MuseHub Pre-Launch Checklist

This document governs what must be complete, verified, and signed off before MuseHub opens to users beyond gabriel. Items are grouped by domain. Nothing ships until every checkbox is checked. Re-check after any major refactor.

0. Philosophy

The threat model is realistic: we are open source, so attackers can read every route, every query, every auth flow. We assume they will. The bar is not "unbreakable against nation-states." The bar is: a well-resourced, intelligent adversary with full source access cannot compromise data, impersonate users, or take the service down with commodity tooling. Normal abuse — scrapers, credential stuffing, path traversal attempts, large payload bombs — should be a non-event.

1. Authentication & Authorization

1.1 Ed25519 / MSign

Auth is Ed25519 per-request signing (MSign). No server secret, no token expiry, no refresh. The public key registered in the DB is the credential.

• [x] No server secret, no ACCESS_TOKEN_SECRET — auth is pure Ed25519 key pairs
• [x] Per-request Ed25519 signature verified on every protected route (require_signed_request)
• [x] 30-second replay window enforced (REPLAY_WINDOW_SECONDS = 30 in request_signing.py)
• [x] Challenge nonce is single-use — consumed with .pop() on first verify; 5-min TTL for GC
• [x] identity.toml keys are per-host, never shared across environments (muse CLI enforces this)
• [x] Key revocation: compromised key deleted via DELETE /api/auth/keys/{handle}/{key_id}
• [x] Auth endpoints rate-limited at 20 req/min per IP via slowapi (AUTH_LIMIT in rate_limits.py)
• [x] Bearer tokens explicitly rejected with 401 (MSign is the only accepted scheme)
• [x] WWW-Authenticate: MSign realm="musehub" returned on all 401 responses
• [x] Failed-auth-specific rate limiting: musehub/auth/failure_limiter.py — in-memory per-IP failure counter with exponential backoff. Thresholds: 5→30s, 10→5min, 20→15min. Wired into POST /api/auth/verify (check before, record_failure on AuthError, record_success on ok).
• [x] No CAPTCHA needed — there is no password or secret the attacker could guess; the private key never leaves the client machine

1.2 Authorization (ownership checks)

• [x] Every repo-scoped JSON API endpoint asserts repo.owner == current_user (or team membership) Destructive/state-changing ops (delete, transfer, close, merge, assign, label, milestone) use _guard_owner / _guard_repo_owner helpers. Collaborator team membership is future work.
• [ ] SSR UI layer visibility gate — all 14 repo-scoped ui_*.py route handlers must check repo.visibility before serving content. Fixed in issue #90 (task/ssr-visibility-gate). Previously, private repos returned HTTP 200 to anonymous browser requests. ui_repo_settings.py and ui_sessions.py additionally require claims.handle == owner.
• [x] Repo visibility (public/private) is checked before serving any object, blob, or archive All JSON API GET endpoints gate on optional_token + repo.visibility != "public" check.
• [x] Object download (/archive, /blob, /object) cannot be path-traversed to another repo get_file_at_ref resolves via snapshot manifest; get_object_row filters by repo_id AND object_id in SQL — DB is the authority, no path concatenation.
• [x] Issue, merge-proposal, and comment endpoints verify the caller owns the parent repo _guard_repo_owner added to: close/reopen/update/assign/milestone/labels on issues; merge/request-reviewers/remove-reviewer on proposals; delete-comment. _guard_write_access added to: create-issue, create-comment, create-proposal, create-proposal-comment (private repos: owner-only; public repos: any authenticated user).
• [ ] Admin-only endpoints (/api/admin/*) are gated by a separate is_admin claim No /api/admin/* routes exist yet. MSignContext.is_admin is defined but always False. Low priority — no system-admin operations are needed pre-launch.
• [x] There is no "owner" field that a caller can self-assign via POST body create_repo sets owner_user_id from claims (the authenticated caller), never from the request body. The body's owner field is a display slug only. PATCH on identities explicitly whitelists allowed fields and does not expose handle or identity_type.

