Pro Se Seat
Matter intake, uploaded records, missing-item checklist, packet readiness, settings, and connections remain visible.
Extracted facts and imported records remain review-required before becoming matter content.
Justice For All
Available workspaces
Three paid workspaces. One legal operations platform.
ProSe Legal Operations Platform is focused on the active paid seats first: Pro Se, Attorney, and Family Communications. Each workspace has a clear first action, review-safe assistance, and practical outputs.
Launch posture
Users see the workspace included with their seat. Institutional surfaces remain preserved, gated, and excluded from paid-seat navigation until they are intentionally activated.Pro Se Seat
Individual workspace
Turn records, dates, messages, and filings into a clear matter workspace with review-required outputs.
Attorney Seat
Professional matter workspace
Manage active matters from one legal operations workspace instead of disconnected notes, files, and reminders.
Family Communications Seat
Standalone seat or add-on
Reduce conflict before it escalates while preserving protective options only when sustained harmful patterns require them.
Institutional workspaces
Court and justice-system workspaces remain preserved for controlled institutional rollout. They are not part of the current paid-seat navigation.
/justice/judicial/clerk/judge/prosecutor/defender
Public conversion handoff
Choose a seat, keep the handoff, open the right workspace.
The public path keeps the active paid workspaces clear. A visitor chooses Pro Se, Attorney, or Family Communications, then account access carries that selected seat into the correct protected workspace with saved progress, settings, and connections visible.
Attorney Seat
Matters, clients, tasks, deadlines, evidence review, private work product, reports, settings, and connections remain visible.
Professional output separates private work product from client-safe and packet-ready material.
Family Communications Seat
Threads, participants, templates, drafts, reviewed digests, settings, and connections remain visible.
Communication coaching stays private by default and protective posture requires sustained-pattern review.
Public conversion handoff
Choose a seat, keep the handoff, open the right workspace.
The public path keeps the active paid workspaces clear. A visitor chooses Pro Se, Attorney, or Family Communications, then account access carries that selected seat into the correct protected workspace with saved progress, settings, and connections visible.
Pro Se Seat
Matter intake, uploaded records, missing-item checklist, packet readiness, settings, and connections remain visible.
Extracted facts and imported records remain review-required before becoming matter content.
Attorney Seat
Matters, clients, tasks, deadlines, evidence review, private work product, reports, settings, and connections remain visible.
Professional output separates private work product from client-safe and packet-ready material.
Family Communications Seat
Threads, participants, templates, drafts, reviewed digests, settings, and connections remain visible.
Communication coaching stays private by default and protective posture requires sustained-pattern review.
Billing and entitlement
Paid seats, trials, receipts, and plan changes stay tied to account access.
Pro Se, Attorney, and Family Communications seats are the active commercial workspaces. Subscription state controls workspace access, while deferred institutional portals remain preserved outside paid-seat navigation.
Checking billing state
Pro Se Individual
Provider-managed monthly plan
Trial posture: 14 day trial window when enabled by the payment provider.
Receipt label: Pro Se workspace subscription
Attorney Professional
Provider-managed professional plan
Trial posture: 14 day trial window when enabled by the payment provider.
Receipt label: Attorney workspace subscription
Family Communications
Standalone or add-on plan
Trial posture: 14 day trial window when enabled by the payment provider.
Receipt label: Family Communications subscription
Invoices and receipts
Receipts will appear after payment provider connection is completed.
Upgrade, downgrade, cancel
Plan changes start through the billing action endpoint and require provider confirmation before entitlements change.
Lockout behavior
Past-due or canceled subscriptions remove seat access until billing support or provider confirmation restores the entitlement.
Durable persistence and migration
Material records stay out of browser storage before paid launch.
Pro Se, Attorney/Firm, Family Communications, billing, e-filing, ingest, packets, and audit records are mapped to tenant-scoped durable persistence with migration boundaries, training-data separation, and backup/restore smoke proof.
Durable adapter required
Runtime posture
Mode: local-evaluation. Adapter: provider_pending_configuration. Pilot and production fail closed until the durable adapter keys are configured.
Migration boundary
Browser/local-file records can migrate only after tenant, owner, matter scope, checksums, and migration audit are present.
Backup/restore smoke
Backups restore into an isolated validation namespace and compare counts, checksums, tenant indexes, matter indexes, and audit continuity.
Pro Se matters
pro-se
Indexes: tenantId, ownerId, matterId, updatedAt
Pro Se evidence and timeline
pro-se
Indexes: tenantId, ownerId, matterId, sourceFileId, reviewStatus, eventDate
Pro Se documents, drafts, packets, and exports
pro-se
Indexes: tenantId, ownerId, matterId, packetId, exportedAt, documentStatus
Billing entitlements and subscription state
account
Indexes: tenantId, accountId, customerId, subscriptionId, seatId, status, updatedAt
Ingest quarantine and file security
Untrusted files stay quarantined until scanner, OCR, and review gates clear.
