Public notice / live development checklist

Compliance & Trust Notice

This page is the public map of the controls Yawn Company is building into Nestheads Homebase. It is not a legal certification or legal advice; it is the live checklist that keeps terms, privacy, child-safety, AI, audit trails, accessibility, security, and copyright obligations visible while the codebase develops.

yawn-company-compliance-live-checklist-v1
Public noticeLive

The compact shared footer links Terms, Privacy, and the full Compliance checklist for child-safety, AI, audit, accessibility, security, and copyright notices.

Mutation boundaryDave-gated

Paid AI, embeddings, database mutation, GitHub mutation, publishing, external email, and real yawn.ai execution require approval.

Audit loopInput -> output -> proof

Every core yawn change keeps coordinates, lacuna, axis, transformation, proof, risk, changed files, and review state visible.

Child-facing entryParent/adult gated

Public yawn.bot play stays text-first and kid-safe; saved child profiles, uploads, and custom generation stay gated.

Expected data categories

What the audit trail may hold

  • Account email, username, role, and auth/session state.
  • Yawn content: prompts, axes, lacunas, proof, approvals, feedback, and world coordinates.
  • Uploaded references or media metadata when Dave explicitly invokes media intake.
  • Local telemetry signals that become owner-gated improvement candidates, not silent public profiling.
  • AI traces when used: prompt, model/version, source references, output, selection, rejection, proof, and final action.

Checklist section

Terms and operating boundaries

Yawn Company is currently an owner-operated, approval-gated creative system. Public entry points explain that account creation, paid compute, publishing, external execution, and destructive changes are not automatic.

Footer links include Terms from public, auth, and logged-in chrome.The shared compliance footer links to /compliance#terms and is mounted on /, /login, /sign-up, /dave, and /dave/{slug} shells.Implemented
Owner approval gates every costly or external mutation.AGENTS.md, project brain, V1 checklist, and app copy all preserve Dave approval before paid AI, embeddings, Supabase/database mutation, GitHub mutation, publishing, external email, or real yawn.ai execution.Implemented
Sign-up is an intake, not instant public provisioning.The sign-up surface records an invitation intake with age and operating-agreement checkboxes; real provisioning remains owner-approved.Implemented

Checklist section

Privacy notice and data-minimization loop

The system should tell users what is collected at or before collection, why it is used, and how the data supports the yawn proof trail. The live checklist keeps that notice tied to implementation work.

Notice appears before account, upload, memory, or telemetry collection expands.The footer links Privacy from every primary surface; future collection points must deep-link to this section before collecting new categories.Implemented
Tracked categories stay explicit.The page names account email, auth/session data, yawn content, uploaded references, local telemetry signals, generation/proof traces, and approval receipts as the expected data categories.Implemented
Data handling follows minimize, protect, dispose, and incident-response discipline.Security checklist items require knowing stored personal information, keeping only what is needed, protecting it, disposing of what is no longer needed, and keeping incident response visible.In progress

Checklist section

Children's privacy and parent gates

The first yawn.bot experience is child-friendly, but persistent child accounts, saved profiles, personal uploads, or paid custom character generation require parent/adult gating before launch.

Public yawn.bot entry is short, concrete, non-pressuring, and text-first.The index world asks what the player is curious about today, creates only a local text Seed Yawn, and exposes Question, Example, and Proof doors before any account or compute step.Implemented
Child profiles, saved uploads, and persistent memory are parent-gated.The checklist treats child persistence as approval-required and blocks public child profiles or private memory by default.Approval required
Custom character generation is adult/payment gated.The yawn.bot intro exposes paid-compute generation as adult approval required and keeps the default character path free.Implemented

Checklist section

AI use, claims, and audit notice

AI may help map lacunas, draft options, generate art, and evaluate proof, but the system must disclose that AI assistance is bounded by human approval, test evidence, and audit records.

AI suggestions cannot silently execute risky changes.The cost/mutation boundary blocks paid AI, real yawn.ai execution, publishing, embeddings, GitHub mutation, database mutation, and email sending until Dave approves.Implemented
Product and AI claims require evidence before public launch.Public/Brody-facing copy is constrained to proof-backed iteration; AI-generated legal, safety, education, or performance claims remain review-gated.In progress
AI work keeps prompt, model, source, output, feedback, proof, and approval traces.Art Engine and yawn work-order contracts require prompt, model/version, source references, output, selection, rejection, proof, and final action fields.In progress

Checklist section

Audit trails and proof receipts

The codebase treats compliance as a live proof loop: every important transformation should preserve what changed, why, who approved it, what proof was run, and what remains risky.

Codex handoffs preserve target, axis, transformation, lacuna, object yawn, recipient yawn, requested change, tests, proof, files, risk, and review state.AGENTS.md requires these fields in every Codex handoff, and the compliance page exposes the requirement publicly.Implemented
YAWNS/ stays the source of truth for feedback drafts, work orders, lacunas, and proof receipts.The closure loop blocks conversion of Target Inspector feedback into work orders unless Dave approval metadata exists.Implemented
The V1 checklist remains aligned with the public compliance route.src/domain/v1-checklist.ts now includes the public compliance notice and footer proof item.Implemented

Checklist section

Security and access boundaries

Security work is treated as a launch blocker rather than a finishing touch. Secrets, auth, storage, mutations, and destructive actions must stay gated and inspectable.

Private Dave state requires authenticated access.Dave routes use the shared logged-in app chrome; public guide yawns are summary-only and hide owner telemetry/schedule controls.Implemented
Known security blockers stay visible until launch.Project brain and V1 checklist keep exposed legacy key rotation and Supabase SECURITY DEFINER cleanup as launch blockers.In progress
Destructive actions require exact confirmation and server-side validation.Settings tests cover Delete All Yawns preview/protection, selected-ID validation, cross-owner rejection, and confirmed DELETE.Implemented

Checklist section

Accessibility and verification

Nestheads should target WCAG 2.2 AA patterns where practical: semantic controls, visible focus, keyboard paths, readable text, sufficient contrast, and route-level browser proof.

Use WCAG 2.2 as the accessibility reference.The compliance page links the W3C WCAG overview and the codebase keeps accessibility as a V1 public guide yawn.Implemented
Compliance footer uses semantic footer/nav/link structure.The shared footer exposes aria labels, stable hrefs, and data attributes for browser proof.Implemented
Route runtime errors and console errors fail UI proof.AGENTS.md verification protocol requires route overlays and console errors to fail browser verification.Implemented
Loading Nestheads