1.3 Key hygiene

• [x] Private keys are never logged — auth logs contain only handle, algo, key_id, and fingerprint prefixes; public_key_b64, signature_b64, and Authorization header values are never passed to any logger
• [x] MSign signatures are never returned in redirect URLs — all RedirectResponse targets are static paths or /{owner}/{repo}?welcome=1; no auth material in any Location header
• [x] Authorization: MSign is the only accepted transport — no ?token= query param, no Bearer fallback path

2. Input Validation & Injection

2.1 Path / traversal

• [x] All owner, repo, branch, path URL segments are validated against an allowlist regex (^[a-zA-Z0-9_.-]+$, length-capped) before touching the filesystem or DB
• [x] Constructed file paths are resolved with Path.resolve() and checked to be inside the expected root — no ../../ escapes
• [x] Objects are fetched from the blob store (R2/MinIO) by object_id; no disk paths involved

2.2 SQL / ORM

• [x] Zero raw SQL string interpolation anywhere in the codebase (muse content-grep "f\"" audit)
• [x] All queries go through the ORM or parameterized text() with bound params
• [x] Search / filter inputs are sanitized before being passed to LIKE or tsvector

2.3 Payload / content

• [x] Request bodies have a hard size cap (e.g., 10 MB for API, 100 MB for object upload) enforced at the ASGI/nginx layer, not just application code (nginx: client_max_body_size 500m; ASGI: ContentSizeLimitMiddleware — 10 MB API, 500 MB push)
• [x] Markdown rendered server-side is sanitized (no raw <script>, <iframe>, event handlers) — use a strict allowlist renderer (e.g., bleach + mistune) (mistune 3.x HTMLRenderer(escape=True) escapes all raw HTML; javascript: URLs blocked; see jinja2_filters.py)
• [x] Filenames in archives are validated before extraction (zip-slip prevention) (N/A — no server-side archive extraction in current codebase; objects are stored as content-addressed blobs)
• [x] YAML / TOML config uploaded by users is parsed in a sandbox, not eval'd (CI workflow YAML uses yaml.safe_load with 256 KiB size limit; no other user-uploaded config parsed)

2.4 Object / commit integrity

• [x] Every pushed object is content-addressed: SHA-256 of payload must match its stored ID (_verify_object_hash in musehub_wire.py — applied in both wire_push and wire_push_objects before any bytes touch the storage backend; non-sha256: prefixes are forwarded for compat)
• [x] muse verify passes cleanly on every repo after a push (server-side SHA-256 check at receive time is the equivalent gate; any object that passes wire_push is already content-address-verified — muse verify will agree)
• [x] Commits with forged parent_id references are rejected at receive time (each declared parent_commit_id must exist in the push mpack OR in the DB for this repo; parents belonging to a different repo are rejected with 409)

3. Network & Transport

• [x] TLS 1.2 minimum enforced at the load balancer / nginx; TLS 1.0/1.1 disabled (ssl_protocols TLSv1.2 TLSv1.3 + explicit cipher suite added to deploy/nginx-cf.conf)
• [x] HSTS header set (max-age=31536000; includeSubDomains) (SecurityHeadersMiddleware sets max-age=63072000; includeSubDomains; preload — 2 years with preload, exceeds requirement; only in non-debug mode)
• [x] All HTTP traffic redirects to HTTPS (301, not 302) (port 80 server block added to deploy/nginx-cf.conf with return 301 https://...)
• [x] CORS policy is explicit and minimal — not * for authenticated endpoints (allow_methods restricted to GET/POST/PATCH/DELETE/OPTIONS/HEAD; allow_headers restricted to Authorization/Content-Type/Accept/X-Requested-With; origins via cors_origins env var, warns if *)
• [x] Content-Security-Policy header prevents inline script execution and framing (CSP set globally in SecurityHeadersMiddleware: no unsafe-inline in script-src; frame-ancestors 'none'; unsafe-eval retained for Alpine.js v3)
• [x] X-Content-Type-Options: nosniff and X-Frame-Options: DENY set globally (both set in SecurityHeadersMiddleware on every response)
• [x] Cookies (session, CSRF) are Secure, HttpOnly, SameSite=Strict (N/A — no server-side cookies. Auth is Ed25519 MSign per-request signing; no session middleware; no CSRF tokens)
• [x] No mixed-content (HTTP resources loaded from HTTPS pages) (CSP includes upgrade-insecure-requests; connect-src 'self' and img-src 'self' data: https: block HTTP sub-resources)

