
Document Production Candidate

Where the document platform is production-ready and where it is NOT · internal/team production candidate · NOT internet-ready · precise 3-tier truth: team-candidate · partial · deferred
Status Live Batch 13 · closeout Planning A-owned

Production candidate matrix · 3-tier truth

| Capability | Tier | Why |
| --- | --- | --- |
| Universal Document Shell (v1.3) | Team-candidate | Used by 14 A-owned pages · stable · bilingual · print + copy + share integrated. |
| Per-doc notes loop | Team-candidate | Backend persistence · session-aware mutations when DNS_REQUIRE_SESSION=true · browser fallback honest. |
| Aggregate notes backlog | Team-candidate | Reads backend as primary · banner shows active source · filter + sort work on either path. |
| Access model · 5 visibility states | Team-candidate | Resolution algorithm stable · matrix enforced client-side for all shelled pages AND server-side via /api/access/render when routed. |
| HMAC-signed sessions with exp + revocation | Team-candidate | Signing key persistent · disabled-user lockout · logout revokes · rate-limited login. |
| Optional team-secret gate | Team-candidate | DAS_TEAM_SECRET · constant-time compare · disabled by default for dev convenience. |
| Envelope gating (/api/access/gate) | Team-candidate | Shell-cooperative · swaps body on blocked · bilingual banner on restricted. |
| Server-rendered HTTP gating (/api/access/render) | Partial | Endpoint is live. For FULL route-level protection a reverse-proxy rule is required and is a deployment concern (documented in document-http-gating.html). |
| Share / Export / PDF bound to access state | Team-candidate | All three driven by allow_share/allow_export from the signed session · propagates through shell in real time. |
| Deployment docs | Team-candidate | access deployment.md + notes deployment.md + team usage guide + go-live checklist. |
| Legacy page retrofit (wave 2 bridge) | Partial | 4 planning pages have bridge strips but no shell JS. They're usable but not gate-enforced. |
| Legacy page retrofit (remaining) | Deferred | 10+ planning · 15+ runtime · 30+ KB still legacy. |
| Real password / passkey / OAuth | Deferred | Email + optional team secret only · not strong enough for public internet · out of scope. |
| TLS + HttpOnly cookie | Deferred | Deployment/platform concern · documented in deployment.md. |
| Reverse-proxy HTTP route protection | Deferred | Nginx/Cloudflare rule pattern documented · not applied. |
| Multi-writer notes backend | Deferred | Single-writer assumption · switch to SQLite/Postgres for team-scale concurrency. |
| Audit trail (auth + notes + gate) | Deferred | Currently stdout logs only. |
| Notifications (P0 notes · auth events) | Deferred | Out of scope. |
| AI periodic sweep scheduler | Deferred | Model documented since Batch 6 · no cron. |
| KB page retrofit | Deferred | Requires B-session coordination. |

Go-live checklist (internal / team) · parallel to team-usage

Mirror of the checklist on Team Usage. Use this copy when signing off on the deployment.

Known remaining risks

The platform's team-candidate state is honest. These risks are ALL documented in plain text:
