Launch activation manifest
The missing launch dependencies, ready to activate.
Strict readiness names the blockers. This manifest turns them into an operator-grade activation plan with Vercel env names, source systems, proof commands, evidence targets, and claim locks without exposing secret values.
11 activation groups
38 production env names
15 operator-local inputs
30 linked open gaps
Activation order
Configure the dependency, then prove the claim.
Each group lists where the values come from, which command proves activation, where evidence is attached, and which claims stay locked if the group is skipped.
THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:readiness -- --strict
1. Operator fixture seed and auth-smoke records
Production launch seed records, authenticated smoke users, and fixture IDs used by strict readiness.
Owner: Operator
Source: Operator password manager, Supabase service role, Vercel production env, and protected launch seed route.
Evidence: Operator proof bundle, tenant fixture evidence, launch room, and launch dossier.
Linked gaps: 11
Seed output must identify production seed records and fixture IDs in a locked operator file before authenticated RLS/API proof is accepted.
2. Local fixture shell and proof exports
Authenticated API, issuer, evidence, audit, privacy, notification, support, SCIM, and Stripe fixture commands.
Owner: Operator
Source: Locked operator env file and `/tmp/thesmios-auth-smoke.env` generated by launch seeding.
Evidence: Operator proof bundle and tenant external launch evidence references.
Linked gaps: 11
Every mutating fixture proof must either pass from the locked shell or remain explicitly excluded from the accepted launch scope.
3. Trust, evidence, audit, and job-runner secrets
DID/JWKS discovery, VC signing, scheduled jobs, audit anchoring, verification webhooks, evidence scans, and audit exports.
Owner: Security
Source: Vercel production env, Supabase storage, and issuer key-management handoff.
Evidence: Security review pack, tenant fixture evidence, operator proof bundle, and launch dossier.
Linked gaps: 5
Security/privacy controls become buyer-accepted only after the matching fixture output and tenant evidence reference are attached.
4. Support email and status broadcasts
Customer-request acknowledgements, support lifecycle notifications, status subscriptions, and incident broadcasts.
Owner: Operator
Source: Resend production dashboard, status broadcast secret, and verified test recipient.
Evidence: Operator proof bundle, support communications package, and launch room support section.
Linked gaps: 5
Automated support and status email claims require a controlled-send or retained delivery-attempt fixture plus manual fallback notes for failures.
5. Stripe self-serve billing
Public checkout, card-backed activation, cancellation, and webhook-driven subscription lifecycle.
Owner: Finance
Source: Stripe production dashboard, webhook signing secret, and price catalog.
Evidence: Billing evidence package, tenant launch decision, and launch dossier.
Linked gaps: 4
Self-serve checkout remains blocked until production Stripe env, price IDs, and signed webhook fixture proof are attached.
6. Enterprise OIDC broker
Brokered enterprise OIDC login and customer IdP proof.
Owner: Enterprise
Source: Customer IdP application registration and enterprise broker configuration.
Evidence: Tenant SSO evidence package, provisioning guide, launch room, and launch dossier.
Linked gaps: 6
OIDC can be sold only after customer IdP setup, broker configuration, test login evidence, and accepted tenant SSO evidence are attached.
7. Enterprise SAML IdP
Brokered enterprise SAML login and customer IdP proof.
Owner: Enterprise
Source: Customer SAML IdP metadata, signing certificate, and broker configuration.
Evidence: Tenant SSO evidence package, provisioning guide, launch room, and launch dossier.
Linked gaps: 6
SAML can be sold only after customer IdP metadata, certificate handling, broker proof, and accepted tenant SSO evidence are attached.
8. SCIM tenant provisioning token
Tenant SCIM user/group create, read, update, and deprovision fixture proof.
Owner: Enterprise
Source: Authenticated tenant settings, customer IdP SCIM app, and provisioning guide.
Evidence: Tenant SSO evidence package, tenant fixture evidence, launch room, and launch dossier.
Linked gaps: 8
SCIM is enterprise-ready only after tenant token creation, IdP mapping, fixture proof, and customer approval are attached.
9. HRIS connectors
Live Workday and BambooHR sync claims.
Owner: Customer
Source: Customer Workday and BambooHR admin consoles, sandbox credentials, and field-mapping approval.
Evidence: Tenant vendor evidence package, launch room, and launch dossier.
Linked gaps: 2
HRIS automation can be claimed only after customer sandbox credentials, field mapping, import reconciliation, and accepted vendor evidence are attached.
