PILOT_SCOPE — Canonical Decisions Log¶
Status: Locked for pilot v1
Reference commit: 958a7ca (gate API, outcomes, webhooks, intake scan, payments gate, letter PDF, pilot nav, unified audit trail)
Related docs: ONBOARDING_CHECKLIST.md, CRM_WEBHOOK_INTEGRATION.md
1. Product Thesis¶
Pre-Execution Compliance Infrastructure — a system that sits between intent and action, decides legality in real time, logs the decision, and proves whether the system followed it.
Floor OS is not a dialer, not a CRM, and not a collections suite. It is the compliance layer a collections operation wraps around any dialer, CRM, or payment processor it already owns. Every contact attempt, payment authorization, and letter send passes through a gate that returns allow or block with statutory reasons, a time-boxed audit_id, and a mandatory outcome webhook back to us. The audit trail is not a report generated after the fact — it is the primary artifact, written synchronously with the decision.
2. Wedge¶
Compliance enforcement that cannot be bypassed.
Existing compliance tooling is advisory: a dashboard, a policy library, a training module. If an agent dials anyway, the tool logs a complaint months later. Floor OS inverts that: the decision to dial is ours, the decision to charge a card is ours, the decision to send a letter is ours. The tenant's dialer asks us first and we answer in under 50 ms. If our gate is unreachable, the tenant's system fails closed — no contact, no charge, no send. The agency keeps its existing stack. We replace the moment of authorization.
3. Killer Lines¶
- "If something goes wrong, this system proves we did the right thing — or shows exactly who didn't."
- "If a violation happens, we can prove whether it was prevented or ignored."
These are the two sentences that sell the product. Every feature below earns its place by making one of these sentences more defensible.
4. In-Scope for Pilot v1¶
| Capability | What ships | Why it's in scope |
|---|---|---|
| Gate API | POST /api/v1/compliance/contact-check |
The core wedge. Sub-50 ms allow/block with statutes and audit_id. |
| Outcome API + 4 webhook adapters | POST /api/v1/compliance/contact-outcome plus /webhooks/{five9,twilio,convoso,generic}/{tenant_id} |
Closes the loop. Without outcomes, we can't prove the decision was followed. |
| Payments gate | check_account_payment_allowed() wired into 7 payment endpoints |
P0 risk — charging a card on a bankruptcy stay is a criminal-adjacent violation. Fail-closed. |
| Ingestion + intake scan | Every uploaded row scanned at upload. Report: "X of Y accounts blocked." | First 60 seconds of the tenant's experience. Shows the product working before any config. |
| Letters PDF | GET /api/v1/letters/{id}/pdf, POST /api/v1/letters/bulk-pdf |
Validation notices and state-required letters. Every PDF generation is an event in the audit trail. |
| Debt validation workflow | Intake → 30-day validation window tracking → auto-block until resolved | FDCPA 1692g is the most litigated section. Non-negotiable for pilot v1. |
| Compliance analytics / reports | Dashboards over compliance_event_log: blocks by statute, blocks by channel, outcomes vs decisions |
Tenant's compliance officer and examiner both read this. |
| Library | Policy, templates, statutes, rule database (per-state) | Where the rules live. Editable by tenant's compliance lead. |
| Portfolio View (read-only Excel replacement) | Tabular view of the portfolio with intake scan flags inline | Replaces the spreadsheet agencies email around. Read-only — editing happens in their CRM. |
| Skip trace + RDN connectors | Outbound adapters to tenant-provided skip trace / repossession network vendors | Tenants expect these integrations to survive the pivot. Minimal surface, not a product. |
| IT/Admin surfaces | Tenant provisioning, API key mgmt, SSO, user roles, dialer_config with webhook secrets | Required for any multi-tenant pilot. |
| Consumer portal (link-out) | External URL the agency can forward consumers to for validation requests and complaint intake | Not hosted in our UI chrome. Link-out only in pilot v1. |
| Coverage Dashboard | Which channels / accounts / tenants have intake scan, gate calls, outcomes — and which don't | The "are we actually covered?" question. Surfaces silent failures. |
5. Deferred for Pilot v1¶
Code stays in the repo. Routes stay registered. Hidden via the pilot_mode tenant flag or VITE_PILOT_MODE=1 env var via web/src/lib/nav/pilotFilter.ts.
- Dialer pages (predictive dialer UI, manual dial screen, disposition wrap-up)
- SMS Center (send UI, threads, campaigns)
- Coaching (real-time listen-in, whisper, barge)
- QA (scorecards, call grading)
- Training standalone (LMS, quizzes, certification tracking)
- Agent-workflow tooling (agent desktop, scripts runner, next-best-action)
- Lob mailing (physical mail send integration)
Rationale: every item above is a full product by itself. None of them are the wedge. Keeping the code means a tenant who needs one of them in month 3 gets it turned on, not rebuilt.
