spill footprint
    area_km2        numeric(8,2) NOT NULL,
    source_product  text NOT NULL DEFAULT 'EMSA-CleanSeaNet',
    sentinel_pass   timestamptz,                         -- S1 acquisition time
    handed_to_emsa  boolean NOT NULL DEFAULT false,
    prov_o          jsonb NOT NULL,
    CHECK (area_km2 >= 0)
);
ALTER TABLE synergy.env_detection ENABLE ROW LEVEL SECURITY;
CREATE POLICY org_isolation ON synergy.env_detection
    USING (org_id = current_setting('app.current_org_id')::uuid);

The CHECK on eurosur_sar_incident is the heart of the package: the database itself refuses to record a EUROSUR post for any incident that is not human-gated and decline-safe. Restraint is an invariant, not a setting.

§6 — Action-loop pseudocode (detect → enrich → triage → gate → task → execute → BDA → close)


Python
46 lines
def coordinate_eurosur_safe_slice(incident_ref, ncc_org):
    # 1. DETECT — DSC distress and/or a CleanSeaNet sheen enters the national situational picture.
    inc = ingest_distress(incident_ref)            # DSC-070 relay + AIS; person-free by construction
    assert inc.contains_person_data is False        # decline-safe gate at ingest

    # 2. ENRICH — fuse EU-sovereign sources ONLY (Fusion Services we sit above).
    drift  = copernicus_marine_leeway(inc.position)            # CMEMS drift cone (advisory, no gate)
    sheen  = cleanseanet_query(inc.position, radius_km=10)     # EMSA env product (Sentinel-1 SAR)
    detx   = sentinel1_vessel_detect(inc.position)             # objects-at-sea -> 'unlit/unknown'
    detx   = [d.as_object_track() for d in detx]               # NEVER resolved to a person

    # 3. TRIAGE — life-safety first; environmental second; no person-risk anywhere.
    sar_datum = set_sar_datum(inc, drift)                       # human-set datum (operator action)
    env       = flag_environment(sheen) if sheen else None     # -> EMSA env team

    # 4. GATE — proportionality + Decision Room, 2/2 dual-control; civil-society reviewer seated.
    P = proportionality(necessity="HIGH",                       # life-safety
                        proport=0.91,
                        least_intrusive="safety_min")           # N x P x L
    gate = decision_room(
        proposal = EurosurSarPost(inc, sar_datum, env, detx),
        personas = [OP_COORDINATION, PROPORTIONALITY,
                    CIVIL_SOCIETY('Foxglove/FRO'), DEVILS_ADVOCATE, COASTGUARD_SAR_EXPERT],
        threshold = P_MIN_TIER2,
        hard_exclusions = ["biometric", "person_risk_score", "migrant_profiling"])
    if not gate.passed:
        return Disposition.REFUSED(gate.rationale)              # logged refusal is a valid outcome

    # 5. TASK + 6. EXECUTE — write back ONLY to safety/SAR/env targets, each provenance-stamped.
    inc.human_gated = True
    write_back("eurosur.sar_post", ncc_org, EurosurSarPost(inc, sar_datum))     # Art 21/24 NCC post
    write_back("mrcc.cad",         ncc_org, SarTasking(asset="nearest", datum=sar_datum))
    if env:
        write_back("emsa.cleanseanet_team", ncc_org, EnvAlert(env))             # environmental hand-off
    # person.tracker / biometric.match are NOT registered targets — they do not exist in this build.

    audit.append(inc.id, boundary_state="life-safety", merkle=True)
    return Disposition.EXECUTED

def assess_and_close(inc):
    # 7. BDA — outcome assessment: persons-in-water accounted, sheen contained/handed off.
    bda = capture_bda(inc)                                       # safety outcomes only
    register_prospective(inc, trigger="srr_seasonal_distress_pattern")  # planning input, NOT a trigger
    inc.closed_at = now()
    # 8. CLOSE — ledger sealed; nothing about any individual is retained.
    return bda

§7 — nexus-workflows YAML DAG (same loop; a blocking human-gate node)


YAML
43 lines
# nexus-workflows job — EUROSUR decline-safe SAR/env coordination. NO cron; event-triggered.
name: eurosur-safe-sar-coordination
trigger:
  event: dsc_distress_or_cleanseanet_sheen        # NCC national situational picture
concurrency: { key: "{{ incident_ref }}", limit: 1 }
nodes:
  - id: ingest
    uses: synergy.detect.distress_ingest
    out: [incident]
    assert: "incident.contains_person_data == false"   # decline-safe at the door
  - id: enrich
    uses: synergy.enrich.fusion
    needs: [ingest]
    with: { copernicus_marine: true, cleanseanet: true, sentinel1_vessel_detect: as_objects }
    out: [drift, sheen, detections]
  - id: triage
    uses: synergy.triage.sar_env
    needs: [enrich]
    out: [sar_datum, env_flag]
  - id: human_gate                                  # ── BLOCKING ──
    type: human_gate
    blocking: true
    needs: [triage]
    require:
      personas: [op_coordination, proportionality, civil_society, devils_advocate, sar_expert]
      dual_control: 2                               # 2/2 sign-off
      proportionality_min: 0.80
      hard_exclusions: [biometric, person_risk_score, migrant_profiling]
    on_timeout: { after: 30m, action: escalate_mrcc_duty_officer }
    out: [gate_decision]
  - id: write_back
    uses: synergy.act.write_back
    needs: [human_gate]
    when: "gate_decision.passed == true"
    targets:
      - { adapter: eurosur.sar_post, lawful_basis: "Reg 2019/1896 Art 21/24; Reg 656/2014" }
      - { adapter: mrcc.cad,         lawful_basis: "national SAR framework / IAMSAR" }
      - { adapter: emsa.cleanseanet_team, when: "env_flag == true" }
    # person.tracker / biometric.match adapters are absent by design.
  - id: bda_close
    uses: synergy.assess.bda
    needs: [write_back]
    out: [bda, prospective_item]

