# Customer-Facing Promise Audit — Route Commerce **Date:** 2026-06-26 **Scope:** Every promise the product makes to customers across marketing, documentation, public UI, and "AI answers" (admin copy that talks to the user in product voice). Includes pricing, security, changelog, roadmap, landing hero/stats, FAQ copy, product descriptions, and `LAUNCH_CHECKLIST.md`. **Method:** Walked every customer-touching surface in the repo. For each distinct promise, captured (a) the exact copy, (b) the file/line, and (c) the strongest evidence — code, schema, docs, or absence of evidence — underneath. Then assigned one label per the user contract. **Labels used** | Label | Meaning | |---|---| | **PROVEN** | Code/schema/docs substantiate the claim today. | | **PARTLY PROVEN** | Substantially true but with caveats; copy overstates one detail. | | **MISLEADING** | The headline reads true but the fine print is materially wrong, or the framing suggests a stronger guarantee than reality. | | **UNSUPPORTED** | No code, schema, audit, contract, or credential backs the claim. | | **OUTDATED** | Was true at one point, no longer true. | | **MISSING EVIDENCE** | Need a human or system to confirm before we can label. | --- ## 1. Landing & marketing surfaces ### 1.1 Landing hero stats — `src/components/landing/HeroSection.tsx:48` ``` { stat: "500+", label: "Farm Brands" } { stat: "98%", label: "On-Time" } { stat: "50K+", label: "Deliveries" } ``` Plus `STAT_COUNTERS` (HeroSection.tsx:84): ``` 500 "Produce Brands" 50K "Orders Delivered" 98% "On-Time Delivery" $2M+ "Weekly Sales" ``` **Evidence:** None. No customers in tree, no DB row count, no integration that surfaces live numbers. The pricing-assessment doc (docs/pricing-assessment.md:79) already flags this: *"Landing-page stats are aspirational, not real. The working tree has no customers; this is a marketing claim that could trip up B2B buyers doing due diligence. Either back it with real numbers or remove it."* **Label:** **UNSUPPORTED** (high-risk: B2B due-diligence exposure). **Fix rank:** #1. ### 1.2 Landing feature copy — HeroSection.tsx:53–98 | Promise | Evidence | Label | |---|---|---| | "Showcase seasonal produce with rich media galleries and **real-time availability** updates" | No realtime subscriptions on storefront. `supabase` is mentioned in `indian-river-direct/page.tsx` for brand lookup, but product availability is a fresh fetch. | **MISLEADING** | | "Optimize delivery routes with **intelligent mapping** and real-time scheduling" | `src/app/api/ai/route-optimizer/route.ts` exists but is gated on admin user + AI provider key. No live routing on the storefront. | **PARTLY PROVEN** (admin-only) | | "Track orders from placement through delivery with **automated status** updates" | No delivery tracking. Order status is admin-set. | **UNSUPPORTED** | | "Give buyers a dedicated space to browse pricing and place bulk orders" | Wholesale portal exists. | **PROVEN** | | "Send email and SMS campaigns about seasonal availability and new harvests" | Harvest Reach exists for admin. | **PROVEN** (admin surface) | | "Uncover sales trends and operational insights with **real-time dashboards**" | Reports dashboard exists; not realtime. | **PARTLY PROVEN** | ### 1.3 Pricing page — `src/app/pricing/PricingClientPage.tsx` | Promise | Evidence | Label | |---|---|---| | AggregateRating in JSON-LD `4.9 / 12 reviews` (`src/app/page.tsx:55`) | Inline comment: `// Placeholder — replace with real review data once collected.` | **UNSUPPORTED** (fabricated rating published as structured data; Google could surface it). | | "Marcus T., Fresh Fields Farm" / "Sandra K., Pacific Produce Co-op" / "James R., Gulf Coast Distribution" testimonials (PricingClientPage.tsx:54–58) | No source. Names are made up. | **MISLEADING** (named-person testimonials with no consent) | | "Harvest Reach alone paid for the subscription. Our pickup rate went from 70% to 94% in two months." | No source. | **UNSUPPORTED** (specific metric, no customer) | | "Every new account starts on the Starter plan. … No credit card required to start." (FAQ line 24) | Waitlist page (line 103) contradicts: *"Early access members get 30 days free on any plan."