Upload is intake, scan is a controlled handoff, parser output is staged only, and canonical case, filing, evidence, deadline, packet, or export records are created only through reviewed promotion.
Ingest adapters required
Raw upload sessions
Signed upload intent records point file bytes to private quarantine storage before any parser handoff.
Safe file classification
Extension, MIME, signature, size, archive, executable, and encrypted-PDF posture produce scanner and manual-review states.
Scanner and OCR handoff
Scanner clearance is required before parser work; OCR starts only from sanitized artifacts and never writes official records.
Promotion-only writes
Parser, OCR, connector, and AI output stays in staged candidates until a person accepts, edits, or rejects it.
Storage
provider_pending_configuration
Scanner
provider_pending_configuration
OCR
provider_pending_configuration
Queue
provider_pending_configuration
Audit, logs, telemetry, and support packets
Operational records are structured, redacted, measurable, and support-ready.
Paid-seat launch support needs append-only audit events, safe operational logs, privacy-safe telemetry, and factual support packets that help recover account, billing, ingest, filing, and export issues without exposing legal text or secrets.
Append-only audit ledger
Material access, denial, upload, parse, promotion, filing, export, download, and support actions carry actor, resource, outcome, timestamp, and correlation posture.
Redacted logging
Safe error envelopes and logs redact tokens, cookies, signed URLs, OAuth values, API keys, service-account details, full legal text, and payment data.
Privacy-safe telemetry
Operational signals track denial rates, queue depth, parser failures, review latency, export failures, and support demand without storing document content.
Support packets
Support packets include factual timelines, audit references, telemetry snapshots, safe attachments, and next support actions with short-lived authorized downloads.
Material actions covered
access attemptaccess deniedaccount session verifiedbilling entitlement checkedbilling checkout startedbilling lockout applieddurable persistence status checkedraw upload session created
Production adapter posture
Observability, audit ledger, telemetry, and support-packet storage remain provider-pending until configured through institutional adapters. Production mode fails closed when any required adapter is missing.
End-to-end paid-seat browser flow and output QA
Paid seat paths stay testable from first click to reviewed output.
The launch browser matrix covers visitor selection, secure sign-in, seat-gated workspace entry, Pro Se intake-to-output flow, Attorney/Firm operations, Family Communications, support recovery, and court-safe packet review without exposing deferred institutional navigation.
Browser E2E path
Visitor, login, account, Pro Se, Firm, and FCS routes are organized into paid-seat smoke steps with explicit assertions and no dead-end controls.
Output render review
Case summaries, filing packets, court-day packets, FCS digests, and firm reports require brand, status labels, manifests, hashes, and audit events.
Seat-safe navigation
Active paid seats exclude deferred Judicial, /justice, clerk, judge, prosecutor, and defender links from buyer and account flows.
Human review preserved
Filing, parser, AI, packet, digest, and export actions remain review-led; browser QA does not certify silent mutation paths.
Paid-seat browser flows
Pro Se visitor to workspace
pro-se
/pricing/start/account/pro-se/intake/pro-se/dashboard
Pro Se paid-value path
pro-se
/pro-se/intake/pro-se/uploads/pro-se/evidence/pro-se/timeline/pro-se/filing
Attorney and firm workspace path
attorney
/firm/firm/matters/firm/clients/firm/tasks/firm/queues
Family Communications paid path
family-communications
/family-communications/pro-se/family-communications/pro-se/family-communications/settings
Output QA surfaces
Case summary PDF
packet exported
Filing packet
filing staged after human review
Court-day packet
packet downloaded
Family Communications digest
fcs digest exported
Pro Se parent workflow depth
Parent records stay structured, proof-anchored, and court-neutral.
The Pro Se launch path now tracks parenting time, exchanges, support and expenses, school and medical records, order compliance, and agreements as reviewed records with source manifests before court-facing export.
Parent workflow records
Each record domain has required fields, issue tags, proof anchors, review state, and export outputs for court-day packets.
Court-neutral language
Outputs describe observed events and source support without unsupported conclusions, motive labels, or inflammatory language.
Private notes protected
Private preparation notes stay outside court packets unless the user deliberately converts a reviewed item into an exportable record.
Packet-ready manifests
Logs and summaries require source manifests, review labels, packet hash posture, and download audit coverage.