§8 — UI/UX mockups (verbatim generated ASCII)

Figure E07.1 — map_ops (PRIMARY). ShellLayout + ClassificationBanner (EU-RESTRICTED · TLP:AMBER · decline-safe) + TopBar with PccPill (Reg 2019/1896) + RendererChip (MapLibre-2D) + LeftSidebar LAYERS with BIOMETRIC/PERSON-SCORE explicitly OFF + MapConsole (Central-Med SRR) + Inspector + BottomStatusBar. The same archetype is rendered as the bespoke SVG at _build/figures/frontex-eurosur-mda-sar/uc-map_ops.svg.

Figure — Operational picture (map_ops · live MapLibre). Production-fidelity React surface (buildable); the faithful ASCII follows.

+------------------------------------------------------------------------------------------------------+
| EUROSUR NCC maritime-safety/SAR/env COP - decline-safe slice (MapConsole + MapLibre-2D)              |
+--------------------+---------------------------------------------------------------------------------+
| LAYERS             | MAP  ========================================================================== |
| [x] SAR region SRR |   Central Mediterranean  -  Member-State SRR  (decline-safe COP slice)          |
| [x] Distress / DSC |   ~~~~ Met: SW 5-6, seas 2.5m, vis 6km  |  Copernicus Marine leeway drift ~~~~  |
| [x] CleanSeaNet env|                                                                                 |
| [x] Drift cone CMEM|    [DSC-DISTRESS] 35 41N 013 22E  -  small craft, persons-in-water reported     |
| [x] AIS / Sentinel1|       o---->  drift cone 1.4kt @ 050T   (CMEMS leeway)   SAR datum @ t0         |
| [x] SAR assets     |    .------------------.  CleanSeaNet sheen S1-radar @ 35 39N 013 19E            |
| [ ] Fishing effort |    |  SEARCH AREA A   |  3.1 km2 possible-spill (env) -> EMSA polluter check    |
| [x] Met / sea-state|    |   * * * track    |  MRCC <SRR> coordinating  |  patrol-vessel inbound      |
| [ ] BIOMETRIC  OFF |    '------------------'  Fusion vessel-detection: 2 unlit returns (S1 SAR)      |
| [ ] PERSON-SCORE - |    [AREA B] inshore     merchant 'CMA-relay' diverting to assist (SOLAS)        |
|                    |                         Sentinel-1 pass t+38min  |  next CleanSeaNet image      |
| DECLINE-SAFE MODE  |   SAFETY PICTURE: persons-in-water reported | SAR datum set | env sheen flag    |
| safety+SAR+env     |                                                                                 |
| no profiling       |   TASKING CANDIDATE: post EUROSUR SAR-incident + alert MRCC + EMSA env-team     |
|                    |   Proportionality P=0.91 (life-safety) | NCC duty-officer 2/2 sign-off REQ      |
| SOURCES (EU-sov)   |   [ Open Decision Room ]  [ Re-compute drift ]  [ No-biometric: enforced ]      |
| EMSA CleanSeaNet   |                                                                                 |
| Copernicus Marine  |                                                                                 |
| EMODnet bathy      |                                                                                 |
+--------------------+---------------------------------------------------------------------------------+
| INCIDENTS: 09:14 DSC distress | 09:18 SAR datum set | CleanSeaNet flagged | EUROSUR post pending 2/2 |
+------------------------------------------------------------------------------------------------------+

Figure E07.2 — ledger (SECONDARY). The EUROSUR national-situational-picture event ledger — every detection, advisory, and human decision is an append-only, merkle-chained row; the audit drawer binds the EUROSUR post to the proportionality score + 2/2 dual-control. Components: Inspector / HistoryRail-style audit drawer + ClassificationBanner.

Figure — Provenance ledger (Merkle/PROV-O). Production-fidelity React surface (buildable); the faithful ASCII follows.