10. Official issuer connectors
Direct official-source automation claims.
Owner: Security
Source: Companies House, Home Office / UKVI, DBS Update Service, and USCIS E-Verify approval channels.
Evidence: Tenant vendor evidence package, security review pack, launch room, and launch dossier.
Linked gaps: 7
Official-source automation can be claimed only after each authority credential, consent/legal basis, approval, and first customer lookup evidence is attached.
11. Customer acceptance, signed scope, and exclusions
Turning implemented controls and fixture outputs into an accepted B2B tenant launch.
Owner: Customer
Source: Signed order form, buyer security/privacy approval, launch acceptance route, and external evidence records.
Evidence: Tenant launch room, launch dossier, launch decision, billing evidence, and external evidence package.
Linked gaps: 5
A tenant is launch-accepted only after the buyer has signed off on scope, the accepted stage, exclusions, external evidence references, and residual-risk decisions.
Environment manifest
Vercel names are explicit. Values stay out of the browser.
| Group | Variable | Source system | Required for | Command |
|---|---|---|---|---|
| Operator fixture seed and auth-smoke records | LAUNCH_OPERATIONS_SECRET (alternative: AUDIT_ADMIN_SECRET) | Operator password manager | Protected launch seed route | vercel env add LAUNCH_OPERATIONS_SECRET production |
| Operator fixture seed and auth-smoke records | AUDIT_ADMIN_SECRET (alternative: LAUNCH_OPERATIONS_SECRET) | Operator password manager | Fallback launch seed and audit admin operations | vercel env add AUDIT_ADMIN_SECRET production |
| Operator fixture seed and auth-smoke records | SUPABASE_SERVICE_ROLE_KEY | Supabase project settings | Server-side seed, tenant operations, and fixture data creation | vercel env add SUPABASE_SERVICE_ROLE_KEY production |
| Operator fixture seed and auth-smoke records | NEXT_PUBLIC_SUPABASE_URL | Supabase project settings | Browser auth clients and authenticated smoke fixture scripts | vercel env add NEXT_PUBLIC_SUPABASE_URL production |
| Operator fixture seed and auth-smoke records | NEXT_PUBLIC_SUPABASE_ANON_KEY | Supabase project settings | Browser auth clients and authenticated smoke fixture scripts | vercel env add NEXT_PUBLIC_SUPABASE_ANON_KEY production |
| Trust, evidence, audit, and job-runner secrets | VC_PUBLIC_JWK (alternative: VC_PRIVATE_JWK) | Issuer key-management handoff | Durable public issuer key discovery | vercel env add VC_PUBLIC_JWK production |
| Trust, evidence, audit, and job-runner secrets | VC_PRIVATE_JWK | Issuer key-management handoff | Production credential signing and issuer fixture proof | vercel env add VC_PRIVATE_JWK production |
| Trust, evidence, audit, and job-runner secrets | CRON_SECRET | Operator password manager | Scheduled expiry and monitoring routes | vercel env add CRON_SECRET production |
| Trust, evidence, audit, and job-runner secrets | PLATFORM_JOB_RUNNER_SECRET | Operator password manager | Evidence verification, retention, and audit export jobs | vercel env add PLATFORM_JOB_RUNNER_SECRET production |
| Trust, evidence, audit, and job-runner secrets | AUDIT_ADMIN_SECRET | Operator password manager | Audit anchoring, audit verification, and launch seed fallback | vercel env add AUDIT_ADMIN_SECRET production |
| Trust, evidence, audit, and job-runner secrets | VERIFY_WEBHOOK_SECRET | Operator password manager | Signed inbound verification webhooks | vercel env add VERIFY_WEBHOOK_SECRET production |
| Support email and status broadcasts | RESEND_API_KEY | Resend production dashboard | Support and status email delivery | vercel env add RESEND_API_KEY production |
| Support email and status broadcasts | STATUS_BROADCAST_SECRET | Operator password manager | Secret-protected incident and maintenance broadcasts | vercel env add STATUS_BROADCAST_SECRET production |
| Stripe self-serve billing | STRIPE_SECRET_KEY | Stripe production dashboard | Checkout sessions and subscription lifecycle | vercel env add STRIPE_SECRET_KEY production |
| Stripe self-serve billing | STRIPE_WEBHOOK_SECRET | Stripe webhook endpoint | Signed webhook verification | vercel env add STRIPE_WEBHOOK_SECRET production |
