Practical governance for Claude Enterprise rollout.

By design, we never ask for or store your identity-provider credentials: setup is scoped, read-only, performed in your tenant, and revocable, and you keep MFA. Launchpad turns identity, data access, user training, connector approvals, and BlueSky exception routing into visible operational controls.

Security operating model

The frontend on Vercel uses only public environment variables; nothing private is shipped to the browser.
Backend deploys through AWS SAM with API Gateway, Lambda, Step Functions, SQS, DynamoDB, S3, Cognito, SES, KMS, and CloudWatch.
Private tokens are stored in AWS Secrets Manager under environment-scoped paths and read only by runtime IAM policies.
Webhook signatures, idempotency, redaction, private S3 access, tenant checks, and role checks are part of the implementation plan.
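The following is an added illustration of the operating model above, not Launchpad's own code. It shows the three pieces as a practitioner would wire them in a Lambda handler: an environment-scoped secret name and the least-privilege IAM statement that lets a runtime role read only that environment's prefix, an HMAC-SHA256 webhook signature check with a replay window, and an idempotency table keyed on the provider's event id. The path convention `/<env>/<service>/<name>`, the header names, the timestamp tolerance and the in-memory idempotency store are assumptions; in the real stack the secret would come from `GetSecretValue` and the store would be the DynamoDB table.

```python
import hashlib
import hmac
import json

# Added example, not Launchpad's own code. Assumed conventions: secrets live under
# /<env>/<service>/<name> in Secrets Manager, each runtime role may read only its
# own environment's prefix, and webhook providers sign "<timestamp>.<body>".
ENVIRONMENTS = ("dev", "staging", "prod")
SIGNATURE_TOLERANCE_SECONDS = 300


def secret_path(env, service, name):
    """Environment-scoped secret name, e.g. /prod/stripe/webhook."""
    if env not in ENVIRONMENTS:
        raise ValueError("unknown environment: %r" % env)
    return "/%s/%s/%s" % (env, service, name)


def runtime_secret_policy(region, account_id, env):
    """IAM policy for a runtime role: GetSecretValue on one environment's prefix only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "secretsmanager:GetSecretValue",
                "Resource": "arn:aws:secretsmanager:%s:%s:secret:/%s/*" % (region, account_id, env),
            }
        ],
    }


def sign_payload(secret, timestamp, body):
    """HMAC-SHA256 over '<timestamp>.<body>'; the provider computes the same value."""
    return hmac.new(secret, ("%d." % timestamp).encode() + body, hashlib.sha256).hexdigest()


def verify_signature(secret, timestamp, body, signature, now):
    """Reject stale timestamps first, then compare in constant time."""
    if abs(now - timestamp) > SIGNATURE_TOLERANCE_SECONDS:
        return False
    expected = sign_payload(secret, timestamp, body)
    return hmac.compare_digest(expected, signature)


class IdempotencyStore:
    """In-memory stand-in for a DynamoDB table keyed on the provider's event id."""

    def __init__(self):
        self._seen = set()

    def claim(self, event_id):
        """True the first time an event id is seen, False on every replay."""
        if event_id in self._seen:
            return False
        self._seen.add(event_id)
        return True


def handle_webhook(secret, headers, body, store, now):
    """Returns (HTTP status, reason). The body is not parsed until the signature passes."""
    try:
        timestamp = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return 400, "missing timestamp"
    if not verify_signature(secret, timestamp, body, headers.get("X-Signature", ""), now):
        return 401, "bad signature"
    event = json.loads(body)
    if not store.claim(event["id"]):
        return 200, "duplicate ignored"  # acknowledge so the provider stops retrying
    return 200, "processed %s" % event["type"]


if __name__ == "__main__":
    # Constructed sample: a signed event delivered twice, then a tampered copy.
    secret = b"constructed-test-secret"
    body = b'{"id": "evt_1", "type": "invoice.paid"}'
    ts = 1700000000
    headers = {"X-Timestamp": str(ts), "X-Signature": sign_payload(secret, ts, body)}
    store = IdempotencyStore()
    print(handle_webhook(secret, headers, body, store, ts + 5))
    print(handle_webhook(secret, headers, body, store, ts + 6))
    print(handle_webhook(secret, {"X-Timestamp": str(ts), "X-Signature": "0" * 64}, body, store, ts + 7))
    print(json.dumps(runtime_secret_policy("us-east-1", "123456789012", "prod"), indent=2))
```

Two design points carry over to the real stack: the duplicate path still returns 200, because providers retry on non-2xx and the goal is to suppress the second side effect, not the second delivery; and the IAM resource pattern means a staging Lambda cannot read a production Stripe secret even if its code is pointed at the wrong path.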

Tenant ownership remains with customer admins

Launchpad guides and validates Claude and IdP setup, but does not mutate unsupported admin settings through brittle automation.

Private secrets stay in AWS Secrets Manager

Stripe, Attio, SES, identity, connector OAuth, and webhook secrets are read by server-side Lambda code only.

Write actions require approval gates

MCP tools that can create, update, send, or approve anything require explicit human approval before rollout.
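An added example of such an approval gate, not Launchpad's or Anthropic's code: tools are classified as read or write by their action verb, write tools run only while a time-boxed human approval is on record, and every decision lands in an audit trail. The tool names, the verb list, the approval record shape and the TTL are assumptions for illustration.

```python
import time
from dataclasses import dataclass

# Added example, not Launchpad's own code. The verbs that mark a tool as a
# write action mirror the policy statement above; the rest is assumed.
WRITE_VERBS = ("create", "update", "send", "approve", "delete")


@dataclass(frozen=True)
class Approval:
    tool: str
    approved_by: str
    expires_at: float  # epoch seconds; approvals are time-boxed, not permanent


class ApprovalGate:
    """Runs read tools freely; write tools only with a live human approval."""

    def __init__(self, tools, approvals=()):
        self._tools = dict(tools)  # tool name -> callable
        self._approvals = {a.tool: a for a in approvals}
        self.audit = []  # (tool, outcome, approver or None)

    @staticmethod
    def is_write(tool_name):
        """A tool is a write action when its leading verb is in WRITE_VERBS."""
        return tool_name.split("_", 1)[0] in WRITE_VERBS

    def approve(self, tool_name, approver, ttl_seconds, now=None):
        """Record an explicit human approval that expires after ttl_seconds."""
        now = time.time() if now is None else now
        self._approvals[tool_name] = Approval(tool_name, approver, now + ttl_seconds)

    def invoke(self, tool_name, now=None, **kwargs):
        now = time.time() if now is None else now
        fn = self._tools.get(tool_name)
        if fn is None:
            raise KeyError(tool_name)
        approver = None
        if self.is_write(tool_name):
            approval = self._approvals.get(tool_name)
            if approval is None or approval.expires_at <= now:
                self.audit.append((tool_name, "blocked", None))
                raise PermissionError("%s needs human approval before rollout" % tool_name)
            approver = approval.approved_by
        self.audit.append((tool_name, "allowed", approver))
        return fn(**kwargs)


if __name__ == "__main__":
    # Constructed tools: a read-only listing and an outbound invite.
    gate = ApprovalGate({
        "list_users": lambda: ["alice", "bob"],
        "send_invite": lambda email: "sent:%s" % email,
    })
    print(gate.invoke("list_users"))
    try:
        gate.invoke("send_invite", email="new.hire@example.com")
    except PermissionError as exc:
        print("blocked:", exc)
    gate.approve("send_invite", approver="security-admin", ttl_seconds=3600)
    print(gate.invoke("send_invite", email="new.hire@example.com"))
    print(gate.audit)
```

The gate blocks before the tool body runs, so a write tool with no approval has no side effect at all; an expired approval behaves exactly like a missing one, which keeps the approval a rollout decision rather than a standing grant.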

Self-attested completion evidence

SSO, SCIM, connector enablement, policy acceptance, and training completion are captured as self-attested completion checks instead of tribal knowledge.

Governance packets

Customers leave with policies they can actually operate.

The goal is not a generic AI policy binder. The packet maps directly to Claude setup, connector approval, user rollout, and escalation ownership.

Claude acceptable-use policy with approved use cases, restricted data, human review, and escalation language.
Connector approval policy with OAuth scopes, data classes, read/write tiers, audit review, and emergency disablement.
Rollout governance with pilot groups, training completion, department expansion, exception ownership, and Agentic OS candidate review.
Security evidence plan for SSO, SCIM/JIT, domain verification, connector authorization, policy acknowledgment, and user training.