Public proof, buyer-ready routes, and honest readiness signals for HOWFAR.
Evidence-backed trust center. This page is designed so customers, partners, and reviewers can inspect what is verified now, what proof surfaces exist, and where work is still in progress.
The Trust Center is meant to make diligence faster: machine-readable endpoints, public buyer surfaces, evidence-backed claims, and explicit disclosure of what is not fully proven yet.
- Machine-readable trust routes
- Buyer and diligence links
- Known gaps called out directly
What is verified now
16/16 checks currently pass across architecture, implementation, foundation, and operations.
Health, build, readiness, status, and metrics endpoints are committed and available for monitoring and verification.
The repo includes passkey/WebAuthn support, audit-aware administration, and scripted verification gates for deployment confidence.
Status, security, compliance, pricing, support, contact, and investor-relations pages give buyers clear review surfaces.
Verified buyer reviews, seller processing/refund operations, seller listing management, and buyer-side catalog controls are now shipped and test-covered.
Direct messaging, wallet activity, notifications, and activity summary flows were revalidated in integration tests during the P0 proof-and-stability tranche.
Creator plan publishing, Stripe checkout settlement, webhook-driven entitlement activation, billing portal access, cancel-at-period-end, and refunds are now covered end to end.
Sprint 3 adds owner-managed developer apps, one-time bearer key issuance, a verification endpoint, per-key rate limiting on agent chat, and generated contract/docs alignment.
Sprint 4 adds a real article editor, private drafts, public blog delivery, scheduled publish through the existing job queue, and audit-backed cancellation instead of a separate blog-only subsystem.
Creators can load a session-backed dashboard, queue immutable snapshot refreshes, export CSV/JSON views, and inspect the raw-event TTL policy that feeds those aggregates.
Sprint 6 adds photo and video attachments to the existing post pipeline, including asset ownership checks, media-only post creation, moderation payload enrichment, and inline feed playback/rendering.
Machine-readable proof
Machine-readable category scores derived from repo evidence and verification scripts.
Summary of public proof links, buyer-ready routes, and known open gaps.
Detailed capability-by-capability reality check showing which features are LIVE, PARTIAL, or PLANNED.
Public proof artifact covering stock deduction, sold-out transitions, seller publishing guards, and oversell prevention.
Public proof artifact covering developer app registration, one-time key issuance, bearer verification, per-key limits, and docs/OpenAPI sync.
Public proof artifact covering long-form article drafts, public publishing, scheduled release, timezone capture, and audit-backed cancellation.
Public proof artifact covering dashboard availability, immutable snapshot aggregation, raw event retention bounds, and creator export surfaces.
Public proof artifact covering asset upload, media-only post creation, feed rendering, attachment quotas, and moderation-aware photo/video post delivery.
Public proof artifact covering poll attachments on posts, feed delivery of poll payloads, and server-enforced voting rules with anti-abuse constraints.
Public proof artifact covering derived reputation scoring, anti-gaming caps, safety penalties without leaking enforcement details, and profile surfaces.
Public proof artifact covering hosted events, free ticket RSVP issuance, and organizer-only check-in with server-enforced constraints.
Reports the currently serving build commit and deployment context.
Lightweight service health response with build-aware diagnostics.
Runtime dependency readiness for the app shell and core APIs.
Fast status endpoint for uptime monitors and human spot checks.
Prometheus-style operational metrics for observability tooling.
Buyer and diligence routes
Human-readable summary of verified signals, buyer routes, and known open gaps.
Operational status and incident communication surface.
Security posture, vulnerability reporting, and verification entry points.
Governance posture and how compliance claims should be evaluated.
Commercial plans with an enterprise trust path for diligence.
Sales, support, compliance, security, and investor outreach entry point.
Long-horizon platform thesis and governance posture for strategic stakeholders.
Enterprise readiness signals
Security, compliance, status, pricing, contact, and investor-relations routes are live for diligence and procurement review.
Local verification, predeploy verification, live verification, and strict proof scripts are all present in package scripts.
Public status surfaces pair with authenticated admin security and observability areas for internal operations.
Known open gaps
We do not treat “not yet proven” as “done.” These are the areas that still need more product or verification work before stronger claims would be fair.
The detailed feature matrix still includes PARTIAL and PLANNED capabilities, so the repo now tracks honest completion through a strict activation manifest instead of flipping everything to LIVE by declaration.
The k6 harness is in-repo and the Windows Docker path handling was hardened, but smoke/stress artifacts still need to be generated and published before stronger resilience claims are fair.
Marketplace and subscription critical paths are now integration-tested, but public browser E2E artifacts for seller onboarding, checkout, and self-serve billing are not yet published.
Bearer-key access is now live for approved routes, but webhook products, broader OAuth app execution flows, and SDK stubs remain future work instead of being implied as already shipped.
Automated accessibility proof now passes for the covered production routes, but manual screen-reader notes and independent audit artifacts are not yet published.
How to evaluate HOWFAR honestly
- Check the public proof routes and compare them against the routes you care about.
- Use the status, security, and compliance pages for diligence context.
- Ask for the exact critical-path proof you need instead of relying on broad slogans.