Launch claims guard
Buyer-safe claims, backed by live evidence.
A solid B2B launch needs sales, order forms, procurement answers, and implementation plans to use the same source of truth. This guard converts live readiness, capability maturity, launch gaps, and order-form defaults into approved wording and blocked wording.
17 capability claims
2 included with evidence
5 credential-required
2 excluded or blocked
Launch mode wording
The claim changes by launch motion.
Managed private beta can use scoped wording with evidence. Self-serve and broad enterprise wording stays blocked until strict readiness and customer-specific proof clear.
Managed private beta
Conditionally launchable for a named design partner with signed scope, operator fixture evidence, manual support fallback, and launch acceptance.
Allowed wording: Managed rollout; Invoice or no-charge pilot; Manual support fallback; Explicit excluded scope.
Blocked wording: Self-serve checkout; Broad enterprise SSO/SCIM; Official issuer automation without credentials.
Invoice-led paid beta
Conditionally launchable only after customer acceptance, billing profile, invoice/order-form evidence, and authenticated fixture proof are attached.
Allowed wording: Invoice-led paid beta; Manual billing fallback; Named tenant launch gates.
Blocked wording: Public self-serve checkout; Unscoped enterprise automation; External certifications before evidence exists.
Self-serve paid launch
Blocked. Strict readiness must be ready and Stripe fixture proof must pass before self-serve checkout is enabled.
Allowed wording: none until proof clears.
Blocked wording: Self-serve checkout; Automated paid conversion.
Broad enterprise expansion
Blocked. Enterprise SSO, SAML, HRIS, official issuer credentials, and SCIM fixture evidence remain customer/vendor-specific.
Allowed wording: none until proof clears.
Blocked wording: Broad enterprise automation; Unbounded SSO/SCIM.
Claims matrix
| Capability | Decision | Buyer-safe claim | Order-form treatment | Required evidence | Blocked wording |
|---|---|---|---|---|---|
| Worker compliance passport (Core passport - Live) | Included with evidence | Worker compliance passport is included for a named managed launch tenant once the matching tenant evidence and acceptance gates are attached. | List in included launch capabilities only with tenant launch-room evidence, acceptance stage, and proof output attached. | Authenticated app routes, worker sections, credential lifecycle APIs, passport share APIs, and audit event storage exist.; Production seed and authenticated smoke users must be run for each launch environment.; Run authenticated production smoke for owner, granted employer, and denied employer fixtures.; NEXT_PUBLIC_SUPABASE_URL; +3 more. Gap IDs: proof-authenticated-access | Worker compliance passport is fully automated for all customers.; Worker compliance passport is self-serve or generally available without customer-specific proof.; Worker compliance passport is accepted as live before tenant launch-room evidence is attached. |
| Invoice and order-form billing (Billing - Live) | Included with evidence | Invoice and order-form billing is included for a named managed launch tenant once the matching tenant evidence and acceptance gates are attached. | List in included launch capabilities only with tenant launch-room evidence, acceptance stage, and proof output attached. | Tenant billing profile, customer request operations, and support assignment flows are in settings.; Signed order form and internal finance owner are still required.; Attach the order-form checklist to each design-partner rollout.; CONFIRM_LAUNCH_OPERATOR_SEED=thesmios-launch-seed run output; +4 more. Gap IDs: managed-authenticated-access; managed-credential-evidence; vendor-evidence-operations; proof-operator-env-preflight; proof-launch-seed; proof-notifications | Invoice and order-form billing is fully automated for all customers.; Invoice and order-form billing is self-serve or generally available without customer-specific proof.; Invoice and order-form billing is accepted as live before tenant launch-room evidence is attached. |
| Stripe self-serve checkout (Billing - Credential-required) | Excluded or blocked | Stripe self-serve checkout is not a live production commitment for the standard launch scope. | List under exclusions or roadmap boundaries unless a separately signed statement of work funds and accepts the work. | Checkout and webhook endpoints are deployed; the signed webhook fixture command proves configured webhook processing before checkout is enabled.; STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET, STRIPE_PRICE_REPORT, and STRIPE_PRICE_MONITORING.; Configure Stripe in production and run npm run check:stripe-fixture.; STRIPE_SECRET_KEY; +4 more. Gap IDs: strict-stripe-self-serve-billing; vendor-stripe-self-serve; proof-stripe; strict-enterprise-oidc-broker-config; strict-enterprise-saml-idp-config; vendor-enterprise-identity | Stripe self-serve checkout is fully automated for all customers.; Stripe self-serve checkout is self-serve or generally available without customer-specific proof.; Stripe self-serve checkout is included in standard private beta scope. |
