WorkspaceDemo
UKEN

Operational status

Alvo readiness for demo, pilot, and production integrations.

This page shows which platform layers are operational, what still requires legal or production review, and which security mode is active now.

Version0.1.0-stage
APIv1
Modedecision-support
Rate limit120/60s

Data runtime

Current market-data path without secrets.

Shows whether the Nest/Postgres/Redis platform path is ready and whether Next may still use live OREE as a migration fallback.

StatusReview
Modegraceful fallback
Postgresneeded
Redisneeded
DB readsdisabled
Ingestiondisabled
Live OREE fallbackenabled

This mode is suitable for demos and migration. For staging/production, disable fallback after the DB-read path is verified.

Production gates

Stable launch control.

Separate from basic health, this shows what is ready for paid pilots, what needs review, and what blocks production access.

0/7not ready
blocked

Protected API

Production API access must run in protected mode with a server-side key and no secret leakage.

Owner: security
blocked

External auth

Paid workspaces need tenant identity, roles, SSO/MFA-ready auth, and access audit.

Owner: security
review

Tenant RBAC

Roles and high-risk permissions must actually guard APIs, exports, and the future submit flow.

Owner: security
review

Data freshness

OREE/UEEX and future sources need freshness checks, blocker handling, and fallback behavior.

Owner: data
review

Durable audit trail

Events must be tenant-aware and usable for evidence, exports, and incident review.

Owner: platform
review

Notifications

Push/alert delivery needs keys, provider, subscription storage, and future role-based limits.

Owner: product
review

Trust layer

Diia/QES/document flows require legal basis, consent, retention policy, and data-minimized UX.

Owner: legal

Security

API key required: no

API key configuredno
Auth providernot selected

PWA notifications

Notification layer for signals, risk updates, and future alerts.

Shows whether browser subscription is only contract-ready or whether production delivery is configured through a provider, VAPID keys, and tenant storage.

StatusReview
Modecontract ready
Providernot selected
Public VAPIDneeded
Private VAPIDneeded
Subscription storeneeded

Next step: add the production private key, choose the delivery provider, and connect tenant-scoped subscription storage.

Security posture

OWASP, SOC 2, HIPAA scope, and auth without overclaiming.

Shows the real control state: what already exists in code, what needs production review, and which auth layer should become the next foundation.

Auth readiness

not selected

Required
no
Configured
no
Mode
public demo
Recommendation
WorkOS
review

OWASP ASVS

The current baseline already has headers, CSP, validation, rate limiting, upstream allowlists, and an audit trail.

Before production, map every ASVS requirement to a test or owner.
planned

SOC 2

Initial technical evidence exists for Security: health, audit, API access control, and repeatable CI checks.

Next we need policies, evidence owners, incidents, vendor review, and change management.
not applicable

HIPAA

Out of scope while Alvo handles energy-market data and does not process PHI/ePHI.

Revisit HIPAA only if a healthcare or PHI workflow appears.
planned

Auth provider

We need a provider-agnostic OIDC/JWT layer with organizations, roles, MFA, SSO, and audit.

For B2B pilots, WorkOS is the first candidate, while domain code stays provider-independent.
planned

RBAC

Roles and permissions are defined as a code contract for tenant, API, trader, risk, and audit work.

Connect RBAC to the auth adapter, tenant id, and policy tests before paid pilots.

Access and roles

Least-privilege model for teams, APIs, and future submit flows.

Roles are fixed before wiring the auth provider, so WorkOS/Clerk/Auth0 provide identity while Alvo owns domain policy.

Modeplanned
Roles6
Permissions14
High-risk4
Role

Owner

Manages tenant, API, roles, settings, and critical approvals.

14 permissions
Role

Trader

Works with market data, plans, AI briefs, BESS, and exports.

8 permissions
Role

Analyst

Prepares data, scenarios, backtests, and explanations without admin actions.

6 permissions
Role

Risk control

Reviews risks, audit evidence, and future high-risk approvals.

5 permissions
Role

API client

Service access to calculations and exports without tenant administration.

6 permissions
Role

Auditor

Read-only access to audit trail, risks, and action evidence.

3 permissions

Connect RBAC to the external auth adapter, tenant id, and audit trail before paid pilots.

Data sources

Integration registry powering the trading decision.

Shows what is already connected, which sources require a token or approval, and what moves into later releases.

market

Market Operator

connected

Official DAM/IDM layer: hourly prices, indexes, and trading results.

Used as the primary trading layer for DAM recommendations and market-day validation.
Freshness: pending monitorLatest data: n/aWindow: 36h
API: /api/oree/prices, /api/oree/indexes, /api/oree/trading-resultsSource
Next step: production approval for format, SLA, and permitted data usage.
benchmark

Ukrainian Energy Exchange

review

Public BCM BASE indexes for a longer-horizon benchmark context.