| Stripe self-serve billing | STRIPE_PRICE_REPORT | Stripe product price catalog | Report plan checkout price | vercel env add STRIPE_PRICE_REPORT production |
| Stripe self-serve billing | STRIPE_PRICE_MONITORING | Stripe product price catalog | Monitoring plan checkout price | vercel env add STRIPE_PRICE_MONITORING production |
| Enterprise OIDC broker | ENTERPRISE_OIDC_ISSUER | Customer IdP application | OIDC issuer discovery | vercel env add ENTERPRISE_OIDC_ISSUER production |
| Enterprise OIDC broker | ENTERPRISE_OIDC_CLIENT_ID | Customer IdP application | OIDC broker client | vercel env add ENTERPRISE_OIDC_CLIENT_ID production |
| Enterprise OIDC broker | ENTERPRISE_OIDC_CLIENT_SECRET | Customer IdP application | OIDC broker token exchange | vercel env add ENTERPRISE_OIDC_CLIENT_SECRET production |
| Enterprise SAML IdP | SAML_IDP_ENTITY_ID | Customer SAML IdP | SAML issuer metadata | vercel env add SAML_IDP_ENTITY_ID production |
| Enterprise SAML IdP | SAML_IDP_SSO_URL | Customer SAML IdP | SAML single sign-on redirect | vercel env add SAML_IDP_SSO_URL production |
| Enterprise SAML IdP | SAML_IDP_CERTIFICATE | Customer SAML IdP | SAML response signature verification | vercel env add SAML_IDP_CERTIFICATE production |
| HRIS connectors | WORKDAY_REST_BASE_URL | Customer Workday tenant | Workday REST API sync | vercel env add WORKDAY_REST_BASE_URL production |
| HRIS connectors | WORKDAY_ACCESS_TOKEN | Customer Workday tenant | Workday REST API bearer access | vercel env add WORKDAY_ACCESS_TOKEN production |
| HRIS connectors | BAMBOOHR_COMPANY_DOMAIN | Customer BambooHR account | BambooHR directory sync | vercel env add BAMBOOHR_COMPANY_DOMAIN production |
| HRIS connectors | BAMBOOHR_API_KEY | Customer BambooHR account | BambooHR directory API access | vercel env add BAMBOOHR_API_KEY production |
| Official issuer connectors | COMPANIES_HOUSE_API_KEY | Companies House developer account | Companies House lookup | vercel env add COMPANIES_HOUSE_API_KEY production |
| Official issuer connectors | HOME_OFFICE_RTW_API_KEY (alternative: UKVI_RIGHT_TO_WORK_API_KEY) | Home Office / UKVI credential handoff | Home Office / UKVI right-to-work checks | vercel env add HOME_OFFICE_RTW_API_KEY production |
| Official issuer connectors | UKVI_RIGHT_TO_WORK_API_KEY (alternative: HOME_OFFICE_RTW_API_KEY) | Home Office / UKVI credential handoff | Alternative right-to-work credential | vercel env add UKVI_RIGHT_TO_WORK_API_KEY production |
| Official issuer connectors | DBS_UPDATE_SERVICE_API_URL | DBS Update Service partner handoff | DBS Update Service endpoint | vercel env add DBS_UPDATE_SERVICE_API_URL production |
| Official issuer connectors | DBS_UPDATE_SERVICE_API_KEY | DBS Update Service partner handoff | DBS Update Service API access | vercel env add DBS_UPDATE_SERVICE_API_KEY production |
| Official issuer connectors | EVERIFY_WEB_SERVICES_BASE_URL | E-Verify MOU and web-services approval | USCIS E-Verify Web Services endpoint | vercel env add EVERIFY_WEB_SERVICES_BASE_URL production |
| Official issuer connectors | EVERIFY_COMPANY_ID | E-Verify MOU and web-services approval | E-Verify company registration | vercel env add EVERIFY_COMPANY_ID production |
| Official issuer connectors | EVERIFY_USERNAME | E-Verify MOU and web-services approval | E-Verify API username | vercel env add EVERIFY_USERNAME production |
| Official issuer connectors | EVERIFY_PASSWORD | E-Verify MOU and web-services approval | E-Verify API password | vercel env add EVERIFY_PASSWORD production |
| Official issuer connectors | EVERIFY_CLIENT_CERT | E-Verify MOU and web-services approval | E-Verify client certificate | vercel env add EVERIFY_CLIENT_CERT production |
| Official issuer connectors | EVERIFY_CLIENT_KEY | E-Verify MOU and web-services approval | E-Verify client certificate key | vercel env add EVERIFY_CLIENT_KEY production |
| Official issuer connectors | EVERIFY_INTEGRATION_APPROVED (expected value: true) | E-Verify MOU and acceptance-testing approval | E-Verify production approval flag | vercel env add EVERIFY_INTEGRATION_APPROVED production |
Operator runbook
The run path is evidence-first.
