Raxx v1 Launch Punch List — 2026-05-23 UTC (T-9 days)
Generated 2026-05-13 UTC. Static snapshot — operator + SRE/PM agents update as items land.
TL;DR
- 8 hard blockers open (must land by 2026-05-23 UTC)
- 5 items waiting on operator action (no code work needed)
- 3 items at risk of slip (timeline tight; flag immediately if not moving)
- 5 items already done (verify only)
Hard blockers (must land by 2026-05-23)
1. Quebec geoblock — flag not yet activated — Status: OPERATOR ACTION
- Issue: #1976
- PR(s): Implementation already merged — [PR #1533](https://github.com/raxx-app/TradeMasterAPI/pull/1533) (2026-05-10). No activation PR exists yet.
- Why blocker: `FLAG_QUEBEC_GEOBLOCK` is deployed but still `default: false`. Bill 96 / OQLF enforcement is up to CAD $30,000/day. Any Quebec resident who signs up after 2026-05-23 creates instant regulatory exposure. Operator decision to geo-block was locked 2026-05-09.
- Owner: Operator (Kristerpher) — `heroku config:set` on both envs; no code ship needed
- ETA risk: LOW — the code is shipped; this is a 15-minute operator action once scheduled
- Next step: Run `heroku config:set FLAG_QUEBEC_GEOBLOCK=1 -a raxx-api-staging >/dev/null 2>&1`, verify 403 on spoofed `CF-IPRegion: QC` header, then repeat on prod. Follow all acceptance criteria in #1976. Must complete before signups open.
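The verification step above, scripted as an added example (not taken from #1976 or the project's runbooks). It compares the response to a request carrying the `CF-IPRegion` header against a control request without it, because a 403 on its own does not show that the flag is what answered. The URL is passed in by the operator, the function names are hypothetical, and it assumes the geoblocked route answers a plain GET.

```shell
#!/bin/sh
# Added example: confirm a region geoblock is live after the flag flip.
# The URL is supplied by the caller; the page does not name the signup route.

# Print the HTTP status for URL; send a CF-IPRegion header when REGION is set.
probe_status() {
    ps_url=$1 ps_region=$2
    if [ -n "$ps_region" ]; then
        curl -s -o /dev/null -m 15 -w '%{http_code}' \
             -H "CF-IPRegion: $ps_region" "$ps_url"
    else
        curl -s -o /dev/null -m 15 -w '%{http_code}' "$ps_url"
    fi
}

# Return 0 = geoblock active, 1 = not active, 2 = inconclusive, 3 = no response.
verify_geoblock() {
    vg_url=$1 vg_region=${2:-QC}
    vg_blocked=$(probe_status "$vg_url" "$vg_region") || vg_blocked=000
    vg_control=$(probe_status "$vg_url" "") || vg_control=000

    if [ "$vg_blocked" = 000 ] || [ "$vg_control" = 000 ]; then
        echo "ERROR: no HTTP response from $vg_url"
        return 3
    elif [ "$vg_blocked" = 403 ] && [ "$vg_control" != 403 ]; then
        echo "PASS: $vg_region gets 403, control gets $vg_control"
        return 0
    elif [ "$vg_blocked" = 403 ]; then
        # Everything is 403: a WAF rule or access gate could be answering,
        # so this proves nothing about the flag.
        echo "INCONCLUSIVE: control request is also 403"
        return 2
    else
        echo "FAIL: $vg_region request got $vg_blocked, expected 403"
        return 1
    fi
}

# Usage: sh verify_geoblock.sh <url> [region]   (run for staging, then prod)
if [ "$#" -ge 1 ]; then
    verify_geoblock "$@"
fi
```

Because the `heroku config:set` command above discards its output, a failed flag flip is silent; a non-zero exit from this check is what surfaces it.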
2. Securities-attorney sign-off on MBT narrative copy — Status: AT RISK
- Issue: #197 (attorney review), #196 (referral request — CLOSED, sent 2026-04-24)
- PR(s): None — waiting on attorney engagement
- Why blocker: Epic #256 explicitly states MBT v1 does not go GA until #197 is resolved. Investment Advisers Act §202(a)(11) exposure — the investor-profile narrative copy (Trial / Income Builder / Diversifier) and educational overlay copy must be reviewed before any public-facing use.
- Owner: Operator — Matthew Crosby referral reply still pending; operator must follow up and engage the referred securities attorney
- ETA risk: HIGH — attorney engagement has not started. Even a fast attorney takes 3-5 business days for a review + revision cycle. With 9 calendar days remaining, engagement must start by 2026-05-14 UTC to have any chance of landing before 2026-05-23. If not engaged by 2026-05-15, MBT v1 launch date should be moved.
- Next step: Follow up with Matthew Crosby (mcrosby@schwartzip.com) on the referral sent 2026-04-24. If no reply, ask Crosby directly for a 15-minute phone call. Do not wait past 2026-05-15 UTC.
3. Raptor prod Postgres cutover (RM-10) — Status: IN PROGRESS
- Issue: #1568 (RM-10), #1567 (RM-9 — staging soak pending close), #1556 (epic)
- PR(s): RM-1 through RM-8 all merged. Staging SOP: [PR #1596](https://github.com/raxx-app/TradeMasterAPI/pull/1596) (merged 2026-05-10). Staging cutover executed; 72-hour soak window closes approximately 2026-05-13 22:55 UTC.
- Why blocker: Raptor on `raxx-api-prod` is still on SQLite. The operator committed to Path B (Postgres v1-blocking) 2026-05-10. Without the prod cutover, Raptor prod cannot reliably support customer accounts, SC-A1 role separation is inoperative, and the audit chain commitments in ADRs 0058-0060 do not hold.
- Owner: Operator (Heroku upgrade + `heroku restart`) + `feature-developer` (SOP doc for #1568)
- ETA risk: MEDIUM — staging soak closes tonight (2026-05-13). If soak is clean, prod cutover can execute 2026-05-14. Soak must not have any Sentry errors. Prod cutover itself is a 1-2 hour operator action with a 48-hour safety window before launch.
- Next step: Confirm RM-9 soak is error-free at 2026-05-13 22:55 UTC. If clean, close #1567, dispatch `feature-developer` to write the prod SOP doc (#1568), then operator executes the prod cutover by 2026-05-16 at the latest.
4. WAF cutover challenge → block (Phases 2-4) — Status: AT RISK
- Issue: #1740 (SC-WAF-04/05), #1741 (SC-WAF-07 — FLAG_ENFORCE_CF_ORIGIN flip, gated on Phase 4f)
- PR(s): Phase 1 (log-only TF module) shipped via [PR #1795](https://github.com/raxx-app/TradeMasterAPI/pull/1795). WAF Terraform is still in log-only mode (`managed_ruleset_action = "log"`). Phase 2 (challenge) has not started.
- Why blocker: The operator agreed SC-WAF-07 (#1741 — `FLAG_ENFORCE_CF_ORIGIN` flip) is pre-launch-blocking. That flip requires Phase 4f soak to be complete. Phase 4 alone requires 7 days log + 48h challenge + 7 days block = approximately 16 days minimum wall-clock. With 9 days remaining, Phase 4f cannot complete by 2026-05-23 under the full progression in #1740.
- Owner: Operator (Terraform apply sign-offs), `feature-developer` (Terraform var changes)
- ETA risk: SLIP-CERTAIN for the full Phase 4f path. The dependency chain (#1740 → #1741) cannot close by 2026-05-23 under the original soak windows.
- Next step: Operator decision required immediately. Two viable options: (A) Accept that `FLAG_ENFORCE_CF_ORIGIN` stays off at launch and remove #1741 as a v1 pre-launch-blocker — the Heroku origin bypass is a defense-in-depth measure, not a complete-absence-of-WAF risk, since Phase 1 log mode is already deployed; or (B) Compress the soak windows with operator sign-off (e.g., run Phase 2 challenge for 24 hours on staging, Phase 3 block for 24 hours if zero false positives, accelerate prod rollout). Option A is lower risk to the launch date. This is a product/security tradeoff decision for Kristerpher.
5. Stripe webhook handler + billing data layer — Status: AT RISK
- Issue: #1682 (webhook handler), #1632 (Price ID backfill, blocked on Stripe provisioning)
- PR(s): None — blocked on Stripe account provisioning (live mode) and Queue data model
- Why blocker: Without the Stripe webhook handler, billing state is never written to Queue-DB when a customer subscribes or pays. The billing system cannot function pre- or post-launch without this. #1682 is labeled `pre-launch-blocker`. #1632 (founders-tier Price ID backfill) cannot run until Stripe live-mode account is provisioned.
- Owner: Operator must provision Stripe live-mode account and create founders Product + Price. Then `feature-developer` can implement #1682.
- ETA risk: HIGH — estimated 2-3 dev-days for implementation. No PR open, no dev in progress. Stripe provisioning has no recorded completion date. If Stripe account is not provisioned by 2026-05-15, the webhook handler cannot be built and tested in time.
- Next step: Operator to provision Stripe live-mode account this week and post confirmation on #1682. Then dispatch `feature-developer` immediately. Note: if the v1 launch is "freemium / waitlist invite only with no paid tier on day 1," this blocker may be reclassified — operator must confirm whether paid subscriptions open on 2026-05-23 or post-launch.
6. getraxx.com: Privacy Policy, Terms of Service, waitlist endpoint — Status: AT RISK
- Issues: #586 (Privacy Policy + ToS pages), #589 (waitlist form endpoint), #588 (noindex removal), #590 (cookie consent banner)
- PR(s): None — all four issues are open and blocked (attorney gate on #586 and #590; backend not wired for #589)
- Why blocker: The marketing site has footer links for "Privacy" and "Terms" that are hash stubs scrolling nowhere. Shipping a commercial site that collects email addresses without a visible privacy notice is a GDPR/CAN-SPAM/FTC violation. The waitlist form (`WaitlistSection.js`) is a confirmed no-op — every lead captured since launch has been silently discarded. The noindex header (#588) must be removed before public traffic, but #588 is itself gated on the legal pages existing.
- Owner: `feature-developer` for #589 (can start now, no attorney gate). Attorney gate on #586 and #590 — operator must first decide: (A) ship Privacy/ToS stub pages with "draft, not legally operative" banners (the card allows this), or (B) wait for attorney sign-off. Option A unblocks #588 and #589 immediately.
- ETA risk: HIGH — four cards, no PRs open, 9 days remaining. The waitlist endpoint (#589) is a 1-sprint item and can move in parallel with the attorney question.
- Next step: Dispatch `feature-developer` on #589 (waitlist endpoint wiring) immediately — no attorney gate applies to the backend implementation. For #586: decide now whether to ship draft-banners pages or wait for attorney. Given the attorney timeline risk on #197, the draft-banner option is likely the only viable path to a 2026-05-23 launch.
7. Remove CF Access beta gate from getraxx.com — Status: UNSTARTED
- Issue: #1645
- PR(s): None — operator Terraform destroy action, no PR needed. Runbook exists at `docs/ops/runbooks/getraxx-launch-day-cf-access-removal.md`.
- Why blocker: A Cloudflare Access login wall is currently in front of getraxx.com. Real users and crawlers see an auth challenge instead of the marketing site. This must be removed before any public traffic is directed to the domain.
- Owner: Operator (Terraform destroy via vault credentials)
- ETA risk: LOW — fully documented, 15-minute Terraform destroy. Zero code required.
- Next step: Execute the removal commands from the runbook on launch day (or the day before). Verify with `curl -I https://getraxx.com/` returning `HTTP/2 200`.
8. Raptor prod Postgres: SC-A1 role separation + FLAG_RAPTOR_APP_ROLE_SEPARATION — Status: UNSTARTED
- Issue: #1569 (RM-11), #1455 (security finding — DATABASE_URL as Postgres owner)
- PR(s): None — blocked on RM-10 prod cutover completing first
- Why blocker: #1455 is labeled `severity:critical` — Heroku DATABASE_URL connects as the Postgres owner, making all `raptor_app` role-separation DDL ineffective. The security commitment in ADR-0058 / SC-A1 is not live until this is corrected. Without proper role separation, a SQL injection in any Raptor endpoint has schema-level write access.
- Owner: `feature-developer` (depends on #1568 — prod cutover SOP must complete first)
- ETA risk: MEDIUM — small card (size:s) but blocked until prod cutover completes (~2026-05-14-16). Can be dispatched immediately after RM-10.
- Next step: Close #1567 once soak is confirmed, execute RM-10, then dispatch `feature-developer` on #1569.
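A check that the connection string the app actually uses lands on the restricted role and not the owner, as an added example (not from the project's code or runbooks). It assumes `psql` is installed and that the intended end state is a `raptor_app` role that is not a superuser, owns no tables, and holds CREATE on no schema; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify which Postgres role a connection string really uses.

# One output line: role|superuser(t/f)|owned_tables|schemas_with_CREATE
connected_role_facts() {
    psql -X -At -v ON_ERROR_STOP=1 -c "
        SELECT current_user, r.rolsuper,
               (SELECT count(*) FROM pg_catalog.pg_tables t
                 WHERE t.tableowner = current_user
                   AND t.schemaname NOT IN ('pg_catalog', 'information_schema')),
               (SELECT count(*) FROM pg_catalog.pg_namespace n
                 WHERE n.nspname !~ '^pg_' AND n.nspname <> 'information_schema'
                   AND has_schema_privilege(current_user, n.oid, 'CREATE'))
          FROM pg_catalog.pg_roles r
         WHERE r.rolname = current_user" "$1"
}

# Return 0 = app role is properly restricted, 1 = violation, 3 = query failed.
check_role_separation() {
    rs_expected=${2:-raptor_app}   # role name taken from the page
    rs_facts=$(connected_role_facts "$1") || { echo "ERROR: query failed"; return 3; }
    IFS='|' read -r rs_name rs_super rs_owned rs_create <<EOF
$rs_facts
EOF
    rs_rc=0
    [ "$rs_name" = "$rs_expected" ] ||
        { echo "FAIL: connected as '$rs_name', expected '$rs_expected'"; rs_rc=1; }
    [ "$rs_super" = f ] || { echo "FAIL: role is a superuser"; rs_rc=1; }
    [ "$rs_owned" = 0 ] || { echo "FAIL: role owns $rs_owned table(s)"; rs_rc=1; }
    [ "$rs_create" = 0 ] ||
        { echo "FAIL: role has CREATE on $rs_create schema(s)"; rs_rc=1; }
    [ "$rs_rc" -eq 0 ] && echo "PASS: '$rs_name' is a restricted, non-owner role"
    return "$rs_rc"
}

# Usage: sh check_role.sh "$DATABASE_URL" [expected_role]
if [ "$#" -ge 1 ]; then
    check_role_separation "$@"
fi
```

The script never prints the connection string, only the role name the server reports.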
Operator action queue (no code work needed, just operator)
- Quebec geoblock activation — #1976: `heroku config:set FLAG_QUEBEC_GEOBLOCK=1` on both staging and prod. 15-minute action. Must complete before signups open. Full procedure in the issue body.
- RM-9 soak confirmation + RM-10 prod cutover — #1567 / #1568: Confirm the 72-hour staging soak ends clean tonight (2026-05-13 22:55 UTC). If no Sentry errors: close #1567, execute the prod cutover per runbook at `docs/ops/runbooks/raptor-postgres-prod-cutover.md` (once #1568 is written).
- Stripe live-mode account provisioning — Required for #1682 and #1632: Create the Stripe live-mode account, create the founders Product + Price objects, and post the Product ID and webhook secret to Infisical at `/Raxx/Queue/Billing/Stripe/`. No card tracks this action directly — confirm it is done and comment on #1682.
- Securities-attorney follow-up on #197: Follow up with Matthew Crosby on the referral sent 2026-04-24. This cannot be delegated. If no reply by 2026-05-15, the MBT v1 attorney-review gate will miss the launch window and the launch date must move.
- WAF phase acceleration decision — #1740 / #1741: The full Phase 4f soak (14+ days) cannot complete by 2026-05-23. Decide: accept `FLAG_ENFORCE_CF_ORIGIN=false` at launch (remove #1741 as pre-launch-blocker) or compress soak windows. Comment the decision on #1740.
Items needing decision (not yet operator-actionable)
A. LLC formation timeline vs. v1 soft-launch posture
PA LLC formation was submitted 2026-05-13. Expected approval: 2026-05-25 to 2026-05-30. EIN: approximately 3-5 business days post-approval. This means the entity will not be in good standing until approximately 2026-05-28 to 2026-06-04 — 5 to 12 days after the planned launch date.
The question: can Raxx open for paying customers under sole-proprietor posture (MooseQuest LLC not yet formed) before the LLC is approved?
This is a pre-meeting question for the CPA or Matthew Crosby, not a code question. Options:
- Soft-launch 2026-05-23 as a waitlist/freemium (no paid tier) under sole-prop posture, activate paid tiers after LLC confirms.
- Delay paid-tier access until LLC is approved and bank account is open under the new entity.
- Accept the overlap if counsel confirms a sole-prop to single-member LLC revenue bridge is low-risk for a pre-revenue SaaS.
No engineering card blocks on this decision. It does affect whether Stripe provisioning (Blocker 5 above) must be wired to the new LLC entity or can use an existing account.
B. Paid subscriptions on day 1 vs. waitlist-only launch
The billing system (Stripe webhook handler #1682, Queue billing data layer) is not complete. If v1 launches as waitlist-invite-only with no paid tier active on day 1, Blocker 5 above can be reclassified from pre-launch-blocker to post-launch. Confirm launch posture so the billing team knows whether #1682 is critical-path for 2026-05-23 or can land in the week following.
C. Cookie consent banner (#590) scope
#590 is blocked on privacy attorney engagement, which is deferred to post-launch per #1642 (labeled defer:post-launch). The question: does getraxx.com fire any analytics (PostHog, Clarity) before the banner is live? If yes, the cookie banner is a pre-launch blocker for EU/UK/CA visitors. If the analytics scripts are gated off until the banner ships, this can remain deferred. Verify what fires on getraxx.com before removing the noindex header.
D. DSR erasure flow (#1630) and nightly retention job (#1631)
Both are labeled defer:post-launch but also carry pre-launch-blocker. The manual DSR SOP (#1686 — CLOSED) and the data retention policy doc (#1687 — CLOSED) were shipped as the interim bridge. Confirm with operator: the manual SOP is an acceptable substitute for launch, and #1630 / #1631 can officially move to post-launch. If confirmed, remove the pre-launch-blocker label from both.
Already done (verify only)
- #1955 — Console custom 404/403/500 error handlers. Verified: closed via [PR #1993](https://github.com/raxx-app/TradeMasterAPI/pull/1993), merged 2026-05-13. Deploy confirmed.
- #1956 — Console dashboard placeholder flag name corrected (`FLAG_CONSOLE_DASHBOARD` → `FLAG_CONSOLE_DASHBOARD_HOME`). Verified: closed via [PR #1992](https://github.com/raxx-app/TradeMasterAPI/pull/1992), merged 2026-05-13.
- #1641 — CPRA threshold self-determination form signed and committed. Verified: [PR #1977](https://github.com/raxx-app/TradeMasterAPI/pull/1977) merged 2026-05-13; operator signed as "Kristerpher Henderson, Founder / Authorized Representative, MooseQuest LLC dba Raxx" in commit `b5195ff0`. Signed doc lives at `docs/legal/artifacts/cpra-threshold-self-determination.md`.
- #1739 — SC-WAF-06 synthetic probes (per-surface WAF test flows). Verified: closed via [PR #1822](https://github.com/raxx-app/TradeMasterAPI/pull/1822), merged 2026-05-12. WAF Phase 1 (log-only) is deployed and synthetic probes pass.
- #1649 — EU/EEA geo-block at signup. Verified: closed via [PR #1652](https://github.com/raxx-app/TradeMasterAPI/pull/1652), merged 2026-05-11. `FLAG_EEA_GEOBLOCK` implementation is in parity with the Quebec pattern. (Note: activation of this flag, like the Quebec flag, should be verified against Heroku config on both environments before launch.)
Notes for downstream agents and operator
- Issues #1647 (DPAs with vendors) and #1648 (EU Art. 27 representative) are labeled `before-first-EU-customer`, not `pre-launch-blocker`. They do not block the 2026-05-23 launch if the launch is US-only. They become blocking the moment the first EU resident registers. Confirm geo-block for EU is active if the operator wants to defer these past launch.
- The self-onboarding flow (epic #469): sub-cards #476, #470, #472, #475 are CLOSED. #474 (capture first name / display name) is still OPEN and `ready-for-dev`. This is not labeled as a hard blocker but a real user cannot complete onboarding without a display name step. Recommend dispatching `feature-developer` on #474 this sprint.
- FreeScout mailbox (#710 — create `support@raxx.app` mailbox in FreeScout admin) is still OPEN and `priority:critical`. This is required before any customer email can create a ticket. MX (#708) and Postmark inbound (#709) are both CLOSED. Only the FreeScout-side mailbox creation remains. This is a 5-minute admin UI action.
- All times in this document are UTC. The 2026-05-23 UTC hard stop is midnight UTC, not midnight US Eastern or Pacific.