Release 2 — Scale and AI

Companion: Roadmap Index · Release 1 — Foundations · Risks & Tradeoffs · AI Architecture · Payments Architecture · Lock & Key Integration

R2 is the wave that takes Ghasi Melmastoon from a five-tenant pilot to a fifty-tenant operating product with AI and chain capabilities. Horizon: next ~6 months after R1 close. Scale target: 50 tenants live, 5,000 reservations/day. Operational target: AI-driven dynamic pricing in production with HITL acceptance > 60% on the cohort. Geography: existing AF + TJ markets deepened, and Iran exploratory deployment under sanctions-aware boundary.

R2 is the wave where the platform's AI thesis stops being a promise and becomes measurable revenue impact for tenants. It is also the wave where chain operators become a real customer segment and where multi-region operation removes single-region availability as a question.

1. Vision & Outcomes

1.1 Vision

A 50-tenant fleet across Afghanistan, Tajikistan, and pilot Iranian properties runs daily operations with AI assistance the operators have learned to trust. Dynamic pricing suggestions push the right way during high-demand windows; the GM clicks accept on most of them. Demand forecasting helps the head housekeeper schedule rooms ahead of the morning rush. Multilingual message drafting cuts communication time per booking by half. A chain operator with three properties switches between them in the desktop without re-launching the app. A guest paying through PayPal in Herat completes a booking that a year ago would have left the platform for an OTA.

1.2 Outcomes — measurable

Outcome	Target	Measurement
Tenants live in production	50 tenants (mix: AF 20, TJ 15, IR pilot 5, regional secondary 10)	Tenant tracker
Daily reservations across cohort	5,000 reservations/day, sustained 14-day rolling	`reservation-service` aggregations
AI dynamic pricing acceptance	> 60% accept rate over 30 days per tenant	`ai-orchestrator-service` telemetry
AI message-drafting acceptance	> 70% accept rate over 30 days per tenant	`ai-orchestrator-service` telemetry
Sync p99 under load	< 5 s under 3G + 5% packet loss + cohort load	Sync telemetry
BFF availability SLO	99.9% per BFF per region	OTel + monitoring
Chain operator TTV	First active session within 14 days of contract signature	Onboarding tracker
Multi-region failover	< 5 min RTO; 0 minute RPO for non-billing data	DR drill
Per-tenant per-month GCP cost	< $40 USD at 50 tenants	FinOps dashboard
Direct-booking share	> 60% across the cohort	`reservation-service` channel attribution
Provider-onboarding time	< 14 days kickoff to first live booking (down from R1 30 days)	Onboarding tracker
Pen-test #3 + #4	Two external pen-tests; all critical/high findings closed	Security review

1.3 Vision boundary

R2 is not the wave for white-label resellers, native staff sub-app on mobile, kiosk mode for arrivals, voice transcription production, or local-LLM upgrades. Those are R3. R2 is also not the wave for OTA channel manager — channel-manager support remains in the long-term backlog. R2 is the wave where AI and chain capabilities become real and where geography expands deliberately.

2. Scope (in / out)

2.1 IN

2.1.1 New backend services and major capability expansions

Service	R2 capability surface
`ai-orchestrator-service`	Full capability set — dynamic pricing suggestions; demand forecasting; anomaly detection (cloud + edge); AI-drafted multilingual messages; smart alerts; embeddings + RAG over property-help-content; image moderation; voice transcription pilot (production in R3); HITL gate enforced on irreversible actions; provenance on every artifact
`ai-gateway` (within ai-orchestrator)	Vertex AI provider routing; cost tracking per tenant per feature; per-prompt registry with versioning; eval suites in CI; multi-provider abstraction
`staff-service`	Full surface — staff profiles, roles, shifts, lightweight time tracking; payroll integration stays out
`analytics-service`	BigQuery sink fully wired; Looker dashboards (12 canonical reports + custom); per-tenant slot reservation; cohort KPIs
`pricing-service`	Adds AI suggestions on rate plans (manual rate plans remain available); per-tenant suggestion-acceptance dashboard
`housekeeping-service`	AI-suggested cleaning order; predicted turnover ETA per room; staff-load balancing
`notification-service`	Adds WhatsApp Business + Viber + push (web + mobile); marketing campaigns module (templates, scheduled sends, suppression lists); AI-drafted templates in 5 locales
`reporting-service`	Full surface — 12 canonical reports + scheduled exports + per-tenant custom reports
`lock-integration-service`	Adds Salto adapter and Assa Abloy generic adapter; mobile-key full integration (Apple Wallet + Google Wallet pilot in R2)
`payment-gateway-service`	Adds PayPal, EasyPaisa, M-PESA, Pamir-Pay MFS providers; per-tenant routing rules; settlement-currency choice
`theme-config-service`	v2 — theme editor improvements (visual preview, side-by-side compare, draft → review → publish workflow with approver role); preset count grows from 3 to 8; content blocks from ~10 to ~25
`tenant-service`	Chain multi-tenant — chain entity with member properties; chain-operator role; cross-property dashboard scaffolding
`bff-backoffice-service`	Chain switcher in Electron desktop; chain-aware authorization; cross-property views

