Decision (2026-05-02): Stay on Mac-bundle delivery model through Adam's deployment + first 3-5 paying franchises. Reject pure-cloud SaaS pivot.
Why:
- Pure cloud kills chrome_bridge → BV/Track/EagleWeb/SmartLead UI scrape paths. Those don't have public APIs at the price points we can pay. ~40% of system value lives in those paths.
- Pure cloud flips PII liability from "tenant's Mac, tenant's problem" to "our servers, our problem" — SOC 2 Type 2 + DPAs + per-tenant encryption + GDPR/CCPA workflow = 6-12 months of compliance work + ongoing cost.
- Anthropic API costs become the operator's burden to mark up + meter rather than each tenant paying their own.
- Build time (~9-12 months for v1) burns runway before first revenue.
How to apply:
- All near-term productization work assumes Mac-bundle delivery (install.sh + package-snapshots + per-tenant launchd + chrome_bridge).
- Cloud control plane + local edge agent ("Salesforce + a desktop assistant" model) is the v2 architecture — invest in it after customer 3-5, not before.
- Pure SaaS is the destination at customer 50+ or first enterprise prospect requiring SOC 2 Type 2, not customer 1.
Tier 1 punch list before Adam's first paying-client deployment (ALL DONE 2026-05-03):
1. ✅ End-to-end install proof on a fresh user account — DONE 2026-05-02 PM via HOME-override sandbox. 6 install-time bugs surfaced + patched.
2. ✅ Remote support / fleet observability — DONE 2026-05-03. Per-tenant fleet_status_push.py (already wired into nightly-consolidation Step 12) POSTs metrics to a central CF KV. Admin dashboard via fleet_dashboard_builder.py. Setup procedure documented in FLEET_OBSERVABILITY_SETUP.md. No PII transits — counts/statuses/timestamps only.
3. ✅ Rollback procedure — DONE 2026-05-03. package-sync.sh now archives current snapshots into previous-snapshots/<version>_<timestamp>.tar.gz before every sync. Last 3 archives retained (older auto-pruned). One-command bash rollback.sh (interactive) or bash rollback.sh <archive-name> (specific) restores. rollback.sh --list shows available archives. Pre-rollback state itself archived so rollback is reversible.
4. ✅ Operator runbook — DONE 2026-05-03. OPERATOR_RUNBOOK.md covers Day 1 / Week 1 / Steady state, daily/weekly cadence, common operations, failure recovery, what's automatic vs manual. Sized for a non-technical franchise operator.
5. ✅ Versioning in _MANIFEST.json — DONE 2026-05-03. VERSION file at bundle root (0.1.0). package-sync.sh reads VERSION, writes into manifest as top-level version field. install.sh writes <RUNTIME_ROOT>/VERSION + .install_history log on each tenant install. First debugging question — "what version are you on?" — now answered by cat ~/Library/Application\ Support/<NS>/VERSION.
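Added example (not the project's fleet_status_push.py): one way to enforce item 2's "counts/statuses/timestamps only" rule as a fail-closed check run on the payload before it is POSTed, so a free-form string such as an error message cannot carry PII off the tenant's Mac. The metric names, the status vocabulary and the flat-dict payload shape are assumptions.

```python
"""Fail-closed guard for a fleet-status payload: counts, statuses, timestamps only."""
import re

# Assumed status vocabulary; GREEN/YELLOW/RED mirror verify.sh output, the rest are hypothetical.
ALLOWED_STATUSES = {"GREEN", "YELLOW", "RED", "PASS", "FAIL"}
# UTC ISO 8601 timestamps only, e.g. 2026-05-03T14:22:00Z
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")
# Bundle version as written to the VERSION file, e.g. 0.1.0
VERSION_RE = re.compile(r"\d+\.\d+\.\d+")
# Metric names are fixed identifiers, never data-derived strings.
KEY_RE = re.compile(r"[a-z][a-z0-9_]{0,47}")


def _check_value(key, value):
    """Return True only for a count, a known status, a UTC timestamp, or the version."""
    if isinstance(value, bool):
        return False  # bool is an int subclass; it is not a count
    if isinstance(value, int):
        return value >= 0
    if isinstance(value, str):
        if key == "version":
            return VERSION_RE.fullmatch(value) is not None
        return value in ALLOWED_STATUSES or TIMESTAMP_RE.fullmatch(value) is not None
    return False  # floats, lists, nested dicts, None: all rejected


def validate_fleet_payload(payload):
    """Raise ValueError on anything that is not a flat dict of allowed metrics."""
    if not isinstance(payload, dict):
        raise ValueError("payload must be a flat dict")
    for key, value in payload.items():
        if not isinstance(key, str) or KEY_RE.fullmatch(key) is None:
            raise ValueError(f"rejected key: {key!r}")
        if not _check_value(key, value):
            raise ValueError(f"rejected value for {key!r}")  # never echo the value itself
    return payload


# Constructed sample payloads (not real tenant data).
GOOD = {"version": "0.1.0", "verify_green": 28, "verify_yellow": 2, "verify_red": 0,
        "install_status": "PASS", "last_sync": "2026-05-03T14:22:00Z"}
LEAKY = dict(GOOD, last_error="lookup failed for jane@example.com")

if __name__ == "__main__":
    validate_fleet_payload(GOOD)
    try:
        validate_fleet_payload(LEAKY)
    except ValueError as exc:
        print("blocked:", exc)
```

The error message names the offending key but not its value, so a rejected payload does not leak through local logs either.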
Final Tier-1-complete dry-run results (2026-05-03 14:22Z):
- install.sh rc=0 PASS
- verify.sh rc=0 — 28 GREEN, 2 YELLOW (.env missing + heartbeat partial — both fresh-install-expected), 0 RED
- gate_proof.sh rc=0 — 38 PASSED / 0 FAILED
- Tenant version 0.1.0 stamped at <RUNTIME_ROOT>/VERSION
- Install history logged at <RUNTIME_ROOT>/.install_history
Tier 2 (within first 90 days of first paying client):
- Schema migration framework (forward-migrate JSONL shapes, not just drop-invalid)
- Per-tenant API cost cap + alert
- DPA paperwork with Anthropic, Cloudflare, HubSpot, SmartLead, BeenVerified, Track
- EULA / Acceptable Use / liability terms
- Independent pen-test (~$5-15K)
- DR drill on a real replacement Mac (currently RTO 24h is paper-only)
Tier 3 (product maturity):
- Staging tenant — Mac mini M4 base ($599) once first paying client signs. Becomes 24h-ahead canary for snapshot pushes + DR replacement target.
- Right-to-delete workflow for homeowner PII (CO consumer privacy law)
- Self-service install (vs Joseph manually installing each tenant)
Hardware plan:
- Now → Adam: Joseph's existing Mac (parent tenant + skyrun-test user for dry-run)
- First paying client: $599 Mac mini becomes permanent staging tenant + DR backup
- Customer 5+: re-evaluate hybrid control-plane build