Managed GA evidence register
This register separates implemented product evidence from live or third-party gates. A checked implementation is not evidence that an external drill or legal approval occurred.
Implemented and reproducible
- Core and Cloud CI, security, browser, integration, image, and mirror gates.
- Signed amd64/arm64 RC bundles, SBOMs, checksums, installer, Compose bundle, and signed multi-architecture image.
- Exact load profile: 100 repositories, 30 servers, 50 builds, five concurrent claims, 100 MiB log, and 100 authenticated SSE clients.
- Team roles, TOTP, sessions, OIDC, service accounts, audit, environment policy, Git providers, preview environments, artifacts/caches, CLI/MCP, connector, managed admission, usage, backups, restore/rollback, export, and purge controls.
- Static marketing/docs, comparison pages, policy drafts, disclosure policy, Echo container pre-stage, and nginx/TLS/DNS rollback package.
- Managed DR procedure and strict evidence verifier.
Evidence still required before paid GA
| Gate | Required proof | Blocking owner |
|---|---|---|
| Dedicated managed infrastructure | reviewed provider/account/node-pool design, isolated tenant provisioning without manual host access, capacity and failure test | infrastructure operator |
| Production object storage | provider, bucket policy, KMS, versioning, lifecycle, object lock, least-privilege role, deletion test | infrastructure/security |
| Separate-host DR | passing sanitized evidence with RPO ≤ 4h and RTO ≤ 2h plus provider evidence | operations |
| Billing | live/test-mode transition checklist, signed webhook replay, trial/upgrade/downgrade/cancel/failed-payment and tax/refund acceptance | billing/operator |
| authenticated sending domain, invitation/verification delivery, bounce/complaint/unsubscribe handling | email/operator | |
| Independent security review | final report, critical/high closure, retest, residual-risk register | external reviewer |
| Legal and privacy | operator entity details, trademark clearance, approved terms/privacy/DPA/AUP/subprocessors and consent language | qualified counsel/operator |
| Public edge | truthful no-signup staging contract, nginx install, DNS to Echo, SAN certificate, external smoke, immutable-image rollback proof, DNS fallback proof | domain/edge operator |
| Beta outcomes | 15 active teams, five paid commitments, onboarding/retention and pipeline-success metrics | product/operator |
Paid onboarding stays closed while any row lacks authoritative evidence. Store private reports, credentials, invoices, customer commitments, and provider screenshots outside the source repository; link them from the controlled launch record by non-secret evidence ID.