user-system/docs/team/PRODUCTION_CHECKLIST.md

# 生产级发布清单

版本：3.0  
更新时间：2026-04-02

本清单用于发布前、发布后和对外表述前的最后核查。

## 0. PR 提交前检查（必须通过）

### 0.1 分支与提交

- [ ] 功能分支从 `main` 最新状态拉取
- [ ] 每个提交是可独立验证的最小单元
- [ ] 提交信息格式：`类型: 简短描述`

### 0.2 代码审查

- [ ] 至少 1 人完成代码审查
- [ ] 所有 🔴 阻塞问题已修复
- [ ] 所有 🟡 建议问题已有修复计划

### 0.3 验证矩阵

- [ ] 后端：`go test ./... -count=1` 通过
- [ ] 后端：`go vet ./...` 通过
- [ ] 后端：`go build ./cmd/server` 通过
- [ ] 前端：`npm.cmd run lint` 通过
- [ ] 前端：`npm.cmd run build` 通过
- [ ] 前端：`npm.cmd run test -- --run` 全绿（如改动前端代码）
- [ ] 真实浏览器 E2E：`npm.cmd run e2e:full:win` 通过（如涉及认证/导航/主流程）

### 0.4 文档

- [ ] PR 描述包含变更目的、验证命令及结果、影响范围
- [ ] API 文档已更新（如改动 API）
- [ ] `docs/status/REAL_PROJECT_STATUS.md` 已同步更新（如改变真实结论）

---

## 1. 发布前必须完成

### 1.1 代码与构建

- [ ] `go test ./... -count=1`
- [ ] `go vet ./...`
- [ ] `go build ./cmd/server`
- [ ] `cd frontend/admin && npm.cmd run lint`
- [ ] `cd frontend/admin && npm.cmd run build`

### 1.2 真实浏览器验证

- [ ] `cd frontend/admin && npm.cmd run e2e:full:win`
- [ ] 本轮改动涉及认证、路由、导航、弹窗、防线或主流程时，不得跳过真实浏览器回归

### 1.3 运行时规则核查

- [ ] 非测试代码中无 `panic`
- [ ] 运行时无 mock provider / fake success 路径
- [ ] `smoke` 仅用于诊断，不是运行时依赖
- [ ] 敏感接口仍带 `no-store` 等防缓存头
- [ ] 邮件、短信、文件上传、外部调用均为 fail closed

### 1.4 配置与安全核查

- [ ] release 模式下无占位密钥
- [ ] release 模式下无 localhost OAuth 回调
- [ ] release 模式下无 `*` CORS 放行
- [ ] 真实密钥来自环境变量或密钥管理系统

## 2. 可选但建议同时检查

- [ ] `cd frontend/admin && npm.cmd run test:run`
- [ ] 已同步检查 `docs/status/REAL_PROJECT_STATUS.md`
- [ ] 已同步检查是否需要补证据文档

## 3. 不能夸大的结论

满足本清单，不等于自动满足以下结论：

- [ ] 完整 OS 级自动化已闭环
- [ ] 真实第三方 OAuth live 验证已闭环
- [ ] 外部 Secrets/KMS 已闭环
- [ ] 多环境 CI/CD 密钥分发已闭环
- [ ] 跨历史版本 schema downgrade 回滚证据已闭环

如果上述材料未齐备，必须在发布说明中明确列为剩余缺口。

## 4. 当前项目的主验收路径

当前受支持的真实浏览器主验收路径：

```powershell
cd D:\project\frontend\admin
npm.cmd run e2e:full:win
```

当前可诚实表述的边界：

- 已完成浏览器级真实 E2E 收口
- 未完成完整 OS 级自动化收口

## 5. 发布后 30 分钟内检查

- [ ] 核心登录/登出链路正常
- [ ] 后台主导航正常
- [ ] 关键日志无新增异常
- [ ] 无异常弹窗、popup、page error、401 回归
- [ ] 健康检查正常：
  - `GET /health`
  - `GET /health/live`
  - `GET /health/ready`

## 6. 2026-04-10 多轮 Review 补充检查项

### 6.1 RBAC / 管理员治理改动

- [ ] 涉及 `GetUserRoles`、`AssignRoles`、`CreateAdmin`、`DeleteAdmin`、角色表单或管理员页的改动时，已验证越权读取失败、越权修改失败。
- [ ] 已验证不可自删管理员、不可删除最后一个管理员、不可把系统带入无管理员状态。
- [ ] 已验证角色赋权、管理员创建、管理员删除具备事务性；若失败，数据库状态可回滚到操作前。
- [ ] 已验证未引入绕过 bootstrap 或 service 校验链路的硬编码角色 ID 或默认角色假设。

