Production Checklist
Backend
- DATABASE_URL is set as a Cloudflare secret
- ADMIN_API_KEY is set as a Cloudflare secret
- Queue producer and consumer bindings are configured
- Cron trigger is configured for retention cleanup
- rate_limit_counters table exists
- Retention cleanup dry-run works
- Event rate limit test fails on attempt 61 with the default config
- Endpoint create rate limit test fails on attempt 31 with the default config
Security
- SSRF protection rejects localhost, private IPs, metadata hosts, embedded credentials, and non-HTTP protocols
- Payload size limit is enforced
- Fan-out limit is enforced
- Endpoint quota is enforced
- Signed webhooks are enabled
- Secret rotation overlap works
- API keys are never exposed in browser code
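A check for the SSRF item above can be scripted against a validator like the following. This is an added example, not the project's own code: the function name checkEndpointUrl, the reason strings, the metadata host list, and the blocked address ranges are all assumptions chosen for illustration.

```javascript
// Added example. Host list and ranges are assumptions, not the project's own.
const METADATA_HOSTS = new Set(["169.254.169.254", "metadata.google.internal"]);

// Dotted-quad to octets, or null when the host is not an IPv4 literal.
function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((n) => n <= 255) ? octets : null;
}

// Loopback, RFC 1918, link-local, CGNAT and the "this network" block.
function isInternalIPv4([a, b]) {
  return a === 0 || a === 10 || a === 127 ||
    (a === 169 && b === 254) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 192 && b === 168) ||
    (a === 100 && b >= 64 && b <= 127);
}

// Loopback, unspecified, unique-local, link-local, and any IPv4-mapped form.
function isInternalIPv6(bracketed) {
  const h = bracketed.slice(1, -1);
  return h === "::1" || h === "::" || /^f[cd]/.test(h) ||
    /^fe[89ab]/.test(h) || h.startsWith("::ffff:");
}

function checkEndpointUrl(raw) {
  const reject = (reason) => ({ ok: false, reason });
  let url;
  try { url = new URL(raw); } catch { return reject("invalid_url"); }
  if (url.protocol !== "http:" && url.protocol !== "https:") return reject("protocol");
  if (url.username || url.password) return reject("embedded_credentials");
  // The WHATWG parser lowercases the host and rewrites decimal/hex/octal IPv4
  // spellings (e.g. 2130706433) to dotted-quad, so checks see one form.
  const host = url.hostname.replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return reject("localhost");
  if (METADATA_HOSTS.has(host)) return reject("metadata_host");
  const v4 = parseIPv4(host);
  if (v4 && isInternalIPv4(v4)) return reject("private_ip");
  if (host.startsWith("[") && isInternalIPv6(host)) return reject("private_ip");
  return { ok: true, host };
}
```

A string-level check like this does not cover a public DNS name that resolves to an internal address, so the same address test should be repeated on the resolved IP at delivery time and on every redirect hop.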
Documentation
- Quickstart works from a clean tenant
- Signature verification examples are correct
- Error handling page includes common failures
- PowerShell quickstart is up to date
- API reference matches deployed routes