The sequence keeps mutation behind explicit operator confirmation, stores generated evidence outside the repo, and requires strict readiness before self-serve or broad enterprise claims.
1. Pull public runtime and confirm local secret handoff
npm run check:operator-env -- --env-file /tmp/operator.env --seed --include-fixtures --json
The check lists the required variable names without printing any values and rejects the empty placeholders that `vercel env pull` writes for sensitive variables.
2. Add or rotate missing production env in Vercel
vercel env add VARIABLE_NAME production
Each activated variable has a source system, owner, and post-activation proof command in this manifest.
3. Seed production launch and auth-smoke fixtures
CONFIRM_LAUNCH_OPERATOR_SEED=thesmios-launch-seed LAUNCH_OPERATIONS_SECRET=<secret> LAUNCH_SEED_ENV_OUTPUT_PATH=/tmp/thesmios-auth-smoke.env THESMIOS_SMOKE_URL=https://www.thesmios.com npm run seed:launch-operator
A locked `/tmp/thesmios-auth-smoke.env` plus production seed records for issuer, DID, jobs, users, grants, credentials, tasks, and shares.
4. Run grouped fixture proof
THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:launch-proof-bundle -- --include-fixtures --strict --env-file /tmp/thesmios-auth-smoke.env --output /tmp/thesmios-launch-proof-bundle.json
One locked proof bundle showing public, authenticated, security, vendor, billing, support, and enterprise fixture outcomes.
5. Attach customer acceptance and exclusions
PATCH /api/platform/launch-acceptance and PATCH /api/platform/external-evidence
Signed scope, accepted stage, scoped exclusions, fixture output references, and residual-risk approvals in the tenant launch room.
6. Re-run strict readiness
THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:readiness -- --strict
Strict readiness has no blockers before self-serve paid launch or broad enterprise expansion claims are approved.
Proof and claim locks
Missing activation keeps the claim out of scope.
Claim locks
Production tenant isolation and RLS evidence.
Authenticated owner, granted-employer, and denied-employer proof.
Paid launch readiness based on fixture-backed production data.
Buyer-accepted malware/quarantine proof before evidence fixture output.
Buyer-accepted audit exports before export fixture output.
Buyer-accepted data-rights fulfilment proof before privacy fixture output.
Do not run operator seeding or fixture proof from a shell that only holds Vercel placeholders; retrieve the real secret values from the operator password manager or the approved vendor console first.
Strict readiness cannot prove RLS or authenticated role separation on production data.
Keep support/status email as dry-run or retained-attempt evidence and use manual customer communication for launch.
Accepted customer tenant
Invoice-led paid beta without fixture proof
Do not claim buyer audit export evidence is proven on production data.
Linked evidence packs
/api/product/launch-activation-manifest
/api/product/production-proof
/api/product/vendor-readiness
/api/product/managed-beta-readiness
/api/product/launch-clearance
/api/product/launch-gap-register
/api/product/operator-launch-console
/api/product/launch-claims-guard
/api/product/launch-evidence-ledger
/api/product/launch-unblock-plan
/api/platform/launch-room
/api/platform/launch-dossier?download=1
/api/platform/launch-decision?download=1
/api/platform/external-evidence
Source boundaries
This manifest exposes variable names, source systems, commands, and evidence targets only; it never exposes secret values or generated fixture IDs.
A production env variable being present is not the same as customer acceptance. Fixture output and signed launch evidence still have to be attached.
Vercel sensitive placeholders from `vercel env pull` are not launch evidence. Operators must source real values from the approved password manager or vendor console.
If a dependency group is skipped, keep the related self-serve, enterprise, automated, HRIS, official-issuer, or notification claim out of the order form.
The manifest is an activation runbook, not a launch waiver. `/api/ready?strict=1`, tenant launch decisions, and buyer acceptance remain authoritative.