CODITECT Pilot Launch Checklist
CODITECT Pilot Launch Checklist
Target Date: December 24, 2025 Status: Pre-Launch (Day 5 COMPLETE + P0/P1 Security Hardening ADDED - Day 5.5 Security NEXT) Days Remaining: 2 Last Updated: December 22, 2025
⚠️ CONFORMANCE GAP ALERT
Security Conformance Score: 42/100 (F grade) - from Dec 21 analysis Action Taken: Added Day 5.5 P0/P1 Security Hardening section (8-12 hours) Reference: E008-SECURITY-COMPLIANCE epic for full enterprise security (post-pilot)
Pre-Launch Checklist (Dec 17-23)
Day 1-2: Infrastructure Setup (Dec 17-18)
Stripe Configuration
- Create Stripe account / verify existing
- Complete business verification
- Add business logo and branding
- Create product: "CODITECT Pilot Starter" ($19/mo)
- Create product: "CODITECT Pilot Professional" ($49/mo)
- Configure prices (monthly + annual)
- Add webhook endpoint:
https://api.coditect.ai/webhooks/stripe - Subscribe to required events
- Configure Customer Portal
- Copy API keys (test + live)
- Copy webhook signing secret
- Test checkout flow with Stripe CLI
GCP Infrastructure
- Create Cloud SQL PostgreSQL instance (
coditect-dbus-central1 RUNNABLE) - Create database and apply schema (
coditectdatabase created) - Create Cloud Run service for API
- Configure VPC connector for DB access
- Set up DNS for api.coditect.ai
- Configure SSL certificate
- Store secrets in Secret Manager:
-
STRIPE_SECRET_KEY(stripe-api-key, 2025-11-24) -
STRIPE_WEBHOOK_SECRET -
DATABASE_URL -
JWT_SECRET(jwt-secret, 2025-11-24)
-
Day 3-4: License Server MVP (Dec 19-20) ✅ COMPLETE
Authentication Endpoints
-
POST /auth/signup- User registration (auth.py) -
POST /auth/login- JWT token generation (auth.py) - Password hashing with Argon2 (auth.py:pwd_context)
- JWT middleware for protected routes (auth.py:get_current_user)
License Endpoints
-
POST /licenses/validate- Validate license + hardware (licenses.py) -
POST /licenses/activate- Activate on device (licenses.py) - License key generation algorithm (licenses.py:generate_license_key)
- Hardware fingerprint validation (licenses.py:hash_hardware_id)
Billing Endpoints
-
POST /billing/checkout- Create Stripe session (billing.py) -
POST /billing/portal- Customer portal session (billing.py) -
POST /webhooks/stripe- Webhook handler (billing.py) - Handle
checkout.session.completed(billing.py) - Auto-create license on payment (billing.py)
Unit Tests
- Auth endpoint tests (tests/test_auth.py)
- License endpoint tests (tests/test_licenses.py)
- Webhook handler tests (tests/test_billing.py)
- 79% code coverage (27/27 tests pass) -
01021d5
Commits:
0fce047- feat: Implement License Server MVP for pilot launch (3,124 lines)01021d5- fix: Resolve async SQLAlchemy and Stripe compatibility issues
Day 5: CLI Integration (Dec 21) ✅ COMPLETE
License Validation in CLI
- License validation on startup (license_client.py)
- Hardware fingerprint generation (fingerprint.py - cross-platform)
-
coditect activatecommand (cli.py) -
coditect license statuscommand (cli.py) - Offline grace period (72 hours) (cache.py)
- Clear error messages (cli.py - colored output)
Client Module Files Created:
client/__init__.py- Module exportsclient/exceptions.py- Custom exception hierarchyclient/config.py- Configuration management (env/yaml/defaults)client/cache.py- Offline cache with 72-hour grace periodclient/fingerprint.py- Cross-platform hardware fingerprintingclient/license_client.py- Async HTTP client with offline fallbackclient/cli.py- Click-based CLI (activate, status, deactivate, info)
Note: Hardware fingerprinting has Docker limitations - use env var mode for containers.
