Current status is pre-launch. This page separates merged proof, guarded claim boundaries, and work that must finish before paid customer launch.
These items are confirmed by repo-visible files, merged PRs, and current launch-control artifacts.
Privacy policy, terms of service, and credits pages are published. The launch checklist still requires lawyer review before paid launch.
Source: apps/web/src/app/privacy/page.tsx, apps/web/src/app/terms/page.tsx, apps/web/src/app/credits/page.tsx, docs/legal-launch-checklist.md
Launch, legal, AI, security, privacy, field, compliance, and regulator-facing claims are tracked as approved, conditional, internal-only, deferred, or blocked.
Source: docs/launch-claims-register.md
Project grants, consent effects, API-key scope disclosure, audit redaction, passkey session revocation, media purpose disclosure, gallery manifest evidence, observation review evidence, detection project scoping, and acoustic source hashes have merged.
Source: Merged PRs #3893, #3894, #3897, #3899, #3900, #3912, #3915, #3918, #3920, #3924
These items have landed, but they still carry caveats about certification, regulator acceptance, and production launch readiness.
Merged PR #3930
The custody schema and read-only projection API have merged. Public wording still stays internal-only until durable obligations, report/export proof, and review workflows land.
Merged PR #3927
Seed/demo and shared wording now align to Perch v2 for bird audio and manual review for bat audio. AI claims still need human-review caveats.
Merged PRs #3925 and #3926
Route wiring and cross-tenant route matrices have merged. They strengthen security review evidence, but they are not a public security certification.
These are the remaining launch blockers or verification gaps carried in the production checklist.
Map keys, JWT/HMAC secrets, SMTP, CORS, app URLs, WebAuthn origin, database password, and production-only origins still need final production configuration.
Source: docs/legal-launch-checklist.md section 1
Admin MFA enforcement, Redis-backed rate limiting, CSRF session binding, DB TLS, password breach checks, and dependency review remain pre-launch work.
Source: docs/legal-launch-checklist.md section 2
Lawyer-reviewed terms/privacy, professional indemnity insurance, cyber liability insurance, GST threshold handling, registrar hardening, and privacy officer assignment remain open.
Source: docs/legal-launch-checklist.md sections 3 and 8
Log aggregation, external uptime monitoring, production error tracking, on-call ownership, and production backup verification still need launch evidence.
Source: docs/legal-launch-checklist.md sections 4 and 8
Seed data removal, default-admin lockdown, ALA bundle verification, compliance-rule freshness checks, account deletion, export attribution, and export-format validation are still open checks.
Source: docs/legal-launch-checklist.md sections 5 and 7