GTM · federation · DevOps readiness

• The Freetown origin myth. Founding moment is the John Hardin / Olympic Committee story plus the founder departure from UK corporate life. That story only works if there is a concrete place and time it crystallised. December 2026, Sierra Leone, fight night. Slip the date and the story becomes "we launched, eventually" — a normal SaaS launch, not a cultural one.
• The 5,000-cap prestige. The cap is the product. 4,999 is mystique, 5,001 breaks the promise of the VC ("Number #0247 of 5,000"). The Founder Gold trait and F-XXXX numbering only carry social weight because of scarcity at a marked moment.
• Pepsi co-launch optics. If Pepsi puts logo on this, they need a tidy press shot — a packed venue, the credential being claimed live, a hero quote. They will not turn up to a soft Q1 rollout.
• OG vs Founder distinction. Only meaningful if both cohorts are delivered at a marked moment. If OG drops in October and Founder drips through Q1, the two-tier story collapses into "everyone is just a user".

The advertised fallback — "December 2026 OR 5,000 issued, whichever first" — is not actually graceful. A slow-trickle 5,000 over six months is not the same product as 5,000 in one evening. The trickle path delivers the credential without the cultural moment, which is the only thing that makes the credential worth having. Internal language should be "December fight night, no fallback" — and if 5,000 sells out before fight night the answer is to raise the cap, not close the cohort early.

• 1900–2100 local. Doors open, gentle trickle. 200–400 signups across two hours. Sub-1 req/s steady.
• 2100–2300 local. Undercards, main fight, atmosphere peaks. Conservatively 2,000–2,500 signups in 90 minutes. Peak surge plausibly 30–50 req/s for short bursts (after a knockout, when the host calls it from the ring, when someone shows the QR on screen).
• 2300–0100 local. Closing, ride home, second wave. Another 1,000–1,500. Less peaky, more sustained.
• Dec 27 onwards. Diaspora wave once the press story breaks in the UK and US. The dangerous tail — strangers from outside the venue, unpredictable timezones, abuse traffic mixed in.

Steady-state averages out at ~0.23 req/s — nothing — but the in-venue peaks matter. Each signup is 30–50 Supabase round-trips. At a peak of 40 req/s × 40 round-trips that is ~1,600 queries/sec into Postgres for short windows. Default Supabase connection pool sizing absolutely does not survive that without preparation.

The team has not load-tested. There is no k6 or artillery harness in the repo. There are no synthetic 5k runs against a staging Supabase. This is the largest single unknown going into the launch.

• How many Clubhouse users are eligible? 800? 8,000? Changes whether OG is meaningful scarcity (small) or a participation badge (large). Worth deciding deliberately.
• What is the cutoff date? Signed up before fight-night announcement? Before public reveal of SHOTid? Pick a date and lock it.
• Email shape. PIN-only Sport Heads use a synthetic email. Do OG users get migrated with their real Clubhouse email so they can recover, or do they get a synthetic and have to re-verify? Real email is the right answer but requires consent.
• Collision with founder cohort. What happens to a Clubhouse user who also turns up in Freetown? Two badges? OG wins? Founder wins? Best answer: both — Silver background plus Founder Gold trait. Worst answer: race condition where whichever flow runs second silently overwrites the first.

The red-team report flags detection probability for an in-progress attack as effectively zero. If any of the above happens during the press window, the team finds out from a journalist.

1. A load test that proves 5,000 signups in 90 minutes against staging Supabase. k6 or artillery, written this quarter, run monthly until launch. Without this number the launch is gambling.
2. The OG migration SQL written, reviewed, dry-run against a copy of prod, and rehearsed. Numbering must be deterministic and gapless. The cutover must be reversible.
3. Minimum viable observability — Sentry on the frontend and workers, structured logs to Axiom, an uptime check on auth.users INSERT, a public status page. So when something fires, the team hears about it from a dashboard, not from Twitter.

• White-labelled portal plus member credential. Federation gets a themed view on a vanity domain (sportsl.com for SLFA, westafricaboxing.com for WAB), members get a VC stamped "WAB Member, Cohort 2026, Issued by SHOT". Federation owns the relationship in the eyes of the member.
• Member directory access. Federation reads public_profiles to see who in their region is a Sport Head. Useful for events, awards, marketing.
• Cross-federation recognition. A SLFA member's VC is verifiable by WAB out of the box. Enables transfers, cross-promotion, multi-sport athletes carrying credentials between bodies.
• Brand halo. Federation gets associated with the Sport Head cultural noun. For under-funded federations in emerging markets this is real value — they get to ride a brand they could not build themselves.

Per ADR-0005 and ADR-0006 the federation is not privileged at the protocol layer — they consume the same OIDC issuer Clubhouse eventually will. So the technical value is shallow. Real value is brand + portal + the operational lift of not having to build their own identity stack.

Tidy up: the SLFA seed row inconsistency before any external party sees it. The schema currently has SLFA stamped as a Boxing federation on the WAB vanity domain — a copy-paste error from the seed migration. Trivial to fix, embarrassing if a federation lawyer notices it during pilot.

