TOMO
Developer Docs
BETA These docs are under partner review. Some features described are roadmap items, not yet shipped. Verify against your sandbox before relying on any contract.

TOMO Sandbox-to-Production Checklist

Audience: every TOMO partner. This is the gate that flips your status from sandbox to live. TOMO admin reviews each item; you cannot self-promote.

Time to review after submission: 24-72 hours.


1. The principle

Sandbox traffic is real-shape but does not reach end users. Production traffic does. The bar between them is verification — TOMO must trust three things before flipping the gate:

  1. You return real, complete data. No placeholders, no Lorem Ipsum, no AI-generated photos.
  2. You honor the contract. What's in your search response is what the user pays + receives.
  3. Your business is legally + operationally legitimate. GSTIN, domain-specific licenses, working customer support.

Every checklist item maps to one of those three. No shortcuts.


2. Universal checklist (applies to every partner regardless of intent)

Account + auth

[ ] Corporate email signup completed
    Signup email is on a domain you own (not gmail.com etc. for org accounts).

[ ] Sandbox client_id + client_secret + customer_id issued and stored in your secrets manager

[ ] Webhook URL saved
    Webhook URL is HTTPS only, TLS 1.2+, public-reachable (not behind a VPN/firewall).

[ ] Webhook signing key stored in your secrets manager
    NOT committed to source control. NOT in plain-text logs.

[ ] At least one test CPC POST sent + received 201 from TOMO
    Verifies your signing logic works.

[ ] HMAC verification implemented on YOUR webhook endpoint
    For when TOMO sends outbound notifications.

Manifest

[ ] Manifest submitted via dashboard or API
[ ] Every declared intent.intent matches _INTENT_CATALOG.md exactly
[ ] Every intent.intent_version matches a live spec version
[ ] Every pricing.min ≥ 0 and ≤ pricing.max
[ ] Every service_area entry validates (canonical city or pincode)
[ ] Every TTBS signal is 0.0-1.0 and reflects honest self-positioning
[ ] Every completion_callback follows the exact pattern
[ ] Every widget_type matches the intent's §9 widget_type
[ ] Manifest reviewed + status: pending_review

MCP / API tools

[ ] All required tools per each intent's §3 implemented
[ ] tools/list returns all tools with full _meta.tomo blocks
[ ] tools/call returns spec-compliant payloads on every tool
[ ] No partial implementations (you didn't skip cancel_* or modify_*)

[ ] HTTPS endpoint, TLS 1.2+
[ ] Bearer token auth implemented + rejecting unauth requests with INVALID_AUTH

[ ] Latency p50 / p95 / p99 within spec for every tool
    Measured during 100-call sandbox load test.

[ ] Idempotency on every create_* tool (booking, ordering)
    Same idempotency_key returns same result.

[ ] Rate limit headers honored (RATE_LIMITED on overshoot)

Response shape compliance

[ ] Every required field per intent §4 populated with real production data
    No fixtures, no Lorem Ipsum, no placeholder photos, no test merchant_ids.

[ ] Every controlled vocabulary in §6 respected
    No free-text drift in enum slots.

[ ] No forbidden fields anywhere in any response
    Specifically: paid_placement_score, ad_bid, sponsored_rank, promotion_priority,
    kickback_amount, referral_fee_kickback, _partner_revenue_share, artificial_urgency_text,
    fake_*_count, auto_inflate_*, ai_generated_photo (must equal false).

[ ] AI-generated photos absent (photo_ai_generated == false on every photo)
    TOMO field-tests by sampling photos and reverse-image-searching.

[ ] Reviews + ratings unrounded floats from real verified events
    No "rounded up to 4.5 for marketing."
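
A pre-submission self-check for the forbidden-field item above, as an added example (not TOMO's ingest validator): it walks a decoded JSON response and reports every forbidden key and every AI-photo flag that is not false. The field names and the two * patterns are copied from this checklist; the sample response, its nesting and the $-style paths are constructed for illustration.

```python
from fnmatch import fnmatchcase

# Names and * patterns copied from the "No forbidden fields" checklist item.
FORBIDDEN = [
    "paid_placement_score", "ad_bid", "sponsored_rank", "promotion_priority",
    "kickback_amount", "referral_fee_kickback", "_partner_revenue_share",
    "artificial_urgency_text", "fake_*_count", "auto_inflate_*",
]
# Flags that may appear in a response but must equal false (both spellings
# used on this page are checked).
MUST_BE_FALSE = {"ai_generated_photo", "photo_ai_generated"}

def scan(node, path="$"):
    """Walk a decoded JSON value; return a list of (path, reason) findings."""
    findings = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if any(fnmatchcase(key, pattern) for pattern in FORBIDDEN):
                findings.append((here, "forbidden field"))
            elif key in MUST_BE_FALSE and value is not False:
                findings.append((here, "must equal false"))
            # Keep descending: forbidden keys can hide inside nested objects.
            findings.extend(scan(value, here))
    elif isinstance(node, list):
        for index, item in enumerate(node):
            findings.extend(scan(item, f"{path}[{index}]"))
    return findings

# Constructed sample response; the shape is an assumption, not the intent spec.
SAMPLE = {
    "listings": [
        {"id": "L1", "price": {"total_inr": 4200.0},
         "photos": [{"url": "https://example.com/a.jpg",
                     "photo_ai_generated": False}]},
        {"id": "L2", "sponsored_rank": 1, "fake_review_count": 120,
         "photos": [{"url": "https://example.com/b.jpg",
                     "photo_ai_generated": True}],
         "meta": {"auto_inflate_rating": True}},
    ]
}

if __name__ == "__main__":
    for where, reason in scan(SAMPLE):
        print(f"{where}: {reason}")
```

Run it over every tool response captured during your sandbox load test; any finding is one of the disqualifying issues listed in section 5.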

Anti-fabrication

[ ] No paid_placement signals anywhere in any field
[ ] No artificial_urgency_text without backing inventory data
[ ] high_demand=true requires inventory.rooms_left ≤ 3 OR demonstrable demand evidence
[ ] No fake review excerpts (review_excerpts.verified_stay = true)
[ ] No commission-based response shaping
    TOMO 1% audit randomly samples your responses + cross-checks against your own
    public website results. Material divergence = breach.
[ ] customer_support claims honest
    customer_support_24x7 == true means a human responds within 5 min
    during all hours. TOMO field-tests during random off-hours.
[ ] All-fees-included pricing
    price.total_inr = sum of all fees. No "resort fee at check-in" surprise.

Compliance docs

[ ] GSTIN uploaded + format-validated (15 chars, state code matches)
[ ] PAN uploaded for the legal entity
[ ] Privacy policy URL live + accessible (test from outside your VPN)
[ ] Privacy policy mentions DPDP 2023 compliance
[ ] Customer support phone reachable (TOMO field-tests during review)
[ ] Customer support email valid + responds within published SLA
[ ] Domain ownership verified
    For multi-team org accounts: DNS TXT record OR email-link to admin@yourdomain.com

Operational readiness

[ ] Audit log of CPC POSTs maintained on your side (7-year retention)
[ ] Runbook for "what to do if TOMO drops us from live pool"
    Latency spike, signature failure, etc. — your team has a checklist.
[ ] Designated technical contact + alternate contact registered
    TOMO ops can reach a human within 4 hours for production incidents.
[ ] Webhook signing key rotation tested
    You know how to rotate without dropping signed POSTs in flight.
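
Webhook HMAC verification that survives a key rotation, as an added example (not TOMO's code) covering both the "HMAC verification implemented on YOUR webhook endpoint" item and the rotation item above. This page does not state the signing scheme, so the example assumes a lowercase hex HMAC-SHA256 over the raw request body and a rotation window in which the verifier accepts both the new and the previous key; the keys and the payload are constructed.

```python
import hashlib
import hmac

# Assumed scheme (not stated on this page): lowercase hex HMAC-SHA256 over the
# raw request body. Confirm encoding and header name against your sandbox.

def sign(key: bytes, raw_body: bytes) -> str:
    return hmac.new(key, raw_body, hashlib.sha256).hexdigest()

def verify_webhook(raw_body: bytes, received_sig: str, active_keys: list) -> bool:
    """Return True if any active key produces received_sig for raw_body.

    active_keys holds the current key plus, only during a rotation window,
    the previous one, so POSTs signed before the switch still verify.
    """
    if not received_sig or not active_keys:
        return False
    received = received_sig.strip().lower().encode("ascii", "ignore")
    ok = False
    for key in active_keys:
        expected = sign(key, raw_body).encode("ascii")
        # Constant-time compare; no early exit, so timing does not reveal
        # which key (if any) matched.
        ok |= hmac.compare_digest(expected, received)
    return ok

# Constructed sample values, not real keys or a real TOMO payload.
OLD_KEY = b"constructed-old-key"
NEW_KEY = b"constructed-new-key"
BODY = b'{"event":"sample","ref":"SAMPLE-1"}'

def rotation_demo() -> dict:
    in_flight = sign(OLD_KEY, BODY)  # signed just before the rotation
    return {
        "overlap_window": verify_webhook(BODY, in_flight, [NEW_KEY, OLD_KEY]),
        "old_key_retired": verify_webhook(BODY, in_flight, [NEW_KEY]),
        "body_tampered": verify_webhook(BODY + b" ", in_flight, [NEW_KEY, OLD_KEY]),
        "new_key_post": verify_webhook(BODY, sign(NEW_KEY, BODY), [NEW_KEY]),
    }

if __name__ == "__main__":
    for case, accepted in rotation_demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

Verify against the exact bytes received, before any JSON parsing or re-serialization, and load the keys from your secrets manager rather than from source as this sample does.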

3. Intent-specific checklists

Each intent's spec §11 adds intent-specific items. Examples:

travel.book_hotel (additions)

[ ] search_availability returns ≥1 valid listing for "Bangalore + 7 days out + 2 guests"
[ ] All §4 required Listing fields populated with real production data
[ ] merchant_id present + Google Place ID format on ≥80% of listings
[ ] price.fees_breakdown sum equals price.total_inr exactly
[ ] get_listing returns valid ListingDetail for any id from a live search response
[ ] create_booking returns booking_ref within SLA p95
[ ] cancel_booking returns refund schedule honoring partial_cancel_schedule
[ ] modify_booking returns new total honoring policies
[ ] LGBTQ+ welcoming + female_safety claims independently verifiable
[ ] Tourism Department or HRAWI registration uploaded (per state)
[ ] Fire safety certificate (per property)
[ ] Property registration certificate (per property)

food.order_delivery (additions)

[ ] search_restaurants_and_dishes returns ≥10 restaurants for "Hyderabad + biryani + 35min ETA"
[ ] All §4 required fields populated with REAL data
[ ] photo_ai_generated == false on every dish + restaurant photo
[ ] FSSAI license number + grade present on every restaurant
[ ] Allergens_present complete
    TOMO sample-tests vs partner's website / regulatory disclosures.
[ ] Nutritional macros present on every dish (calories, protein, carbs, fat, fiber)
[ ] compute_cart_total honors deals, surge, GST exactly
[ ] place_order returns valid order_ref within SLA p95
[ ] track_order returns rider location updates ≤10s old
[ ] cancel_order respects cancellation policy
[ ] FSSAI license uploaded + verified
[ ] All restaurants have an attached health_inspection report

mobility.book_intracity_ride (additions)

[ ] get_ride_estimates returns ≥3 options for "HITEC City → RGI airport, 1 passenger, 2 bags"
[ ] driver_kyc + vehicle_meta truthful + verifiable on demand
[ ] background_check_passed=true backed by partner's KYC vendor
[ ] fitness_certificate + insurance + PUC + permit numbers all valid
[ ] book_ride returns ride_ref + driver assignment within SLA
[ ] track_ride returns driver location ≤5s old
[ ] cancel_ride respects free_cancel_within_minutes window
[ ] update_ride_drop computes revised fare correctly
[ ] Trip share URL works for ≥2h post-completion
[ ] SOS button tested with TOMO ops monitoring
[ ] Aggregator permit certificate uploaded
[ ] State permit covers all cities partner serves

mobility.book_intercity_ride (additions)

[ ] inter_state_permit_valid=true backed by partner's permit registry
[ ] inter_state_permit_states includes pickup AND drop state
[ ] driver_kyc.dl_for_inter_state=true backed by RTO records
[ ] driver_kyc.drug_alcohol_test_iso ≤90 days old at booking
[ ] vehicle_meta.tyre_age_months reasonable (<36 typical)
[ ] route_quality.toll_passes lat/lng accurate (TOMO sample-tests)
[ ] book_intercity_ride returns advance_payment + balance_due correctly

Read your intent's §11 for the complete intent-specific list.


4. Field-test items (TOMO ops actively verifies)

These are NOT self-attestation. TOMO field-team does them:

[ ] Random photo verification: TOMO reverse-image-searches photos
    Photos that match stock libraries or appear elsewhere on the web → flag.

[ ] Customer support call test: TOMO calls during off-hours
    customer_support_24x7 == true means human within 5 min.

[ ] Sample booking + cancellation test
    TOMO ops books a real intent through your sandbox + cancels
    within free-cancel window. Refund must match disclosed schedule.

[ ] 1% live response audit
    Random sample of search responses cross-checked against your public website.
    Material price/availability divergence → breach.

[ ] Sandbox vs production drift test
    After approval, TOMO compares the first 100 production responses against the
    last 100 sandbox responses. Material drop in field-completeness → suspension.

5. Decision matrix

After review, TOMO admin produces one of three outcomes:

Outcome               Meaning                    Your action
APPROVED              All checklist items pass   status flips sandbox → live, traffic starts
REVISIONS REQUESTED   Specific items failed      fix the listed items, resubmit (status stays sandbox)
REJECTED              Disqualifying issues       full re-application required

Disqualifying issues (auto-rejection):

  • Forbidden fields detected in responses
  • AI-generated photos detected
  • Material commission-based response shaping
  • Compliance documents fraudulent or expired
  • Customer support phone non-reachable for 24h post-test
  • HMAC signing implemented incorrectly + cannot be fixed within 30 days
  • Domain ownership unverifiable

Revision-requested issues (fixable):

  • Missing some §4 required fields → populate them
  • Latency p95 over spec → optimize
  • Privacy policy URL down → bring it up
  • Manifest TTBS signals materially divergent from observed → reset to honest values
  • Some intent-specific compliance docs missing → upload them

6. Probationary period

Newly approved partners enter a 30-day probation:

  • Lower TTBS weight floor (effectively rank-capped at #3 in any matched pool)
  • Daily completion-rate review by TOMO ops
  • Any anti-fabrication breach during probation → instant suspension + re-application required
  • Successful 30 days → full live status, normal ranking

Probation is invisible to users. They see your listings ranked normally. The cap is internal.


7. Ongoing operational gate

Live status is not permanent. TOMO continuously monitors:

SLA compliance:        latency p95 within spec
Completeness:          no drop in §4 field population
Anti-fab compliance:   1% audit results
Customer support:      response time within SLA
Compliance docs:       still current (no expired licenses)
Customer ratings:      no sustained drop below 4.0/5
Dispute rate:          < 2% of completed intents

Drop below threshold → you're moved to "live_caution" (rank-capped). Sustained drop → suspended pending re-review. Two-strikes → permanent ban.


8. Re-application after rejection

If rejected outright, the cooldown is 30 days before you can re-apply. During cooldown, fix the disqualifying issues. Re-apply by:

  1. Submit a new sandbox account with the SAME corporate email + same legal entity
  2. Reference the previous rejection in notes: "Previous rejection on YYYY-MM-DD; fixed items: [list]"
  3. Submit fresh sandbox tests demonstrating the fixes
  4. Wait for re-review

Triple rejection on the same legal entity → permanent ban. TOMO does not maintain a queue for serial fraudsters.


9. The mental model

Sandbox is yours. Iterate as much as you want, no traffic, no risk. Production is users'. TOMO's brand is anti-fabrication, real-data-only, transparent commerce. Production access requires you to honor that brand.

The checklist is not bureaucracy. It's the price of being part of a marketplace where users trust the rankings.


10. References

  • Per-intent §11: every file under docs/intents/
  • Per-intent §12 (anti-fabrication rules): every file under docs/intents/
  • TOMO ingest validator: server/routes/businessTier1.ts + server/lib/mcp-connector/projector.ts
  • Admin review surface: components/admin/AdminReviewQueue.tsx

Built by AUTOMOBNXT · DPIIT Recognised Startup · 2026.