# CapitalGuard Delivery Checklist

This is what a buyer should receive after purchase.

- License key and activation link.
- Commercial license summary.
- Permanent license certificate.
- Fulfillment SLA.
- Secure scan intake.
- AI-agent safe-use guide.
- Policy file starter pack.
- AI-agent firewall installer.
- Dashboard access.
- Redacted findings report.
- Executive PDF export.
- Developer prevention checklist.
- Upgrade path for monitoring.

## Local Scanner Coverage

The downloadable firewall installer now checks for:

- Secret-like files and folders.
- Package registry credentials, machine credentials, service-account files, and kubeconfig material.
- Customer exports, backups, and other sensitive local data paths.
- AI-agent configuration paths such as `.cursor/`, `.claude/`, `.mcp.json`, `AGENTS.md`, and Copilot instructions.
- CI, infrastructure, Kubernetes, Helm, database, billing, auth, Docker, and deployment paths requiring human review.
- Prompt-injection indicators in repository-readable text.
- Risky shell execution, remote install pipelines, package lifecycle scripts, and broad workflow permissions.
- Missing CapitalGuard policy and local agent guardrail files.

## Professional Fulfillment Standard

Every finding must include:

- Severity
- Affected file or path
- Why it matters
- How an AI agent could expose it
- Business impact
- Safe fix
- Confidence level

Raw secret values must never be displayed in customer-facing screens or exports.

## Manual Launch Fulfillment

- Verify the Stripe payment first.
- Issue a license with the operator runbook.
- Send the buyer email draft to the purchase email.
- Store only the license-key hash in the ledger.
- Keep the plaintext key private after delivery.
