Operator checklist

Go-live checklist.

96 tasks covering infrastructure, money, product flow, support, legal, and launch day — everything needed to ship Rewrite successfully. Check items off as you go (saved in this browser). Sort and filter the table below. Customer App Store / Google Play steps live separately in the launch guide.
API diagnostics →Stripe checklist ↗Render deploy ↗Native-direct roadmap ↗Shipped inventory ↗

Progress

/ 96

Loading saved checkmarks… · Saved in this browser only

Showing 96 tasks · 0 done in this view · Click column headers to sort

  • criticalInfrastructure

    Chromium installed in API build (Playwright)

    Build command includes `PLAYWRIGHT_BROWSERS_PATH=0 npx playwright install chromium`. Service env has `PLAYWRIGHT_BROWSERS_PATH=0`.

    Verify: Guided live URL capture completes (not stuck on Playwright executable missing).

    deploy-render.md

  • criticalInfrastructure

    API service deployed on Render (`rewrite-backend-api`)

    Production API runs `node dist/cli.js serve` from repo root with Node 20. Auto-deploys from `main`.

    Verify: Open your API URL — JSON at `/` shows `name: rewrite-api`.

    deploy-render.md

  • criticalInfrastructure

    Marketing + guided UI deployed (`rewrite-web`)

    Next.js app in `web/` serves meetrewrite.com and talks to the API.

    Verify: Homepage loads; guided flow can reach the API (no CORS errors in browser console).

    deploy-render.md

  • criticalInfrastructure

    `REWRITE_WEB_APP_URL` points at the public site

    Stripe Checkout and OAuth return users to `/guided/:id`, not raw API JSON.

    Verify: After test checkout, browser lands on meetrewrite.com guided step — not an API error page.

    deploy-render.md

  • highInfrastructure

    GitHub CI green on `main` before trusting production

    `ci.yml` runs tests, Next build, and Playwright guided smoke.

    Verify: Latest `main` commit shows green checks in GitHub.

    github-actions-in-plain-english.md

  • highInfrastructure

    Custom domain on API (e.g. api.meetrewrite.com)

    After attaching, set `NEXT_PUBLIC_REWRITE_API_URL` on web to the custom API URL (not the ephemeral `*.onrender.com` slug).

    Verify: `GET /health` works on the custom API hostname.

    deploy-render.md

  • highInfrastructure

    Custom domain on web service (meetrewrite.com)

    Attach domain in Render; DNS points to Render; HTTPS cert active.

    Verify: Browser shows valid HTTPS at your public marketing URL.

    deploy-render.md

  • highInfrastructure

    `REWRITE_PUBLIC_BASE_URL` set to public API URL

    Used for Stripe fallbacks, GitHub OAuth callback, and native bundle API base hints.

    Verify: OAuth redirect and webhook URLs use the intended host.

    .env.example

  • mediumInfrastructure

    Render service names match `render.yaml`

    Name drift can spawn duplicate API services and miswire `NEXT_PUBLIC_REWRITE_API_URL`.

    Verify: Dashboard shows `rewrite-backend-api` + `rewrite-web` — not an extra mystery API.

    render.yaml

  • criticalSecurity

    `REWRITE_API_KEYS` set (long random secrets)

    Without this, anyone on the internet can hit heavy API routes.

    Verify: `GET /health` → `auth.apiKeysRequired: true`. Unauthenticated session create fails in prod.

    deploy-render.md

  • criticalSecurity

    `REWRITE_ENFORCE_PROD_API_KEYS=true`

    Server refuses to boot without API keys in production.

    Verify: Set in Render env (also default in `render.yaml`).

    render.yaml

  • criticalSecurity

    `REWRITE_JWT_SECRET` (≥ 32 random chars)

    Signs browser sign-in tokens for account-owned sessions.

    Verify: `GET /health` → `auth.acceptsUserJwt: true`. Sign-in flow persists across refresh.

    .env.example

  • criticalSecurity

    No live secrets committed to git

    Keys live in Render dashboard / private `.env` only.