Helps compare DAM spreads with longer contractual price indicators.
Freshness: pending monitorLatest data: n/aWindow: 45d
API: /api/ueex/electricity-indexesSource
Next step: extend history and add DAM vs BCM deviation alerts.
system

ENTSO-E Transparency Platform

connected

Load, generation, cross-border flows, and system context for price forecasting.

This layer improves forecasting quality and the explanation of price movements.
Freshness: pending monitorLatest data: n/aWindow: 4h
API: connectedSource
Next step: obtain an API token and add time-series quality checks.
system

Ukrenergo

review

System balance, consumption, generation, grid constraints, and outage signals.

Gives AI context for peak hours, shortage/surplus states, maintenance, and transmission constraints.
Freshness: pending monitorLatest data: n/aWindow: 6h
API: reviewSource
Next step: define permitted datasets, cadence, historical format, and fallback behavior for missing publications.
weather

Weather provider layer

token required

Temperature, wind, solar radiation, cloud coverage, and precipitation for load and generation forecasts.

Weather data is critical for solar/wind output, load spikes, and volatility explanations.
Freshness: blockedLatest data: n/aWindow: 3h
API: token requiredSource
Next step: compare ECMWF, Meteostat, OpenWeather, and Tomorrow.io by cost, license, and latency.
macro

Fuel and carbon benchmarks

token required

Gas, coal, oil, and EU ETS as macro drivers of electricity prices.

Helps explain longer price regimes and risks for thermal generation and imports.
Freshness: blockedLatest data: n/aWindow: 36h
API: token requiredSource
Next step: select benchmark sources and define which indicators the forecasting model needs.
system

Energy Map

token required

Ukrainian aggregated energy datasets for a broader market picture.

Can enrich the model with generation, consumption, regional, and reference datasets.
Freshness: blockedLatest data: n/aWindow: 1d
API: token requiredSource
Next step: review access terms and shortlist datasets for V2.
regulatory

NEURC

review

Regulatory decisions, tariffs, licensing, and compliance signals.

Needed for risk control, audit-ready explanations, and the legal layer of the product.
Freshness: pending monitorLatest data: n/aWindow: 7d
API: reviewSource
Next step: define which documents we monitor and how rules are versioned.
regulatory

Antimonopoly Committee of Ukraine

review

Market monitoring, competition, concentration, and antimonopoly signals.

Useful for compliance explanations, market limits, and a future anti-manipulation layer.
Freshness: pending monitorLatest data: n/aWindow: 14d
API: reviewSource
Next step: define which publications to monitor and how risk escalations should work.

Trust and verification

Diia, signatures, and documents as a future trust layer.

This is not a live integration yet. We are documenting where Diia can support onboarding, signatures, and responsible-person verification before pilots or submit flows.

signature

Diia.Signature

legal review

Electronic signature for document signing or authorization through Diia.

Signing a contract, pilot request, decision package, or critical trader approval.
Contract/approval: yesSource
Next step: Collect legal basis, Diia contract requirements, UX flow, and signed decision package format.
documents

Diia document sharing

legal review

Receiving digital document copies and metadata after user approval.

Ukrainian company onboarding, representative verification, and KYC/KYB field prefill.
Contract/approval: yesSource
Next step: Define the minimum document set and retention policy before requesting any personal data.
identity

Diia validation

planned

Digital document validation and protection against fake screenshots.

Responsible-person verification before paid pilot access or a submit-flow.
Contract/approval: yesSource
Next step: Compare with WorkOS/SSO and QES so identity checks are not duplicated unnecessarily.
signature

QES / qualified e-signature

planned

Signed-document verification and compatibility with QES processes.

Fallback for legally significant documents when the Diia flow is unavailable.
Contract/approval: noSource
Next step: Define archive format, signature verification, and evidence storage in the audit trail.

Readiness checks

7 Pass · 3 Review · 0 Block

Pass

Next.js application

Marketing, workspace, PWA shell, and bilingual routes are available.

Pass

API surface

Strategy, BESS, backtest, AI brief, risk, audit, OREE price/index/trading-result, UEEX index, health, and OpenAPI endpoints are registered.

Review

API key mode

The current API key protection state is shown above; production API access should use protected mode.

Pass

Rate limiting

Requests are limited per route and client fingerprint.

Review

Market data

OREE adapters and UEEX benchmark indexes are available; ENTSO-E, Ukrenergo, weather, fuel/carbon, Energy Map, NEURC, and AMCU are tracked in the data source registry.

Pass

Decision engine

DAM spread planning and backtesting run in deterministic server-validated code.

Pass

BESS engine

Charge/discharge planning supports capacity, power, efficiency, cycles, and degradation cost.

Pass

AI brief

V1 uses deterministic brief generation with Ukrainian and English output.

Pass

Audit trail

Workspace actions and API audit events use typed event creation.

Review

PWA notifications

The Web Push contract is connected; production delivery needs a VAPID private key, provider, and tenant subscription store.

Need a technical integration?

The status page gives an operational signal, OpenAPI describes the contract, and the workspace lets you verify a DAM scenario quickly.

API docs Workspace