# Hatchways Procurement Gap Packet

Separate what is already enough for a limited technical proof from the procurement and account work that must exist before an enterprise Hatchways rollout.

Boundary: One synthetic or internal Hatchways-style repo assessment, GitHub Actions fallback only, tokenized reviewer packet, no customer candidate traffic, and no procurement approval claim.

## Ready For Limited Pilot

### Reviewer packet

- Evidence: Sample packet exposes hidden-test status, AI process quality, Claude JSONL exports, git/test evidence, VM events, anomaly context, and an ATS-ready reviewer note.
- Proof: https://hottea.ai/sample-report

### Repo adapter fallback

- Evidence: GitHub Actions workflow can POST repo, PR, SHA, diff, test output, and packaged session exports into the reviewer packet.
- Proof: https://hottea.ai/github-action.yml

### Candidate workspace

- Evidence: Provisioned VM flow includes assignment packet, recorder wrappers, Claude/Codex evidence capture, ae-finalize, and VM lifecycle cleanup proof.
- Proof: https://hottea.ai/vm/lifecycle.md

### Buyer proof discovery

- Evidence: OpenAPI, llms.txt, API config, proof index, and buyer packets expose the current route inventory and non-claims.
- Proof: https://hottea.ai/hatchways/index.md

## Blocked Before Enterprise Rollout

### GitHub App

- Current state: Optional install UX exists, but GITHUB_APP_INSTALL_URL must be treated as unconfigured unless /api/config reports configured=true.
- Required next step: Create the real GitHub App under a Foundry-owned account, deploy GITHUB_APP_INSTALL_URL, and live-smoke /github-app/install.
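The "live-smoke" step above is two checks: /api/config must report configured=true, and /github-app/install must answer with a redirect whose target is exactly the deployed GITHUB_APP_INSTALL_URL. The script below is an added example, not part of the Hatchways packet or the hottea.ai code; it assumes /api/config returns JSON with a top-level boolean `configured` (the page only says it "says configured=true") and that the install route answers a 3xx with a Location header. The placeholder install URL and the stand-in server in `fake_fetch` are constructed for an offline run.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# (status, headers, body); the fetch must NOT follow redirects, the redirect is what we check
Response = Tuple[int, Dict[str, str], bytes]
Fetch = Callable[[str], Response]

REDIRECT_CODES = {301, 302, 303, 307, 308}


def smoke_github_app_install(base_url: str, expected_install_url: str, fetch: Fetch) -> dict:
    """Return {'claimable': bool, 'findings': [...]}; claimable only when both checks pass.

    Assumed response shapes (not confirmed by the packet): /api/config returns JSON with a
    top-level boolean 'configured'; /github-app/install answers a 3xx with Location set.
    """
    findings = []
    base = base_url.rstrip("/")

    # Check 1: the server itself reports the install URL as configured.
    status, _, body = fetch(base + "/api/config")
    if status != 200:
        findings.append(f"/api/config returned {status}")
    else:
        try:
            cfg = json.loads(body)
        except ValueError:
            cfg = None
        if not isinstance(cfg, dict):
            cfg = {}
            findings.append("/api/config is not a JSON object")
        if cfg.get("configured") is not True:
            findings.append("/api/config does not report configured=true")

    # Check 2: /github-app/install redirects, and only to the install URL we deployed.
    status, headers, _ = fetch(base + "/github-app/install")
    location = next((v for k, v in headers.items() if k.lower() == "location"), None)
    if status not in REDIRECT_CODES:
        findings.append(f"/github-app/install returned {status}, not a redirect")
    elif not location:
        findings.append("redirect has no Location header")
    elif location != expected_install_url:
        findings.append(f"redirect target {location!r} != GITHUB_APP_INSTALL_URL")
    elif urlparse(location).scheme != "https" or urlparse(location).netloc != "github.com":
        findings.append("install URL is not an https://github.com URL")

    return {"claimable": not findings, "findings": findings}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 3xx as HTTPError instead of following it


def http_fetch(url: str) -> Response:
    """Real fetcher for a live smoke run against a deployed host; not used by the offline demo."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers), resp.read()
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read()


def fake_fetch(configured: bool, install_status: int, location: Optional[str]) -> Fetch:
    """Constructed stand-in server so the check can be exercised offline."""
    def fetch(url: str) -> Response:
        if url.endswith("/api/config"):
            return 200, {"Content-Type": "application/json"}, json.dumps({"configured": configured}).encode()
        headers = {"Location": location} if location else {}
        return install_status, headers, b""
    return fetch


# Placeholder for the deployed GITHUB_APP_INSTALL_URL value; the app slug is invented.
EXPECTED = "https://github.com/apps/example-app/installations/new"

if __name__ == "__main__":
    for name, fetch in [
        ("configured", fake_fetch(True, 302, EXPECTED)),
        ("unconfigured", fake_fetch(False, 200, None)),
    ]:
        print(name, smoke_github_app_install("https://example.invalid", EXPECTED, fetch))
```

For a live run, pass `http_fetch` and the real values, e.g. `smoke_github_app_install("https://hottea.ai", os.environ["GITHUB_APP_INSTALL_URL"], http_fetch)`, and treat anything other than `claimable: True` as grounds to keep the "no GitHub App support" non-claim in place.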

### Signed GitHub webhooks

- Current state: Verified ingestion path is GitHub Actions POST to /api/github/evidence.
- Required next step: Add app webhook secret storage, signature verification, installation mapping, and tests after app credentials exist.
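The verifier named in the next step does not exist yet on the page, so the following is an added example of what it would check, not code from the Hatchways packet or the hottea.ai ingestion path. It follows GitHub's documented scheme: the `X-Hub-Signature-256` header carries `sha256=` plus the hex HMAC-SHA256 of the raw request body under the webhook secret, and `X-GitHub-Delivery` is a per-delivery GUID. The secret, installation-to-tenant map, tenant name, and sample payload are constructed; in the real service the secret would come from the secret storage the step calls for, and the installation map from the stored app installations.

```python
import hashlib
import hmac
import json
from typing import Mapping, Optional


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Header value GitHub sends: 'sha256=' + hex(HMAC-SHA256(secret, raw body)).
    Used here only to construct test deliveries."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Reject a missing header or a legacy sha1 header outright; never fall back."""
    if not signature_header or not signature_header.startswith("sha256="):
        return False
    expected = sign_body(secret, raw_body)
    # constant-time compare on bytes so a non-ASCII header cannot raise instead of failing closed
    return hmac.compare_digest(expected.encode(), signature_header.encode())


def handle_delivery(headers: Mapping[str, str], raw_body: bytes, secret: bytes,
                    installation_map: Mapping[int, str], seen_deliveries: set) -> dict:
    """Authenticate, de-duplicate, then map the installation to a tenant. Header keys are
    assumed exact-case here; a real framework would normalise them."""
    # 1. Signature first, over the raw bytes, before any parsing of the body.
    if not verify_github_signature(secret, raw_body, headers.get("X-Hub-Signature-256")):
        return {"accepted": False, "reason": "bad-signature"}

    # 2. Replay guard on the delivery GUID; a valid signature does not make a resend fresh.
    delivery_id = headers.get("X-GitHub-Delivery")
    if not delivery_id or delivery_id in seen_deliveries:
        return {"accepted": False, "reason": "replay-or-missing-delivery-id"}

    # 3. Installation mapping: an authentic event from an installation we do not know
    #    must not be attributed to any tenant.
    try:
        event = json.loads(raw_body)
    except ValueError:
        return {"accepted": False, "reason": "bad-json"}
    installation_id = (event.get("installation") or {}).get("id")
    tenant = installation_map.get(installation_id)
    if tenant is None:
        return {"accepted": False, "reason": "unknown-installation"}

    seen_deliveries.add(delivery_id)
    return {"accepted": True, "tenant": tenant,
            "event": headers.get("X-GitHub-Event"), "delivery": delivery_id}


# Constructed fixtures for an offline run.
SECRET = b"constructed-example-webhook-secret"
INSTALLATIONS = {424242: "pilot-tenant"}
BODY = json.dumps({"action": "opened", "installation": {"id": 424242},
                   "pull_request": {"number": 1}}).encode()


def demo() -> list:
    seen = set()
    good = {"X-Hub-Signature-256": sign_body(SECRET, BODY),
            "X-GitHub-Delivery": "d-0001", "X-GitHub-Event": "pull_request"}
    results = [
        handle_delivery(good, BODY, SECRET, INSTALLATIONS, seen),             # accepted
        handle_delivery(good, BODY, SECRET, INSTALLATIONS, seen),             # replay
        handle_delivery(good, BODY + b" ", SECRET, INSTALLATIONS, set()),     # tampered body
        handle_delivery({**good, "X-Hub-Signature-256": "sha1=00"}, BODY,
                        SECRET, INSTALLATIONS, set()),                         # legacy header
    ]
    return results


if __name__ == "__main__":
    for r in demo():
        print(r)
```

The order matters: signature before JSON parsing keeps unauthenticated bodies out of the parser, and the delivery id is recorded only after the event is fully accepted so a transient mapping failure can be retried by GitHub's redelivery without being mistaken for a replay.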

### Security review

- Current state: Security packet names controls and limits, but SOC 2, DPA, SSO, vendor review, customer-managed encryption, and formal retention SLA are not complete.
- Required next step: Keep pilots synthetic/internal until a product owner decides the procurement path.

### Deletion and retention policy

- Current state: VM teardown exists; customer-level deletion and retention SLA are not claimed.
- Required next step: Define retention duration, deletion API, audit log export, and owner approval before any customer data is accepted.

### Partnership authority

- Current state: No official Hatchways partnership, endorsement, or customer rollout is claimed.
- Required next step: Use the packet as buyer-specific proof only until Hatchways explicitly approves a pilot or integration discussion.

## Buyer Questions

- Can Hatchways evaluate one synthetic/internal repo through the GitHub Actions fallback before a real GitHub App exists?
- Which procurement artifact is mandatory before even a technical pilot: DPA, SOC 2, SSO, retention SLA, vendor questionnaire, or none?
- Is the reviewer packet useful enough to justify account-level GitHub App work?
- Which data classes must be excluded from a first pilot: terminal logs, Claude JSONL exports, external transcript uploads, hidden-test summaries, or interview transcript placeholders?

## Stop Conditions

- Do not send production candidate/customer traffic through the pilot boundary.
- Do not claim GitHub App support until GITHUB_APP_INSTALL_URL is configured and /github-app/install redirects.
- Do not claim enterprise procurement readiness, SOC 2, DPA, SSO, or retention SLA coverage.
- Do not claim official Hatchways partnership or automated hiring decisions.

## Next Best Action

If the packet is useful, run one synthetic/internal repo pilot through GitHub Actions fallback; only then spend account work on the real GitHub App and procurement path.

## Not Claimed

- No official Hatchways partnership.
- No real GitHub App before GITHUB_APP_INSTALL_URL is configured.
- No signed GitHub App webhook ingestion before credentials and verifier exist.
- No enterprise procurement readiness.
- No SOC 2, DPA, SSO, retention SLA, or completed vendor security review.
- No production customer rollout.
- No perfect anti-cheat or outside-AI prevention.
- No automated hiring decision.

## Proof URLs

- Procurement gap JSON: https://hottea.ai/hatchways/procurement-gap.json
- Security packet: https://hottea.ai/hatchways/security.md
- Data retention packet: https://hottea.ai/hatchways/data-retention.md
- VM lifecycle proof: https://hottea.ai/vm/lifecycle.md
- GitHub App setup packet: https://hottea.ai/github-app/setup.md
- Proof index: https://hottea.ai/hatchways/index.md