| Companies House (Official issuer - Credential-required) | Credential required | Companies House can be enabled after approved production credentials, customer approval, and fixture proof are attached. | List under customer dependencies or optional scope; do not commit automation until credentials and fixture proof pass. | Companies House route normalises live responses and bounded seeded fallback data.; COMPANIES_HOUSE_API_KEY.; Configure production key and record first customer lookup evidence.; HOME_OFFICE_RTW_API_KEY; +4 more. Gap IDs: vendor-official-issuer-connectors; strict-official-issuer-connector-credentials; managed-self-serve-enterprise-boundary | Companies House is fully automated for all customers.; Companies House is self-serve or generally available without customer-specific proof.; Companies House is live before production credentials and fixture proof are attached. |
| Home Office / UKVI right to work (Official issuer - Credential-required) | Credential required | Home Office / UKVI right to work can be enabled after approved production credentials, customer approval, and fixture proof are attached. | List under customer dependencies or optional scope; do not commit automation until credentials and fixture proof pass. | Dedicated right-to-work route and issuer status payload are present.; HOME_OFFICE_RTW_API_KEY or UKVI_RIGHT_TO_WORK_API_KEY plus customer legal basis.; Configure approved credentials or treat as a managed upload/share-code workflow.; THESMIOS_AUTH_SMOKE_PASSWORD; +4 more. Gap IDs: vendor-evidence-operations; proof-authenticated-access; proof-privacy-rights; proof-vendor-readiness; vendor-official-issuer-connectors; strict-hris-connector-credentials | Home Office / UKVI right to work is fully automated for all customers.; Home Office / UKVI right to work is self-serve or generally available without customer-specific proof.; Home Office / UKVI right to work is live before production credentials and fixture proof are attached. |
| DBS Update Service (Official issuer - Manual-required) | Managed or manual | DBS Update Service is available only as managed beta or manual fallback with scoped rollout limits and explicit customer acceptance. | List as managed/manual scope with automation exclusions, named owner, and acceptance evidence. | DBS route distinguishes update-service coverage from Basic DBS manual refresh.; DBS_UPDATE_SERVICE_API_URL, DBS_UPDATE_SERVICE_API_KEY, consent, and legal basis.; Use manual/upload path until customer-specific DBS credentials are approved.; RESEND_API_KEY; +4 more. Gap IDs: proof-notifications; vendor-official-issuer-connectors; strict-official-issuer-connector-credentials; managed-self-serve-enterprise-boundary | DBS Update Service is fully automated for all customers.; DBS Update Service is self-serve or generally available without customer-specific proof.; DBS Update Service is hands-off automation or included without managed-scope wording. |
| US E-Verify (Official issuer - Manual-required) | Managed or manual | US E-Verify is available only as managed beta or manual fallback with scoped rollout limits and explicit customer acceptance. | List as managed/manual scope with automation exclusions, named owner, and acceptance evidence. | E-Verify route and status helper gate production claims behind required environment and approval flags.; E-Verify web-services approval and tenant credentials.; Keep US eligibility checks as managed/manual until approval evidence exists.; HOME_OFFICE_RTW_API_KEY; +4 more. Gap IDs: vendor-official-issuer-connectors; strict-official-issuer-connector-credentials; managed-self-serve-enterprise-boundary | US E-Verify is fully automated for all customers.; US E-Verify is self-serve or generally available without customer-specific proof.; US E-Verify is hands-off automation or included without managed-scope wording. |
| Sanctions screening (Official issuer - Managed beta) | Managed or manual | Sanctions screening is available only as managed beta or manual fallback with scoped rollout limits and explicit customer acceptance. | List as managed/manual scope with automation exclusions, named owner, and acceptance evidence. | Sanctions route, monitoring pipeline, and cron-gated worker exist.; CRON_SECRET, PLATFORM_JOB_RUNNER_SECRET, source credentials where required.; Prove scheduled production cadence and alert triage.; HOME_OFFICE_RTW_API_KEY; +4 more. Gap IDs: vendor-official-issuer-connectors; strict-official-issuer-connector-credentials; managed-self-serve-enterprise-boundary | Sanctions screening is fully automated for all customers.; Sanctions screening is self-serve or generally available without customer-specific proof.; Sanctions screening is hands-off automation or included without managed-scope wording. |
