ApiaryLensOpen Source Apiary Intelligence

Authoritative project documentation

MVP Release Gate Checklist

Release: 0.1.0-rc.1
Date: 2026-07-15
Status: Not yet releasable

Pre-Deploy

  • Workspace format, type checks, unit tests, Go tests, builds, and local backup/restore verification pass.
  • Cloudflare Worker and all three public properties are deployed over HTTPS.
  • Public properties use no telemetry and block automatic response transformation.
  • Release artifacts are content-addressed and remotely digest verified.
  • The live PWA/backend identity and manifest identify implementation commit 037d54881f79a9381212b94d4d382dc716bbdffc and UTC build time 2026-07-15T19:54:48.2706596Z.
  • CycloneDX SBOM, license report, and unsigned provenance are published and remotely digest verified with the deployment bundles and Scout Bee executable.
  • All deployment artifacts, Scout Bee, SBOM, license report, and provenance are keylessly signed by the approved repository workflow identity, transparency logged, independently verified, and byte-equal to the public CDN copies.
  • Compose and Cloudflare report the same immutable migration head (0004), the ordered Compose migration test passes, a production pre-migration snapshot was captured, and Cloudflare applied 0004 successfully.
  • Complete the seeded-predecessor update, interruption, rollback, and restore scenarios on the isolated Cloudflare and Compose UAT deployments.
  • Automated axe checks report no violations on .org, documentation, .app, the isolated demo, and both .dev entry points; dependency audit reports no known high-severity vulnerabilities.
  • The release-scope threat model and OWASP ASVS 5.0.0 chapter map document implemented, partial, and non-applicable controls without claiming certification.
  • Public MVP verification run 29446576722 passes for release-evidence revision f1cac5548f9376f4ab706fc343b185d037d34545, whose manifest pins product-source revision 037d54881f79a9381212b94d4d382dc716bbdffc, including the secret scan, complete workspace verification, clean Compose image builds, and release checks.
  • The SHA-256-pinned Grype 0.115.0 CI scan reports no unresolved high or critical vulnerability in either Compose runtime image at that revision.
  • Automated WCAG 2.1 A/AA scans and live browser-controlled structural, responsive, icon, and 44-by-44-pixel target checks pass on the public .org, .app, and .dev entry surfaces at 375- and 320-pixel widths.
  • Manual keyboard, screen-reader, 200% zoom, and security review evidence has no open critical/high findings.
  • Seven required Lucidchart pages have accessible PNG exports and are cataloged.
  • All cataloged editable Lucidchart sources are filed in the dedicated ApiaryLens Lucid folder; the seven-page operational source was verified and moved there on 2026-07-15 without changing its document ID.
  • Final Lucidchart visual-polish review passes after the three pages with recorded label and connector collisions were rebuilt, filed, re-exported, and visually rechecked; rejected drafts are outside the authoritative folder.
  • The released Scout Bee Windows executable passes a secret-redacted, pinned release preflight against the isolated Cloudflare UAT resources.
  • The Hyper-V UAT target passes Scout Bee preflight; the combined target gate remains open until that independent run succeeds.
  • The isolated Cloudflare family service passes protected bootstrap, roles, all P0 resource types, private media, sync, conflict/idempotency, negative viewer authorization, portable export, destructive restore, session rotation and revocation, atomic bootstrap claiming, and record/media recovery at migration 0004 and runtime revision 037d548.

Deploy

  • Deploy to isolated Cloudflare and Hyper-V UAT targets.
  • Run the complete MVP UAT record on both required profiles.
  • Exercise backup, restore, predecessor update, interrupted update/resume, compatible rollback, keep-data uninstall, and recovery.
  • Verify organization isolation and negative authorization on every scoped route.
  • Verify offline draft, media staging, synchronization, and conflict behavior on iPhone, iPad, and computers.

Post-Deploy

  • Verify production release identity after a 15-minute observation window.
  • Record the dated Cloudflare quota/cost baseline and planning assumptions.
  • Record install time, device matrix, and all remaining evidence links.
  • Publish final release notes, changelog, support window, known limitations, and recovery guidance.
  • Obtain project-owner acceptance.

Isolated Cloudflare Evidence

The current automated Cloudflare journey is recorded in cloudflare-uat-evidence-2026-07-15-v2.json, with the earlier migration-0003 run retained as historical evidence. After the passing restore, the target remained healthy at migration 0004, bootstrap was closed, both temporary deployment secrets were removed, and only the durable authentication-root secret remained configured. The restored database contained three users, one organization, three memberships, 13 P0 resources, one session, and one atomic bootstrap claim; private R2 held the recovered original and thumbnail. This evidence advances the Cloudflare data-path gate but does not satisfy the remaining combined Cloudflare-plus-Compose or physical-device gates.

The current released Scout Bee Cloudflare preflight is recorded in scout-bee-cloudflare-preflight-2026-07-15-v2.json, with the pre-refresh run retained as historical evidence. Release-signing evidence is recorded in release-signing-evidence-2026-07-15.json. The production observation and provider-allowance baseline is recorded in cloudflare-family-cost-and-observation-2026-07-15.md.

Rollback Triggers

Rollback or stop immediately for failed health identity, authentication bypass, cross-organization access, public media, lost pending work, migration error, backup verification failure, restore mismatch, or failure of any critical UAT step.

Was this page helpful?

Ask for help or suggest a documentation improvement in the public project.

Open an issue