Northshore Studio
Go-Live Credential Custody Record

Brushfire Coffee
DTC Launch

A signed, dated, client-facing record of who owns each production account, who had access during the project, what was revoked at handoff, and what exceptions remain — prepared for Brushfire Coffee Roasters by Northshore Studio.

Client: Brushfire Coffee Roasters
Agency: Northshore Studio
Project: DTC e-commerce launch
Launch date: May 22, 2026
Signed by: Mara Lindberg, Project Lead
Issued: May 24, 2026
89/100
Green — Launch-ready
Custody clean across all seven production services. Two exceptions documented below, both time-bound and revocable by the client at any time. Audit log attached.
How this was scored: 100 base · −8 retained admin access under a documented warranty exception (GitHub) · −3 ownership transfer scheduled, not complete, at issue date. Read-only, auto-expiring exceptions (Stripe events key) carry no deduction under v1 methodology — full rubric on page 11.
Executive summary

What your client should know.

A non-technical summary of credential custody as of launch. Detailed per-service assertions follow on pages 3–9. Audit log on page 10. Methodology on page 11.

7 / 7
Production accounts
Account ownership transferred to Brushfire Coffee Roasters before launch. All seven critical services accounted for.
3
Personnel revocations
Three former project members removed from production systems during the engagement, all logged with timestamps.
2
Documented exceptions
Two time-bound exceptions in place for go-live and warranty support. Both client-revocable at any time.
What's locked in at launch
  • Account ownership: Brushfire owns the Stripe account, Supabase project, Vercel team, Cloudflare zone, GitHub org, OpenAI account, and Resend workspace as of May 22.
  • Billing: All seven services bill to a Brushfire card. No agency or personal cards remain in production.
  • Recovery contact: ops@brushfirecoffee.com across every service, with julia@brushfirecoffee.com as backup where supported.
  • Production secrets rotated on May 20 across all seven services — full evidence on pages 3–9.
Documented exceptions
  • Stripe events feed (read-only) — Northshore retains a restricted Stripe key until August 8, 2026 for post-launch incident triage. Revocable by client at any time.
  • GitHub org admin (warranty) — Northshore retains one org-admin seat until September 30, 2026 for warranty support. Removable by client immediately.
  • Suggested next review: August 8, 2026, when the Stripe exception auto-expires.
For the busy reader
Six services Green; GitHub Yellow only because of the documented warranty exception. No red-flag items, no undocumented agency access. Both exceptions are client-revocable today.

Stripe — payments & billing

Production live mode · custody assertion
Green
Account owner: ops@brushfirecoffee.com (Client)
Billing card holder: Brushfire Coffee Roasters · Visa •••• 4242
Recovery contact: ops@brushfirecoffee.com
Transfer status: ✓ Complete
Current admin access
Personnel revoked during project
Person | Role | Removed | Reason
maria.olson@northshorestudio.com | Engineer (Northshore) | 2026-05-15 | Engagement offboarding — production access no longer required.
ben.cho@freelancer.io | Contractor (DTC build) | 2026-05-08 | Contract complete — access removed at project conclusion.
Rotation evidence
Secret | Last rotated | Rotated by
STRIPE_SECRET_KEY | 2026-05-20 | mara.lindberg@northshorestudio.com
STRIPE_WEBHOOK_SECRET | 2026-05-20 | mara.lindberg@northshorestudio.com
Exception — documented & time-bound
Northshore Studio retains a Stripe restricted API key (events feed read-only, no write access) on a key named rk_live_NS_events_only, scoped to read events and balance only. Purpose: post-launch incident triage and refund assistance during the 90-day support window. Auto-expires August 8, 2026. The client may revoke this key at any time via Stripe Dashboard → Developers → API keys.

Supabase — database & auth

Production project · custody assertion
Green
Account owner: ops@brushfirecoffee.com (Client)
Billing: Brushfire Coffee Roasters · Pro plan
Recovery contact: ops@brushfirecoffee.com
Transfer status: ✓ Complete
Current admin access
Personnel revoked during project
Person | Role | Removed | Reason
maria.olson@northshorestudio.com | Engineer (Northshore) | 2026-05-15 | Engagement offboarding.
Rotation evidence
Secret | Last rotated | Rotated by
SUPABASE_SERVICE_ROLE_KEY | 2026-05-20 | mara.lindberg@northshorestudio.com
SUPABASE_DB_URL (db password) | 2026-05-20 | ana.kim@brushfirecoffee.com
SUPABASE_ANON_KEY | stable | — (anon key is public-by-design; no rotation)
Clean — no exceptions
No agency or contractor retains any access to the Supabase project. Row-Level Security policies on every user-facing table validated by Northshore Studio engineer on 2026-05-19. Test report attached as Appendix B (Brushfire Coffee internal copy).