+--------------------------------------------------------------------------------------------------+
| EUROSUR national sit-picture event ledger (Inspector)   filter: [life-safety][decline-safe][24h] |
+-----------+------------------+------------------+---------------------+--------------------------+
| time(UTC) | event-type       | source           | decision            | merkle/audit             |
+-----------+------------------+------------------+---------------------+--------------------------+
| 09:14:02  | DSC-distress in  | DscAisIngest     | auto-open SAR-inc   | 9c41..safety-only        |
| 09:16:40  | drift-cone calc  | CopernicusMar    | advisory (no-gate)  | a7e0..CMEMS-leeway       |
| 09:18:05  | SAR datum set    | NCC duty-off     | human-set datum     | bb12..2of2-pending       |
| 09:22:31  | sheen detected   | EMSA CleanSeaN   | env-flag -> EMSA    | 4f9a..S1-radar-pol       |
| 09:27:10  | vessel-detect x2 | Sentinel-1 SAR   | show-as-unlit (SAR) | dd07..no-biometric       |
| 09:31:48  | EUROSUR post     | DecisionRoom     | GATE 2/2 PASS       | e5b3..transcript-hx      |
+-----------+------------------+------------------+---------------------+--------------------------+
| DETAIL e5b3..  EUROSUR SAR-incident post  N=HIGH P=0.91 L=safety-min  2/2 dual-control  7y chain |
+--------------------------------------------------------------------------------------------------+

§8b — Field-unit (Pixel) surfaces

The same scenario on the Pixel 10 Pro Fold field unit (Nexus Field app), tightly coordinated with the dashboard COP above — command pushes the task, the unit accepts + ACKs, shares position and reports back to the COP. Built on the same synergy.field_unit / field_task / field_report contract; see §9 and the cluster coordination composite.

Figure §8b.1 — Folded cover · tasking glance (ground_glance): the incoming IMMEDIATE task, ACCEPT + ACK, alert chips, bearing-to-objective.

Figure §8b.2 — Unfolded inner display · field COP: two-pane mini-map + task list + teammate roster + air/command coordination + PTT, with the Material-3 NavigationBar + Report FAB.

§9 — UI/UX flow (literal click-path)

Figure §9.0 — Dashboard ↔ field-unit coordination loop (cluster E): the command COP, the Pixel field unit, and the wire between them annotated with the real synergy-server endpoints — LIVE (/api/v1/cop/picture, /viewport/state) vs PENDING-for-demo (/api/v1/field/{tasks,reports}).

Click-path (the actual buttons on the map_ops surface): MapConsole distress pin → LeftSidebar toggle CleanSeaNet env ON (sheen overlays) → [ Re-compute drift ] (Copernicus cone re-draws) → operator drops SAR datum (one click on the map) → [ Open Decision Room ] → personas deliberate → [ /dual-control sign ] (2/2) → [ /execute ] posts to EUROSUR + MRCC + EMSA → row appears in the ledger (Figure E07.2) → operator opens the audit drawer to confirm the merkle envelope. The [ No-biometric: enforced ] chip is inert by design — it states a structural fact, it is not a toggle.

[Distress pin]→[CleanSeaNet ON]→[Re-compute drift]→[Set SAR datum]
        │
        ▼
[Open Decision Room]→[5-persona deliberation]→[/dual-control sign 2/2]
        │                                            │ (refuse → logged, no write-back)
        ▼                                            ▼
[/execute → EUROSUR + MRCC + EMSA]──────────►[ledger row + audit drawer]──►[BDA + close]

§10 — Decision-Room transcript (the gated decision)

Context. SAR-EUSUR-2026-1042 — small craft in distress, persons-in-water reported, a CleanSeaNet sheen 3.1 km² nearby. Proposal: post a EUROSUR SAR-incident, alert the MRCC, hand the sheen to EMSA. The deliberation is the safety + decline-safety check.

[Op-coordination · L3]   Recommend: EUROSUR SAR-post + MRCC tasking on the human-set datum;
                         drift cone 1.4kt @050T; 2 unlit Sentinel-1 returns shown as objects.
[Proportionality · L3]   N=HIGH (life-safety). P=0.91. L=safety-min. Pass — BUT scope-lock the
                         write-back to safety/SAR/env fields only. No person attributes leave this room.
[Civil-society (Foxglove/FRO) · L2]   DISSENT: who guarantees the 'unlit returns' never get matched
                         to a person downstream? I will not sign unless the schema *forbids* it, not
                         just the policy. Also: confirm no migrant-profiling adapter exists in this build.
[SAR expert · L2]        Concur on life-safety urgency; the merchant 'CMA-relay' is closest under SOLAS;
                         recommend MRCC retasks it for on-scene relay while the patrol vessel closes.
[Devil's advocate · L2]  Is the EUROSUR post even *needed* now, or does it just create a record that
                         outlives its purpose? Counter-question to keep us honest about retention.
[Op-coordination · L3]   Rebut DA: the post is the life-safety coordination channel (Reg 656/2014);
                         retention is governed by the safety-only ledger, 7y chain, zero person data.
[Article/Decline reviewer] RESOLUTION (folds Foxglove dissent): write-back is hard-scoped to
                         eurosur.sar_post + mrcc.cad + emsa.cleanseanet; person.tracker / biometric.match
                         adapters are ABSENT (build-time, not config); CHECK constraint enforces it.
                         Unlit returns persist as object-tracks only, never resolved to identity.
------------------------------------------------------------------------------------------------
GATE VERDICT: ACCEPT (N x P x L PASS) under 2-of-2 dual-control: NCC duty-officer + MRCC watch.
              Foxglove dissent RESOLVED by schema-level exclusion (logged in the transcript hash).

