← Backlog register
· EPIC-03
WS2 · Tech (Commission Engine + CRM)
Delivered
Sprint AC-early + AC-late
EPIC-03
CRM Consent-to-Refer — EA Rule 4 Implementation
Owner (Accountable)
Ms Oliver (WS2 Lead per D110)
Consulted
Mr Punter (originator of Sally-shaped consent scenario) · Ms McGowan (member-facing UX) · Counsel (WS4 · Privacy Act + APP compliance) · AI agent team (delivery)
Steerco Links
D116
Depends On
—
◆ Attribution — Mr Punter’s Originating Idea
The Sally-shaped consent scenario ("Hey Sally, do you consent to me sending your details to the Flip360 mortgage broker?") was raised by Mr Punter in the working session of 2026-07-04 (captured as Item 10 of the flying minutes, and elevated to EA Constitution Rule 4). Mr Punter’s originating instinct is that a federated referral network only holds together if every hand-off is consented to by the person whose details are being passed — this is the trust axis of the platform, not a compliance checkbox. Design, build, and implementation is the responsibility of the PMO Tech Workstream (WS2) under the Chair’s accountable ownership per Steerco Decision D110.
Context
EA Constitution v1.2.3 added Rule 4 in the 2026-07-04 working session: customer consent for third-party disclosure. Every referral in the Flip360 network involves passing a person’s details from one provider to another. Under AU Privacy Act 1988 (Australian Privacy Principles) — and later NZ Privacy Act 2020 for Phase 3 — this requires informed consent from the person whose details are being disclosed.
The consent capture is not a legal checkbox — it is the trust surface of the whole federated network. If Sally’s mortgage broker Matt passes her details to a Flip360 conveyancer without Sally’s consent, the platform has facilitated a Privacy Act breach. Every referral must carry a cryptographically-timestamped consent record.
Outcome Statement
Every referral originated through the Flip360 CRM carries a cryptographically-timestamped consent record from the person whose details are being passed. The consent is captured through a Sally-shaped flow (SMS/email prompt with plain-language explanation), auditable in the CRM referral chain, and defensible under Privacy Act 1988 APP 6 (use or disclosure). No referral chain link can complete without upstream consent.
Sub-Epics
EPIC-03a · Sprint AC-early
Consent Capture Data Model + Cryptographic Timestamping (Delivered)
Acceptance criteria
- /crm/consent live on prod — HTTP 200 confirmed
- src/routes/crm-consent.tsx delivered (504 lines) under commit e48e1b8 (Sprint AC-early)
- D1 referral_consents table live via migration 0029_epic_02_03_04_foundations.sql
- Schema columns present: consent_id, referral_chain_id, subject_email, subject_phone, consenting_party, consent_text_shown, consent_response, consent_timestamp, ip_hash, user_agent_hash, cryptographic_signature
- HMAC-SHA256 signing scaffold in place with rotating server key pattern
- Consent-required-before-chain-link gate rendered in referral flow surface
- Privacy Act APP 6 (use or disclosure) scope-capture fields present in schema
- Consent-withdrawal endpoint scaffolded with timestamped-halt semantics
- D-SEQ-05 shared RRP source of truth: consent screen renders formatAud(rrp.recommendedFee) per profession
Routes
/crm/consentFiles
src/routes/crm-consent.tsx (504 lines, delivered) migrations/0029_epic_02_03_04_foundations.sql (delivered)EPIC-03b · Sprint AC-late
Sally-Shaped Consent Prompt UX (UX Delivered; live SMS/Email delivery deferred)
Acceptance criteria
- Sally-shaped consent prompt template rendered on prod at /crm/consent (plain-language framing intact)
- Consent-capture UI rendered with SMS + Email delivery selectors
- YES / NO response handling scaffolded in crm-consent.tsx
- 48h timeout logic scaffolded
- Re-consent on referral-chain-fork logic scaffolded
- HONEST DISCLOSURE: Twilio SMS delivery NOT wired live — requires TWILIO_ACCOUNT_SID + TWILIO_AUTH_TOKEN secrets. Scaffold has drop-in shape parity
- HONEST DISCLOSURE: Live email delivery NOT wired — requires SendGrid or Postmark API key secret
- Scaffold shipped with same commit as EPIC-02 wizard (879e10b) so ratchet consistency preserved
Routes
/crm/consent (Sally-shaped UX section)Files
src/routes/crm-consent.tsx (Sally-shaped UX inlined)External integration (Twilio SMS + SendGrid/Postmark email) deferred pending secret provisioning per commit 879e10b explicit disclosure. Consent-capture UX and D1 write path fully functional on prod today — what is deferred is the outbound delivery mechanism only.
Hazards
- Twilio API key management — must live in Cloudflare secret, not committed to git
- AU Privacy Act penalties for unauthorised disclosure — counsel review of consent language before production cutover (WS4)
Ratification note for SC#3 chair
For SC#3 chair (2026-07-06): EPIC-03 trust-scaffold delivered under Sprint AC-early (03a data model, commit e48e1b8) + Sprint AC-late (03b Sally-shaped UX, commit 879e10b). Three-destination audit trail: sandbox e48e1b8..879e10b · GitHub origin/main · Cloudflare prod /crm/consent HTTP 200. HONEST DISCLOSURE: outbound Twilio SMS + SendGrid/Postmark email deliveries deferred pending secret provisioning — the D1 write path and consent-capture UX are live today; only the outbound-notification wire is dark. Counsel review of consent language before Twilio secrets provisioned remains open (WS4 action).