What production-ready means
First define process criticality, user types and volume, required availability, data volume, legal requirements, and tolerated data loss and downtime. Only then can measurable go/no-go thresholds be established.
Product maturity versus implementation quality
Open source, a modern stack, modules, and tests do not guarantee secure configuration, correct custom code, or effective operations. Conversely, implementation risk does not automatically mean a framework defect. Assess the two layers separately.
Identity, authorization, and data isolation
Test sign-in, sessions, access recovery, roles, least privilege, privileged accounts, and tenant and organization isolation. Standard infrastructure supports scoping, but custom routes, queries, and integrations must preserve those boundaries.
Encryption, secrets, and auditability
Verify field-encryption configuration, keys, secret rotation, network paths, action logs, retention, and the ability to reconstruct who changed data, when, and why. The presence of encryption code does not prove that the right fields and keys are protected.
Migrations, backups, and recovery
Test schema and data migrations against a representative copy. Define recovery time objective (RTO) and recovery point objective (RPO), then prove them through a complete restoration exercise. A backup file without a restore test is insufficient evidence.
Monitoring, capacity, deployment, and updates
Define service indicators, alerts, on-call owners, and incident procedures. Test load, service limits, queues, and dependency failure. Each release needs migration planning, compatibility review for extensions, regression tests, and a rollback path.
Ownership, handover, and go/no-go
Name owners for code, infrastructure, data, security, updates, support, and suppliers. Handover should let another team deploy, diagnose, recover, and update the system. Launch only when blockers have positive evidence or an authorized owner explicitly accepts the risk; an unknown blocker means pause.
Scope and production definition
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Product evidence and implementation quality
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Security configuration and threat ownership
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Tenant and organization isolation
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Authentication and authorization
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Encryption, keys and secrets
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Auditability and logging
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Migrations, backups and disaster recovery
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Monitoring and alerting
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Capacity and performance evidence
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Deployment and rollback
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Update and compatibility strategy
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Operating ownership and support
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Exit and handover plan
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Evidence authority and final decision
- Red
- Missing or negative blocking evidence.
- Amber
- Partial evidence with explicit remediation.
- Green
- Evidence reviewed by an accountable owner.
Method, assumptions and limitations
Reviewed 14 July 2026. Product facts were checked against both the public code at the cited repository revision and official documentation. Where documentation and code differ, this guide describes behavior supported by code. Interpretations and recommendations concern implementation work, not product guarantees.
This material is not a quote, audit, certification, or legal, tax, or accounting advice. Edition, enabled modules, configuration, custom code, infrastructure, data, third-party providers, and operating practices affect the outcome.
Primary source collections: code repository, documentation, public releases.
Submit a correction with the public source and the date checked.