# LazyToken — Customer Onboarding Checklist

The implementation playbook for standing up LazyToken in a customer environment.
This is also the **professional-services product** (see
[`04-PRICING.md`](../04-PRICING.md) §4 — enterprise implementation): a repeatable
sequence with clear owners, prerequisites, and go-live criteria.

**Target:** from kickoff to a live dashboard with real data in **under 60
minutes of hands-on work** (PRD §7 time-to-value), spread across a short
engagement. Roles referenced: **LT** = LazyToken implementer (you / Tzedek),
**IT** = customer IT/infra, **Sec** = customer security/CISO, **Champion** = the
customer's DevEx/Platform lead.

---

## Phase 0 — Pre-kickoff (before day 1)

| ✔ | Item | Owner |
|---|---|---|
| ☐ | Signed order / license terms; seat count, tier, contract term agreed | LT + Customer |
| ☐ | Security review complete or scheduled — send the [Security Whitepaper](./SECURITY-WHITEPAPER.md) + [DATA-FLOW](./DATA-FLOW.md) + [NOT-COLLECTED](./NOT-COLLECTED.md) | LT → Sec |
| ☐ | DPA signed if required ([DPA-TEMPLATE](./DPA-TEMPLATE.md)) | Legal |
| ☐ | Deployment target chosen: Docker Compose / Helm (K8s) / air-gapped | IT + LT |
| ☐ | Identify the pilot cohort (≤ 25 devs recommended for a 30-day pilot) | Champion |
| ☐ | Decide anonymization policy (teams-only vs. named) — a works-council/GDPR call | Sec + Champion |
| ☐ | Confirm AI agents in use (Claude Code, Copilot, Cursor, Gemini CLI) and their MDM (Intune/Jamf/GPO) | Champion + IT |

**Exit criteria:** contract + security sign-off done; deployment target and pilot
cohort chosen.

---

## Phase 1 — Server stand-up (day 1, ~30 min hands-on)

| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Provision host/cluster + PostgreSQL 16 | IT | [Admin Guide §2](./ADMIN-GUIDE.md#2-installation) |
| ☐ | Generate `JWT_SECRET` (and `SSO_ENCRYPTION_KEY` if SSO) out-of-band | IT | |
| ☐ | Deploy the stack (compose/helm) and confirm `GET /healthz` = ok | IT + LT | |
| ☐ | Put the server behind TLS 1.3 (ingress / reverse proxy) with a real cert | IT | |
| ☐ | Air-gapped only: carry images in, load to local registry, enable NetworkPolicy | IT | [AIR-GAPPED.md](../deploy/AIR-GAPPED.md) |
| ☐ | Bootstrap the first admin (env vars or `bootstrap:admin`) | LT | [Admin Guide §3](./ADMIN-GUIDE.md#3-first-admin-bootstrap) |
| ☐ | Log in to the dashboard; confirm the empty org loads | LT | |

**Exit criteria:** dashboard reachable over TLS; first admin can log in.

---

## Phase 2 — License & configuration (day 1)

| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Vendor issues the signed license (`gen:license create`) for the agreed org/seats/tier/expiry | LT | [Admin Guide §4](./ADMIN-GUIDE.md#4-licensing) |
| ☐ | Set `LICENSE_PUBLIC_KEY` on the server; install the key via `PUT /v1/admin/license` | IT + LT | |
| ☐ | Verify `GET /v1/license/status` shows the correct seats/tier/expiry | LT | |
| ☐ | Set **token prices** to the customer's real per-agent contract rates (Settings) | LT + Finance | [Admin Guide §9](./ADMIN-GUIDE.md#9-settings-retention-token-prices-report-delivery) |
| ☐ | Set **retention_days** to the customer's policy | IT + Sec | |
| ☐ | Apply the **anonymization** decision at policy level | LT | [Admin Guide §8](./ADMIN-GUIDE.md#8-policies) |

**Exit criteria:** license installed and healthy; prices/retention/anonymization
set.

---

## Phase 3 — Identity & access (day 1–2)

| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Create **teams** matching the org structure | LT + Champion | [Admin Guide §6](./ADMIN-GUIDE.md#6-teams-users-and-rbac) |
| ☐ | Configure SSO (OIDC/SAML) against the real IdP and test the full login round-trip in staging | IT + LT | [Admin Guide §7](./ADMIN-GUIDE.md#7-sso-oidc--saml) |
| ☐ | Assign RBAC roles: admin(s), finance, team leads, viewers | LT + Champion | |
| ☐ | Confirm MFA is enforced via the customer's IdP | Sec | |

