Production Readiness Checklist

Reviewed on: 2026-01-21

This checklist is for internal readiness validation. It does not replace legal, security, or compliance reviews.

Status rules:

  • PASS means there is repository evidence of the requirement (docs, code, or tests).
  • FAIL means evidence is missing or the requirement has not been verified.
  • PASS does not imply production configuration or external audits are complete.
  • Evidence links are repository-relative and may not resolve in published docs.

Global Gates (Required for Release)

| Item | Status | Evidence |
|---|---|---|
| Threat model completed and reviewed | FAIL | threat-model.md |
| Data classification documented (PII/PHI/PCI/Secrets) | PASS | data-handling.md |
| Data flows and egress reviewed and approved | FAIL | data-flows.md |
| Encryption at rest and in transit validated | FAIL | encryption.md |
| Access control and least privilege verified | FAIL | access-control.md |
| Secrets management configured (no secrets in source control) | FAIL | secrets-management.md, secret-scan.log (artifacts/test-results/secret-scan.log) |
| Logging and alerting configured | FAIL | logging-alerting.md |
| Backup and disaster recovery plan tested | FAIL | disaster-recovery.md |
| Rollback plan documented | PASS | rollback-plan.md |
| Incident response plan documented | PASS | incident-response.md |
| Security testing completed (SAST, dependency scan, DAST where applicable) | FAIL | security-testing.md, dotnet-vulnerable.log (artifacts/test-results/dotnet-vulnerable.log), npm-audit/summary.json (artifacts/test-results/npm-audit/summary.json) |
| Performance/load testing completed for expected traffic | FAIL | performance-testing.md |
| Compliance review completed for US and India targets | FAIL | compliance-review.md |

Identity and Access (PrimusSaaS.Identity.Validator)

| Item | Status | Evidence |
|---|---|---|
| All issuers configured and validated (Auth0/Azure AD/Okta/etc.) | FAIL | None |
| Token validation rules verified (issuer, audience, lifetime, signing keys) | PASS | PrimusSaaS.Identity.Validator.Tests.trx (artifacts/test-results/PrimusSaaS.Identity.Validator.Tests.trx) |
| Tenant isolation configured (if multi-tenant) | FAIL | None |
| Refresh token store is durable (not in-memory) | FAIL | None |
| Rate limiting and brute-force protections enabled | FAIL | None |
| Audit logs for auth events enabled | FAIL | None |

Notifications (PrimusSaaS.Notifications)

| Item | Status | Evidence |
|---|---|---|
| Production email provider configured and tested (SMTP or provider adapter) | FAIL | None |
| SMS provider configured and tested (Twilio/SNS/Azure) | FAIL | None |
| Durable queue configured (not in-memory) | FAIL | None |
| Template validation and fallback behavior verified | PASS | Primus.Notifications.Tests.trx (artifacts/test-results/Primus.Notifications.Tests.trx) |
| Delivery failure handling and retries verified | FAIL | None |

Payments (PrimusSaaS.Payments)

| Item | Status | Evidence |
|---|---|---|
| Stripe webhook validation tested with live signatures | FAIL | Primus.Payments.Tests.trx (artifacts/test-results/Primus.Payments.Tests.trx) (unit tests only) |
| PayPal webhook validation tested with verify API | FAIL | None |
| Idempotency storage configured for production | FAIL | None |
| All required event handlers implemented | FAIL | None |
| Error handling and retry policy verified | FAIL | None |

Storage (PrimusSaaS.Storage)

| Item | Status | Evidence |
|---|---|---|
| Provider configured (Azure Blob/AWS S3/Local) | FAIL | Primus.Storage.Tests.trx (artifacts/test-results/Primus.Storage.Tests.trx) (local provider only) |
| Tenant isolation path template validated | PASS | Primus.Storage.Tests.trx (artifacts/test-results/Primus.Storage.Tests.trx) |
| Pre-signed URL expiry validated | FAIL | None |
| Access control and bucket/container policies verified | FAIL | None |

Logging and Audit (PrimusSaaS.Logging / PrimusSaaS.Audit)

| Item | Status | Evidence |
|---|---|---|
| PII masking rules configured and verified | PASS | PrimusSaaS.Logging.Tests.net8.trx (artifacts/test-results/PrimusSaaS.Logging.Tests.net8.trx) (net8 only) |
| Log sinks configured for production (AppInsights/Serilog/NLog/etc.) | FAIL | None |
| Retention and deletion policies documented | FAIL | None |
| Audit trail coverage validated for sensitive operations | FAIL | None |

Feature Flags (PrimusSaaS.FeatureFlags)

| Item | Status | Evidence |
|---|---|---|
| Production provider configured (not only in-memory) | FAIL | None |
| Rollout rules validated | PASS | PrimusSaaS.FeatureFlags.Tests.trx (artifacts/test-results/PrimusSaaS.FeatureFlags.Tests.trx) |
| Kill switch behavior validated | FAIL | None |

