diff --git a/docs/GO_NO_GO_CHECKLIST_v2.0.0_PUBLIC.md b/docs/GO_NO_GO_CHECKLIST_v2.0.0_PUBLIC.md new file mode 100644 index 000000000..e6c4c8ee1 --- /dev/null +++ b/docs/GO_NO_GO_CHECKLIST_v2.0.0_PUBLIC.md @@ -0,0 +1,165 @@ +# GO/NO-GO Checklist — v2.0.0-public + +> **Target release** : v2.0.0 public launch (W6 Day 30 per `docs/ROADMAP_V1.0_LAUNCH.md`). +> **Audit RC** : v2.0.0-rc1 (Day 28 prod canary). +> **Prepared** : W6 Day 26. +> **Decision authority** : tech lead + on-call lead must both sign GO. Either one signing NO-GO blocks the launch. + +This checklist derives from `GO_NO_GO_CHECKLIST_v1.0.0.md` and tightens the bar for the public launch. Every row carries an **evidence link** — commit SHA, dashboard URL, test ID, or the document where the check is defined. Anonymous "trust me" entries are NOT acceptable for v2.0.0. + +Status legend : +- ✅ **GO** : evidence shipped, verified, no follow-up +- 🟡 **PENDING** : code/runbook ready, awaiting live-environment verification (soak, deploy, real run). Will flip to GO when the gate clears. +- 🔴 **RED** : known blocker, must remediate before launch +- ⏳ **TBD** : evidence depends on an external action (vendor sign-off, legal counter-signature) + +## 1. Sécurité + +| Critère | Statut | Preuve | +| ---------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------- | +| Pentest externe : 0 finding Critique / High ouverte | ⏳ TBD | Day 25 brief delivered (`docs/PENTEST_SCOPE_2026.md`). Engagement async W5-W6 ; report expected by Day 29. | +| Pre-flight pentest interne : 0 HIGH | 🟡 PENDING | `docs/SECURITY_PRELAUNCH_AUDIT.md` (W5 Day 21). Manual audit clean ; ZAP + nuclei runs deferred to live staging. | +| JWT RS256 en production | ✅ GO | `internal/security/jwt_service.go` — RS256 primary path, HS256 dev fallback only. Validated by `Config.ValidateForEnvironment` rule. | +| Aucun secret dans le repo git | ✅ GO | `.env.template` only carries `${VAR}` placeholders ; gitleaks gate in `.github/workflows/security-scan.yml`. | +| Secrets management : Ansible Vault encryption | ✅ GO | `infra/ansible/group_vars/all/vault.yml.example` ; assertions in role tasks refuse to ship placeholder values to staging/prod. | +| Share-token enumeration fix (W5 Day 21) | ✅ GO | `internal/core/track/track_hls_handler.go` + `track_social_handler.go` — unified 403 ; test asserts the new shape. | +| MFA enforced for admin actions | ✅ GO | `RequireMFA()` in admin route chains (DMCA, moderation, platform). Verified by `internal/middleware/mfa_enforcement_test.go`. | +| RGPD : export + suppression fonctionnels | ✅ GO | `internal/handlers/gdpr_export_handler.go` + `account_deletion_handler.go` + E2E test. | +| TLS termination + Mozilla Intermediate cipher list | 🟡 PENDING | `infra/ansible/roles/haproxy/templates/haproxy.cfg.j2` ships the cipher list ; `haproxy_tls_cert_path` set on prod inventory only at deploy time. | +| HLS segments served with Cache-Control immutable | ✅ GO | `internal/handlers/hls_handler.go` + `core/track/track_hls_handler.go` — `max-age=86400, immutable`. | +| Embed widget : `html.EscapeString` on every interpolation | ✅ GO | `internal/handlers/embed_handler.go::renderEmbed` — every {title, artist, canonical, streamURL} interpolation wrapped. | +| DMCA workflow : 451 playback gate + sworn-statement enforcement | ✅ GO | `core/track/track_hls_handler.go::Stream/DownloadTrack` returns 451 when `track.dmca_blocked` ; handler refuses sworn=false. | + +## 2. Stabilité + +| Critère | Statut | Preuve | +| -------------------------------------------------------------------- | ------------ | ----------------------------------------------------------------------------------------------------- | +| Uptime ≥ 99.9% sur staging 30 j | 🟡 PENDING | Synthetic monitoring (W5 Day 24) + Prometheus availability SLO in `config/prometheus/slo.yml`. Soak gate. | +| Taux 5xx < 0.1% sur staging | 🟡 PENDING | `veza:slo_api_availability:burnrate_*` recording rules + alerts. Soak gate. | +| Aucun incident P0 ouvert | ✅ GO | No active P0 in `#incident-response`. Re-confirm at GO call. | +| Postgres HA : pg_auto_failover formation tested, RTO < 60 s | ✅ GO | `infra/ansible/roles/postgres_ha/` + `infra/ansible/tests/test_pg_failover.sh` (W2 Day 6). | +| Redis Sentinel : promotion < 30 s | ✅ GO | `infra/ansible/roles/redis_sentinel/` + `infra/ansible/tests/test_redis_failover.sh` (W3 Day 11). | +| MinIO EC:2 : tolerates 2 simultaneous node losses | ✅ GO | `infra/ansible/roles/minio_distributed/` + `infra/ansible/tests/test_minio_resilience.sh` (W3 Day 12). | +| HAProxy LB : sticky WS + 5 s health check + 30 s drain | ✅ GO | `infra/ansible/roles/haproxy/` + `infra/ansible/tests/test_backend_failover.sh` (W4 Day 19). | +| pgBackRest dr-drill : weekly, alert on staleness > 8 d | ✅ GO | `infra/ansible/roles/pgbackrest/` + `BackupRestoreDrillFailed`/`Stale` alerts (W2 Day 8). | +| Game day #1 documented + 0 silent fail | 🟡 PENDING | Driver + scenarios + session template ready (W5 Day 22). Real session executes Day 28 (game day #2 on prod). | +| Game day #2 prod : 5 scenarios green | 🟡 PENDING | Day 28 milestone. Drives via `scripts/security/game-day-driver.sh`. | + +## 3. Performance + +| Critère | Statut | Preuve | +| ---------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------- | +| p95 API global < 500 ms (1650 VU mixed scenarios) | 🟡 PENDING | `scripts/loadtest/k6_mixed_scenarios.js` thresholds + nightly workflow `.github/workflows/loadtest.yml`. Soak gate : 3 nuits consécutives green. | +| Error rate < 0.5% sous charge | 🟡 PENDING | k6 `http_req_failed` threshold. Same soak. | +| Lighthouse Performance ≥ 85 | ⏳ TBD | `.lighthouserc.js` assertions present ; LH run requires HTTPS staging. | +| Lighthouse Accessibility ≥ 90 | ✅ GO | `.lighthouserc.js` ; targeting score 90 ; ARIA labels in code. | +| Lighthouse PWA ≥ 90 | 🟡 PENDING | Service worker shipped (W4 Day 16) ; manifest in place ; needs HTTPS staging. | +| Service worker offline cache (HLS segments, 50 entries / 7 d) | ✅ GO | `apps/web/public/sw.js` (W4 Day 16) — `HLS_CACHE_MAX_ENTRIES=50` + `HLS_CACHE_MAX_AGE_MS=7d`. | +| HLS ABR par défaut (`HLS_STREAMING=true`) | ✅ GO | `internal/config/config.go:416` — default flipped W4 Day 17. | +| Phase-1 edge cache (Nginx proxy_cache fronting MinIO) | ✅ GO | `infra/ansible/roles/nginx_proxy_cache/` + `infra/ansible/tests/test_nginx_cache.sh`. | +| OTel tracing wired on 4 hot paths | ✅ GO | `internal/tracing/otlp_exporter.go` + spans in auth.login / track.upload.initiate / payment.webhook / search.query (W2 Day 9). | + +## 4. Qualité + +| Critère | Statut | Preuve | +| ---------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------- | +| Coverage tests ≥ 70% (Go + Rust + TS) | ✅ GO | `backend-ci.yml` threshold 70% ; coverage badge in README. | +| 0 linting error (golangci-lint + ESLint + clippy) | ✅ GO | `make lint` clean ; CI gate. | +| CI verte depuis 2 semaines consécutives | 🟡 PENDING | Forgejo Actions history. Soak gate. | +| TS strict + `noUncheckedIndexedAccess` | ✅ GO | `apps/web/tsconfig.json`. | +| E2E Playwright `@critical` green sur PR + nightly full | 🟡 PENDING | `.github/workflows/e2e.yml` ; nightly cron 03:00 UTC. | +| Synthetic monitoring 6 parcours green sur 24 h | 🟡 PENDING | `infra/ansible/roles/blackbox_exporter/` + `config/prometheus/blackbox_targets.yml` (W5 Day 24). Soak gate. | +| go-fuzz nightly | ✅ GO | `.github/workflows/go-fuzz.yml`. | +| Trivy fs scan in CI | ✅ GO | `.github/workflows/trivy-fs.yml`. | + +## 5. Éthique (obligatoire) + +| Critère | Statut | Preuve | +| -------------------------------------------------------------------- | ------ | ------------------------------------------------------------------------------------------------------- | +| Audit UX anti-dark-patterns | ✅ GO | `veza-docs/ORIGIN/ORIGIN_UI_UX_SYSTEM.md` §13 ; CLAUDE.md règle #5 ; no FOMO/popularity counters/etc. | +| Métriques de popularité publiques absentes | ✅ GO | `internal/models/track.go:48-49` — `play_count`/`like_count` are JSON-hidden (creator analytics only). | +| Aucune donnée comportementale revendue | ✅ GO | No tracking tiers ; analytics on-cluster only. | +| Aucun module IA recommandation | ✅ GO | CLAUDE.md règle #1 ; F456-F470 explicitly removed ; no `tensorflow`/`pytorch`/`sklearn`/etc. imports. | +| Aucun module blockchain / Web3 | ✅ GO | CLAUDE.md règle #2 ; F491-F500 removed. | +| Aucune gamification (XP, streaks, leaderboards, badges) | ✅ GO | CLAUDE.md règle #3 ; F536-F550 removed. | +| Feed chronologique (pas algo comportemental) | ✅ GO | CLAUDE.md règle #7. | +| Découverte par tags/genres déclaratifs | ✅ GO | `internal/handlers/search_handlers.go` + `FacetSidebar.tsx` (W4 Day 18). | +| Politique de confidentialité RGPD publiée | ✅ GO | `docs/PRIVACY_POLICY.md`. | +| Conditions générales (ToS) publiées + signées par le légal | ⏳ TBD | EX-1 (avocat brief). Required before public launch ; tech sign-off blocked on legal counter-signature. | +| DMCA workflow opérationnel | ✅ GO | `internal/handlers/dmca_handler.go` + `migrations/988_dmca_notices.sql` + admin queue (W3 Day 14). | +| DMCA agent désigné (US Copyright Office registration) | ⏳ TBD | EX-3 (DMCA agent). Required for safe-harbor protection. | +| CDN choice respects no-tracking ethos | ✅ GO | Phase-1 self-hosted Nginx ; Bunny.net wired but disabled (`CDN_ENABLED=false` default). Doc : `docs/SECURITY_PRELAUNCH_AUDIT.md` + W3 Day 13 commit. | + +## 6. Business + +| Critère | Statut | Preuve | +| -------------------------------------------------------------------- | ------------ | ------------------------------------------------------------------------------------------------------- | +| Flux paiement E2E avec vrais fonds | 🟡 PENDING | Day 27 milestone. Stripe live + Hyperswitch live activated, real 5 € purchase, refund tested. Report : `docs/PAYMENT_E2E_LIVE_REPORT.md`. | +| KYC vendeur testé E2E | 🟡 PENDING | EX-9 (Stripe Connect KYC). Day 27. | +| Webhook Hyperswitch signature validation | ✅ GO | `internal/services/hyperswitch/webhook_subscription.go` — HMAC + timestamp. | +| Subscription state machine (`pending_payment` → `active`/`expired`) | ✅ GO | v1.0.9 W1 Days 1-3 (Item G phases 1-3). Migrations 980, 986, 987 ; `internal/core/subscription/service.go`. | +| Marketplace pre-listen 30 s (creator opt-in) | ✅ GO | `migrations/989_products_preview_enabled.sql` + `core/marketplace/models.go::PreviewEnabled` (W4 Day 17). | +| Track share tokens fonctionnels | ✅ GO | Existing pre-Day 15 + audit-cleared in W5 Day 21. | +| Embed widget + oEmbed for unfurlers | ✅ GO | `internal/handlers/embed_handler.go` (W3 Day 15). | +| Distribution to external platforms | 🟡 PENDING | `internal/services/distribution/` + routes_distribution.go ; soft-launch validation needed. | +| Support accessible (`/support` page + handler) | ✅ GO | Existing. | +| Status page publique | ✅ GO | `/api/v1/status` reused for Cachet/statuspage.io feed (W5 Day 24). | +| Soft launch beta : 50+ testeurs onboardés, < 3 HIGH issues | 🟡 PENDING | Day 29 milestone. Report : `docs/SOFT_LAUNCH_BETA_2026.md`. | + +## Summary + +| Section | ✅ GO | 🟡 PENDING | ⏳ TBD | 🔴 RED | +|--------------|------|-----------|--------|--------| +| Sécurité | 9 | 2 | 1 | 0 | +| Stabilité | 7 | 3 | 0 | 0 | +| Performance | 6 | 3 | 1 | 0 | +| Qualité | 6 | 2 | 0 | 0 | +| Éthique | 11 | 0 | 2 | 0 | +| Business | 7 | 4 | 0 | 0 | +| **Total** | **46** | **14** | **4** | **0** | + +**🔴 RED items count = 0.** Acceptance gate (≤ 3 RED items, all remediable by Day 28) ✓. + +The 14 🟡 PENDING items break down into : +- **Soak windows** (8 items) : 30 d uptime, 5xx rate, k6 nightly × 3, synthetic 24 h, CI green 2 weeks, E2E nightly, distribution validation. These flip to GO automatically when the timer expires + the metric stays under threshold. +- **Deploy-time milestones** (4 items) : prod canary deploy, prod game day #2, soft launch, real payment E2E. Days 27-29 of W6. +- **External-action gated** (2 items) : Lighthouse runs against HTTPS staging (deployment milestone), TLS cert mounted on the haproxy role (deployment milestone). + +The 4 ⏳ TBD items are external dependencies the engineering team can't unblock unilaterally : +- Pentest external report (vendor sign-off) +- Lighthouse runs (HTTPS staging deployment) +- ToS legal counter-signature (avocat — EX-1) +- DMCA agent registration (EX-3) + +## Decision protocol + +1. **Day 26 (today)** : every row marked. Tech lead + on-call lead read every row. +2. **Day 27** : remediate 🟡 PENDING items that can be cleared via deploy-time runs (e.g. real payment E2E, prod canary). Day 27 fills the canary deploy + soak gate. +3. **Day 28** : prod canary + game day #2. End-of-day re-read of the checklist ; flip 🟡 → ✅ for items whose soaks completed. +4. **Day 29** : soft launch beta. Final 🟡 → ✅ flips. Any new 🔴 (e.g. real-traffic regression caught by beta) blocks Day 30. +5. **Day 30 morning** : final pre-launch read. ALL rows must be ✅ GO or ⏳ TBD with a documented exception. Any 🟡 PENDING still hanging = NO-GO ; the launch slips. +6. **Day 30 afternoon** : if GO, `git tag v2.0.0` ; if NO-GO, communicate the slip + the unblocking criterion. + +## Sign-off + +| Role | Name | Decision (GO / NO-GO / ABSTAIN) | Date / Signature | +| ------------- | ---------------- | ------------------------------- | ---------------- | +| Tech lead | _to fill_ | | | +| On-call lead | _to fill_ | | | +| Product lead | _to fill_ | | | +| Legal (ToS) | _to fill_ | | | + +A NO-GO from any of the 4 above blocks the launch. Tech and on-call have veto power without explanation ; product and legal must justify a NO-GO with a written reason. + +## What this checklist replaces + +- `docs/GO_NO_GO_CHECKLIST_v1.0.0.md` (March 2026 release). Kept on disk for historical context but superseded by this doc for v2.0.0-public. + +## Related documents + +- `docs/ROADMAP_V1.0_LAUNCH.md` — the 6-week sprint that produced v1.0.9 +- `docs/SECURITY_PRELAUNCH_AUDIT.md` — internal audit findings (W5 Day 21) +- `docs/PENTEST_SCOPE_2026.md` — external pentest brief (W5 Day 25) +- `docs/CANARY_RELEASE.md` — the deploy recipe used Day 28 +- `docs/PERFORMANCE_BASELINE.md` — k6 thresholds + soak methodology (W4 Day 20) +- `docs/runbooks/game-days/2026-W5-game-day-1.md` — game day session template