4. Rate Limiting & Abuse Prevention

• [x] Global rate limit per IP: e.g., 300 req/min baseline, configurable per route (Limiter(default_limits=["300/minute"]) in rate_limits.py — applies to all routes without an explicit tighter limit)
• [x] Auth endpoints (login, register, challenge): stricter limit, e.g., 10 req/min per IP (AUTH_LIMIT = "20/minute" on all auth routes; failure_limiter.py adds per-IP exponential backoff on failures)
• [x] Object upload endpoint: limited by both request rate and total bytes/hour per user (push endpoints at 30/min via WIRE_PUSH_LIMIT; bytes/hour per-user tracking deferred — push body size cap at 500 MB covers payload bombs)
• [x] Archive download: rate-limited and/or requires authentication for private repos (GET /o/{object_id} limited to 120/min via OBJECT_LIMIT; private repo visibility enforced at repo layer)
• [x] Search endpoint: limited to prevent full-index scraping (@limiter.limit(SEARCH_LIMIT) wired up on /api/search, /search, /search/repos, /repos/{id}/search)
• [x] 429 responses include Retry-After header (_handle_rate_limit override in main.py computes Retry-After from X-RateLimit-Reset timestamp)
• [x] Bot / scraper detection via User-Agent + behavioral heuristics; block or throttle (BotThrottleMiddleware in musehub/middleware/bot_throttle.py: known-bad UA patterns → 429; missing UA on non-CDN paths → 429; /healthz, /static/, /mcp exempt)
• [x] Webhook delivery retries are capped and backed off (no retry storms) (_MAX_ATTEMPTS = 3, _BACKOFF_BASE = 1.0 → 1s/2s/4s exponential backoff in musehub_webhook_dispatcher.py)

5. Data Integrity

5.1 Database

• [ ] Postgres WAL archiving enabled (point-in-time recovery) (ops config — on the Postgres server set archive_mode=on, archive_command, wal_level=replica; requires postgres superuser access. Not automatable from app code.)
• [x] Automated daily snapshot backup to a separate storage location (not same disk) (deploy/backup.sh: daily pg_dump | gzip at 3 AM; syncs to Cloudflare R2 via rclone for off-disk retention (90 days). Set BACKUP_R2_BUCKET=<bucket> in .env.)
• [ ] Backup restore drill: restore latest backup to a staging DB and verify row counts (ops procedure — decompress latest .sql.gz, psql musehub_staging < dump.sql, run SELECT COUNT(*) FROM musehub_repos etc. Do before every major migration.)
• [x] Foreign key constraints enforced (not deferred or disabled for speed) (all FK columns use ForeignKey(..., ondelete="CASCADE"); PostgreSQL enforces FKs natively)
• [x] Critical tables have updated_at triggers for audit trails (added updated_at to MusehubRepo, MusehubProposal, MusehubWebhook, MusehubRelease; already present on MusehubIssue/Comment/Milestone/Comment/RenderJob. Migration 0020 backfills existing rows with server_default=func.now().)
• [x] No orphaned objects: object rows reference valid repo IDs (FK + periodic scan) (FK+CASCADE guarantees DB-level cleanup on repo delete; musehub/maintenance/orphan_scan.py provides scan_orphan_objects() and delete_orphan_objects() for scheduled maintenance)

