Flip 360 Commission Platform
Scoping document · Phase 1 · WS2 · Build CRM

Build CRM · high-level scoping document

The federated CRM that holds each professional service provider's "telephone book" as a private database, then exposes consented contacts to other providers via an opt-in/opt-out fabric, feeding the flip 360 referral and commission engine. Same breed as Airbnb / Afterpay / Uber / Airtasker: the protocol is the moat.

P0 · Highest priority · Mon 22/06 → Fri 26/06 · 5 days · WS2 Lead: Carla Oliver · Consult: Matt + Corrina
Budget · D112 · payable today

$550 AUD AI workforce credits

WS2 Lead requests $500 AUD ex-GST + $50 GST = $550 AUD total payable to fund the AI workforce credits/tokens powering this 5-day scoping sprint. CoSai CFO Services Pty Ltd to issue the invoice and procure the credits on Flip 360's behalf. Same-day payment.

Tax invoice CSC-INV-2026-002 · Issued Mon 22 Jun 2026 · Due same-day

1  ·  Business problem · verbatim brief

Two stakeholders briefed the CRM requirement on Sat 21 Jun 2026. Their verbatim words are quoted below — the scoping is anchored on what they actually said, not a reinterpretation.

Matt Punter
CEO & Founder · WS7 Lead · 21 Jun 2026

"The participants of the flip360 business eg a financial planner, an accountant, a mortage broker and so on have a 'telephone book' of clients (a client database) that they can park onto the flip360 business as contactable by other flip360 professional service providers with an opt in/opt out filter for would you like to be connected with. But each of this business providers dont want another business provider being able to direct access their telephone book. Do you follow this data protection legislation and the business offering that matt wants to set up under CRM that feeds the flip360 referral/commission engine?"

Corrina McGowan
WS1 + WS6 Lead · Marketing & BDM · 21 Jun 2026

"The workstream lead Corrina wants to be able to warm up a database that has opted in and be able to have full utilisation of the CRM."

Carla's read-back (WS2 Lead interpretation)

flip 360 is a federated trust marketplace: each provider brings their own book; the platform's value is the consent-gated cross-referral fabric between books. Three non-negotiables:

  1. Provider A's book is provider A's IP. Provider B cannot see names, counts, or any PII of A's contacts without a consent grant.
  2. Consent is the protocol. A client opts in to be discoverable by category. Their data, their choice, one-click opt-out.
  3. Conversions fire commission. An introduction that converts triggers the existing commission engine, governed by a signed Introducer Agreement at /legal/introducer/F360-LEG-####.

Corrina's warm-up CRM is a layered capability on top: once a client has opted in, the owning provider can segment, nurture, campaign, and track lifecycle — full Notion-equivalent CRM utilisation, scoped to that provider's tenant.

2  ·  RACI matrix

Per Carla's instruction: Corrina and Matt for consult on what this CRM needs to do; Carla responsible for elicitation of user requirements mapping to functional spec and UAT.

| Activity | Responsible (does) | Accountable (owns) | Consulted | Informed | Deliverable |
|---|---|---|---|---|---|
| Elicitation of business requirements | Carla Oliver (WS2 Lead) | Carla Oliver | Matt Punter (CEO & Founder, Flip 360 — federated telephone-book model, commission-engine wiring) · Corrina McGowan (CMO / WS1 Lead — warm-up campaigns, WS6 partner activation use cases) | Steering Committee · WS Leads | Verbatim requirement statements + traceability matrix in §1 |
| Mapping requirements → functional spec | Carla Oliver | Carla Oliver | Mathew (validates business model coverage) · Corrina (validates campaign + segment coverage) | Steerco | Functional requirements register in §3 (every requirement → surface → user story → acceptance test) |
| Privacy + compliance review | Carla Oliver (draft) · Pine Lawyers (review) | Carla Oliver | WS4 fractional counsel · Mathew | Steerco · OAIC (if breach notifiable) | APP-by-APP scaffolding in §4 + Pine Lawyers engagement letter (separate artefact, ref D110 → D204) |
| Data model design | Carla Oliver | Carla Oliver | Mathew (validates business semantics) · WS4 counsel (consent grant schema) | Steerco | Schema diagram + DDL stubs in §5 |
| UAT plan authoring | Carla Oliver | Carla Oliver | Matt + Corrina (sign off acceptance criteria) | Steerco | Named testers + scripted scenarios + acceptance criteria in §6 |
| UAT execution (post-build) | Matt + Corrina (test scripts) · Carla (defect triage) | Carla Oliver | WS Leads (cross-WS scenarios) | Steerco | UAT pass/fail register + defect log + sign-off card · executed in build sprint, not scoping sprint |
| Build (design → code → deploy) | Carla Oliver | Carla Oliver | Matt + Corrina (requirements clarifications during build) | Steerco (fortnightly status reports) | Live CRM surfaces on cosaiflip360.org/crm · NOT in this 5-day scoping sprint |
| Cutover + hypercare | Carla Oliver | Carla Oliver | Matt + Corrina · WS4 counsel (go-live legal sign-off) | Steerco · all WS Leads | Cutover runbook + 14-day hypercare plan · Phase 2 deliverable |
| Growth + exit | Carla Oliver (CTO equivalent through to liquidity event) | Carla Oliver | Steering Committee · Series A advisors · acquirer/IPO counsel | All stakeholders | Multi-tenant scale architecture · audited data-room artefact · exit-grade handover docs · long-horizon deliverable |

Note on Single Accountable: Every activity has exactly one accountable name (Carla Oliver as WS2 Lead). Responsible can be plural; accountable cannot. This is the discipline that makes the build defensible at exit.

3  ·  Functional requirements register

15 requirements — architectural/platform baseline (FR-CRM-001 to 015) elicited from the briefs in §1 plus Carla's WS2 Lead architectural foundation. Every requirement traces to a verbatim source, maps to a proposed surface, and carries an acceptance test that UAT will execute against.

Deploy 2.0.6 — Register B retired: The prior role-by-role user-req register (FR-CRM-016+) and its supporting artefacts were sourced from a wrong-framed data file that described Community Managers as acquiring "members" instead of partners. Carla (CRM architect, ex-Salesforce/MS Dynamics) has paused that authoring track to redesign the CRM from first principles under the correct frame. See /crm-truth for the canonical understanding and D116 (Superseded 25 Jun 2026) for the audit anchor.
P0 · Must: 11 · P1 · Should: 4 · P2 · Could: 0
FR-CRM-001 · P0 · scoping · Tenant isolation
Each professional service provider has a private database of their own clients ("telephone book") that NO other provider can directly access.
Source: Matt verbatim 21 Jun: "each of this business providers dont want another business provider being able to direct access their telephone book"
Surface: /crm/contacts — every query scoped by owner_id at middleware layer
Acceptance test: Provider B authenticated as B cannot retrieve a single row of provider A's contacts via any /crm/* endpoint, /api/* endpoint, or direct D1 query. Penetration test passes.

FR-CRM-002 · P0 · scoping · Consent fabric
Each contact can be opted-in by the data subject to be discoverable to other providers, with a category filter ("would you like to be connected with mortgage broker / accountant / etc.").
Source: Matt verbatim 21 Jun: "with an opt in/opt out filter for would you like to be connected with"
Surface: /me/{token} — data subject self-service portal · /crm/contacts/:id consent panel for provider view
Acceptance test: Client receives opt-in email, lands on consent page, selects categories, submits. Their record flips owner_visibility from PRIVATE to DISCOVERABLE with category array. Opt-out is one-click and instantaneous.

FR-CRM-003 · P0 · scoping · Consent fabric
When provider B searches the discovery layer, they see anonymised counts ("3 clients in your area open to mortgage introductions") — NEVER the names or owning provider.
Source: Matt verbatim 21 Jun: "each of this business providers dont want another business provider being able to direct access their telephone book"
Surface: /crm/network — anonymised discovery cards
Acceptance test: Provider B sees zero PII of any contact owned by provider A until an introduction is requested, approved by A, and made by A.

FR-CRM-004 · P0 · scoping · Introductions feed commission engine
Every cross-provider introduction that converts to commercial activity fires a commission ledger entry governed by a signed Introducer Agreement.
Source: Matt verbatim 21 Jun: "the business offering that matt wants to set up under CRM that feeds the flip360 referral/commission engine"
Surface: /crm/introductions/:id with governing_agreement_execution_id link to /legal/introducer/F360-LEG-####
Acceptance test: A conversion flips introduction.status to CONVERTED, fires a commission_rules row, appears as a /chain ledger entry. Trace from /chain row back to signed legal instrument completes in 2 clicks.

FR-CRM-005 · P1 · scoping · Warm-up + campaigns
Provider can segment the opted-in marketing list and run nurture campaigns (email, SMS later) against it with full lifecycle tracking.
Source: Corrina verbatim 21 Jun: "want to be able to warm up a database that has opted in and be able to have full utilisation of the crm"
Surface: /crm/campaigns + /crm/campaigns/:id with send / open / click / convert / unsubscribe events
Acceptance test: Corrina creates a campaign, picks a segment (financial-planning category, age 30-50, urban postcodes), sends to ~50 contacts (test list), sees send + open + click counts within 5 minutes.

FR-CRM-006 · P1 · scoping · Lifecycle stage tracking
Each contact has a lifecycle stage: Cold → Warming → Engaged → Active → Lapsed. Stage advances on defined events.
Source: Corrina verbatim 21 Jun: "warm up a database"
Surface: /crm/contacts/:id lifecycle panel · /crm/reports aggregate by stage
Acceptance test: Stage advances automatically on: open count ≥ 3 (Warming), click count ≥ 1 (Engaged), introduction accepted (Active), no engagement 90 days (Lapsed).

FR-CRM-007 · P0 · scoping · Audit + APP 11 compliance
Every disclosure of personal information is logged with timestamp, querying provider, target contact, query type.
Source: Privacy Act 1988 APP 11.2 (record of disclosures)
Surface: /crm/admin/audit (privacy officer only) · disclosure_log table append-only
Acceptance test: Disclosure log query returns every read of contact data for the last 90 days with full attribution chain. Pen test confirms no bypass route.

FR-CRM-008 · P0 · scoping · Self-service data subject rights
Every data subject can view, edit, export, and delete the data flip 360 holds on them via a unique self-service link.
Source: Privacy Act 1988 APP 12 + APP 13
Surface: /me/{token} portal
Acceptance test: Data subject lands on portal, sees full record, downloads JSON export, can submit deletion request which propagates to deletion within 30 days.

FR-CRM-009 · P0 · scoping · Provider onboarding KYC
A new provider must complete KYC (AFSL/ACL or equivalent + professional indemnity insurance certificate + signed Provider Agreement) before being issued a tenant scope.
Source: Carla as WS2 Lead: existential platform integrity requirement
Surface: /crm/admin/providers/new + /legal/provider-agreement (new Pine Lawyers instrument)
Acceptance test: Provider candidate cannot import a single contact until KYC checklist is 100% complete and countersigned by a flip 360 admin.

FR-CRM-010 · P0 · scoping · Marketing consent separation
Introduction consent is SEPARATE from marketing-email consent. Two checkboxes on opt-in form. Spam Act 2003 compliant.
Source: Spam Act 2003 + Privacy Act APP 7
Surface: Opt-in consent page two-checkbox UX
Acceptance test: A contact who consents only to introductions never receives a marketing campaign. Audit log proves segregation.

FR-CRM-011 · P1 · scoping · Pipeline kanban
Provider can drag a contact through pipeline stages (Lead → Qualified → Active → Won / Lost) with stage-change activity log.
Source: Carla as WS2 Lead: minimum CRM viability
Surface: /crm/pipelines/:type kanban board
Acceptance test: Drag-and-drop stage advance fires activity entry, updates contact.stage column, persists across reloads.

FR-CRM-012 · P1 · scoping · Activity timeline
Every contact has a chronological activity timeline: email logged, call note, meeting note, stage change, introduction made, campaign send, legal doc signed.
Source: Standard CRM table-stakes
Surface: /crm/contacts/:id activity panel
Acceptance test: Timeline renders 50 most recent events in correct order; full audit trail downloadable.

FR-CRM-013 · P0 · scoping · Integration with existing platform
CRM extends the existing contacts table; does NOT fork. Wiring to commission_rules, ledger, legal_agreements is preserved.
Source: Carla as WS2 Lead: architectural integrity — single source of truth
Surface: Schema migration 0011_crm_overlay.sql (no breaking changes to /app/*)
Acceptance test: Every existing /app/* surface continues to work; /commission ledger continues to fire; no migration of existing data.

FR-CRM-014 · P0 · scoping · Bulk import safeguards
CSV bulk import requires click-through warranty by provider that they have lawful basis to import, and auto-fires APP 5 collection notice to every imported contact within 30 days.
Source: Privacy Act 1988 APP 5
Surface: /crm/contacts/import flow
Acceptance test: Warranty checkbox blocks import until ticked; collection notice queued to send; audit log of every imported row.

FR-CRM-015 · P0 · scoping · WebAuthn for providers
Provider accounts (which hold whole telephone books) must use WebAuthn / hardware key authentication, not password-only.
Source: Carla as WS2 Lead: a compromised provider account = a whole telephone book leaked
Surface: Auth flow at /auth/* · WS2 hardening backlog H302 promoted
Acceptance test: Provider cannot log in without WebAuthn registered. TOTP fallback only for recovery.

4  ·  Privacy compliance scaffolding

flip 360 will (at scale) be an APP entity under the Privacy Act 1988 holding personal information of tens of thousands of Australians, plus a sender under the Spam Act 2003. Compliance is not a phase 2 feature; it is the foundation.

Mandatory blocker before launch: Pine Lawyers reviews consent flow + drafts privacy policy + collection notice + Provider Agreement. Without this signed off, the federated consent fabric (FR-CRM-002, 003, 014) cannot ship. Sequencing option (a) in §8 mitigates by shipping the owner-private CRM first.

| APP | Principle | CRM implementation | Linked requirement |
|---|---|---|---|
| APP 1 | Open & transparent management | Privacy policy published at /legal/privacy. Privacy officer named. Data-handling practices documented. | FR-CRM-007 |
| APP 3 | Collection of solicited PI | Each contact has collection_purpose, collection_source, collected_at columns. No collection without lawful purpose. | FR-CRM-014 |
| APP 5 | Notification at/before collection | Every opt-in page renders the collection notice. CSV imports auto-fire notice within 30 days. | FR-CRM-014 |
| APP 6 | Use & disclosure | Disclosure only with active consent grant + category match. Every disclosure logged. | FR-CRM-002, FR-CRM-003, FR-CRM-007 |
| APP 7 | Direct marketing | Marketing opt-in SEPARATE from introduction opt-in. Two-checkbox UX. One-click unsubscribe. | FR-CRM-010 |
| APP 8 | Cross-border disclosure | Cloudflare global edge declared in privacy policy. Data sovereignty stance documented. | FR-CRM-007 |
| APP 10 | Quality of PI | Data subject self-service portal (/me/{token}) lets contact update record. | FR-CRM-008 |
| APP 11 | Security of PI | Encryption at rest (D1 default) + in transit (TLS). Hash-anchored audit log. RBAC. WebAuthn for providers. | FR-CRM-007, FR-CRM-015 |
| APP 12 | Access to PI | Self-service portal shows what flip 360 holds. JSON export available. | FR-CRM-008 |
| APP 13 | Correction of PI | Self-service portal allows edit + deletion request (30-day propagation). | FR-CRM-008 |
| Spam Act 2003 | Commercial electronic messages | Express consent only. Sender identification on every message. Working unsubscribe < 5 days. | FR-CRM-010 |

5  ·  Data model proposal

The CRM extends the existing live schema; it does not fork. The existing contacts / deals / commission_rules / legal_agreements tables continue to be the source of truth. New tables overlay consent, disclosure audit, introductions, campaigns.

Schema overlay (migration 0011_crm_overlay.sql)

-- EXTEND existing contacts table (no breaking changes)
ALTER TABLE contacts ADD COLUMN owner_provider_id INTEGER REFERENCES providers(id);
ALTER TABLE contacts ADD COLUMN owner_visibility TEXT DEFAULT 'PRIVATE';
  -- 'PRIVATE' (default, owner-only) | 'DISCOVERABLE' (consent granted)
ALTER TABLE contacts ADD COLUMN discoverable_categories TEXT;  -- JSON array
ALTER TABLE contacts ADD COLUMN collection_purpose TEXT;
ALTER TABLE contacts ADD COLUMN collection_source TEXT;
ALTER TABLE contacts ADD COLUMN collected_at DATETIME;
ALTER TABLE contacts ADD COLUMN consent_version TEXT;
ALTER TABLE contacts ADD COLUMN lifecycle_stage TEXT DEFAULT 'cold';
  -- 'cold' | 'warming' | 'engaged' | 'active' | 'lapsed'
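ALTER TABLE contacts ADD COLUMN self_service_token TEXT;
  -- SQLite (D1) rejects ADD COLUMN with a UNIQUE constraint, so uniqueness is enforced by an index
CREATE UNIQUE INDEX idx_contacts_self_service_token ON contacts(self_service_token);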

-- NEW · providers (the tenants)
CREATE TABLE providers (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  business_name TEXT NOT NULL,
  professional_category TEXT NOT NULL,  -- 'financial-planner' | 'broker' | ...
  afsl_acl_number TEXT,
  pi_insurance_cert_url TEXT,
  kyc_completed_at DATETIME,
  provider_agreement_execution_id INTEGER REFERENCES agreement_executions(id),
  webauthn_credential_id TEXT,
  status TEXT DEFAULT 'PENDING',  -- 'PENDING' | 'ACTIVE' | 'SUSPENDED'
  created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);

-- NEW · consent_grants (the consent ledger, hash-anchored)
CREATE TABLE consent_grants (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  contact_id INTEGER NOT NULL REFERENCES contacts(id),
  owner_provider_id INTEGER NOT NULL REFERENCES providers(id),
  granted_at DATETIME NOT NULL,
  consent_version TEXT NOT NULL,
  categories TEXT NOT NULL,  -- JSON array
  marketing_opt_in INTEGER DEFAULT 0,  -- Spam Act separation
  introduction_opt_in INTEGER DEFAULT 0,
  ip_address TEXT,
  user_agent TEXT,
  withdrawn_at DATETIME,
  payload_hash TEXT NOT NULL  -- sha-256
);

-- NEW · disclosure_log (APP 6 + APP 11.2 audit)
CREATE TABLE disclosure_log (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  query_provider_id INTEGER NOT NULL REFERENCES providers(id),
  target_contact_id INTEGER NOT NULL REFERENCES contacts(id),
  query_type TEXT NOT NULL,  -- 'discovery-count' | 'intro-request' | 'intro-made'
  occurred_at DATETIME DEFAULT CURRENT_TIMESTAMP,
  request_id TEXT  -- correlates with introductions.id where applicable
);

-- NEW · introductions (feeds commission engine)
CREATE TABLE introductions (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  introducer_provider_id INTEGER NOT NULL REFERENCES providers(id),
  target_provider_id INTEGER NOT NULL REFERENCES providers(id),
  contact_id INTEGER NOT NULL REFERENCES contacts(id),
  status TEXT NOT NULL,  -- 'REQUESTED' | 'APPROVED' | 'DECLINED' | 'MADE' | 'CONVERTED'
  governing_agreement_execution_id INTEGER REFERENCES agreement_executions(id),
  commission_rule_id INTEGER REFERENCES commission_rules(id),
  requested_at DATETIME DEFAULT CURRENT_TIMESTAMP,
  converted_at DATETIME
);

-- NEW · campaigns (Corrina's warm-up)
CREATE TABLE campaigns (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  owner_provider_id INTEGER NOT NULL REFERENCES providers(id),
  name TEXT NOT NULL,
  segment_definition TEXT NOT NULL,  -- JSON query spec
  status TEXT DEFAULT 'DRAFT',
  marketing_consent_gate INTEGER DEFAULT 1,  -- hard requirement
  created_at DATETIME DEFAULT CURRENT_TIMESTAMP
);

-- NEW · campaign_sends (per-recipient event log)
CREATE TABLE campaign_sends (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  campaign_id INTEGER NOT NULL REFERENCES campaigns(id),
  contact_id INTEGER NOT NULL REFERENCES contacts(id),
  sent_at DATETIME,
  opened_at DATETIME,
  clicked_at DATETIME,
  unsubscribed_at DATETIME,
  converted_at DATETIME
);

-- INDICES for tenant isolation enforcement
CREATE INDEX idx_contacts_owner ON contacts(owner_provider_id);
CREATE INDEX idx_consent_grants_contact ON consent_grants(contact_id);
CREATE INDEX idx_disclosure_log_query ON disclosure_log(query_provider_id, occurred_at);
CREATE INDEX idx_introductions_status ON introductions(status);
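
A send-time check built on the consent_grants columns above, covering FR-CRM-010 and UAT-06: who in a segment may receive marketing, and why each other contact is refused. This is an added example, not code from the flip 360 platform; the type and function names are hypothetical, the grant rows are constructed, and it assumes the most recent grant a provider holds for a contact supersedes earlier ones.

```typescript
// Added example, not platform code. Field names follow consent_grants in
// migration 0011; type and function names are hypothetical.
// Assumption: the latest grant a provider holds for a contact supersedes
// earlier ones, and a withdrawn_at value voids that grant.

type ConsentGrant = {
  contact_id: number
  owner_provider_id: number
  granted_at: string           // ISO-8601 UTC
  marketing_opt_in: 0 | 1      // Spam Act consent
  introduction_opt_in: 0 | 1   // cross-provider introduction consent
  withdrawn_at: string | null
}
type Refusal = { contactId: number; reason: string }
type SendPlan = { send: number[]; refused: Refusal[] }

// Latest grant this provider holds for the contact as of `at` (epoch ms).
function latestGrant(grants: ConsentGrant[], contactId: number, providerId: number, at: number): ConsentGrant | null {
  let best: ConsentGrant | null = null
  let bestTime = -Infinity
  for (const g of grants) {
    if (g.contact_id !== contactId || g.owner_provider_id !== providerId) continue
    const t = Date.parse(g.granted_at)
    if (isNaN(t) || t > at) continue // unparseable or future-dated grants never count
    if (t > bestTime) { best = g; bestTime = t }
  }
  return best
}

// null = may receive marketing; otherwise the reason to write to the audit log.
function marketingRefusal(grants: ConsentGrant[], contactId: number, providerId: number, at: number): string | null {
  const g = latestGrant(grants, contactId, providerId, at)
  if (g === null) return 'no-consent-grant'
  // Fail closed: a withdrawn_at that is not provably in the future voids the grant.
  if (g.withdrawn_at !== null && !(Date.parse(g.withdrawn_at) > at)) return 'consent-withdrawn'
  if (g.marketing_opt_in !== 1) {
    return g.introduction_opt_in === 1 ? 'introduction-consent-only' : 'no-marketing-consent'
  }
  return null
}

// Split a campaign segment into contacts to send to and refusals to log.
function planCampaignSend(segment: number[], grants: ConsentGrant[], providerId: number, at: number): SendPlan {
  const plan: SendPlan = { send: [], refused: [] }
  const unique = segment.filter((id, i) => segment.indexOf(id) === i) // never send twice
  for (const contactId of unique) {
    const reason = marketingRefusal(grants, contactId, providerId, at)
    if (reason === null) plan.send.push(contactId)
    else plan.refused.push({ contactId, reason })
  }
  return plan
}

// Constructed sample rows: provider 10's grants plus one row held by provider 11.
const SAMPLE_GRANTS: ConsentGrant[] = [
  // contact 1: both boxes ticked
  { contact_id: 1, owner_provider_id: 10, granted_at: '2026-06-22T01:00:00Z', marketing_opt_in: 1, introduction_opt_in: 1, withdrawn_at: null },
  // contact 2: introductions only (the UAT-06 case)
  { contact_id: 2, owner_provider_id: 10, granted_at: '2026-06-22T01:00:00Z', marketing_opt_in: 0, introduction_opt_in: 1, withdrawn_at: null },
  // contact 3: ticked marketing, then re-consented two days later without it
  { contact_id: 3, owner_provider_id: 10, granted_at: '2026-06-22T01:00:00Z', marketing_opt_in: 1, introduction_opt_in: 1, withdrawn_at: null },
  { contact_id: 3, owner_provider_id: 10, granted_at: '2026-06-24T01:00:00Z', marketing_opt_in: 0, introduction_opt_in: 1, withdrawn_at: null },
  // contact 4: marketing consent given, then withdrawn
  { contact_id: 4, owner_provider_id: 10, granted_at: '2026-06-22T01:00:00Z', marketing_opt_in: 1, introduction_opt_in: 0, withdrawn_at: '2026-06-23T00:00:00Z' },
  // contact 5: marketing consent exists, but in another provider's tenant
  { contact_id: 5, owner_provider_id: 11, granted_at: '2026-06-22T01:00:00Z', marketing_opt_in: 1, introduction_opt_in: 1, withdrawn_at: null },
]
```

The refused list is what the send routine would write to the audit log before dropping those recipients.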

Tenant isolation enforcement

Tenant isolation is enforced at the middleware layer, not in business logic. Every Hono route handler that reads contact data is wrapped:

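// src/middleware/tenantScope.ts (proposed)
import type { MiddlewareHandler } from 'hono'
// getSession: the platform's session helper, imported from wherever it lives in the code base

export const tenantScope: MiddlewareHandler = async (c, next) => {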
  const session = await getSession(c)
  if (!session?.providerId) return c.json({ error: 'unauthenticated' }, 401)
  c.set('providerId', session.providerId)
  // EVERY downstream SELECT on contacts MUST include owner_provider_id = ?
  // Linter enforces; PR review enforces; runtime assertion enforces.
  await next()
}

There is no "admin view" that bypasses tenant scope except a single named privacy-officer route under /crm/admin/audit with every access written to disclosure_log.
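
The middleware above only pins providerId on the request context; the runtime assertion named in its comment has to sit where statements are issued. One way to write that assertion, as an added example that is not the platform's code: SqlExecutor, TenantDb and checkStatement are hypothetical names, and the check is a text-level tripwire for developer mistakes, layered under lint and review, not a SQL parser.

```typescript
// Added example, not platform code. Handlers would receive a TenantDb
// instead of the raw database binding; all names here are hypothetical.

type SqlValue = string | number | null

interface SqlExecutor {
  run(sql: string, params: SqlValue[]): Promise<unknown[]>
}

// Blank out string literals and comments in one pass, so a '?' or the word
// "contacts" inside them cannot skew table detection or placeholder counting.
function stripLiteralsAndComments(sql: string): string {
  return sql.replace(/'(?:[^']|'')*'|--[^\n]*|\/\*[\s\S]*?\*\//g, (m) => (m[0] === "'" ? "''" : ' '))
}

// Returns null when the statement is acceptable for this tenant, else the reason.
function checkStatement(sql: string, params: SqlValue[], providerId: number): string | null {
  const bare = stripLiteralsAndComments(sql)
  // A plain INSERT ... VALUES reads nothing back; it is outside this guard.
  if (/^\s*insert\b/i.test(bare) && !/\bselect\b/i.test(bare)) return null
  // Count references to the table itself, not qualifiers such as "contacts.id".
  const refs = (bare.match(/\bcontacts\b(?!\s*\.)/gi) || []).length
  if (refs === 0) return null

  const predicate = /\bowner_provider_id\s*=\s*\?/gi
  let predicates = 0
  let hit: RegExpExecArray | null
  while ((hit = predicate.exec(bare)) !== null) {
    // The predicate's bind position is the number of placeholders before it.
    const bindIndex = (bare.slice(0, hit.index).match(/\?/g) || []).length
    if (params[bindIndex] !== providerId) {
      return 'owner_provider_id is bound to a value other than the session provider'
    }
    predicates++
  }
  // A self-join or subquery on contacts needs its own predicate per reference.
  if (predicates < refs) return 'fewer owner predicates than references to contacts'
  // A predicate joined by OR can be widened past the tenant; reject conservatively.
  if (/\bor\b/i.test(bare)) return 'OR is not allowed in a contacts statement'
  return null
}

class TenantScopeError extends Error {}

class TenantDb {
  private readonly inner: SqlExecutor
  readonly providerId: number

  constructor(inner: SqlExecutor, providerId: number) {
    this.inner = inner
    this.providerId = providerId
  }

  // Fails closed: a violating statement throws before the database is touched.
  query(sql: string, params: SqlValue[]): Promise<unknown[]> {
    const violation = checkStatement(sql, params, this.providerId)
    if (violation !== null) throw new TenantScopeError(violation)
    return this.inner.run(sql, params)
  }
}
```

In the proposed middleware, the wrapper would be built from the session's providerId and placed on the context, so route handlers never hold an unscoped database handle.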

6  ·  UAT plan

UAT executes after build, before cutover. Named testers, scripted scenarios, acceptance criteria all gated. Sign-off card on /engagement/pmo/scoping/crm at completion.

Testers

UAT scenarios (one per P0 requirement minimum)

| # | Scenario | Tester | Pass criterion | FR link |
|---|---|---|---|---|
| UAT-01 | Provider B authenticated as B attempts to retrieve provider A's contacts via 12 different endpoints | Carla | 0 rows returned across all 12 attempts. Pen test log captured. | FR-CRM-001 |
| UAT-02 | Test contact receives opt-in email, completes consent flow with 3 categories selected, submits | Carla via test contact | consent_grants row written with hash. Contact owner_visibility = DISCOVERABLE. /crm/network shows the contact in discovery count. | FR-CRM-002 |
| UAT-03 | Provider B searches discovery for "mortgage broker" category; sees count of 5 anonymised contacts but no PII | Carla (acting as provider B) | Response payload contains zero PII fields. Only count + category + geo coarse-grain. | FR-CRM-003 |
| UAT-04 | Provider B requests intro to one of those 5; provider A approves; intro is made; conversion logged | Mathew + Carla | introductions row flips REQUESTED → APPROVED → MADE → CONVERTED. commission_rules row fires. /chain ledger entry appears. Trace back to /legal/introducer/F360-LEG-#### works in 2 clicks. | FR-CRM-004 |
| UAT-05 | Corrina creates a campaign on a 50-contact opted-in segment, sends, observes opens + clicks + unsubscribes | Corrina | Dashboard shows real-time send count, open count, click count, unsubscribe count. All within 5 minutes of send. | FR-CRM-005 |
| UAT-06 | Corrina attempts to send campaign to a contact who consented to introductions but NOT to marketing | Corrina | Send routine refuses. Audit log records the refusal. No email leaves. | FR-CRM-010 |
| UAT-07 | Test data subject lands on /me/{token}, views record, edits phone, exports JSON, requests deletion | Carla via test data subject | All four operations succeed. Deletion request triggers 30-day workflow with audit entries. | FR-CRM-008 |
| UAT-08 | Privacy officer queries disclosure_log for last 30 days | Carla (privacy officer role) | Full chronological log returns. Every disclosure has timestamp, querying provider, target contact, query type. Append-only verified. | FR-CRM-007 |
| UAT-09 | New provider attempts CSV import before completing KYC | Mathew (acting as new provider) | Import blocked. Error message points to KYC checklist. After completing KYC, import proceeds. | FR-CRM-009, FR-CRM-014 |
| UAT-10 | Provider B attempts to log in with password only (no WebAuthn) | Carla | Login rejected. Message instructs to register hardware key. | FR-CRM-015 |
| UAT-11 | Provider drags a contact through pipeline stages (Lead → Qualified → Active → Won) | Corrina | Stage advance fires activity entry, persists across reload. Activity timeline shows 4 stage-change events. | FR-CRM-011, FR-CRM-012 |
| UAT-12 | Existing /app/rules continues to work after migration 0011 | Carla | All existing commission engine surfaces unchanged. /app/rules still shows governing-agreement column. /chain still renders. | FR-CRM-013 |

UAT sign-off: 12 of 12 scenarios PASS + Pine Lawyers review countersigned + privacy officer named + first audit log entry verified hash-anchored = green light to cutover. Anything less = defect log + remediation sprint + re-test.

7  ·  Risk + dependency register

Risks

CRM-R01 · Impact: Critical · Probability: Medium · Privacy / regulatory
OAIC complaint or notifiable data breach if consent fabric or tenant isolation fails.
Mitigation: Pine Lawyers reviews consent flow + privacy policy + collection notice before launch. Privacy officer named. APP scaffolding in §4. Tenant isolation enforced at middleware, not business logic. Penetration test before go-live.
CRM-R02 · Impact: Critical · Probability: Low · Provider trust
A provider perceives their book is leaking and withdraws — first such event publicly destroys the federated trust marketplace.
Mitigation: Provider Agreement (Pine Lawyers) explicitly warrants tenant isolation. Audit log accessible to provider showing every disclosure of their data. Bug bounty post-launch.
CRM-R03 · Impact: High · Probability: Medium · Spam Act compliance
Marketing campaign sent to contact who only consented to introductions, not marketing. Up to $1.1m fine per breach.
Mitigation: Two-checkbox consent UX (FR-CRM-010). Campaign send routine refuses to send to a contact without marketing_opt_in=TRUE. Unit test gates deploy.
CRM-R04 · Impact: Medium · Probability: High · Capacity
WS2 Lead (Carla) capacity overload — design, build, cutover, hypercare, growth, exit + existing platform commitments (Stripe Connect, observability, KPMG/EY) may slip.
Mitigation: Sequencing decision at SC#2 explicitly trades milestones. Stripe Connect re-baseline option already open as D204. Health amber on /engagement/pmo/workstream/WS2/ops. Steerco-visible.
CRM-R05 · Impact: Medium · Probability: High · Scope creep
Matt or Corrina expand requirements mid-build; build never reaches cutover.
Mitigation: This scoping doc becomes the change-control baseline. Any new requirement after Fri 26 Jun 17:00 = formal change request to Steerco. RACI makes consult vs accountable explicit.
CRM-R06 · Impact: High · Probability: Low · Data model fragmentation
New CRM tables duplicate existing contacts data — single-source-of-truth principle breaks.
Mitigation: FR-CRM-013 makes extension (not fork) a P0 acceptance criterion. Schema migration 0011 is overlay only.
CRM-R07 · Impact: Critical · Probability: Medium · Authentication
Password-only provider auth = whole telephone book at risk on first credential compromise.
Mitigation: WebAuthn promoted to P0 (FR-CRM-015). H302 hardening item bumped to Phase 1 blocker for CRM launch.
CRM-R08 · Impact: High · Probability: Medium · Pine Lawyers dependency
Consent fabric cannot ship without Pine Lawyers privacy review; Pine Lawyers engagement may slip.
Mitigation: Sequencing option (a) ships owner-private CRM first WITHOUT cross-provider visibility — does not depend on Pine Lawyers. Federated fabric layered when legal review completes. See §8.

Dependencies

| # | Dependency | Blocks | Owner | Status |
|---|---|---|---|---|
| D-01 | Pine Lawyers engagement (privacy policy + collection notice + Provider Agreement) | FR-CRM-002, FR-CRM-003, FR-CRM-009, FR-CRM-014 | Mathew via WS4 counsel intro | NOT STARTED |
| D-02 | Stripe Connect or ABA file rail decision (D204) | FR-CRM-004 (commission firing requires payment rail) | Carla / Steerco #2 | PENDING SC#2 |
| D-03 | WebAuthn library + Cloudflare Worker integration spike | FR-CRM-015 | Carla | BACKLOG (H302) |
| D-04 | Matt + Corrina availability for requirements consult this week | Every elicitation activity in §3 | Carla to book | IN PROGRESS |
| D-05 | Existing contacts / commission_rules / legal_agreements schemas (already live) | FR-CRM-013 | N/A — already in production | AVAILABLE |

8  ·  Sequencing options for Steerco #2 decision

Three viable paths through the build. Steerco #2 (Mon 29 Jun 2026) approves one. This scoping document is the evidence base for that decision.

Option A · Owner-private first, federate later

Ship the owner-private CRM in fortnight 1 (each provider runs their own book, no cross-provider visibility). Layer consent fabric + introductions + commissions in fortnight 2-3 once Pine Lawyers signs off.

Pros: Lowest risk. Corrina gets something usable on day 14 for WS6. Does not block on Pine Lawyers. Stripe Connect can proceed in parallel.

Cons: Federated trust marketplace (the actual product) ships in fortnight 3, not fortnight 1.

Effort: ~25 days across 3 fortnights.
Carla recommendation: RECOMMENDED
Option B · Full federated CRM end-to-end day 1

Build the full consent fabric + introductions + campaigns + commissions concurrently. Pine Lawyers engaged in parallel from day 1. Ship as a single coherent product in fortnight 3.

Pros: Product launch is the actual federated marketplace, not a stepping-stone. Marketing narrative is clean.

Cons: Hard dependency on Pine Lawyers timing. Corrina waits 3 fortnights for usable surface. WS2 capacity stretched.

Effort: ~30 days across 3 fortnights.
Carla view: Acceptable if Pine Lawyers engagement letter is signed by Wed 24 Jun.
Option C · Defer to Phase 2

Hold the CRM build until Phase 2. Use a third-party CRM (HubSpot, Pipedrive) for WS6 partner activation in the interim.

Pros: WS2 capacity freed for Stripe Connect + observability + KPMG/EY.

Cons: flip 360 is not "the project management tool" — narrative collapses. Federated trust marketplace deferred. Marketing copy on /architecture mismatches reality.

Effort: 0 days now · ~40 days in Phase 2 (more expensive — context switch + migration from third-party CRM).
Carla view: Not recommended. Compromises Q3 thought-leadership standard.

 Recommendation to Steerco #2

Option A (Owner-private first, federate later) · with Pine Lawyers engagement initiated this week so the federated layer can ship in fortnight 2-3 without slip.

This is the same-breed-as-IPO-comps play: ship the foundation now, prove tenant isolation under real load, layer the federated trust fabric on a hardened base. Airbnb shipped accommodation listings before they shipped Experiences. Afterpay shipped pay-in-four before they shipped business-tier features. Same discipline.

Document control

Sign-off path

  1. Mon 22 Jun — Carla publishes v1 of this document (today) · WS2-S003 in sprint
  2. Tue 23 Jun — Carla schedules consult sessions with Matt (commission/legal wiring) + Corrina (warm-up campaigns)
  3. Wed 24 Jun — Pine Lawyers engagement letter signed (dependency D-01)
  4. Thu 25 Jun — Matt and Corrina review the requirements register (§3) and confirm or amend
  5. Fri 26 Jun 17:00 AEST — Scoping document v1.0 locked. Acceptance card signed by Matt + Corrina + Carla. Posted to Steerco #2 papers.
  6. Mon 29 Jun — Steerco #2 approves sequencing option (A / B / C). Build sprint begins same day.
Author of record
Carla Oliver · WS2 Lead — Technology
End-to-end accountable: design → build → cutover → hypercare → growth → exit (per D110 Approved at Steerco #1)