Trust starts at the audit log.

Audit-trail coverage is being expanded mutation-by-mutation. The WSLCB-relevant events you’d expect to see — age-verification attempts, dob mismatches, manager overrides, role changes, voids — write to the audit log today. Full coverage of every server action is on the roadmap, disclosed honestly.

• Server-side actions call writeAudit() before revalidatePath() — pattern, not a guarantee on every mutation yet
• Existing audit rows include actor (user_id), action (verb), entity (table + row), and request context
• Manager, admin, and bookkeeper each get scoped read access to the audit surface
• Real-time SMS escalation for critical events (sale-to-minor block, large void) is in design — today these surface in the alerts inbox + manager-on-duty digest

RBAC checks live in src/lib/roles.ts — every access decision flows through one of nine canonical helpers, not ad-hoc string compares scattered across the codebase.

• Nine roles: admin · general manager · manager · inventory manager · purchasing · lead · budtender · bookkeeper · vendor
• Helpers: isAdmin / isManagerPlus / canSeeStoreProfit / canSeeProductCost / roleRank — never compare role strings directly
• Role embedded in HMAC-signed session cookie (12-hour TTL); rotation = next login
• Cross-store SSO uses ranked-role HMAC warp tokens that refuse name-fallback escalations

Washington WAC 314-55 family is mapped feature-by-feature. The platform refuses to do certain things — sale to minors, sale during prohibited hours — at the code level, not as a policy.

• WAC 314-55-079 (retailer privileges) — excise math, lab-test 5% passthrough, age 21+ enforced at scan time
• WAC 314-55-082 (security) — surveillance retention, alarm requirements surfaced as enforced gates
• WAC 314-55-095 (records) — transactions retained 3 years, video 30+ days, employee records 24 months
• WAC 314-55-155 (advertising) — no efficacy or medical-advice claims pass through without manager-PIN override + reason

Each store gets its own Postgres database. Cross-store reads are explicit and auditable, not implicit and silent.

• Per-store Neon Postgres — Wenatchee and Seattle have separate, isolated DBs even today
• Database snapshots backed up nightly with point-in-time recovery up to 7 days
• Customer can request a full SQL export at any time — operator owns their data, no exit penalty
• TLS in transit, AES-256 at rest, secrets via Vercel encrypted env vars — never committed

Some features ship with their implementation details deliberately held back on the public site. The demo discloses everything; the page-print-protection is a wedge.

• Crown-jewel features marked PROPRIETARY with a black-bar visual treatment + 'proprietary technology' caption
• Patent strategy in development with experienced cannabis IP counsel
• Customers under a signed NDA see the full implementation on the demo call
• Proprietary posture is an honesty signal, not obfuscation — the matrix stays mostly ✓/✗

Operator-direct communication is the policy. Manually-curated status page is live; automated probes are next on the roadmap.

• Direct SMS + email to admin contacts when the platform detects a critical-path issue
• Postmortem written for any incident affecting POS, payroll, or compliance — shared with affected operators
• No 'no comment' policy — if your data was touched, you hear it from us before you read about it elsewhere
• Status page lives at /status — manually curated today, automated probes shipping next