• Per-federation flat licence (£20k–£100k/yr). Covers portal build, theme, ongoing maintenance, SLA. Right shape for pilot — SLFA and WAB pay a number that justifies the eng work, no per-member accounting needed early.
• Per active member (£0.50–£2/MAU). Right shape at scale once federations have 10k+ active members. Wrong for pilot — neither has enough activated members yet, and counting MAU well requires telemetry we do not have.
• Per VC issued (£0.10–£1/VC). Right shape for premium drops — partner collabs, championship participation credentials, limited cohorts. Margin-positive if VC has perceived value. Wrong for ordinary membership.
• Revenue share on partner drops. Where the upside is. Pepsi tournament drop, KSI collab, sponsor-specific cohorts. Federation gets a cut for delivering audience, SHOT gets a cut for delivering credential layer.
• Freemium pilot federation. Useful as customer acquisition — let the third and fourth federation join free up to N members, convert when they hit a usage band.

Practical recommendation: flat licence plus rev-share on drops for the first 18 months. Layer MAU once telemetry is real. Anything more complicated than that is overfitting to scale we do not yet have.

SLFA will ask: "our members are our members, why are they stored on your database, what happens when you pivot." Reasonable question. Three honest answers possible:

• Stay SaaS, lean on contract. Federation owns data in the contract sense, SHOT operates the system. Standard SaaS. Works if SHOT survives. Single point of failure.
• Open standard, multiple issuers. SLFA can run their own did:web:sportsl.com issuer, SHOT runs the verification registry. Federations sovereign over their own credentials. SHOT is the standards body plus the default issuer for those who do not want to operate.
• Cooperative shape. Federations own equity or governance rights in the platform. Long-term answer if SHOTid becomes infrastructure for global sport. Probably premature for pilot.

For pilot, option one is right. For year three, option two should be on the roadmap before a competitor offers it.

• Data ownership. Federation owns member data. SHOT operates the storage. Spell out what that means for member-initiated deletion, federation-initiated bulk export, and what "ownership" means when the member is the actual data subject under data-protection law.
• Exit clause. What happens if SHOTid pivots away from sport, gets acquired, or shuts down. SLFA must be able to take a full export — VCs, member directory, theme assets, signing key custody plan — and stand up an equivalent. Without this no serious federation signs.
• IP ownership. Theme and brand work commissioned for the federation — does SLFA own it or licence it? Default should be federation owns its mark, SHOT owns the platform.
• SLA. Uptime guarantee, defined service hours, credit schedule if breached. December 26 specifically — who pays if it is down on fight night. Right now nobody, because no SLA exists.
• Data residency. Can SLFA require Sierra Leone-resident storage in year three? Probably not feasible technically but the contract should at least name the path — replicated read store, regional issuance worker.

• Own the cross-federation positioning. Be the only sport-agnostic identity. A Sport Head holding credentials from SLFA, WAB, and a basketball league simultaneously is the differentiator no single-sport body can replicate.
• Open the standard. Let federations self-issue under did:web:theirsite.com but verify against a shared registry. Makes SHOTid a protocol, not a vendor. Harder to displace a protocol than a SaaS.
• Lock in early federations on long terms. Five-year deals with the first ten federations, with exit clauses that protect them but discourage forking. Land grab now while the category is undefined.

• Document everything in a runbook. Incident response steps, key rotation procedure, secret recovery, DB restore, signing key custody, federation contact escalation. One markdown file, kept current, lives in the repo.
• Hire one SRE-shaped person before December. Contract or permanent, but a third pair of hands. The cost is small compared to the cost of one of the founders being on a plane during fight night with no backup.
• Cross-train federation operators. SLFA and WAB staff can plausibly act as tier-one support inside their own portals — "is the site loading at all" type checks — if given a runbook and a Slack channel.

The runbook for each of these at 3am UK time should already be written before December:

• Supabase is hard-down, auth.users INSERT failing. What is the failover? Is there one? Right now: no.
• A worker is returning 500s. Who has Cloudflare access, where are the deploy logs, what is the rollback command.
• Trait CDN is serving wrong avatars. Where is the cache purge button, who can hit it.
• Handle generator returning duplicates due to a race. Which migration fixes the constraint, can it be deployed hot.
• A founder profile is hijacked. Per chain one in the red-team report. What is the disable-account command, who notifies the user, what is the press response.

The current answer for most of these is "ping Jonny on WhatsApp". That is not a runbook, it is a single point of failure with a phone number.

• Static site (sporthead-id, sporthead-com). Redeploy the previous Pages commit. ~5 minutes if you remember which commit was good.
• Worker (sporthead-reserve, federation-router). wrangler rollback is one minute if you remember the syntax under pressure at 3am. Most people will not.
• Supabase migration. Forward-only by design. No automated rollback. A migration that locks identity columns the wrong way at 22:30 on fight night means manual SQL surgery while users are mid-signup. The scariest single failure mode.

Mitigation: hold a deploy freeze from Dec 20 to Jan 5. No migrations during the launch window, full stop. Anything urgent waits.

• External pentest report received and findings closed or accepted
• Load test passing — 5,000 concurrent signups, 90-minute window, against staging
• Incident runbook complete — every "what if X" answered in writing
• Public status page live and federation-readable
• DPIA filed, privacy notice published, retention policy documented
• Database backups verified by actually restoring one, not by checking the box on the dashboard
• On-call rotation defined for Dec 20 to Jan 5, including the +1 hire
• Press response template prepared — outage, security incident, harassment claim
• Customer support inbox monitored with documented SLAs
• DNS migration off GoDaddy completed well before the freeze starts