v1.5 Release Checklist

This checklist is the fail-closed bar for MUTX v1.5.

Owners

Area	Owner
Backend and contracts	`area:api`
Dashboard and browser UX	`area:web`
Desktop runtime and packaging	`area:desktop`
Release validation	`area:testing`
Docs and positioning	`area:docs`
Infrastructure and Helm	`area:infra`
Security and auth	`area:security`
Pico product lane	`area:pico`

Gate

Check	Owner	Pass condition
Python validation suite	`area:api`	`bash scripts/test.sh` passes its Python lint, compile, and pytest stages
Generated contract verification	`area:api`	`bash scripts/verify-generated-artifacts.sh` reports current artifacts with no drift
Release lint	`area:web`	`npm run lint` passes for the release-critical web and desktop surfaces
Typecheck	`area:web`	`npm run typecheck` passes
Production build	`area:web`	`npm run build` passes with `proxy.ts` and no deprecated `middleware.ts` warning
Serial browser smoke	`area:testing`	`npm run test:e2e:release` passes the Chromium dashboard, auth, and registration flows
Desktop cockpit smoke	`area:desktop`	`npm run test:e2e:release` passes the desktop cockpit scenarios against the standalone build
Pico progress contract	`area:pico`	`/v1/pico/progress` GET/POST roundtrip works and matches `docs/api/openapi.json` + `app/types/api.ts`
Compose smoke	`area:api`	`bash scripts/smoke-compose-prod.sh` passes without skips
Signing environment	`area:desktop`	`npm run desktop:signing-check` passes on the release machine
Signed macOS package	`area:desktop`	`npm run desktop:package:release` builds signed `.app` bundles and ZIPs, then assembles DMGs whose mounted apps still pass recursive codesign verification
Notarization validation	`area:desktop`	`npm run desktop:notarize:status` reports valid signatures, mounted-DMG app integrity, Gatekeeper acceptance, and stapled tickets
Built app launch smoke	`area:desktop`	`npm run desktop:launch:smoke` launches the built `.app` and exits cleanly after readiness
SDK contract tests	`area:testing`	`pytest sdk/tests/` passes for the shipped `/v1/*` surfaces
RBAC enforcement	`area:security`	Routes under `/audit/`, `/security/`, `/policies/`, and `/approvals/` reject unprivileged tokens
OIDC token validation	`area:security`	JWKS fetcher resolves, JWT signature and claim validation pass with a test IdP
Helm chart lint	`area:infra`	`helm lint infrastructure/helm/mutx/` passes clean
Helm template render	`area:infra`	`helm template mutx infrastructure/helm/mutx/` renders without errors
Railway production promotion	`area:ops`	frontend and backend Railway services deploy from the release commit using the production-promotion workflow
Public production smoke	`area:testing`	`bash scripts/verify-production-release.sh` passes against `mutx.dev`, `app.mutx.dev`, `api.mutx.dev`, and the synced release-notes page
Self-hosted docs live	`area:docs`	`https://docs.mutx.dev/docs/v1.5` is reachable after merge
Public release summary	`area:web`	`https://mutx.dev/releases` reflects the current desktop artifact set and links
Surface positioning	`area:docs`	preview/stable language in docs matches the actual gated surface set

Positioning Rule

Promote app.mutx.dev/dashboard to Supported only when all checks above pass on the release candidate machine, including signed packaging, notarization, checksum publication, and launch validation.

Keep preview-labeled control routes and partially implemented backend surfaces out of primary stable navigation until their live contracts are complete.

Launch Order

Confirm the notarized macOS assets exist on the v1.5.0 GitHub release.
Confirm docs/releases/v1.5.md is merged, https://docs.mutx.dev/docs/v1.5 is live, and https://mutx.dev/releases reflects the same release.
Verify RBAC enforcement on /audit/*, /security/*, /policies/*, and /approvals/* routes.
Verify OIDC token validation with the configured IdP (skip only when no external IdP is in scope).
Verify /v1/pico/progress matches the generated OpenAPI spec and frontend types.
Run helm lint infrastructure/helm/mutx/ and helm template to validate the chart.
Run the Railway production-promotion workflow for the frontend and backend services.
Run bash scripts/verify-production-release.sh.
Verify the public download, release, auth, dashboard, API, docs, and Kubernetes surfaces point to the supported v1.5 surfaces.

New Environment Variables

No new environment variables are required just to clear the v1.5 checklist beyond the existing v1.4 contracts. Reconfirm these remain documented and correctly wired:

# OIDC Token Validation (optional — enable when connecting an external IdP)
OIDC_ISSUER=
OIDC_CLIENT_ID=
OIDC_JWKS_URI=

# CrewAI Adapter (required if using run_crew())
MUTX_API_KEY=***

Breaking Changes

Track any release-specific breaking changes in docs/releases/v1.5.md before launch. At minimum, keep auth/RBAC expectations, generated contract drift, and preview-vs-supported surface changes explicit.

