# Master Public Release Gate 6 - Integration Truth

Date: 2026-06-16

## Verdict

Gate 6 status: **Approved for Gate 7.**

This gate does not enable live accounting, calendar, or LLM provider calls. It makes the integration surfaces truthful and testable:

- Accounting provider coverage is contract-tested in sandbox mode for Xero, Intuit QuickBooks Online, Sage Accounting, Zoho Books, MYOB, FreeAgent, Reckon, SMEPlus, FreshBooks, and Wave Accounting.
- Google Calendar and Outlook / Microsoft 365 Calendar show two-way sync contracts, required scopes, webhook verification requirements, and conflict policy while live OAuth remains disabled.
- LLM provider settings show local-only readiness, blocked live model calls, provider contract coverage, and redacted import-sample rules.
- Platform-admin integration health now distinguishes contract-tested foundations from live provider activation.

## Implemented

- Added accounting readiness and provider contract snapshots to `AccountingConnectionService`.
- Added calendar readiness and provider contract snapshots to `CalendarSyncService`.
- Added LLM readiness, provider contract snapshots, and redacted import sample generation to `LlmConnectionService`.
- Updated accounting, calendar, and LLM settings controllers to pass readiness and contract data to their views.
- Updated accounting, calendar, and LLM settings pages with Gate 6 readiness and provider contract coverage panels.
- Updated platform-admin integration health from generic `not_configured` states to explicit `contract_tested` / `guarded_contract_tested` states.
- Added tests for provider coverage, live-disablement, webhook verification requirements, idempotency contract claims, and LLM redaction.

## Routes Extended

- `/settings/accounting`
- `/settings/calendar`
- `/settings/llm`
- `/platform-admin#platform-integrations`

No new live OAuth, webhook, token exchange, background sync, or LLM API routes were added.

## Services Reused

- `AccountingProviderRegistry`
- `AccountingConnectionService`
- `CalendarProviderRegistry`
- `CalendarSyncService`
- `LlmProviderRegistry`
- `LlmConnectionService`
- `PlatformAdminService`
- `RbacService`

## Database Changes

None.

## Security Notes

- Live provider credentials remain blocked.
- No OAuth access tokens, refresh tokens, API keys, raw webhook payloads, raw provider payloads, full import files, or raw LLM prompts are collected or logged.
- LLM import samples are limited and redact emails, phones, addresses, and secret-like fields before any future model call.
- SMEPlus remains owner-confirmation gated because official API documentation is not confirmed in the project.

## Tests Added

- Accounting readiness marks sandbox contracts ready while live OAuth is disabled.
- Accounting provider contracts cover all requested providers.
- Xero contract maps invoices/payments without enabling live sync.
- SMEPlus contract remains owner-confirmation gated.
- Calendar readiness marks two-way contracts ready while live OAuth is disabled.
- Calendar provider contracts cover Google and Outlook.
- Google contract includes event scope and push-channel verification.
- Outlook contract includes read-write scope and subscription verification.
- LLM readiness marks local assistant as guarded while live model calls are disabled.
- LLM provider contracts keep live calls disabled.
- LLM redacted import sample removes PII/secrets and limits rows.
- Platform-admin integration health exposes contract-tested statuses.
- Integration pages expose Gate 6 readiness and provider contract coverage.

## Verification

| Check | Result |
| --- | --- |
| Targeted PHP lint for touched files | PASS |
| `php tests/run.php` | PASS |
| Workspace `composer check` | PASS |
| `tools/production-workflow-smoke.cjs` on fresh port `8102` | PASS, `failureCount=0` |
| XAMPP `tools/browser-smoke.cjs` | PASS, `failureCount=0` |
| XAMPP `tools/role-walkthrough.cjs` | PASS, `failureCount=0` |
| XAMPP `composer check` | PASS |

## Remaining After Gate 6

- Deployment hardening, monitoring, backup/restore, hosted TLS/proxy verification, and CI release-gate checks are now covered by the Gate 7 readiness contract; actual hosted infrastructure values still require owner confirmation.
- Live provider activation still requires real credentials, encrypted token/key storage, provider-specific webhook endpoints, rate limits, retry workers, audit logs, and owner approval.
- Native Android/iOS build, signing, and store readiness remain later gates.
- Accessibility and performance gates remain open.