Run the live intake, reviewed preview, and governed launch path from one workspace.

App portfolio

This owner-only portfolio is derived from Cairn's generic owner-console JSON. It is a Bootstrap-like admin pattern over shared primitives: app refs, routes, usage, resource posture, billing, CRM, support, review/promote, rollback, provider evidence, and app-user admin surfaces can be composed per app without crossing tenant boundaries. Voice-interview creation lanes stay future governed inputs: private transcripts, provider receipts, resource charges, and owner-reviewed build briefs before any generation or promote.

New app creation brief

This owner-only workbench is the first self-serve app creation step. It drafts a browser-session-only brief for a future reviewed source candidate. It does not create a Cairn app, move refs, run source review, generate code, deploy, promote, rollback, bill, email, provision domains, create users, call providers, run LLM or voice actions, or write browser storage.

No browser-session app creation brief drafted.

No hosted app-build request sent. Preview/create require an authorized owner bearer and an explicit click.

Review-only starter candidate proof

The first source-candidate bridge is checked in as a generic cairn app-source manifest, but this owner page does not call it. The local M94 proof runs a synthetic owner through generic app-source-review only: no app refs move, no effects run, no app is deployed, and the over-capability negative stays local-only.

Voice interview creation boundary

This owner-only boundary maps spoken app interviews onto generic Cairn primitives before any provider is opened: realtime sessions, private transcript refs, provider usage receipts, resource/ledger charges, plaintext-free access evidence, and owner-reviewed build briefs. It is not a microphone widget and it does not call ElevenLabs, upload audio, run live transcription, run live LLM generation, create source candidates, deploy, promote, email, bill, or start provider action.

perffection.com login and OAuth boundary

This owner-only boundary separates the future user-facing perffection.com login from the generic Cairn records underneath: identity rows, Argon2id credential inventory, sessions, auth-attempt limits, OAuth clients, scoped tokens, wallets, ledger/gas accounting, revocation, and audit. It does not perform public signup, public login, OAuth authorization, third-party provider login, token issuance, app-user provisioning, impersonation, hosted email, domain provisioning, checkout, production money, public webhooks, real-user email, live voice provider, or live LLM generation.

account-foundation-chirho.json is the checked account foundation map for the full app: platform admin, tenant owner, app user, and service-account layers. It keeps public signup, public login, OAuth authorization, token issuance, password reset, and third-party provider login closed until a reviewed implementation and hosted evidence promote them.

Platform admin safe oversight boundary

This owner-visible boundary sketches the future L.J./Perffection platform-operator view: tenant/app inventory, service-account gas floors, public-edge monitor status, provider enablement posture, billing evidence, support posture, launch gates, custody/rotation evidence, and signed operator-action history. It is a safe status model only. It does not impersonate tenant owners or app users, does not expose raw bearer tokens, sessions, credentials, provider secrets, billing secrets, private blobs, customer plaintext, support plaintext, feedback plaintext, CRM plaintext, email payloads, or raw ledger internals, and does not run rollback, promote, provider, email, payout, signup, OAuth, token, domain, webhook, voice, or LLM actions.

Platform admin safe overview read model

This read model appears only after the existing generic owner-console JSON authorizes the bearer. It derives safe platform-operator posture from owner-console counts, checked-in service posture, and point-in-time hosted evidence labels. It is not a platform-admin console, not a cross-tenant search surface, not impersonation, and not a mutation surface.

Owner quota state read model

This read model appears only after the generic owner-console JSON authorizes the bearer. It renders safe counts and the installed shared request-cap facts; no public surface exposes owner quota internals, and it does not claim traffic headroom, per-visitor fairness, or DDoS protection.

Quota/fuel refresh policy map

This owner-only map separates Perffection's active platform service-account refresh from future tenant-app allowance policy. It is fixed explanatory copy, not an editable budget, and not a promise that traffic capacity is available.

Product command center

These cards summarize the live perffection path in product terms. They show safe status, counts, and links only; explicit reveal, promote, and rollback still go through the governed generic cairn actions below.

First-run guide

This guide helps a first-time owner interpret an empty workspace. It uses safe counts and route-state constants only; it does not expose owner ids, lead ids, CRM profile plaintext, feedback body plaintext, bearer tokens, or secrets.

Delivery queue board

This board combines service-interest triage, safe feedback metadata, reviewed-preview route state, and lead lifecycle status from existing owner-gated reads. It renders safe ids, hashes, counts, labels, and route availability only; it does not read feedback body plaintext and it does not perform reveal, promote, email, rollback, provider, payment, signup, webhook, domain, or LLM actions.

Engagement handoff summary

This summary is a metadata-only owner handoff. It combines safe counts, fixed engagement labels, service-interest labels, and reviewed-route state; it excludes freeform session notes, reveal plaintext, CRM profile plaintext, email recipient/subject/body, feedback body plaintext, bearer tokens, and secrets.

Handoff readiness checklist

This checklist derives safe owner states from the metadata-only handoff summary. It is read-only and does not copy, download, export, post, persist, reveal, email, bill, or trigger provider actions.

Safe review packet

This packet gives a next human reviewer the safe owner context only. It is a briefing view, not an export, approval, deployment, reveal, email, provider, payment, signup, webhook, domain, or LLM action.

Service library boundary map

This owner-visible catalog is backed by checked-in service-library-chirho.json and maps reference modules to generic Cairn evidence boundaries. Status means capability posture, not automatic live availability; provider, signup, production-money, public-webhook, domain, live-LLM, certification, SLA, bank, and Walmart approvals remain explicit.

Resource admission posture

This owner-visible map is backed by checked-in resource-admission-chirho.json. It explains which traffic should stay at Caddy/static aggregate logs, which actions create durable Cairn rows, and which actions should consume owner and app quota, resource, fuel, or ledger budget. It is posture and next-controls guidance, not a claim of automatic capacity.

Todo app data-growth example

This owner-visible example is backed by checked-in data-growth-example-chirho.json. It uses rough ranges for a small todo app to explain what creates durable Cairn records, what should stay at edge logs, and what needs cold-storage or retention policy. It is not pricing, capacity evidence, or a scale guarantee.

Cold-storage lifecycle boundary

This owner-visible map is backed by checked-in cold-storage-lifecycle-chirho.json. It explains what may be disposable, what may move cold, what must remain verifiable, and what needs restore evidence in a time-travel Cairn app. It is not active GC, not live archive automation, and not permission to erase history.

Lead review

Load the workspace to list safe lead row ids. Revealing a lead posts to cairn's governed app-state reveal route; promoting a lead posts the safe row key to cairn's generic promote-crm-chirho route and reuses the existing private blob without profile reveal.

No lead revealed.

No CRM promotion requested.

No CRM profile revealed.

No CRM email action sent.

No engagement session note in this browser session.

Customer feedback

Load the workspace to list safe feedback metadata from cairn's generic bearer-gated feedback inbox. Feedback body plaintext is not shown unless the owner explicitly runs the governed feedback read. Selecting a row prepares safe metadata for review and an optional browser-session-only read.

Each feedback row can become a generic support discussion issue shaped like feedback-<seq>. The owner chooses which discussion items to build; LLM generation, source review, promote, rollback, provider, billing, and email actions stay separate governed steps.

No feedback body read in this browser session.

Governed feedback must be read before a session-only edit brief can be drafted.

Reviewed edit action

Load the workspace to enable owner-gated promote and rollback through cairn's generic app-review route. The action uses a stored source-review report and candidate hash; feedback body reads remain a separate explicit owner action.

No reviewed edit action sent.