Parent workflow domains
Parenting-time tracker
parenting time event
ordercalendarmessagereceipt
Exchange log
exchange event
messagephotolocation notewitness note
Support and expense ledger
support expense record
receiptinvoicebank recordmessage
School and medical log
school medical event
school recordmedical recordemailportal message
Exportable proof records
Parenting-time log
source manifest and review status required
Exchange log
source manifest and review status required
Support and expense ledger
source manifest and review status required
School and medical log
source manifest and review status required
Attorney/Firm paid seat operational coherence
Firm work stays matter-centered, review-gated, and client-safe.
The Attorney/Firm paid seat now ties matter setup, clients, tasks, queues, evidence and timeline review, drafts, time, billing prep, reports, and client-safe preview into one operational launch contract.
Matter setup
Matters require client, court, docket, owner, status, next deadline, conflict posture, billing rate, and client-safe preview posture before daily operations.
Review boards
Evidence, timeline, documents, drafts, filings, and MCP suggestions remain human-reviewed before packet, client, or matter use.
Time and billing prep
Attorney and staff time links to matters and work sources with review status; billing prep does not create invoices or draw trust funds automatically.
Client-safe preview
Client-visible outputs exclude privileged work product, carry status labels, include source manifests, and emit export audit events.
Firm daily operations
Matter setup
/firm/matters
create matterlink clientassign ownerset court and docket
Clients and parties
/firm/clients
client recordparty relationshipconflict postureclient-safe preview
Tasks and work items
/firm/tickets
ticket queuetask boardassignment ownerclosure code
Evidence and timeline review
/firm/evidence
evidence reviewtimeline reviewdocument reviewdraft review
Review and output gates
evidence review
human review required
Needs review -> Approved for packet or Returned for correction
timeline review
human review required
Suggested -> Court-safe -> Packet-ready
document review
human review required
Draft -> Needs review -> Client-safe or Court-facing
draft review
human review required
Draft -> Attorney review -> Export-ready
FCS paid seat operational completion
Private communications stay coaching-first, consent-aware, and threshold-reviewed.
The Family Communications paid seat now ties private thread lanes, participants, Before You Send coaching, protective thresholds, reviewed digests, recovery controls, and safe escalation into one sellable seat contract.
Private Family Mode
Ordinary communication remains private by default. The product organizes messages for calmer parenting coordination rather than starting from an evidence-first posture.
Before You Send coaching
The composer keeps the sender in control while reviewing tone, clarity, child focus, and practical next steps before messages are saved or sent.
Consent and participants
Participant labels, relationship context, direct-message limits, child-reference rules, and digest scopes stay visible before communication is shared or summarized.
Protective threshold
Protective output is blocked until sustained harmful patterns and human review justify scoped safety review. One isolated message does not activate protective mode.
Private communication lanes
Parenting-time logistics
private-mode readyKeep exchange, pickup, drop-off, and schedule messages in one practical lane.
thread setupparticipant labelsmessage composerBefore You Send review
Expenses and reimbursements
private-mode readyTrack requested amounts, receipts, due dates, response posture, and follow-up without mixing money issues into every message.
receipt noteagreement trackerresponse statusdigest export
School and medical updates
private-mode readyShare child-centered care updates while separating care information from conflict language.
school updatemedical updateroutine check-inchild wellbeing note
Boundaries and safety
private-mode readyPreserve calm boundary language and route sustained harmful patterns into reviewed protective posture only when threshold rules are met.
boundary templatesignal historythreshold reviewprotective packet
Reviewed digest and escalation gates
Parent-safe communication digest
review requiredReady for reviewed export.
No raw private-message export in ordinary private mode
Issue summary
review requiredReady for reviewed export.
No raw private-message export in ordinary private mode
Reviewed pattern summary
threshold reviewSustained pattern threshold and human review are required before protective output.
No raw private-message export in ordinary private mode
ChatGPT/MCP production connector pass
Pro Se case context can connect to ChatGPT without silent writes.
The production connector contract keeps ChatGPT access Pro Se-only, uses the lowercase MCP endpoint, advertises owner-scoped read tools, queues all write-back as review items, records audit events, and gives a clear in-product bridge when direct ChatGPT app access is not available yet.
OAuth metadata ready
Protected-resource metadata, authorization-server metadata, dynamic client registration, authorization-code exchange, and PKCE posture are part of the connector route contract.
Account linking
The Pro Se popup card can start linking, confirm a pairing code, reconnect, disconnect, and clear local ChatGPT workspace state for shared-device safety.
Read tools are scoped
Cases, evidence, timeline, source files, issue summaries, and export options are owner-scoped and reviewed/source-backed before they are exposed to ChatGPT.
Write-back is review-only
ChatGPT can create draft notes, timeline suggestions, and evidence tag suggestions, but official matter records stay unchanged until a person reviews the item.
