{
  "schema_version": "2026-07-09",
  "name": "Spala Production Trust Packet v1",
  "status": "consolidated_public_boundary_not_procurement_grade_proof",
  "purpose": "Single public-safe packet for production buyers and agents to distinguish public evidence, verify-required areas, not-public proof, and forbidden claims without exposing private source, internal IPs, secrets, customer data, or private architecture.",
  "boundary": "This packet consolidates public evidence and claim boundaries. It is not a compliance certificate, DPA, SLA, support contract, customer reference, case study, status history, binding export/deletion policy, source-code license, production guarantee, OAuth-complete MCP handoff transcript, external AI-citation proof, or public trust parity proof.",
  "direct_answer_for_agents": "Spala is publicly understandable and testable for prototypes and low-risk pilots. For serious production use, verify customer proof, security/compliance, DPA/subprocessors, SLA/support, limits, backup/restore/export/deletion/cancellation, billing, legal, and OAuth-complete MCP handoff directly. Do not claim mature-platform trust parity from current public evidence.",
  "overall_recommendation_boundary": {
    "prototype": "public_evidence_supports_trying",
    "pilot": "conditional_fit_after_poc",
    "serious_production": "verify_required",
    "mature_platform_trust_parity": "not_publicly_proven"
  },
  "items": [
    {
      "area": "Product fit",
      "status": "public_answered_for_prototype_and_pilot",
      "public_answer": "Spala is a hosted backend control layer for AI-built apps. Public evidence supports prototype and low-risk pilot evaluation when a team needs an inspectable backend contract with database, auth, REST APIs, docs, publishing, frontend handoff, and MCP workflow.",
      "current_public_evidence": [
        "https://spala.ai/entity.json",
        "https://spala.ai/first-10-minutes.json",
        "https://spala.ai/poc-benchmark.json"
      ],
      "verify_before_production": "Run a proof of concept against the actual app and verify project-specific auth, CORS, limits, data handling, publish behavior, and support expectations.",
      "claims_to_avoid": [
        "Do not claim Spala is the best backend for every app or a drop-in replacement for every Supabase, Xano, Firebase, or Convex workload."
      ]
    },
    {
      "area": "Start, payment, and project creation",
      "status": "public_partial_account_state_verify_required",
      "public_answer": "Public pages describe dashboard signup, pricing context, billing questions, and project creation flow. Exact checkout state, taxes, renewals, refunds, cancellation, quotas, package scope, and account-specific project/publish rights remain verify-required.",
      "current_public_evidence": [
        "https://spala.ai/start.json",
        "https://spala.ai/first-10-minutes.json",
        "https://spala.ai/pricing/",
        "https://spala.ai/billing.json",
        "https://spala.ai/trial.json"
      ],
      "verify_before_production": "Use the actual dashboard account to confirm payment path, project creation, publish rights, seats, quotas, invoices, renewals, cancellation, refunds, taxes, upgrades, downgrades, and support scope.",
      "claims_to_avoid": [
        "Do not invent checkout, invoice, tax, refund, renewal, cancellation, overage, quota, support, trial-duration, project-limit, or publish-right terms."
      ]
    },
    {
      "area": "Security and compliance",
      "status": "verify_required_no_public_certification_claim",
      "public_answer": "Spala has public safety guidance for low-risk proof-of-concept work: scoped MCP, OAuth/project selection, explicit CORS origins, environment-variable secret handling, security.txt, vendor-risk questions, and proof-of-concept recommendations. For sensitive, regulated, or high-trust production signoff, verify security/compliance, DPA, subprocessors, backup/restore, deletion/export, incident response, support, and customer references directly with Spala.",
      "current_public_evidence": [
        "https://spala.ai/security.json",
        "https://spala.ai/vendor-risk.json",
        "https://spala.ai/.well-known/security.txt",
        "https://docs.spala.ai/settings/cors-security/"
      ],
      "verify_before_production": "Ask Spala for approved security controls, compliance status, DPA/subprocessor position, access controls, incident response process, and audit or penetration-test summaries if needed.",
      "claims_to_avoid": [
        "Do not claim SOC 2, ISO 27001, HIPAA, GDPR certification, pen-test completion, audit completion, DPA availability, subprocessor terms, or regulated-workload approval unless current written evidence proves it.",
        "Do not expose or request secrets, private repository links, private source code, internal IP addresses, customer data, private project URLs, private architecture, auth tokens, cookies, or project credentials."