§11 — Write-back + BDA + PROV-O + deltas-only regulatory traceback

Write-back targets (safety/SAR/env ONLY; each provenance-stamped):

eurosur.sar_post — EUROSUR SAR-incident post; lawful basis Reg (EU) 2019/1896 Art 21/24 (NCC / situational picture) + Reg (EU) 656/2014 (maritime-border SAR).
mrcc.cad — SAR tasking to the Maritime Rescue Coordination Centre; lawful basis national SAR framework / IAMSAR.
emsa.cleanseanet_team — environmental hand-off; lawful basis EMSA environmental-response MoU.

person.tracker, biometric.match, risk.score are not registered adapters — they do not exist in this build.

WriteBackBubble → eurosur.sar_post   EUROSUR SAR-incident (decline-safe)
  incident_ref   : SAR-EUSUR-2026-1042
  srr_zone       : Member-State SRR (Central Med)
  contents       : position + SAR datum + drift cone + env-flag  (NO person data)
  proportionality: N=HIGH · P=0.91 · L=safety-min · gate=PASS (2/2)
  lawful_basis   : Reg 2019/1896 Art 21/24 · Reg 656/2014
  audit_envelope : transcript-hash + NCC-duty-sig + MRCC-watch-sig
  [submit · audit-envelope]

BDA (loop close): persons-in-water accounted via MRCC on-scene coordination; sheen handed to EMSA and contained; incident closed; no individual-level data retained — the ledger holds safety events only. A ProspectiveItem (srr_seasonal_distress_pattern) is registered as a planning input, explicitly NOT a live trigger.

PROV-O attribution chain (W3C, Turtle-style):

:DscDistress         prov:wasGeneratedBy  :DscAisIngest .
:DscAisIngest        prov:used            :AisFeed , :Dsc070Channel .
:DriftCone           prov:wasGeneratedBy  :CopernicusMarineConsume .
:SheenDetection      prov:wasGeneratedBy  :CleanSeaNetIngest .
:CleanSeaNetIngest   prov:used            :Sentinel1SAR , :EmsaCleanSeaNet .
:VesselDetections    prov:wasGeneratedBy  :Sentinel1VesselDetect .   # objects-at-sea only
:EurosurSarPost      prov:wasGeneratedBy  :DecisionRoomCompose .
:ProportionalityGate prov:wasGeneratedBy  :ProportionalityPersona .  # N×P×L PASS
:DeclineSafeScope    prov:wasGeneratedBy  :DeclineReviewerPersona .  # Foxglove dissent resolved
:EurosurSarPost      prov:wasInformedBy   :DeclineSafeScope .        # schema-level exclusion

Deltas-only regulatory traceback (only what differs from §4.0 defaults):

AI Act — the prohibited practices (Art 5: real-time biometric ID, social scoring) are excluded by construction; the high-risk migration/border use cases (Annex III) are out of scope — we operate only the SAR/environmental slice, which is not the high-risk border-control function. (NB: EU AI Act Art 5 prohibitions are applicable from 2 February 2025 — [verified].) A FRIA is produced for the SAR coordination decision.
GDPR — the safe slice processes no personal data by design (contains_person_data = false enforced); if any incidental personal data appeared, the build would refuse the EUROSUR post (the load-bearing CHECK).
Dual-use export (Reg (EU) 2021/821) — vessel/comms monitoring can classify as controlled cyber-surveillance; export classification per integrated config ⚖️ CONFIRM.

§12 — Buyer & stakeholders

FRONTEX (Agency) — owns EUROSUR, the European situational picture, and Fusion Services; 2025 budget ≈ EUR 1.12bn [verified]. [Named contact: TBD] — we will not cold-approach Agency HQ; the realistic surface is a Member-State NCC.
Member-State National Coordination Centre (NCC) — the realistic, decline-safe buyer; operates the national situational picture 24/7 (Reg 2019/1896). The specific Member State and named contact are [TBD — to be selected only after a delivered decline-safe reference].
EMSA — environmental + CleanSeaNet partner; a complementary stakeholder (we hand off to EMSA), not a competitor. (See sibling emsa-cise-node, e02.)
GMV (incumbent) — EUROSUR-network prime; a partner-or-co-exist relationship, not a displacement target.
Fundamental Rights Officer (FRO) / civil society — seated inside the Decision Room (the Foxglove/FRO persona); a stakeholder we design for, given the OLAF history.

