ProSe Legal Operations Platform
Justice For All
Unified verification and launch proof

Active seats, preserved surfaces, and release proof in one path

This owner-facing proof path confirms that Pro Se, Attorney, and Family Communications can be entered, used, exported from, and verified while deferred institutional surfaces remain preserved and gated.

Unified proof path ready
Enter · use · export

Active paid-seat use proof

Pro Se
entered-used-exported

Start or resume a matter, review imported records, organize proof, track service and proof, and prepare a reviewed court packet.

/pro-se/intake/pro-se/uploads/pro-se/evidence/pro-se/timeline/pro-se/filings/pro-se/exports
  • case summary
  • evidence index
  • timeline report
  • hearing-prep packet
  • court-day packet
  • service/proof summary
Attorney
entered-used-exported

Open a matter, manage professional work, review evidence and timeline records, preserve privileged notes, and prepare client-safe or court-facing output.

/attorney/matters/attorney/documents/attorney/reports/attorney/connections/firm/matters/firm/reports
  • matter summary
  • evidence binder
  • issue timeline
  • discovery summary
  • hearing packet
  • client-safe status report
Family Communications
entered-used-exported

Create private threads, draft messages, use Before You Send review, preserve private mode, and prepare reviewed digests only when appropriate.

/pro-se/family-communications/pro-se/family-communications/settings/pro-se/family-communications/connections/pro-se/family-communications/recovery
  • communication digest
  • issue summary
  • pattern summary
  • protective packet after threshold and review
Gated and inactive in paid navigation

Deferred surface preservation

Judicial Edition
Not in paid navigation

preserved, gated, and compile-safe

/judicial/clerk/judge/prosecutor/defender
Justice workspace
Not in paid navigation

preserved and outside active paid-seat navigation

/justice/justice-for-all
Institutional APIs
Not in paid navigation

protected by route and API verification

/api/judicial/*/api/e-filing/*/api/ingest/*
Review-gated filing posture

E-filing and ingest proof

Public filing lane

Public e-filing routes keep upload-first intake, editable review, staging controls, status tracking, and no direct court submission from app automation.

npm run verify:e-file:all
Ingest boundary

Parser output remains staged until human promotion and the ordinary app API cannot directly treat parser candidates as canonical facts.

npm run verify:efiling:security-all
Transaction safety

Filing envelopes, attempts, payment separation, export guards, audit, defect repair, relation-back support, fallback support, and plain-language posture are included in the proof chain.

npm run verify:runtime-to-revenue:all
No leakage or unfinished language

Public copy, privacy, export, and accessibility proof

Public copy

Active public conversion paths focus on Pro Se, Attorney, and Family Communications without promoting deferred institutional paths as paid seats.

verified
Privacy

Private notes, privileged work product, family communication drafts, and court-facing packet records carry separate scope labels and review gates.

verified
Exports

Paid-seat exports carry scope, review, and sensitive-content labels before records leave the workspace.

verified
Accessibility

Primary paid workflows use wrapping layouts, readable action targets, keyboard posture, and no clipped controls at narrow widths.

verified
Do not open paid access when any item fails

Blocking release conditions

Any paid seat primary flow fails

Blocks opening paid access until corrected.

Visible unfinished language appears on public or paid-seat surfaces

Blocks opening paid access until corrected.

Private notes, privileged work product, or family communications leak into the wrong output scope

Blocks opening paid access until corrected.

Deferred institutional surfaces appear as active paid-seat navigation

Blocks opening paid access until corrected.

The documented build path does not complete in the target Node/npm environment

Blocks opening paid access until corrected.

One proof path

Unified verification commands

npm run verify:consolidated:pass26-unified-verification-launch-proof
npm run verify:runtime-to-revenue:all
npm run verify:prose:build-gate
npm run verify:firm:all
npm run verify:fcs:all
npm run verify:e-file:all
npm run verify:judicial:shells
npm run verify:routes
npm run build
Launch readiness

Launch readiness proof

Verification record for active paid seats, access paths, privacy posture, exports, and preserved institutional workspaces.

Ready for paid-seat onboarding after final deployment verification

Active seat route matrix

Pro Se
Open

Start or resume a matter, upload records, review suggested details, organize proof, track service and proof, and produce court-ready outputs.