### 6.2 主入口与测试洁净度

- [ ] 文档声明的主入口命令本身已跑通：`go test ./... -count=1`、`cd frontend/admin && npm.cmd run e2e:full:win`。
- [ ] 若包装脚本、临时缓存、工作目录切换或环境注入失败，已按真实失败处理，而不是拿局部命令绿灯代替。
- [ ] `cd frontend/admin && npm.cmd run test:run` 与 `cd frontend/admin && npm.cmd run test:coverage` 运行后，无 `window.alert`、`window.confirm`、`window.prompt`、`window.open` 调用和 jsdom `Not implemented` 噪声。
- [ ] 如本轮改动把 stub、`not implemented` 或 mock 接口切换为 live 实现，已补充负向权限测试、边界条件测试、失败回滚测试。

## 2026-04-23 Latest Gate Snapshot

Use this section as the current release-facing snapshot for the workspace. If older notes elsewhere in this file conflict with this section, use this snapshot first.

### Re-verified Commands

- `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/DevicesPage/DevicesPage.test.tsx`
- `cd frontend/admin && npm.cmd run test:run -- src/services/webhooks.test.ts`
- `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/WebhooksPage/WebhooksPage.test.tsx`
- `cd frontend/admin && npm.cmd run test:run -- src/services/social-accounts.test.ts`
- `cd frontend/admin && npm.cmd run test:run -- src/services/settings.test.ts src/pages/admin/SettingsPage/SettingsPage.test.tsx src/pages/admin/ImportExportPage/ImportExportPage.test.tsx`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run e2e:full:win`

### Current Honest Release Conclusion

- The supported browser-level acceptance path `cd frontend/admin && npm.cmd run e2e:full:win` is green again in the current workspace.
- The latest green browser run included `admin-bootstrap`, `public-registration`, `email-activation`, `login-surface`, `auth-workflow`, `responsive-login`, `desktop-mobile-navigation`, `user-management-crud`, `user-management-batch`, `role-management-crud`, `device-management`, `login-logs`, `operation-logs`, `webhook-management`, `import-export`, `profile-and-security`, `settings`, and `dashboard-stats`.
- This evidence is sufficient for the supported browser-level gate, but it does not by itself replace the backend full matrix (`go test ./... -count=1`, `go vet ./...`, `go build ./cmd/server`).
- This snapshot also does not prove OS-level automation, live third-party OAuth validation, or external secrets/KMS delivery evidence.

## 2026-04-23 Additional Browser Gate Checks

- [ ] Cursor or list-page changes include a regression proving initial load does not self-trigger `next_cursor` pagination or burst extra requests.
- [ ] Frontend service changes against admin APIs verify exact response-envelope fields in service tests, not only page rendering.
- [ ] Frontend services using the shared HTTP client do not unwrap `data` twice; service tests reflect the real `request()` contract.
- [ ] Playwright selector changes prefer route, heading, role, or labeled-control locators over broad text searches.
- [ ] If suite retry reuses the same backend state, bootstrap or similar one-time preconditions are re-evaluated before rerunning browser scenarios.
- [ ] If a late-suite E2E failure blocks release, the release note records whether the root cause was product behavior, contract drift, selector drift, or browser-runtime instability.

## 2026-04-23 Password Reset Gate Snapshot

### Latest Green Evidence

- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd frontend/admin && npm.cmd run test:run`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && node --check ./scripts/run-playwright-cdp-e2e.mjs`
- `cd frontend/admin && npm.cmd run e2e:full:win`

### Current Honest Release Conclusion

- The current supported browser-level gate is green with `19` scenarios and now includes `password-reset`.
- The same branch state also re-proved the backend full matrix and the frontend unit/lint/build matrix.
- This still does not prove OS-level automation or live third-party OAuth/secrets delivery.

### Additional Checklist Items

- [ ] If a public auth route is conditionally mounted, `/api/v1/auth/capabilities` exposes the same availability bit from the same source of truth.
- [ ] A newly added auth or session browser flow is only accepted after both its targeted run and the full supported browser gate are green.
- [ ] When CDP loses the persistent page late in the suite, fix runner recovery before classifying the gate as inherently flaky.

## 2026-04-23 Permissions CRUD And Full Matrix Snapshot

Use this section first if earlier 2026-04-23 notes in this file conflict with it.

