# Public Surface Deployment Checklist

This checklist is a release gate against accidental public exposure of app-only commerce surfaces (catalog, quotes, checkout) on the production web domain. Every item below must hold before a production release ships.

## Required Production Settings

1. `edut.ai` serves landing, legal and trust pages only.
2. The `/store` route is disabled or restricted on the production public domain.
3. `/store/offers.json` is not publicly served in production.
4. Marketplace APIs enforce app/session authentication.
5. Any preview-only route carries a robots header that forbids indexing (exact value under Header and Caching Controls).

## Header and Caching Controls

1. Preview routes return `X-Robots-Tag: noindex, nofollow, noarchive, nosnippet`.
2. Catalog manifests (such as `/store/offers.json`) use a short cache TTL, so a withdrawn or changed offer does not linger in shared caches.
3. Quote responses disable shared caching (`Cache-Control: no-store`) and include anti-replay headers.

## Verification Steps

1. Run an anonymous request to `/store` and confirm checkout is disabled.
2. Run an anonymous request to `/store/offers.json` and confirm it is blocked or unavailable.
3. Confirm a launcher-authenticated session can still fetch the catalog.
4. Confirm the public web page has no links to an active checkout surface.
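The verification steps above, together with the header and caching controls they exercise, as an added example that is not part of this checklist or its project. It runs offline against constructed responses; the quote route `/store/quote`, the anti-replay header names `X-Quote-Nonce` / `X-Quote-Expires`, the 300 s ceiling for a "short" TTL and the placeholder session token are assumptions, not values taken from the checklist.

```python
# Added example: runs the verification steps against constructed responses.
# Assumed, not from the checklist: quote route /store/quote, anti-replay headers
# X-Quote-Nonce / X-Quote-Expires, and 300 s as the ceiling for a "short" TTL.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Headers = Dict[str, str]

@dataclass
class Response:
    status: int
    headers: Headers = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        """Case-insensitive header lookup; '' when absent."""
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), "")

Fetch = Callable[[str, str, Headers], Response]  # (method, path, request headers)
REQUIRED_ROBOTS = {"noindex", "nofollow", "noarchive", "nosnippet"}
BLOCKED = {401, 403, 404, 410}  # statuses accepted as "blocked/unavailable"
MAX_CATALOG_TTL = 300  # assumed ceiling for a "short" TTL, in seconds
QUOTE_PATH = "/store/quote"  # assumed; the checklist names no quote route
LAUNCHER_SESSION = {"Authorization": "Bearer launcher-session-token"}  # placeholder

def robots_directives(resp: Response) -> set:
    return {d.strip().lower() for d in resp.header("X-Robots-Tag").split(",") if d.strip()}

def cache_directives(resp: Response) -> Dict[str, str]:
    """Cache-Control as {directive: value}; value is '' for bare directives."""
    parts = (p.strip().lower() for p in resp.header("Cache-Control").split(","))
    return {k: v for k, _, v in (p.partition("=") for p in parts if p)}

def catalog_ttl_ok(resp: Response) -> bool:
    """no-store, or an explicit TTL <= MAX_CATALOG_TTL; s-maxage wins for shared caches."""
    cc = cache_directives(resp)
    if "no-store" in cc:
        return True
    raw = cc.get("s-maxage") or cc.get("max-age", "")
    return raw.isdigit() and int(raw) <= MAX_CATALOG_TTL

def quote_headers_ok(resp: Response) -> bool:
    cc = cache_directives(resp)
    no_shared_cache = "no-store" in cc or "private" in cc
    anti_replay = bool(resp.header("X-Quote-Nonce")) and bool(resp.header("X-Quote-Expires"))
    return no_shared_cache and anti_replay

def store_links(html: str) -> List[str]:
    """href values pointing into /store, root-relative or absolute."""
    hrefs = re.findall(r'href=["\']([^"\']+)["\']', html, flags=re.I)
    return [h for h in hrefs if re.match(r"(https?://[^/]+)?/store(/|\?|$)", h, flags=re.I)]

def verify(fetch: Fetch) -> Dict[str, bool]:
    """Run the checklist's verification steps; True means the check passed."""
    anon: Headers = {}
    store = fetch("GET", "/store", anon)
    offers_anon = fetch("GET", "/store/offers.json", anon)
    offers_auth = fetch("GET", "/store/offers.json", LAUNCHER_SESSION)
    landing = fetch("GET", "/", anon)
    quote_anon = fetch("POST", QUOTE_PATH, anon)
    quote_auth = fetch("POST", QUOTE_PATH, LAUNCHER_SESSION)
    return {
        # /store is blocked for anonymous callers, or rendered only as a noindex preview
        "store_disabled_anon": store.status in BLOCKED or REQUIRED_ROBOTS <= robots_directives(store),
        "offers_blocked_anon": offers_anon.status in BLOCKED,
        "offers_served_authed": offers_auth.status == 200 and catalog_ttl_ok(offers_auth),
        "no_public_store_links": not store_links(landing.body),
        "quote_blocked_anon": quote_anon.status in BLOCKED,
        "quote_headers_authed": quote_auth.status in (200, 201) and quote_headers_ok(quote_auth),
    }

def release_blockers(results: Dict[str, bool]) -> List[str]:
    """Names of failed checks; any entry blocks the release."""
    return [name for name, ok in results.items() if not ok]

def canned(table: Dict[tuple, Response]) -> Fetch:
    """Offline fetch over constructed responses keyed by (method, path, authenticated)."""
    return lambda method, path, headers: table.get((method, path, "Authorization" in headers), Response(404))

# Constructed responses for a compliant deployment (not captured from edut.ai).
GOOD = canned({
    ("GET", "/store", False): Response(403),
    ("GET", "/store/offers.json", False): Response(403),
    ("GET", "/store/offers.json", True): Response(200, {"Cache-Control": "private, max-age=60"}, '{"offers": []}'),
    ("GET", "/", False): Response(200, {}, '<a href="/legal">Legal</a> <a href="/trust">Trust</a>'),
    ("POST", "/store/quote", False): Response(401),
    ("POST", "/store/quote", True): Response(201, {"Cache-Control": "no-store, private",
                                                   "X-Quote-Nonce": "7f3a", "X-Quote-Expires": "60"}, "{}"),
})

# Constructed responses for a leaky deployment: catalog and quotes reachable anonymously,
# /store rendered with an incomplete robots header, landing page linking into the store.
LEAKY = canned({
    ("GET", "/store", False): Response(200, {"X-Robots-Tag": "noindex"}),
    ("GET", "/store/offers.json", False): Response(200, {"Cache-Control": "public, max-age=3600"}),
    ("GET", "/store/offers.json", True): Response(200, {"Cache-Control": "public, max-age=3600"}),
    ("GET", "/", False): Response(200, {}, '<a href="/store?ref=nav">Shop</a>'),
    ("POST", "/store/quote", False): Response(201, {}, "{}"),
    ("POST", "/store/quote", True): Response(201, {"Cache-Control": "public"}, "{}"),
})
```

`release_blockers(verify(GOOD))` is empty, while `release_blockers(verify(LEAKY))` names all six checks. To run this against a real deployment, replace `canned(...)` with a fetch built on `urllib.request` that returns `Response(status, headers, body)` for both normal and error responses, and put a genuine launcher session token in `LAUNCHER_SESSION`; the check logic itself stays the same.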

## Release Blockers

1. Any production route exposes the active catalog without app/session authentication.
2. Any production route allows anonymous quote creation.
3. Any production route lets preview checkout content be indexed (missing or incomplete `X-Robots-Tag` noindex directives).