Case summary, evidence index, timeline report, hearing-prep packet, court-day packet, and service/proof summary.
/pro-se/dashboard/pro-se/uploads/pro-se/evidence/pro-se/timeline/pro-se/filings/pro-se/exports/pro-se/settings/pro-se/connections/pro-se/recovery
Attorney
Open

Open a matter, manage clients and tasks, track deadlines, review evidence and chronology, preserve private work product, and prepare client-safe or court-facing outputs.

Matter summary, evidence binder, issue timeline, discovery summary, hearing packet, and client-safe status report.
/attorney/matters/attorney/documents/attorney/timeline/attorney/reports/attorney/settings/attorney/connections/attorney/recovery
Family Communications
Open

Create private family communication threads, draft structured messages, use Before You Send review, and produce reviewed digests only when appropriate.

Parent-safe communication digest, issue summary, pattern summary, and protective packet only after threshold and review controls permit it.
/pro-se/family-communications/pro-se/family-communications/settings/pro-se/family-communications/connections/pro-se/family-communications/recovery

Deferred surface preservation

Judicial Edition

Preserved institutional portals, available from the full platform chooser for approved review.

/judicial/clerk/judge/prosecutor/defender
Justice workspace

Preserved and gated outside active paid-seat navigation.

/justice
Public judicial walkthrough

Global banner remains present with training-record and protected-information safety language.

https://prose-demo.tahai.net/

Public conversion and onboarding flow

Choose workspace
/pricing

Public visitors compare only Pro Se, Attorney, and Family Communications seats.

Seat detail
/seats/[seat]

Each active seat page explains audience, workflow, first actions, and outputs.

Create access
/signup?seat=...

The selected seat is preserved into account setup and handoff.

Resume work
/start?seat=...

Returning users are directed to the correct workspace rather than a generic dashboard.

Choose portal
/portal

After access is confirmed, the chooser filters workspaces by seat access.

Onboarding proof

  • New Pro Se users are sent toward intake, uploads, missing-item review, and packet readiness.
  • Attorney users land in the professional matter workspace with tasks, deadlines, evidence, reports, settings, and recovery.
  • Family Communications users land in Private Family Mode with settings, connections, recovery, and Before You Send review.
  • The portal chooser remains the default post-login target so users are not silently dumped into one workspace.

Settings, connections, uploads, and recovery

Pro Se
/pro-se/settings/pro-se/connections/pro-se/recovery/pro-se/uploads
Attorney
/attorney/settings/attorney/connections/attorney/recovery/attorney/documents
Family Communications
/pro-se/family-communications/settings/pro-se/family-communications/connections/pro-se/family-communications/recovery

Public copy proof

  • Public seat pages focus on Pro Se, Attorney, and Family Communications.
  • Public-facing language avoids unfinished implementation wording and avoids claims that automated assistance makes legal decisions.
  • Family Communications remains prevention-first and private by default.
  • Institutional surfaces are preserved without being promoted as active paid seats.

Privacy and export proof

  • Private notes, attorney work product, court-facing packets, client-safe outputs, and family communication digests use separate scope labels.
  • Connector imports remain staged until reviewed before merge or promotion.
  • Sensitive access tokens are not displayed in connection status cards.
  • Exports and downloads carry review posture and scope labeling before use outside the workspace.

Packet and export proof

  • Pro Se outputs include case summary, evidence index, timeline report, hearing-prep packet, court-day packet, and service/proof summary.
  • Attorney outputs include matter summary, evidence binder, issue timeline, discovery summary, hearing packet, and client-safe status report.
  • Family Communications outputs remain parent-safe and private by default; protective packets require sustained-pattern threshold and review controls.
  • Paid-seat outputs carry scope labels so private notes, client-safe material, court-facing packet material, and communication digests stay separated.

Public language safety

  • No active public conversion surface promotes deferred institutional workspaces as paid seats.
  • Public copy avoids implementation wording, vendor attacks, legal outcome promises, and language implying automated decisions.
  • Public examples and route labels avoid real personal information and real-looking docket details.

Verification commands

npm run verify:prose:build-gate
npm run verify:mrr:launch-readiness
npm run verify:mrr:seat-launch
npm run build
Packets, PDFs, templates, and court-output QA

Court-facing outputs carry branding, status labels, manifests, and download audit.

