{"name":"The Leo King Business Intelligence API Conformance","version":"v1","status":"public-contract","contractVersion":"2026-07-07.enterprise-trust-console-audit-webhook-versioning-limits-examples-support-procurement-conformance-data-processing-launch-readiness-access-control-compliance-map-ai-governance-v1","lastReviewedAt":"2026-07-07","policy":{"status":"live","cadence":["Before push or deploy that changes API contracts, docs, SDKs, auth, billing, or AI generation behavior.","After production deploys that affect gateway routing, public metadata, OpenAPI, SDKs, usage logging, or paid route behavior.","Before enterprise demos, procurement review, package publication, custom limits, or signed customer launch."],"requiredBefore":["publishing SDK packages","approving enterprise procurement packets","raising rate limits","launching a signed partner integration","declaring AI generation logic healthy after deploy"],"launchGates":["Production env guard prints READY FOR PUSH/DEPLOY for the target environment.","Public metadata routes, OpenAPI, Postman, docs, llms files, sitemap, and robots discovery all agree.","SDK source, generated dist, README snippets, and public endpoint catalog stay in sync.","Dedicated gateway smoke passes against https://api.theleokingai.com.","Buyer-path smoke proves a paid route writes usage ledger evidence for the exact request_id.","Fresh AI outputs created after deploy satisfy required sections, depth, metadata, and no fallback-looking copy."],"partnerGuidance":["Run public metadata checks without an API key before generating clients.","Run one no-AI Core Compute request before wiring paid AI routes.","Preserve Idempotency-Key across retries and keep request_id for support.","Treat 429, 409, 502, and 503 according to /api/v1/errors rather than blind retry loops.","Do not publish AI output when required sections, metadata, or quality gates are missing."],"evidenceRetention":"Keep smoke outputs, request_id, endpoint, UTC timestamp, key prefix only, commit SHA, deployment URL, and sanitized payload shape for support and procurement review."},"checks":[{"id":"local-contract-suite","suite":"Local Contract Suite","status":"live","owner":"platform","target":"Source, route handlers, OpenAPI, docs, SDK helpers, robots, sitemap, and gateway config.","command":"npm run test -- --run tests/api-v1.test.ts tests/api-reference-docs.test.ts tests/robots.test.ts tests/api-gateway-config.test.ts tests/sdk-contract.test.ts","proves":"Public API metadata, docs discovery, gateway rewrites, and SDK helpers agree before deploy.","passCriteria":["All focused API-platform tests pass.","OpenAPI exposes public metadata routes without API-key auth.","Docs, sitemap, robots, SDK source, and README helper lists include the same public metadata surfaces."],"evidenceArtifacts":["Vitest focused suite output","changed file diff","OpenAPI route assertions"],"failureEscalation":"Fix contract drift before build, push, or deploy."},{"id":"sdk-source-and-dist","suite":"SDK Source And Dist","status":"live","owner":"platform","target":"Node TypeScript source/dist and Python source package.","command":"npm --prefix sdk/node run build && python -m compileall sdk\\python\\theleoking_ai_api","proves":"SDK public metadata helpers, authenticated route helpers, webhook helpers, and generated Node dist compile.","passCriteria":["Node TypeScript build emits dist/index.js and dist/index.d.ts.","Python package compiles with no syntax errors.","Generated Python __pycache__ is removed before handoff."],"evidenceArtifacts":["Node SDK build output","Python compileall output","SDK contract test output"],"failureEscalation":"Block package publication and generated-client work until source and dist match."},{"id":"production-build-suite","suite":"Production Build","status":"live","owner":"platform","target":"Next.js app routes, static API metadata, docs page, and TypeScript.","command":"npm run build","proves":"The app compiles, route handlers type-check, and static public metadata routes are generated.","passCriteria":["Next build completes successfully.","Static metadata routes include /api/v1/status, /api/v1/openapi, /api/v1/procurement, and /api/v1/conformance.","No route handler or docs TypeScript errors are present."],"evidenceArtifacts":["Next build output","route list","TypeScript output"],"failureEscalation":"Do not push deploy-bound changes until build passes."