← All docs · source: ONBOARDING-CHECKLIST.md

LazyToken — Customer Onboarding Checklist

The implementation playbook for standing up LazyToken in a customer environment. This is also the professional-services product (see 04-PRICING.md §4 — enterprise implementation): a repeatable sequence with clear owners, prerequisites, and go-live criteria.

Target: from kickoff to a live dashboard with real data in under 60 minutes of hands-on work (PRD §7 time-to-value), spread across a short engagement. Roles referenced: LT = LazyToken implementer (you / Tzedek), IT = customer IT/infra, Sec = customer security/CISO, Champion = the customer's DevEx/Platform lead.


Phase 0 — Pre-kickoff (before day 1) #

ItemOwner
Signed order / license terms; seat count, tier, contract term agreedLT + Customer
Security review complete or scheduled — send the Security Whitepaper + DATA-FLOW + NOT-COLLECTEDLT → Sec
DPA signed if required (DPA-TEMPLATE)Legal
Deployment target chosen: Docker Compose / Helm (K8s) / air-gappedIT + LT
Identify the pilot cohort (≤ 25 devs recommended for a 30-day pilot)Champion
Decide anonymization policy (teams-only vs. named) — a works-council/GDPR callSec + Champion
Confirm AI agents in use (Claude Code, Copilot, Cursor, Gemini CLI) and their MDM (Intune/Jamf/GPO)Champion + IT

Exit criteria: contract + security sign-off done; deployment target and pilot cohort chosen.


Phase 1 — Server stand-up (day 1, ~30 min hands-on) #

ItemOwnerReference
Provision host/cluster + PostgreSQL 16ITAdmin Guide §2
Generate JWT_SECRET (and SSO_ENCRYPTION_KEY if SSO) out-of-bandIT
Deploy the stack (compose/helm) and confirm GET /healthz = okIT + LT
Put the server behind TLS 1.3 (ingress / reverse proxy) with a real certIT
Air-gapped only: carry images in, load to local registry, enable NetworkPolicyITAIR-GAPPED.md
Bootstrap the first admin (env vars or bootstrap:admin)LTAdmin Guide §3
Log in to the dashboard; confirm the empty org loadsLT

Exit criteria: dashboard reachable over TLS; first admin can log in.


Phase 2 — License & configuration (day 1) #

ItemOwnerReference
Vendor issues the signed license (gen:license create) for the agreed org/seats/tier/expiryLTAdmin Guide §4
Set LICENSE_PUBLIC_KEY on the server; install the key via PUT /v1/admin/licenseIT + LT
Verify GET /v1/license/status shows the correct seats/tier/expiryLT
Set token prices to the customer's real per-agent contract rates (Settings)LT + FinanceAdmin Guide §9
Set retention_days to the customer's policyIT + Sec
Apply the anonymization decision at policy levelLTAdmin Guide §8

Exit criteria: license installed and healthy; prices/retention/anonymization set.


Phase 3 — Identity & access (day 1–2) #

ItemOwnerReference
Create teams matching the org structureLT + ChampionAdmin Guide §6
Configure SSO (OIDC/SAML) against the real IdP and test the full login round-trip in stagingIT + LTAdmin Guide §7
Assign RBAC roles: admin(s), finance, team leads, viewersLT + Champion
Confirm MFA is enforced via the customer's IdPSec

Exit criteria: an SSO user can log in and lands with the correct role/scope. (Caveat: validate SSO against the actual IdP — each has quirks.)


Phase 4 — Policy & Context Firewall (day 2) #

ItemOwnerReference
Review the default policy; set filter level (strict/balanced)LT + ChampionAdmin Guide §8
Enable Context Firewall rules; add any org-specific custom regex + guardrailsSec + LT
Distribute standard CLAUDE.md / AGENTS.md via policy if in scope (SDLC templates)Champion
Assign policies to teams/devices; confirm signed policy serves and verifiesLT

Exit criteria: a signed policy is assigned; a test cat .env shows [REDACTED] / a guardrail block, and the event appears on the Security screen.


Phase 5 — Fleet enrollment (day 2–3) #

ItemOwnerReference
Create an enroll token (with max-uses/expiry)LTAdmin Guide §5
Package the agent (MSI/pkg/deb/rpm) with --server/--token pre-seededITdeploy/packaging/
Note: enable installer signing (EV/notarization/GPG) before broad rolloutIT + LT
Enroll a pilot machine manually; confirm ltk status and first metrics arriveLT
Push to the pilot cohort via MDM (Intune/Jamf/GPO)ITdeploy/mdm/
Confirm devices appear on the Fleet screen; no silent devices unexpectedLT

Exit criteria: the full pilot cohort is enrolled and reporting; Fleet is green.


Phase 6 — Reporting & handover (day 3) #

ItemOwnerReference
Confirm the daily rollup populates the aggregated dashboardsLT
Configure monthly ROI report delivery (email recipients / Slack webhook)LT + FinanceAdmin Guide §10
Air-gapped/PDF: run npx playwright install chromium so the ROI PDF rendersIT
Generate a sample ROI PDF and review with Finance/CFOLT + Finance
Admin training: dashboard tour, policy edits, user/device management, audit logLT → ChampionAdmin Guide §11
Hand over runbook: backups (protect DB — it holds the policy private key), health checks, jobsLT → ITAdmin Guide §12

Exit criteria: admins are trained; ROI report delivered; runbook handed over.


Go-live criteria (sign-off gate) #

All must be true before declaring go-live:


30-day pilot follow-through (professional services) #

ItemOwner
Week 1 adoption check — chase silent/unenrolled devicesLT + Champion
Tune filters using the Opportunities screen (high-volume passthrough tools)LT
Review Security screen trends with Sec; tune firewall sensitivity/custom rulesLT + Sec
End-of-pilot: deliver the customer's own ROI report as the renewal artifactLT → CFO
Optional: "working effectively with coding agents" workshop for dev teamsLT
Optional: monthly retainer (optimization, reports, updates)LT