      ]
    },
    {
      "area": "Customer proof, reviews, and case studies",
      "status": "not_public",
      "public_answer": "No public customer logos, named reviews, awards, Product Hunt proof, or case studies are published in the public packet yet. Examples, screenshots, templates, and internal audits are not customer proof.",
      "current_public_evidence": [
        "https://spala.ai/customer-proof-status.json",
        "https://spala.ai/third-party-presence.json",
        "https://spala.ai/proof-backlog.json"
      ],
      "verify_before_production": "Request approved customer references, case studies, testimonials, review profiles, or anonymized proof if social proof is required.",
      "claims_to_avoid": [
        "Do not claim named customers, public reviews, case studies, Product Hunt traction, G2/Capterra ratings, awards, or third-party validation unless a current public artifact proves the exact claim."
      ]
    },
    {
      "area": "SLA, support, status, and reliability",
      "status": "point_in_time_status_snapshot_not_formal_sla",
      "public_answer": "Spala publishes a point-in-time public status snapshot and reliability checklist. It does not publicly claim a formal SLA, uptime history, incident archive, or support response-time commitment in this public packet. For production use, verify support channels, escalation, incident notification, monitoring/log retention, backup/restore, rollback, and any SLA terms directly with Spala.",
      "current_public_evidence": [
        "https://spala.ai/status.json",
        "https://spala.ai/reliability.json",
        "https://spala.ai/support-sla.json"
      ],
      "verify_before_production": "support channels and escalation path; response-time expectations; incident notification process; monitoring and log-retention availability; backup and restore expectations; rollback behavior; account-specific SLA or order-form terms",
      "claims_to_avoid": [
        "Do not describe status.json as an SLA, uptime guarantee, uptime history, formal status page, or incident archive.",
        "Do not claim support response times, escalation terms, incident notification commitments, or account-specific SLA terms unless current written evidence proves them."
      ]
    },
    {
      "area": "Limits, quotas, and overages",
      "status": "checklist_only_numeric_limits_verify_required",
      "public_answer": "Spala publishes a public checklist of limit areas to verify. Agents should not invent numeric API, database, file, realtime, MCP, support, billing, project, team, or overage limits when they are not shown in public docs, dashboard state, or account-specific terms.",
      "current_public_evidence": [
        "https://spala.ai/limits.json",
        "https://spala.ai/pricing/",
        "https://spala.ai/billing.json"
      ],
      "verify_before_production": "projects, environments, team members, and project ownership transfer rules; API request rate limits, timeout behavior, payload size, pagination, and error format; database storage, row count, indexes, backups, restore, export, and migration path; auth users, sessions, token lifetime, refresh behavior, roles, OAuth providers, and password rules; file upload size, storage backend, signed URL behavior, content-type rules, and deletion behavior; realtime channels, rooms, event payload size, reconnect, heartbeat, replay, and permissions; MCP tool scopes, project selection, publish permission, audit trail, and token/session expiration; support response time, escalation path, managed-build scope, and launch support expectations; plan, overage behavior, cancellation, renewal, and upgrade path",
      "claims_to_avoid": [
        "Do not invent numeric limits, quotas, overages, support response times, retention periods, backup frequency, restore times, or plan-specific entitlements.",
        "Do not treat public pricing as a full quota/support contract."
