The single-page "what am I signing off on" view.
Companion to full-stack-with-embergraph.{md,html} and
embergraph-external-review-synthesis-2026-06-23.md.
Prepared 2026-06-24 for CEO go/no-go on the MVP build before Warm Lead Beta launch.
If you sign off, you authorize ~5-6 weeks of focused engineering at ~$50-100/mo recurring infra cost to converge the 3-engine access architecture into one decision substrate, close every honest gap from slides 3 and 7, and ship a production-ready foundation before the Warm Lead Beta (~July 1).
These are the load-bearing design decisions. If you green-light the MVP, you sign these.
| # | Commitment | What it means | Reversibility |
|---|---|---|---|
| 1 | Single decision authority (matrix as PDP) | Every viewer-gated read consults decideAccess(). No new code outside lib/access/ makes access decisions. | Hard to reverse — patent track + CI invariants enforce |
| 2 | Per-domain enforcement paths (PEPs) | Role records get decideRoleVisibility. Records get shapeRecord. Future RAG gets shapeRagContext. Shared kernel, separate shapers. | Reversible per-domain (can collapse if needed) |
| 3 | Three orthogonal axes — governance ⊥ facets ⊥ provenance | Classification, retrieval tags, and origin live on separate axes. Day 1 commitment. | Hard — schema-level decision |
| 4 | Audit split — decision record sync, chain spine async | Decision records co-transactional with projection (trust property). Chain spine async + external anchoring. | Reversible — can fall back to all-sync if anchoring fails |
| 5 | EMB-296 upstream of everything | Dev/prod separation ships FIRST. Building on shared substrate is reckless. | Trivially reversible (you can stop after Phase 0) |
5/5 external reviewers converged on each of these. Highest-confidence panel findings.
Go/no-go per phase. You can stop at any phase boundary.
| Phase | Deliverable | Effort | Cost | Go / No-go / Defer |
|---|---|---|---|---|
| 0 | EMB-296 dev/prod separation | ~14-15 hrs (4-5 days) | +$25-50/mo recurring | ⬜ Go ⬜ No-go ⬜ Defer |
| 1a | AI redaction layer (closes slide-7 gap) | 1-2 days | $0 | ⬜ Go ⬜ No-go ⬜ Defer |
| 1b | 21 RLS table closures | ~1 week | $0 | ⬜ Go ⬜ No-go ⬜ Defer |
| 2 | EMB-420 minimum role-creation UI | ~1 week | $0 | ⬜ Go ⬜ No-go ⬜ Defer |
| 3 | Domino #2 Strategy C — chokepoint convergence | ~2-3 weeks | $0 | ⬜ Go ⬜ No-go ⬜ Defer |
| 4 | Observability (Sentry + logger + cron alerting) | ~1 week | ~$26/mo (Sentry team) | ⬜ Go ⬜ No-go ⬜ Defer |
Recommended: Go on all six. Each phase has a clean stopping point if priorities shift.
Minimum viable if you must trim: Phase 0 + 1a + 1b are non-negotiable for alpha readiness. Phases 2-4 can be reordered, never skipped.
Real money goes here. None over $100/mo, none over a year.
| Decision | Options | Recommendation | Monthly cost |
|---|---|---|---|
| Staging Supabase tier | Free / Pro | Pro (required for staging) | $25 |
| Dev Supabase tier | Free / Pro | Free (upgrade only if workload exceeds) | $0 |
| Error tracking | Sentry / Datadog / LogFlare / none | Sentry (Team plan) | ~$26 |
| Cron monitoring | Cronitor / self-rolled Slack alerts | Self-rolled (Slack already wired) | $0 |
| APM / tracing | Vercel observability / Honeycomb / OTel exporter | Vercel observability (already paid for) | $0 |
| Structured logger | pino / consola / custom | pino (industry standard, low overhead) | $0 |
| External audit anchoring | Defer to Phase 7 | Defer — current hash chain sufficient pre-revenue | $0 |
Total recurring delta: $50-100/mo. No annual commitments. All vendors swappable.
