Production checklist

Verify the complete custom board before directing users or search engines to it.

Work through this list on the deployed runtime with a real board.

Configuration and connectivity

  • The SDK uses https://api.cavuno.com; any explicit PUBLIC_CAVUNO_API_URL override points to the Cavuno-supplied non-production environment.
  • PUBLIC_CAVUNO_BOARD resolves the expected board name, features, language, and theme.
  • The deployed runtime satisfies Node.js 20+ or provides standards-compatible fetch, Headers, FormData, and Web APIs.
  • No operator or Admin API key is present in frontend bundles.

Public routes and data

  • Home, job listing, search, job detail, company, blog, salary, and legal routes match enabled features.
  • Empty states distinguish “no results” from an API failure.
  • Unknown records return a real 404; legacy paths use board.redirects.resolve before the 404.
  • Pagination preserves the current filters and never mixes offset and a follow-up cursor.
  • Loading and error states remain usable with JavaScript delayed or a request aborted.

Authentication and private features

  • Registration, verification, login, refresh, logout, magic link, and configured OAuth providers complete from their public entry points.
  • SSR tokens stay in the SDK session cookie and private reads use per-call authorization.
  • Candidate profile, saved jobs, applications, alerts, and messaging are tested only when the board exposes those capabilities.
  • Employer company, posting, applicant, billing, and checkout flows are exercised with the correct company membership.
  • Expired, revoked, or malformed sessions clear once and do not loop.

Monetization and external handoffs

  • Posting, candidate-access, talent-access, and invoice paths branch on the returned server status rather than assuming Stripe Checkout.
  • Checkout and portal destinations are validated before redirecting.
  • A return from checkout reloads authoritative status from the API instead of trusting query parameters.
  • Disabled plans and insufficient entitlements render an intentional upgrade or unavailable state.

SEO and discovery

  • Canonicals, Open Graph URLs, breadcrumbs, JobPosting JSON-LD, sitemap entries, and robots.txt use the production origin.
  • Expired or private jobs do not emit active JobPosting data.
  • Sitemap buckets exclude disabled features and thin taxonomy pages according to SDK rules.
  • A representative sitemap URL resolves without authentication.

Caching, security, and operations

  • Public cache lifetimes match the publish/unpublish expectation.
  • Authorization and board-password requests bypass shared caches.
  • CSP, XSS defenses, redirect validation, upload limits, and proxy rate limits are enabled.
  • Logs include API error codes and request IDs but exclude tokens, cookies, personal data, and application bodies.
  • Monitoring distinguishes Board API failures, search unavailability, rate limiting, and frontend rendering failures.

Accessibility and interface states

  • Keyboard, focus, screen-reader labels, contrast, reduced motion, and mobile layouts are reviewed on the deployed site.
  • Each major surface has loading, empty, validation, permission, rate-limit, offline, and unexpected-error behavior.
  • Destructive or paid actions require an unambiguous confirmation and remain safe against double submission.

Run the release check

bash
PUBLIC_CAVUNO_BOARD=pk_0123456789abcdef0123456789abcdef \
npx @cavuno/board doctor --frontend https://jobs.example.com

Record every pass, failure, and skip. A skipped optional feature is acceptable only when the board does not expose that feature and the reason is documented.

Production notes

  • Confirm persisted API state after every write flow—do not trust the redirect or toast alone.
  • Test disabled feature flags as deliberately as enabled ones.
  • Keep rollback instructions for DNS, routing, session-cookie, and cache-policy changes.
  • Re-run this checklist after an SDK major upgrade or a material authentication, routing, or deployment change.

Use the SDK reference to resolve any method-specific failure found during the checklist.