Go/No-Go Checklist V0.1
Every item below is a blocking gate. V0.1 cannot ship until all criteria are validated.
API & Security
All security criteria are CI-blocking — they must pass in automated tests before merge.
| # | Criterion | Validation |
|---|
| 1 | SLO targets met | k6 load test (3 tenants x 4 locales x 10k articles): API p95 < 300ms, p99 < 600ms, error < 1%. Measured at api-nginx level. |
| 2 | JWT strict validation | iss/aud/azp/sub verified, access token only (id_token forbidden), JWKS with circuit breaker, double-KID rollover, cross-env/tenant tokens refused, clock skew +/-120s. |
| 3 | Collection security | Doctrine Filter global ON for all reads, no line-level voters on collections, cross-tenant query tests passing. |
| 4 | QueryFilterEnforcer | HTTP requests fail-fast (500) if tenant filter OFF. CLI exemptions whitelisted and tested. GET out-of-tenant returns 404, WRITE returns 403. |
| 5 | Public projections | /v1/public/* uses distinct DTO whitelists, anonymous access, complete Vary headers. Edge strips Authorization (fallback: 403 + no-store). Zero PII in responses (CI test). |
| 6 | Preview one-time tokens | /v1/preview/* with X-Preview-Token header (HMAC-SHA256), Redis SETNX+TTL, TTL max 5 min, no-store, replay refused, UA unfurlers blocked, X-Robots-Tag: noindex. |
| 7 | State Processor | tenantId injected server-side on POST/PUT/PATCH. Malicious tenantId in request body silently ignored. |
| 8 | ETag / If-Match | Strong ETag via CanonicalJsonNormalizer, If-Match on PUT/PATCH. CONCURRENCY_STRICT flag (V0.1=0 warnings, V0.2=1 blocking). Non-regression tests passing. |
| 9 | RFC 7807 errors | All 4xx/5xx responses conform to application/problem+json (unique schema). |
| 10 | Pagination | X-Total-Count + Link headers (RFC 5988). Sort/filter working on all list endpoints. |
Front-Office
| # | Criterion | Validation |
|---|
| 11 | CSP hash-only | No unsafe-inline, no nonce. CI grep fails on unhashed inline. Playwright XSS test passes. |
| 12 | Performance budgets | Lighthouse CI hard-fail: JS ≤ 180KB (+20% V0.1), CSS ≤ 60KB (+20% V0.1), LCP ≤ 2.0s desktop / 2.5s mobile. No hardcoded hex colors (lint). |
| 13 | Hreflang + CLS | Correct hreflang tags for all locales. CLS approximately 0. |
Infrastructure
| # | Criterion | Validation |
|---|
| 14 | Docker Compose health | All containers healthy. /healthz pings DB + JWKS cache + clock skew + exposes ICU version. |
| 15 | OpenAPI contract | /v1 export in CI, x-openapi-rev header, /contract-hash endpoint. FO/BO hash verification. Spectral linting OK. |
| 16 | CDN invalidation | Surrogate-Key headers exposed via CORS. Slug-level invalidation if needed. Plan B: pattern-based purge documented. |
| 17 | Rate limiting | Auth/public keys RGPD-safe (SHA-256 + pepper), Retry-After header, whitelists, quotas per role, structured logging. Pepper rotation tested. |
| 18 | Backups | Daily full backup + WAL. Monthly restoration test on shadow DB passing. 30-day retention. |
Status
This checklist is a living document. Each criterion must be signed off by the responsible team lead before V0.1 release.
| Team | Owner | Status |
|---|
| API (1-10) | Backend team | Pending |
| Front-Office (11-13) | Frontend team | Pending |
| Infrastructure (14-18) | DevOps | Pending |