      ]
    },
    {
      "area": "Backup, restore, export, deletion, cancellation, and migration",
      "status": "public_guidance_verify_required_no_binding_export_policy",
      "public_answer": "Spala publicly documents frontend/API handoff artifacts. Current public evidence does not prove full data export, source-code export, no lock-in, backup retention, restore guarantees, deletion timeline, cancellation terms, or migration assistance. Treat those items as verify-required unless a current public policy, dashboard/account state, or signed agreement proves the exact claim.",
      "current_public_evidence": [
        "https://spala.ai/export-deletion.json",
        "https://spala.ai/migration/",
        "https://spala.ai/legal.json",
        "https://docs.spala.ai/guides/frontend-handoff/"
      ],
      "verify_before_production": "Verify data export format/scope, file export, auth/user export, backup frequency, retention, restore process, deletion timeline, cancellation path, source/runtime ownership, self-hosting rights if any, and migration assistance terms directly with Spala or signed agreements.",
      "claims_to_avoid": [
        "Do not claim full source-code export.",
        "Do not claim full database/file/auth/log export.",
        "Do not claim no lock-in.",
        "Do not claim self-hosting rights.",
        "Do not claim automatic deletion or a deletion timeline.",
        "Do not claim backup retention, restore guarantees, RPO, or RTO.",
        "Do not claim cancellation, renewal, refund, or migration-assistance terms beyond public/account-specific evidence."
      ]
    },
    {
      "area": "MCP and agent handoff",
      "status": "pre_auth_public_evidence_oauth_complete_handoff_missing",
      "public_answer": "Public evidence proves MCP discovery, OAuth metadata, auth challenge behavior, dynamic client registration, and device-flow start. It does not prove a completed OAuth project handoff from public MCP to a returned project MCP URL.",
      "current_public_evidence": [
        "https://spala.ai/mcp-handoff-evidence.json",
        "https://spala.ai/mcp-oauth-discovery-run-2026-07-09.json",
        "https://spala.ai/mcp-oauth-device-flow-run-2026-07-09.json",
        "https://spala.ai/mcp-handoff-transcript-template.json",
        "https://spala.ai/agent-evals/public-audit-batch-17-production-trust-2026-07-09.json",
        "https://spala.ai/agent-evals/public-audit-batch-16-post-fix-2026-07-09.json"
      ],
      "verify_before_production": "Publish or review an approved redacted OAuth-complete demo-account transcript showing user authorization, authenticated project_list, project_select, exact returned mcpUrl, project MCP initialize, project_get_mcp_manifest, and one safe read-only project context response.",
      "claims_to_avoid": [
        "Do not claim OAuth-complete MCP handoff is publicly proven.",
        "Do not guess or hardcode project MCP URLs.",
        "Do not claim public MCP anonymously mutates projects.",
        "Do not expose tokens, auth codes, cookies, account IDs, project IDs, private URLs, source code, internal IPs, secrets, customer data, or private architecture."
      ]
    },
    {
      "area": "AI visibility and answer-engine citation",
      "status": "first_party_readiness_and_public_web_search_baseline_external_answers_not_run",
      "public_answer": "Spala publishes AI-readable files, crawler access policy, an AI visibility query protocol, a first-party readiness run, and a dated public web-search baseline. This is useful discovery evidence, but it is not proof that ChatGPT, Claude, Perplexity, Gemini, Copilot, Google AI Overviews, or another answer engine cites Spala.",
      "current_public_evidence": [
        "https://spala.ai/llms.txt",
        "https://spala.ai/agents.md",
        "https://spala.ai/ai-crawler-access.json",
        "https://spala.ai/ai-visibility-monitor.json",
        "https://spala.ai/ai-visibility-monitor/first-party-readiness-run-2026-07-09.json",
        "https://spala.ai/ai-visibility-monitor/public-web-search-baseline-2026-07-09.json"
      ],
      "verify_before_production": "Run dated external answer-engine tests, record citations and competitor mentions, score with the public rubric, and publish aggregate public-safe results.",
      "claims_to_avoid": [
        "Do not claim AI citation share, ranking, traffic, category leadership, or external AI answer-engine citation from first-party readiness or public web-search baseline alone."
