{ "items": [ { "area": "Infrastructure", "id": "infra-waf-cdn", "required": true, "task": "Place public site/API behind WAF/CDN with DDoS protection and bot filtering." }, { "area": "Admin access", "id": "admin-vpn-allowlist", "required": true, "task": "Restrict /admin, /api/admin and /api/auth to localhost/VPN/static IP allowlist at both app and reverse-proxy layers." }, { "area": "Transport security", "id": "tls-hsts", "required": true, "task": "Use HTTPS/TLS, enable HSTS in production, redirect HTTP to HTTPS at reverse proxy." }, { "area": "Resilience", "id": "backup-restore-drill", "required": true, "task": "Run backup and restore drill before launch; verify database, public exports and history snapshots." }, { "area": "Legal", "id": "legal-review-high-risk", "required": true, "task": "Review high-risk modules before broad publication: hostile countries, sponsors/abuse, terrorism-support indicators, child/survivor protection, impeachment/high-treason." }, { "area": "Editorial governance", "id": "reviewer-assignments", "required": true, "task": "Assign named internal reviewer roles without exposing protected contributor identities publicly." }, { "area": "Source protection", "id": "source-handler-sop", "required": true, "task": "Operationalize secure source-handler workflow for sealed/offline evidence and metadata stripping." }, { "area": "Incident response", "id": "incident-contact", "required": true, "task": "Publish public correction/contact channel and define private emergency escalation route." }, { "area": "Static export", "id": "sftp-dry-run", "required": true, "task": "Run SFTP dry-run, verify only data/public files are uploaded." }, { "area": "Integrity", "id": "snapshot-signing", "required": true, "task": "Verify latest.json SHA256 and public snapshot history before release." } ], "schema": "paso-production-launch-checklist-v1", "status": "launch_candidate_requires_operator_confirmation", "title": "Production launch checklist" }