Connector route and tool coverage
/pro-se/connections
protected Pro Se workspaceVisible account linking card and connection management
/pro-se/mcp
protected Pro Se workspaceReview-safe MCP and ChatGPT action workspace
/mcp
authenticated MCP endpointLowercase public MCP endpoint for ChatGPT discovery and tool calls
/.well-known/oauth-protected-resource
public metadataProtected-resource metadata for ChatGPT connection discovery
/.well-known/oauth-authorization-server
public metadataAuthorization-server metadata for ChatGPT connection discovery
/oauth/authorize
authenticated account linkAuthorization-code start with PKCE and Pro Se-only scope
Plan-access fallback and review-safe actions
MCP endpoint ready
Direct ChatGPT app availability can depend on the user's ChatGPT plan or workspace settings. ProSe keeps reviewed context and draft-safe review actions available in-product while access is pending.
Fallback path: /pro-se/mcp
prose.list_cases
cases.read • owner-scoped case index
prose.get_case_context
cases.read • active matter context summary
prose.search_evidence
evidence.read • source-backed evidence rows
prose.search_timeline
timeline.read • source-backed timeline rows
prose.create_review_note_draft
Human review required • official record mutation false
prose.create_timeline_suggestion
Human review required • official record mutation false
prose.queue_evidence_tag_suggestion
Human review required • official record mutation false
Packets, PDFs, templates, and court-output QA
Court-facing outputs carry branding, status labels, manifests, and download audit.
The output QA pass render-reviews Pro Se packets, Attorney reports, Family Communications digests, hearing packets, and e-filing fallback packets for page breaks, signatures, status labels, court-neutral language, manifests, packet hash posture, and safe download audit.
Brand and court posture
Every output keeps the ProSe Legal Operations Platform / Justice For All lockup, generated timestamp, footer posture, and court-neutral language.
Status labels
Draft, reviewed, service/proof, payment, court-acceptance, client-safe, work-product, and protective-threshold labels stay visible before download.
Page breaks and signatures
Packet templates declare page-break review and signature or acknowledgement posture without implying automatic court filing.
Manifest and audit
Each export requires a source manifest, packet hash posture, short-lived authorized download, and structured audit action without raw legal text in logs.
Court-output render review surfaces
Pro Se case summary packet
pro-se · case-summary-packet
Reviewed records onlyNot proof of court acceptanceGenerated timestampPacket manifest
Audit action: prose.case_summary_packet_exported
Filing packet
pro-se · filing-packet
Review required before stagingPayment is not court acceptanceService/proof statusHuman review required
Audit action: prose.filing_packet_exported
Court-day packet
pro-se · court-day-packet
Court-day preparation packetHearing dateDeadline postureEvidence index
Audit action: prose.court_day_packet_exported
Attorney client-safe status report
attorney · client-safe-status-report
Client-safeWork product excludedReviewed recordsExport audit
Audit action: firm.client_safe_status_report_exported
Attorney hearing packet
attorney · attorney-hearing-packet
Attorney work productReview before filingSource indexPacket hash
Audit action: firm.hearing_packet_exported
Template QA requirements
Brand lock
requiredEvery output uses ProSe Legal Operations Platform / Justice For All branding and approved partner attribution where appropriate.
Status labels
requiredEvery packet shows draft, review, service/proof, payment, acceptance, and protective-threshold status where the output touches those lanes.
Page breaks
requiredLong evidence, timeline, digest, and attachment sections are rendered with controlled page breaks and no clipped rows.
Signature blocks
requiredFiling, service, client delivery, and support packets show signature/acknowledgement posture without implying automatic court filing.
Manifest and hash
requiredExports include a manifest, packet hash posture, source count, generated timestamp, and audit event name.
Download audit
requiredEvery download/export emits a structured audit action and uses short-lived authorized delivery where applicable.
Mobile, accessibility, and performance hardening
Paid-seat paths stay usable on phones, tablets, keyboards, screen readers, and normal network latency.
The launch hardening matrix covers phone, tablet, and desktop viewports; keyboard flow; screen-reader labels; table overflow; loading and error states; Core Web Vitals budgets; and route bundle-size review without exposing deferred institutional surfaces in active paid-seat navigation.
Responsive viewports
4 device profiles
Phone, large phone, tablet, and desktop coverage are mapped.
Paid routes
27 routes
Public conversion, Pro Se, Firm, FCS, and account readiness routes are in scope.
Accessibility checks
6 checks
Keyboard, screen-reader, touch, overflow, and loading/error states are required.
Performance budgets
4 vitals
LCP, INP, CLS, and TTFB budgets are recorded before public launch.