| Workday (Employer system - Credential-required) | Credential required | Workday can be enabled after approved production credentials, customer approval, and fixture proof are attached. | List under customer dependencies or optional scope; do not commit automation until credentials and fixture proof pass. | Workday adapter normalises live worker responses and falls back to demo fixtures when unconfigured.; WORKDAY_REST_BASE_URL and WORKDAY_ACCESS_TOKEN.; Run first customer sandbox import and reconcile employee identifiers.; WORKDAY_REST_BASE_URL; +3 more. Gap IDs: strict-hris-connector-credentials; vendor-hris-connectors | Workday is fully automated for all customers.; Workday is self-serve or generally available without customer-specific proof.; Workday is live before production credentials and fixture proof are attached. |
| BambooHR (Employer system - Credential-required) | Credential required | BambooHR can be enabled after approved production credentials, customer approval, and fixture proof are attached. | List under customer dependencies or optional scope; do not commit automation until credentials and fixture proof pass. | BambooHR adapter normalises live directory responses and falls back to demo fixtures when unconfigured.; BAMBOOHR_COMPANY_DOMAIN and BAMBOOHR_API_KEY.; Run first customer sandbox import and confirm field mapping.; WORKDAY_REST_BASE_URL; +3 more. Gap IDs: strict-hris-connector-credentials; vendor-hris-connectors | BambooHR is fully automated for all customers.; BambooHR is self-serve or generally available without customer-specific proof.; BambooHR is live before production credentials and fixture proof are attached. |
| SCIM 2.0 provisioning (Enterprise identity - Managed beta) | Managed or manual | SCIM 2.0 provisioning is available only as managed beta or manual fallback with scoped rollout limits and explicit customer acceptance. | List as managed/manual scope with automation exclusions, named owner, and acceptance evidence. | SCIM token management, tenant SCIM user tables, and scoped SCIM routes are implemented.; Pending migrations must be applied and authenticated SCIM fixture proof must be run in production.; Apply SCIM migrations and run create/read/patch/delete SCIM fixture against a launch tenant.; ENTERPRISE_OIDC_ISSUER; +4 more. Gap IDs: strict-enterprise-oidc-broker-config; strict-enterprise-saml-idp-config; vendor-enterprise-identity; strict-hris-connector-credentials; strict-official-issuer-connector-credentials; proof-scim-sso | SCIM 2.0 provisioning is fully automated for all customers.; SCIM 2.0 provisioning is self-serve or generally available without customer-specific proof.; SCIM 2.0 provisioning is hands-off automation or included without managed-scope wording. |
| SAML/OIDC SSO (Enterprise identity - Manual-required) | Managed or manual | SAML/OIDC SSO is available only as managed beta or manual fallback with scoped rollout limits and explicit customer acceptance. | List as managed/manual scope with automation exclusions, named owner, and acceptance evidence. | Tenant SSO settings, metadata routes, and setup-gated SAML/OIDC endpoints exist.; Production SSO broker and tenant IdP credentials.; Sell as managed enterprise setup until the broker is connected to saved tenant profiles.; NEXT_PUBLIC_SUPABASE_URL; +4 more. Gap IDs: proof-issuer-signing; strict-enterprise-oidc-broker-config; strict-enterprise-saml-idp-config; vendor-enterprise-identity; strict-hris-connector-credentials; strict-official-issuer-connector-credentials | SAML/OIDC SSO is fully automated for all customers.; SAML/OIDC SSO is self-serve or generally available without customer-specific proof.; SAML/OIDC SSO is hands-off automation or included without managed-scope wording. |
| VC issuer signing and discovery (Trust infrastructure - Credential-required) | Credential required | VC issuer signing and discovery can be enabled after approved production credentials, customer approval, and fixture proof are attached. | List under customer dependencies or optional scope; do not commit automation until credentials and fixture proof pass. | Discovery routes return public documents and readiness warns when VC key material is missing.; VC_PUBLIC_JWK and VC_PRIVATE_JWK or seeded production DID material.; Configure production issuer keys and run verifier API fixture.; CONFIRM_LAUNCH_OPERATOR_SEED=thesmios-launch-seed run output; +4 more. Gap IDs: managed-authenticated-access; managed-credential-evidence; vendor-evidence-operations; proof-operator-env-preflight; proof-launch-seed; proof-notifications | VC issuer signing and discovery is fully automated for all customers.; VC issuer signing and discovery is self-serve or generally available without customer-specific proof.; VC issuer signing and discovery is live before production credentials and fixture proof are attached. |