2.1.2 New surfaces and surface expansions

Chain switcher in Electron desktop — single binary supports multiple tenants for chain operators; per-tenant SQLite store; per-tenant key derivation; per-tenant sync cursor; switcher UI with property selector and quick-stats chips.
Theme editor v2 in control plane — visual preview, side-by-side compare, draft → review → publish workflow.
Looker dashboards — Looker Studio reports for tenants on the higher tier; custom report definitions per tenant.
Marketing campaigns surface in notification-service — segmented email/SMS/WhatsApp campaigns; scheduled sends; bounce/complaint suppression; per-tenant template library.
Mobile-key integration in consumer app — guests with a confirmed reservation see a "Add to Wallet" affordance for their stay; pilot tenants opt in.
Iran tenant onboarding (exploratory) — 5 pilot Iranian tenants under sanctions-aware boundary; payment routing through Iranian rails (Shaparak, bank-transfer); CMEK on PII; per-tenant data classification reviewed.

2.1.3 Lock vendor matrix

TTLock (R1).
Generic Wiegand (R1).
Salto (cloud + offline issuance via vendor SDK).
Assa Abloy (generic adapter for SDK-supported product lines).
Mobile-key (Apple Wallet + Google Wallet) — pilot tenants only in R2; production rollout in R3.

2.1.4 Payments

Stripe (R1).
Cash-on-arrival (R1).
AfghanPaisa MFS (R1, expanded).
Bank-transfer (R1).
PayPal (where regional availability permits).
EasyPaisa (Pakistan; for tenants serving cross-border guests).
M-PESA (Tanzania, Kenya pilot for the regional secondary cohort).
Pamir-Pay (Tajikistan).

2.1.5 AI capabilities (full set)

Capability	Surface	HITL stance
Dynamic pricing	`pricing-service` (suggestions); GM dashboard	Default HITL; tenant may opt to auto-apply within rate band after sustained acceptance > 80%
Demand forecasting	GM dashboard	Always HITL — informational, never auto-action
Anomaly detection (cloud)	`ai-orchestrator-service` ↔ all services	HITL; surfaces alerts; never auto-blocks
Anomaly detection (edge)	Electron desktop ONNX	Local-only; surfaces alerts; HITL
AI-drafted messages	`notification-service`	Always HITL on guest-facing; templates allowed without HITL
Smart alerts	GM dashboard	Always HITL
Embeddings + RAG over property-help-content	Operator help surface in desktop	HITL by default for any action recommendation
Image moderation	`file-storage-service`	Auto-quarantine; HITL to release
Voice transcription (pilot)	Desktop microphone for housekeeping notes	Pilot tenants only; HITL editing of transcript

2.1.6 Multi-region

asia-south1 (Mumbai) — primary, R1.
asia-southeast1 (Singapore) — added in R2; multi-region replicas; failover topology.
Cloud SQL multi-region read replicas; Pub/Sub multi-region; Cloud Storage multi-region buckets for media.
Per-tenant region affinity based on geography.

2.1.7 Iran exploratory deployment

5 pilot Iranian tenants under explicit sanctions-aware boundary.
Payment routing: Shaparak/Sadad domestic rails + bank-transfer; Stripe + PayPal disabled for Iran tenants.
CMEK enabled on PII for Iran cohort.
Per-tenant data-classification review to ensure no inadvertent flow of restricted data through US-touching services.
Legal counsel sign-off per tenant; OFAC + EU sanctions screening.

2.2 OUT (deferred to R3 or later)

White-label reseller program — R3.
GraphQL surface — not planned (REST + per-surface BFF resolvers stays).
Native iOS/Android staff app — R3 (React Native staff sub-mode).
Kiosk mode for self-check-in — R3.
Voice transcription in production — R3 (R2 is pilot only).
Local-LLM upgrades on edge — R3.
AI content generation for theme blocks — R3.
OTA channel manager (Booking.com / Expedia) — long-term backlog.
Loyalty / rewards — long-term backlog.
Restaurant POS / ancillary inventory — long-term backlog.
Deep accounting integration (QuickBooks, Xero) — R3+.
GCC + Europe expansion — R3.

3. Epics included

Epic ID	Epic name	Owning service(s)
EP-MEL-19	Chain multi-tenant + Electron switcher	tenant-service, iam-service, bff-backoffice-service, desktop
EP-MEL-20	AI orchestrator full capability set	ai-orchestrator-service
EP-MEL-21	Dynamic pricing AI in production	pricing-service, ai-orchestrator-service
EP-MEL-22	Demand forecasting + smart alerts	ai-orchestrator-service, GM dashboard
EP-MEL-23	AI-drafted multilingual messages	notification-service, ai-orchestrator-service
EP-MEL-24	Embeddings + RAG over help content	ai-orchestrator-service, desktop
EP-MEL-25	Image moderation + voice transcription pilot	ai-orchestrator-service, file-storage-service, desktop
EP-MEL-26	Theme editor v2 + preset/content expansion	theme-config-service, control plane
EP-MEL-27	Salto + Assa Abloy adapters + mobile-key pilot	lock-integration-service
EP-MEL-28	PayPal + EasyPaisa + M-PESA + Pamir-Pay	payment-gateway-service
EP-MEL-29	Marketing campaigns module	notification-service
EP-MEL-30	Looker dashboards + 12-report catalog	reporting-service, analytics-service
EP-MEL-31	Multi-region (asia-south1 + asia-southeast1)	All services + SRE
EP-MEL-32	Iran exploratory deployment + compliance	tenant-service, payment-gateway-service, compliance
EP-MEL-33	Staff service full surface	staff-service
EP-MEL-34	Self-service tenant onboarding (SMB tier)	tenant-service, control plane
EP-MEL-35	Partner channel pilot (resellers, R2 trial)	tenant-service, commercial

4. Service rollout

R2 splits into two quarters with overlapping tracks. Q1 (months 7-9) is AI + chain + lock vendors. Q2 (months 10-12) is multi-region + Iran exploratory + marketing + Looker.

