Skeleton setup

What needs wiring next.

This is the product boundary layer: standalone business profile, trade pack, API contracts, approval policy and data separation from GPE.

Business profile

NameTrade Office OS Demo

Trade packplumbing-heating-gas-renewables

Approval policyapproval_gated_external_sends

Data sourcedemo · read-only scaffold

Adapter healthhealthy · writes disabled · sends disabled

RollbackUnset TRADE_OFFICE_OS_ENABLE_SQLITE_READONLY and restart preview to return to synthetic demo data.

Release notesPromotion record required before staging/production deploys

Incident support runbooksev0_stop means freeze, preserve evidence and notify Alex before repair

Data boundaryStandalone demo data. No GPE branding or customer data.

Finishing the skeleton

Extract real CRM domain service from existing scripts.
Implement read-only dashboard API first.
Wire intake review actions to approval-gated mutations.
Add auth/roles before any live customer data.
Package mobile as PWA; desktop as PWA first, Tauri later.
Record release notes before any staging/production promotion.

Failure taxonomy

Internal pilot recovery contract: quarantine or read-only mode first; no hidden live data and no app-side external sends. Freeze, classify, contain, then run the full gate before a support fix is complete.

Class	Signal	Operator response
`intake_low_confidence`	Missing identity, address, intent, or conflicting service terms	Keep in review and ask for human clarification before structured writes
`duplicate_or_conflict`	Candidate overlaps an existing customer, quote, follow-up, or document with conflicting facts	Show both records and require owner/admin decision; never auto-merge
`unsafe_outbound`	Draft has unapproved send path, pressure language, opt-out conflict, or risky claims	Quarantine the draft; keep external send disabled and manual-copy only
`adapter_unavailable`	Adapter, schema, import/export, or database boundary cannot be trusted	Fall back to read-only/degraded mode; never swap in hidden live data
`audit_gap`	A command is missing actor, idempotency key, source evidence, or timestamp	Refuse mutation and preserve the raw source item for repair
`privacy_boundary`	Real customer identifiers appear in demo fixtures, docs, screenshots, or seed data	Stop, remove the data, and re-run privacy/static gates before commit

API contracts

Route	Purpose
`GET /api/dashboard.json`	Today summary, KPIs, due work, missed-opportunity rollup
`GET /api/intake.json`	Review queue with route confidence, evidence, suggested next action
`GET /api/follow-ups.json`	Quote chase, callback and review request queues
`GET /api/outbound-queue.json`	Manual-send draft queue with risk flags
`GET /api/weekly-summary.json`	Weekly recovery summary and safety notes
`GET /api/customers.json`	Customer hub summaries and timelines
`GET /api/audit.json`	Audit trail items with safety notes
`GET /api/business-profile.json`	Standalone tenant config, trade terms, branding and policies
`UI /operator-manual`	Pilot onboarding, role boundaries and stop rules before sensitive work