PMO Reporting · Phase 1 Hardening Backlog · 26 June 2026
Phase 1 hardening backlog.
This backlog is the structural answer to Decision D207, tabled at Steerco #2 on 22 June 2026. Flip 360 is of the same breed as Airbnb, Afterpay, Uber, Airtasker and Canva. The standard of diligence Flip 360 holds itself to is the standard a listed-company tech IPO is held to. We never compromise on thought leadership or quality. We accelerate the build so the copy becomes true.
The PMO position
Every claim made on /faq, /sweetener, /architecture, /attribution, /member and /solution falls into one of three columns: evidenced today (the repo proves it), sprint committed (window, owner, Steerco gate set), or scoped for Phase 2 (decision logged, deferred). Nothing sits in "we say so". That's the standard. This page makes it operational.
- Total claims tracked: 19 · aspirational copy → committed delivery
- Evidenced today: 0 · repo proves it · zero gap
- Sprint committed: 16 · window · owner · gate set
- Scoped: 3 · decision logged · sprint to window
- Engineering days, Phase 1: 46 · 59 total · 13 deferred to Phase 2
Zero items flagged "not committed"
Every aspirational claim in the public marketing copy has either evidence in the repo today or a committed sprint with owner and gate. This is the operating standard.
Tier 0 · Foundational trust
Auth, identity, signature primitives — without these, no honest claim survives
H001 · Sprint committed · 3 engineering days
Member auth & signup (email + password + magic link)
Owner · Gate: Carla Oliver · SC#3 · 6 Jul 2026
The claim in marketing copy
"Every member signs every chain event with a key bound to their device — Apple Secure Enclave / Android StrongBox / WebAuthn."
Cited at:
/faq (Q5 "How are signatures verified?" + Q20 "What's the tech stack?") ·
/sweetener (§ Spec card "Non-repudiable signatures") ·
/architecture (C4 model · containers · signature primitives)
Evidence today
No auth provider integrated. No /signup, /login or /logout routes. `contacts` table exists in D1 but has no `auth_provider_id` column. Every page renders ungated.
Gap to close
Before WebAuthn / device-bound keys is honest, the platform needs a real identity layer. Foundational gap — every Tier-0 item below builds on this.
Sprint window: SC#2 → SC#3 · 22 Jun – 6 Jul 2026 (10 working days)
Acceptance test (PMO will run at Steerco gate)
Mathew completes signup with email+password, receives magic-link verification, sees gated /me/* surfaces, signs out and back in. Five test members provisioned via signup, not seed migration.
H002 · Sprint committed · 5 engineering days
KYC / identity verification for partners (FrankieOne or Greenid)
Owner · Gate: Carla Oliver · SC#4 · 20 Jul 2026
The claim in marketing copy
"Members are verified humans — AML/CTF identification, AUSTRAC threshold reporting, ATO RCTI compliance."
Cited at:
/faq (Q4 "Six functional outcomes" · "AUSTRAC threshold reporting") ·
/sweetener (§ Spec card "Regulator-ready disclosure")
Evidence today
No KYC integration. `contacts` has no `kyc_status` column. No AML/CTF gating on payout eligibility.
Gap to close
A claim to AUSTRAC-grade reporting without identity verification is not honest. FrankieOne or Greenid is the Australian-market default.
Sprint window: SC#3 → SC#4 · 6 Jul – 20 Jul 2026 (10 working days)
Acceptance test (PMO will run at Steerco gate)
New partner signup triggers KYC check; partner cannot reach "Earnings withdrawable" state until KYC=PASS; failed KYC visible on admin dashboard.
H003 · Sprint committed · 3 engineering days
Signature primitive v1 — drawn pad + sha-256 + audit row
Owner · Gate: Carla Oliver · SC#4 · 20 Jul 2026
The claim in marketing copy
"Every handshake is signed by the party's device-bound key and chained to the previous event's hash."
Evidence today
engagement_signatures table (migration 0007) DOES exist and works for the CoSai engagement. Drawn signature pad, sha-256 hashing, IP+UA audit row. /engage and /engage-corrina prove the pattern. causation_receipts + receipt_events + device_keys tables exist (migration 0005) but device_keys.public_key is seed placeholder.
Gap to close
The engagement signature primitive works. What's aspirational is *device-bound* (hardware-key) signatures. Sprint v1 — extend the engagement pattern to commission events using the same drawn-pad + sha-256 approach. v2 (WebAuthn) is Tier 3.
Sprint window: SC#3 → SC#4 · 6 Jul – 20 Jul 2026 (5 working days)
Acceptance test (PMO will run at Steerco gate)
Member creates a referral intent through /me/refer, signs with drawn pad; signature_hash stored, audit row written, hash visible at /verify/:id. Three test referrals signed end-to-end without seed data.
H004 · Sprint committed · 1 engineering day
Member directory honesty — labels match reality
Owner · Gate: Carla Oliver · SC#3 · 6 Jul 2026
The claim in marketing copy
"The /me/refer page reflects real member-to-member referrals from real signups."
Cited at:
/me/refer (Page currently labelled "mockup" in source comments) ·
/attribution (Signatures labelled "SEED_PLACEHOLDER")
Evidence today
attribution.tsx labels itself as "mockup"; signatures explicitly tagged "SEED_PLACEHOLDER" in source code. This is honest in code but invisible to the user.
Gap to close
Add a runtime "SEED DATA" badge on any surface still showing seed contacts / placeholder signatures, until H001 + H002 + H003 ship and real data replaces seed.
Sprint window: SC#2 → SC#3 · 22 Jun – 6 Jul 2026 (1 working day)
Acceptance test (PMO will run at Steerco gate)
Visiting /me/refer with no live signups shows a yellow "SEED DATA · pre-launch demonstration" strip. Once 5+ real members signed up via H001, the badge auto-clears.
Tier 1 · Money rail
Payments, RCTI, disputes, notifications — the path from earned to paid
H101 · Sprint committed · 4 engineering days
Stripe Connect Express integration (option A from D204)
Owner · Gate: Carla Oliver · SC#3 · 6 Jul 2026
The claim in marketing copy
"Stripe Connect is the rail. Application_fee_amount model — Flip 360 receives only its 1% processing fee, principal moves member-to-member."
Cited at:
/faq (Q14 "How does money actually move?" + Q20 stack list) ·
/sweetener (§ Stack card + § Spec card "Three-way reconciliation") ·
/architecture (C4 model · 9 integrations · Stripe Connect named)
Evidence today
package.json contains no "stripe" dependency. No STRIPE_* secrets configured. No Connect onboarding route. No webhook handler. ABA file rail (alternative) IS wired at /me/payouts (real APCA 120-char format, sha-256 hash anchored).
Gap to close
This is the single largest copy-vs-runtime delta. Sprint is 3-4 days of engineering. Decision D204 at SC#2 (22 Jun) gates this.
Sprint window: SC#2 → SC#3 · 22 Jun – 6 Jul 2026 (4 working days) — pending D204 approval
Acceptance test (PMO will run at Steerco gate)
New partner completes Connect Express onboarding via /me/connect; test-mode payout of $100 from platform account to partner account using application_fee_amount=$1 (1%); webhook fires, ledger entry written, RCTI generated.
H102 · Sprint committed · 4 engineering days
RCTI PDF generator + ATO-compliant numbering
Owner · Gate: Carla Oliver · SC#4 · 20 Jul 2026
The claim in marketing copy
"Every settlement raises an RCTI (Recipient-Created Tax Invoice) with ATO-compliant sequential numbering, GST line, and counterparty ABN."
Cited at:
/faq (Q14 "Three-way reconciliation" + Q19 "regulator-ready") ·
/me/payouts (Payout queue shows "RCTI raised" status)
Evidence today
ledger_entries.idempotency_key handles dedup. payouts.tsx has APCA ABA file generation. No PDF library installed (no pdf-lib, no puppeteer-in-worker). No rcti_documents table.
Gap to close
PDF generation in Cloudflare Workers is non-trivial (no node fs, no headless browser). Use pdf-lib (works in Workers) to compose the RCTI from a template. Migration 0011 adds rcti_documents + rcti_sequence tables.
Sprint window: SC#3 → SC#4 · 6 Jul – 20 Jul 2026 (4 working days)
Acceptance test (PMO will run at Steerco gate)
Test settlement triggers RCTI PDF generation; PDF downloadable from /me/payouts/:id/rcti; sequence number monotonic; GST line shows; ABN of recipient and payer both present; admin can re-issue with the same sequence number on duplicate webhook.
H103 · Sprint committed · 3 engineering days
Disputes workflow — admin queue + 7-day SLA
Owner · Gate: Carla Oliver · SC#5 · 3 Aug 2026
The claim in marketing copy
"Most disputes resolve within 7 days. If a member is found to have refused payment on a complete chain, they lose honour points, lose tier status, and on repeat offences lose their membership."
Cited at:
/faq (Q8 "What if a member refuses to pay?") ·
/app/disputes (admin disputes queue; route exists, behaviour partial)
Evidence today
/app/disputes route exists with admin queue UI. disputes table NOT explicitly named in migrations — uses ledger_entry.status="disputed". No SLA timer, no auto-escalation, no honour-point deduction on adverse finding.
Gap to close
Add migration for `disputes` table with raised_at, sla_deadline, status, resolution, points_adjustment. Wire SLA timer (Cloudflare Cron Trigger checks every hour). Add admin "Resolve in favour of [referrer|recipient]" action with automatic honour-point adjustment.
Sprint window: SC#4 → SC#5 · 20 Jul – 3 Aug 2026 (3 working days)
Acceptance test (PMO will run at Steerco gate)
Raise dispute via /me/refer/:id/dispute; admin sees in queue with SLA countdown; resolve action writes resolution row, adjusts honour points, sends notification (depends on H105).
H104 · Sprint committed · 1 engineering day
Idempotency replay test published
Owner · Gate: Carla Oliver · SC#4 · 20 Jul 2026
The claim in marketing copy
"Idempotent settlement — webhook fires twice or network drops, the platform raises one RCTI and pays exactly once."
Cited at:
/faq (Q4 "Six functional outcomes" + Q20 systems table NPP row) ·
/sweetener (§ Spec card "Idempotency") ·
/architecture (NFR list · idempotent webhooks)
Evidence today
commission_events.idempotency_key column exists (UNIQUE NOT NULL) in migration 0001. 18 references in src/engine/*. No published runtime test that proves duplicate webhooks result in exactly one settlement.
Gap to close
Add /api/admin/replay-test endpoint that fires the same Stripe webhook 5× and asserts (a) one ledger entry, (b) one RCTI, (c) four "duplicate, ignored" log rows. Publish the test result at /engagement/pmo/evidence/idempotency.
Sprint window: SC#3 → SC#4 · 6 Jul – 20 Jul 2026 (1 working day)
Acceptance test (PMO will run at Steerco gate)
POST /api/admin/replay-test → response shows 1 settlement / 1 RCTI / N-1 duplicates ignored, screenshot lodged with Steerco pack.
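An added example (not the project's code) of the property the replay test is meant to prove: a settlement handler that lets the UNIQUE idempotency_key from migration 0001 decide whether a delivery is new, with D1 stood in for by in-memory Maps. The webhook shape, store and function names are assumed.

```typescript
// Added example, not Flip 360 code. The store stands in for D1; the ledger is
// keyed the way the page's commission_events.idempotency_key (UNIQUE NOT NULL) is.
interface WebhookEvent {
  id: string;                 // provider event id, reused as idempotency_key on retry
  commissionEventId: string;
  amountCents: number;
}
interface LedgerEntry {
  idempotencyKey: string;
  commissionEventId: string;
  amountCents: number;
  status: "SETTLED";
}
interface Rcti { sequence: number; ledgerKey: string }
type Outcome = "settled" | "duplicate, ignored";

class SettlementStore {
  ledger = new Map<string, LedgerEntry>();   // Map key = idempotency_key
  rctis: Rcti[] = [];
  log: { key: string; outcome: Outcome }[] = [];
  private nextSequence = 1;                    // rcti_sequence, monotonic

  // Mirrors INSERT ... ON CONFLICT(idempotency_key) DO NOTHING: the stored row,
  // not the caller's memory of what it already sent, decides if the key is new.
  tryInsertLedger(entry: LedgerEntry): boolean {
    if (this.ledger.has(entry.idempotencyKey)) return false;
    this.ledger.set(entry.idempotencyKey, entry);
    return true;
  }
  raiseRcti(ledgerKey: string): Rcti {
    const rcti = { sequence: this.nextSequence++, ledgerKey };
    this.rctis.push(rcti);
    return rcti;
  }
}

function handleSettlementWebhook(store: SettlementStore, ev: WebhookEvent): Outcome {
  const inserted = store.tryInsertLedger({
    idempotencyKey: ev.id,
    commissionEventId: ev.commissionEventId,
    amountCents: ev.amountCents,
    status: "SETTLED",
  });
  const outcome: Outcome = inserted ? "settled" : "duplicate, ignored";
  if (inserted) store.raiseRcti(ev.id);     // one RCTI, raised only on first sight of the key
  store.log.push({ key: ev.id, outcome });  // every delivery leaves an audit row
  return outcome;
}

// What /api/admin/replay-test would report: the same event delivered N times.
function replayTest(times: number, store = new SettlementStore()) {
  const ev: WebhookEvent = {            // constructed sample event
    id: "evt_constructed_0001", commissionEventId: "ce_0042", amountCents: 10000,
  };
  for (let i = 0; i < times; i++) handleSettlementWebhook(store, ev);
  return {
    settlements: store.ledger.size,
    rctis: store.rctis.length,
    duplicatesIgnored: store.log.filter((r) => r.outcome === "duplicate, ignored").length,
  };
}
```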
H105 · Sprint committed · 2 engineering days
Transactional email + SMS notifications
Owner · Gate: Carla Oliver · SC#4 · 20 Jul 2026
The claim in marketing copy
"The dispute resolves on evidence, not on who shouts loudest" (which implies the parties are notified).
Cited at:
/faq (Q7 "What happens when a referral converts?" — implicit notification) ·
/me (Member dashboard shows referrals but no notification trail)
Evidence today
No email provider (no SendGrid / Mailgun / Postmark / Resend). No SMS provider (no Twilio / MessageBird). No notification_log table.
Gap to close
Resend is the lightest-weight pick (Cloudflare-friendly, REST API). Add migration for notification_log. Wire on five trigger events: referral_intent_created, intake_acknowledged, settlement_recorded, outcome_confirmed, dispute_raised.
Sprint window: SC#3 → SC#4 · 6 Jul – 20 Jul 2026 (2 working days)
Acceptance test (PMO will run at Steerco gate)
Test referral flow sends 5 emails (one per chain event), all delivered, audit row in notification_log for each.
H106 · Sprint committed · 3 engineering days
Honour points engine — earn, deduct, ranking
Owner · Gate: Carla Oliver · SC#5 · 3 Aug 2026
The claim in marketing copy
"Honour points are awarded to the *confirmer* of a payment, not the *claimer*. They affect directory ranking, tier benefits, referral priority, recognition."
Cited at:
/faq (Q9 "How are honour points calculated?" + Q10 "What do they do?" + Q13 "How do you stop gaming?") ·
/me (Member dashboard implies a points balance)
Evidence today
No honour_points table or column. No /me/honour route. The concept is in copy but not in schema.
Gap to close
Add migration: honour_point_events (event_id, recipient_id, granter_id, points, reason, related_ledger_entry_id, created_at). Trigger: on ledger_entry.status="SETTLED", auto-grant points to the chain originator from the payer. Wire ranking algorithm to weight honour points alongside revenue.
Sprint window: SC#4 → SC#5 · 20 Jul – 3 Aug 2026 (3 working days)
Acceptance test (PMO will run at Steerco gate)
Two real members settle a referral; payer's confirmation grants 10 points to receiver; both members' /me dashboards show updated balances; directory at /community ranks them by combined score.
Tier 2 · Operating standard
Points, data export, AUSTRAC, investor transparency — listed-co diligence
H201 · Sprint committed · 2 engineering days
Member data export (Privacy Act APP 12 compliance)
Owner · Gate: Carla Oliver · SC#5 · 3 Aug 2026
The claim in marketing copy
"Privacy Act APP 12 (access) — every required disclosure is one query away, with the chain as proof."
Cited at:
/faq (Q19 "regulator-ready disclosure") ·
/sweetener (§ Spec card "Regulator-ready disclosure")
Evidence today
No /me/data-export route. No API for full member-data dump. Members cannot retrieve their own data.
Gap to close
Add /me/data-export that returns a JSON bundle of {profile, contacts, deals, commission_events, ledger_entries, signatures, notifications, honour_points} scoped to the requesting member. Two-click flow: request → email-delivered link → download zip.
Sprint window: SC#4 → SC#5 · 20 Jul – 3 Aug 2026 (2 working days)
Acceptance test (PMO will run at Steerco gate)
Test member requests export; receives email link within 5 minutes; downloads zip containing 8 JSON files; all data scoped to that member only (cross-member SQL test fails).
H202 · Sprint committed · 2 engineering days
AUSTRAC threshold detection + flagging
Owner · Gate: Carla Oliver · SC#6 · 17 Aug 2026
The claim in marketing copy
"AUSTRAC threshold reporting — tamper-evident transaction record, retrievable on demand under statutory powers."
Cited at:
/faq (Q4 + Q19 + Q20 systems table AUSTRAC row)
Evidence today
No threshold logic. No /admin/austrac queue. ledger_entries does not flag aggregated $10k+ movements per member per 24h.
Gap to close
Add cron job (Cloudflare Workers scheduled trigger) — every hour, aggregate ledger movements per partner per rolling 24h. If aggregate ≥ $10k, write austrac_flags row. Admin queue at /admin/austrac with action to lodge SMR (Suspicious Matter Report).
Sprint window: SC#5 → SC#6 · 3 Aug – 17 Aug 2026 (2 working days)
Acceptance test (PMO will run at Steerco gate)
Seed $12k worth of ledger movements over 24h for one test member; austrac_flag row appears in /admin/austrac queue within 60 minutes; CSV export available for SMR lodgement.
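An added example (not the project's code) of the hourly aggregation the H202 cron would run, including the de-duplication an hourly cron needs so one breach does not produce 24 flag rows. Movements and flag rows are in-memory; the shapes and names are assumed, and absolute amounts are summed so refunds count toward the threshold.

```typescript
// Added example, not Flip 360 code: the rolling-24h aggregation behind the H202 cron.
// LedgerMovement / AustracFlag shapes are assumed; |amount| is summed so a refund leg
// counts toward the same threshold as a payout leg.
interface LedgerMovement { partnerId: string; amountCents: number; at: Date }
interface AustracFlag { partnerId: string; windowEnd: Date; aggregateCents: number }

const THRESHOLD_CENTS = 10000 * 100;        // the $10k figure from the backlog row
const WINDOW_MS = 24 * 60 * 60 * 1000;      // rolling 24 hours

// Sum per partner over the half-open window (now - 24h, now].
function aggregateRolling24h(movements: LedgerMovement[], now: Date): Map<string, number> {
  const from = now.getTime() - WINDOW_MS;
  const totals = new Map<string, number>();
  for (const m of movements) {
    const t = m.at.getTime();
    if (t <= from || t > now.getTime()) continue;
    totals.set(m.partnerId, (totals.get(m.partnerId) ?? 0) + Math.abs(m.amountCents));
  }
  return totals;
}

// One cron tick. A partner flagged within the last 24h is not flagged again;
// without this an hourly cron writes up to 24 austrac_flags rows for one breach.
function runThresholdCron(movements: LedgerMovement[], existing: AustracFlag[], now: Date): AustracFlag[] {
  const fresh: AustracFlag[] = [];
  aggregateRolling24h(movements, now).forEach((aggregateCents, partnerId) => {
    if (aggregateCents < THRESHOLD_CENTS) return;
    const recentlyFlagged = existing.some(
      (f) => f.partnerId === partnerId && now.getTime() - f.windowEnd.getTime() < WINDOW_MS,
    );
    if (!recentlyFlagged) fresh.push({ partnerId, windowEnd: now, aggregateCents });
  });
  return fresh;
}

// Constructed sample: p_alice moves $12k inside 24h (one leg a refund); p_bob's $6k
// leg is 30h old, so only $5k falls inside the window. Two ticks an hour apart.
function sampleTicks() {
  const now = new Date("2026-08-03T02:00:00+10:00");
  const hoursAgo = (h: number) => new Date(now.getTime() - h * 3600 * 1000);
  const movements: LedgerMovement[] = [
    { partnerId: "p_alice", amountCents: 400000, at: hoursAgo(2) },
    { partnerId: "p_alice", amountCents: -350000, at: hoursAgo(10) },
    { partnerId: "p_alice", amountCents: 450000, at: hoursAgo(20) },
    { partnerId: "p_bob", amountCents: 600000, at: hoursAgo(30) },
    { partnerId: "p_bob", amountCents: 500000, at: hoursAgo(1) },
  ];
  const firstTick = runThresholdCron(movements, [], now);
  const secondTick = runThresholdCron(movements, firstTick, hoursAgo(-1)); // one hour later
  return { firstTick, secondTick };
}
```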
H203 · Scoped · 3 engineering days
Observability stack — error rate + payout SLA dashboards
Owner · Gate: Carla Oliver · SC#4 · 20 Jul 2026
The claim in marketing copy
"Implied by the operating standard — Steerco needs error rate and payout SLA visibility (WS2 Milestone W8·SC#4)."
Evidence today
No observability dependency (no Sentry / Datadog / Honeycomb / OTel). No error-rate dashboard. No payout SLA tracking.
Gap to close
Decision D206 at SC#2 chooses vendor. PMO recommends Cloudflare Workers Analytics Engine — native, lowest friction, aligns with existing Worker runtime. Wire in W7-W8 (post-SC#3).
Sprint window: SC#3 → SC#4 · 6 Jul – 20 Jul 2026 (3 working days) — pending D206 vendor choice
Acceptance test (PMO will run at Steerco gate)
/admin/observability shows: 24h error rate, p95 response time, payout SLA (target ≤ 5 mins from outcome confirmation to ABA file ready), with 7-day trend.
H204 · Sprint committed · 3 engineering days
Investor transparency dashboard
Owner · Gate: Carla Oliver · SC#6 · 17 Aug 2026
The claim in marketing copy
"FY27 → FY31 trajectory: 1k → 175k members, $240k → $42M revenue, the same breed as Air BnB, Afterpay, Uber."
Cited at:
/investors (ASSUMPTIONS.trajectory · five-year financial model)
Evidence today
/investors page exists with static financial model. No live numbers wired from D1. The trajectory is published as assumption, not as actuals-vs-plan.
Gap to close
Add /investors/dashboard (soft-gated like the existing brief). Live D1 queries for: active members, MRR, CAC, LTV, churn, ledger flow. Side-by-side with the FY27 trajectory baseline. Refreshes hourly.
Sprint window: SC#5 → SC#6 · 3 Aug – 17 Aug 2026 (3 working days)
Acceptance test (PMO will run at Steerco gate)
/investors/dashboard renders with live D1 metrics, all under the soft-gate. Numbers reconcile to /engagement/pmo · WS2 metrics within 5%.
H205 · Sprint committed · 3 engineering days
Three-way reconciliation engine (chain × Stripe × RCTI)
Owner · Gate: Carla Oliver · SC#6 · 17 Aug 2026
The claim in marketing copy
"Every dollar exists simultaneously in (1) the chain event log, (2) the Stripe Connect ledger, and (3) the RCTI register. All three must agree, automatically and continuously."
Cited at:
/faq (Q4 "Six functional outcomes" · three-way reconciliation) ·
/sweetener (§ Spec card "Three-way reconciliation")
Evidence today
commission_events + ledger_entries are linked. No nightly reconciliation cron. No Stripe ledger to reconcile against (depends on H101). No RCTI register (depends on H102).
Gap to close
Add cron (daily 02:00 AEST) that joins commission_events ↔ Stripe API charge list ↔ rcti_documents. Any unmatched row writes a recon_break row; admin at /admin/recon shows breaks with drill-through.
Sprint window: SC#5 → SC#6 · 3 Aug – 17 Aug 2026 (3 working days)
Acceptance test (PMO will run at Steerco gate)
Run 10 settlements; reconciliation cron at 02:00 reports 10/10 matched; deliberately delete one ledger row; next cron run flags 1 break visible at /admin/recon.
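An added example (not the project's code) of the join the H205 nightly cron performs and the break classes it would write: missing or mismatched rows on any leg, orphans with no chain event behind them, and a charge that arrived twice. Rows are in-memory, the Stripe charge is reduced to the fields the join needs, and metadata.commission_event_id as the charge-to-chain link is an assumed convention.

```typescript
// Added example, not Flip 360 code: the three-way join behind the H205 cron.
// Shapes are assumed; metadata.commission_event_id linking a Stripe charge back to
// the chain is an assumed convention, not something the page states.
interface CommissionEvent { id: string; amountCents: number; status: "SETTLED" | "PENDING" }
interface StripeCharge { id: string; amountCents: number; metadata: { commission_event_id: string } }
interface RctiDocument { id: string; commissionEventId: string; amountCents: number }
interface ReconBreak { commissionEventId: string; reason: string; detail: string }

function reconcile(chain: CommissionEvent[], charges: StripeCharge[], rctis: RctiDocument[]): ReconBreak[] {
  const breaks: ReconBreak[] = [];
  const flag = (commissionEventId: string, reason: string, detail: string) =>
    breaks.push({ commissionEventId, reason, detail });
  const chargeByEvent = new Map<string, StripeCharge>();
  const rctiByEvent = new Map<string, RctiDocument>();
  for (const c of charges) {
    const key = c.metadata.commission_event_id;
    if (chargeByEvent.has(key)) flag(key, "duplicate_stripe_charge", `second charge ${c.id}`); // paid twice
    chargeByEvent.set(key, c);
  }
  for (const r of rctis) rctiByEvent.set(r.commissionEventId, r);

  // Leg 1: every SETTLED chain event needs one charge and one RCTI, amounts equal.
  const chainIds = new Set<string>();
  for (const ev of chain) {
    chainIds.add(ev.id);
    const charge = chargeByEvent.get(ev.id);
    const rcti = rctiByEvent.get(ev.id);
    if (ev.status !== "SETTLED") {
      if (charge || rcti) flag(ev.id, "paid_before_settlement", "charge or RCTI exists, chain not SETTLED");
      continue;
    }
    if (!charge) flag(ev.id, "missing_stripe_charge", "settled in chain, no charge");
    else if (charge.amountCents !== ev.amountCents) flag(ev.id, "amount_mismatch_stripe", `chain ${ev.amountCents} vs stripe ${charge.amountCents}`);
    if (!rcti) flag(ev.id, "missing_rcti", "settled in chain, no RCTI raised");
    else if (rcti.amountCents !== ev.amountCents) flag(ev.id, "amount_mismatch_rcti", `chain ${ev.amountCents} vs rcti ${rcti.amountCents}`);
  }
  // Legs 2 and 3: money or an invoice with no chain event behind it is also a break.
  for (const c of charges) if (!chainIds.has(c.metadata.commission_event_id)) flag(c.metadata.commission_event_id, "orphan_stripe_charge", c.id);
  for (const r of rctis) if (!chainIds.has(r.commissionEventId)) flag(r.commissionEventId, "orphan_rcti", r.id);
  return breaks;
}

// Constructed sample night: three settlements that agree on all three legs.
function sampleLedgers() {
  const chain: CommissionEvent[] = [1, 2, 3].map((i): CommissionEvent => ({ id: `ce_${i}`, amountCents: i * 10000, status: "SETTLED" }));
  const charges: StripeCharge[] = chain.map((ev) => ({ id: `ch_${ev.id}`, amountCents: ev.amountCents, metadata: { commission_event_id: ev.id } }));
  const rctis: RctiDocument[] = chain.map((ev) => ({ id: `rcti_${ev.id}`, commissionEventId: ev.id, amountCents: ev.amountCents }));
  return { chain, charges, rctis };
}
```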
Tier 3 · Anti-fragile
Merkle anchor, third-party audit, hardware keys at scale — "the log proves so"
H301 · Sprint committed · 3 engineering days
Hourly Merkle anchor cron + public-log surface
Owner · Gate: Carla Oliver · SC#6 · 17 Aug 2026
The claim in marketing copy
"The chain is anchored hourly to an external trust authority (planned: a multi-party Merkle root with a top-4 audit firm)."
Cited at:
/faq (Q15 "data sovereignty" · "anchored hourly to an external trust authority") ·
/faq (Q20 systems table · Certificate Transparency row · "Hourly Merkle root anchored") ·
/sweetener (§ Spec card · KPMG/EY anchoring narrative) ·
/architecture (NFR · external anchoring (Certificate Transparency pattern))
Evidence today
chain_blocks table exists (migration 0005). No cron. No published anchor receipt. No third-party signed anchoring. Copy says "planned" — but is read as a live capability.
Gap to close
Sprint v1 (Phase 1): hourly cron computes Merkle root over previous hour's causation_receipts, signs with platform key, publishes to /chain/anchor/:hour. Phase 2: engage KPMG OR EY for quarterly counter-signed root (RFP at SC#5, decision at SC#6).
Sprint window: SC#5 → SC#6 · 3 Aug – 17 Aug 2026 (3 working days for v1)
Acceptance test (PMO will run at Steerco gate)
/chain/anchor renders 24h of hourly Merkle roots, each signed by platform key; clicking a root expands to show the receipts it covers; root verifiable via /api/chain/verify/:hour endpoint.
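An added example (not the project's code) of what the v1 anchor involves: a Certificate Transparency-style (RFC 6962) Merkle tree over one hour of receipts, the signed anchor record the cron would publish, and the inclusion check behind the /api/chain/verify/:hour endpoint. The receipt JSON, the Ed25519 platform key and the signed-string layout are constructed assumptions.

```typescript
import { createHash, generateKeyPairSync, sign, verify, KeyObject } from "node:crypto";
// Added example, not Flip 360 code: RFC 6962-style Merkle tree over an hour of
// causation_receipts, the anchor H301's cron would publish, and the inclusion check
// behind /api/chain/verify/:hour. Receipts, key and signed-string layout are constructed.
const sha256 = (...parts: Buffer[]): Buffer => createHash("sha256").update(Buffer.concat(parts)).digest();
const leafHash = (receipt: Buffer): Buffer => sha256(Buffer.from([0x00]), receipt);  // leaves prefixed 0x00
const largestPow2Below = (n: number): number => { let k = 1; while (k * 2 < n) k *= 2; return k; };

// Merkle tree hash: interior nodes prefixed 0x01, left subtree takes the largest
// power of two below n, the layout Certificate Transparency uses.
function merkleRoot(leaves: Buffer[]): Buffer {
  if (leaves.length === 0) return sha256();
  if (leaves.length === 1) return leafHash(leaves[0]);
  const k = largestPow2Below(leaves.length);
  return sha256(Buffer.from([0x01]), merkleRoot(leaves.slice(0, k)), merkleRoot(leaves.slice(k)));
}

// Sibling hashes for leaf m, leaf-side first, top-level sibling last.
function inclusionPath(m: number, leaves: Buffer[]): Buffer[] {
  if (leaves.length <= 1) return [];
  const k = largestPow2Below(leaves.length);
  return m < k
    ? [...inclusionPath(m, leaves.slice(0, k)), merkleRoot(leaves.slice(k))]
    : [...inclusionPath(m - k, leaves.slice(k)), merkleRoot(leaves.slice(0, k))];
}

// Recompute the root from a leaf hash and its path, consuming the path from the end.
function rootFromPath(m: number, n: number, leaf: Buffer, path: Buffer[]): Buffer {
  if (n === 1) return path.length === 0 ? leaf : Buffer.alloc(0);  // surplus path: no valid root
  const k = largestPow2Below(n);
  const sibling = path[path.length - 1];
  const rest = path.slice(0, -1);
  return m < k
    ? sha256(Buffer.from([0x01]), rootFromPath(m, k, leaf, rest), sibling)
    : sha256(Buffer.from([0x01]), sibling, rootFromPath(m - k, n - k, leaf, rest));
}

interface Anchor { hour: string; size: number; rootHex: string; signatureHex: string }

// The record for /chain/anchor/:hour: root plus an Ed25519 platform signature over
// hour, tree size and root together, so none of the three can be swapped alone.
function buildAnchor(hour: string, receipts: string[], platformKey: KeyObject): Anchor {
  const rootHex = merkleRoot(receipts.map((r) => Buffer.from(r, "utf8"))).toString("hex");
  const signed = Buffer.from(`${hour}:${receipts.length}:${rootHex}`);
  return { hour, size: receipts.length, rootHex, signatureHex: sign(null, signed, platformKey).toString("hex") };
}

function verifyAnchor(anchor: Anchor, platformPub: KeyObject): boolean {
  const signed = Buffer.from(`${anchor.hour}:${anchor.size}:${anchor.rootHex}`);
  return verify(null, signed, platformPub, Buffer.from(anchor.signatureHex, "hex"));
}

// Does this receipt sit at index m under the published root?
function verifyInclusion(receipt: string, m: number, path: Buffer[], anchor: Anchor): boolean {
  if (m < 0 || m >= anchor.size) return false;
  return rootFromPath(m, anchor.size, leafHash(Buffer.from(receipt, "utf8")), path).toString("hex") === anchor.rootHex;
}

// Constructed sample hour: five receipts and a throwaway platform key pair.
function sampleHour() {
  const { privateKey, publicKey } = generateKeyPairSync("ed25519");
  const receipts = [1, 2, 3, 4, 5].map((i) => JSON.stringify({ receipt_id: `rcpt_${i}`, hour: "2026-08-03T01" }));
  const anchor = buildAnchor("2026-08-03T01", receipts, privateKey);
  return { receipts, leaves: receipts.map((r) => Buffer.from(r, "utf8")), anchor, publicKey };
}
```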
H302 · Scoped · 5 engineering days
WebAuthn / hardware-key signatures (replacing drawn-pad v1)
Owner · Gate: Carla Oliver · Phase 2 SC#1
The claim in marketing copy
"Apple Secure Enclave / Android StrongBox / WebAuthn — the same chip-level crypto that authorises Apple Pay and your CBA NetBank biometric login."
Cited at:
/faq (Q5 "How are signatures verified?" + Q11 "the handshake" + Q20) ·
/sweetener (§ Spec card "Non-repudiable signatures")
Evidence today
device_keys table (migration 0005) has schema but no active WebAuthn library. No @simplewebauthn/server in package.json. Drawn-pad v1 (H003) is the honest Phase 1 signature.
Gap to close
Install @simplewebauthn/server. Add /me/register-device flow. Extend chain event signing to prefer WebAuthn assertion when available, fall back to drawn-pad. Phase 2 work — Phase 1 ships with drawn-pad signatures.
Sprint window: Phase 2 · Sprint 1 · Sep 2026 (5 working days)
Acceptance test (PMO will run at Steerco gate)
Member registers iPhone passkey at /me/register-device; subsequent referral sign-off prompts Face ID; signature_method="webauthn" stored; assertion verifiable server-side.
H303 · Scoped · 8 engineering days
Third-party audit engagement (KPMG OR EY) for chain attestation
Owner · Gate: Carla Oliver · SC#6 · 17 Aug 2026 (shortlist) → Phase 2 SC#1 (engagement)
The claim in marketing copy
"Multi-party Merkle root with a top-4 audit firm. KPMG/EY anchoring."
Cited at:
/faq (Q15 · "with a top-4 audit firm") ·
/sweetener (§ Spec card · audit firm narrative)
Evidence today
No audit engagement. No counter-signed anchor receipts. No public attestation letter. This is the strongest claim in current copy and the furthest from runtime.
Gap to close
WS4 (Legal & Compliance) commission RFP at SC#5; shortlist KPMG / EY / Deloitte / PwC at SC#6; appointment in Phase 2. v1 attestation: counter-signed quarterly Merkle root after H301 ships.
Sprint window: RFP SC#5 → SC#6 · Phase 2 engagement Q1 FY27
Acceptance test (PMO will run at Steerco gate)
Engagement letter signed with top-4 firm; first quarterly attestation letter published at /chain/attestation/q1-fy27 within 90 days of engagement.
H304 · Sprint committed · 1 engineering day
Penetration test + responsible-disclosure programme
Owner · Gate: Carla Oliver · SC#6 · 17 Aug 2026
The claim in marketing copy
"Same standard a market operator answers to" · "Designed to the disclosure standards a market operator answers to".
Cited at:
/faq (Q19 · "regulator-ready disclosure" framing) ·
/sweetener (§ Spec card · same)
Evidence today
No pen-test report. No /security or /.well-known/security.txt. No bug bounty.
Gap to close
Sprint v1 (Phase 1): add /.well-known/security.txt with disclosure address. Engage CyberCX or NCC for pen-test in Phase 2 Sprint 2.
Sprint window: SC#5 → SC#6 · 3 Aug – 17 Aug 2026 (0.5 days for security.txt; pen-test deferred)
Acceptance test (PMO will run at Steerco gate)
/.well-known/security.txt resolves; lists disclosure email and PGP key; published in robots.txt. Pen-test SoW logged on backlog for Phase 2 Sprint 2.
Claim-surface index
Reverse lookup — which copy depends on which backlog item.
For every marketing surface, the backlog items required to make that surface fully honest. Cross-reference before any copy edit.
PMO governance
This backlog is reviewed at every Steerco. Each row's acceptance test is run at the named Steerco gate, with the result lodged in the Steerco pack. Pass → row promoted to "evidenced today". Fail → row escalated to RAID Amber, re-planned at the next Steerco.
Adding a new aspirational claim — any new marketing copy that asserts a capability not in this backlog must trigger a new backlog row before publication. This is a hard gate, enforced by the PMO Director (Carla).
Refresh cadence
- Owner: Carla Oliver · PMO Director · CoSai
- Updated: at every Steerco (fortnightly)
- Source of truth: HARDENING_BACKLOG in src/routes/engagement.tsx
- Linked from: PMO live board, Steerco #2 paper, Decision D207