4.1 Q1 — months 7-9

Month 7 — AI orchestrator full + chain foundations

Primary: ai-orchestrator-service full capability shipping; chain multi-tenant model in tenant-service; chain switcher scaffolding in Electron.

AI gateway with Vertex AI routing; per-tenant budget; per-feature quota; cache-by-prompt-hash; provenance enforcement.
Prompt registry with eval suites in CI; safety pipeline (pre + post moderation); refusal UX.
First three AI capabilities live in shadow: dynamic pricing, demand forecasting, message-drafting.
tenant-service chain entity; chain-operator role in iam-service.
Electron desktop chain-switcher UI scaffolded.

Month 8 — AI capabilities to production + theme editor v2

Primary: AI capabilities promoted from shadow to HITL production; theme editor v2; new lock vendor adapters (Salto, Assa Abloy).

Dynamic pricing in HITL production; per-tenant suggestion-acceptance dashboard.
Message-drafting in HITL production (5 locales).
Anomaly detection cloud + edge in production.
Theme editor v2: visual preview + side-by-side compare + draft → review → publish workflow.
Salto adapter shipped to production; nightly contract tests live.
Assa Abloy generic adapter shipped to production; nightly contract tests live.

Month 9 — Mobile-key + image moderation + remaining AI capabilities

Primary: Mobile-key (Apple Wallet + Google Wallet) pilot integration; image moderation in file-storage-service; voice transcription pilot; embeddings + RAG over property-help-content.

Mobile-key flow: pilot tenants opt in; "Add to Wallet" affordance in consumer app post-confirmation.
Image moderation: auto-quarantine on upload; HITL to release; per-tenant policy.
Voice transcription pilot: desktop microphone capture for housekeeping notes; pilot tenants only.
RAG: ingest property-help-content per tenant; embeddings into pgvector partitioned per tenant; operator help surface in desktop.

Q1 exit criteria: AI dynamic pricing in production with first measurable acceptance metrics; chain operator pilot tenant onboarded; Salto + Assa Abloy lock-issuance success rate ≥ 99%; theme editor v2 used by ≥ 10 tenants.

4.2 Q2 — months 10-12

Month 10 — Marketing campaigns + Looker + payment expansion

Primary: Marketing campaigns module; Looker dashboards; PayPal + EasyPaisa + Pamir-Pay + M-PESA.

Marketing campaigns: per-tenant template library; segmentation; scheduled sends; suppression lists.
Looker: 12 canonical reports as Looker Studio templates + per-tenant custom report support.
Payment provider matrix: PayPal where eligible, EasyPaisa for cross-border PK, Pamir-Pay for TJ, M-PESA for regional secondary cohort.

Month 11 — Multi-region + Iran exploratory deployment

Primary: Multi-region deployment (asia-south1 + asia-southeast1); Iran exploratory deployment under sanctions-aware boundary.

Cloud SQL multi-region read replicas live in asia-southeast1.
Pub/Sub multi-region topology.
Per-tenant region affinity; failover playbook.
DR drill on multi-region: 5-min RTO target; 0-min RPO for non-billing data.
Iran exploratory deployment: 5 pilot Iranian tenants onboarded under explicit sanctions-aware boundary; CMEK enabled; per-tenant data classification reviewed.

Month 12 — Self-serve onboarding + partner pilot + hardening

Primary: Self-serve tenant onboarding (SMB tier); partner channel pilot; hardening; pen-tests.

Self-serve onboarding for SMB tier: tenant create → property + rooms → theme draft → payment provider connect → live; field rep approval gate before first live booking.
Partner channel pilot: 2 partner agencies onboarding tenants on our behalf with a revenue share.
Pen-test #3 (full R2 scope) and #4 (chain + Iran scope) — findings closed before R2 close.
Performance pass against 5,000 reservations/day load on the staging cohort.
FinOps review; per-tenant cost on track for < $40 USD at 50 tenants.

Q2 exit criteria: All 50 tenants live; multi-region failover validated; Iran cohort operational; pen-tests closed; self-serve flow handles ≥ 30% of new SMB onboardings.