Device and viewport matrix
Phone / narrow viewport
360 × 800
primary paid paths keep actions reachable without horizontal scrolling
Large phone
430 × 932
mobile-first intake and paid-seat onboarding remain readable at modern phone widths
Tablet portrait
768 × 1024
rails collapse or stack cleanly before dense tables clip controls
Launch accessibility and performance gates
Phone/tablet/desktop coverage
ready4 device viewports mapped across 5 paid-seat route groups.
Keyboard flow
readyKeyboard path and visible-focus review are required for paid-seat workflows.
Screen-reader labels
readyScreen-reader labels and non-color status text are required.
Table overflow
readyDense attorney, evidence, filing, billing, and support tables require overflow-safe responsive treatment.
Loading and error states
readySlow network, provider, parser, billing, support, and export failures require safe next steps.
Core Web Vitals
readyLCP, INP, CLS, and TTFB budgets are recorded for active paid-seat paths.
Paid-seat responsive route coverage
Visitor to paid seat
public · 4 routes · 4 viewports
//pricing/start/account
Pro Se case command
pro-se · 7 routes · 4 viewports
/pro-se/intake/pro-se/uploads/pro-se/evidence/pro-se/timeline/pro-se/filing
Attorney/Firm operations
attorney-firm · 6 routes · 3 viewports
/firm/dashboard/firm/matters/firm/tasks/firm/reports/firm/time
Family Communications
family-communications · 2 routes · 4 viewports
/pro-se/family-communications/pro-se/family-communications/settings
Security, privacy, and compliance final gate
Paid-seat launch stays blocked until abuse cases, privacy lifecycle, terms, retention, legal hold, and penetration-test prep are reviewed.
The final gate threat-models public conversion, Pro Se matters, Attorney/Firm work product, Family Communications, e-filing/ingest, exports, and ChatGPT/MCP connection paths while preserving human review for AI, parser, filing, and court-output actions.
Paid path families
6
Threat-modeled before public launch.
Abuse cases
8
Credential, entitlement, matter, upload, billing, FCS, MCP, and support abuse reviewed.
Privacy controls
8
Policy, consent, export/delete, retention, legal hold, family safety, and audit minimization.
Pen-test checks
29
Grouped prep for route/API, authz, ingest, AI/connector, privacy, billing, and support.
Paid-path threat model
Public conversion to account
4 risks · 4 controls
Public visitors see only active Pro Se, Attorney/Firm, and Family Communications seats; protected account readiness requires secure sign-in.
Pro Se private matter workspace
4 risks · 4 controls
Private matter access remains owner-scoped and parser/AI candidates stay staged until reviewed by a person.
Attorney/Firm work product
4 risks · 4 controls
Firm workspaces require tenant-safe matter access, client-safe output labels, and audit on material report/export activity.
Family Communications privacy
4 risks · 4 controls
FCS remains prevention-first and private by default; protective posture requires sustained harmful-pattern review.
Launch security gates
Threat-model paid paths
ready6 paid path families and 24 abuse risks are mapped before public launch.
Abuse-case review
ready8 abuse cases cover credential, entitlement, matter/export, upload, billing, FCS, MCP, and support risks.
Privacy compliance controls
ready8 privacy controls cover policy copy, consent, export/delete, retention, legal hold, family safety, and audit minimization.
Data export/delete/retention/legal hold
ready6 data lifecycle workflows distinguish export, delete, retention, and legal hold dispositions.
Penetration-test prep
ready29 penetration-test preparation checks are grouped across route/API, authz, ingest, connector/AI, privacy, billing, and support.
No-regression guardrails
readyPrior pass locks remain explicit for auth, billing, persistence, ingest, audit, output QA, FCS, MCP, packet, mobile, and human-review behavior.
Abuse cases
Credential stuffing and session replay
Strong session check, rotation, secure cookie posture, and denied-access audit events.
Cross-seat entitlement bypass
Seat claim enforcement, lockout behavior, upgrade prompt boundary, and no deferred institutional navigation.
Matter and export enumeration
Object-level authorization, short-lived download path, packet hash manifest, no-store response, and audit.
Malicious upload and parser abuse
Quarantine, scanner/OCR handoff, parser sandbox, staging-only output, and human promotion gate.
Privacy and policy controls
Terms and policy copy
Paid-seat terms, privacy, AI-assist, filing, FCS, billing, and support language must be product-quality and court-neutral.
Privacy notice and consent
Users understand what is stored, what is private, what can be exported, and how connectors/FCS communications are handled.
Data export workflow
Users can request or create scoped exports of account, matter, packet, support, and audit-adjacent records without raw quarantine leakage.
Data delete workflow
Deletion requests are routed through entitlement, matter ownership, legal hold, retention, and audit-preservation checks.