    Verify: Repo scan + `.gitignore` covers `.env`.

  • criticalSecurity

    `REWRITE_ALLOW_PAYMENT_STUB=false` in production

    Dev shortcut that marks sessions paid without charging must stay off.

    Verify: Render env + `render.yaml` both say false.

    render.yaml

  • highSecurity

    Admin access restricted

    GitHub JWT + allowlist and/or `REWRITE_ADMIN_PASSWORD` for `/admin` routes.

    Verify: Non-admin account gets forbidden on `/admin`.

    .env.example

  • highSecurity

    `REWRITE_ENCRYPTION_KEY` for stored GitHub tokens

    64 hex chars (32 bytes) — recommended when private repo clone is enabled.

    Verify: Private repo flows work without passing `gitToken` every request.

    .env.example

  • highSecurity

    GitHub OAuth app configured

    `GITHUB_CLIENT_ID` + `GITHUB_CLIENT_SECRET`; callback URL matches API.

    Verify: Sign in with GitHub completes; user row appears in `/admin`.

    .env.example

  • highSecurity

    Local path scan disabled in production

    `REWRITE_ALLOW_LOCAL_PATH_SCAN` must stay unset in prod.

    Verify: Arbitrary folder scan routes return disabled in production.

  • highSecurity

    `REWRITE_SERVER_API_KEY` on web service

    One value from API `REWRITE_API_KEYS` — used for investor deck PDF and server-side calls.

    Verify: Investor deck PDF download works from `/investor-package`.

    deploy-render.md

  • mediumSecurity

    Rate limits see real client IP behind Render

    `REWRITE_TRUST_PROXY=1` or `RENDER=true` (auto).

    Verify: Heavy-route rate limits behave under load balancer.

    .env.example

  • criticalData & persistence

    Persistent disk on API (`REWRITE_DATA_DIR`)

    URL capture PNGs, sim previews, support tickets, and file sessions live on disk — ephemeral temp dirs lose them on restart.

    Verify: Disk mounted; env points at mount path. Capture assets still load after redeploy.

    deploy-render.md

  • criticalData & persistence

    PostgreSQL connected (`REWRITE_DATABASE_URL`)

    Sessions, users, and payments survive API restarts.

    Verify: `GET /health` → `auth.database: true`. Create session, redeploy, session still there.

    deploy-render.md

  • highData & persistence

    Postgres backup / restore plan documented

    Render offers automatic backups on paid tiers — know how to restore.

    Verify: You can answer: where is the DB backup and who can restore it?

    database.md

  • highData & persistence

    Support tickets persist across deploys

    Ticket JSON under `$REWRITE_DATA_DIR/support-tickets/`.

    Verify: Create ticket via `/contact`, redeploy API, ticket still in `/admin` inbox.

    support-operator-setup.md

  • mediumData & persistence

    Optional: S3 for sim-preview (multi-instance)

    If you scale API horizontally or skip persistent disk for previews.

    Verify: `REWRITE_SIM_PREVIEW_S3_BUCKET` set; asset URLs work after instance swap.

    sim-preview-production.md

  • criticalPayments

    Stripe live webhook before real charges

    Separate live-mode endpoint + `STRIPE_WEBHOOK_SECRET_LIVE` (or single secret if live-only).

    Verify: Live Dashboard webhook shows successful deliveries after a real test charge.

    stripe-production-checklist.md

  • criticalPayments

    Flip `REWRITE_STRIPE_MODE=live` only when intentional

    Live charges real money. Confirm `/health` mode + no `modeMismatchWarning`.

    Verify: `GET /health` → `stripe.mode: live`, `activeKeyIsLive: true`.

    stripe-production-checklist.md

  • criticalPayments

    Stripe test mode end-to-end verified

    Deposit checkout → webhook → session unlocks next guided steps.