4.3 R2 ASCII timeline

                    M7        M8        M9        M10       M11       M12
                   ┌────┐    ┌────┐    ┌────┐    ┌────┐    ┌────┐    ┌────┐
AI orchestrator    │████│    │████│    │░░░░│    │░░░░│    │░░░░│    │░░░░│
  pricing+forecast │████│    │████│    │░░░░│    │░░░░│    │░░░░│    │░░░░│
  msg+RAG+image    │░░░░│    │████│    │████│    │░░░░│    │░░░░│    │░░░░│
  voice (pilot)    │    │    │    │    │░░░░│    │░░░░│    │████│    │████│
Theme editor v2    │    │    │████│    │░░░░│    │░░░░│    │░░░░│    │░░░░│
Lock vendors +2    │░░░░│    │████│    │░░░░│    │░░░░│    │░░░░│    │░░░░│
Mobile-key full    │    │    │░░░░│    │████│    │████│    │░░░░│    │░░░░│
Chain switcher     │░░░░│    │░░░░│    │████│    │████│    │░░░░│    │░░░░│
Marketing module   │    │    │░░░░│    │████│    │████│    │░░░░│    │░░░░│
Looker + reporting │    │    │░░░░│    │████│    │████│    │░░░░│    │░░░░│
Multi-region       │    │    │    │    │░░░░│    │████│    │████│    │░░░░│
Iran cohort        │    │    │    │    │    │    │░░░░│    │████│    │████│
Self-serve onboard │    │    │░░░░│    │░░░░│    │████│    │████│    │░░░░│
Partner channel    │    │    │    │    │    │    │░░░░│    │████│    │████│
                   └────┘    └────┘    └────┘    └────┘    └────┘    └────┘
                   AI on,    Locks +   Theme +   Mkt +     Multi-    Iran
                   chain     mobile-   chain     Looker +  region    GA + 50-
                   scfd      key       GA        wallet    + Iran    tenant
                                                            staging   live

4.4 Multi-region GCP topology (target end of M12)

                         ┌──────────────────────────┐
                         │  Cloud DNS / Load        │
                         │  Balancer (global)        │
                         │  region-affinity routing  │
                         └────────┬────────┬─────────┘
                                  │        │
                ┌─────────────────┘        └────────────────┐
                │                                            │
   ┌────────────▼─────────────┐                ┌────────────▼─────────────┐
   │ asia-south1 (Mumbai)      │                │ asia-southeast1 (Singapore) │
   │  Primary for AF/TJ/PK     │                │  Primary for IR/regional GCC  │
   │                           │                │                           │
   │  Cloud Run × N services   │                │  Cloud Run × N services   │
   │   (NestJS, hexagonal)     │                │   (NestJS, hexagonal)     │
   │                           │                │                           │
   │  Cloud SQL HA (primary)   │◀── replica ──▶ │  Cloud SQL HA (replica)   │
   │  Memorystore (Redis)      │                │  Memorystore (Redis)      │
   │  Pub/Sub topics (regional)│                │  Pub/Sub topics (regional)│
   │  Vertex AI endpoints      │                │  Vertex AI endpoints      │
   │  KMS / Secret Manager     │                │  KMS / Secret Manager     │
   │  Cloud Storage (regional) │                │  Cloud Storage (regional) │
   │  BigQuery (multi-region)  ◀────── shared sink ──────▶                  │
   └───────────┬───────────────┘                └────────────┬──────────────┘
               │                                              │
               │  Outbox replay + Pub/Sub bridge              │
               │  for cross-region eventual consistency       │
               └──────────────────────────────────────────────┘

  Iran cohort lives behind a region-specific tenant routing rule
  with CMEK enforced and sanctions-screened tenant onboarding.

The topology is asymmetric: AF/TJ/PK tenants stay primary in Mumbai; IR + GCC primary in Singapore. Failover is bidirectional with RTO < 5 min, RPO 0 for non-billing. Billing is single-writer per region with reconciliation cron rather than active-active (deferred to R3+).

5. Frontend rollout

Surface	M7	M8	M9	M10	M11	M12
Tenant booking web	AI message drafts	+ Marketing-campaign landing pages	+ RTL polish	+ Looker embed for tenant	+ Region-affinity routing	Hardening
Tenant booking mobile (RN)	+ Mobile-key affordance scaffold	+ Mobile-key pilot	+ RTL polish	+ Wallet integration GA	+ Region-affinity routing	Hardening
Consumer meta web	+ AI ranking experiments	+ Map polish	+ Personalization scaffold	+ Region-affinity routing	+ Iran tenants visible to in-region users	Hardening
Consumer mobile (RN)	+ Push notifications	+ Mobile-key affordance scaffold	+ Mobile-key pilot	+ RTL polish	+ Region-affinity	Hardening
Electron desktop	+ Chain switcher scaffold	+ AI suggestion UX in pricing	+ RAG help surface	+ Marketing campaigns ops view	+ Multi-tenant chain GA	+ Self-serve Iran tenant ops
Control plane	+ Chain entity admin	+ Theme editor v2	+ AI policy admin	+ Looker admin	+ Iran tenant approval	+ Partner channel admin

5.1 Design-system and i18n cadence

@ghasi/ui-melmastoon v2 with chain switcher patterns; updated motion tokens.
i18n bundle adds Arabic (Iran-region tenants who serve Arabic-speaking guests), Russian (Tajikistan secondary), Urdu (Pakistan secondary in regional cohort).
AI message-drafting templates per locale reviewed by locale champions before promotion.

