Migration assurance
Trust and verification status
This page distinguishes implementation checks from production sign-off. Local tests and a Cloudflare Quick Tunnel can prove the app is wired together, but they do not prove final security, accessibility, performance, uptime, webhook reliability or SEO behavior on the real production domain.
What is verified in implementation
These checks are visible in the app or covered by local regression tests, but they are not a substitute for black-box production verification.
- No-JavaScript fallback text exists for the app shell.
- Marketing pages render semantic H1 text on clean routes.
- Public copy states static analysis only: no code execution and no Amazon credentials.
- Trademark/disclaimer text is present on public pages.
Pending black-box verification
The items below must be checked from the deployed public origin before launch. They should not be marked as passed on the basis of unit tests, local browser checks or a trycloudflare URL.
| Area | Current status | Required evidence |
|---|---|---|
| CSP | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| HSTS | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| X-Content-Type-Options | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Permissions-Policy | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Referrer-Policy | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Cookies and Set-Cookie attributes | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| API meta fields | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Demo unlock behavior | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Billing feature flags | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Source/report retention values | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Robots directives | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Sitemap | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Canonical URLs | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| JSON-LD | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Upload flow | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Scan accuracy on representative fixtures | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
| Error states | PENDING_BLACK_BOX | Verify from the final HTTPS production domain. |
Accessibility checks that remain manual
Automated tools help find issues, but W3C WAI notes that tools cannot determine full accessibility by themselves. Keyboard and screen-reader behavior require human review; RUM can measure field Core Web Vitals, errors, route timing and interaction latency, but it cannot prove NVDA/VoiceOver output, focus order or dialog focus traps.
| Area | Current status | Required evidence |
|---|---|---|
| Keyboard navigation and visible focus order | PENDING_MANUAL | Manual keyboard QA with visible focus-order notes and dialog/focus-trap checks. |
| Screen-reader output with real assistive technology | PENDING_MANUAL | NVDA and/or VoiceOver manual QA; RUM cannot prove screen-reader output. |
| Responsive mobile UI across target devices | PENDING_MANUAL | Real-device/browser QA across target viewport and input combinations. |
| Lighthouse lab performance on production infrastructure | PENDING_MANUAL | Automated Lighthouse lab test from the production HTTPS origin. |
| Field Core Web Vitals from real-user monitoring | PENDING_MANUAL | Production RUM field data for LCP, CLS, INP and route/error timing. |
Quick Tunnel is demo infrastructure only
The current trycloudflare tunnel is useful for local development and demo review. It must not be used as evidence for production operations, callbacks or SEO.
| Do not conclude from Quick Tunnel | Reason |
|---|---|
| Production uptime | Requires stable production infrastructure and the final domain. |
| Final latency | Requires stable production infrastructure and the final domain. |
| Load capacity | Requires stable production infrastructure and the final domain. |
| Paddle webhook reliability | Requires stable production infrastructure and the final domain. |
| Email link reliability | Requires stable production infrastructure and the final domain. |
| SEO behavior on the real domain | Requires stable production infrastructure and the final domain. |
Production sign-off checklist
- Run the black-box verification script against the final HTTPS domain.
- Confirm CSP, HSTS, X-Content-Type-Options, Permissions-Policy and Referrer-Policy from the public edge.
- Confirm cookies are absent or carry secure attributes where applicable.
- Confirm /api/v1/meta exposes billing, demo unlock and retention values expected for production.
- Confirm robots.txt, sitemap.xml, canonical URLs and JSON-LD use the production origin and contain no fragments.
- Exercise upload, scan, unlock/billing-disabled behavior, report recovery and representative error states.
- Run keyboard and screen-reader checks manually.
- Run Lighthouse on production infrastructure and collect Core Web Vitals after real traffic exists.
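
The header and cookie items of this checklist can be graded mechanically once a response has been captured from the public edge. The sketch below is an added example, not the project's own black-box verification script: the function names, the HSTS threshold, the required cookie attributes and the `app.example.com` origin are assumptions, and the sample capture is constructed.

```python
from urllib.parse import urlsplit

REQUIRED = ["content-security-policy", "strict-transport-security",
            "x-content-type-options", "permissions-policy", "referrer-policy"]
MIN_HSTS_AGE = 15552000  # assumed threshold: 180 days, in seconds

def directives(value):
    # Parse 'a=1; b' style header directives into a lower-cased dict.
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.lower()] = val.strip().strip('"')
    return out

def cookie_ok(value):
    # Skip the leading name=value pair so a cookie *named* "secure" cannot pass.
    attrs = directives(value.partition(";")[2])
    return {"secure", "httponly", "samesite"} <= attrs.keys()

def evaluate(origin, headers):
    """Grade (name, value) header pairs captured from `origin`."""
    url = urlsplit(origin)
    host = (url.hostname or "").lower()
    # Quick Tunnel, local, or non-HTTPS evidence never leaves the pending state.
    if (url.scheme != "https" or host.endswith(".trycloudflare.com")
            or host in ("localhost", "127.0.0.1")):
        return {name: "PENDING_BLACK_BOX" for name in REQUIRED + ["set-cookie"]}
    seen, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            seen[name.lower()] = value.strip()
    result = {name: "PASS" if seen.get(name) else "FAIL" for name in REQUIRED}
    if seen.get("x-content-type-options", "").lower() != "nosniff":
        result["x-content-type-options"] = "FAIL"
    max_age = directives(seen.get("strict-transport-security", "")).get("max-age", "")
    if not max_age.isdigit() or int(max_age) < MIN_HSTS_AGE:
        result["strict-transport-security"] = "FAIL"
    # Cookies pass when absent or when every one carries the assumed attributes.
    result["set-cookie"] = "PASS" if all(map(cookie_ok, cookies)) else "FAIL"
    return result

# Constructed sample capture; app.example.com is a placeholder origin.
SAMPLE = [("Content-Security-Policy", "default-src 'self'"),
          ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
          ("X-Content-Type-Options", "nosniff"), ("Permissions-Policy", "geolocation=()"),
          ("Referrer-Policy", "strict-origin-when-cross-origin"),
          ("Set-Cookie", "sid=constructed; Path=/; Secure; HttpOnly; SameSite=Lax")]
print(evaluate("https://app.example.com", SAMPLE))
```

Because the origin check runs first, a capture taken through a trycloudflare URL stays at PENDING_BLACK_BOX no matter how good its headers look.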
Frequently asked questions
Does passing automated accessibility checks prove accessibility?
No. Automated checks assist review; manual keyboard and screen-reader testing remains required.
Can the Cloudflare Quick Tunnel be used for Paddle webhooks or SEO validation?
No. Use it for development/demo only; production callbacks and SEO validation need a stable production domain.
Treat production verification as a release gate
Use the final domain and real infrastructure before marking security, accessibility, SEO or performance as passed.
Last reviewed: 2026-07-02.