This checklist captures the MVP pre-launch hardening steps and links to automated validations where possible.

• No secrets committed in source.
• Enforced via pre-commit scanning and CI checks.

Recommended local run:

pre-commit run --all-files

• Automated test ensures protected /api/v1 routes reject unauthenticated calls.
• Public exceptions are explicitly documented (/health, /auth/register, /auth/login, /auth/refresh, /auth/logout).

Run:

cd server
pytest tests/test_security_authz.py -v

• RLS behavior is covered by existing tests (org-scope isolation and context propagation).

Run:

cd server
pytest tests/test_rls.py -v
pytest tests/test_context_integration.py -v

• Log statements avoid plaintext secrets (API keys, passwords, tokens).
• Structured logging via Loguru enabled; avoid logging user payload bodies directly.

Recommended periodic audit:

rg "logger\.(debug|info|warning|error|exception)" server/app -n

• CORS origins are configurable from environment (cors_origins) instead of fixed code constants.
• Local default remains permissive only when explicit origins are not set.

• Redis-backed rate limiting is enabled via SlowAPI.
• Default global limit per API key/token is configurable.
• Memory search has a stricter dedicated limit.
• 429 responses include rate-limit headers and retry guidance.
• Health endpoint is exempt.

• Postgres async pool tuned for production defaults.
• Redis pool max_connections=20 is configured.
• Pool exhaustion timeout warnings are logged.