GitHub — source code

brushfirecoffee organization · custody assertion
Yellow
Org owner: brushfirecoffee org (Client)
Billing: Brushfire Coffee Roasters · Team plan
Recovery contact: ops@brushfirecoffee.com
Transfer status: Scheduled — see exception
Current admin access
Personnel revoked during project
Person | Role | Removed | Reason
ben.cho@freelancer.io | Contractor | 2026-05-08 | Contract complete — write access removed.
kareem.shah@freelancer.io | Contractor (design build) | 2026-04-30 | Project phase complete — repo access removed.
Rotation evidence
Secret | Last rotated | Rotated by
GITHUB_DEPLOY_KEY (production) | 2026-05-19 | mara.lindberg@northshorestudio.com
GITHUB_ACTIONS_PAT | 2026-05-19 | mara.lindberg@northshorestudio.com
Exception — documented & time-bound
Northshore Studio retains one org-admin seat (mara.lindberg@northshorestudio.com) on the brushfirecoffee GitHub org for the duration of the warranty support window through September 30, 2026. Purpose: ship hotfixes, address security patches, and respond to GitHub-side incidents during the warranty period. The client retains the right to remove this seat at any time; doing so does not affect the warranty. After September 30, 2026 the seat is automatically scheduled for removal.

Vercel — production hosting

brushfirecoffee team · custody assertion
Green
Team owner: ops@brushfirecoffee.com (Client)
Billing: Brushfire Coffee Roasters · Pro plan
Recovery contact: ops@brushfirecoffee.com
Transfer status: ✓ Complete
Current admin access
Personnel revoked during project
Person | Role | Removed | Reason
maria.olson@northshorestudio.com | Engineer (Northshore) | 2026-05-15 | Engagement offboarding.
ben.cho@freelancer.io | Contractor | 2026-05-08 | Contract complete — preview deploy access removed.
Rotation evidence
Secret | Last rotated | Rotated by
VERCEL_DEPLOY_HOOK_PROD | 2026-05-20 | mara.lindberg@northshorestudio.com
VERCEL_TOKEN (CLI) | 2026-05-20 | mara.lindberg@northshorestudio.com
Clean — no exceptions
Northshore Studio retains no Vercel access. Production environment variables verified against deployment config on 2026-05-21. Preview deploy URLs disabled for non-team members.

OpenAI — product description AI

Brushfire account · custody assertion
Green
Account owner: ops@brushfirecoffee.com (Client)
Billing: Brushfire Coffee Roasters · Pay-as-you-go
Recovery contact: ops@brushfirecoffee.com
Spend cap: $200 / month (set 2026-05-20)
Current admin access
Personnel revoked during project

None. The OpenAI account was created under the client's email on the first day of the engagement. Northshore Studio never held administrative access; all API usage during build was through scoped API keys, all of which were rotated to client-generated keys before launch.

Rotation evidence
Secret | Last rotated | Rotated by
OPENAI_API_KEY (production) | 2026-05-20 | ops@brushfirecoffee.com
Recommendation — monitoring
Recommended that Brushfire add a monthly spend alert at 80% of cap ($160) and configure billing email notifications. Documented in handoff playbook section 4.3.

Resend — transactional email

brushfirecoffee.com sending domain · custody assertion
Green
Account owner: ops@brushfirecoffee.com (Client)
Billing: Brushfire Coffee Roasters · Pro plan
Recovery contact: ops@brushfirecoffee.com
Transfer status: ✓ Complete
Current admin access
Personnel revoked during project
Person | Role | Removed | Reason
maria.olson@northshorestudio.com | Engineer (Northshore) | 2026-05-15 | Engagement offboarding.
Rotation evidence
Secret | Last rotated | Rotated by
RESEND_API_KEY | 2026-05-20 | mara.lindberg@northshorestudio.com
Email deliverability — verified
SPF, DKIM, and DMARC records validated for brushfirecoffee.com on 2026-05-18. DMARC policy: p=quarantine with rua=mailto:dmarc@brushfirecoffee.com. DNS records snapshot attached as Appendix C.

Cloudflare — DNS & CDN

brushfirecoffee.com zone · custody assertion
Green
Zone owner: ops@brushfirecoffee.com (Client)
Billing: Brushfire Coffee Roasters · Free plan (CDN)
Recovery contact: ops@brushfirecoffee.com
Transfer status: ✓ Complete
Current admin access
Personnel revoked during project
Person | Role | Removed | Reason
maria.olson@northshorestudio.com | Engineer (Northshore) | 2026-05-15 | Engagement offboarding — DNS access removed.
Rotation evidence
Secret | Last rotated | Rotated by
CLOUDFLARE_API_TOKEN | 2026-05-20 | mara.lindberg@northshorestudio.com
Domain registrar — separate from Cloudflare
Domain brushfirecoffee.com is registered with Hover under ops@brushfirecoffee.com (Brushfire Coffee Roasters). Auto-renew enabled. Northshore Studio holds no registrar access.
Appendix A

Audit log of the engagement.