| Audit export packages (Operations - Managed beta) | Managed or manual | Audit export packages is available only as managed beta or manual fallback with scoped rollout limits and explicit customer acceptance. | List as managed/manual scope with automation exclusions, named owner, and acceptance evidence. | Audit export request table, private storage bucket migration, signed download URLs, CSV builder, ZIP builder, and fixture runner exist.; Supabase migrations/storage bucket must be applied in production and audit export fixture output must be attached.; Run npm run check:audit-export-fixture in production.; CONFIRM_LAUNCH_OPERATOR_SEED=thesmios-launch-seed run output; +4 more. Gap IDs: managed-authenticated-access; managed-credential-evidence; vendor-evidence-operations; proof-notifications; proof-audit-export; proof-privacy-rights | Audit export packages is fully automated for all customers.; Audit export packages is self-serve or generally available without customer-specific proof.; Audit export packages is hands-off automation or included without managed-scope wording. |
| Evidence malware and retention controls (Operations - Managed beta) | Managed or manual | Evidence malware and retention controls is available only as managed beta or manual fallback with scoped rollout limits and explicit customer acceptance. | List as managed/manual scope with automation exclusions, named owner, and acceptance evidence. | Evidence worker validates hashes, active content markers, EICAR signature, quarantine state, retention timestamps, and retention deletion.; External scanner evidence, evidence fixture output, job secrets, and operating procedure.; Run npm run check:evidence-fixture in production.; CONFIRM_LAUNCH_OPERATOR_SEED=thesmios-launch-seed run output; +4 more. Gap IDs: managed-authenticated-access; managed-credential-evidence; vendor-evidence-operations; proof-operator-env-preflight; proof-launch-seed; proof-notifications | Evidence malware and retention controls is fully automated for all customers.; Evidence malware and retention controls is self-serve or generally available without customer-specific proof.; Evidence malware and retention controls is hands-off automation or included without managed-scope wording. |
| Status subscription and incident broadcast (Operations - Managed beta) | Managed or manual | Status subscription and incident broadcast is available only as managed beta or manual fallback with scoped rollout limits and explicit customer acceptance. | List as managed/manual scope with automation exclusions, named owner, and acceptance evidence. | Status subscription intake table, validation, rate limiting, and confirmation email helper exist.; RESEND_API_KEY and incident broadcast operator workflow.; Configure sender reputation and send first incident-status fixture.; CONFIRM_LAUNCH_OPERATOR_SEED=thesmios-launch-seed run output; +4 more. Gap IDs: managed-authenticated-access; managed-credential-evidence; vendor-evidence-operations; proof-operator-env-preflight; proof-launch-seed; proof-notifications | Status subscription and incident broadcast is fully automated for all customers.; Status subscription and incident broadcast is self-serve or generally available without customer-specific proof.; Status subscription and incident broadcast is hands-off automation or included without managed-scope wording. |
| Admin passkeys and WebAuthn (Enterprise identity - Planned) | Excluded or blocked | Admin passkeys and WebAuthn is not a live production commitment for the standard launch scope. | List under exclusions or roadmap boundaries unless a separately signed statement of work funds and accepts the work. | Security control registry marks passkeys as planned.; WebAuthn enrolment, recovery, and step-up UX.; Do not include passkeys in paid beta contracts unless separately scoped.; CONFIRM_LAUNCH_OPERATOR_SEED=thesmios-launch-seed run output; +4 more. Gap IDs: managed-authenticated-access; managed-credential-evidence; vendor-evidence-operations; proof-operator-env-preflight; proof-launch-seed; proof-notifications | Admin passkeys and WebAuthn is fully automated for all customers.; Admin passkeys and WebAuthn is self-serve or generally available without customer-specific proof.; Admin passkeys and WebAuthn is included in standard private beta scope. |
Order-form guardrails
Contract scope should mirror the product state.
These are the default clauses and proof expectations sales should carry into order-form review before private beta, paid beta, or enterprise expansion.
Proof commands
Claims change only when proof changes.
Launch claims guard smoke
Claims guard page and JSON endpoint are deployed, complete, public-safe, and wired into launch proof bundles.
THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:launch-claims-guard
Launch clearance
Current launch modes and disallowed claims before buyer review.
THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:launch-clearance
Capability maturity
Capability maturity API is published and complete.
THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:api
Order-form template
Customer order form has included capabilities, exclusions, launch gates, and signature sections.
GET https://www.thesmios.com/api/product/order-form-template
Boundaries