Production checklist
Verify the complete custom board before directing users or search engines to it.
A
JWork through this list on the deployed runtime with a real board.
Configuration and connectivity
- The SDK uses
https://api.cavuno.com; any explicitPUBLIC_CAVUNO_API_URLoverride points to the Cavuno-supplied non-production environment. PUBLIC_CAVUNO_BOARDresolves the expected board name, features, language, and theme.- The deployed runtime satisfies Node.js 20+ or provides standards-compatible
fetch,Headers,FormData, and Web APIs. - No operator or Admin API key is present in frontend bundles.
Public routes and data
- Home, job listing, search, job detail, company, blog, salary, and legal routes match enabled features.
- Empty states distinguish “no results” from an API failure.
- Unknown records return a real 404; legacy paths use
board.redirects.resolvebefore the 404. - Pagination preserves the current filters and never mixes
offsetand a follow-up cursor. - Loading and error states remain usable with JavaScript delayed or a request aborted.
Authentication and private features
- Registration, verification, login, refresh, logout, magic link, and configured OAuth providers complete from their public entry points.
- SSR tokens stay in the SDK session cookie and private reads use per-call authorization.
- Candidate profile, saved jobs, applications, alerts, and messaging are tested only when the board exposes those capabilities.
- Employer company, posting, applicant, billing, and checkout flows are exercised with the correct company membership.
- Expired, revoked, or malformed sessions clear once and do not loop.
Monetization and external handoffs
- Posting, candidate-access, talent-access, and invoice paths branch on the returned server status rather than assuming Stripe Checkout.
- Checkout and portal destinations are validated before redirecting.
- A return from checkout reloads authoritative status from the API instead of trusting query parameters.
- Disabled plans and insufficient entitlements render an intentional upgrade or unavailable state.
SEO and discovery
- Canonicals, Open Graph URLs, breadcrumbs,
JobPostingJSON-LD, sitemap entries, androbots.txtuse the production origin. - Expired or private jobs do not emit active
JobPostingdata. - Sitemap buckets exclude disabled features and thin taxonomy pages according to SDK rules.
- A representative sitemap URL resolves without authentication.
Caching, security, and operations
- Public cache lifetimes match the publish/unpublish expectation.
- Authorization and board-password requests bypass shared caches.
- CSP, XSS defenses, redirect validation, upload limits, and proxy rate limits are enabled.
- Logs include API error codes and request IDs but exclude tokens, cookies, personal data, and application bodies.
- Monitoring distinguishes Board API failures, search unavailability, rate limiting, and frontend rendering failures.
Accessibility and interface states
- Keyboard, focus, screen-reader labels, contrast, reduced motion, and mobile layouts are reviewed on the deployed site.
- Each major surface has loading, empty, validation, permission, rate-limit, offline, and unexpected-error behavior.
- Destructive or paid actions require an unambiguous confirmation and remain safe against double submission.
Run the release check
bash
12PUBLIC_CAVUNO_BOARD=pk_0123456789abcdef0123456789abcdef \npx @cavuno/board doctor --frontend https://jobs.example.com
Record every pass, failure, and skip. A skipped optional feature is acceptable only when the board does not expose that feature and the reason is documented.
Production notes
- Confirm persisted API state after every write flow—do not trust the redirect or toast alone.
- Test disabled feature flags as deliberately as enabled ones.
- Keep rollback instructions for DNS, routing, session-cookie, and cache-policy changes.
- Re-run this checklist after an SDK major upgrade or a material authentication, routing, or deployment change.
Use the SDK reference to resolve any method-specific failure found during the checklist.