* No self-serve signup exists; brands are seeded by `scripts/provision-admin.ts`. | **MISLEADING** (conflicting free-trial claims) | | "Enterprise customers can pay by invoice" (FAQ line 32) | `pricing.ts` prices Enterprise at $399/mo; `stripe-billing.ts` has annual=0 (Custom); the FAQ says invoice. None of these match the public pricing card. | **MISLEADING** (internal pricing model is inconsistent with public copy) | | "Add-ons are available on any plan. … billed proportionally when added mid-cycle." | No proportional-billing code path in `src/actions/billing/`. Stripe proration is on but the proportional UI copy implies a feature we haven't built. | **PARTLY PROVEN** | | Save 25% with annual (line 160) | `pricing.ts` shows: Starter annual 441 = 49×12×0.75 ✓; Farm 1341 = 149×12×0.75 ✓; Enterprise 3591 = 399×12×0.75 ✓. But `stripe-billing.ts:34` shows Farm annual = $1,522.80 (15% off). **Two sources of truth disagree.** | **MISLEADING** (internal inconsistency; one of the two is wrong) | | "Dedicated SLA" (Enterprise feature) | No SLA document, no `sla_*` table or RPC, no uptime monitoring integration. | **UNSUPPORTED** | | "Priority support" (Farm) | No support tier system, no SLA, no escalation path. | **UNSUPPORTED** | | Compare table "AI Intelligence Pack" Enterprise-only | Roadmap / pricing says Farm has Harvest Reach but not AI. Pricing page mirrors that. | **PROVEN** (consistent) | | Compare table "Multi-location Support" — *not actually in the table* (referenced on roadmap only) | n/a | n/a | ### 1.4 Pricing JSON-LD — `src/app/page.tsx` ``` offers: { lowPrice: 49, highPrice: 399, ... } priceSpecification: [ {Starter 49}, {Farm 149}, {Enterprise 399} ] ``` **CLAUDE.md (the canonical reference) says Enterprise is "Custom" pricing.** **Label:** **MISLEADING**. The structured-data layer is publishing a price that the platform says is custom. This is the kind of thing that surfaces in Google search snippets and creates procurement friction. ### 1.5 Waitlist — `src/app/waitlist/page.tsx` | Promise | Evidence | Label | |---|---|---| | "Join **500+** farms on the waitlist" / "**12+** States Covered" / "Q2 Launch Target" | Hard-coded copy. No waitlist row count. | **UNSUPPORTED** (three different numbers, all made up) | | "I've been waiting for a platform like this. The wholesale portal alone will save us hours every week." — Maria S., Sunny Acres Farm | No source. | **UNSUPPORTED** | | "Yes! Early access members get **30 days free on any plan**." | No billing code grants this. | **UNSUPPORTED** | | "Full access to all features including products, orders, stops management, and communications." | Waitlist → /api/waitlist writes a row. Does NOT auto-create a tenant. | **MISLEADING** | ### 1.6 Indian River Direct landing — `src/app/indian-river-direct/page.tsx` ``` TESTIMONIALS = [ { name: "Linda Hurlbut", text: "I finally got my grapefruit from you today..." }, { name: "Phil Myers", text: "I just wanted to comment on the citrus I received..." }, { name: "Bill Prue", text: "I would just like to say how pleased we are..." } ] ``` **Evidence:** These are real customer quotes from the brand owner's email archive (different file than the pricing page). **Label:** **PROVEN** for IRD-specific surface; isolated risk. --- ## 2. Pricing & billing internal consistency ### 2.1 Two pricing sources of truth `src/lib/pricing.ts` (marketing UI): ``` Farm annual = $1,341 (25% off) Enterprise annual = $3,591 (25% off) ``` `src/lib/stripe-billing.ts` (Stripe checkout logic): ``` Farm annual = $1,522.80 (15% off) ← src/lib/stripe-billing.ts:67 Enterprise annual = $0 (Custom) ← src/lib/stripe-billing.ts:82 ``` **Label:** **MISLEADING** — the marketing UI cannot be trusted to match what the checkout will charge. **Fix rank:** #2 (after landing stats, since this can cost real money). ### 2.2 Feature flags display `src/lib/feature-flags.ts:59` shows `wholesale_portal: "Contact us"` and `ai_tools: "OpenAI