},{"id":"production-env-gate","suite":"Production Env Gate","status":"live","owner":"platform","target":"Vercel production env names, Clerk Convex JWT template, and deploy preconditions.","command":"npm run prod:env:production","proves":"Required production env surfaces exist before push/deploy and Clerk JWT template is configured.","passCriteria":["Vercel production check prints READY FOR PUSH/DEPLOY.","Clerk prod check prints READY FOR PUSH/DEPLOY.","Sensitive values are presence-checked without printing raw secrets."],"evidenceArtifacts":["env guard timestamp","masked checklist","Clerk template check output"],"failureEscalation":"Output BLOCKED: ENV NOT READY and stop before push or deploy."},{"id":"dedicated-gateway-smoke","suite":"Dedicated Gateway Smoke","status":"live","owner":"platform","target":"https://api.theleokingai.com public gateway routing and discovery metadata.","command":"npm run smoke:api-gateway -- --mode final","proves":"Dedicated gateway DNS, root JSON, OpenAPI, Postman, status, and docs discovery work in production.","passCriteria":["Gateway root returns the API index.","OpenAPI and Postman routes resolve through clean gateway paths.","Public metadata routes return current contractVersion."],"evidenceArtifacts":["inference-smoke/api-gateway-smoke.json","HTTP status codes","contractVersion"],"failureEscalation":"Treat as production routing regression and publish incident if partner-impacting."},{"id":"buyer-path-usage-smoke","suite":"Buyer Path Usage Smoke","status":"beta","owner":"shared","target":"Paid route response envelope, credit accounting, and Convex usageEvents reconciliation.","command":"npm run smoke:buyer-path -- --base-url https://api.theleokingai.com --output inference-smoke/buyer-path-gateway-core-YYYYMMDD.json","proves":"A scoped key can call a paid route and the exact request_id appears in the usage ledger.","passCriteria":["Response includes request_id, data, usage, and meta.","Usage lane, credits, billable units, and model metadata match route expectations.","Convex usageEvents contains the exact request_id before enterprise demo or launch."],"evidenceArtifacts":["buyer-path smoke JSON","request_id","Convex usageEvents proof"],"failureEscalation":"Block enterprise demo or launch until response usage and ledger proof agree."},{"id":"ai-output-quality-sampling","suite":"AI Output Quality Sampling","status":"beta","owner":"shared","target":"Fresh production AI outputs after generation, prompt, model, RAG, or provider changes.","command":"Inspect 1-3 fresh live outputs created after the deploy timestamp.","proves":"AI value quality is preserved, not merely that status codes and pipelines succeeded.","passCriteria":["Required sections are present for the selected product contract.","Metadata, model/provider trace, depth, and forward-looking analysis are present where promised.","No placeholder, generic fallback, local path leak, malformed schema, or thin copy is published."],"evidenceArtifacts":["request_id list","output timestamps","quality notes","incident link if failed"],"failureEscalation":"Classify fallback-looking output as product regression before adjacent improvements."}],"productionChecklist":["Production env gate prints READY FOR PUSH/DEPLOY for the target environment.","Dedicated gateway smoke passes in final mode on api.theleokingai.com.","Buyer-path smoke passes against the dedicated gateway with Convex proof enabled.","Core endpoints return no token usage and AI endpoints return model/token visibility.","Fresh AI outputs satisfy product quality requirements after the deploy timestamp.","Support packet includes request_id, endpoint, key prefix only, UTC timestamp, and sanitized payload shape.","Access-control review confirms server-side key custody, endpoint scope, environment separation, rotation triggers, and no public-client key exposure.","Compliance mapping review confirms public evidence links, framework-style mapping, no certification overclaim, and signed-term boundaries.","AI governance review confirms acceptable-use boundaries, prohibited/restricted use cases, human-review requirements, and no fallback-success behavior.","Conformance evidence includes local contract tests, SDK build, app build, env gate, gateway smoke, buyer-path proof, and AI output sampling when relevant.","Data-processing review confirms minimization, restricted-data boundaries, retention policy, subprocessor scope, and signed-DPA requirements.","Launch-readiness handoff includes smoke evidence, partner integration matrix, billing proof, AI quality evidence, and rollback plan."],"links":{"docs":"/api-docs","openapi":"/api/v1/openapi","status":"/api/v1/status","accessControl":"/api/v1/access-control","observability":"/api/v1/observability","onboarding":"/api/v1/onboarding","examples":"/api/v1/examples","errors":"/api/v1/errors","sdks":"/api/v1/sdks","migrations":"/api/v1/migrations","procurement":"/api/v1/procurement","dataProcessing":"/api/v1/data-processing","compliance":"/api/v1/compliance","support":"/api/v1/support"}}