{"success":true,"module":"mupza_private_beta_operator_handoff_pack_v1","data":{"packId":"mupza-private-beta-operator-handoff-pack-v1","route":"/private-beta-operator-handoff","mockApiRoute":"/api/mock/restaurant-os/private-beta-operator-handoff","metadata":{"title":"Private Beta Operator Handoff Pack","day":"22 / 30","remaining":"8 days","mode":"Local/mock only","decisionState":"Operator review required","safetyState":"No production/staging action","humanGoRequired":true},"safetyAssertions":{"localMockOnly":true,"noProduction":true,"noStaging":true,"noDeploy":true,"noSsh":true,"noDocker":true,"noSecretsOrEnvChanges":true,"noBackendOrDatabase":true,"noCustomerData":true,"humanGoRequiredForRealBeta":true},"checklist":[{"id":"readiness-scorecard-review","label":"Readiness scorecard review","operatorQuestion":"Does the Private Beta Readiness Scorecard show green/acceptable categories with no unexplained blockers?","expectedEvidence":"Open /private-beta-readiness-scorecard and verify the scorecard summary, category rows, QA markers and human-gated release language.","holdIfMissing":true},{"id":"audit-evidence-timeline-review","label":"Audit evidence timeline review","operatorQuestion":"Can the operator trace permission, tenant, branch, redaction and QA decisions through audit evidence?","expectedEvidence":"Open /audit-evidence-timeline and confirm synthetic local events include audit evidence for pass/block/redact decisions.","holdIfMissing":true},{"id":"tenant-branch-guard-review","label":"Tenant/branch guard review","operatorQuestion":"Are cross-tenant and cross-branch examples denied before data is exposed?","expectedEvidence":"Open /tenant-branch-scope-guard and confirm same-branch allow plus cross-branch/cross-tenant block examples.","holdIfMissing":true},{"id":"sensitive-data-redaction-review","label":"Sensitive data redaction review","operatorQuestion":"Are sensitive fields masked or omitted before operator-visible evidence is shown?","expectedEvidence":"Open 
/sensitive-data-redaction and /public-receipt-redaction to confirm redaction examples use placeholders only.","holdIfMissing":true},{"id":"permission-role-review","label":"Permission/role review","operatorQuestion":"Do owner/admin/manager/cashier/waiter permissions match the expected role boundaries?","expectedEvidence":"Open /owner-admin-permission-matrix and /permission-adapter-preview to confirm allow/deny rows and role scope notes.","holdIfMissing":true},{"id":"qa-build-evidence-review","label":"QA/build evidence review","operatorQuestion":"Can the operator find build proof, QA markers and route smoke evidence for this pack?","expectedEvidence":"Run npm run build and scripts/qa/run-private-beta-operator-handoff-pack-v1.ps1; review /release-evidence and /route-smoke-index.","holdIfMissing":true},{"id":"public-flow-smoke-review","label":"Public flow smoke review","operatorQuestion":"Do public QR, order status, receipt and abuse-guard previews remain read-only and mock-only?","expectedEvidence":"Review QR/order/receipt routes and confirm no real backend, payment capture, provider send or customer data dependency appears.","holdIfMissing":false},{"id":"owner-admin-panel-review","label":"Owner/admin panel review","operatorQuestion":"Can owner/admin preview pages demonstrate setup, role and operational visibility without secrets?","expectedEvidence":"Open /owner-admin and /owner-admin-permission-matrix; confirm local/mock assumptions and no secret values.","holdIfMissing":false},{"id":"pos-local-offline-assumptions-review","label":"POS/local/offline assumptions review","operatorQuestion":"Are POS and Local Hub offline assumptions stated and testable in local/mock review?","expectedEvidence":"Open /pos-desktop, /pos-offline and /local-hub; confirm LAN/offline assumptions are documented as preview evidence, not production guarantees.","holdIfMissing":true},{"id":"qr-order-receipt-flow-review","label":"QR/order/receipt flow review","operatorQuestion":"Can QR intake, 
order confirmation/status and receipt previews be followed end-to-end in mock mode?","expectedEvidence":"Open /qr-website-order-intake, /public-order-confirmations, /public-order-status and /public-customer-receipts.","holdIfMissing":false},{"id":"risk-hold-decision-review","label":"Risk and HOLD decision review","operatorQuestion":"Has every P0/P1 risk been mapped to a required action and GO/HOLD impact?","expectedEvidence":"Review this handoff pack risk register and record whether a safe GO recommendation or HOLD recommendation is appropriate.","holdIfMissing":true}],"evidenceMap":[{"id":"private-beta-readiness-scorecard","label":"Private Beta Readiness Scorecard","area":"readiness","route":"/private-beta-readiness-scorecard","linkState":"linked","operatorUse":"Confirm Day 21 readiness summary, risk level and human-gated beta language."},{"id":"audit-evidence-timeline","label":"Audit Evidence Timeline","area":"audit evidence","route":"/audit-evidence-timeline","linkState":"linked","operatorUse":"Trace local/mock evidence for permission, scope, redaction, approval and QA decisions."},{"id":"sensitive-data-redaction","label":"Sensitive Data Redaction","area":"redaction","route":"/sensitive-data-redaction","linkState":"linked","operatorUse":"Verify masked placeholder examples and no raw customer or secret values."},{"id":"tenant-branch-guard","label":"Tenant/Branch Guard","area":"tenant and branch","route":"/tenant-branch-scope-guard","linkState":"linked","operatorUse":"Inspect tenant/branch allow and deny examples before any beta recommendation."},{"id":"permission-role-matrix","label":"Permission / Role Matrix","area":"permission","route":"/owner-admin-permission-matrix","linkState":"linked","operatorUse":"Check owner/admin role boundaries and required human review notes."},{"id":"qa-build-evidence","label":"QA / Build Evidence","area":"QA","route":"/release-evidence","linkState":"linked","operatorUse":"Connect build, route smoke and QA marker evidence to the 
