Thesmios

Operator launch console

The production launch run path, in one place.

A B2B launch cannot rely on memory, browser-visible config, or a scattered runbook. This console turns the current launch register into an ordered operator execution plan with explicit secret groups, mutating commands, evidence outputs, and claim boundaries.

16 operator execution gaps
9 mutating proof groups
5 env groups
35 variable names tracked

Launch mode snapshot

The operator can run proof. The evidence still decides what can be sold.

The console reads the same live launch register as the buyer-facing evidence packs. Managed and invoice paths can move only with scoped acceptance; self-serve and enterprise claims stay blocked until strict readiness clears.

THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:readiness -- --strict

conditional

Managed private beta

Managed private beta can be sold only with signed customer acceptance, scoped exclusions, and 17 tracked gaps.

conditional

Invoice-led paid beta

Invoice-led paid beta can be sold only with signed customer acceptance, scoped exclusions, and 20 tracked gaps.

blocked

Self-serve paid launch

Self-serve paid launch is blocked until 24 gaps are resolved or explicitly removed from scope.

blocked

Broad enterprise expansion

Broad enterprise expansion is blocked until 26 gaps are resolved or explicitly removed from scope.

Execution phases

ready to run

1. Scope and gap review

Freeze the launch motion, disallowed claims, and owner queue before any mutating command runs.

read only

THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:launch-gap-register && THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:launch-clearance

Launch mode decision, blocker count, disallowed claims, and owner queue output.

Do not approve order-form claims until the launch mode is clear or conditionally accepted.

requires operator secret

2. Operator environment preflight

Validate local secret availability without printing values before production mutation.

read only

npm run check:operator-env -- --env-file /tmp/operator.env --seed --include-fixtures --json

JSON preflight output showing every active env group is ready and no unsafe env file permissions exist.

Stop. Retrieve real values from approved systems instead of copying Vercel placeholders or browser-visible config.

requires operator secret

3. Launch seed and fixture export

Create or refresh deterministic production fixture data and write the locked fixture env export.

mutates production

CONFIRM_OPERATOR_LAUNCH_PROOF=thesmios-operator-proof LAUNCH_OPERATIONS_SECRET=<secret> THESMIOS_SMOKE_URL=https://www.thesmios.com npm run proof:operator-launch -- --seed --include-fixtures

Subject, credential, workflow task, passport share, and smoke actor references written to the launch proof bundle.

Do not claim tenant isolation, role separation, or production fixture evidence if the seed fails or is skipped.

requires fixture export

4. Fixture proof bundle

Run authenticated API, issuer, evidence, audit, privacy, notification, Stripe, and SCIM proofs from the locked fixture export.

mutates production

THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:launch-proof-bundle -- --include-fixtures --strict --env-file /tmp/thesmios-auth-smoke.env --output /tmp/thesmios-launch-proof-bundle.json

Attachable launch proof bundle with pass, skip, or expected-until-launch blocker status for every proof.

Skipped or missing fixture output must remain a launch-room blocker for the matching paid or enterprise claim.

requires customer or vendor

5. Customer and vendor acceptance

Attach signed commercial, security, privacy, support, billing, vendor, and scoped-exclusion evidence to the customer launch room.

mutates production

PATCH /api/platform/external-evidence and PATCH /api/platform/launch-acceptance from an authenticated tenant operator session

Launch room and launch dossier show accepted stage, signer, external references, exclusions, and missing-evidence decisions.

Do not mark the tenant live, paid, or enterprise-ready without accepted customer evidence.

ready to run

6. Strict readiness rerun

Recompute the production gate after operator, vendor, fixture, and customer evidence has been attached.

read only

THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:readiness -- --strict

Strict readiness output showing remaining blockers before self-serve paid or enterprise claims are enabled.

Managed or invoice beta can continue only with scoped exclusions; self-serve and enterprise claims stay blocked.

Environment groups

| Group | Required for | Variables | Source of truth | Protects |
| --- | --- | --- | --- | --- |
| Operator seed authorization | Protected production launch seed and operator proof runner. | CONFIRM_OPERATOR_LAUNCH_PROOF; LAUNCH_OPERATIONS_SECRET; AUDIT_ADMIN_SECRET; THESMIOS_SMOKE_URL. Alternatives: LAUNCH_OPERATIONS_SECRET or AUDIT_ADMIN_SECRET | Operator password manager plus protected `/api/platform/launch/seed` route. | Prevents accidental production seed execution from an unapproved shell. |
| Authenticated smoke fixture | Owner, granted-employer, denied-employer, credential, task, and share fixture proof. | NEXT_PUBLIC_SUPABASE_URL; NEXT_PUBLIC_SUPABASE_ANON_KEY; THESMIOS_AUTH_SMOKE_PASSWORD; THESMIOS_TEST_SUBJECT_ID; THESMIOS_TEST_CREDENTIAL_ID; THESMIOS_TEST_TASK_ID; THESMIOS_TEST_SHARE_ID | Locked launch seed export written outside the repository. | Prevents RLS, passport share, and credential proof from being claimed on missing fixture data. |
| Mutating fixture secrets | Evidence scanning, audit export, privacy, issuer, notification, and SCIM proof execution. | PLATFORM_JOB_RUNNER_SECRET; STATUS_BROADCAST_SECRET; THESMIOS_NOTIFICATION_TEST_EMAIL; CONFIRM_SUPPORT_NOTIFICATION_FIXTURE; THESMIOS_SCIM_TOKEN | Operator env file, tenant SCIM token console, and verified notification test recipient. | Keeps destructive or customer-visible proof runs explicit and auditable. |
| Paid launch runtime vendors | Self-serve paid checkout and support/status email delivery. | RESEND_API_KEY; STRIPE_SECRET_KEY; STRIPE_WEBHOOK_SECRET; STRIPE_PRICE_REPORT; STRIPE_PRICE_MONITORING | Resend and Stripe production consoles. | Prevents invoice beta from being represented as self-serve paid launch. |
| Enterprise identity and issuer connectors | Broad enterprise SSO, HRIS sync, and official issuer automation. | ENTERPRISE_OIDC_ISSUER; ENTERPRISE_OIDC_CLIENT_ID; ENTERPRISE_OIDC_CLIENT_SECRET; SAML_IDP_ENTITY_ID; SAML_IDP_SSO_URL; SAML_IDP_CERTIFICATE; WORKDAY_REST_BASE_URL; WORKDAY_ACCESS_TOKEN; BAMBOOHR_COMPANY_DOMAIN; BAMBOOHR_API_KEY; COMPANIES_HOUSE_API_KEY; HOME_OFFICE_RTW_API_KEY; DBS_UPDATE_SERVICE_API_KEY; EVERIFY_INTEGRATION_APPROVED | Customer IdP, HRIS, official issuer, and partner approval consoles. | Keeps managed enterprise setup separate from live hands-off automation claims. |
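
The checks that phase 2 and the table above describe, as an added Node.js example rather than the code behind `check:operator-env`: owner-only file permissions, an env file outside the repository, and per-group variable presence reported by name only. The function names, the two-group subset, and the placeholder rule (empty or `<...>` values count as missing) are assumptions.

```javascript
const fs = require("node:fs");
const path = require("node:path");

// Two groups from the Environment groups table; anyOf models "Alternatives: A or B".
const GROUPS = {
  seed: { allOf: ["CONFIRM_OPERATOR_LAUNCH_PROOF", "THESMIOS_SMOKE_URL"],
          anyOf: ["LAUNCH_OPERATIONS_SECRET", "AUDIT_ADMIN_SECRET"] },
  fixtures: { anyOf: [], allOf: ["NEXT_PUBLIC_SUPABASE_URL", "NEXT_PUBLIC_SUPABASE_ANON_KEY",
    "THESMIOS_AUTH_SMOKE_PASSWORD", "THESMIOS_TEST_SUBJECT_ID", "THESMIOS_TEST_CREDENTIAL_ID",
    "THESMIOS_TEST_TASK_ID", "THESMIOS_TEST_SHARE_ID"] },
};

// Parse KEY=VALUE lines. Values stay in this map and are never returned or logged.
function parseEnv(text) {
  const vars = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim().replace(/^export\s+/, "");
    const eq = line.indexOf("=");
    if (line.startsWith("#") || eq < 1) continue;
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, "$2");
    vars.set(line.slice(0, eq).trim(), value);
  }
  return vars;
}
// Assumed placeholder heuristic: empty or <angle-bracket> values count as missing.
const usable = (v) => typeof v === "string" && v !== "" && !/^<.*>$/.test(v);

// Pure check: the caller supplies file text and stat mode; the result holds names only.
function evaluate(text, mode, envFile, repoRoot, groupNames) {
  const rel = path.relative(path.resolve(repoRoot), path.resolve(envFile));
  const file = {
    permissionsSafe: (mode & 0o077) === 0, // no group or other access bits
    outsideRepo: rel.startsWith(".." + path.sep) || path.isAbsolute(rel),
  };
  const vars = parseEnv(text);
  const groups = {};
  for (const name of groupNames) {
    const { allOf, anyOf } = GROUPS[name];
    const missing = allOf.filter((k) => !usable(vars.get(k)));
    if (anyOf.length && !anyOf.some((k) => usable(vars.get(k)))) {
      missing.push(anyOf.join(" or "));
    }
    groups[name] = { ready: missing.length === 0, missing };
  }
  const ok = Object.values(groups).every((g) => g.ready);
  return { ready: ok && file.permissionsSafe && file.outsideRepo, file, groups };
}

// File wrapper for real use: stat and read the env file, then evaluate it.
function preflight(envFile, repoRoot, groupNames) {
  const text = fs.readFileSync(envFile, "utf8");
  return evaluate(text, fs.statSync(envFile).mode, envFile, repoRoot, groupNames);
}

// Constructed sample: fake values, one <placeholder>, one empty value.
const SAMPLE = `CONFIRM_OPERATOR_LAUNCH_PROOF=thesmios-operator-proof
THESMIOS_SMOKE_URL=https://www.thesmios.com
LAUNCH_OPERATIONS_SECRET=<secret>
AUDIT_ADMIN_SECRET="constructed-not-a-real-secret"
THESMIOS_AUTH_SMOKE_PASSWORD=`;
```

With the constructed sample, the seed group passes through the `AUDIT_ADMIN_SECRET` alternative while the fixture group reports seven missing names, so the overall result stays not ready until the locked fixture export is supplied.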

Evidence outputs

The end state is attachable evidence, not a successful terminal scrollback.

The operator run creates specific artifacts for the customer launch room, security review, finance review, and final go/no-go record.

Locked operator preflight output

Confirms the shell has usable seed, fixture, vendor, and strict paid-launch variables before mutation.

/tmp/operator-env-preflight.json

Audience: Operator

Launch seed fixture export

Carries generated subject, credential, workflow task, passport share, and smoke actor references without printing values.

/tmp/thesmios-auth-smoke.env

Audience: Operator and security reviewer

Launch proof bundle

One attachable record for public checks, authenticated fixtures, strict readiness, and skipped or blocked proofs.

/tmp/thesmios-launch-proof-bundle.json

Audience: Buyer, operator, security, and finance

Customer launch room and dossier

Customer-specific acceptance record for roles, billing, support, governance, continuity, fixture evidence, and exclusions.

/api/platform/launch-room and /api/platform/launch-dossier?download=1

Audience: Customer and implementation owner

Operator queue

| Gap | Owner | Stage blocked | Missing evidence | Proof command | Boundary |
| --- | --- | --- | --- | --- | --- |
| Authenticated tenant access proof (p1 paid launch) | Operator | managed private beta; invoice paid beta; self serve paid; enterprise expansion | CONFIRM_LAUNCH_OPERATOR_SEED=thesmios-launch-seed run output; Owner, granted-employer, and denied-employer smoke results; Authenticated tenant launch-room snapshot | Record the evidence in the customer launch room. Owner: Thesmios operator. | Private demo can continue, but a customer tenant cannot be accepted as live. |
| Credential and evidence sample proof (p1 paid launch) | Operator | managed private beta; invoice paid beta; self serve paid; enterprise expansion | check:issuer-fixture output when issuer keys and auth fixtures are configured; check:evidence-fixture output when job runner secret is configured; check:audit-export-fixture output when private storage is configured; check:privacy-fixture output for data-rights proof | Record the evidence in the customer launch room. Owner: Thesmios operator. | Do not claim production credential signing, evidence controls, audit export, or privacy fulfilment as buyer-accepted. |
| Evidence scanning, audit export, and data-rights fixtures (p1 paid launch) | Operator | invoice paid beta; self serve paid | THESMIOS_AUTH_SMOKE_PASSWORD; THESMIOS_TEST_SUBJECT_ID; THESMIOS_TEST_CREDENTIAL_ID; Evidence, audit-export, and privacy fixture output references recorded against the tenant launch room. | `THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:evidence-fixture && THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:audit-export-fixture && THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:privacy-fixture` Configure or explicitly exclude THESMIOS_AUTH_SMOKE_PASSWORD, THESMIOS_TEST_SUBJECT_ID, THESMIOS_TEST_CREDENTIAL_ID. | Treat evidence operations as managed-beta controls only; do not mark paid-beta fixture evidence accepted. |
| Operator environment preflight (p1 paid launch) | Operator | managed private beta; invoice paid beta; self serve paid; enterprise expansion | Locked operator env file with usable LAUNCH_OPERATIONS_SECRET or AUDIT_ADMIN_SECRET; Supabase public config and authenticated smoke fixture variables; PLATFORM_JOB_RUNNER_SECRET for evidence and audit fixtures | `npm run check:operator-env -- --env-file /tmp/operator.env --seed --include-fixtures` Attach the operator environment preflight evidence to the launch room or mark the claim out of scope. | Do not run operator seeding or fixture proof from this shell; retrieve real secret values from the operator password manager or approved vendor console. |
| Operator launch seed (p1 paid launch) | Operator | managed private beta; invoice paid beta; self serve paid; enterprise expansion | CONFIRM_OPERATOR_LAUNCH_PROOF; LAUNCH_OPERATIONS_SECRET or AUDIT_ADMIN_SECRET; THESMIOS_AUTH_SMOKE_PASSWORD | `CONFIRM_OPERATOR_LAUNCH_PROOF=thesmios-operator-proof LAUNCH_OPERATIONS_SECRET=<secret> THESMIOS_SMOKE_URL=https://www.thesmios.com npm run proof:operator-launch -- --seed --include-fixtures` Attach the operator launch seed evidence to the launch room or mark the claim out of scope. | Strict readiness cannot prove RLS or authenticated role separation on production data. |
| Support and status notification proof (p1 paid launch) | Operator | managed private beta; invoice paid beta; self serve paid; enterprise expansion | RESEND_API_KEY; STATUS_BROADCAST_SECRET; THESMIOS_NOTIFICATION_TEST_EMAIL; NEXT_PUBLIC_SUPABASE_URL; +3 more | `THESMIOS_SMOKE_URL=https://www.thesmios.com STATUS_BROADCAST_SECRET=<secret> THESMIOS_NOTIFICATION_TEST_EMAIL=<test-email> npm run check:notification-fixture && CONFIRM_SUPPORT_NOTIFICATION_FIXTURE=thesmios-support-notification-fixture THESMIOS_SMOKE_URL=https://www.thesmios.com THESMIOS_NOTIFICATION_TEST_EMAIL=<test-email> npm run check:support-notification-fixture` Attach the support and status notification proof evidence to the launch room or mark the claim out of scope. | Keep support/status email as dry-run or retained-attempt evidence and use manual customer communication for launch. |
| Support email (p1 paid launch) | Operator | managed private beta; invoice paid beta; self serve paid; enterprise expansion | RESEND_API_KEY; STATUS_BROADCAST_SECRET; THESMIOS_NOTIFICATION_TEST_EMAIL; NEXT_PUBLIC_SUPABASE_URL; +3 more | `THESMIOS_SMOKE_URL=https://www.thesmios.com STATUS_BROADCAST_SECRET=<secret> THESMIOS_NOTIFICATION_TEST_EMAIL=<test-email> npm run check:notification-fixture && CONFIRM_SUPPORT_NOTIFICATION_FIXTURE=thesmios-support-notification-fixture THESMIOS_SMOKE_URL=https://www.thesmios.com THESMIOS_NOTIFICATION_TEST_EMAIL=<test-email> npm run check:support-notification-fixture` Complete Support and status notification proof and rerun strict readiness. | Keep support/status email as dry-run or retained-attempt evidence and use manual customer communication for launch. |
| Audit export package proof (p1 paid launch) | Security | managed private beta; invoice paid beta; self serve paid; enterprise expansion | NEXT_PUBLIC_SUPABASE_URL; NEXT_PUBLIC_SUPABASE_ANON_KEY; THESMIOS_AUTH_SMOKE_PASSWORD; PLATFORM_JOB_RUNNER_SECRET | `THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:audit-export-fixture` Attach the audit export package proof evidence to the launch room or mark the claim out of scope. | Do not claim buyer audit export evidence is proven on production data. |
| Authenticated access and RLS proof (p1 paid launch) | Security | managed private beta; invoice paid beta; self serve paid; enterprise expansion | NEXT_PUBLIC_SUPABASE_URL; NEXT_PUBLIC_SUPABASE_ANON_KEY; THESMIOS_AUTH_SMOKE_PASSWORD; THESMIOS_TEST_SUBJECT_ID; +3 more | `THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:auth-api` Attach the authenticated access and RLS proof evidence to the launch room or mark the claim out of scope. | Do not claim production tenant isolation or verifier access control has been proven. |
| Evidence file controls proof (p1 paid launch) | Security | managed private beta; invoice paid beta; self serve paid; enterprise expansion | NEXT_PUBLIC_SUPABASE_URL; NEXT_PUBLIC_SUPABASE_ANON_KEY; THESMIOS_AUTH_SMOKE_PASSWORD; THESMIOS_TEST_SUBJECT_ID; +2 more | `THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:evidence-fixture` Attach the evidence file controls proof evidence to the launch room or mark the claim out of scope. | Private beta can use the policy scanner, but enterprise file-control proof remains incomplete. |
| Issuer signing proof (p1 paid launch) | Security | managed private beta; invoice paid beta; self serve paid; enterprise expansion | NEXT_PUBLIC_SUPABASE_URL; NEXT_PUBLIC_SUPABASE_ANON_KEY; THESMIOS_AUTH_SMOKE_PASSWORD; THESMIOS_TEST_SUBJECT_ID | `THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:issuer-fixture` Attach the issuer signing proof evidence to the launch room or mark the claim out of scope. | Do not claim production credential signing is fully proven for a tenant. |
| Privacy and data-rights proof (p1 paid launch) | Customer | managed private beta; invoice paid beta; self serve paid; enterprise expansion | NEXT_PUBLIC_SUPABASE_URL; NEXT_PUBLIC_SUPABASE_ANON_KEY; THESMIOS_AUTH_SMOKE_PASSWORD | `THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:privacy-fixture` Attach the privacy and data-rights proof evidence to the launch room or mark the claim out of scope. | Do not treat DSAR and erasure fulfilment evidence as customer-accepted. |
| Enterprise SSO and SCIM provisioning (p2 enterprise) | Enterprise | enterprise expansion | ENTERPRISE_OIDC_ISSUER; ENTERPRISE_OIDC_CLIENT_ID; ENTERPRISE_OIDC_CLIENT_SECRET; SAML_IDP_ENTITY_ID; +4 more | `THESMIOS_SMOKE_URL=https://www.thesmios.com THESMIOS_SCIM_TOKEN=<tenant-token> npm run check:scim-fixture` Configure or explicitly exclude ENTERPRISE_OIDC_ISSUER, ENTERPRISE_OIDC_CLIENT_ID, ENTERPRISE_OIDC_CLIENT_SECRET, SAML_IDP_ENTITY_ID. | Keep enterprise SSO/SCIM out of self-serve scope; require managed implementation and customer approval. |
| SCIM and enterprise SSO proof (p2 enterprise) | Enterprise | enterprise expansion | THESMIOS_SCIM_TOKEN; ENTERPRISE_OIDC_ISSUER; ENTERPRISE_OIDC_CLIENT_ID; ENTERPRISE_OIDC_CLIENT_SECRET; +3 more | `THESMIOS_SMOKE_URL=https://www.thesmios.com THESMIOS_SCIM_TOKEN=<tenant-token> npm run check:scim-fixture` Attach the SCIM and enterprise SSO proof evidence to the launch room or mark the claim out of scope. | Sell enterprise SSO/SCIM as managed setup only, not self-serve enterprise provisioning. |
| Support and incident fallback (p3 customer acceptance) | Operator | managed private beta; invoice paid beta; self serve paid; enterprise expansion | Named customer support owner; Manual incident communication channel; Status subscriber and broadcast dry-run evidence; Support request notification lifecycle fixture output; +1 more | Record the evidence in the customer launch room. Owner: Thesmios support owner. | Keep support communication manual and exclude automated email delivery from the launch claim. |
| Support email and status broadcasts (p3 customer acceptance) | Operator | invoice paid beta; self serve paid | RESEND_API_KEY; Status subscription/broadcast output, support notification fixture output, and manual follow-up evidence if email is skipped. | `STATUS_BROADCAST_SECRET=<secret> THESMIOS_NOTIFICATION_TEST_EMAIL=<test-email> THESMIOS_SMOKE_URL=https://www.thesmios.com npm run check:notification-fixture` Configure or explicitly exclude RESEND_API_KEY. | Keep support email as manual-fallback; do not promise automated notification delivery. |

Guardrails

Public-safe by design.

Never paste secret values into the browser, a support ticket, Git, Slack, or a buyer-facing launch room.
Run `check:operator-env` before every mutating production proof command and keep the env file outside the repository with locked permissions.
Treat Vercel sensitive placeholders from `vercel env pull` as missing; retrieve real values only from the approved password manager or vendor console.
Do not run seed or fixture commands unless the customer scope, order-form exclusions, and operator confirmation token are present.
If a fixture is skipped or blocked, attach the reason and keep the corresponding self-serve, enterprise, or automated claim out of scope.
This console exposes variable names, commands, endpoints, and acceptance artifacts only; it never exposes secret values.
A ready console does not mean production is paid-launch ready. Strict readiness and customer acceptance still decide the launch mode.
Operator-owned evidence can clear execution gaps, but customer signatures, vendor credentials, and enterprise IdP approvals remain external dependencies.
Mutating commands should be run from a controlled operator shell, not from a browser session.
/api/product/operator-launch-console
/api/product/launch-claims-guard
/api/product/launch-evidence-ledger
/api/product/launch-gap-register
/api/product/production-proof
/api/product/launch-clearance
/api/product/managed-beta-readiness
/api/product/vendor-readiness
/api/product/customer-launch-room
/api/platform/launch-room
/api/platform/launch-dossier?download=1
/api/product/operations-evidence
/api/product/procurement-evidence