Data lifecycle requests
Account data export
exportprepare export manifest and notify user when authorized package is ready
Matter and packet export
exportauthorized packet export with reviewed status labels and audit event
Connector disconnect and delete
deletedisconnect live access, retain required audit metadata, and mark staged suggestions closed or preserved
Family Communications purge review
deletereview privacy, safety, and hold posture before any purge or export action
Final paid-seat launch release candidate
Well-Oiled Seat-Launch proof is locked for owner go-live review.
The final release-candidate gate preserves all completed seat-launch controls, adds support/admin/customer-success operations, records go-live decision points, and keeps production configuration plus launch-owner approval as the controlling release step.
Go-live locks
8
Prior pass contracts preserved through final release-candidate proof.
Support ops
7
Support, admin, customer-success, recovery, billing, connector, and filing workflows covered.
Go-live decisions
6
Scope, blockers, configuration, human review, data operations, rollback, and support decisions recorded.
Proof commands
8
Final RC proof path includes launch, MRR, e-filing, support, and build gates.
Go-live locks
Cold build and runtime proof
release owner
Fresh extraction must install, build, start, and answer health without hidden bypasses or unexpected route-config warnings.
npm run verify:launch:build-proof
Paid seat entitlement and billing
account operations
Pro Se, Attorney/Firm, and Family Communications seats require active entitlement, trial, or documented support state before workspace access.
npm run verify:launch:billing-entitlements
Durable persistence and audit readiness
platform operations
Material records must use durable adapters in pilot/production, with audit, support packet, backup, restore, retention, and legal-hold posture preserved.
npm run verify:launch:durable-persistence && npm run verify:launch:observability-support
Ingest quarantine and e-filing transaction safety
filing operations
Raw files enter quarantine, parser output stays staged, human promotion is required, filing retries are idempotent, and no court action is automated outside approved provider boundaries.
npm run verify:launch:ingest-quarantine && npm run verify:efiling:security-all
Final launch gates
All prior seat-launch passes locked
locked8 go-live locks preserve Passes 255 through 267 plus support/admin/customer-success operations.
Support/admin/customer-success operations
locked7 support operations cover queue intake, diagnostics, recovery, billing, connector, filing, and knowledge-base posture without private-data leakage.
Go-live decision register
locked6 decisions define scope, blockers, configuration, human review, customer data operations, rollback, and support readiness.
Release-candidate proof commands
lockedFinal proof path includes seat-launch pass 18, launch all, MRR support operations, e-filing security, and build commands.
Paid-seat scope preserved
lockedActive launch scope remains Pro Se, Attorney/Firm, and Family Communications; deferred institutional surfaces stay preserved and gated.
Support, admin, and customer-success operations
Support queue intake
support operations
Receive paid-seat support issues with seat, account, matter, billing, connector, export, filing, and urgency classification.
No full legal text, raw messages, tokens, cookies, signed URLs, or payment data are stored in the support ticket body.
Impersonation-safe diagnostics
admin and support operations
Show account, plan, route, adapter, export, packet, connector, and ingestion posture without opening private matter content as the user.
Support reads metadata and redacted support packets only; private case content requires customer-controlled export or explicit escalated authorization policy.
Account recovery workflow
account operations
Recover access, rotate sessions, handle lost SSO, and resolve locked accounts without bypassing entitlement or private-data boundaries.
Recovery never grants cross-seat access and never exposes protected data before identity and entitlement are confirmed.
Refund and cancellation workflow
billing operations
Handle plan cancellation, failed payment, refund request, invoice issue, downgrade, and trial conversion with entitlement reconciliation.
Payment events are separated from legal records; refund or cancellation does not delete legal data without a separate retention and export workflow.
Go-live decision register
Launch scope
owner reviewPublic paid-seat launch remains limited to Pro Se, Attorney/Firm, and Family Communications.
Disposition: deferred institutional surfaces preserved and hidden from active paid-seat navigation
Launch blockers
owner reviewCritical and high-risk blockers must be closed or explicitly accepted by the launch owner with a mitigation and support procedure.
Disposition: no unresolved critical/high risks in the launch risk register
Production configuration
owner reviewProduction launch requires approved auth, billing, persistence, audit, storage, queue, ingest, email, connector, and provider configuration.
Disposition: provider-pending surfaces are labeled and cannot imply live production integration
Connections, imports, uploads, and recovery permanence
Pro Se Seat intake controls
Upload a folder, photos, PDFs, messages, and records without merging anything until review is complete.
Connector status
0/7
accounts linked
Staged records
3
Review before merge
Pending review
3
requires user action
Promotions
0
candidate records only
Recovery
Ready
interrupted work is recoverable
Import destination controls
Choose where newly received records should wait for review.
Current destination: Evidence review queue
Downloadable settings export
Export preferences, recovery posture, account-link labels, promotion history, and staged-record labels without exposing connector tokens.
