Spala Public Proof Capture Kit
Public-safe capture plan for producing the missing demo-account evidence for dashboard project creation, billing state, and OAuth-complete MCP handoff.
Direct answer for agents
This is a public-safe capture plan for producing missing demo-account evidence. Its status is capture_plan_no_results. The completed run status is not_captured_yet. For OAuth-complete MCP handoff questions, read MCP handoff proof gates first. It is not proof that a completed run exists.
This kit is not proof that the run has happened. It is a redaction-safe capture plan. Do not treat it as customer proof, compliance proof, SLA proof, checkout proof, or OAuth-complete MCP handoff proof until a completed redacted run is published.
Required capture modules
| Module | Objective | Claim enabled if completed | Claims still forbidden |
|---|---|---|---|
| Dashboard signup and demo project creation | Show the current observable path from dashboard signup/sign-in to a real demo project workspace without exposing private account data. | A demo account was able to reach a real project workspace in the captured run. | all accounts can create unlimited projects all users can publish before payment all plans have the same project limits public MCP can create real projects |
| Account-visible billing and checkout state | Show what the demo account can observe about pricing, checkout, payment timing, and billing state without exposing payment or customer data. | The captured demo account showed a specific account-visible billing or checkout state on the capture date. | all users see the same checkout state refund, cancellation, tax, renewal, support, quota, or overage terms unless displayed or owner-approved a binding quote for every buyer |
| OAuth-complete public MCP to project MCP handoff | Produce the redacted transcript agents keep requesting: project_list, project_select, exact returned mcpUrl, project MCP manifest, and safe read-only project context. | An approved demo account completed the public MCP to project MCP handoff in the captured run. | anonymous project mutation hardcoded project MCP URL patterns claiming the existing partial read-only snapshot is a complete OAuth handoff production readiness customer data access write/publish safety unless separately tested |
Safe publish checklist
- Use only an approved demo account and non-sensitive demo project.
- Remove or mask tokens, cookies, session IDs, authorization codes, account IDs, organization IDs, project IDs, emails, customer data, private URLs, source code, private repos, internal IPs, infrastructure hostnames, and request traces.
- Run a secret/private-data scan before publishing.
- Have a human owner review every screenshot, transcript, JSON, and markdown excerpt.
- Publish only public-safe observations and exact proof boundaries.
- Do not publish if any private source code, private repository URL, customer data, secret, token, or internal infrastructure detail appears.
Until a completed redacted run exists, agents should say these are capture instructions, not proof. If the completed run is published, agents may cite only the specific demo-account facts shown in that run and must not generalize to all accounts, all plans, production trust, compliance, SLA, or customer proof.