**Exit criteria:** an SSO user can log in and lands with the correct role/scope.
*(Caveat: validate SSO against the actual IdP — each has quirks.)*

---

## Phase 4 — Policy & Context Firewall (day 2)

| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Review the default policy; set filter level (`strict`/`balanced`) | LT + Champion | [Admin Guide §8](./ADMIN-GUIDE.md#8-policies) |
| ☐ | Enable Context Firewall rules; add any org-specific custom regex + guardrails | Sec + LT | |
| ☐ | Distribute standard `CLAUDE.md` / `AGENTS.md` via policy if in scope (SDLC templates) | Champion | |
| ☐ | Assign policies to teams/devices; confirm signed policy serves and verifies | LT | |

**Exit criteria:** a signed policy is assigned; a test `cat .env` shows
`[REDACTED]` / a guardrail block, and the event appears on the Security screen.

---

## Phase 5 — Fleet enrollment (day 2–3)

| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Create an enroll token (with max-uses/expiry) | LT | [Admin Guide §5](./ADMIN-GUIDE.md#5-enrolling-devices) |
| ☐ | Package the agent (MSI/pkg/deb/rpm) with `--server`/`--token` pre-seeded | IT | `deploy/packaging/` |
| ☐ | **Note:** enable installer signing (EV/notarization/GPG) before broad rollout | IT + LT | |
| ☐ | Enroll a pilot machine manually; confirm `ltk status` and first metrics arrive | LT | |
| ☐ | Push to the pilot cohort via MDM (Intune/Jamf/GPO) | IT | `deploy/mdm/` |
| ☐ | Confirm devices appear on the **Fleet** screen; no silent devices unexpected | LT | |

**Exit criteria:** the full pilot cohort is enrolled and reporting; Fleet is
green.

---

## Phase 6 — Reporting & handover (day 3)

| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Confirm the daily rollup populates the aggregated dashboards | LT | |
| ☐ | Configure monthly ROI report delivery (email recipients / Slack webhook) | LT + Finance | [Admin Guide §10](./ADMIN-GUIDE.md#10-scheduled-roi-reports) |
| ☐ | Air-gapped/PDF: run `npx playwright install chromium` so the ROI PDF renders | IT | |
| ☐ | Generate a sample ROI PDF and review with Finance/CFO | LT + Finance | |
| ☐ | Admin training: dashboard tour, policy edits, user/device management, audit log | LT → Champion | [Admin Guide §11](./ADMIN-GUIDE.md#11-reading-the-dashboard) |
| ☐ | Hand over runbook: backups (protect DB — it holds the policy private key), health checks, jobs | LT → IT | [Admin Guide §12](./ADMIN-GUIDE.md#12-operations-quick-reference) |

**Exit criteria:** admins are trained; ROI report delivered; runbook handed over.

---

## Go-live criteria (sign-off gate)

All must be true before declaring go-live:

- [ ] Server healthy over TLS; license installed and non-expired.
- [ ] SSO login works against the customer IdP; RBAC roles correct.
- [ ] A signed policy is assigned; Context Firewall verified on a live redaction.
- [ ] Pilot cohort enrolled and reporting; Fleet shows expected devices.
- [ ] Executive dashboard shows real savings with correct token prices.
- [ ] Monthly ROI report configured and a sample delivered.
- [ ] Audit log recording admin actions.
- [ ] Backups configured; operations runbook handed to IT.

---

## 30-day pilot follow-through (professional services)

| ✔ | Item | Owner |
|---|---|---|
| ☐ | Week 1 adoption check — chase silent/unenrolled devices | LT + Champion |
| ☐ | Tune filters using the **Opportunities** screen (high-volume passthrough tools) | LT |
| ☐ | Review Security screen trends with Sec; tune firewall sensitivity/custom rules | LT + Sec |
| ☐ | End-of-pilot: deliver the customer's own **ROI report** as the renewal artifact | LT → CFO |
| ☐ | Optional: "working effectively with coding agents" workshop for dev teams | LT |
| ☐ | Optional: monthly retainer (optimization, reports, updates) | LT |

---

## Related documents

- [QUICK-START.md](./QUICK-START.md) · [DEMO.md](./DEMO.md) ·
  [ADMIN-GUIDE.md](./ADMIN-GUIDE.md) · [SECURITY-WHITEPAPER.md](./SECURITY-WHITEPAPER.md)
- [`04-PRICING.md`](../04-PRICING.md) — services and packaging.