The output QA pass render-reviews Pro Se packets, Attorney reports, Family Communications digests, hearing packets, and e-filing fallback packets for page breaks, signatures, status labels, court-neutral language, manifests, packet hash posture, and safe download audit.

render review required before paid launch
Brand and court posture
Every output keeps the ProSe Legal Operations Platform / Justice For All lockup, generated timestamp, footer posture, and court-neutral language.
Status labels
Draft, reviewed, service/proof, payment, court-acceptance, client-safe, work-product, and protective-threshold labels stay visible before download.
Page breaks and signatures
Packet templates declare page-break review and signature or acknowledgement posture without implying automatic court filing.
Manifest and audit
Each export requires a source manifest, packet hash posture, short-lived authorized download, and structured audit action without raw legal text in logs.
Court-output render review surfaces
Pro Se case summary packet
pro-se · case-summary-packet
render-review required before paid public launch
Reviewed records onlyNot proof of court acceptanceGenerated timestampPacket manifest
Audit action: prose.case_summary_packet_exported
Filing packet
pro-se · filing-packet
render-review required before paid public launch
Review required before stagingPayment is not court acceptanceService/proof statusHuman review required
Audit action: prose.filing_packet_exported
Court-day packet
pro-se · court-day-packet
render-review required before paid public launch
Court-day preparation packetHearing dateDeadline postureEvidence index
Audit action: prose.court_day_packet_exported
Attorney client-safe status report
attorney · client-safe-status-report
render-review required before paid public launch
Client-safeWork product excludedReviewed recordsExport audit
Audit action: firm.client_safe_status_report_exported
Attorney hearing packet
attorney · attorney-hearing-packet
render-review required before paid public launch
Attorney work productReview before filingSource indexPacket hash
Audit action: firm.hearing_packet_exported
Template QA requirements
Brand lock
required
Every output uses ProSe Legal Operations Platform / Justice For All branding and approved partner attribution where appropriate.
Status labels
required
Every packet shows draft, review, service/proof, payment, acceptance, and protective-threshold status where the output touches those lanes.
Page breaks
required
Long evidence, timeline, digest, and attachment sections are rendered with controlled page breaks and no clipped rows.
Signature blocks
required
Filing, service, client delivery, and support packets show signature/acknowledgement posture without implying automatic court filing.
Manifest and hash
required
Exports include a manifest, packet hash posture, source count, generated timestamp, and audit event name.
Download audit
required
Every download/export emits a structured audit action and uses short-lived authorized delivery where applicable.
Mobile, accessibility, and performance hardening

Paid-seat paths stay usable on phones, tablets, keyboards, screen readers, and normal network latency.

The launch hardening matrix covers phone, tablet, and desktop viewports; keyboard flow; screen-reader labels; table overflow; loading and error states; Core Web Vitals budgets; and route bundle-size review without exposing deferred institutional surfaces in active paid-seat navigation.

live device proof required before public launch
Responsive viewports
4 device profiles
Phone, large phone, tablet, and desktop coverage are mapped.
Paid routes
27 routes
Public conversion, Pro Se, Firm, FCS, and account readiness routes are in scope.
Accessibility checks
6 checks
Keyboard, screen-reader, touch, overflow, and loading/error states are required.
Performance budgets
4 vitals
LCP, INP, CLS, and TTFB budgets are recorded before public launch.
Device and viewport matrix
Phone / narrow viewport
360 × 800
viewport test
primary paid paths keep actions reachable without horizontal scrolling
Large phone
430 × 932
viewport test
mobile-first intake and paid-seat onboarding remain readable at modern phone widths
Tablet portrait
768 × 1024
viewport test
rails collapse or stack cleanly before dense tables clip controls
Launch accessibility and performance gates
Phone/tablet/desktop coverage
ready
4 device viewports mapped across 5 paid-seat route groups.
Keyboard flow
ready
Keyboard path and visible-focus review are required for paid-seat workflows.
Screen-reader labels
ready
Screen-reader labels and non-color status text are required.
Table overflow
ready
Dense attorney, evidence, filing, billing, and support tables require overflow-safe responsive treatment.
Loading and error states
ready
Slow network, provider, parser, billing, support, and export failures require safe next steps.
Core Web Vitals
ready
LCP, INP, CLS, and TTFB budgets are recorded for active paid-seat paths.
Paid-seat responsive route coverage
Visitor to paid seat
public · 4 routes · 4 viewports
covered
//pricing/start/account
Pro Se case command
pro-se · 7 routes · 4 viewports
covered
/pro-se/intake/pro-se/uploads/pro-se/evidence/pro-se/timeline/pro-se/filing
Attorney/Firm operations
attorney-firm · 6 routes · 3 viewports
covered
/firm/dashboard/firm/matters/firm/tasks/firm/reports/firm/time
Family Communications
family-communications · 2 routes · 4 viewports
covered
/pro-se/family-communications/pro-se/family-communications/settings
Security, privacy, and compliance final gate

