Capability claims with clear maturity labels.

Employees can maintain a portable compliance passport with evidence, credentials, shares, and audit events.

Evidence

Authenticated app routes, worker sections, credential lifecycle APIs, passport share APIs, and audit event storage exist.

Dependency

Production seed and authenticated smoke users must be run for each launch environment.

Next step

Run authenticated production smoke for owner, granted employer, and denied employer fixtures.

Company profile, officer, and PSC records can become source-attributed credentials when the API key is configured.

Evidence

Companies House route normalises live responses and bounded seeded fallback data.

Dependency

COMPANIES_HOUSE_API_KEY.

Next step

Configure production key and record first customer lookup evidence.

Right-to-work checks are supported through Home Office / UKVI share-code evidence with consent and legal basis.

Evidence

Dedicated right-to-work route and issuer status payload are present.

Dependency

HOME_OFFICE_RTW_API_KEY or UKVI_RIGHT_TO_WORK_API_KEY plus customer legal basis.

Next step

Configure approved credentials or treat as a managed upload/share-code workflow.

Standard and enhanced DBS refresh can be handled when consent and legal basis are recorded; Basic DBS remains upload/manual evidence.

Evidence

DBS route distinguishes update-service coverage from Basic DBS manual refresh.

Dependency

DBS_UPDATE_SERVICE_API_URL, DBS_UPDATE_SERVICE_API_KEY, consent, and legal basis.

Next step

Use manual/upload path until customer-specific DBS credentials are approved.

Form I-9/E-Verify workflow can be represented, but production use requires employer enrolment and USCIS approval.

Evidence

E-Verify route and status helper gate production claims behind required environment and approval flags.

Dependency

E-Verify web-services approval and tenant credentials.

Next step

Keep US eligibility checks as managed/manual until approval evidence exists.

Sanctions sources can be screened on demand and queued for monitoring once production job secrets are configured.

Evidence

Sanctions route, monitoring pipeline, and cron-gated worker exist.

Dependency

CRON_SECRET, PLATFORM_JOB_RUNNER_SECRET, source credentials where required.

Next step

Prove scheduled production cadence and alert triage.

Worker records can sync into the passport graph when a customer supplies approved Workday REST access.

Evidence

Workday adapter normalises live worker responses and returns not-configured state until tenant credentials are present.

Dependency

WORKDAY_REST_BASE_URL and WORKDAY_ACCESS_TOKEN.

Next step

Run first customer sandbox import and reconcile employee identifiers.

BambooHR employee directory data can sync for smaller people teams when API credentials are supplied.

Evidence

BambooHR adapter normalises live directory responses and returns not-configured state until tenant credentials are present.

Dependency

BAMBOOHR_COMPANY_DOMAIN and BAMBOOHR_API_KEY.

Next step

Run first customer sandbox import and confirm field mapping.

Tenant SCIM tokens can persist users, deprovisioning state, and group-derived role/workspace mapping.

Evidence

SCIM token management, tenant SCIM user tables, and scoped SCIM routes are implemented.

Dependency

Pending migrations must be applied and authenticated SCIM fixture proof must be run in production.

Next step

Apply SCIM migrations and run create/read/patch/delete SCIM fixture against a launch tenant.

Tenant admins can save IdP setup state, domains, JIT defaults, and mapping metadata; production broker integration is not yet live.

Evidence

Tenant SSO settings, metadata routes, and setup-gated SAML/OIDC endpoints exist.

Dependency

Production SSO broker and tenant IdP credentials.

Next step

Sell as managed enterprise setup until the broker is connected to saved tenant profiles.

Admin passkeys are a roadmap security control, not a launch claim.

Evidence

Security control registry marks passkeys as planned.

Dependency

WebAuthn enrolment, recovery, and step-up UX.

Next step

Do not include passkeys in paid beta contracts unless separately scoped.

DID, JWKS, status-list, and verifier APIs are deployed, but production signing must use durable issuer keys.

Evidence

Discovery routes return public documents and readiness warns when VC key material is missing.

Dependency

VC_PUBLIC_JWK and VC_PRIVATE_JWK or seeded production DID material.

Next step

Configure production issuer keys and run verifier API fixture.

Tenant admins can record invoice requests and billing lifecycle state for managed paid pilots.

Evidence

Tenant billing profile, customer request operations, and support assignment flows are in settings.

Dependency

Signed order form and internal finance owner are still required.

Next step

Attach the order-form checklist to each design-partner rollout.

Checkout and webhook routes exist, but self-serve payment should stay off until Stripe secrets and prices are configured.

Evidence

Checkout and webhook endpoints are deployed; the signed webhook fixture command proves configured webhook processing before checkout is enabled.

Dependency

STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_REPORT, and STRIPE_PRICE_MONITORING.

Next step

Configure Stripe in production and run npm run check:stripe-fixture.

Tenant admins can request downloadable audit export packages once storage/migrations are applied.

Evidence

Audit export request table, private storage bucket migration, signed download URLs, CSV builder, ZIP builder, and fixture runner exist.

Dependency

Supabase migrations/storage bucket must be applied in production and audit export fixture output must be attached.

Next step

Run npm run check:audit-export-fixture in production.

Evidence uploads can be hashed, signature-checked, EICAR-tested, quarantined, and retention-deleted by worker jobs.

Evidence

Evidence worker validates hashes, active content markers, EICAR signature, quarantine state, retention timestamps, and retention deletion.

Dependency

External scanner evidence, evidence fixture output, job secrets, and operating procedure.

Next step

Run npm run check:evidence-fixture in production.

Customers can subscribe to incident, maintenance, security, and availability notices; full broadcast workflow needs email configuration.

Evidence

Status subscription intake table, validation, rate limiting, and confirmation email helper exist.

Dependency

RESEND_API_KEY and incident broadcast operator workflow.

Next step

Configure sender reputation and send first incident-status fixture.