ApiaryLensOpen Source Apiary Intelligence

Authoritative project documentation

MVP Release Gate Checklist

Release: 0.1.0-rc.1
Date: 2026-07-15
Status: Not yet releasable

Pre-Deploy

  • Workspace format, type checks, unit tests, Go tests, builds, and local backup/restore verification pass.
  • Cloudflare Worker and all three public properties are deployed over HTTPS.
  • Public properties use no telemetry and block automatic response transformation.
  • Release artifacts are content-addressed and remotely digest verified.
  • The live PWA/backend identity and manifest identify implementation commit 28dcfaac2261d6395d5b55eac5a5b81f134387fc and UTC build time 2026-07-15T18:57:00.6351700Z.
  • CycloneDX SBOM, license report, and unsigned provenance are published and remotely digest verified with the deployment bundles and Scout Bee executable.
  • Release artifacts and provenance are signed with the approved release identity.
  • Compose and Cloudflare report the same immutable migration head (0003), the ordered Compose migration test passes, a production pre-migration snapshot was captured, and Cloudflare applied 0003 successfully.
  • Complete the seeded-predecessor update, interruption, rollback, and restore scenarios on the isolated Cloudflare and Compose UAT deployments.
  • Automated axe checks report no violations on .org, documentation, .app, the isolated demo, and both .dev entry points; dependency audit reports no known high-severity vulnerabilities.
  • The release-scope threat model and OWASP ASVS 5.0.0 chapter map document implemented, partial, and non-applicable controls without claiming certification.
  • Public MVP verification run 29442732874 passes for release-evidence revision 16ec120c0b5f40653e5149bcb62cd7bccf44a8a7, whose manifest pins product-source revision 28dcfaac2261d6395d5b55eac5a5b81f134387fc, including the secret scan, complete workspace verification, clean Compose image builds, and release checks.
  • The SHA-256-pinned Grype 0.115.0 CI scan reports no unresolved high or critical vulnerability in either Compose runtime image at that revision.
  • Manual keyboard, screen-reader, 200% zoom, and security review evidence has no open critical/high findings.
  • Seven required Lucidchart pages have accessible PNG exports and are cataloged.
  • Confirm the editable Lucidchart source is filed in the dedicated ApiaryLens Lucid folder and complete its final visual-polish review.
  • Hyper-V and isolated Cloudflare UAT targets pass Scout Bee preflight.
  • The isolated Cloudflare family service passes protected bootstrap, roles, all P0 resource types, private media, sync, conflict/idempotency, negative viewer authorization, portable export, destructive restore, session rotation and revocation, atomic bootstrap claiming, and record/media recovery at migration 0004 and runtime revision 037d548.

Deploy

  • Deploy to isolated Cloudflare and Hyper-V UAT targets.
  • Run the complete MVP UAT record on both required profiles.
  • Exercise backup, restore, predecessor update, interrupted update/resume, compatible rollback, keep-data uninstall, and recovery.
  • Verify organization isolation and negative authorization on every scoped route.
  • Verify offline draft, media staging, synchronization, and conflict behavior on iPhone, iPad, and computers.

Post-Deploy

  • Verify health and release identity after a 15-minute observation window.
  • Record quota/cost, install time, device matrix, and all evidence links.
  • Publish final release notes, changelog, support window, known limitations, and recovery guidance.
  • Obtain project-owner acceptance.

Isolated Cloudflare Evidence

The current automated Cloudflare journey is recorded in cloudflare-uat-evidence-2026-07-15-v2.json, with the earlier migration-0003 run retained as historical evidence. After the passing restore, the target remained healthy at migration 0004, bootstrap was closed, both temporary deployment secrets were removed, and only the durable authentication-root secret remained configured. The restored database contained three users, one organization, three memberships, 13 P0 resources, one session, and one atomic bootstrap claim; private R2 held the recovered original and thumbnail. This evidence advances the Cloudflare data-path gate but does not satisfy the remaining combined Cloudflare-plus-Compose or physical-device gates.

Rollback Triggers

Rollback or stop immediately for failed health identity, authentication bypass, cross-organization access, public media, lost pending work, migration error, backup verification failure, restore mismatch, or failure of any critical UAT step.

Was this page helpful?

Ask for help or suggest a documentation improvement in the public project.

Open an issue