    Verify: Test card completes; payment events appear on `/status` session diagnostics.

    stripe-production-checklist.md

  • criticalPayments

    Stripe test webhook configured

    Dashboard → Webhooks → `POST …/api/v1/webhooks/stripe` with signing secret in env.

    Verify: `GET /health` → `stripe.webhookSecretsConfigured: true` in test mode.

    stripe-production-checklist.md

  • highPayments

    Deposit + balance flow matches pricing page

    25% deposit ($50 floor); balance after approvals. Marketing `/pricing` in sync with `src/estimate.ts`.

    Verify: Walk one session: deposit → approve → balance checkout amounts match quote.

    Pricing page

  • highPayments

    Both test + live Stripe keys on host (optional but recommended)

    `STRIPE_SECRET_KEY_TEST` + `STRIPE_SECRET_KEY_LIVE` + `REWRITE_STRIPE_MODE`.

    Verify: Switch mode without redeploying different key sets.

    stripe-production-checklist.md

  • highPayments

    Refund playbook tested (admin internal refund)

    Support inbox can issue partial refunds; Stripe receipt trail intact.

    Verify: Dry-run refund on test session; customer email + session state update.

    support-agent-handbook.md

  • mediumPayments

    Care plan Stripe products (if selling support tiers)

    We Care / We REALLY Care / VIP monthly prices wired in `support-packages.ts`.

    Verify: Optional add-on at checkout creates subscription in Stripe Dashboard.

  • mediumPayments

    100% promo codes for comps (investors / friends)

    Live mode rejects test cards — use Stripe coupons + promotion codes for free passes.

    Verify: Checkout shows promo field; `INVESTOR*` code completes at $0.

    stripe-production-checklist.md

  • criticalAI & build pipeline

    OpenAI API key current (polish + build load-bearing)

    All polish tiers default to GPT-5.4. Expired key = hard 401 (no fallback if key present but invalid).

    Verify: Free preview polish completes; check API logs for 401s.

    AGENTS.md LLM section

  • criticalAI & build pipeline

    Live URL capture runs real Chromium (not stub)

    `REWRITE_URL_CAPTURE` unset or `real` in production — stub is for CI/dev only.

    Verify: Capture produces real PNGs from customer live site.

    .env.example

  • highAI & build pipeline

    Android Compose translation enabled (unless intentionally off)

    `REWRITE_COMPOSE_POLISH_ENABLED` — both platforms should match approved SwiftUI.

    Verify: Android handoff zip contains polished Compose, not only deterministic fallback.

    android-pipeline.md

  • highAI & build pipeline

    Fallback provider keys (Anthropic / Gemini)

    Safety net when primary provider fails — only helps when primary key is missing, not expired.

    Verify: At least one backup key set if OpenAI is sole provider.

    AGENTS.md LLM section

  • highAI & build pipeline

    Native integration coverage enforced in prod

    `REWRITE_NATIVE_INTEGRATION_COVERAGE_ENFORCED=true` blocks hollow integration Swift.

    Verify: Full bundle for session with Stripe/Firebase/etc. includes wired generators.

    full-native-integrations.md

  • highAI & build pipeline

    `REWRITE_NATIVE_DIRECT_PREVIEW=true` on API (native Swift/Kotlin pilot)

    After repo scan, generates real SwiftUI + Compose via AppSpec (`src/native-direct/`). Guided UI shows Native-direct preview card; CLI: `rewrite local sync --native-direct`. Default off until you flip this flag.

    Verify: Repo guided session: scan completes → card shows generating → ready; `GET …/native-direct/project.zip?platform=ios` returns a zip when ready.

    native-direct-roadmap.md

  • highAI & build pipeline

    `REWRITE_LLM_POLISH_ENABLED` intentionally set

    Disabling skips AI preview polish — know the tradeoff before launch.

    Verify: Preview step produces expected quality for your tier promise.

    .env.example

  • highAI & build pipeline

    Preflight compile workflow wired (optional hard gate)

    GitHub `preflight-build.yml` + PAT + env vars; Step 12 advisory or blocking.