Containerization Strategy (Dec 19) ✅ COMPLETE
MOE Analysis
- 3 analyst agents researched Cloud Run vs GKE Autopilot
- Web search with 2024-2025 sources for current best practices
- MOE judges synthesized findings into final decisions
- Executive summary document created (618 lines)
Decisions
- Pilot: Cloud Run @ $33/month (zero ops overhead)
- Production: GKE Autopilot @ $505/month (50K users)
- Migration trigger: 10K+ users OR 100+ sustained RPS
Deployment Configurations
- Dockerfile: Multi-stage Python 3.11 build
- Cloud Run: service.yaml with auto-scaling 0-10
- GKE: deployment.yaml with HPA (3-20 replicas)
- Terraform: main.tf with full GCP infrastructure
- GitHub Actions: CI/CD pipeline with canary deploys
Documentation
-
docs/Coditect-Containerization-Executive-Summary-Decision.md - Architecture diagrams (3 Mermaid diagrams)
- Migration checklist (7-phase plan)
- Risk matrix (17 identified risks with mitigations)
Commits: 505f5ed - docs: Add containerization strategy executive summary and deployment configs
Developer Containerization Strategy (Dec 19) ✅ COMPLETE
MOE Analysis
- Web search researcher: Kubernetes 2024-2025, OpenTofu, DevContainers
- DevOps engineer: Local/Team/CI-CD container strategies
- Cloud architect: 4-tier licensing architecture design
- MOE judges: Final decisions on all aspects
4-Tier Licensing Model Defined
- Individual: $29/mo (1 user, local Docker, 5 cloud workspaces)
- Team: $99/mo (5 users, CI/CD runner, org dashboard)
- SMB: $499/mo (25 users, SSO, 5 CI runners, GKE namespace)
- Enterprise: $2,499+/mo (100+ users, dedicated cluster, air-gap)
Container Identity Strategy
- Developers: OAuth JWT (Google, GitHub) with 7-day offline grace
- CI/CD: Organization API keys with concurrent limits
- Enterprise: Kubernetes RBAC + NetworkPolicy + mTLS
IaC Decisions
- OpenTofu over Terraform (MPL 2.0 open source)
- Kustomize over Helm (simpler, GitOps-native)
Documentation
-
docs/Developer-Containerization-Executive-Summary.md(435 lines) - Architecture diagrams and Mermaid flows
- Cost analysis (58-98% gross margins)
- Implementation timeline (4 phases)
Commits: 74226cd, ca5a620 - Developer containerization strategy docs
OAuth CLI Implementation (Dec 19) ✅ COMPLETE
OAuth Authentication Module
- Browser-based OAuth 2.0 flow (client/oauth.py)
- Google OAuth provider support
- GitHub OAuth provider support
- PKCE (Proof Key for Code Exchange) security
- Local callback server for token capture
- State parameter for CSRF protection
Credentials Management
- Secure token storage (~/.coditect/credentials.json) (client/credentials.py)
- Access token expiration tracking (15 min default)
- Refresh token support (90 days)
- 7-day offline grace period
- Token validation and status checking
CLI Commands
-
coditect login [--provider google|github]- Browser OAuth login -
coditect logout- Revoke tokens and clear credentials -
coditect whoami- Show logged-in user and session details - Colored output with status indicators
- Session expiration warnings
Client Module Files Created:
client/oauth.py- OAuth 2.0 client with browser callback (458 lines)client/credentials.py- Secure credentials manager (399 lines)client/cli.py- Updated with login/logout/whoami commands
Server OAuth Endpoints
-
POST /api/v1/auth/oauth/callback- Exchange code for tokens (oauth_handlers.py) -
POST /api/v1/auth/oauth/refresh- Refresh OAuth tokens (oauth_handlers.py) - Google OAuth provider support
- GitHub OAuth provider support
- User model OAuth fields (oauth_provider, oauth_provider_id)
- License info returned with tokens
Commits: 71a862f - Client OAuth CLI, 5198c5a - Server OAuth endpoints
Build & Package
- Build CLI for all 6 platforms
- Update version to 1.0.0-pilot.1
- Generate checksums
- Test local installation
Day 5.5: P0/P1 Security Hardening (Dec 21-22) 🔒 NEW
Source: Conformance Analysis - Security Score 42/100 (F grade)
P0 - MUST Have Before Launch (Blocking)
-
Rate Limiting - Prevent brute force attacks
- Add
slowapiorfastapi-limiterdependency - Rate limit
/auth/login: 5 attempts/minute per IP - Rate limit
/auth/signup: 3 attempts/minute per IP - Rate limit
/licenses/validate: 60/minute per license key - Rate limit