§13 — Competition / incumbency + comparator (cited)

Dimension	Incumbent reality	Nexus Synergy (safe slice)
EUROSUR network	GMV prime contractor [verified — gmv.com]	sit above as a decision layer; integrate, don't replace
Environmental + vessel detect	EMSA CleanSeaNet (since 2007) [verified]	consume CleanSeaNet as a tipper; hand off to EMSA
Satellite imagery	SatCen + Copernicus [verified]	consume; no imagery business of our own
Decision / proportionality / audit spine	white space — Fusion Services are detection/forecast services, not a human-gated, provenance-stamped decision layer [verified — Fusion Services catalogue]	the wedge: gate + provenance + EU-sovereign routing + Decision Room
Accountability story	the agency's documented gap (OLAF 2022; Ombudsman SAR criticism) [verified]	restraint-by-construction directly answers it

Comparator (Palantir-class): Palantir Gotham/MetaConstellation could provide a fusion layer, but (a) it is not EU-sovereign at the model-call boundary, and (b) it carries no published Declined List / no structural biometric exclusion — the opposite of what a decline-policed buyer needs to demonstrate. Our differentiation here is restraint as an auditable feature, not raw capability.

§14 — Readiness (honest, pre-pilot)

Reuse (real): the maritime/SAR pillars are the most-developed in the corpus — the W-14 Coast Guard MCI SAR case already models eurosur.alert as a write-back target, a 5-persona Decision Room with a civil-society reviewer, drift-cone fusion (Copernicus + ROMS), and a PROV-O chain. The map_ops + ledger surfaces exist in the gallery. The AI Provider Router (sovereign model-call refusal) and the proportionality gate are core platform components.

Real gaps (honest):

No delivered reference. This row is gated — we must land an Irish/EU decline-safe SAR/civil-protection pilot first.
No EUROSUR / Fusion-Services adapter built. The eurosur.sar_post and emsa.cleanseanet_team adapters are designed, not implemented.
No security accreditation for an EU-agency / NCC environment.
The legal vehicle is unresolved (Stamp-1G — see §20).
Confidence is "unverified" per the spec: we have a verified mandate, budget, incumbent, and procurement route, but no named buyer contact and no warm path.

§15 — ENGAGEMENT PLAYBOOK

This row is LATER-EU. The playbook below is the sequenced motion once the gate (a delivered decline-safe reference) is cleared — it is not a "go now" plan.

Stage	Trigger	Owner	Activity / template-or-script	Exit criterion	Deliverable
0. Gate	A delivered Irish/EU decline-safe SAR reference exists	Founder	Do not approach FRONTEX/NCC until this is true	Reference live + a named civil-society sign-off	Reference one-pager
1. First-contact	Gate cleared + EU presidency / EUROSUR window	Founder + EU sponsor	Warm intro only (via EMSA/CISE ecosystem or MAHI EU network) — never cold to Agency HQ. Adapt outreach-draft #3, leading with "decline-safe SAR/environmental slice, structural no-biometric exclusion, EU-sovereign"	A named NCC/EMSA contact agrees to a discovery call	Intro email sent
2. Free discovery	Contact accepts	Founder	Run the 60-min discovery agenda (below), scoped hard to SAR + environmental; pre-screen Declined List; confirm no person/biometric data in scope	Sponsor names a SAR/env pain + confirms safe slice	Discovery write-up + Declined-List PASS
3. Scoped demo	Discovery PASS	Founder	Replay the SAR/env loop on representative (not real) Med/Atlantic data: CleanSeaNet sheen + drift + DSC distress → gate → EUROSUR post. Lead with the CHECK constraint + the civil-society persona	Sponsor asks "could we try this on a narrow real slice?"	Demo + 1-page pilot proposal
4. Pilot	Demo PASS	Founder + partner vehicle	Time-boxed (8–12 wk), grant-funded (EUDIS/EDF civil-security or Member-State line). Prove one falsifiable thing (fusion-to-EUROSUR-post latency X→Y)	Success criteria met or credibly trending	Pilot result memo
5. LOI	Pilot criteria met	Partner vehicle	LOI checklist (below); Declined-List affirmation clause is mandatory here	Signed non-binding LOI naming an NCC sponsor	Signed LOI
6. Contract	LOI + funded line	Partner-vehicle prime	TED / EU Funding & Tenders Portal procedure (or sub-component to a GMV/EMSA prime)	Award	Signed contract

60-min discovery agenda (adapted for this buyer): 0:00 frame + permission (state the decline-safe scope first); 0:05 the current SAR/env operating picture (how many tools to fuse one picture?); 0:20 lawful basis + AI-Act/decline-safety (confirm no person/biometric data in scope — if there is, we decline); 0:35 stakeholders/budget/timing (which EU funding vehicle carries a pilot?); 0:45 map their SAR loop onto our 8 stages, find the gate/provenance gap; 0:55 close — earn the demo, no ask for money/LOI.