Security Core (PrimusSaaS.Security)

| Item | Status | Evidence |
|---|---|---|
| CVE database pipeline configured (local DB provided) | FAIL | None |
| Analyzer configuration validated for build and CI | FAIL | PrimusSaaS.Security.Tests.trx (artifacts/test-results/PrimusSaaS.Security.Tests.trx) (unit tests only) |
| Secret patterns reviewed and tuned for your codebase | FAIL | None |
| Policy engine thresholds reviewed and approved | FAIL | None |

Security AI (PrimusSaaS.Security.AI)

| Item | Status | Evidence |
|---|---|---|
| Default heuristic detectors reviewed | FAIL | PrimusSaaS.Security.AI.Tests.trx (artifacts/test-results/PrimusSaaS.Security.AI.Tests.trx) (unit tests only) |
| Optional: external AI pipeline configured and validated | FAIL | None |
| Remediation agent usage reviewed (human-in-the-loop) | FAIL | None |

Security Reporting (PrimusSaaS.Security.Reporting)

| Item | Status | Evidence |
|---|---|---|
| Report generation validated (JSON/HTML/SARIF) | PASS | PrimusSaaS.Security.Reporting.Tests.trx (artifacts/test-results/PrimusSaaS.Security.Reporting.Tests.trx) |
| PDF provider configured (Primus.PdfGenerator or equivalent) | FAIL | None |
| Compliance mapping disclaimers included in external reports | PASS | SecurityReportGenerator.cs |

Documents and PDF (PrimusSaaS.Documents / PrimusSaaS.PdfGenerator)

| Item | Status | Evidence |
|---|---|---|
| Document rendering tested with your templates | FAIL | Primus.Documents.Tests.trx (artifacts/test-results/Primus.Documents.Tests.trx) (self-test only) |
| PDF provider configured for production (no placeholder output) | FAIL | None |
| Storage and access controls validated | FAIL | None |

AI Copilot (Primus.AI)

| Item | Status | Evidence |
|---|---|---|
| Provider configured (Azure OpenAI/GitHub Models) | FAIL | None |
| Prompt injection detection configured and validated | PASS | Primus.AI.Tests.trx (artifacts/test-results/Primus.AI.Tests.trx) |
| Token budgets and tenant isolation enforced (if multi-tenant) | PASS | Primus.AI.Tests.trx (artifacts/test-results/Primus.AI.Tests.trx) |
| Data egress review completed for AI requests | FAIL | None |

Banking Modules (Primus.Banking.*)

| Item | Status | Evidence |
|---|---|---|
| In-memory providers replaced with durable implementations | FAIL | Primus.IntegrationTests.trx (artifacts/test-results/Primus.IntegrationTests.trx) (integration tests use in-memory providers) |
| External integrations validated (KYC/AML/Transactions) | FAIL | Primus.IntegrationTests.trx (artifacts/test-results/Primus.IntegrationTests.trx) (no external provider validation) |
| Regulatory requirements reviewed (RBI/PCI as applicable) | FAIL | None |

Insurance Modules (Primus.Insurance.*)

| Item | Status | Evidence |
|---|---|---|
| In-memory providers replaced with durable implementations | FAIL | Primus.IntegrationTests.trx (artifacts/test-results/Primus.IntegrationTests.trx) (integration tests use in-memory providers) |
| External integrations validated (claims, fraud, compliance) | FAIL | Primus.IntegrationTests.trx (artifacts/test-results/Primus.IntegrationTests.trx) (no external provider validation) |
| Regulatory requirements reviewed (IRDAI as applicable) | FAIL | None |

Frontend (React/Angular + CLI)

| Item | Status | Evidence |
|---|---|---|
| Component APIs validated against docs | PASS | catalog.md, generate-docs-catalog.py, angular-docs-usage.json (artifacts/test-results/angular-docs-usage.json), react-docs-usage.json (artifacts/test-results/react-docs-usage.json) |
| Accessibility review completed | FAIL | None |
| Security review for client-side data handling | FAIL | None |
| Build and bundle verified for production | PASS | primus-ui-cli.build.log (artifacts/test-results/primus-ui-cli.build.log), primus-react-ui.build.log (artifacts/test-results/primus-react-ui.build.log), primus-angular-ui.build.log (artifacts/test-results/primus-angular-ui.build.log) |
| Real-user smoke test (React + Angular current + Angular legacy) | PASS | real-user-smoke-2026-01-22.log (artifacts/test-results/real-user-smoke-2026-01-22.log), run-2026-01-22T00-08-18-657Z (artifacts/real-user-smoke/run-2026-01-22T00-08-18-657Z) |

Final Release Decision

| Item | Status | Evidence |
|---|---|---|
| All applicable checkboxes above are complete | FAIL | None |
| Release approved by security and compliance stakeholders | FAIL | None |
| Release approved by engineering leadership | FAIL | None |

If any item is not complete, the release is not production-ready.