operator recommendation."},{"id":"public-receipt-order-qr-previews","label":"Public Receipt / Order / QR previews","area":"public flow","route":"/qr-website-order-intake","linkState":"linked","operatorUse":"Begin QR/order/receipt smoke review and continue through public receipt/order routes."},{"id":"service-activation-kill-switch-webhook","label":"Service activation / kill switch / webhook verification previews","area":"provider safety","route":"/service-activation","linkState":"linked","operatorUse":"Confirm provider activation, kill switches and webhook verification stay disabled/dry-run until human GO."},{"id":"beta-owner-signoff-log","label":"Private beta owner sign-off log","area":"owner approval","route":null,"linkState":"planned / not linked","operatorUse":"Planned human-owned approval artifact; do not treat this pack as final release approval."}],"riskRegister":[{"riskName":"missing QA evidence","area":"QA/build evidence","severity":"P0","operatorSignal":"Build output or QA marker cannot be found or reproduced.","requiredAction":"Run local build and handoff QA script; attach evidence before recommendation.","goHoldImpact":"HOLD-required"},{"riskName":"redaction gap","area":"redaction","severity":"P0","operatorSignal":"Raw contact, secret-like, internal id or customer payload appears unmasked.","requiredAction":"Stop review, remove sample data, re-run redaction QA and request human security review.","goHoldImpact":"GO-blocking"},{"riskName":"permission mismatch","area":"permission","severity":"P1","operatorSignal":"Role matrix allows a role to perform an unexpected owner/admin action.","requiredAction":"Capture mismatch, update permission evidence or require owner/admin sign-off.","goHoldImpact":"HOLD-required"},{"riskName":"tenant/branch leakage","area":"tenant and branch","severity":"P0","operatorSignal":"Cross-tenant or cross-branch mock examples return data instead of block/deny.","requiredAction":"Stop beta recommendation until isolation is clear and 
reproduced locally.","goHoldImpact":"GO-blocking"},{"riskName":"receipt/order abuse risk","area":"public receipt/order","severity":"P1","operatorSignal":"Receipt or order preview lacks replay, revocation, rate-limit or read-only language.","requiredAction":"Inspect abuse guard and receipt access previews; record HOLD if abuse guard is unclear.","goHoldImpact":"HOLD-required"},{"riskName":"webhook/payment readiness uncertainty","area":"provider readiness","severity":"P1","operatorSignal":"Webhook verification or payment readiness appears to need real provider calls.","requiredAction":"Keep provider flow disabled/dry-run and require human GO before any real activation.","goHoldImpact":"HOLD-required"},{"riskName":"offline/local hub assumption not verified","area":"POS/local/offline","severity":"P1","operatorSignal":"Operator cannot find Local Hub/POS offline assumption evidence.","requiredAction":"Review Local Hub, POS offline and route smoke previews before beta recommendation.","goHoldImpact":"HOLD-required"},{"riskName":"private beta operator cannot reproduce evidence","area":"operator reproducibility","severity":"P0","operatorSignal":"Operator cannot run local build/QA or open required preview routes.","requiredAction":"Record environment issue, keep decision on HOLD and request fix before review resumes.","goHoldImpact":"GO-blocking"},{"riskName":"real customer data accidentally used","area":"data safety","severity":"P0","operatorSignal":"Any real customer name, order, receipt, phone, email, payment or production/staging backend dependency appears.","requiredAction":"Stop, remove data from working tree and recommend rotation/remediation if needed.","goHoldImpact":"GO-blocking"}],"decisionRules":{"goAllowedOnlyIf":["readiness scorecard is green/acceptable","no P0 risk exists","no real customer data used","tenant/branch isolation is acceptable","redaction is acceptable","QA/build evidence is present","operator can reproduce local/mock review","human owner approval 
is still pending as the final step"],"holdRequiredIf":["any P0 risk exists","QA/build evidence missing","redaction/permission/tenant isolation unclear","real customer data or real backend dependency found","production/staging action would be needed","operator cannot reproduce evidence locally"]},"handoffSummary":["This page is a private beta review aid, not a release approval.","No deployment is triggered by this pack.","Final beta GO requires human approval."],"qaMarker":"RESULT: MUPZA_PRIVATE_BETA_OPERATOR_HANDOFF_PACK_V1_PASS"}}