1-page pilot proposal (filled for this buyer): Title — "EUROSUR-compatible decline-safe SAR/environmental decision-layer pilot". Sponsor — [NCC TBD] + [budget owner TBD]. Problem — "Fusing vessel-detection + CleanSeaNet + drift + distress into one coordinated SAR/environmental action is manual and slow, and every action must be auditable." The one thing we prove — "Reduce fusion-to-EUROSUR-SAR-post time from X to Y on representative data, with a human-gated, provenance-stamped, no-biometric decision." Scope IN — SAR + environmental slice, 5 sources, gate→post. Scope OUT (explicit) — all border/migration risk-analysis, all person/biometric/risk-scoring (Declined List). Data — representative/synthetic, EU-RESTRICTED, EU-hosted. Success criteria — latency + 100% human-gated + 0 person-data leakage (DB-enforced). Timeline — 8–12 wk, mid-point checkpoint. Commercials — EUR 0 to the institution if grant-funded; production band Tier-1 EUR 120–240k → Tier-3 EUR 2.4–4.8m. Funding vehicle — EUDIS/EDF civil-security or a Member-State NCC line. After — LOI if criteria met.

LOI checklist (deltas for this buyer): all standard items + a mandatory Declined-List affirmation (no biometric / no migrant-profiling / no person-risk-scoring) + governing law Irish (or EU-agency framework) + solicitor review ⚖️.

Warm-intro email (adapt outreach-draft #3, decline-safe lead): "[Name] — [warm-intro context, via EMSA/CISE or MAHI EU network]. We build an EU-sovereign, human-gated decision layer for the maritime-safety, SAR and environmental slice of EUROSUR — explicitly not border-risk analysis, and with a structural no-biometric exclusion enforced in the database. We have a delivered decline-safe SAR reference. Could I show 20 minutes of how a CleanSeaNet sheen + a distress alert close into one auditable, proportionality-scored SAR action? — [Founder]"

§16 — PM / timeline

                         M1   M2   M3   M4   M5   M6   M7   M8   M9  M10  M11  M12 .. M18
GATE: deliver ref      |####|####|####|####|####|####|    |    |    |    |    |    |    |   <- CRITICAL
1 first-contact (warm) |    |    |    |    |    |    |##  |    |    |    |    |    |    |
2 free discovery       |    |    |    |    |    |    |  ##|    |    |    |    |    |    |
3 scoped demo          |    |    |    |    |    |    |    |### |    |    |    |    |    |
*Stamp-1G/vehicle gate*|    |    |    |    |    |####|####|####|####|####|####|####|    |   <- CRITICAL (paid)
4 pilot (grant-funded) |    |    |    |    |    |    |    |    |####|####|####|    |    |
5 LOI                  |    |    |    |    |    |    |    |    |    |    |    |##  |    |
6 contract (TED)       |    |    |    |    |    |    |    |    |    |    |    |    |....->  (18mo+)

Milestones: M6 decline-safe reference delivered (gate); M7 first warm contact; M8 scoped demo; M11 pilot complete; M12 LOI; ~M18+ contract via TED. Critical path: the delivered reference (a hard prerequisite — nothing starts without it) and the Stamp-1G / partner-vehicle gate (no paid pilot signable until resolved). These two run in parallel and both must clear before any paid step.

RACI:

Activity	Founder	Warm-intro sponsor (EMSA/CISE or MAHI EU)	Partner vehicle	NCC champion	NCC/EU procurement
Deliver decline-safe reference	R/A	C	C	I	I
Warm intro to NCC/EMSA	C	R/A	I	I	I
Free discovery + demo	R/A	C	I	C	I
Pilot delivery	R	I	A	C	I
LOI	C	I	R/A	R	C
Contract / TED procedure	I	I	R/A	C	R

§17 — Funding / procurement vehicle

Pilot (non-dilutive, preferred): EUDIS / EDF civil-security maritime calls (consortium-only — generally a minimum of three Member States / associated countries, though disruptive-technologies calls require only two; most EDF 2026 calls close 29 Sep 2026 [verified — EC EDF 2026 work programme]) — an all-EU Belgian(MAHI)+Irish team fits; OR a Member-State NCC operating line.
Production procurement: the EU Funding & Tenders Portal / TED open or restricted procedure [verified — frontex.europa.eu/procurement]; Frontex 2025 annual procurement envelope ≈ EUR 107.745m [verified]. Realistically, an early entry is a sub-component to a GMV/EMSA prime, not a head-to-head Frontex prime award.
Excluded: NATO DIANA (Ireland is non-NATO — ineligible) [verified]; do not assume any NATO route.

§18 — TWO-STAGE FORMULA SCORECARD

Every factor is [PRIOR] with a dated rationale (2026-06-05). This is the volume floor by design: high strategic value, low near-term probability, decline-policed, gated.

Stage-1 {mandate_pull, access_warmth, demonstrability, decline_safety, white_space, cycle_speed, pillar_fit}; weights {.22,.22,.18,.14,.10,.08,.06}:

Factor	Score	Dated rationale (2026-06-05) [PRIOR]
mandate_pull	4	Reg 2019/1896 EUROSUR + mandatory 24/7 NCC + Reg 656/2014 SAR are live legal duties; Fusion Services explicitly cover "vessels requiring SAR" + environmental [verified]. Not 5: no named funded line for our specific slice.
access_warmth	1	Cold; reputational caution; no warm intro, no named contact [spec: confidence "unverified"].
demonstrability	4	Reuses storm-replay/W-14 SAR pillars (eurosur.alert already a write-back target); demoable on representative Med data.
decline_safety	3	The slice is decline-safe, but the institution is decline-policed (OLAF 2022; Ombudsman SAR criticism) [verified] — capped at 3 with hard schema-level exclusion + gate-behind-reference.
white_space	2	GMV (network) + EMSA (CleanSeaNet) entrenched; we sit above as a thin decision layer [verified].
cycle_speed	1	Multi-year TED/OJEU; 18-mo resolve; no sub-threshold route.
pillar_fit	4	Maritime COP core, but the safe slice is narrower than the full action loop.

