Honest inventory of every BatonIQ capability. Use this as the internal truth surface before any pilot conversation. Anything marked Mocked or Partial is not production behaviour today.
Using NEXT_PUBLIC_CURRENT_USER_ID stub (a6c931c6…).
Mocked: No real login; single hard-coded reviewer.
Next: Wire Supabase Auth / Clerk / Auth.js. The boundary already lives in lib/auth/current_user.ts.
POST /api/inbound-email is live; Postmark inbound traffic flows end-to-end.
OAuth code path implemented. Awaiting GMAIL_OAUTH_CLIENT_ID / GMAIL_OAUTH_CLIENT_SECRET / NEXT_PUBLIC_APP_URL env vars.
Mocked: IntegrationCredentialsStore is the v1 stub — token persistence is no-op.
Next: Set OAuth env vars per docs/integrations/gmail-oauth-setup.md.
Webhook handler for /api/inbound-email/gmail/push not yet implemented.
Next: After credential storage lands: create Pub/Sub topic + subscription, register watch on the connected mailbox.
No adapter yet. Provider-agnostic IntakeEvent shape means a new adapter is one file.
Anthropic API. 17 task types; NEVER_AUTO_PROCESS hard-coded; confidence-gated Tier 1 + workflow subtype + missing-info extraction.
7 subtypes: money_movement, tax_document_request, beneficiary_maintenance, account_maintenance, administrative_request, new_client_onboarding, acat_transfer_onboarding.
5 rule packs (ACAT/Schwab, money_movement/Schwab, beneficiary/Schwab, account/Schwab, new-client/Schwab). Adding a new (workflow, custodian) pair is a data file.
Mocked: Custodian execution is NOT performed — the package is for human countersignature.
Fixture-driven mock with 4 demo scenarios (matched / multiple / stale / no_match).
Mocked: No live OAuth, no live REST calls, no real contact data.
Next: Wire live OAuth + REST against the unified credential store.
Adapters not yet built. Provider-agnostic CRMProvider interface means each is one file.
Note body format is final (Case ID, Workflow, Verification, Status, Summary, etc.). Mock provider returns a synthetic external_id + permalink.
Postgres triggers (audit_logs_no_update / audit_logs_no_delete) prevent UPDATE / DELETE. Append-only.
Three actions (Approve / Return / Escalate). Audit-first ordering: insert audit row → update task. Typed Case-ID confirmation on Approve.
Document-like view at /app/case/[taskId] with Approval Summary, Inbound Request, Workflow, Classification, Identity, Verification, Attestation History, CRM Write-Back, Audit Chain. Print stylesheet supported.
GET /api/exports/sec-204-2 returns JSON or CSV with SHA-256 tamper-evidence hash. Anchored on stable schema_version.
Phase D4 read-then-write key in metadata. Phase E5 migration 008 adds top-level event_key column + partial unique index for race-safe uniqueness.
Mocked: Migration 008 must be applied manually in the Supabase SQL Editor.
Next: After migration runs, follow-up commit will flip writers to populate the column AND treat 23505 unique_violation as success.
Unified provider-agnostic interface implemented. v1 stub returns null on every read.
Next: Implement encrypted Supabase store (pgsodium) or AWS Secrets Manager backend.
62 emails, 62 tasks, 770 audit_logs across all firms.