6. Demo Entry — 3-Box Structure¶
The demo landing page presents three doors, not a list of features. The first box is featured; the other two are equal-weight secondary.
- Compliance (featured) — Gate API live console, intake scan walkthrough, audit-trail reconstruction, coverage dashboard.
- Operations — Portfolio view, debt validation workflow, letters, payment gate, analytics/reports.
- Admin & IT — Tenant setup, API keys, webhook secrets, SSO, user roles, integration health.
Every other entry point is collapsed behind one of these three.
7. Pricing Tiers¶
Flat monthly pricing per tenant. No per-seat fees. Each tier covers the tenant's typical monthly volume; overage applies if exceeded.
| Tier | Monthly | Setup | Includes |
|---|---|---|---|
| Pilot (featured) | $2,000 | $2,500 one-time | 1 tenant, covers typical monthly volume, 1 dialer/SMS/payment integration, CSV upload, contact-check API, audit log, compliance dashboard. |
| Starter | $2,500 flat | waived | Covers typical monthly volume, 3 integrations, basic analytics, audit log, compliance dashboard. |
| Professional | $5,000 flat | waived | Higher monthly volume included, unlimited integrations, audit-ready reports, custom compliance rules, priority support. |
| Enterprise | Custom, starting $8,000 | scoped at contract | Custom volume commitment, SLA, SSO/SAML, dedicated CSM, on-prem option, custom compliance packs. |
Pricing is per tenant, not per seat. API-key-only integrations are included — every active user or system that calls the gate is covered by the tenant subscription.
8. Reference Commit¶
958a7ca — "Compliance-as-a-service pivot: gate API, outcomes, webhooks, intake scan, payments gate, letter PDF, pilot nav, unified audit trail"
Shipped surfaces:
POST /api/v1/compliance/contact-check (external gate wrapper)
POST /api/v1/compliance/contact-outcome (mandatory outcome receipt)
POST /api/v1/webhooks/{five9,twilio,convoso,generic}/{tenant_id}
GET /api/v1/compliance/events?account_id= (unified reconstruction)
GET /api/v1/ingestion/{upload_id}/intake-report
GET /api/v1/letters/{id}/pdf
POST /api/v1/letters/bulk-pdf
Persistence:
compliance_memory— gate decisions, keyed byaudit_id, 5-minute TTL.contact_outcomes— outcomes keyed byaudit_id, idempotent on(audit_id, outcome, occurred_at).compliance_event_log— unified canonical event stream across decision types. This is the CFPB-reconstruction table.intake_reports+intake_account_scans— ingestion scan results.- Existing tamper-proof
audit_logchain — mirrored into fromlog_compliance_event().
Frontend: pilotFilter.ts hides deferred nav when tenant.pilot_mode=true. PILOT badge in sidebar header.
9. Open Stones Not Yet Turned¶
Tracked explicitly so we don't ship into these cliffs.
- Legal letter review per state. Every state has its own validation-notice wording requirements. The PDF generator renders templates; the templates need a lawyer's signoff per state before a tenant sends one.
- SOC 2 readiness. Type I audit scoping not started. Several controls (access review cadence, change management evidence, incident response runbook) are drafted but not exercised.
- SLA commitments. No written latency or availability commitments to tenants. Gate API measured p50/p99 internally; not yet contractual.
- Fail-closed defaults on our side. Tenant fail-closed is documented; our own behavior when the gate's downstream (state rules DB, SCRA check, bankruptcy check) is slow needs a hard timeout + explicit "allowed=false, reason=degraded" path rather than raising 500.
- CAN-SPAM mapping. Email channel is in
_VALID_CHANNELSbut CAN-SPAM-specific checks (opt-out propagation window, physical-address requirement in footer, sender identity) are not enforced by the gate yet. - HIPAA / BAA if medical debt. No BAA offered. Medical debt tenants require one. Scoping unknown — may narrow the tenant funnel.
- Pen test. Not scheduled. Required for enterprise sales.
- Rule database maintenance. State-rule updates are currently code changes. Needs a process (who watches for regulatory changes, how fast they land, how tenants are notified).
- Statute-of-limitations per state. SOL expiry blocks contact in several states. Captured in the rule database but not cross-checked against the account's first-delinquency date during intake scan in all cases.
- Re-scan triggers. Intake scan runs once on upload. A newly filed bankruptcy the day after upload is not caught until the next gate call. Scheduled re-scan cadence is undefined.
- Revenue model (flat tenant vs. volume overage). Current tiers are flat monthly per tenant with a typical-volume envelope. Overage pricing (per-call or per-contact once the envelope is exceeded) is not yet codified in the contract and is deferred to pilot telemetry.