Last saved: Not changed in this session
Visible folder upload
Choose a whole folder and keep it staged for review before anything becomes workspace data.
No folder selected yet
Connector status cards
Connection state stays visible in settings, recovery, and account-linked import records.
Gmail
Email
Email records stay staged until reviewed.
Account: No account linked
Last linked: Not linked yet
Destination: Communications review queue
Records stay staged until reviewed.Account-linked imports permanent
Google Drive
Cloud files
Drive records can be organized by matter before promotion.
Account: No account linked
Last linked: Not linked yet
Destination: Document review queue
Records stay staged until reviewed.Account-linked imports permanent
Calendar
Dates
Calendar dates remain suggested until confirmed.
Account: No account linked
Last linked: Not linked yet
Destination: Timeline review queue
Records stay staged until reviewed.Account-linked imports permanent
OneDrive
Cloud files
Microsoft files stay in a reviewed import lane.
Account: No account linked
Last linked: Not linked yet
Destination: Document review queue
Records stay staged until reviewed.Account-linked imports permanent
Outlook
Email
Outlook messages are staged before matter use.
Account: No account linked
Last linked: Not linked yet
Destination: Communications review queue
Records stay staged until reviewed.Account-linked imports permanent
Dropbox
Cloud files
Dropbox records can be reviewed before packet use.
Account: No account linked
Last linked: Not linked yet
Destination: Evidence review queue
Records stay staged until reviewed.Account-linked imports permanent
Box
Cloud files
Box records stay staged and scoped to the selected workspace.
Account: No account linked
Last linked: Not linked yet
Destination: Evidence review queue
Records stay staged until reviewed.Account-linked imports permanent
Import queue and staged records
Every imported record waits here until a person reviews it and explicitly creates a candidate record.
Folder upload intake
Device folder → Evidence review queue
Workspace import
Needs reviewStaged onlyRecoverableNot promoted
Connector import batch
Connected service → Evidence review queue
Workspace import
Needs reviewStaged onlyRecoverableNot promoted
Interrupted work recovery
Recovery panel → Evidence review queue
Workspace import
Needs reviewStaged onlyRecoverableNot promoted
Recovery panel
Recover interrupted work and keep staged records visible until they are deliberately handled.
Recovery panel ready
Promotion history
Reviewed imports can create candidate records only. They do not silently change official matter, packet, timeline, evidence, or communication records.
No reviewed promotions yet.
Permanence rules
Connector state remains visible across settings, connections, recovery, and account-linked import surfaces.
Staged imports stay recoverable until reviewed, promoted, or deliberately cleared by the user.
Reviewed promotions create candidate records only; official workspace mutation remains disabled.
Settings export includes provider state, import destination, recovery posture, and promotion history without exposing tokens.
Account-linked imports carry a provider, account label, destination, review state, restore state, and promotion state.
No silent import mergeNo hidden connection stateNo loss of staged recordsNo cross-user leakageNo sensitive token displayInactive connectors remain visible with safe setup statesReviewed promotions are candidate records only
Privacy, security, and public language
Privacy, security, language, and accessibility safeguards activeActive paid workspaces keep sensitive records scoped, downloads labeled, destructive actions confirmed, visible language production-ready, and core workflows readable on phone, tablet, and desktop.
Public copy safety
Public and paid-seat surfaces use production-ready language and avoid personal public examples.
ReadyPrivate boundaries
Private notes, privileged material, and ordinary family communication stay in the correct scope.
ProtectedSensitive-content handling
Tokens, signed links, provider secrets, and full legal text stay out of visible errors, logs, and support-ready records.
RedactedMobile and accessibility workflow
Core paid workflows remain usable on phone, tablet, and desktop with readable grouped controls.
ResponsiveRole and seat visibility
Active paid seats remain visible to their users while deferred institutional roles stay preserved and gated.
GatedExport guardrails
Downloads carry scope labels and review-state posture before sharing.
VisibleFCS privacy posture
Family Communications remains private by default with protective posture only after sustained-pattern review.
Private by defaultUnified verification and launch proof
Active seats, preserved surfaces, and release proof in one path
This owner-facing proof path confirms that Pro Se, Attorney, and Family Communications can be entered, used, exported from, and verified while deferred institutional surfaces remain preserved and gated.
Enter · use · export
Active paid-seat use proof
Pro Se
entered-used-exportedStart or resume a matter, review imported records, organize proof, track service and proof, and prepare a reviewed court packet.
/pro-se/intake/pro-se/uploads/pro-se/evidence
Attorney
entered-used-exportedOpen a matter, manage professional work, review evidence and timeline records, preserve privileged notes, and prepare client-safe or court-facing output.