Paid-seat launch stays blocked until abuse cases, privacy lifecycle, terms, retention, legal hold, and penetration-test prep are reviewed.

The final gate threat-models public conversion, Pro Se matters, Attorney/Firm work product, Family Communications, e-filing/ingest, exports, and ChatGPT/MCP connection paths while preserving human review for AI, parser, filing, and court-output actions.

security review required before public launch
Paid path families
6
Threat-modeled before public launch.
Abuse cases
8
Credential, entitlement, matter, upload, billing, FCS, MCP, and support abuse reviewed.
Privacy controls
8
Policy, consent, export/delete, retention, legal hold, family safety, and audit minimization.
Pen-test checks
29
Grouped prep for route/API, authz, ingest, AI/connector, privacy, billing, and support.
Paid-path threat model
Public conversion to account
4 risks · 4 controls
threat-modeled
Public visitors see only active Pro Se, Attorney/Firm, and Family Communications seats; protected account readiness requires secure sign-in.
Pro Se private matter workspace
4 risks · 4 controls
threat-modeled
Private matter access remains owner-scoped and parser/AI candidates stay staged until reviewed by a person.
Attorney/Firm work product
4 risks · 4 controls
threat-modeled
Firm workspaces require tenant-safe matter access, client-safe output labels, and audit on material report/export activity.
Family Communications privacy
4 risks · 4 controls
threat-modeled
FCS remains prevention-first and private by default; protective posture requires sustained harmful-pattern review.
Launch security gates
Threat-model paid paths
ready
6 paid path families and 24 abuse risks are mapped before public launch.
Abuse-case review
ready
8 abuse cases cover credential, entitlement, matter/export, upload, billing, FCS, MCP, and support risks.
Privacy compliance controls
ready
8 privacy controls cover policy copy, consent, export/delete, retention, legal hold, family safety, and audit minimization.
Data export/delete/retention/legal hold
ready
6 data lifecycle workflows distinguish export, delete, retention, and legal hold dispositions.
Penetration-test prep
ready
29 penetration-test preparation checks are grouped across route/API, authz, ingest, connector/AI, privacy, billing, and support.
No-regression guardrails
ready
Prior pass locks remain explicit for auth, billing, persistence, ingest, audit, output QA, FCS, MCP, packet, mobile, and human-review behavior.
Abuse cases
Credential stuffing and session replay
Strong session check, rotation, secure cookie posture, and denied-access audit events.
Cross-seat entitlement bypass
Seat claim enforcement, lockout behavior, upgrade prompt boundary, and no deferred institutional navigation.
Matter and export enumeration
Object-level authorization, short-lived download path, packet hash manifest, no-store response, and audit.
Malicious upload and parser abuse
Quarantine, scanner/OCR handoff, parser sandbox, staging-only output, and human promotion gate.
Privacy and policy controls
Terms and policy copy
Paid-seat terms, privacy, AI-assist, filing, FCS, billing, and support language must be product-quality and court-neutral.
Privacy notice and consent
Users understand what is stored, what is private, what can be exported, and how connectors/FCS communications are handled.
Data export workflow
Users can request or create scoped exports of account, matter, packet, support, and audit-adjacent records without raw quarantine leakage.
Data delete workflow
Deletion requests are routed through entitlement, matter ownership, legal hold, retention, and audit-preservation checks.
Data lifecycle requests
Account data export
export
prepare export manifest and notify user when authorized package is ready
Matter and packet export
export
authorized packet export with reviewed status labels and audit event
Connector disconnect and delete
delete
disconnect live access, retain required audit metadata, and mark staged suggestions closed or preserved
Family Communications purge review
delete
review privacy, safety, and hold posture before any purge or export action
Final paid-seat launch release candidate

Well-Oiled Seat-Launch proof is locked for owner go-live review.