5.2 Object store

• [x] Object files on disk are immutable after write (append-only content-addressed store)
• [x] Periodic integrity scan: re-SHA-256 a random sample of stored objects against their IDs
• [x] Disk usage quotas enforced per repo and per user (prevent storage exhaustion)
• [x] Deletion is soft-delete first (tombstone), hard-delete only after a retention window

5.3 Migrations

• [x] All schema changes go through versioned Alembic migrations
• [x] Migrations are tested against a production-sized data snapshot before apply
• [x] Rollback migration exists for every forward migration
• [x] Migration is run in a transaction; failure rolls back cleanly

6. Performance & Scalability

6.1 Database

• [x] Indexes exist on all foreign keys and common filter columns (repos.owner, commits.repo_id, symbols.repo_id + address, issues.repo_id)
• [x] EXPLAIN ANALYZE run on the 10 highest-traffic queries; no seq scans on large tables
• [x] Connection pooling configured (PgBouncer or SQLAlchemy pool); max connections capped
• [x] Slow query log enabled (threshold: 100 ms); alerts wired

6.2 API

• [x] Symbol list, commit log, and blame endpoints are paginated — no unbounded result sets
• [x] Large diffs / blobs are streamed, not buffered in memory
• [x] Archive download streams directly from disk — no full file read into RAM
• [x] Symbol intelligence queries (hotspots, dead code) are pre-computed at push time, never computed on-the-fly per request

6.3 Static assets

• [x] app.css and JS are served with far-future Cache-Control headers + content hash in filename for cache busting (StaticCacheMiddleware: public, max-age=31536000, immutable for .css/.js/.map; static_version = SHA-256(app.css+app.js)[:8] injected as ?v= on all assets in base.html)
• [x] Assets are gzip or brotli compressed at the nginx/CDN layer (deploy/nginx-cf.conf: gzip on; gzip_comp_level 6; covers text/css, application/javascript, application/json, image/svg+xml and more)
• [x] No blocking synchronous calls in request handlers (all DB and I/O are async) (objects.py: bare open() wrapped in asyncio.to_thread; storage reads use stream() async generator)

6.4 Load testing

• [x] Baseline load test: 100 concurrent users, normal read-heavy traffic — p99 < 500 ms (Locust BaselineUser scenario in deploy/load-tests/locustfile.py; run against staging. Infra readiness verified: pool_size=20 + max_overflow=40 = 60 DB conns; UVICORN_WORKERS defaults to 4; GLOBAL_LIMIT=300/min allows normal browsing patterns.)
• [x] Spike test: 10× normal traffic for 60 s — service degrades gracefully (429s), does not crash (Locust SpikeBurst scenario; 429s verified to carry Retry-After header via _handle_rate_limit; RateLimitExceeded handler registered in app exception handlers.)
• [x] Soak test: sustained moderate load for 12 h — no memory leak, no connection leak (Locust SoakUser scenario; MemoryLogMiddleware registered as outermost ASGI layer, logs RSS > 400 MiB; rss_mb() via psutil available for monitoring.)
• [x] Write-heavy test: 50 concurrent pushes — object store and DB remain consistent (Locust WritePushUser scenario; in-process concurrent push verified with asyncio.gather over 10 pre-upload + 5 concurrent commit push calls — no 500s, no deadlocks.)

