Capabilities matrix

What ships today, what ships next, what we won't build.

Every capability resolves to a single canonical row. Status pills follow Stripe API rigor: Production rows carry evidence references; Roadmap rows carry target quarters; Not-Planned rows are intentional exclusions. Drift between this page and the underlying claim registry is mechanically impossible — registry entries reference capabilityId.

Last updated: 2026-04-26 · Schema version 1

Back to home

ICP filter: all rows render across both buyer views — direct merchant and partner / VAR. Per BPG audit, splitting truth per visitor inverts ledger semantics. The matrix is one canonical source; what changes between views is which rows default-expand, not which rows exist.

Production

Shipping today with evidence references. Every row carries a feature-package, audit-log entry, gotcha section, or external-doc reference verifiable by any reader.

Four-layer tenant isolation (incl. PostgreSQL RLS)

CAP-tenant-isolation-rls · owner: gotcha-20

Production

EF Core query filter + per-request tenant-scoped session variable + database-command verification interceptor + PostgreSQL Row-Level Security policies on every tenant-scoped table. Migration 20260426220000_AddPostgresRlsPolicies. See gotcha §20 for the four-layer defense + IPlatformAdminQueryScope break-glass pattern.

Evidence

gotcha-section: docs/engineering/gotchas.md#20 — Four-layer tenant isolation including PostgreSQL Row-Level Security with FORCE ROW LEVEL SECURITY + 104 entities scanned by guard_rls_policies.py

Claims: CLAIM-data-isolation-rls, CLAIM-postgresql-rls

Pricing governance engine — guardrails, approval chains, override audit

CAP-pricing-governance-engine · owner: FEAT-152

Production

Margin floors enforced on every quote; overrides routed through approval chains; every override captured with reason code, approver, dollar impact. Backed by FEAT-152 hash-chained audit trail.

Evidence

feat-package: docs/plans/90-completed/22-FEAT-152-commercial-truth-billing-governance — FEAT-152 shipped pricing governance + hash-chained audit trail with three-layer IAppendOnly defense.

Claims: CLAIM-pricing-guardrails, CLAIM-quote-approvals, CLAIM-profit-protection-engine

Hash-chained pricing audit trail (SHA-256 sealed)

CAP-hash-chained-audit-trail · owner: FEAT-152

Production

Every governance event hash-chained per FEAT-152. Tamper-evident, not "immutable" — we detect tampering, we do not claim cryptographic immutability (CT §3.6).

Evidence

feat-package: docs/plans/90-completed/22-FEAT-152-commercial-truth-billing-governance — BillingGovernanceHeader with three-layer IAppendOnly defense (interceptor + trigger + REVOKE) per gotcha §14.

Claims: CLAIM-audit-trail

QuickBooks Online bidirectional sync

CAP-quickbooks-integration · owner: FEAT-146

Production

Production-ready bidirectional sync — orders, customers, invoices reconcile without re-keying. Active VoltEdge Supply tenant integration.

Evidence

feat-package: docs/plans/90-completed/24-FEAT-146-quickbooks-price-drift-detection-and-erp-pricing-reconciliation — FEAT-146 ships QuickBooks bidirectional sync + price-drift detection.

Claims: CLAIM-quickbooks-integration

Role-based access control — five tiers + MFA step-up

CAP-rbac-five-tier · owner: FEAT-130

Production

Customer / Fulfillment Coordinator / Sales Rep / Sales Manager / Admin (Super Admin reserved for platform). MFA step-up gates privileged operations.

Evidence

gotcha-section: docs/engineering/gotchas.md#13 — JWT ClaimTypes mapping discipline + BaseController helpers — every claim read uses ClaimTypes.* constants.

Claims: CLAIM-rbac-five-level, CLAIM-mfa-auth, CLAIM-oauth2-oidc-auth

White-label tenant deployment (custom domains, branding, terminology)

CAP-white-label-tenant · owner: FEAT-085

Production

Custom domains, theming, content authoring, seeded provisioning. VoltEdge Supply launch tenant proves the path; additional tenants onboarding through 2026.

Evidence

external-doc: voltedgesupply.com — VoltEdge Supply launch tenant in production today.

Claims: CLAIM-white-label, CLAIM-platform-ready

WorkOS SSO + SCIM federation

CAP-workos-sso-scim · owner: FEAT-127

Production

Enterprise IdP support (Okta, Azure AD, Google Workspace) with tenant self-service configuration. Activated at Enterprise tier.

Evidence

feat-package: docs/plans/90-completed/16-FEAT-127-workos-sso-scim — WorkOS SSO/SCIM rollout hardening shipped.

Claims: CLAIM-sso-scim-workos

Limited GA

Shipped to a controlled subset (e.g., one tenant). Qualifier required on every render site — the row notes disclose the limitation explicitly.