API required"`, but `pricing.ts` prices them at $99 and $59. **Label:** **MISLEADING** (the add-on tile says "Contact us" while the pricing card says "$99/mo"). Same item, two prices. ### 2.3 Add-on Stripe env-var mismatch `src/actions/billing/stripe-checkout.ts:19` reads `STRIPE_PRICE_WATER_LOG`. `pricing.ts` and `stripe-billing.ts` agree on price. **But** `stripe-billing.ts:154` also defines `_annual` price IDs that are never used. **Label:** **PARTLY PROVEN** (works for monthly, but annual is not actually wired in any Stripe price env var the docs mention). **Fix rank:** lower. --- ## 3. Security page — `src/app/security/page.tsx` | Promise | Evidence | Label | |---|---|---| | "**SOC 2 Compliant** — Our infrastructure meets SOC 2 Type II standards for security, availability, and confidentiality." | No SOC 2 report, no auditor name, no compliance-trust URL. | **UNSUPPORTED** (high-risk; this is a regulatory/compliance claim). | | "We conduct **quarterly penetration tests** and annual security audits with certified third parties." | No pentest repo, no audit report, no scheduled task. | **UNSUPPORTED** | | "**99.9% Uptime SLA** — Enterprise plan customers receive a 99.9% uptime guarantee with 24/7 monitoring." | No SLA doc, no `sla_*` table, no monitoring integration beyond Vercel's defaults. | **UNSUPPORTED** | | "**GDPR & CCPA Compliant**" | `src/app/privacy-policy/page.tsx` exists but does not include DPA, SCCs, or data-residency clauses. | **PARTLY PROVEN** (privacy page exists; compliance posture unverified) | | "Supabase Auth provides secure, compliant authentication with 2FA support." (line 69) | Auth was migrated to **Neon Auth** (`src/lib/auth.ts`), and 2FA is **not enabled** in the Better Auth config. | **OUTDATED + UNSUPPORTED** (both — wrong product AND no 2FA) | | "SSL Secured" / "SOC 2 Compliant" / "GDPR Ready" / "PCI Compliant" trust badges (line 47) | Same SOC 2 / PCI issue. | **UNSUPPORTED** | | "Stripe — PCI-compliant payment processing" (line 178) | Stripe IS PCI DSS Level 1; we inherit it. **PROVEN** for Stripe's posture. | **PROVEN** (when scoped to Stripe's posture, not our own) | | "Vercel — Edge network with automatic DDoS protection and global CDN" (line 168) | Vercel does provide this. | **PROVEN** (when scoped to Vercel's posture) | | "Supabase — PostgreSQL database with built-in encryption and real-time capabilities" (line 173) | DB is now **Neon Postgres direct via `pg`**, not Supabase. | **OUTDATED** | | "256-bit SSL encryption" / "PCI DSS Level 1 compliant" / "Advanced fraud detection" / "Secure card tokenization" | All Stripe attributes, true when scoped to Stripe. | **PROVEN** (Stripe-scoped) | | `mailto:security@routecommerce.com` for vulnerability reports | Inbox unverifiable from repo. | **MISSING EVIDENCE** (need to confirm mailbox monitored) | --- ## 4. Changelog — `src/app/changelog/page.tsx` | Version | Promise | Evidence | Label | |---|---|---|---| | 2.4.0 (2025-01-15) "Harvest Reach Email Campaigns — …templates, scheduling, and analytics" | Templates, scheduling, analytics all in code. | **PROVEN** | | 2.3.0 "Square Inventory Sync" | Settings UI + `square_to_rc` / `rc_to_square` / `bidirectional` modes in `SquareSyncSettingsClient.tsx:443`. | **PROVEN** (UI exists; cron at `/api/square/process-queue` is wired in `vercel.json`). | | 2.2.2 "Dashboard now loads 40% faster" | No benchmark in tree. | **UNSUPPORTED** (specific perf claim with no measurement) | | 2.2.1 "Order Export Fix" | Generic bug-fix entry. | **MISSING EVIDENCE** (cannot verify without git blame) | | 2.2.0 "**AI Intelligence Pack** — Campaign Writer, Pricing Advisor, Demand Forecasting. Available on Enterprise plan." | All 8 AI endpoints exist (`/api/ai/*`); all gated on `getAIClient(brandId)` returning a client. Requires brand to have an AI provider key configured. | **PARTLY PROVEN** (works only when brand has configured an API key — defaults to OpenAI which is BYO key, not "included in Enterprise") | | 2.1.0 "Water Log Module" | Module exists at `/admin/water-log` and `/water`; schema documented in `docs/water-log.md`. | **PROVEN** | | 2.0.0 "New Admin Dashboard" | v2 routes under `/admin/v2/*`. | **PROVEN** | | 1.9.0 (2024-10-30) "Two-Factor Authentication" | **No TOTP/2FA in `src/lib/auth.ts` or `src/auth.config.ts`.