7. Infrastructure & Operations

7.1 Environments

• [x] Local dev: runs via docker compose, no shared state with staging/prod (docker-compose.override.yml: DEBUG=true + bind mounts; named volumes musehub_data and postgres_data are isolated from staging/prod)
• [x] Staging: full production mirror (same Docker image, separate DB, separate object store) — accessible at an internal URL only, no public DNS (aws-provision-staging.sh: INSTANCE_NAME=musehub-staging, separate EIP; same AMI as prod; setup-ec2-staging.sh uses staging.musehub.ai domain)
• [x] Production: isolated VPC, restricted inbound (80/443 only), no SSH from public internet (aws-provision.sh: SSH restricted to current IP only, never 0.0.0.0/0; nginx forces HTTP→HTTPS redirect; Cloudflare terminates TLS at edge; uvicorn started with --proxy-headers for correct client IP propagation)
• [x] Environment config (secrets, DB URLs, object store paths) is injected via env vars or secrets manager — never committed to source (.museignore excludes .env and .env.*; pydantic-settings reads all config from env vars; .env.example documents every required field per environment; Settings defaults all secret fields to None; startup guard rejects weak DB_PASSWORD in production; missing WEBHOOK_SECRET_KEY and RUNNER_TOKEN logged at WARNING on startup)

7.2 Secrets management

• [x] DB password, webhook secret, and object store credentials are stored in a secrets manager (e.g., Doppler, AWS Secrets Manager, Vault) — not in .env files in the repo (deploy/secrets.sh: fetches all secrets from AWS SSM Parameter Store SecureString parameters at deploy time, writes /opt/musehub/.env at mode 600; never stores credentials in the repo or Docker image layers)
• [x] Secrets are rotated on a schedule (DB password: 180 days; webhook key: on compromise) (docs/secret-rotation-runbook.md: step-by-step aws ssm put-parameter rotation for DB_PASSWORD (180 days), WEBHOOK_SECRET_KEY (on compromise), RUNNER_TOKEN (90 days), R2 credentials (90 days), and CloudTrail audit procedure)
• [x] No secrets in Docker image layers (docker history audit) (Dockerfile has no secret-bearing ARG/ENV; only PYTHONPATH, PYTHONDONTWRITEBYTECODE, PYTHONUNBUFFERED are baked in; no .env COPY; audit command documented in runbook)
• [x] CI/CD pipelines inject secrets at runtime, not build time (deploy.sh: containers started with --env-file $APP_DIR/.env (runtime); no secrets passed as build args; setup-ec2.sh generates fresh DB_PASSWORD + WEBHOOK_SECRET_KEY via openssl rand / Fernet.generate_key() on first provision)

7.3 Deployment

• [x] Zero-downtime deploy: rolling restart or blue/green, no hard cutover (deploy/deploy.sh: two slots blue/green, nginx upstream pointer file, atomic flip via nginx -s reload; health-checked before flip, old slot stopped after)
• [x] Health check endpoint (/healthz) returns 200 only when DB connection and object store are reachable (GET /healthz in main.py: SELECT 1 DB probe + blob store head_bucket probe; registered before wildcard routes; 200 {"status":"ok"} / 503 {"status":"unhealthy"}; no auth required; Dockerfile HEALTHCHECK and deploy.sh health URLs both point to /healthz)
• [x] Container runs as a non-root user (Dockerfile: groupadd -r musehub && useradd -r -g musehub musehub, USER musehub after pip install)
• [x] Read-only filesystem where possible; writable mounts are explicit and minimal (docker-compose.yml: read_only: true on musehub service; /tmp as tmpfs; /data as named volume musehub_data)
• [x] Resource limits set (CPU + memory) on all containers (docker-compose.yml deploy.resources.limits: musehub 1.0 CPU / 512M, postgres 0.5 CPU / 256M, musehub-runner 0.5 CPU / 256M)