    Verify: Preflight card on Step 12 dispatches workflow; status returns to API.

    next-build.md

  • mediumAI & build pipeline

    LLM daily budget cap configured

    `REWRITE_LLM_DAILY_BUDGET_USD` prevents runaway spend.

    Verify: Budget file path documented; alert if cap hit during busy day.

    .env.example

  • mediumAI & build pipeline

    Visual fidelity gate policy chosen

    `REWRITE_NATIVE_VISUAL_GATE` defaults to **block** at pass floor 80 (Jun 2026). Use `warn` only if Mac fidelity loop is not run for every session.

    Verify: Ship-readiness blocks when approved screens lack Simulator proof; `tests/fidelity-gate.test.mjs` green.

    .env.example

  • criticalGuided product flow

    Handoff zip opens and builds locally

    iOS Xcode project + Android Gradle project; README + store guides included.

    Verify: Download zip from paid session; `xcodebuild` / `./gradlew assembleDebug` succeed.

    ios-ship-checklist.md

  • criticalGuided product flow

    Per-screen preview approval before full build

    Customer must approve looks; compare decisions if guardrail enabled.

    Verify: Generate full bundle blocked until approvals + payment gates pass.

  • criticalGuided product flow

    Full guided smoke path on production API

    Scan → capture → inspection → preview → pay (test) → handoff download.

    Verify: Run `npm run test:e2e:prod:headed` or manual walkthrough with test Stripe.

    AGENTS.md e2e

  • highGuided product flow

    Account sign-in owns sessions

    Anonymous sessions OK for demo; real customers should sign in so work persists.

    Verify: Signed-in user sees session list on `/account`; session survives logout/login.

  • highGuided product flow

    Both iOS + Android zips deliver after full payment

    `?platform=android` handoff; pricing always includes both.

    Verify: Same session yields two zips; Android smoke Gradle build passes.

    android-ship-checklist.md

  • highGuided product flow

    Inspection checklist blocks contract when required

    Unresolved rows gate sign & pay; bulk approve path tested.

    Verify: Try to sign contract with open checklist — blocked with clear message.

  • highGuided product flow

    Local truth CLI — Simulator / emulator proof

    `rewrite local sync/run` — handoff zip path, or **`--native-direct`** when native-direct preview is enabled (downloads generated Swift/Compose project, no deposit handoff).

    Verify: Copy-paste command from guided UI works on Mac with Xcode (iOS) or Android Studio (emulator).

    native-direct-roadmap.md

  • highGuided product flow

    Native-direct pilot smoke (repo path)

    Connect repo → scan → free preview step shows Native-direct card → `rewrite local doctor && rewrite local sync --session … --api … --native-direct` → `rewrite local run`. Browser phone preview still runs in parallel until P0 primary swap.

    Verify: One real repo session reaches `nativeDirectPreview.status=ready` and compiles locally (Mac for iOS).

    native-direct-roadmap.md

  • highGuided product flow

    Private GitHub repo path tested

    OAuth + encrypted token clone — or clear copy that zip-only is required.

    Verify: Private repo scan succeeds for allowlisted test repo.

  • highGuided product flow

    Ship-readiness endpoint matches UI blockers

    `GET …/ship-readiness` — single source for what's blocking delivery.

    Verify: UI Refresh blockers matches API JSON for a stuck session.

    api-v1.md

  • mediumGuided product flow

    Delivery-ready email notifications

    `REWRITE_DELIVERY_EMAIL_NOTIFICATIONS_ENABLED` + Resend from address.

    Verify: Full payment triggers customer email with handoff link.

    .env.example

  • highSupport & ops

    Admin can find user sessions

    Search users, list sessions, design trace panel for debugging.

    Verify: Lookup test customer by GitHub login; open their session.

  • highSupport & ops

    Escalation email + admin inbox workflow

    `REWRITE_SUPPORT_ESCALATION_TO` — you get pinged when bot escalates.

