# Hatchways Security and Procurement Packet

Answer the first enterprise review questions for adding HotTea to a Hatchways-style GitHub assessment pilot without overstating compliance maturity.

## Deployment Boundary

- App host: Fly.io app agentic-evidence
- VM host: Fly.io Machines app agentic-evidence-vms
- Candidate workspace: Provisioned developer VM with tokenized terminal access and recorder wrappers.
- Primary adapter: GitHub Actions workflow fallback at /github-action.yml.
- Optional adapter: GitHub App install UX is dormant until GITHUB_APP_INSTALL_URL is configured.

## Data Handled

- candidate identity: candidate name, candidate email, role. Purpose: assessment session routing and reviewer packet labeling.
- assessment content: instructions, repo URL, public/hidden test summaries. Purpose: task context and reviewer evidence.
- engineering evidence: terminal output, git snapshots, test output, diff metadata, Claude/Codex JSONL exports. Purpose: reviewer packet and audit trail.
- billing/account data: Stripe checkout state, organization name, admin email. Purpose: paid account activation and dashboard access.

## Controls

- Candidate URLs and reviewer reports use per-session tokens.
- Dashboard access uses HttpOnly cookies; API access uses bearer keys.
- Secrets are blocked/redacted from prompt input and evidence payloads with high-signal secret patterns.
- Candidate VMs receive scoped recorder/session tokens instead of the upstream Anthropic key.
- VM cleanup is exposed through authenticated /api/vm/teardown-expired and a launchd-backed cleanup caller.
- Public product, docs, packet, config, OpenAPI, and health routes do not depend on mutable persisted assessment state.
- State writes are temp-file plus atomic rename with recovery for recoverable concatenated JSON corruption.

## Reviewer Assurances

- No locked browser or screen recording is required for the Hatchways path.
- Hidden tests and Hatchways human review remain the decision system of record.
- HotTea provides supporting evidence, follow-up questions, and anomaly context; it is not an automated hiring decision.

## Current Limits

- No SOC 2, DPA, or enterprise security review has been completed yet.
- Real GitHub App creation and GITHUB_APP_INSTALL_URL deployment config remain account-level blockers.
- The verified v1 integration path is GitHub Actions plus tokenized report links.
- Retention, deletion SLA, SSO, and customer-managed encryption would need to be agreed before an enterprise rollout.

## Pilot Question

Is the GitHub Actions fallback plus tokenized packet enough for a limited technical pilot, or must a real GitHub App and formal procurement review exist first?

## Proof URLs

- Security JSON: https://hottea.ai/hatchways/security.json
- Buyer packet: https://hottea.ai/hatchways/packet.md
- Integration guide: https://hottea.ai/hatchways/integration.md
- Reviewer calibration: https://hottea.ai/hatchways/calibration.md
- Sample reviewer packet: https://hottea.ai/sample-report
- API config: https://hottea.ai/api/config