Asks

As-of: 2026-05-09. These are what the product needs from leadership to move forward. Each ask includes why it matters, what it costs, and when the decision is needed.


A-001: Convert Keeper Trial to Paid License

| Field | Detail |
|---|---|
| Ask | Approve budget for Keeper enterprise licensing and convert the trial before it expires |
| Why | The 12-day trial (provisioned 2026-04-25) is the only thing powering KSM reads in staging. When it expires, vault integration goes dark. No KSM = no credential metadata = no governance decisions. |
| Cost / Effort | Keeper enterprise pricing is not public — requires sales engagement. Estimated range: $5–15/user/month depending on tier and seat count. Need to size for pilot (10 users) vs. target (100–1,000). |
| Decision Needed By | Immediately — trial expiry is imminent |
| Status | Urgent |
| Decision Owner | CTO (budget), Ben (execution) |

A-002: Production Infrastructure Approval

| Field | Detail |
|---|---|
| Ask | Approve production App Service deployment: SKU choice, VNet + NAT Gateway, custom domain, SSL certificate |
| Why | app-passkey-prod-1353 is provisioned but not deployed. No path to production exists without infrastructure approval. Estimated run rate: ~$220–260/mo (see Cost Model). |
| Cost / Effort | ~$220–260/mo ongoing Azure costs. 20–30 engineering hours for deployment + validation. |
| Decision Needed By | Before v3 scope lock |
| Status | Open |
| Decision Owner | CTO |
| Sub-decisions | (a) App Service tier: S1 Standard vs. P1V2 Premium. S1 is minimum for custom domain + SSL. P1V2 adds VNet integration + auto-scale. (b) Custom domain: portal.pazzkey.com? (c) Postgres tier: stay Burstable B1ms or upgrade to General Purpose D2s_v3 for production SLA? |

A-003: Bot Framework Registration (M365 Admin)

| Field | Detail |
|---|---|
| Ask | Identify the M365 admin who can register the Teams bot, and get the registration completed |
| Why | notification.service.ts and Adaptive Card templates exist but the bot isn’t registered. Teams notifications are the primary user-facing delivery channel — without this, notifications are in-app only (visible only when a user is actively in the portal). |
| Cost / Effort | $0 (Bot Framework Teams channel is free tier). ~15–25 engineering hours to wire up after registration. |
| Decision Needed By | Before v3 scope lock |
| Status | Open |
| Decision Owner | CTO / M365 admin |
| Sub-decisions | (a) Who owns the bot identity in the org? (b) Does the bot need approval through an app governance process? |

A-004: Security Review Allocation

| Field | Detail |
|---|---|
| Ask | Budget X hours for a SOC 2 Type II alignment audit |
| Why | The system is designed to align with SOC 2 and HITRUST CSF (see Security Architecture), but “designed to align” is not “certified.” A formal review validates the claim and identifies gaps before they become audit findings. |
| Cost / Effort | Internal review: 40–80 engineering hours. External audit firm: $30K–80K for initial SOC 2 Type II readiness assessment. |
| Decision Needed By | Before production launch to external users |
| Status | Open |
| Decision Owner | CTO |
| Sub-decisions | (a) Internal review only, or external audit firm? (b) SOC 2 only, or HITRUST CSF as well? (c) Timeline for readiness vs. certification? |

A-005: Lock v3 Scope

| Field | Detail |
|---|---|
| Ask | Define and lock the boundary between v3 and v4 — what’s in scope for the next engineering cycle, what’s deferred |
| Why | v3 is currently a bucket of “things needed for production.” Without a locked scope, engineering effort can’t be estimated, prioritized, or committed to. The Roadmap lists 15 v3 items — not all are equal priority. |
| Cost / Effort | 2–4 hours of PO/CTO/engineering time for scope review |
| Decision Needed By | 2026-06-01 (suggested) |
| Status | Open |
| Decision Owner | CTO / PO |
| Key questions for scope lock | (a) User volume target for v3 — 10, 100, 1,000? Drives SKU sizing and Keeper licensing. (b) Is multi-tenant in scope for v3? (c) Which frontend surfaces need to be production-ready vs. admin-only? (d) SLA targets (uptime, RTO, RPO)? (e) Is discovery strategy finalization (UID-pinned) a v3 requirement or can it be deferred? |

A-006: Commit or Defer v4 (SMS Android MFA)

| Field | Detail |
|---|---|
| Ask | Decide whether v4 (SMS Android MFA) is a committed roadmap item or an indefinitely deferred concept |
| Why | v4 is currently conceptual. If committed, it affects v3 architecture decisions (e.g., designing the issuance endpoint for two-step exchange, choosing an SMS gateway). If deferred, v3 can be simpler. The engineering effort range is 70–220 hours depending on companion app vs. SMS-only. |
| Cost / Effort | Decision time: 1–2 hours. No engineering cost for the decision itself. |
| Decision Needed By | At or before v3 scope lock |
| Status | Open |
| Decision Owner | CTO |

A-007: Headcount Decision

| Field | Detail |
|---|---|
| Ask | Is a dedicated frontend or fullstack engineer needed for v3 acceleration? |
| Why | v1 was built by a single engineer (Ben). v3 has 80–125 hours of projected work. With one engineer, that’s 2–3 months of focused effort. A second engineer could parallelize frontend test coverage, Teams integration, and production deployment while Ben handles vault integration and governance hardening. |
| Cost / Effort | One FTE or contractor, 2–3 months |
| Decision Needed By | At v3 scope lock |
| Status | Open |
| Decision Owner | CTO |

Open Questions for Ben

These are items identified during site content drafting that need Ben’s input:

  1. Keeper trial expiry date: Exact day? The manifest says provisioning was 2026-04-25 with a 12-day trial — that puts expiry around 2026-05-07. Is the trial still active or already expired?

  2. KSM Application status: Has the IP lock been unchecked? Have folders been granted to the KSM Application?

  3. Commander version: What version of keepercommander is installed in the staging environment? Is it pinned?

  4. Staging validation status: Has anyone run a manual end-to-end flow (request → approve → issue → retrieve → release) on staging with KSM reads active?

  5. v3 engineering timeline: When does v3 engineering start? Is there a sprint or cycle boundary this aligns to?

  6. Entra app registration for prod: Does a separate Entra app registration exist for production, or does production share the staging registration?

  7. Cost model verification: The Azure pricing figures in the Cost Model need verification against current Azure pricing pages. Can Ben confirm or update?