** Better Auth supports a `twoFactor` plugin but it is not registered. | **UNSUPPORTED** (high-risk; this is the headline 1.9.0 feature and it doesn't exist) | **Changelog metadata issue:** the changelog's most-recent entry is dated 2025-01-15. We're in June 2026. **Label:** **OUTDATED** as a whole (this page silently went stale). --- ## 5. Roadmap — `src/app/roadmap/page.tsx` ### 5.1 "Shipped" column (page.tsx:35) | Item | Promise | Evidence | Label | |---|---|---|---| | Harvest Reach Email Campaigns | Code lives under `/admin/communications`. | **PROVEN** | | Square Inventory Sync | Code + queue cron. | **PROVEN** | | AI Intelligence Pack | 8 endpoints, brand-gated. | **PROVEN** (with the same caveat as 2.2.0 above) | | Water Log Module | Module lives at `/admin/water-log`. | **PROVEN** | ### 5.2 "In Progress" (page.tsx:43) | Item | Promise | Evidence | Label | |---|---|---|---| | Mobile App (iOS & Android) | No `ios/`, `android/`, or React Native config. The "admin mobile PWA" spec (`docs/superpowers/plans/2026-06-17-admin-mobile-pwa.md`) is a PWA plan, **not a native app**. | **UNSUPPORTED** (a public claim of a native mobile app; reality is a PWA spec). | | Advanced Reporting & Analytics | Reports page exists; advanced exports not all wired. | **PARTLY PROVEN** | | Multi-location Support | No schema for `locations` table; `brands` has no `location_id`. | **UNSUPPORTED** | ### 5.3 "Planned" (page.tsx:51) | Item | Evidence | Label | |---|---|---| | SMS Campaigns | Module already implemented at `/api/ai/stop-blast-advisor` and gated by `sms_campaigns` add-on. | **OUTDATED** (should be "Shipped", not "Planned") | | Route Optimization | Endpoint at `/api/ai/route-optimizer` exists. | **OUTDATED** (should be "Shipped") | | POS Integration (Clover, Toast) | No Clover/Toast integration in tree. | **PROVEN** (still planned) | | Customer Loyalty Program | No code. | **PROVEN** (still planned) | ### 5.4 Roadmap affordances that don't work `docs/qa/audit-2026-06-25/ACCEPTANCE-CRITERIA.md:668` already flagged: `/roadmap/suggestion` form and upvotes have no handlers. **Label:** **MISLEADING** (the page implies a working vote/suggest system). --- ## 6. Public docs (`README.md`, `LAUNCH_CHECKLIST.md`, `docs/`) ### 6.1 README.md | Promise | Evidence | Label | |---|---|---| | "Time Tracking" with PINs, Workers, Tasks (lines "Adding Workers / Adding Tasks / Notification Alerts") | `src/actions/time-tracking/field.ts:7` is **stub code** that returns `{ success: false, error: "Time tracking is not configured" }`. The TODO comment (line 7) explicitly says: *"the time-tracking feature was built on Supabase RPCs … that don't exist in the SaaS rebuild schema. The functions below are stubs … the field UI degrades gracefully (no PIN login, no entry submit)."* | **UNSUPPORTED** (high-risk; README documents a feature that does not work) | | "**Supabase** (Postgres + Auth + RLS)" (Tech Stack) | README still says Supabase; CLAUDE.md says we're on direct Postgres + Neon Auth. | **OUTDATED** | | `npm run migrate` / `supabase link --project-ref` | `supabase/push-migrations.js` exists but CLAUDE.md says only the direct `pg` path is used; Supabase CLI branch is legacy. | **OUTDATED** | | `dev_session` cookie bypass — described as dev-only | CLAUDE.md reinforces this. Code guard at `src/lib/auth.ts:55` returns early in production unless `PERF_TEST_AUTH=1`. | **PROVEN** (well-controlled) | | Email automation cron endpoints (`/api/email-automation/abandoned-cart`, `/api/email-automation/welcome-sequence`) | Endpoints + Vercel cron config in `vercel.json`. | **PROVEN** | ### 6.2 `LAUNCH_CHECKLIST.md` | Claim | Evidence | Label | |---|---|---| | "**Social Proof** ✓ Complete — FeaturesAndStats.tsx" | `FeaturesAndStats.tsx` does not exist in `src/components/landing/`. | **OUTDATED** | | "**Testimonials** ✓ Complete — TestimonialsAndCTA.tsx" | `TestimonialsAndCTA.tsx` does not exist. | **OUTDATED** | | "**Guided Product Tour** ✓ Complete — OnboardingFlow.tsx" | `OnboardingFlow.tsx` does not exist. | **OUTDATED** | | "**Referral Program** ✓ Complete — src/app/api/referrals/route.ts, ReferralSystem.tsx" | `src/app/api/referrals/route.ts` uses **in-memory `Map`** that does not persist across serverless invocations. `ReferralSystem.tsx` does not exist. | **OUTDATED + UNSUPPORTED** | | "**Email Capture** ✓ Complete — Newsletter form in blog page" | `src/app/blog/page.tsx` does not have a working newsletter form (static post list). | **OUTDATED** | ### 6.3 `docs/ADMIN_FUNCTIONALITY_CHECKLIST.md` Lists time-tracking admin features as testable. Combined with the stub status above, this is **OUTDATED + UNSUPPORTED**. --- ## 7. Public storefront / AI answers in product voice ### 7.1 Wholesale portal login — `src/app/wholesale/login/page.tsx:156` > "Google sign-in is available, but the wholesale portal is not yet wired up to it. Please use email + password for now." **Label:** **PARTLY PROVEN** (honest about the limitation, but a customer-facing string saying "not yet wired up" is itself a smell — production copy should not contain TODO-like caveats). ### 7.2 Brand-specific FAQs — `src/app/tuxedo/faq/FAQClientPage.tsx` Mostly verifiable (corn minimum 4 dozen, real phone number 970-323-6874). **Label:** **PROVEN** for Tuxedo-specific FAQ. ### 7.3 `CLAUDE.md` "AI answers" surfaced in admin copy The product has 8 AI endpoints (`/api/ai/{campaign-writer, customer-insights, demand-forecast, pricing-advisor, product-writer, report-explainer, route-optimizer, stop-blast-advisor}`). Each returns a typed response. The admin UI at `/admin/settings/ai` describes them in product voice: > "Configure AI providers, keys, and preferences used by **campaign writer, > pricing advisor, report explainer**, and other tools." **Evidence:** All endpoints exist, but they require: 1. Brand has `get_ai_provider_settings` row (BYO API key). 2. The configured provider must be reachable from the server. 3. The `minimax` provider is hard-coded into `AIProviderPanel.tsx` with model names like `MiniMax-M3`, `MiniMax-M2.7`, `MiniMax-M2.1` — these are **not real public model IDs** and look like leftover copy from a model-bake-off. **Label for "AI Intelligence Pack" as advertised on pricing page:** **PARTLY PROVEN** (works with config; "Available on Enterprise plan" copy implies it's bundled, but the feature requires BYO OpenAI/Anthropic key — the add-on has no included inference credits). **Label for `minimax` provider card:** **UNSUPPORTED** (placeholder model names published to admin UI). --- ## 8. Risk-ranked list of fixes the user must approve Top items, ranked by legal/customer-trust exposure × likelihood a real buyer will notice. **Production copy changes require sign-off** per the user contract. | Rank | Fix | Surface | Risk if unchanged | Effort | |---|---|---|---|---| | 1 | Replace fabricated landing stats ("500+ Farm Brands / 98% On-Time / 50K+ Deliveries / $2M+ Weekly Sales") with neutral copy OR real numbers once available. Remove from JSON-LD `aggregateRating` placeholder. | `src/components/landing/HeroSection.tsx`, `src/app/page.tsx` | **HIGH** — B2B procurement teams check public stats. | XS | | 2 | Pick one pricing source of truth. Reconcile `src/lib/pricing.ts` and `src/lib/stripe-billing.ts`. Update FAQ "Enterprise customers can pay by invoice" if pricing stays Custom. | `src/lib/pricing.ts`, `src/lib/stripe-billing.ts`, FAQ copy | **HIGH** — checkout may charge a different price than the marketing card. | S | | 3 | Remove "Two-Factor Authentication" from `Changelog v1.9.0` and the security page feature list, or implement TOTP via Better Auth's `twoFactor` plugin and verify it works. | `src/app/changelog/page.tsx`, `src/app/security/page.tsx` | **HIGH** — customers rely on advertised features; missing 2FA after promised = trust loss. | M | | 4 | Strip SOC 2 / 99.9% uptime / quarterly pentest claims from `security/page.tsx`, or replace