S1 = .22·4 + .22·1 + .18·4 + .14·3 + .10·2 + .08·1 + .06·4 = 2.76. P_LOI = 0.55 / (1 + exp(−1.15·(2.76 − 2.6))) ≈ 0.30 (band ≈ 26–34%). Score100 = S1 · 20 = 55.2.

Stage-2 {contractability, funding_to_pay, procurement_clarity, incumbency_displacement, time_to_value, reference_leverage}; weights {.24,.22,.18,.16,.12,.08}:

Factor	Score	Dated rationale (2026-06-05) [PRIOR]
contractability	1	Solo founder on Stamp-1G; MAHI is a maritime edge partner, not an EU-agency contracting prime for Frontex.
funding_to_pay	3	Real money exists (Frontex EUR 1.12bn 2025; EUR 107.745m procurement envelope; EUR 47.6m Copernicus 2015–20) [verified] — but no named line for our slice.
procurement_clarity	2	TED / F&T Portal is a clear but slow open route; not sub-OJEU; not on a framework [verified].
incumbency_displacement	2	We sit above GMV/EMSA (integrate, don't rip-replace), but the slot is crowded.
time_to_value	1	18-mo resolve outruns any near-term window; no deadline we uniquely satisfy.
reference_leverage	1	First-ever EU-agency logo, no proof point; and spec gates this behind a delivered reference.

S2 = .24·1 + .22·3 + .18·2 + .16·2 + .12·1 + .08·1 = 1.78. P_raw = 0.70 / (1 + exp(−1.1·(1.78 − 2.8))) ≈ 0.172.

Legal gate G = V·T. T = (30 − 18)/30 = 0.40.

V = 0.10 today: G = 0.040 → P(Contract) = P_LOI·G·P_raw = 0.30·0.040·0.172 ≈ 0.2%.
V = 0.45 (brokered vehicle): G = 0.18 → ≈ 0.9%.
V = 0.75 (MAHI/partner prime confirmed): G = 0.30 → ≈ 1.5%.
V = 1.00 (Stamp-4 + incorporated; T still 0.40 at 18-mo resolve): G = 0.40 → ≈ 2.1%.

Reconciliation to board_anchor. The spec sets score100: "[PRIOR-derive]", value: high. Derived Score100 = 55.2 (P_LOI band ≈ 26–34%). This is the lowest score in volume E (siblings land 63.6–76) — correct and intended: e07 is the only decline-policed, LATER-EU, no-warm-intro, gated-behind-a-reference row. The value band stays "high" because the strategic payoff of an EUROSUR/NCC reference is large; the probability is deliberately low. Value band: high (strategic) / low (near-term probability). ✓

§19 — Commercial

Tier	Scope	Indicative ACV	Terms / requirements
Tier 1	Single NCC, SAR+env slice, representative data	EUR 120–240k/yr	grant-funded pilot first (EUR 0 to institution); EU-hosted; DPA; Declined-List affirmation
Tier 2	NCC production + EMSA env hand-off + EUROSUR adapter	EUR 0.5–1.2m/yr	security accreditation; partner-vehicle prime; framework or sub-prime to GMV/EMSA
Tier 3	Multi-NCC / sea-basin decline-safe decision layer	EUR 2.4–4.8m/yr	TED award or major-prime sub-component; multi-year

Cost advantage from the open-source substrate + sovereign HPC + shared conformity file + no forward-deployed-engineer dependency. All figures indicative; no commercial conversation has occurred — pre-revenue.

§20 — Legal blockers

X1 Stamp-1G (CRITICAL): the solo founder cannot be a director/shareholder, self-employed, or sign a paid contract until Stamp 4 — so no paid pilot is signable without a partner/co-founder/Dogpatch-brokered vehicle (or MAHI as prime). ⚖️ CONFIRM (immigration solicitor). This is the dominant gate (V=0.10 today).
Decline-policed buyer (buyer-specific, load-bearing): FRONTEX carries documented fundamental-rights findings (OLAF 2022; Ombudsman SAR criticism; ED resignation) [verified]. Mitigation: safe slice only; structural no-biometric / no-migrant-profiling / no-person-risk-scoring exclusion enforced in schema + router + UI; gate behind a delivered decline-safe reference; Declined-List affirmation in every LOI; if scope drifts, decline on the record.
X2 EU AI Act: Art-5 prohibitions (real-time biometric ID, social scoring) applicable from 2 February 2025 [verified] — excluded by construction; the high-risk border/migration Annex-III functions are out of scope (we run only the SAR/environmental slice). FRIA for the SAR coordination decision. Per-use-case ⚖️ CONFIRM.
X3 GDPR: safe slice processes no personal data by design (DB-enforced). EU-hosted; DPA per buyer.
X4 Dual-use export (Reg (EU) 2021/821): vessel/comms monitoring may classify as controlled cyber-surveillance. ⚖️ CONFIRM (export counsel).
X5 Defence/security procurement (Dir. 2009/81/EC + Art-346 TFEU): an NCC/Agency may run exempt/negotiated procedures — could help or exclude. ⚖️ CONFIRM.
X6 NATO DIANA: Ireland non-NATO → ineligible [verified]; use EU vehicles only.
X7 Pre-incorporation: founder personally liable until NewCo formed; sign MoUs in own name under Companies Act 2014 s.45. ⚖️ CONFIRM.

