From 9c3d3f5b7256147c3f940cc582e71c35dd97f283 Mon Sep 17 00:00:00 2001 From: echo Date: Sun, 29 Mar 2026 15:49:47 +0200 Subject: [PATCH] add release hardening checklist for admin and mobile --- docs/RELEASE_HARDENING_CHECKLIST.md | 68 +++++++++++++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 docs/RELEASE_HARDENING_CHECKLIST.md diff --git a/docs/RELEASE_HARDENING_CHECKLIST.md b/docs/RELEASE_HARDENING_CHECKLIST.md new file mode 100644 index 0000000..b5ff93c --- /dev/null +++ b/docs/RELEASE_HARDENING_CHECKLIST.md 
@@ -0,0 +1,68 @@ +# Release Hardening Checklist + +This checklist is the final validation gate before shipping security and mobile API changes. + +## 1) Pre-Release Validation + +- [ ] Confirm target branch is up to date with `master` +- [ ] Verify no unintended files are staged (`git status --short`) +- [ ] Confirm release notes summarize risky changes (authz, API contracts, caching) + +## 2) Automated Checks + +Run from repository root: + +```bash +npm run typecheck:admin +npm run typecheck:mobile +npm run test:admin +``` + +Run mobile API-focused tests: + +```bash +cd apps/mobile +npm run test -- src/api/__tests__/gyms.test.ts src/api/__tests__/recommendations.test.ts src/api/__tests__/notifications.test.ts +``` + +## 3) Admin Security Spot Checks + +- [ ] Verify non-admin receives `403` on privileged routes +- [ ] Verify unauthenticated requests receive `401` +- [ ] Verify cross-gym actions are denied for non-superAdmin +- [ ] Verify `DELETE /api/users` blocks self-delete for admin users +- [ ] Verify recommendation approval derives approver from auth context (not request body) + +## 4) Mobile Functional Smoke Checks + +- [ ] Sign in as User A and load tabs/profile data +- [ ] Sign out and sign in as User B +- [ ] Confirm no User A data remains in goals, hydration, nutrition, stats, recommendations, notifications +- [ ] Confirm onboarding gym selection and profile save flow still succeed +- [ ] Confirm notifications load and unread count updates after read/delete actions + +## 5) Rollback Plan + +If release incidents occur: + +1. Revert the release commit(s) from newest to oldest. +2. Redeploy reverted build. +3. Validate authentication and onboarding flows. +4. Post incident note with root cause and follow-up action. 
+ +Suggested rollback command pattern: + +```bash +git revert +git revert +``` + +## 6) Deployment Record + +Capture this in PR/release notes: + +- Release date/time: +- Release owner: +- Commits included: +- Validation commands run: +- Known caveats (if any):
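Review bot: the rollback command pattern in section 5 (the two `git revert` lines near the end of the hunk) shows `git revert` with no commit reference, so the step cannot be run as written; either a placeholder was dropped or it was never filled in. Since step 1 says to revert newest to oldest, spell that out in the block, e.g. `git revert --no-edit <newest-release-sha>` followed by `git revert --no-edit <older-release-sha>`, or pass both SHAs to a single `git revert` in that order. Two smaller points in the same hunk: the mobile run in section 2 executes only `gyms.test.ts`, `recommendations.test.ts` and `notifications.test.ts`, so either state why the rest of the `apps/mobile` suite is outside this gate or run `npm run test` without the file list; and the section 3 spot checks name the expected status codes but not the request and role used to produce them, while section 6 asks for "Validation commands run", so record the route and the account used next to each check (for example which admin account issues the `DELETE /api/users` self-delete attempt) so the evidence captured in the deployment record is reproducible.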