What production-ready means

First define process criticality, user types and volume, required availability, data volume, legal requirements, and tolerated data loss and downtime. Only then can measurable go/no-go thresholds be established.

Product maturity versus implementation quality

Open source, a modern stack, modules, and tests do not guarantee secure configuration, correct custom code, or effective operations. Conversely, implementation risk does not automatically mean a framework defect. Assess the two layers separately.

Identity, authorization, and data isolation

Test sign-in, sessions, access recovery, roles, least privilege, privileged accounts, and tenant and organization isolation. Standard infrastructure supports scoping, but custom routes, queries, and integrations must preserve those boundaries.

Encryption, secrets, and auditability

Verify field-encryption configuration, keys, secret rotation, network paths, action logs, retention, and the ability to reconstruct who changed data, when, and why. The presence of encryption code does not prove that the right fields and keys are protected.

Evidence for this section:

Migrations, backups, and recovery

Test schema and data migrations against a representative copy. Define recovery time objective (RTO) and recovery point objective (RPO), then prove them through a complete restoration exercise. A backup file without a restore test is insufficient evidence.

Monitoring, capacity, deployment, and updates

Define service indicators, alerts, on-call owners, and incident procedures. Test load, service limits, queues, and dependency failure. Each release needs migration planning, compatibility review for extensions, regression tests, and a rollback path.

Ownership, handover, and go/no-go

Name owners for code, infrastructure, data, security, updates, support, and suppliers. Handover should let another team deploy, diagnose, recover, and update the system. Launch only when blockers have positive evidence or an authorized owner explicitly accepts the risk; an unknown blocker means pause.

Scope and production definition

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Product evidence and implementation quality

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Security configuration and threat ownership

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Tenant and organization isolation

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Authentication and authorization

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Encryption, keys and secrets

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Auditability and logging

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Migrations, backups and disaster recovery

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Monitoring and alerting

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Capacity and performance evidence

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Deployment and rollback

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Update and compatibility strategy

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Operating ownership and support

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Exit and handover plan

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Evidence authority and final decision

Red
Missing or negative blocking evidence.
Amber
Partial evidence with explicit remediation.
Green
Evidence reviewed by an accountable owner.

Method, assumptions and limitations

Reviewed 14 July 2026. Product facts were checked against both the public code at the cited repository revision and official documentation. Where documentation and code differ, this guide describes behavior supported by code. Interpretations and recommendations concern implementation work, not product guarantees.

This material is not a quote, audit, certification, or legal, tax, or accounting advice. Edition, enabled modules, configuration, custom code, infrastructure, data, third-party providers, and operating practices affect the outcome.

Submit a correction with the public source and the date checked.