WitnessOps · production SaaS gate
Production readiness
Fail-closed checklist for enabling the SaaS app, API, provider integrations, billing, database, and deployment surfaces.
production blocked · explicit enable missing · 0 required missing · 7 placeholder · 0 invalid shape
Provider cutover plan
5 actions

Clerk production app
blocked: Install Clerk live secret, live publishable key, and production webhook secret in the provider source.
- CLERK_SECRET_KEY: placeholder_or_test
- NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY: placeholder_or_test
- CLERK_WEBHOOK_SECRET: placeholder_or_test
npm run production:provider-source:upsert
npm run production:runtime-env:materialize
npm run production:blockers

Stripe live billing
blocked: Install Stripe live secret and live webhook secret after live products, prices, and webhook endpoint are configured.
- STRIPE_SECRET_KEY: placeholder_or_test
- STRIPE_WEBHOOK_SECRET: placeholder_or_test
npm run production:provider-source:upsert
npm run production:runtime-env:materialize
npm run production:blockers

Resend sender
blocked: Install a Resend API token and verified production sender address.
- RESEND_TOKEN: placeholder_or_test
npm run production:provider-source:upsert
npm run production:runtime-env:materialize
npm run production:blockers

Arcjet protection
blocked: Install the Arcjet production key.
- ARCJET_KEY: placeholder_or_test
npm run production:provider-source:upsert
npm run production:runtime-env:materialize
npm run production:blockers

Final production enable flag
pending: Keep production disabled until provider live checks, migrations, images, deploy status, ingress, public probes, and webhook smoke checks pass.
- WITNESSOPS_PRODUCTION_ENABLE: must_remain_false_until_cutover
WITNESSOPS_RUNTIME_ENV_REQUIRE_ENABLE=true npm run production:runtime-env:verify
npm run production:cutover:verify

Core URLs
5/5 ready
- present: Public marketing URL (NEXT_PUBLIC_WEB_URL)
- present: Authenticated app URL (NEXT_PUBLIC_APP_URL)
- present: API URL (NEXT_PUBLIC_API_URL)
- present: Operator shell URL (WITNESSOPS_OPERATOR_URL)
- present: Production host URL (VERCEL_PROJECT_PRODUCTION_URL)
Authentication
4/7 ready
- placeholder: Clerk server key (CLERK_SECRET_KEY)
- placeholder: Clerk webhook secret (CLERK_WEBHOOK_SECRET)
- placeholder: Clerk publishable key (NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY)
- present: Clerk sign-in URL (NEXT_PUBLIC_CLERK_SIGN_IN_URL)
- present: Clerk sign-up URL (NEXT_PUBLIC_CLERK_SIGN_UP_URL)
- present: Clerk post sign-in URL (NEXT_PUBLIC_CLERK_AFTER_SIGN_IN_URL)
- present: Clerk post sign-up URL (NEXT_PUBLIC_CLERK_AFTER_SIGN_UP_URL)
Database
1/1 ready
- present: Neon/Postgres database URL (DATABASE_URL)
Billing
0/2 ready
- placeholder: Stripe secret key (STRIPE_SECRET_KEY)
- placeholder: Stripe webhook secret (STRIPE_WEBHOOK_SECRET)

- placeholder: Resend API token (RESEND_TOKEN)
- present: Transactional sender (RESEND_FROM)
Security
2/3 ready
- placeholder: Arcjet key (ARCJET_KEY)
- present: Feature flag secret (FLAGS_SECRET)
- present: Entitlement enforcement flag (ENTITLEMENTS_ENFORCED)
Observability
0/5 ready
- optional: BetterStack API key (BETTERSTACK_API_KEY)
- optional: BetterStack ingest URL (BETTERSTACK_URL)
- optional: Google Analytics measurement ID (NEXT_PUBLIC_GA_MEASUREMENT_ID)
- optional: PostHog key (NEXT_PUBLIC_POSTHOG_KEY)
- optional: PostHog host (NEXT_PUBLIC_POSTHOG_HOST)
Content and collaboration
0/5 ready
- optional: BaseHub token (BASEHUB_TOKEN)
- optional: Liveblocks secret (LIVEBLOCKS_SECRET)
- optional: Svix token (SVIX_TOKEN)
- optional: Knock API key (KNOCK_API_KEY)
- optional: Knock feed channel (KNOCK_FEED_CHANNEL_ID)
Gate notes
fail closed
- No secret values are returned by this readiness check.
- WITNESSOPS_PRODUCTION_ENABLE must equal true, every required item must be present, and required values must not match known placeholders or invalid production shapes before production is enabled.
- This gate rejects obvious template values, local URLs, known test-key prefixes, and weak production-shaped values, but it does not prove third-party account validity.