### Latest Green Evidence

- `go test ./... -count=1`
- `go vet ./...`
- `go build ./cmd/server`
- `cd frontend/admin && npm.cmd run test:run`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && node --check ./scripts/run-playwright-cdp-e2e.mjs`
- `cd frontend/admin && $env:E2E_SCENARIOS='permissions-management-crud'; npm.cmd run e2e:full:win`
- `cd frontend/admin && npm.cmd run e2e:full:win`

### Current Honest Release Conclusion

- The current supported browser-level gate is green with `20` scenarios and now includes `permissions-management-crud`.
- The same branch state also re-proved the backend full matrix and the frontend unit, lint, and build matrix.
- This evidence proves the supported browser-level acceptance path in the current workspace. It still does not prove OS-level automation, live third-party OAuth validation, or external secrets or KMS delivery evidence.

### Additional Checklist Items

- [ ] If a frontend service normalizes backend enum values for UI consumption, tests cover the raw backend payload shape, the normalized frontend shape, and outbound write serialization.
- [ ] If a browser scenario succeeds in the page but CDP request or response observers miss the proxied call, runner-level proof records the real in-page fetch result before classifying the product as broken.
- [ ] If a modal-driven CRUD flow depends on an overlay leaving animation, the next user action waits for the modal to stop blocking interaction instead of relying on a broad hidden assertion alone.
- [ ] If `npm.cmd run build` depends on Vite native config loading on Windows, the supported config keeps HTML inputs under an explicit project root instead of relying on wrapper scripts to mask absolute-path errors.

## 2026-04-24 Profile Security Contract Recovery Snapshot

### Latest Green Evidence

- `cd frontend/admin && npm.cmd run test:run -- src/pages/admin/ProfileSecurityPage/ProfileSecurityPage.behavior.test.tsx src/services/profile.test.ts src/services/service_adapters_additional.test.ts`
- `cd frontend/admin && node --check ./scripts/run-playwright-cdp-e2e.mjs`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && npm.cmd run e2e:full:win`

### Current Honest Release Conclusion

- The supported browser-level gate remains green with `20` scenarios after the real `profile-and-security` password-update contract fix.
- This round re-proved the directly affected frontend regression set, lint, build, and the supported browser gate on the same workspace state.
- This round did not re-run the backend full matrix, so backend-wide claims still rely on the latest earlier verified snapshot.

### Additional Checklist Items

- [ ] If a UI form shape differs from the backend write contract, the service adapter must serialize the backend field names explicitly and service tests must pin the exact outbound payload.
- [ ] If a browser runner waits on in-page fetch diagnostics, that wait must be created in the same control flow as the submit action and must not be allowed to outlive a failed click or fill step.

## 2026-04-24 Scenario-Isolated Browser Gate Snapshot

### Latest Green Evidence

- `cd frontend/admin && npm.cmd run test:run -- src/lib/playwright-e2e-scenarios.test.ts`
- `cd frontend/admin && npm.cmd run test:run`
- `cd frontend/admin && npm.cmd run lint`
- `cd frontend/admin && npm.cmd run build`
- `cd frontend/admin && $env:E2E_SCENARIOS='email-activation'; npm.cmd run e2e:full:win`
- `cd frontend/admin && npm.cmd run e2e:full:win`

### Current Honest Release Conclusion

- The supported browser-level gate is green again in the current workspace after changing the wrapper to run each scenario in a fresh browser process while keeping one real backend and one real test database alive.
- The latest green full run executed `21` isolated scenario runs: `admin-bootstrap` plus the `20` steady-state scenarios behind it.
- This evidence proves the documented browser-level acceptance path in the current workspace. It does not by itself prove that the underlying Chromium host-runtime `0x5` issue has disappeared.

### Additional Checklist Items

- [ ] If the host browser runtime is the unstable component, isolate browser processes per scenario before expanding suite-level retries.
- [ ] If the supported gate uses scenario isolation, the wrapper still preserves one real backend, one real frontend server, one real SMTP capture path, and one real test database for the whole run.
- [ ] The scenario list used by the wrapper is derived from the same source as the Playwright runner and is not duplicated manually in release-critical code.

## 2026-04-24 Resource Ownership Authorization Snapshot

### Additional Checklist Items

- [ ] For any owner-scoped resource endpoint addressed by path ID, verify that a non-owner cannot read, update, delete, or privilege-toggle another user's resource through the supported API surface.
- [ ] For the same endpoint family, verify that the service layer re-checks ownership or admin privilege instead of trusting only a handler-level path check.
- [ ] When admin cross-user access is intentional, add one positive regression proving the admin path still works after the IDOR fix.