Production launch
NO-GO
F070 · production security
Tracks CSP, iframe sandbox validation, postMessage allowlist, rate-limit fixtures and token redaction regression.
Production launch
NO-GO
Scope
F070 report
Blocked phases
1
Warning phases
0
F070
Security rules are fail-closed until iframe sandbox, CSP, origin allowlist, rate limit and token redaction are proven in browser and backend.
CSP examples
CSP guidance exists but must be tested against real embed domain.
iframe sandbox validation
Sandbox flags are set by loader; browser fixture evidence is pending.
Token redaction regression
No production approval until DOM/URL/screenshot scan passes in Playwright/manual browser QA.
Frontend green gate
Run pnpm install/typecheck/lint/build/test/dev/test:e2e in local or staging.
Backend green gate
Run npm ci, prisma generate/validate, typecheck, lint, test, start/dev and migration check.
Browser/embed QA
Plain HTML, Next.js, WordPress-like, mobile, multi-widget and no-token checks require real browser evidence.
Security/observability evidence
Token redaction, CSP, iframe sandbox, postMessage allowlist and trace id propagation must be proven.
Release/docs evidence
Customer install guides, troubleshooting, known limitations and rollback docs need final review.
Run F066-F075 as a production-track readiness/handoff, then collect real local/staging frontend, backend and browser evidence before RC1 or production launch.