    Verify: Force escalation on test ticket; email arrives; case visible in admin.

    support-operator-setup.md

  • highSupport & ops

    Resend email configured

    `REWRITE_RESEND_API_KEY` + verified `REWRITE_DELIVERY_EMAIL_FROM` domain.

    Verify: Send test email from `/admin`; arrives in inbox (not spam).

    support-operator-setup.md

  • highSupport & ops

    Support chat loads product docs

    API reads `docs/support-knowledge-base.md` + bundled vision/journey/checklists.

    Verify: Ask `/contact` chat a pricing question — accurate answer, not generic fallback.

    support-knowledge-base.md

  • highSupport & ops

    Support docs deployed with API

    After product changes, redeploy API so chat picks up new facts.

    Verify: Recent FAQ change reflected in chat answer without code deploy lag.

    support-knowledge-base.md

  • mediumSupport & ops

    Support agent handbook reviewed by operators

    Scripts, escalation matrix, env troubleshooting.

    Verify: Team knows where handbook lives and when to use internal refund.

    support-agent-handbook.md

  • mediumSupport & ops

    `/status` diagnostics usable for support

    Health, session ship-readiness, payment events — paste session ID.

    Verify: Support can diagnose stuck payment from status page alone.

  • lowSupport & ops

    Optional Slack webhook for escalations

    Free Incoming Webhook — additive to email.

    Verify: Escalation posts to `#rewrite-support` when URL set.

    support-operator-setup.md

  • criticalLegal & marketing

    Pricing page matches engine quotes

    Tier anchors, deposit %, both platforms included — sync with `estimate.ts`.

    Verify: Spot-check three repo sizes: UI quote matches API estimate band.

    Pricing page

  • criticalLegal & marketing

    Privacy policy live (`/privacy`)

    Covers data collected in guided flow, payments, support chat.

    Verify: Link in footer; content matches actual data practices.

  • criticalLegal & marketing

    Terms of service live (`/terms`)

    Deposit, scope, refund boundaries, delivery expectations.

    Verify: Contract step references terms; footer link works.

  • highLegal & marketing

    Contact / support path obvious

    `help@meetrewrite.com` or `/contact` — reachable from guided errors.

    Verify: Error states link to human help.

  • highLegal & marketing

    Main path copy is plain language

    Prospects grasp look + behavior before pay; jargon in collapsibles only.

    Verify: Read `/start` and step 1 as a non-dev — no scary internal terms upfront.

    product-customer-voice.md

  • highLegal & marketing

    What we ship page sets honest expectations

    Fully functional native promise, Apple/Google work customer owns.

    Verify: No one-button full rewrite claims; launch guide linked.

    product-customer-voice.md

  • mediumLegal & marketing

    Site analytics disclosed (if enabled)

    Privacy policy mentions analytics; cookie/consent if required in your jurisdictions.

    Verify: Privacy policy section exists if `SiteAnalytics` is on.

  • mediumLegal & marketing

    Changelog updated for launch release

    Customers see what changed since last public milestone.

    Verify: Recent ship features listed on `/changelog`.

  • highQuality & CI

    Native-direct verify workflow in CI

    `.github/workflows/native-direct-verify.yml` — generates from fixture, compiles **generated** iOS (macOS) + Android (Linux) output. Runs on `src/native-direct/**` changes.

    Verify: Latest push to `main` with native-direct paths shows green `generate-and-test`, `android-build`, `ios-build` jobs.

    native-direct-roadmap.md

  • highQuality & CI

    Playwright guided smoke in CI

    Linux Chromium against `/guided` with test API.

    Verify: `ci.yml` Playwright job green on main.

  • highQuality & CI

    `npm test` green locally and in CI

    Build + broad API/unit coverage before every merge to main.

    Verify: Latest CI run passed all test jobs.

  • highQuality & CI

    Next.js production build succeeds

    `npm run web:build` — no type errors or missing env at build time.

    Verify: CI Next build job green.

  • mediumQuality & CI

    Android Gradle smoke in CI

    Generated kitchen-sink project compiles when Android template changes.