with neutral, scoped language ("Vercel provides edge DDoS protection; Stripe is PCI DSS Level 1"). | `src/app/security/page.tsx` | **HIGH** — regulatory/compliance exposure. | S | | 5 | Remove or label-as-example the three fabricated testimonials on pricing page (Marcus / Sandra / James). Keep the IRD ones (real quotes). | `src/app/pricing/PricingClientPage.tsx` | **HIGH** — fake named-person testimonials can violate FTC guidelines. | XS | | 6 | Reconcile Enterprise pricing: structured-data JSON-LD `$399`, marketing card `$399`, CLAUDE.md "Custom". Pick one. | `src/app/page.tsx`, `src/app/pricing/PricingClientPage.tsx`, FAQ copy | **MEDIUM** — Google snippets, sales-call confusion. | S | | 7 | Remove or implement `dev_session`/`dev_login` claims that promise features not built (e.g., "Not yet wired up to Google" line in wholesale login). | `src/app/wholesale/login/page.tsx` | **MEDIUM** — production copy with TODO language. | XS | | 8 | Replace `MiniMax-M3` etc. in `AIProviderPanel.tsx` with the real `minimax` model catalog or remove the provider until shipped. | `src/components/admin/AIProviderPanel.tsx` | **MEDIUM** — admin sets a non-existent model; calls will 404. | XS | | 9 | Mark Time Tracking as "coming soon" in README + checklist, or rebuild the schema. | `README.md`, `docs/ADMIN_FUNCTIONALITY_CHECKLIST.md`, `src/actions/time-tracking/field.ts` | **MEDIUM** — docs promise a feature whose actions are stubs. | L | | 10 | Refresh changelog & roadmap dates (most recent changelog entry is 2025-01-15; today is 2026-06-26). Reclassify SMS Campaigns and Route Optimization as Shipped. | `src/app/changelog/page.tsx`, `src/app/roadmap/page.tsx` | **LOW** — perception of staleness. | S | | 11 | Wire the `/api/referrals` in-memory `Map` to Postgres OR remove the "Referral Program ✓ Complete" claim from `LAUNCH_CHECKLIST.md`. | `src/app/api/referrals/route.ts`, `LAUNCH_CHECKLIST.md` | **LOW** — feature currently advertised but non-functional. | M | | 12 | OG image: `/og-default.jpg` referenced by pricing/blog/contact but only `/og-default.svg` exists in `public/`. | `src/app/{pricing,blog,contact}/page.tsx`, `public/` | **LOW** — broken preview cards in social shares. | XS | | 13 | Replace Supabase-era auth claim ("Supabase Auth provides 2FA") and DB claim ("Supabase Postgres") on security page. | `src/app/security/page.tsx` | **LOW–MEDIUM** — outdated reference, but page is informational. | XS | | 14 | Resolve `/roadmap/suggestion` form & upvotes (no handlers) — either disable or wire up. | `src/app/roadmap/page.tsx` | **LOW** — UI affordance leads nowhere. | S | --- ## 9. Decisions needed from the user 1. **Replace or keep** the landing hero stats? If keep, commit to a data source. 2. **Choose pricing source of truth** — `pricing.ts` (25% annual) or `stripe-billing.ts` (15% annual, Enterprise=Custom). Recommend: align on `pricing.ts` for marketing parity, set `stripe-billing.ts` annual prices accordingly, and decide Enterprise = Custom (no card on site). 3. **Implement 2FA now** via Better Auth's `twoFactor` plugin, **or remove** from changelog + security page. Recommend: remove from copy; queue 2FA as a real ticket. 4. **Strip SOC 2 / uptime / pentest claims** from security page **or** scope them to providers (Vercel, Stripe). Recommend: scope to providers; queue real compliance work. 5. **Strip fabricated named testimonials** from pricing page. Recommend: yes, replace with either no testimonials or real ones once collected. 6. **Time Tracking**: docs claim it works, actions are stubs. Recommend: mark "coming soon" in README/checklist, file a real ticket to bring back the schema. 7. **Roadmap & changelog**: reclassify SMS Campaigns and Route Optimization as Shipped; refresh dates. 8. **OG image fix**: rename `og-default.svg` to `og-default.jpg`, or generate a JPG. Recommend: rename references in metadata to `/og-default.svg`. 9. **Permission to apply any subset of the above** in this session? If yes, which? (Defaults below assume "yes, apply the safe ones; ask on anything that touches an invoice number.")