The final release-candidate gate preserves all completed seat-launch controls, adds support/admin/customer-success operations, records go-live decision points, and keeps production configuration plus launch-owner approval as the controlling release step.

owner go-live approval required
Go-live locks
8
Prior pass contracts preserved through final release-candidate proof.
Support ops
7
Support, admin, customer-success, recovery, billing, connector, and filing workflows covered.
Go-live decisions
6
Scope, blockers, configuration, human review, data operations, rollback, and support decisions recorded.
Proof commands
8
Final RC proof path includes launch, MRR, e-filing, support, and build gates.
Go-live locks
Cold build and runtime proof
release owner
locked
Fresh extraction must install, build, start, and answer health without hidden bypasses or unexpected route-config warnings.
npm run verify:launch:build-proof
Paid seat entitlement and billing
account operations
locked
Pro Se, Attorney/Firm, and Family Communications seats require active entitlement, trial, or documented support state before workspace access.
npm run verify:launch:billing-entitlements
Durable persistence and audit readiness
platform operations
locked
Material records must use durable adapters in pilot/production, with audit, support packet, backup, restore, retention, and legal-hold posture preserved.
npm run verify:launch:durable-persistence && npm run verify:launch:observability-support
Ingest quarantine and e-filing transaction safety
filing operations
locked
Raw files enter quarantine, parser output stays staged, human promotion is required, filing retries are idempotent, and no court action is automated outside approved provider boundaries.
npm run verify:launch:ingest-quarantine && npm run verify:efiling:security-all
Final launch gates
All prior seat-launch passes locked
locked
8 go-live locks preserve Passes 255 through 267 plus support/admin/customer-success operations.
Support/admin/customer-success operations
locked
7 support operations cover queue intake, diagnostics, recovery, billing, connector, filing, and knowledge-base posture without private-data leakage.
Go-live decision register
locked
6 decisions define scope, blockers, configuration, human review, customer data operations, rollback, and support readiness.
Release-candidate proof commands
locked
Final proof path includes seat-launch pass 18, launch all, MRR support operations, e-filing security, and build commands.
Paid-seat scope preserved
locked
Active launch scope remains Pro Se, Attorney/Firm, and Family Communications; deferred institutional surfaces stay preserved and gated.
Support, admin, and customer-success operations
Support queue intake
support operations
covered

Receive paid-seat support issues with seat, account, matter, billing, connector, export, filing, and urgency classification.

No full legal text, raw messages, tokens, cookies, signed URLs, or payment data are stored in the support ticket body.

Impersonation-safe diagnostics
admin and support operations
covered

Show account, plan, route, adapter, export, packet, connector, and ingestion posture without opening private matter content as the user.

Support reads metadata and redacted support packets only; private case content requires customer-controlled export or explicit escalated authorization policy.

Account recovery workflow
account operations
covered

Recover access, rotate sessions, handle lost SSO, and resolve locked accounts without bypassing entitlement or private-data boundaries.

Recovery never grants cross-seat access and never exposes protected data before identity and entitlement are confirmed.

Refund and cancellation workflow
billing operations
covered

Handle plan cancellation, failed payment, refund request, invoice issue, downgrade, and trial conversion with entitlement reconciliation.

Payment events are separated from legal records; refund or cancellation does not delete legal data without a separate retention and export workflow.

Go-live decision register
Launch scope
owner review

Public paid-seat launch remains limited to Pro Se, Attorney/Firm, and Family Communications.

Disposition: deferred institutional surfaces preserved and hidden from active paid-seat navigation

Launch blockers
owner review

Critical and high-risk blockers must be closed or explicitly accepted by the launch owner with a mitigation and support procedure.

Disposition: no unresolved critical/high risks in the launch risk register

Production configuration
owner review

Production launch requires approved auth, billing, persistence, audit, storage, queue, ingest, email, connector, and provider configuration.

Disposition: provider-pending surfaces are labeled and cannot imply live production integration

Enterprise readiness

Enterprise launch hardening

Operational control record for secure access, paid-seat continuity, reviewed imports, output safeguards, incident recovery, and full platform owner access.

Platform owner access opens all portals through the post-login chooser.