5.2 Performance budgets (R2 tightened)

Surface	Metric	R2 budget
Tenant booking web	LCP p75 (3G fast)	< 2 s
Tenant booking web	TTI p75	< 3.5 s
Consumer mobile	Cold start	< 2.5 s
Electron desktop	Cold start	< 3.5 s
Electron desktop	Chain switch	< 500 ms
Electron desktop	AI suggestion render	< 800 ms first-token p95
Tenant booking mobile	Booking step transition	< 250 ms

6. Infrastructure milestones

Milestone	Target month	Owner	Acceptance criteria
Multi-region Cloud SQL replicas	M11	SRE	Replica lag < 1 s p95; failover playbook executed
Multi-region Pub/Sub	M11	Platform	Per-region topics; consumer subscriptions per region
BigQuery slot reservation	M10	Platform + Finance	Reserved slots cover 95% of analytical query load
Model registry (AI)	M7	AI Lead	All prompts + models versioned; eval suite gates promotion
ONNX model signing pipeline (matured)	M7	Desktop + AI	Signed models; verification at app start; key rotation playbook
FinOps dashboard	M10	Finance + SRE	Per-tenant, per-feature, per-model cost; daily trend
On-call rotation expanded	M10	SRE	24/7 across 3 timezones; PagerDuty escalation; weekly health pulse
CMEK option (per-tenant for Iran cohort)	M11	Security	KMS hierarchy; per-tenant CMEK key; documented operator playbook
Sanctions screening pipeline	M11	Compliance	OFAC + UN + EU lists synced daily; tenant onboarding screen
Pen-test #3 (full R2 scope)	M12	Security	External pen-test; findings closed
Pen-test #4 (chain + Iran scope)	M12	Security	External pen-test; findings closed
DR drill multi-region	M11	SRE	RTO < 5 min; RPO 0 for non-billing

6.1 AI capability rollout matrix

R2 ships eight AI capabilities through ai-orchestrator-service. Every capability has a default-off setting, a per-tenant opt-in, a HITL gate where applicable, an eval harness, and a per-tenant budget.

Capability	Provider (default)	Edge / cloud	HITL gate	Eval threshold to ship	Per-tenant cap (default)	Reversibility
Anomaly detection (R1, hardened in R2)	ONNX local	Edge	Suggestion only	Precision ≥ 0.7 on 30-day window	n/a	Reversible (suggestion)
Dynamic pricing	Vertex AI Gemini Flash	Cloud	"Try this?" CTA	Acceptance ≥ 60% on 30-day window per tenant	$20 / mo	Reversible (suggestion)
Demand forecasting	Vertex AI Gemini + tabular model	Cloud	None (display only)	MAPE ≤ 25% on 90-day window	$10 / mo	Reversible (display)
Message drafting (guest replies)	Vertex AI Gemini Flash + RAG	Cloud	Mandatory review	Acceptance ≥ 70% on 30-day window per tenant	$30 / mo	Reversible (draft)
Smart alerts (operational)	ONNX local + Vertex (escalations)	Edge + cloud	None	False-positive rate ≤ 10%	$5 / mo	Reversible
Embeddings + RAG (property help, FAQ, internal)	Vertex AI text-embedding	Cloud	n/a	Recall@10 ≥ 0.7	$15 / mo	n/a
Image moderation (theme content + room photos)	Vertex AI Vision	Cloud	Mandatory review on flag	False-negative rate ≤ 1%	$10 / mo	Reversible
Voice transcription (housekeeping pilot)	Vertex AI Speech (Pashto/Dari pilot)	Cloud	Mandatory review	WER ≤ 15% per locale on pilot	Pilot only — no cap, eval-gated	Reversible

Every entry is enforceable in ai-orchestrator-service policy config; no service calls Vertex AI directly. All artifacts persist with provenance per MIT-09.

6.2 R2 vendor capability matrix

Vendors added or expanded in R2. Each has a contract test (MIT-07), an owner, and a fallback.

Vendor	Capability	Adapter status R1 → R2	Owner	Fallback / degraded mode
TTLock	Lock issuance, dynamic codes, audit logs	R1 GA → R2 hardened	Lock lead	Generic Wiegand + mechanical
Salto	Lock issuance, key cards, audit logs	New in R2	Lock lead	TTLock + Generic Wiegand
Assa Abloy (generic SDK)	Lock issuance, RFID encoding	New in R2	Lock lead	TTLock + Generic Wiegand
Stripe	Card payments	R1 GA → R2 hardened (more SCA flows)	Payments lead	Direct bank transfer + cash
PayPal	International card + PayPal balance	New in R2	Payments lead	Stripe (where regionally allowed)
AfghanPaisa	MFS in Afghanistan	R1 pilot → R2 GA	Payments lead	Cash + bank transfer
EasyPaisa	MFS in Pakistan	New in R2	Payments lead	Cash + bank transfer
M-PESA (regional aggregator)	MFS in regional cohort	New in R2	Payments lead	Cash + bank transfer
Pamir-Pay	MFS in Tajikistan / Central Asia	New in R2	Payments lead	Cash + bank transfer
Vertex AI	Cloud LLM + embeddings + speech + vision	New in R2	AI lead	ONNX edge for in-scope features; UX hides AI affordances on outage
Twilio	SMS	R1 GA → R2 hardened (per-region routing)	Notifications lead	Local SMS aggregator per market
Resend / SendGrid	Email	R1 GA → R2 dual-provider	Notifications lead	Provider failover automatic
WhatsApp Business	Messaging	New in R2	Notifications lead	SMS + email fallback
Viber	Messaging (regional)	New in R2	Notifications lead	SMS + email fallback
Apple Wallet / Google Wallet	Mobile-key passes	New in R2	Mobile lead	In-app key + RFID fallback
Looker Studio	Embedded BI for tenants	New in R2	BI lead	Static report PDFs

6.3 R1 → R2 migration playbook

Existing R1 tenants migrate into R2 capabilities incrementally; no big-bang.