Significant events between project kickoff (March 4, 2026) and report issue date (May 24, 2026). One row per material custody event. Reads and routine deployments are summarized rather than enumerated; full detail available on request.

When | Actor | Service | Event
2026-03-04 | mara.lindberg@northshorestudio.com | - | Engagement created · NS-2026-BCR-001 · kickoff.
2026-03-04 | ops@brushfirecoffee.com | Stripe | Account created under client email; agency invited as restricted-key holder only.
2026-03-04 | ops@brushfirecoffee.com | Supabase | Project created under client email; agency invited as developer.
2026-03-05 | ops@brushfirecoffee.com | Vercel | Team created; brushfirecoffee.com domain attached.
2026-03-05 | ops@brushfirecoffee.com | Cloudflare | Zone created; DNS migrated from previous host.
2026-03-12 | kareem.shah@freelancer.io | GitHub | Granted write access to brushfirecoffee/dtc-storefront for design build.
2026-04-02 | ben.cho@freelancer.io | GitHub, Vercel, Stripe | Granted scoped access for DTC integration work.
2026-04-30 | mara.lindberg@northshorestudio.com | GitHub | kareem.shah@freelancer.io access removed — phase complete.
2026-05-08 | mara.lindberg@northshorestudio.com | GitHub, Vercel, Stripe | ben.cho@freelancer.io access removed — contract complete.
2026-05-15 | mara.lindberg@northshorestudio.com | Stripe, Supabase, Vercel, Resend, Cloudflare | maria.olson@northshorestudio.com offboarded across all services.
2026-05-18 | mara.lindberg@northshorestudio.com | Resend, Cloudflare | SPF, DKIM, DMARC validated for brushfirecoffee.com.
2026-05-19 | mara.lindberg@northshorestudio.com | Supabase | RLS policy audit across user-facing tables — clean.
2026-05-19 | mara.lindberg@northshorestudio.com | GitHub | Deploy key and Actions PAT rotated for production.
2026-05-20 | mara.lindberg@northshorestudio.com | Stripe | STRIPE_SECRET_KEY and STRIPE_WEBHOOK_SECRET rotated. Restricted key issued for events feed.
2026-05-20 | ana.kim@brushfirecoffee.com | Supabase | SUPABASE_SERVICE_ROLE_KEY and DB password rotated.
2026-05-20 | mara.lindberg@northshorestudio.com | Vercel, Resend, Cloudflare | Production secrets rotated across hosting, email, and DNS.
2026-05-20 | ops@brushfirecoffee.com | OpenAI | OPENAI_API_KEY generated by client; agency keys revoked. Spend cap set $200/mo.
2026-05-22 | mara.lindberg@northshorestudio.com | - | Launch ✓ — DTC storefront live at brushfirecoffee.com.
2026-05-24 | mara.lindberg@northshorestudio.com | - | This custody record issued to client; engagement marked LAUNCHED.
Appendix B

Methodology & signature.

What this custody record asserts, what it doesn't, and the agency principal's signed attestation as of the issue date.

What we asserted

  • Account ownership: whose email, whose billing card, whose recovery contact across seven production services.
  • Current admin access: every active human and machine principal with admin or write capability.
  • Personnel revocations: every project member who held production access during the engagement and was removed, with timestamps.
  • Rotation evidence: production secrets rotated within 30 days of launch, with rotator identified.
  • Transfer status: explicit YES/SCHEDULED/EXCEPTION per service.
  • Exceptions: time-bound, client-revocable, documented.

What we did NOT assert

  • Live state at the provider: the assertion is based on agency records and rotation evidence as of 2026-05-24, not a real-time API check at each provider.
  • Long tail: services outside the seven listed (analytics, error tracking, CI dashboards) are out of scope for this engagement's report.
  • Application-level access control: in-app user roles, RLS policies, and similar are validated separately (see Appendix B in Brushfire's internal copy).
  • Client-side operational practices: how Brushfire maintains custody after launch is the client's responsibility; this report is a snapshot at handoff.
Mara Lindberg
Signed by Agency Principal
Mara Lindberg
Project Lead · Northshore Studio · May 24, 2026
— pending client signature —
Acknowledged by Client
Olivia Pham
Director of Operations · Brushfire Coffee Roasters