/attorney/matters/attorney/documents/attorney/reports
Family Communications
entered-used-exportedCreate private threads, draft messages, use Before You Send review, preserve private mode, and prepare reviewed digests only when appropriate.
/pro-se/family-communications/pro-se/family-communications/settings/pro-se/family-communications/connections
Launch readiness
Launch readiness proof
Verification record for active paid seats, access paths, privacy posture, exports, and preserved institutional workspaces.
Active seat route matrix
Pro Se
OpenStart or resume a matter, upload records, review suggested details, organize proof, track service and proof, and produce court-ready outputs.
Case summary, evidence index, timeline report, hearing-prep packet, court-day packet, and service/proof summary.
/pro-se/dashboard/pro-se/uploads/pro-se/evidence/pro-se/timeline
Attorney
OpenOpen a matter, manage clients and tasks, track deadlines, review evidence and chronology, preserve private work product, and prepare client-safe or court-facing outputs.
Matter summary, evidence binder, issue timeline, discovery summary, hearing packet, and client-safe status report.
/attorney/matters/attorney/documents/attorney/timeline/attorney/reports
Family Communications
OpenCreate private family communication threads, draft structured messages, use Before You Send review, and produce reviewed digests only when appropriate.
Parent-safe communication digest, issue summary, pattern summary, and protective packet only after threshold and review controls permit it.
/pro-se/family-communications/pro-se/family-communications/settings/pro-se/family-communications/connections/pro-se/family-communications/recovery
Deployment readiness
Production deployment readiness
Release-control record for build proof, source context hygiene, runtime entry, environment checks, and post-deployment smoke review.
Platform owner access remains routed through the portal chooser before opening any workspace.
Production package checks
Release control gates
Source package hygiene
ReadyThe deployment package excludes generated archives, local dependency folders, prior build output, audit debris, and private environment files while preserving public assets, route mirrors, verifiers, and documentation required by release checks.
Clean source contextNo committed dependency folderNo private environment filesVerifier assets preserved
Build verification chain
ReadyThe build gate runs repository hygiene, export integrity, store contract, public language, login, auth entry, portal integrity, upload/settings/connections, public banner, Justice For All, public filing, and ChatGPT connector checks before production build.
Build gate before buildAuth verifierPublic route locksConnector guardrails
Runtime entry point
ReadyThe application package builds for the standalone runtime entry and starts through the packaged server with the assigned port.
Standalone outputPort-aware startPublic assets copiedStatic assets copied
Support operations
Support operations readiness
Owner-facing control record for onboarding support, access recovery, import recovery, output review, and release interruption handling.
Paid-seat operating controls
Support lanes
Access recovery
Owner: Account operations
Login opens secure access
Successful access opens the portal chooser
Sign-out clears the local workspace session
Owner access can open all portals
Use the portal chooser as the recovery point for users who reach the wrong workspace or return from a stale link.
Paid-seat onboarding
Owner: Seat operations
Pro Se opens to case command work
Attorney opens to professional matter operations
Family Communications opens to private threads
Settings and connections remain visible
Smoke the primary workspace and the settings/connections/recovery path before marking the account ready.
Import recovery
Owner: Connections operations
Connector status cards remain visible
Imported records stay staged
Destination can be changed before promotion
Interrupted work can be restored
Keep records staged until the user confirms destination, scope, and merge intent.
Final readiness
Final launch package readiness
Owner-facing record for the paid-seat release package, controlled configuration notes, responsive review, and final verification path.
Release contents
Package manifest
Source package
IncludedApplication source, public assets, route families, shared utilities, package manifest, lockfile, verifier scripts, and configuration examples remain in the release package.
Active paid seats
IncludedPro Se, Attorney, and Family Communications stay active for paid onboarding with settings, connections, recovery, reports, and export surfaces preserved.
Deferred institutional surfaces
PreservedJudicial Edition, Justice, Clerk, Judge, Prosecutor, Defender, and Law Court surfaces remain compatible and separated from active MRR navigation.
Configuration and review posture
Controlled launch notes
Environment values
Controlled configuration requiredProduction service URLs, allowed accounts, session secret, OAuth redirect values, and provider keys must be supplied through the deployment environment before release.
Deployment preflight verifies required values and reports optional provider configuration separately.
OAuth provider status
Provider configuration requiredGoogle and Microsoft entries remain safe when provider configuration is unavailable, and Google local-origin handling avoids invalid 0.0.0.0 redirects during local review.
Login and Google SSO origin verifiers protect the post-login portal chooser contract.
Connector imports
Review requiredImported material stays staged until a person confirms destination, scope, and merge intent before promotion into a matter.
Paid-seat connections and recovery verification protects staged import review and recovery controls.