Step	Trigger	Owner	Notes
1. Region affinity assignment	Per-tenant on M11	SRE	AF/TJ stay in asia-south1; new IR cohort goes to asia-southeast1
2. Chain switcher migration	Per chain operator on M9	Platform	Single-tenant install upgrades to multi-tenant install via in-app prompt; per-tenant credentials remain
3. AI dynamic pricing onboarding	Per tenant from M8	AI lead + field rep	30-day shadow mode; then "Try this?" mode behind opt-in
4. Mobile-key opt-in	Per tenant from M9	Mobile lead	Tenant must accept Apple/Google Wallet ToS; RFID fallback remains
5. Marketing campaigns onboarding	Per tenant from M10	PM + tenant	Opt-in; whitelisted senders required
6. Looker tier upgrade	Per tenant from M10	BI + sales	Higher-tier plan unlocks Looker; lower tier keeps standard reports
7. Lock-vendor migration (Salto / Assa)	Per tenant from M8	Lock lead + vendor	Only for tenants whose existing locks match vendor; brownfield deployments do not change locks
8. PayPal enablement	Per tenant from M10	Payments + tenant	PayPal regional approval required per tenant market

Migration acceptance criteria per step: zero booking-flow incident; zero payment-incident; zero key-issuance incident in the 7 days following the change.

7. Tenant growth program

R2 is the first wave where tenant growth happens with both assisted and self-serve paths. The two paths converge after the pilot phase per tenant.

7.1 Assisted onboarding (chain + larger SMB)

For chain operators and tenants > 50 rooms: field-rep led onboarding similar to R1's playbook but compressed to 14 days. Adds chain configuration, multi-property setup, chain-operator role provisioning, and cross-property dashboard configuration.

7.2 Self-serve onboarding (SMB tier)

For tenants ≤ 50 rooms with a working internet connection and at least one staff member with basic computer literacy:

Day	Activity	Owner
D-7	Tenant signs up via control plane (email, KYC documents uploaded)	Tenant
D-5	Compliance + KYC review (24h SLA)	Compliance
D-5	Approval; tenant enters configuration wizard	Tenant
D-3	Property + rooms + theme draft completed in wizard	Tenant
D-2	Payment provider connect (Stripe + cash + MFS); test transactions	Tenant + Field rep on call
D-1	Field rep video onboarding session; staff training	Field rep + Tenant
D-0	Go-live; first reservations	Tenant
D+14	Field rep check-in; usage review	Field rep + Tenant

Self-serve target: 30% of new SMB tenants in the second half of R2; field-rep approval gate before first live booking remains until a trust signal accumulates.

7.3 Partner channel pilot

Two partner agencies (regional hospitality consultancies) onboard tenants on our behalf under a revenue-share contract. R2 pilots the model; R3 expands it into the full white-label reseller program.

7.4 Cohort composition target at R2 close

Geography	Tenant count
Afghanistan	20
Tajikistan	15
Iran (pilot)	5
Regional secondary (PK, IQ, EG)	10
Total	50

8. Quality gates

R2 inherits R1 gates and tightens them. The release-specific gates below must all be green before R2 close.

8.1 Functional

All R2 epics' acceptance criteria met.
AI dynamic pricing acceptance > 60% per tenant cohort.
AI message-drafting acceptance > 70% per tenant cohort.
Chain switcher used by at least 5 chain operators in production.
Mobile-key pilot live with at least 3 tenants.

8.2 Non-functional

Sync p99 < 5 s under 3G + 5% packet loss + cohort load.
BFF availability SLO 99.9% per BFF per region.
Multi-region failover RTO < 5 min, RPO 0 for non-billing.
Looker dashboard query p95 < 3 s.
AI gateway first-token p95 < 1.5 s on cache miss; < 400 ms on cache hit.
Tenant booking web LCP p75 < 2 s.
Electron cold start < 3.5 s.

8.3 AI

Prompt registry with eval suites; CI gates promotion.
Safety pipeline (pre + post) live; refusal UX in every AI surface.
Per-tenant AI budget enforced; soft-degrade at 80%, hard-stop at 100%.
Per-locale eval (Pashto, Dari, Persian, Tajik, English, Russian) green.
Provenance on every AI artifact; export includes provenance.
Bias eval on dynamic pricing, anomaly recommender; quarterly.

8.4 Security

Two-tenant + chain isolation suite green on every endpoint.
Pen-test #3 + #4 findings closed.
WebAuthn / passkey default for chain-operator accounts.
Sanctions screening live; OFAC + UN + EU lists; daily refresh.
CMEK enabled per tenant for Iran cohort.
Insider-threat monitoring (chain-operator audit) live.

