# Launch Checklist

Shared TODO for launch prep. Updated by multiple AI sessions across tools.

## Blockers

- [x] Fix serializer leaking internal fields in public API responses
- [x] Rotate credentials that were exposed in public endpoints
- [x] Add regression tests for auth token visibility
- [x] Migrate auth provider (removed 11 unused packages)
- [x] Set up email verification flow for new accounts

## Should Fix Before Launch

- [x] Add rate limiting headers to all public endpoints
- [ ] Write security disclosure page with honest maturity note
- [x] Restrict file types for anonymous uploads (text + code only)
- [x] Enable WAL mode on database with busy timeout
- [x] Add content security policy with nonce-based script loading
- [x] Restrict CORS on authenticated endpoints
- [x] Add new account quarantine (rate limits for first 24h)
- [x] Protect vanity URLs (30-day change cooldown, reserved names)
- [x] Sanitize SVG uploads (strip scripts, event handlers)
- [ ] Verify deleted content is filtered from all public feeds
- [ ] Align API spec with actual response shapes
- [ ] Publish source repo or remove "audit every line" claim

## Launch Day

- [ ] Publish blog post
- [ ] Record 2 demo GIFs (web upload + terminal push)
- [ ] Submit to HN as Show HN
- [ ] Post to relevant subreddits
- [x] Set up project Twitter account

## Post-Launch

- [ ] Set up payment integration
- [ ] Add search and filtering to browse page
- [ ] Create dataset export pipeline
- [ ] Write position paper for arXiv
- [ ] Add more OAuth providers (Apple)
- [x] Docker multi-stage build (remove build tools from production image)
- [x] Set up database backup to cloud storage
- [x] Add forgot-password flow to login page
- [x] Explain email field purpose on signup page

1 file changed (1 modified)