AES-256 encryption at rest

CAP-aes256-encryption-at-rest · owner: FEAT-163

Limited GA

Today: Azure Database TDE with Microsoft-managed keys. Tier 3 customer-managed keys (BYOK) on roadmap (FEAT-163). See claim CLAIM-aes256-at-rest qualifier for present-vs-roadmap split.

Evidence

feat-package: docs/plans/02-p1-foundational-enablers/02-FEAT-163-tier3-customer-managed-keys-byok — Tier 1 (Microsoft-managed) shipping today; Tier 3 BYOK platform implementation roadmapped with 18 deliverables.

Claims: CLAIM-aes256-at-rest

In Development

Active build; not yet shipping at full scope. Status notes capture the implementation gate.

PunchOut / cXML procurement integration

CAP-punchout-cxml · owner: FEAT-136

In Development

Middleware-first architecture with TradeCentric (primary) + Greenwing (fallback). Enterprise tier only. Implementation complete; rollout blocked on middleware contracting + legal prerequisites.

Living Ledger — public hash-chain proof surface

CAP-living-ledger · owner: FEAT-167

In Development

Public /ledger surface with three platform-intrinsic counters (governance seals, verifications served, platform uptime). KPI contract first, UI second. See FEAT-??? Row 15 implementation.

Trust Posture API + co-branded verify URL

CAP-trust-posture-api · owner: FEAT-168

In Development

Five signed JSON signals (audit-chain checksum, claim-registry root hash, RLS policy coverage, last security review, IAppendOnly enforcement coverage). Co-branded verify.partner-domain.com proxy. Trust Footprint Score formula gated behind 60-day VoltEdge pilot validation per business-shark audit.

Roadmap

Committed but not started. Each row carries a target quarter — quarters can slip, but the commitment is on record.

Tier 3 Customer-Managed Keys (BYOK) — encryption at rest

CAP-tier3-byok-encryption · owner: FEAT-163

Roadmap · Q3 2026

VendorX-generated RSA-3072 in Azure Key Vault, paired-region failover, automatic 730-day rotation, soft-delete + purge protection, offline cold-storage backup. 18 platform deliverables per FEAT-163 README.

SOC 2 Type I certification

CAP-soc2-type-i · owner: FEAT-???-soc2

Roadmap · Q3 2026

Month 5–6 target. SOC 2 Type II is a separate later milestone, not present-tense.

Co-Signed Proof Pack — partner + VendorX dual signature

CAP-co-signed-proof-pack · owner: FEAT-169

Roadmap · Q3 2026

Process-attestation language (DigiCert CA pattern) + W3C VC Status List 2021 revocation registry + CAIQ v4 JSON output. PDF + JSON-LD machine-readable companion.

Named technical advisor (public bio + LinkedIn)

CAP-named-technical-advisor · owner: CLAIM-business-continuity-escrow

Roadmap · Q2 2026

Selection criteria: prior operator credential at $50M+ electrical distributor OR engineering tenure at Epicor/Eclipse/Prophet 21. Q2–Q3 2026 close.

Claims: CLAIM-business-continuity-escrow

Not Planned

Intentional exclusions. Listing them publicly closes the "but does VendorX support X?" loop without forcing a sales call.

Per-tenant HYOK (Hold-Your-Own-Key)

CAP-tier4-hyok · owner: TBD

Not Planned

Salesforce Shield-grade per-tenant master key. Architectural change ~20–40 PD. Triggered only by $5M+ ARR enterprise demand; new feature package opens at that point.

How this page is governed

Single source of truth: apps/web/app/_features/capabilities/manifest/capabilities.manifest.ts.
Evidence guard: scripts/ci/guard_capability_evidence.py fails the build if any Production / Limited-GA row lacks at least one evidence reference.
Claim-registry projection: every claim in claim-registry.ts that references a capability traces back here via capabilityId.
Status changes are governance events: every transition writes to the platform audit log via the CapabilityStatusEvent IAppendOnly entity (FEAT-???; mirrors FEAT-152 + RLS Layer 4 + IAppendOnly three-layer defense per gotcha §14).

What ships today, what ships next, what we won't build.

Last updated: 2026-04-26 · Schema version 1

Back to home

How this page is governed

Single source of truth: apps/web/app/_features/capabilities/manifest/capabilities.manifest.ts.

Evidence guard: scripts/ci/guard_capability_evidence.py fails the build if any Production / Limited-GA row lacks at least one evidence reference.

Claim-registry projection: every claim in claim-registry.ts that references a capability traces back here via capabilityId.

Status changes are governance events: every transition writes to the platform audit log via the CapabilityStatusEvent IAppendOnly entity (FEAT-???; mirrors FEAT-152 + RLS Layer 4 + IAppendOnly three-layer defense per gotcha §14).