/licenses/activate: 10/hour per license key - Return 429 Too Many Requests with retry-after header
- Add
-
Security Headers Middleware - Protect against common attacks
- Add
X-Content-Type-Options: nosniff - Add
X-Frame-Options: DENY - Add
X-XSS-Protection: 1; mode=block - Add
Strict-Transport-Security(HSTS) - Add
Content-Security-Policyfor API responses
- Add
-
Failed Login Protection - Prevent credential stuffing
- Track failed login attempts by email
- Lock account after 5 failed attempts (15 min cooldown)
- Log all failed login attempts with IP
- Send email alert on lockout (optional for pilot)
P1 - Should Have Before Launch (High Priority)
-
Audit Logging - Track security-relevant events
- Log: signup, login, logout, failed_login, license_activate, license_validate
- Include: timestamp, user_id, IP, user_agent, action, result
- Store in
audit_logstable (add to schema) - Retention: 90 days minimum
-
Input Validation Hardening
- Max email length: 254 chars
- Max password length: 128 chars (prevent DoS)
- Max license key length: 50 chars
- Max hardware_id length: 64 chars
- Reject requests with unexpected fields (strict mode)
-
Webhook Security Verification
- Verify Stripe signature on ALL webhook requests
- Log failed signature verifications
- Return 400 (not 401) on invalid signature
-
Error Response Hardening
- Never return stack traces in production
- Use generic error messages for auth failures
- Don't reveal if email exists on signup failure
P2 - Nice to Have (Post-Launch)
- CAPTCHA on signup (reCAPTCHA v3)
- Device fingerprint anomaly detection
- Geographic login alerts
- Two-factor authentication (TOTP)
Estimated Time: 8-12 hours for P0 + P1 Reference: E008-SECURITY-COMPLIANCE epic (full 1,654 tasks for enterprise)
Day 6: Integration Testing (Dec 22)
End-to-End Flow
- Full signup → payment → activation
- License validation across platforms
- Webhook reliability test
- Offline mode test
- Activation limit test
- NEW: Rate limiting verification
- NEW: Failed login lockout test
Platform Testing
- macOS Intel
- macOS ARM (Apple Silicon)
- Linux x64
- Windows x64
- npm install on all platforms
Day 7: Pre-Launch (Dec 23)
Final Verification
- Switch to production Stripe keys
- Verify all API endpoints
- Verify webhook configuration
- Test one real payment (refund after)
- Verify email delivery
Documentation
- Update PILOT-INSTALLATION-GUIDE.md
- Verify CLI help text
- Prepare support FAQ
Monitoring
- Cloud Run monitoring enabled
- Error alerting configured
- Slack/email notifications
Launch Readiness
- Pilot user list ready (50-100)
- Email template ready
- Support email monitored
- Team on standby
Launch Day (Dec 24)
Morning
- Final production check
- Enable ENABLE_PILOT_SIGNUP=true
- Monitor Cloud Run logs
Noon
- Send first batch of invites (25 users)
- Monitor signups in Stripe
- Watch for activation issues
Afternoon
- Send second batch (25 users)
- Respond to support requests
- Fix any critical issues
Evening
- Review day's metrics
- Document any issues
- Plan next day's invites
Post-Launch (Dec 25+)
Day 1 After Launch
- Morning: Check overnight signups
- Review any support tickets
- Send remaining invites
- Monitor conversion rates
Week 1 Review
- Total signups vs target
- Activation success rate
- Payment success rate
- Support ticket volume
- User feedback themes
Quick Commands Reference
# Deploy API
gcloud run deploy coditect-api \
--source . \
--region us-central1 \
--allow-unauthenticated
# View logs
gcloud run logs read --service coditect-api
# Test webhook locally
stripe listen --forward-to localhost:8000/webhooks/stripe
# Trigger test event
stripe trigger checkout.session.completed
# Check database
psql $DATABASE_URL -c "SELECT * FROM licenses LIMIT 5;"
Emergency Contacts
| Role | Contact | Responsibility |
|---|---|---|
| Founder/CEO | Hal Casteel | Final decisions |
| DevOps | TBD | Infrastructure issues |
| Support | 1@az1.ai | User issues |
Success Criteria
| Metric | Target | Critical Threshold |
|---|---|---|
| Signups | 50+ | 25 minimum |
| Activation Rate | 80%+ | 60% minimum |
| Payment Success | 95%+ | 90% minimum |
| Critical Bugs | 0 | 1 max |
| Server Uptime | 99%+ | 95% minimum |
Last Updated: December 17, 2025 Next Review: December 23, 2025 (Pre-Launch)