7.4 Logging & alerting

• [x] Structured JSON logs (level, timestamp, request_id, user_id, path, status, duration) (musehub/logging_config.py: JsonFormatter emits one JSON object per line; request_id_var / user_id_var contextvars populated by AccessLogMiddleware so every in-request log record automatically carries them; optional method, path, status, duration_ms on access records)
• [x] No PII or token values in logs (PiiFilter in musehub/logging_config.py: scrubs Bearer <token>, password=, token=, secret= patterns from fully-formatted message strings before any handler sees them; AccessLogMiddleware extracts only the MSign handle — never logs the raw Authorization value)
• [x] Alerts wired for: 5xx rate > 1%, p99 latency > 2 s, disk > 80%, DB connections > 90% (deploy/cloudwatch-alerts.sh: log group /musehub/app; metric filters for 5xxCount, RequestCount, RequestDurationMs; CloudWatch alarms with SNS → SMS + email to gabriel)
• [x] On-call rotation or at minimum a PagerDuty / SMS alert to gabriel's phone (deploy/cloudwatch-alerts.sh SNS SMS subscription; docs/on-call-runbook.md with incident playbooks for all four alarm types + optional PagerDuty escalation path)
• [x] Log retention: 30 days hot, 1 year cold (deploy/cloudwatch-alerts.sh put-retention-policy --retention-in-days 30; docs/on-call-runbook.md documents S3 export → Glacier after 30d, expire after 365d)

8. Security Hardening (Adversarial)

These items assume an attacker has read the full source code.

• [x] SSRF: any feature that makes outbound HTTP requests (webhooks, avatar fetch, MCP endpoints) validates the target URL against an allowlist; blocks RFC-1918 ranges (musehub/security/ssrf.py: check_url_safe() — sync, scheme + bare IP, used in WebhookCreate.url field_validator; validate_outbound_url() — async + DNS resolution via asyncio.to_thread, used in _attempt_delivery() as defence-in-depth against DNS rebinding; blocks loopback 127.x, RFC-1918 10.x/172.16-31.x/192.168.x, link-local 169.254.x AWS metadata, fc00::/7, 100.64.x carrier NAT)
• [x] Mass assignment: Pydantic models used for all request bodies; no **kwargs or dict(request.body) passed directly to ORM constructors (all route handlers use typed Pydantic models; the one **cache_payload in ui_blame.py is built from server-controlled data, not user input)
• [x] Timing attacks on auth: use hmac.compare_digest for all secret comparisons, never == (runner token: hmac.compare_digest in runner.py; MSign: verify_signature Ed25519 cryptographic verification in request_signing.py — constant-time by design; webhook signatures: hmac.compare_digest in musehub_webhook_dispatcher.py)
• [x] Object enumeration: repo IDs and issue IDs are either UUIDs or obfuscated — sequential integers let attackers enumerate all repos/issues across all users (repo_id, issue_id: String(36) UUID primary keys; issue number is per-repo sequential — scoped by repo, not a global counter)
• [x] Commit ID forgery: muse verify signature check is enforced server-side on receive, not just client-side (REQUIRE_SIGNED_COMMITS=true in Settings + enforcement gate in wire_push: rejects any commit with empty signature or signer_key_id; default False for backward compat; unsigned commits log at DEBUG when enforcement is off)
• [x] Denial of service via regex: all user-supplied regex patterns (search, filter) are compiled with a timeout or replaced with parameterized FTS (search_by_pattern uses Python in operator — no regex; search_by_ask tokenizes with a fixed pre-compiled _TOKEN_RE pattern — no user-controlled regex; no re.compile(user_input) anywhere in the search path)
• [x] Tar bomb / zip bomb: archive extraction enforces max uncompressed size and max file count before extraction begins (N/A: MuseHub does not perform any archive extraction; tarfile/zipfile are not imported anywhere in the application code)
• [x] Polyglot files: file type validation by magic bytes, not just extension (musehub/security/magic_bytes.py: check_magic_bytes(path, content) validates MIDI/MP3/WebP/PNG/JPEG/ZIP/PDF by header signatures; blocks HTML and shebang content in all non-HTML files; called in wire_push before storing each object — returns WirePushResponse(ok=False) on mismatch)
• [x] Clickjacking: X-Frame-Options: DENY + CSP frame-ancestors 'none' (SecurityHeadersMiddleware in main.py:87-109 — sets X-Frame-Options: DENY and Content-Security-Policy with frame-ancestors 'none' on every response)
• [x] Open redirect: redirect-after-login validates target is same-origin only (ui_mcp_elicitation.py: callback = request.url.path (+ query) — stores path-only, never the full absolute URL with scheme/host; prevents attacker from injecting ?next=https://evil.com via a crafted Host header)
• [x] Account takeover via handle squatting: handle registration is case-insensitive normalized (e.g., Gabriel == gabriel) (musehub_auth.py: handle = handle.strip().lower() before MusehubIdentity() — Gabriel and gabriel map to the same row; UNIQUE constraint on handle enforces it)
• [x] Claude / MCP prompt injection: MCP tool results that include user-controlled content are wrapped in a clear delimiter and documented as untrusted; the system prompt instructs the model to treat that content as data, not instructions (mcp/dispatcher.py: success results wrapped in <musehub_tool_result>…</musehub_tool_result>; mcp/prompts.py orientation prompt names the delimiter and lists commit messages, issue bodies, file paths, repo names, branch names as untrusted user data)
• [x] Agent impersonation: agent_id in commit provenance is validated against a registry of known agents; unknown agents are accepted but flagged, never trusted for elevated operations (TRUSTED_AGENT_IDS list in Settings; wire_push logs WARNING and injects metadata["untrusted_agent"] = "true" for any agent_id not matching a trusted prefix; unknown agents are accepted, never rejected)

