LazyToken — Customer Onboarding Checklist
The implementation playbook for standing up LazyToken in a customer environment. This is also the professional-services product (see §4 — enterprise implementation): a repeatable sequence with clear owners, prerequisites, and go-live criteria.04-PRICING.md
Target: from kickoff to a live dashboard with real data in under 60 minutes of hands-on work (PRD §7 time-to-value), spread across a short engagement. Roles referenced: LT = LazyToken implementer (you / Tzedek), IT = customer IT/infra, Sec = customer security/CISO, Champion = the customer's DevEx/Platform lead.
Phase 0 — Pre-kickoff (before day 1) #
| ✔ | Item | Owner |
|---|---|---|
| ☐ | Signed order / license terms; seat count, tier, contract term agreed | LT + Customer |
| ☐ | Security review complete or scheduled — send the Security Whitepaper + DATA-FLOW + NOT-COLLECTED | LT → Sec |
| ☐ | DPA signed if required (DPA-TEMPLATE) | Legal |
| ☐ | Deployment target chosen: Docker Compose / Helm (K8s) / air-gapped | IT + LT |
| ☐ | Identify the pilot cohort (≤ 25 devs recommended for a 30-day pilot) | Champion |
| ☐ | Decide anonymization policy (teams-only vs. named) — a works-council/GDPR call | Sec + Champion |
| ☐ | Confirm AI agents in use (Claude Code, Copilot, Cursor, Gemini CLI) and their MDM (Intune/Jamf/GPO) | Champion + IT |
Exit criteria: contract + security sign-off done; deployment target and pilot cohort chosen.
Phase 1 — Server stand-up (day 1, ~30 min hands-on) #
| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Provision host/cluster + PostgreSQL 16 | IT | Admin Guide §2 |
| ☐ | Generate JWT_SECRET (and SSO_ENCRYPTION_KEY if SSO) out-of-band | IT | |
| ☐ | Deploy the stack (compose/helm) and confirm GET /healthz = ok | IT + LT | |
| ☐ | Put the server behind TLS 1.3 (ingress / reverse proxy) with a real cert | IT | |
| ☐ | Air-gapped only: carry images in, load to local registry, enable NetworkPolicy | IT | AIR-GAPPED.md |
| ☐ | Bootstrap the first admin (env vars or bootstrap:admin) | LT | Admin Guide §3 |
| ☐ | Log in to the dashboard; confirm the empty org loads | LT |
Exit criteria: dashboard reachable over TLS; first admin can log in.
Phase 2 — License & configuration (day 1) #
| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Vendor issues the signed license (gen:license create) for the agreed org/seats/tier/expiry | LT | Admin Guide §4 |
| ☐ | Set LICENSE_PUBLIC_KEY on the server; install the key via PUT /v1/admin/license | IT + LT | |
| ☐ | Verify GET /v1/license/status shows the correct seats/tier/expiry | LT | |
| ☐ | Set token prices to the customer's real per-agent contract rates (Settings) | LT + Finance | Admin Guide §9 |
| ☐ | Set retention_days to the customer's policy | IT + Sec | |
| ☐ | Apply the anonymization decision at policy level | LT | Admin Guide §8 |
Exit criteria: license installed and healthy; prices/retention/anonymization set.
Phase 3 — Identity & access (day 1–2) #
| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Create teams matching the org structure | LT + Champion | Admin Guide §6 |
| ☐ | Configure SSO (OIDC/SAML) against the real IdP and test the full login round-trip in staging | IT + LT | Admin Guide §7 |
| ☐ | Assign RBAC roles: admin(s), finance, team leads, viewers | LT + Champion | |
| ☐ | Confirm MFA is enforced via the customer's IdP | Sec |
Exit criteria: an SSO user can log in and lands with the correct role/scope. (Caveat: validate SSO against the actual IdP — each has quirks.)
Phase 4 — Policy & Context Firewall (day 2) #
| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Review the default policy; set filter level (strict/balanced) | LT + Champion | Admin Guide §8 |
| ☐ | Enable Context Firewall rules; add any org-specific custom regex + guardrails | Sec + LT | |
| ☐ | Distribute standard CLAUDE.md / AGENTS.md via policy if in scope (SDLC templates) | Champion | |
| ☐ | Assign policies to teams/devices; confirm signed policy serves and verifies | LT |
Exit criteria: a signed policy is assigned; a test cat .env shows [REDACTED] / a guardrail block, and the event appears on the Security screen.
Phase 5 — Fleet enrollment (day 2–3) #
| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Create an enroll token (with max-uses/expiry) | LT | Admin Guide §5 |
| ☐ | Package the agent (MSI/pkg/deb/rpm) with --server/--token pre-seeded | IT | deploy/packaging/ |
| ☐ | Note: enable installer signing (EV/notarization/GPG) before broad rollout | IT + LT | |
| ☐ | Enroll a pilot machine manually; confirm ltk status and first metrics arrive | LT | |
| ☐ | Push to the pilot cohort via MDM (Intune/Jamf/GPO) | IT | deploy/mdm/ |
| ☐ | Confirm devices appear on the Fleet screen; no silent devices unexpected | LT |
Exit criteria: the full pilot cohort is enrolled and reporting; Fleet is green.
Phase 6 — Reporting & handover (day 3) #
| ✔ | Item | Owner | Reference |
|---|---|---|---|
| ☐ | Confirm the daily rollup populates the aggregated dashboards | LT | |
| ☐ | Configure monthly ROI report delivery (email recipients / Slack webhook) | LT + Finance | Admin Guide §10 |
| ☐ | Air-gapped/PDF: run npx playwright install chromium so the ROI PDF renders | IT | |
| ☐ | Generate a sample ROI PDF and review with Finance/CFO | LT + Finance | |
| ☐ | Admin training: dashboard tour, policy edits, user/device management, audit log | LT → Champion | Admin Guide §11 |
| ☐ | Hand over runbook: backups (protect DB — it holds the policy private key), health checks, jobs | LT → IT | Admin Guide §12 |
Exit criteria: admins are trained; ROI report delivered; runbook handed over.
Go-live criteria (sign-off gate) #
All must be true before declaring go-live:
- [ ] Server healthy over TLS; license installed and non-expired.
- [ ] SSO login works against the customer IdP; RBAC roles correct.
- [ ] A signed policy is assigned; Context Firewall verified on a live redaction.
- [ ] Pilot cohort enrolled and reporting; Fleet shows expected devices.
- [ ] Executive dashboard shows real savings with correct token prices.
- [ ] Monthly ROI report configured and a sample delivered.
- [ ] Audit log recording admin actions.
- [ ] Backups configured; operations runbook handed to IT.
30-day pilot follow-through (professional services) #
| ✔ | Item | Owner |
|---|---|---|
| ☐ | Week 1 adoption check — chase silent/unenrolled devices | LT + Champion |
| ☐ | Tune filters using the Opportunities screen (high-volume passthrough tools) | LT |
| ☐ | Review Security screen trends with Sec; tune firewall sensitivity/custom rules | LT + Sec |
| ☐ | End-of-pilot: deliver the customer's own ROI report as the renewal artifact | LT → CFO |
| ☐ | Optional: "working effectively with coding agents" workshop for dev teams | LT |
| ☐ | Optional: monthly retainer (optimization, reports, updates) | LT |
Related documents #
- QUICK-START.md · DEMO.md · ADMIN-GUIDE.md · SECURITY-WHITEPAPER.md
— services and packaging.04-PRICING.md