Product and berths
- Approved product family copy and berth limits.
- Tax, refund, invoice, and order-form handling.
- Support expectations that do not imply unapproved service commitments.
Harbor checklist
Use this checklist before making any production-readiness claim.
M100 now gives BayStore a bounded non-payment launch packet for api_origin api.baystore.com: GO_NON_PAYMENT_BOUNDED and claim bounded_non_payment_release_gate_only are available only when the required API/worker/runtime/customer-owner evidence is fresh, PASS, and live where required. Live payments, hosted checkout, managed providers, and full production readiness still require separate evidence.
Current public state
What is visible now, and what remains deferred?
| Area | Current public state | Remaining blocker or non-claim |
|---|---|---|
| Marketing site | Static native HTML/CSS/JS with self-hosted assets and sitemap coverage. | GitHub/Cloudflare deploy proof, deployment-specific CDN, TLS, and cache policies. |
| Checkout | Checkout remains sandbox_placeholder; this public site does not charge cards or configure production provider billing. | Approved live payments, hosted checkout, tax handling, receipts, and merchant review. |
| Customer access | M99 validates Web signin, dashboard target matching, Web /api Harbor access, Open berth UI, product access probe, and owner boundaries. | Long-term identity provider, account issuance policy, and authorization operating model remain launch decisions. |
| Runtime operations | M100 aggregates API, worker, runtime, and customer-owner reports into a bounded non-payment launch packet. | Managed Vault/KMS, managed SaaS observability/on-call, managed backup RPO/RTO, and full production readiness are not claimed. |
| Compliance claims | BayStore does not currently claim SOC 2, ISO 27001, HIPAA, PCI DSS, or other third-party compliance certification. | Independent audit evidence and approved public claims. |
Readiness work
Production launch needs decisions across product, trust, and operations.
Security and legal
- Privacy, DPA, cookies, and terms reviewed for the launch jurisdiction.
- Access control, data handling, retention, and incident process evidence.
- No certification claim unless approved evidence exists.
Runtime operations
- Provision, suspend, upgrade, retry, and retire actions wired to approved execution paths.
- Backup metadata and restore procedure tested in the production environment.
- Status page and support handoff aligned to actual deployment behavior.
Use this checklist as a boundary document: it explains what the static public surface can say today and which claims require separate evidence before publication.