Use this checklist before every public release. A release is ready only when all required items pass.
-
README.mdandSETUP.mdare accurate and tested from scratch on a clean machine. - Setup scripts (
setup.sh,setup.ps1) are idempotent and complete a full local bootstrap. - Backend and frontend quality checks pass in CI.
- No secrets, local artifacts, or proprietary files are included.
- Security disclosure process exists and is documented.
- Changelog has a clear release summary.
Owner: Maintainer
-
README.mdcontains: project purpose, architecture overview, quick start, troubleshooting, API/docs links. -
SETUP.mdcontains: prerequisites, one-command setup, manual fallback path, troubleshooting, cleanup/reset. - Every command in docs was executed at least once during this release cycle.
- Expected success outputs are documented for key checks:
-
http://localhost:8000/health -
http://localhost:8000/docs -
http://localhost:3000
-
- Internal-only or stale notes are removed from top-level docs.
Acceptance evidence:
- Command transcript or short log attached to PR.
- Reviewer confirms links/commands are valid.
Owner: Maintainer
-
./setup.shworks on Linux/macOS. -
./setup.ps1works on Windows PowerShell. - Re-running setup does not fail and does not duplicate resources.
- Database setup step runs successfully (
python -m scripts.setup.setup_all). - Connection verification passes (
python -m scripts.setup.verify_connections). - Failure messages are actionable (what failed, how to fix).
Acceptance evidence:
- Fresh run output (new environment).
- Re-run output (idempotency check).
Owner: Maintainer
- Backend unit tests pass:
-
cd backend && pytest tests/test_acl_unit.py -q
-
- Frontend lint and build pass:
-
cd frontend && npm run lint -
cd frontend && npm run build
-
- Complex logic has concise comments explaining intent (not obvious line-by-line commentary).
- Dead code, TODO placeholders, and debug prints are removed or converted to tracked issues.
Acceptance evidence:
- CI green on default branch and release PR.
Owner: Maintainer
-
.env,venv,node_modules, and local outputs are not committed. - No API keys, tokens, passwords, or internal endpoints in docs/examples.
-
SECURITY.mdexists with a reporting path and response expectations. - Dependency updates reviewed for critical vulnerabilities.
Acceptance evidence:
- Secret scan output attached to PR.
- Manual spot-check of changed files completed.
Owner: Maintainer
-
CONTRIBUTING.mdexplains setup, coding standards, and PR process. -
CHANGELOG.mdincludes release notes in a consistent format. - Clear issue and PR descriptions used for all release changes.
- Version/tag strategy decided before publishing (for example:
v1.0.0).
Acceptance evidence:
- Reviewer verifies docs are present and usable by a new contributor.
Owner: Maintainer + External tester
- One tester with no prior context follows
README.mdonly. - One tester follows
SETUP.mdonly. - Both can run the app and open API docs without direct support.
- All friction points are fixed or tracked before tag/release.
Acceptance criteria:
- 0 blocker issues.
- No silent setup failures.
- CI passing.