Enterprise hardening in place for active paid-seat onboarding
Required launch controls

Enterprise control gates

Secure access and portal selection
Owner: Account access
Hardened

Login lands on the portal chooser, workspace access issues a platform-scoped session for approved owner accounts, and direct login loops are rejected.

Post-login portal chooserApproved-account session scopeSafe next-path normalizationSign-out clears local session state
Seat isolation and workspace boundaries
Owner: Seat access
Hardened

Active MRR seats remain Pro Se, Attorney, and Family Communications while institutional portals remain separated from paid-seat navigation.

Active seat route matrixDeferred institutional route preservationPrivate/client/court output labelsPortal-group filtering by access scope
Reviewed import and merge discipline
Owner: Connections and imports
Hardened

Connector material stays staged until a person reviews destination, scope, and merge intent before promotion.

Staged import queueDestination controlsRecovery panelNo sensitive token display
Court-neutral packet and report posture
Owner: Reports and exports
Hardened

Paid-value outputs carry review posture, scope labels, and neutral wording before use outside the workspace.

Court-facing scope labelClient-safe scope labelPrivate-note exclusionReviewed digest requirement
Family Communications privacy posture
Owner: Family Communications
Hardened

Family Communications stays private by default; protective posture requires sustained harmful patterns and reviewed output controls.

Private Family ModeBefore You Send reviewSustained-pattern thresholdProtective packet review gate
Owner operations and recovery readiness
Owner: Platform operations
Hardened

The account workspace now exposes launch proof, enterprise readiness, connections, recovery, and route inventory from the portal chooser.

Launch readiness pageEnterprise readiness pageFeature preservation recordKnown limitation register
Active MRR seats

Paid-seat feature and safeguard matrix

Pro Se
Enterprise-grade paid seat
Features
  • Guided intake
  • Evidence registry
  • Timeline intelligence
  • Service/proof posture
  • Court-day packet
  • Settings and recovery
Safeguards
  • Review-required extracted facts
  • Private notes excluded from court packets
  • Court-neutral language
  • Folder upload and connector recovery
/pro-se/dashboard/pro-se/uploads/pro-se/evidence/pro-se/timeline
Attorney
Enterprise-grade paid seat
Features
  • Matter workspace
  • Task and deadline posture
  • Evidence review
  • Discovery summary
  • Client-safe report
  • Professional packet output
Safeguards
  • Privileged notes stay private
  • Client-safe preview boundary
  • Reviewed connector imports
  • Court/client/private scope labeling
/attorney/attorney/matters/attorney/documents/attorney/timeline
Family Communications
Enterprise-grade paid seat
Features
  • Private Family Mode
  • Structured threads
  • Saved drafts
  • Calm message templates
  • Before You Send review
  • Parent-safe digest
Safeguards
  • Private by default
  • No evidence-first framing
  • No single-message protective trigger
  • Reviewed digest before export
/pro-se/family-communications/family-communications/family-communications/conversations/family-communications/coaching
Final readiness

Final launch package readiness

Owner-facing record for the paid-seat release package, controlled configuration notes, responsive review, and final verification path.

Package ready for final local build and deployment smoke
Release contents

Package manifest

Source package
Included

Application source, public assets, route families, shared utilities, package manifest, lockfile, verifier scripts, and configuration examples remain in the release package.

Active paid seats
Included

Pro Se, Attorney, and Family Communications stay active for paid onboarding with settings, connections, recovery, reports, and export surfaces preserved.

Deferred institutional surfaces
Preserved

Judicial Edition, Justice, Clerk, Judge, Prosecutor, Defender, and Law Court surfaces remain compatible and separated from active MRR navigation.

Configuration and review posture

Controlled launch notes

Environment values
Controlled configuration required

Production service URLs, allowed accounts, session secret, OAuth redirect values, and provider keys must be supplied through the deployment environment before release.

Deployment preflight verifies required values and reports optional provider configuration separately.

OAuth provider status
Provider configuration required

Google and Microsoft entries remain safe when provider configuration is unavailable, and Google local-origin handling avoids invalid 0.0.0.0 redirects during local review.

Login and Google SSO origin verifiers protect the post-login portal chooser contract.

Connector imports
Review required

Imported material stays staged until a person confirms destination, scope, and merge intent before promotion into a matter.

Paid-seat connections and recovery verification protects staged import review and recovery controls.