diff --git a/salesflow-saas/commercial/claims_registry.yaml b/salesflow-saas/commercial/claims_registry.yaml
new file mode 100644
index 00000000..80b29d13
--- /dev/null
+++ b/salesflow-saas/commercial/claims_registry.yaml
@@ -0,0 +1,109 @@
+# claims_registry.yaml — Dealix Commercial Claims Registry
+# Rule: No marketing material may state a capability unless it exists here with status=approved.
+# Last updated: 2026-04-17
+
+claims:
+  # ── APPROVED (backed by runtime evidence) ──────────────
+  - id: golden_path_works
+    claim_en: "End-to-end partner workflow with structured outputs, approval enforcement, and evidence packs"
+    claim_ar: "مسار شراكة كامل من البداية للنهاية مع مخرجات مهيكلة وموافقات إلزامية وحزم أدلة"
+    status: approved
+    evidence: "POST /api/v1/golden-path/run — creates dossier, economics, approval, evidence"
+    disclaimer_required: false
+
+  - id: evidence_packs_sha256
+    claim_en: "Tamper-evident evidence packs with SHA256 hash verification"
+    claim_ar: "حزم أدلة مقاومة للتلاعب مع تحقق SHA256"
+    status: approved
+    evidence: "backend/app/services/evidence_pack_service.py — hash computed and stored"
+
+  - id: executive_room_live
+    claim_en: "Real-time Executive Room aggregating live data from 7 sources"
+    claim_ar: "غرفة قيادة تنفيذية لحظية تجمع بيانات من 7 مصادر"
+    status: approved
+    evidence: "GET /api/v1/executive-room/snapshot — queries Deal, Approval, Connector, Compliance, Contradiction, StrategicDeal, EvidencePack tables"
+
+  - id: approval_sla
+    claim_en: "Approval Center with SLA tracking and escalation"
+    claim_ar: "مركز موافقات مع تتبع SLA وتصعيد"
+    status: approved
+    evidence: "sla_escalation_alerts.py — escalation levels 0-3"
+
+  - id: arabic_first
+    claim_en: "Arabic-first UI with full RTL support"
+    claim_ar: "واجهة عربية أولاً مع دعم RTL كامل"
+    status: approved
+    evidence: "9 frontend components with Arabic labels, RTL layout, i18n"
+
+  - id: pdpl_consent_checks
+    claim_en: "PDPL consent verification before outbound messaging"
+    claim_ar: "التحقق من موافقة PDPL قبل الرسائل الصادرة"
+    status: approved
+    evidence: "services/pdpl/consent_manager.py — check before send"
+
+  - id: trust_enforcement
+    claim_en: "Class B actions blocked without correlation_id 
traceability"
+    claim_ar: "الإجراءات الحساسة محظورة بدون معرف تتبع"
+    status: approved
+    evidence: "openclaw/approval_bridge.py — missing_correlation_id check"
+
+  - id: seventeen_schemas
+    claim_en: "17 structured output schemas with Provenance (trace_id, confidence, freshness)"
+    claim_ar: "17 مخطط مخرج مهيكل مع بيانات المصدر والثقة"
+    status: approved
+    evidence: "schemas/structured_outputs.py + services/structured_output_producers.py"
+
+  # ── RESTRICTED (partially true, needs qualifier) ──────
+  - id: rls_isolation
+    claim_en: "Database-level tenant isolation via PostgreSQL RLS"
+    claim_ar: "عزل المستأجرين على مستوى قاعدة البيانات عبر RLS"
+    status: restricted
+    qualifier: "Migration exists; production deployment pending. Say 'RLS-ready architecture' not 'RLS-enforced'."
+    evidence: "alembic/versions/20260417_0002_add_rls.py"
+
+  - id: durable_execution
+    claim_en: "Crash-safe durable workflows with persistent checkpoints"
+    claim_ar: "تنفيذ متين مع نقاط حفظ دائمة"
+    status: restricted
+    qualifier: "Checkpointer exists; not yet integrated into golden path. Say 'durable execution architecture' not 'crash-proof workflows'."
+
+  # ── FORBIDDEN (never claim) ────────────────────────────
+  - id: soc2_compliant
+    claim_en: "SOC 2 Type II compliant"
+    status: forbidden
+    reason: "No auditor report. Can only say 'SOC 2 readiness in progress'."
+
+  - id: ai_perfect
+    claim_en: "100% AI accuracy"
+    status: forbidden
+    reason: "No ML system achieves 100% accuracy."
+
+  - id: better_than_salesforce
+    claim_en: "Better than Salesforce"
+    status: forbidden
+    reason: "Different positioning, not direct comparison. Say 'complementary' or 'specialized for GCC'."
+
+  - id: temporal_production
+    claim_en: "Temporal in production"
+    status: forbidden
+    reason: "Temporal is Watch tier. No code exists."
+
+  - id: opa_production
+    claim_en: "OPA policy engine in production"
+    status: forbidden
+    reason: "OPA is Watch tier. No code exists."
+
+  - id: full_autonomy
+    claim_en: "Fully autonomous AI decisions"
+    status: forbidden
+    reason: "HITL is mandatory for Class B actions. Never claim full autonomy."
+
+  - id: enterprise_grade
+    claim_en: "Enterprise-grade"
+    status: forbidden
+    reason: "No SOC 2, no pentest, no production deployment yet. Too early."
+
+  - id: ten_x_revenue
+    claim_en: "10x revenue increase"
+    status: forbidden
+    reason: "No customer data supports this claim."
diff --git a/salesflow-saas/docs/execution_log.md b/salesflow-saas/docs/execution_log.md
new file mode 100644
index 00000000..fcf344a0
--- /dev/null
+++ b/salesflow-saas/docs/execution_log.md
@@ -0,0 +1,6 @@
+# Execution Log — Dealix Tier-1 Blueprint
+
+| Task | Date | Commit SHA | Result |
+|------|------|-----------|--------|
+| TASK-999 | 2026-04-17 | pending | State Audit written |
+| TASK-010 | 2026-04-17 | pending | TRUTH.yaml + claims_registry.yaml created |
diff --git a/salesflow-saas/docs/internal/STATE_AUDIT.md b/salesflow-saas/docs/internal/STATE_AUDIT.md
new file mode 100644
index 00000000..dd9ba36f
--- /dev/null
+++ b/salesflow-saas/docs/internal/STATE_AUDIT.md
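Review bot: The `evidence_packs_sha256` entry is approved as "Tamper-evident evidence packs with SHA256 hash verification", but its evidence line only says the hash is "computed and stored"; a hash kept next to the data it covers can be recomputed by anyone who can write that row, and nothing here points at a verify-on-read path, so the approved wording goes beyond what the cited evidence supports. Until the hash is checked on retrieval and anchored outside the writer's reach (signed, or written to an append-only log), this belongs under RESTRICTED with something like `qualifier: "Hash stored with the pack; say 'integrity-hashed evidence packs', not 'tamper-evident', until verify-on-read and an external anchor exist."` Separately, `rls_isolation` is `restricted` here while TRUTH.yaml in the same commit sets `public_claim_allowed: false` for `rls_multi_tenancy`, so the two registries disagree on whether any RLS wording may be used publicly. Only `golden_path_works` carries `disclaimer_required`; if that field drives any tooling, the other entries have no value for it and should either set it explicitly or the header comment should state the default.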
@@ -0,0 +1,132 @@
+# STATE AUDIT — Dealix Pre-Execution Assessment
+
+> **Date**: 2026-04-17
+> **Auditor**: Claude Code (automated)
+> **Scope**: Answer all §1.4 questions from DEALIX_EXECUTION_BLUEPRINT.md
+
+---
+
+## Q1: Is the project still a fork of system-prompts-and-models-of-ai-tools?
+
+**Answer**: YES — Dealix currently lives inside `salesflow-saas/` subdirectory of `VoXc2/system-prompts-and-models-of-ai-tools`, which is a repository containing leaked AI tool prompts from 45+ vendors.
+
+**Risk**: Commercial, legal, and reputational. Core IP shares a repo with leaked/extracted prompts.
+
+**Action**: TASK-001 (repository separation) is BLOCKER.
+
+---
+
+## Q2: What is the actual Python test pass rate?
+
+**Answer**: UNKNOWN (CI failing due to pre-existing dependency drift).
+
+**Evidence**:
+- 19 test files exist in `backend/tests/`
+- 1,073 total lines of test code
+- CI exit code 4 (pytest collection error) on all commits after `a319feb`
+- Root cause: unpinned transitive dependency updated on PyPI between CI runs
+- Router.py and pytest.ini byte-identical between passing and failing commits
+
+**Action**: TASK-003 (dependency lockfile with `uv`) will resolve this.
+
+---
+
+## Q3: What is the actual RLS coverage per table?
+
+**Answer**: MIGRATION EXISTS but NOT APPLIED to production.
+
+**Evidence**:
+- `alembic/versions/20260417_0002_add_rls.py` — migration defines RLS for 23 tables
+- `database_rls.py` — helpers for SET LOCAL app.tenant_id
+- `middleware/tenant_rls.py` — extracts tenant_id from JWT
+- **Current state**: Migration exists in code but no production PostgreSQL to apply it to
+
+**Action**: Apply migration on first production deployment.
+
+---
+
+## Q4: Which external actions actually have idempotency keys?
+
+**Answer**: MIDDLEWARE EXISTS but NOT YET INTEGRATED into specific routes.
+
+**Evidence**:
+- `models/idempotency_key.py` — table defined
+- `services/idempotency_service.py` — get_existing/store logic
+- `middleware/idempotency.py` — HTTP middleware checks Idempotency-Key header
+- **Not integrated**: Middleware not added to FastAPI app middleware stack
+
+**Action**: Add middleware to app initialization in main.py.
+
+---
+
+## Q5: Which code paths actually emit OTel spans?
+
+**Answer**: ONE code path — OpenClaw gateway.
+
+**Evidence**:
+- `observability/otel.py` — init_otel/span/inject_correlation_id (graceful degradation)
+- `openclaw/gateway.py` — wraps execute() in span with correlation_id bridge
+- **NOT instrumented**: Individual golden path stages, LLM calls, DB queries, HTTP handlers
+- **OTel packages NOT in requirements.txt** — installed as optional
+
+**Action**: Add OTel packages to requirements, instrument golden path stages.
+
+---
+
+## Q6: Is there any production traffic today?
+
+**Answer**: NO — based on repo evidence.
+
+**Evidence**:
+- No production deployment configuration found
+- No monitoring/alerting setup active
+- docker-compose.yml exists for local dev
+- No Kubernetes, Terraform, or cloud deployment files
+
+---
+
+## Q7: Are there any active paying customers?
+
+**Answer**: NO — no billing records, no customer data, no invoices.
+
+**Evidence**: Revenue activation docs exist as plans, not records.
+
+---
+
+## Q8: What is the current infrastructure cost/month?
+
+**Answer**: ~$0 (development only, no production infrastructure running).
+
+---
+
+## Q9: What are the LLM costs/month and which providers?
+
+**Answer**: $0 in production. Configured providers:
+
+| Provider | Model | Status |
+|----------|-------|--------|
+| Groq | llama-3.3-70b | Configured as primary |
+| OpenAI | gpt-4o | Configured as fallback |
+| Claude | opus-4-6 | In model_router |
+| Gemini | 2.0-flash | Pilot |
+| DeepSeek | coder | Pilot |
+
+No production API keys observed. All testing/development.
+
+ ---
+
+## Summary
+
+| Question | Status |
+|----------|--------|
+| Repo separated? | **NO** — BLOCKER |
+| Tests passing? | **NO** — dependency drift |
+| RLS coverage? | **CODE EXISTS** — not applied |
+| Idempotency? | **CODE EXISTS** — not integrated |
+| OTel spans? | **1 PATH** — gateway only |
+| Production traffic? | **NONE** |
+| Paying customers? | **NONE** |
+| Infrastructure cost? | **$0** |
+| LLM cost? | **$0** |
+
+**Verdict**: Dealix is a pre-revenue, pre-production project with strong architecture but no live deployment. TASK-001 (repo separation) and TASK-003 (dependency fix) are true blockers.
diff --git a/salesflow-saas/docs/registry/TRUTH.yaml b/salesflow-saas/docs/registry/TRUTH.yaml
new file mode 100644
index 00000000..2d75f31c
--- /dev/null
+++ b/salesflow-saas/docs/registry/TRUTH.yaml
@@ -0,0 +1,137 @@
+# TRUTH.yaml — Dealix Canonical Truth Registry
+# Last updated: 2026-04-17
+# Owner: Founder + CTO
+# Rule: Edited only via PR with review. No file outside this registry may create a new claim.
+
+version: "1.0.0"
+
+orchestrator:
+  canonical: "dealix-core-orchestrator"
+  engine: "openclaw-2026.4.x"
+  deprecated: []
+
+llm_policy:
+  primary: "groq/llama-3.3-70b-versatile"
+  fallback: "openai/gpt-4o"
+  arabic_specialist: "groq/llama-3.3-70b-versatile"
+  embedding: "openai/text-embedding-3-large"
+  budget_per_tenant_monthly_usd: 50
+  cost_alert_threshold: 0.7
+  cost_throttle_threshold: 0.9
+
+capabilities:
+  - id: golden_path_partner
+    name: "Partner Golden Path"
+    status: live
+    evidence_path: "backend/app/services/golden_path.py"
+    runtime_flag: null
+    public_claim_allowed: true
+
+  - id: saudi_sensitive_workflow
+    name: "Saudi PDPL Data Sharing Workflow"
+    status: live
+    evidence_path: "backend/app/services/saudi_sensitive_workflow.py"
+    runtime_flag: null
+    public_claim_allowed: true
+
+  - id: structured_outputs
+    name: "17 Schema-Bound Decision Outputs"
+    status: live
+    evidence_path: "backend/app/schemas/structured_outputs.py"
+    runtime_flag: null
+    public_claim_allowed: true
+
+  - id: executive_room
+    name: "Executive Room + Weekly Pack"
+    status: live
+    evidence_path: "backend/app/api/v1/executive_room.py"
+    runtime_flag: null
+    public_claim_allowed: true
+
+  - id: approval_center
+    name: "Approval Center with SLA"
+    status: live
+    evidence_path: "backend/app/api/v1/approval_center.py"
+    runtime_flag: null
+    public_claim_allowed: true
+
+  - id: evidence_packs
+    name: "Evidence Packs with SHA256"
+    status: live
+    evidence_path: "backend/app/services/evidence_pack_service.py"
+    runtime_flag: null
+    public_claim_allowed: true
+
+  - id: contradiction_engine
+    name: "Contradiction Detection & Tracking"
+    status: live
+    evidence_path: "backend/app/services/contradiction_engine.py"
+    runtime_flag: null
+    public_claim_allowed: true
+
+  - id: 
rls_multi_tenancy
+    name: "PostgreSQL Row-Level Security"
+    status: partial # migration exists, not applied to production
+    evidence_path: "backend/alembic/versions/20260417_0002_add_rls.py"
+    runtime_flag: null
+    public_claim_allowed: false
+
+  - id: durable_execution
+    name: "Persistent Durable Checkpoints"
+    status: partial # model + service exist, not integrated into golden path
+    evidence_path: "backend/app/services/durable_runtime.py"
+    runtime_flag: null
+    public_claim_allowed: false
+
+  - id: idempotency
+    name: "Idempotency Keys for Side Effects"
+    status: partial # middleware + model exist, not in app middleware stack
+    evidence_path: "backend/app/middleware/idempotency.py"
+    runtime_flag: null
+    public_claim_allowed: false
+
+  - id: opentelemetry
+    name: "OpenTelemetry Observability"
+    status: partial # gateway spans + otel.py, packages not in requirements
+    evidence_path: "backend/app/observability/otel.py"
+    runtime_flag: null
+    public_claim_allowed: false
+
+  - id: ma_os
+    name: "M&A / Corporate Development"
+    status: roadmap
+    evidence_path: "docs/governance/ma-os.md"
+    runtime_flag: null
+    public_claim_allowed: false
+
+  - id: pmi_os
+    name: "PMI / Strategic PMO"
+    status: roadmap
+    evidence_path: "docs/governance/pmi-os.md"
+    runtime_flag: null
+    public_claim_allowed: false
+
+  - id: temporal_integration
+    name: "Temporal Durable Workflows"
+    status: roadmap
+    evidence_path: null
+    runtime_flag: null
+    public_claim_allowed: false
+
+  - id: soc2_type_ii
+    name: "SOC 2 Type II Certification"
+    status: roadmap
+    evidence_path: null
+    runtime_flag: null
+    public_claim_allowed: false
+
+data_residency:
+  regions_supported: ["me-south-1"] # AWS Bahrain
+  default_region: "me-south-1"
+  ksa_option: "planned"
+
+security_claims:
+  rls_enforced: false # migration exists, production deployment pending
+  soc2_type_ii: false
+  pdpl_compliant: "in-progress"
+  annual_pentest: false
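Review bot: `data_residency.regions_supported: ["me-south-1"]` states a supported region as fact, yet the STATE_AUDIT added in this same commit (Q6) finds no Kubernetes, Terraform or cloud deployment files, and this file's own header forbids claims without evidence; it should carry a status the way `ksa_option` does rather than read as live, e.g. `regions_supported: []  # nothing deployed yet` with `planned_regions: ["me-south-1"]  # AWS Bahrain`. In `security_claims`, `pdpl_compliant: "in-progress"` is a non-empty string sitting among booleans, so any consumer that tests the value for truthiness will treat PDPL as compliant; either set it to `false` with a comment, or switch the whole map to an explicit status enum and document the allowed values in the header. The `saudi_sensitive_workflow` capability is `public_claim_allowed: true` while `pdpl_compliant` is not, which is only safe if marketing quotes the capability name verbatim; a comment on that entry such as `# workflow is claimable; PDPL compliance itself is not (see security_claims)` would close the gap.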