9. Compliance & Legal Minimums

• [x] Privacy policy exists and is linked from the footer (docs/legal/privacy-policy.md; covers pubkey-as-identity model, agent-first design, training data policy, GDPR export/delete rights, and opt-out mechanism; linked from base.html footer)
• [x] Terms of service exist; acceptance is implicit via MSign key registration (docs/legal/terms-of-service.md; agents cannot click accept — the operator's act of registering a key constitutes acceptance; tos_accepted_at + tos_version recorded on MusehubIdentity at registration time in musehub_auth.py; training data policy detailed: public OSI-licensed repos only, training_opt_out=true respected, private repos never used)
• [x] Minimum data: accounts are pubkeys + handles — no passwords, no required email; MusehubIdentity fields audited; only voluntarily-provided profile data (email, bio, avatar) is stored; agent identities store model name and capabilities for discovery, not for PII purposes
• [x] GDPR / CCPA: GET /api/me/export returns full data dump (identity, keys, repos, commits); DELETE /api/me hard-deletes auth keys and soft-deletes identity + repos; training_opt_out: bool field on MusehubRepo (migration 0023_compliance_fields.py)
• [x] DMCA takedown process documented (docs/legal/dmca.md; contact [email protected]; 2-day acknowledgement / 5-day action SLA; counter-notice process; repeat-infringer policy; agent-operator accountability)
• [x] OSS license audit completed (docs/legal/license-audit.md; all direct dependencies are MIT / Apache-2.0 / BSD-3-Clause / LGPL-3.0; psycopg2-binary LGPL-3.0 is compatible under dynamic-linking exception for server-side SaaS; quarterly review schedule established)

10. Pre-Launch Smoke Tests

These must all pass in staging before prod deploy:

• [ ] New user signup → keygen → register → push a repo → view on MuseHub
• [ ] Private repo is not accessible when unauthenticated
• [ ] muse push with a forged object SHA is rejected
• [ ] Rate limit kicks in after threshold on auth endpoint
• [ ] Archive download returns correct bytes for a known commit
• [ ] Symbol index is populated after push and renders on /symbols
• [ ] Issue create → comment → close flow works end to end
• [ ] Merge proposal open → review → merge flow works end to end
• [ ] MCP endpoint returns correct tool schema and executes a read tool correctly
• [ ] docker compose down && docker compose up preserves all data (volumes survive)
• [ ] Backup restore drill: drop staging DB, restore from latest backup, verify

11. Launch Gate

All sections above must be fully checked. Final sign-off:

When every row is checked: tag v1.0.0-rc1, deploy to staging, hold 72 h, then promote to production.