8.5 Multi-tenant + chain

Chain entity model in tenant-service; ABAC predicates evaluated per chain.
Chain-operator JWT carries cid claim plus per-property scope.
Cross-tenant CI test 100% of endpoints; cross-property within chain test 100%.
Per-tenant AI budget visible in tenant settings; per-chain AI budget visible to chain operator.
Theme isolation per tenant verified; no theme leak across tenants in same chain.

8.6 Observability

Dashboards per service per region.
AI-specific dashboards: per-tenant burn, per-feature burn, per-model latency, refusal rate, eval drift.
Sync dashboards per region.
Mobile RUM live for consumer + tenant booking mobile.
On-call rota across 3 timezones; runbooks for every R2 service.

8.7 Documentation

All 17 doc files filled for every R2 service (or stubbed with rationale).
ADRs created for: chain multi-tenant model, Iran exploratory deployment, mobile-key integration, multi-region topology.
Tenant-facing AI policy doc per tenant published in their settings.
Chain operator playbook published.

9. Risks specific to R2

R2 introduces or amplifies several risks; the full register lives in docs/12-risks-and-tradeoffs.md.

9.1 AI cost runaway

Adding 8 AI capabilities across 50 tenants is the single biggest cost-amplification surface in R2. A misconfigured retry policy, a runaway prompt loop, or a hot tenant can multiply Vertex AI cost by 10× in a week.

Mitigations: per-tenant budget; per-feature quota; cache-by-prompt-hash; default-off for net-new features; daily cost alerts; weekly FinOps review; vendor batch APIs where latency tolerates.
Watchpoint: daily AI cost > 2× 7-day moving average per tenant; per-tenant burn > 80% of budget before mid-period.

9.2 Multi-region latency surprises

Sync p99 under cohort load is non-trivial. Cross-region replica lag can affect read consistency. Failover topology has not been exercised at R2 scale.

Mitigations: per-tenant region affinity; replica lag SLO; failover drill in M11; chaos-test cross-region scenarios in staging.
Watchpoint: replica lag > 1 s p95; failover RTO > 5 min on drill.

9.3 Vendor scaling (TTLock, Salto, payment providers)

Vendor APIs that were fine at 5 tenants may degrade at 50. Salto / Assa Abloy contract test fails on production volume. PayPal account holds on Iran-adjacent traffic.

Mitigations: vendor SLA review per vendor; nightly contract tests; fallback adapter; per-vendor circuit breaker; vendor partnership signed before scaling.
Watchpoint: vendor success rate < 99% per attempt; vendor incident notification.

9.4 Iran sanctions posture changes

Iran exploratory deployment depends on sanctions posture not changing materially during R2. A change forces an immediate rollback of the cohort.

Mitigations: per-tenant data classification; Plan B IaC for co-located deployment; legal counsel on retainer; tenant-cohort suspension playbook documented.
Watchpoint: sanctions-list change; OFAC notice; GCP availability change in Iran.

9.5 Chain isolation bugs

Chain multi-tenant adds ABAC complexity. A bug in chain-scope evaluation could expose property A's data to a chain operator authorized for property B but not A.

Mitigations: chain isolation test suite in CI 100% of endpoints; pen-test #4 includes chain scope; ABAC predicate fuzz tests.
Watchpoint: any chain isolation test fail; any chain-operator support ticket about wrong-property data.

9.6 R2 risk-register slice

ID	Description	R2 mitigation
R-MEL-009	GCP region outage	Multi-region from M11
R-MEL-302	Data residency change (Iran)	Per-tenant data classification; Plan B IaC; CMEK
R-MEL-303	KYC mandate change	Per-jurisdiction adapter expansion
R-MEL-403	Card unavailability	PayPal + 4 MFS adapters
R-MEL-501	Pricing model drift	HITL; rate band; shadow model; rollback
R-MEL-502	Hallucinated message text	HITL default; structured generation; round-trip verification
R-MEL-503	AI cost runaway	Per-tenant budget; cache; default-off; FinOps
R-MEL-507	Edge model fairness across locales	Per-locale eval; locale-specific fine-tunes
R-MEL-601	TTLock/Salto API breaking change	Adapter pattern + nightly contract tests
R-MEL-602	Stripe/PayPal regional restriction	Pluggable; per-tenant config; MFS coverage
R-MEL-603	Vertex AI deprecation	AI gateway + multi-provider abstraction
R-MEL-704	On-call burnout	3-timezone rota; runbook quality; weekly health pulse

10. Cost envelope

R2 must demonstrate that per-tenant unit cost decreases as the cohort grows.

10.1 Target monthly GCP cost (50 tenants)

Component	Monthly USD (50 tenants)
Cloud Run (22 services across 2 regions)	~$650
Cloud SQL HA + multi-region replicas	~$520
Memorystore (Redis, 2 GB across regions)	~$110
Pub/Sub	~$80
Cloud Storage (multi-region)	~$60
Cloud Logging/Monitoring/Trace	~$80
Networking (egress, multi-region)	~$120
BigQuery (slot reservation)	~$200
Looker (per-tenant)	~$150
Vertex AI (LLM + embeddings, 50 tenants × 8 features)	~$900
Other (KMS, Secret Manager, Artifact Registry)	~$50
Total	~$2,920
Per-tenant per-month	~$58

R2 target is < $40 USD/tenant/month at 50 tenants. The first cohort will sit at ~$58; we expect that to drop as Cloud SQL HA, Cloud Run min-instance, and BigQuery slot reservations amortize across more tenants.