Owners

Area

Owner

Backend and contracts

area:api

Dashboard and browser UX

area:web

Desktop runtime and packaging

area:desktop

Release validation

area:testing

Docs and positioning

area:docs

Infrastructure and Helm

area:infra

Security and auth

area:security

Pico product lane

area:pico

Gate

Check

Owner

Pass condition

Python validation suite

area:api

bash scripts/test.sh passes its Python lint, compile, and pytest stages

Generated contract verification

area:api

bash scripts/verify-generated-artifacts.sh reports current artifacts with no drift

Release lint

area:web

npm run lint passes for the release-critical web and desktop surfaces

Typecheck

area:web

npm run typecheck passes

Production build

area:web

npm run build passes with proxy.ts and no deprecated middleware.ts warning

Serial browser smoke

area:testing

npm run test:e2e:release passes the Chromium dashboard, auth, and registration flows

Desktop cockpit smoke

area:desktop

npm run test:e2e:release passes the desktop cockpit scenarios against the standalone build

Pico progress contract

area:pico

/v1/pico/progress GET/POST roundtrip works and matches docs/api/openapi.json + app/types/api.ts

Compose smoke

area:api

bash scripts/smoke-compose-prod.sh passes without skips

Signing environment

area:desktop

npm run desktop:signing-check passes on the release machine

Signed macOS package

area:desktop

npm run desktop:package:release builds signed .app bundles and ZIPs, then assembles DMGs whose mounted apps still pass recursive codesign verification

Notarization validation

area:desktop

npm run desktop:notarize:status reports valid signatures, mounted-DMG app integrity, Gatekeeper acceptance, and stapled tickets

Built app launch smoke

area:desktop

npm run desktop:launch:smoke launches the built .app and exits cleanly after readiness

SDK contract tests

area:testing

pytest sdk/tests/ passes for the shipped /v1/* surfaces

RBAC enforcement

area:security

Routes under /audit/*, /security/*, /policies/*, and /approvals/* reject unprivileged tokens

OIDC token validation

area:security

JWKS fetcher resolves, JWT signature and claim validation pass with a test IdP

Helm chart lint

area:infra

helm lint infrastructure/helm/mutx/ passes clean

Helm template render

area:infra

helm template mutx infrastructure/helm/mutx/ renders without errors

Railway production promotion

area:ops

frontend and backend Railway services deploy from the release commit using the production-promotion workflow

Public production smoke

area:testing

bash scripts/verify-production-release.sh passes against mutx.dev, app.mutx.dev, api.mutx.dev, and the synced release-notes page

Self-hosted docs live

area:docs

https://docs.mutx.dev/docs/v1.5 is reachable after merge

Public release summary

area:web

https://mutx.dev/releases reflects the current desktop artifact set and links

Surface positioning

area:docs

preview/stable language in docs matches the actual gated surface set

Positioning Rule

Keep preview-labeled control routes and partially implemented backend surfaces out of primary stable navigation until their live contracts are complete.

Launch Order

Confirm the notarized macOS assets exist on the v1.5.0 GitHub release.

Confirm docs/releases/v1.5.md is merged, https://docs.mutx.dev/docs/v1.5 is live, and https://mutx.dev/releases reflects the same release.

Verify RBAC enforcement on /audit/*, /security/*, /policies/*, and /approvals/* routes.

Verify OIDC token validation with the configured IdP (skip only when no external IdP is in scope).

Verify /v1/pico/progress matches the generated OpenAPI spec and frontend types.

Run helm lint infrastructure/helm/mutx/ and helm template to validate the chart.

Run the Railway production-promotion workflow for the frontend and backend services.

Run bash scripts/verify-production-release.sh.

Verify the public download, release, auth, dashboard, API, docs, and Kubernetes surfaces point to the supported v1.5 surfaces.

New Environment Variables

No new environment variables are required just to clear the v1.5 checklist beyond the existing v1.4 contracts. Reconfirm these remain documented and correctly wired:

# OIDC Token Validation (optional — enable when connecting an external IdP) OIDC_ISSUER= OIDC_CLIENT_ID= OIDC_JWKS_URI= # CrewAI Adapter (required if using run_crew()) MUTX_API_KEY=***

v1.5 Release Checklist#

Owners#

Gate#

Positioning Rule#

Launch Order#

New Environment Variables#

Breaking Changes#

v1.5 Release Checklist#

Owners#

Gate#

Positioning Rule#

Launch Order#

New Environment Variables#

Breaking Changes#

v1.5 Release Checklist

Owners

Gate

Positioning Rule

Launch Order

New Environment Variables

Breaking Changes

v1.5 Release Checklist

Owners

Gate

Positioning Rule

Launch Order

New Environment Variables

Breaking Changes