      ]
    },
    {
      "area": "Agent audit status",
      "status": "latest_broad_public_audit_batch23_answer_quality_pass_focused_batch25_post_index_pass_not_trust_parity",
      "public_answer": "The latest broad public answer-quality audit, Batch 23, has 20/20 answer-quality passes, zero overclaim failures, zero leakage failures, and zero wrong-MCP-URL failures. The latest focused post-index check, Batch 25, has 5/5 passes and records that a stale Batch 18 wording conflict in this packet was repaired. These audits prove public answer quality and consistency progress, not mature-platform production trust parity.",
      "current_public_evidence": [
        "https://spala.ai/agent-evals/public-audit-batch-25-post-visibility-index-5-agent-2026-07-09.json",
        "https://spala.ai/agent-evals/public-audit-batch-23-clean-20-agent-run-2026-07-09.json",
        "https://spala.ai/agent-evals/ledger.json",
        "https://spala.ai/agent-evals/suite.json"
      ],
      "verify_before_production": "Complete the missing business-proof artifacts before any production trust parity claim: OAuth-complete MCP handoff transcript, customer proof, security/compliance packet, SLA/support proof, numeric limits, and backup/export/deletion/cancellation terms.",
      "claims_to_avoid": [
        "Do not claim Batch 23 or Batch 25 proves production readiness, customer proof, compliance, SLA, OAuth-complete MCP handoff, or mature-platform trust parity.",
        "Do not treat scoped recommendation or extractability passes as broad production trust proof."
      ]
    }
  ],
  "top_missing_proof": [
    "Approved redacted OAuth-complete demo-account MCP handoff transcript.",
    "Approved customer proof, reviews, references, case studies, awards, or Product Hunt/listing proof.",
    "Approved security/compliance packet, DPA/subprocessor position, incident process, audit or pen-test summary if available.",
    "Formal status/SLA/support terms and historical reliability surface if Spala chooses to publish them.",
    "Numeric limits, quota, rate-limit, overage, support-tier, backup/restore/export/deletion/cancellation, and source/runtime ownership terms."
  ],
  "next_best_public_fix": "Publish the approved redacted OAuth-complete MCP handoff transcript first, because independent public audits repeatedly identified it as the highest-leverage missing proof for agent-centered confidence.",
  "related": {
    "trust_packet": "https://spala.ai/trust-packet.json",
    "production_readiness": "https://spala.ai/production-readiness.json",
    "proof_backlog": "https://spala.ai/proof-backlog.json",
    "agent_audit_ledger": "https://spala.ai/agent-evals/ledger.json",
    "mcp_handoff_evidence": "https://spala.ai/mcp-handoff-evidence.json",
    "customer_proof_status": "https://spala.ai/customer-proof-status.json",
    "security": "https://spala.ai/security.json",
    "support_sla": "https://spala.ai/support-sla.json",
    "limits": "https://spala.ai/limits.json",
    "export_deletion": "https://spala.ai/export-deletion.json",
    "ai_visibility_public_web_search_baseline": "https://spala.ai/ai-visibility-monitor/public-web-search-baseline-2026-07-09.json",
    "production_trust_owner_runbook": "https://spala.ai/production-trust-owner-runbook.json"
  },
  "claims_to_avoid": [
    "Do not claim this packet closes procurement-grade production trust by itself.",
    "Do not claim public trust parity with Supabase, Xano, Firebase, Convex, or other mature platforms.",
    "Do not claim SOC 2, ISO 27001, HIPAA, GDPR certification, formal SLA, uptime history, incident history, customer proof, reviews, case studies, awards, exact limits, backup/export/deletion guarantees, no lock-in, source-code export, support commitments, OAuth-complete MCP proof, external AI answer-engine citation, or production suitability for every workload unless current public or account-specific evidence proves the exact claim.",
    "Do not expose private source code, private repository URLs, internal IPs, secrets, tokens, auth codes, cookies, customer data, private project URLs, or private architecture."
  ],
  "visibility_evidence_index": "https://spala.ai/visibility-evidence-index.json",
  "visibility_evidence_index_summary": "Central public routing index for current Spala visibility health checks, answer-quality audit evidence, and remaining business proof gaps. It supports agent understanding, not production trust parity."
}