10.2 AI cost per tenant

Target: < $20 USD/tenant/month for AI capabilities.
Per-tenant budget enforced at $25 default; override per tier.
Hot tenants (> 100 rooms) may consume more; per-tenant tier handles this with higher budget.

10.3 FinOps cadence

Weekly cost review (Founder + SRE + Finance + AI Lead).
Per-tenant cost attribution from M10.
Budget alerts at 80% and 100% per tenant per category.
Quarterly review with Vertex AI account team for committed-use discounts.

11. Dependencies & decision points

11.1 External dependencies

Dependency	Required by	Status / action
Vertex AI capacity in asia-south1 + asia-southeast1	M7	Capacity confirmed via account team
Salto vendor SDK + commercial agreement	M8	Vendor partnership signed
Assa Abloy generic SDK access	M8	SDK access confirmed
PayPal merchant approval per market	M10	Application per market initiated M7
EasyPaisa partner integration	M10	Partnership signed
M-PESA aggregator partnership (regional cohort)	M10	Partnership signed
Pamir-Pay integration	M10	Partnership confirmed
Iran sanctions-aware legal review	M11	Counsel engaged M7; per-tenant approval gate
Looker Studio account + per-tenant provisioning	M10	Account opened M9
WhatsApp Business + Viber per-tenant template approval	M9	Template library reviewed M8
Code-signing cert renewal + EV upgrade	M9	Renewal initiated M7
Apple Wallet + Google Wallet developer accounts	M9	Accounts opened M7; pilot tenants enroll M9

11.2 Decision points

Decision	Latest decision date	Inputs needed
Add 6th Iran tenant (vs. cap at 5 for R2)	End of M11	Cohort stability; sanctions posture
Auto-apply dynamic pricing within rate band per tenant	End of M9	Acceptance > 80% sustained 30 days per tenant
Voice transcription production (vs. stay pilot)	End of M11	Pilot accuracy ≥ 90% per locale
OTA channel manager (vs. defer to long-term)	End of M12	R3 demand; tenant ask; OTA terms negotiated
GCC/Europe expansion in R3 (vs. defer further)	End of M12	R2 outcomes; commercial pipeline

R2 default for each: defer R3+ capabilities unless inputs justify pulling forward. R2 wins by being deep on AI, chain, and geography.

12. Definition of R2 done

R2 is done when all of the following are true.

When all boxes are checked, R2 is closed; R3 begins. R2 retrospective produces written learnings folded into the risk register and the next wave's plan.

1. Vision & Outcomes​

1.1 Vision​

1.2 Outcomes — measurable​

1.3 Vision boundary​

2. Scope (in / out)​

2.1 IN​

2.1.1 New backend services and major capability expansions​

2.1.2 New surfaces and surface expansions​

2.1.3 Lock vendor matrix​

2.1.4 Payments​

2.1.5 AI capabilities (full set)​

2.1.6 Multi-region​

2.1.7 Iran exploratory deployment​

2.2 OUT (deferred to R3 or later)​

3. Epics included​

4. Service rollout​

4.1 Q1 — months 7-9​

Month 7 — AI orchestrator full + chain foundations​

Month 8 — AI capabilities to production + theme editor v2​

Month 9 — Mobile-key + image moderation + remaining AI capabilities​

4.2 Q2 — months 10-12​

Month 10 — Marketing campaigns + Looker + payment expansion​

Month 11 — Multi-region + Iran exploratory deployment​

Month 12 — Self-serve onboarding + partner pilot + hardening​

4.3 R2 ASCII timeline​

4.4 Multi-region GCP topology (target end of M12)​

5. Frontend rollout​

5.1 Design-system and i18n cadence​

5.2 Performance budgets (R2 tightened)​

6. Infrastructure milestones​

6.1 AI capability rollout matrix​

6.2 R2 vendor capability matrix​

6.3 R1 → R2 migration playbook​

7. Tenant growth program​

7.1 Assisted onboarding (chain + larger SMB)​

7.2 Self-serve onboarding (SMB tier)​

7.3 Partner channel pilot​

7.4 Cohort composition target at R2 close​

8. Quality gates​

8.1 Functional​

8.2 Non-functional​

8.3 AI​

8.4 Security​

8.5 Multi-tenant + chain​

8.6 Observability​

8.7 Documentation​

9. Risks specific to R2​

9.1 AI cost runaway​

9.2 Multi-region latency surprises​

9.3 Vendor scaling (TTLock, Salto, payment providers)​

9.4 Iran sanctions posture changes​

9.5 Chain isolation bugs​

9.6 R2 risk-register slice​

10. Cost envelope​

10.1 Target monthly GCP cost (50 tenants)​

10.2 AI cost per tenant​

10.3 FinOps cadence​

11. Dependencies & decision points​

11.1 External dependencies​

11.2 Decision points​

12. Definition of R2 done​