§21 — Warm-intro contact + the SPECIFIC ask

Realistic path (not Agency HQ): approach a Member-State NCC or EMSA via the EMSA/CISE ecosystem (see sibling emsa-cise-node, e02) or the MAHI EU network (Pieter-Jan Note) — only after a delivered decline-safe reference. The contact register lists Frontex/EUROSUR under cold EU-agency procurement channels (TED / Frontex procurement), explicitly as a "Border/maritime COP reference (post-Irish-reference)" [contact-register §E] — i.e. gated, by our own register.
The SPECIFIC ask (when the gate clears): "A 20-minute walkthrough of an EU-sovereign, human-gated decision layer for the SAR + environmental slice of EUROSUR only — with a structural no-biometric exclusion enforced in the database, and a delivered decline-safe SAR reference behind it. Would that be worth your team's time?"
Do NOT: cold-email Frontex HQ; pitch any border-risk / person-screening capability; approach before the reference exists.

§22 — Open questions + consolidated Sources

Open questions (do not assert until resolved):

Which Member-State NCC is the right first surface, and who is the named contact? [TBD]
Is there a funded line for a decline-safe decision layer, or only Agency-central Fusion-Services money? [TBD]
Will GMV/EMSA co-exist with (or sub-contract) a third-party decision layer, or gatekeep? [unverified]
Exact EUROSUR / Fusion-Services API for a sar_post adapter — [TBD].
Does the decline-safe reference we need exist on the timeline this row assumes? [depends on vol-B coast-guard-sar delivery]

Sources (dated 2026-06-05):

Reg (EU) 2019/1896 (European Border and Coast Guard; EUROSUR) — eur-lex.europa.eu [verified]
Frontex — Legal Basis / EUROSUR NCC 24/7 single-PoC — frontex.europa.eu [verified]
EUROSUR (Migration & Home Affairs) — NCC national situational picture — home-affairs.ec.europa.eu [verified]
EUROSUR Fusion Services — vessel detection "requiring SAR" + environmental — coastguard.europa.eu ; coastguard.europa.eu [verified]
Frontex Copernicus programme + EUR 47.6m (2015–2020) — frontex.europa.eu ; digit.site36.net [verified]
GMV — EUROSUR network prime contractor — gmv.com [verified]
EMSA CleanSeaNet (oil-spill + vessel detection since 2007) — emsa.europa.eu [verified]
EMSA Multipurpose Maritime Operation 2025 + POLEX — emsa.europa.eu [verified]
Frontex 2025 Annual Procurement Plan (envelope ≈ EUR 107.745m) — prd.frontex.europa.eu [verified]
Frontex budget EUR 1.12bn (2025) / EUR 143m (2015) — statewatch.org ; en.wikipedia.org [verified]
OLAF 2022 pushback findings; ED resignation; Ombudsman SAR criticism — euronews.com [verified]
Frontex procurement (TED / F&T Portal) — frontex.europa.eu [verified]
EU AI Act Art 5 prohibitions applicable 2 February 2025 — internal legal-blockers-register §X2 [verified]

STANDING BANNER — read first. Nexus Synergy Ltd is pre-incorporation, pre-revenue, pre-pilot; FRONTEX and the Member-State National Coordination Centres are a TARGET, not a customer, pipeline, or deployment. Our ~178-surface UI gallery is a gallery, not traction. Every probability in this document is a [PRIOR] — a subjective pre-pilot estimate for prioritisation, not a forecast.

Anti-cookie-cutter: the §8 mockups are the generated ASCII from _build/archetypes/gen_frontex-eurosur-mda-sar.py (alignment-guarded), filled with this buyer's real entities (EUROSUR NCC, CleanSeaNet, Copernicus Marine, Sentinel-1, GMV). They are this buyer's screens, not a reused template.

DECLINE-POLICED buyer — hard framing. FRONTEX sits under documented fundamental-rights scrutiny (OLAF 2022 pushback findings; the Executive Director's 2022 resignation). We pursue only the decline-safe slice — maritime-safety + Search-and-Rescue (SAR) + environmental (oil-spill) monitoring — with an explicit, structural no-biometric / no-migrant-profiling / no-person-risk-scoring exclusion, and we gate the entire engagement behind a delivered decline-safe reference (an Irish/EU SAR or civil-protection pilot first). If the engagement cannot be held to that slice, we decline, on the record.