    Verify: `android-smoke.yml` green when relevant paths change.

  • mediumQuality & CI

    Design fidelity spot-check on real customer shape

    Run fidelity scoring on representative site before promising 99%.

    Verify: At least one dogfood session scores pass on hero screens.

  • mediumQuality & CI

    iOS template smoke (macOS CI when template changes)

    Optional `ios-smoke.yml` on `template/ios/` changes.

    Verify: Last template change built on macOS runner.

  • mediumQuality & CI

    Marketing site mobile UX pass

    Header, footer, guided entry, pricing readable on phone.

    Verify: Manual iPhone Safari pass on top 5 routes.

  • mediumQuality & CI

    Outcome e2e run before major launch (manual)

    Full handoff zips + Simulator/Maestro — burns macOS minutes.

    Verify: `npm run test:e2e:outcome` or manual workflow dispatch succeeded recently.

    AGENTS.md e2e outcome

  • criticalGo-live

    Production `/health` all green

    Stripe mode, webhooks, database, auth flags as expected.

    Verify: Open API `/health` JSON — no warnings you don't understand.

  • criticalGo-live

    One real customer-shaped dry run (you as customer)

    Your repo or URL, real payment, full handoff — end to end.

    Verify: You received zip, opened in Xcode, app runs on device.

  • criticalGo-live

    Switch Stripe to live mode

    Only after test path verified. Update `REWRITE_STRIPE_MODE` + live webhook.

    Verify: Small real charge ($1 or internal) completes and unlocks session.

    stripe-production-checklist.md

  • highGo-live

    Watch API logs first hour after announce

    Render logs + Stripe Dashboard + admin inbox.

    Verify: Operator on call; escalation email audible.

  • highGo-live

    Human on call for first 48 hours

    Support inbox + email + optional Slack monitored.

    Verify: Calendar block; phone notifications on for escalation email.

  • highGo-live

    Rollback plan documented

    Redeploy previous Render commit; flip Stripe back to test if needed.

    Verify: You know which Render deploy to roll back to within 5 minutes.

  • mediumGo-live

    Launch announcement ready

    Email list, social, Product Hunt, etc. — links to `/start`.

    Verify: UTM links work; `/start` loads fast on cold Render wake.

  • mediumGo-live

    Rate limits enabled on expensive routes

    `REWRITE_RATE_LIMIT_ENABLED` default on — protects LLM/capture/bundle.

    Verify: Burst test doesn't take down API for other users.

  • highPost-launch

    Stripe payouts + session state reconcile

    Every successful charge matches unlocked session in admin.

    Verify: Weekly Stripe export vs session payment events — no orphans.

  • highPost-launch

    Daily support ticket triage

    Admin inbox zero escalations older than 24h.

    Verify: Morning routine documented.

  • mediumPost-launch

    LLM + Render capacity plan

    Upgrade instance tier if cold starts or polish queue hurt conversion.

    Verify: Decision criteria written (p95 latency, daily spend cap hits).

  • mediumPost-launch

    Point customers to store launch guide after handoff

    TestFlight / Play internal testing — `/launch-guide` + zip guides.

    Verify: Handoff step links launch guide; customers know Apple/Google is on them.

    Customer launch guide

  • mediumPost-launch

    Update FAQ + handbook from launch learnings

    New objections and failure modes go into support-knowledge-base.

    Verify: At least one FAQ add within first week.

  • mediumPost-launch

    Track funnel metrics week 1

    Start → scan → deposit → handoff conversion; drop-off steps.

    Verify: Spreadsheet or analytics dashboard with daily numbers.

  • lowPost-launch

    Groom `next-build.md` from launch feedback

    Prioritize P1 functional gaps vs P2 fidelity vs P3 UX.

    Verify: Top 3 post-launch engineering items captured.

    next-build.md

  • lowPost-launch

    Ship post-launch fixes to changelog

    Transparency builds trust after hotfixes.

    Verify: Hotfix deploy noted on `/changelog`.