| Decision | Trigger | Recommendation |
|---|---|---|
| Joel Sherwin patent note | Draft exists at docs/qa/joel-note-draft-2026-06-23.md | Send before Phase 3 starts — heads-up + invitation, no patent commitment |
| Mark Phillips medical-classification review | Required before Domino #3 build (post-MVP) | Schedule for Q3 (not blocking MVP) |
| Eric Gold (personal) legal review | Required for legal_authoritative field decisions (post-MVP) | Defer until Domino #3 design starts |
| Anne UX gates | EMB-420 role-creation UI | Required gate — Anne reviews mockup before Phase 2 PR opens |
| legal_authoritative reviewer for EK-the-company | Open role assignment | Decide before Phase 5 (post-MVP) — Ed extended scope? Joel? External? |
| External architecture review cadence | Quarterly | Decide at Phase 4 close — not blocking MVP |
These live inside the existing EMB-296 spec. Resolve before Phase 0 starts (~30 min of decision time).
| Decision | Options | Recommendation |
|---|---|---|
| D1 — Dev tier | Free / Pro | Free |
| D2 — Resend separation | Separate accounts / single account with domain keys / send-but-suppress code check | Send-but-suppress |
| D3 — Stripe test webhook | Shared / per-env | Shared test webhook |
| D4 — migration_apply_log schema | Minimal / rich | Rich (commit_sha + error_message) |
| D5 — Force-flag rate limit | 1×/week / 1×/month / unlimited | 1×/week |
| D6 — Role enum cleanup | Now (EMB-296) / separately (EMB-343) | EMB-343 (don't entangle) |
| D7 — Mystery ember env var | Investigate / delete | Investigate — ~10 min check |
These items are NAMED but DEFERRED. Each ships only when a real customer signal forces it.
| Deferred item | Trigger that will force it |
|---|---|
| Domino #3 — per-field vault_sections classification | First customer who asks "why does my attorney see HIPAA notes" |
| Lifecycle expansion (capacity-as-claim model) | First contested incapacity case |
| Owner Intent Ledger moved inside matrix | OIL builds in production, then refactored |
| Sub-filter binding/evaluation engine | 8+ sub-filters in catalog |
| Audit chain external anchoring (transparency log) | Pen test finding OR pre-SOC-2 audit prep |
| State-transition authorization full model | First medical emergency surface |
| Break-glass / emergency override design | Same trigger as above |
| Multi-region replication | EU customer signs OR uptime upgrade past 99.9% |
| Jurisdiction modeling (4th matrix axis) | International customer OR multi-state conflict |
| Right-to-erasure ↔︎ immutable audit resolution | GDPR/CCPA request OR pen test finding |
| Crypto boundary (E2E future) | EK 4.0 product decision |
You can build any of these later without rework. The MVP design accommodates each as a clean addition, not a rewrite.
| Resource | Commitment |
|---|---|
| Engineering time | ~5-6 weeks of focused build |
| Monthly recurring cost | +$50-100 over current spend |
| Annual contracts | None |
| Vendor lock-in | None |
| Architectural decisions locked | 5 (Decision 1) — patent-track substrate |
| Honest gaps closed | Slide-3 (RLS coverage) + slide-7 (AI gating) |
| What ships | Pre-Warm-Lead-Beta production foundation: dev/prod separation, AI redaction, RLS closure, role-creation UI, matrix chokepoint convergence, observability |
| What I'm NOT building yet | 11 items in the "deferred" section above. Each waits for a real customer signal. |
☐ I authorize the MVP build per Decision 2 (all 6 phases, ~5-6 weeks)
☐ I commit to the 5 architectural decisions in Decision 1
☐ I approve the vendor + cost decisions in Decision 3 (~$50-100/mo)
☐ I will send the Joel patent note before Phase 3 starts (Decision 4)
☐ I will resolve EMB-296 D1-D7 before Phase 0 starts (Decision 5)
☐ I accept that the deferred items are NAMED but NOT in scope
Signed: ________________________ Date: __________
Each Friday: weekly check-in against this matrix. Anything off-track surfaces; you decide whether to adjust scope, timeline, or both.
Nothing breaks. The design docs remain canonical. The full-stack picture stays as the north star. The 3-engine drift continues; the slide-7 gap remains open; alpha launch waits.
You can come back to this matrix any time the alpha launch becomes a forcing function. The work is the same; the cost grows with member count (per CoWork pattern #3 — pre-launch is the cheapest moment).
Generated 2026-06-24 by Claude Code. Decision matrix for CEO commitment review. No commitments made until signed.