Wake-up brief — 2026-05-20 (T-3 to launch)
Generated 13:03 UTC. Launch 2026-05-23 UTC.
1. Overnight PRs (since 2026-05-19 22:00 UTC)
Merged (3): - #2553 fix(deps): bump fast-uri + @babel/plugin-transform-modules — closes 3 HIGH CVEs (#1444 #1445 #1446) - #2554 fix(ci): synthetic-gate file-issue checkout perms (#1373) - #2555 docs(ops): HTTP-200 AC on new-surface-convention (#1370)
Open (2, both green): - #2577 security(scan): nightly findings 2026-05-20 - #2491 security(scan): nightly findings 2026-05-19
Operator-blocked: 0 PRs (the 2 above are nightly scan artifacts, not blocked).
2. Operator-action queue (25 open, 30 needs-decision)
Top 5 launch-relevant ranked by impact:
| # | Issue | Why it gates launch |
|---|---|---|
| 1 | #2521 provision raptor_app role | Verified done yesterday; pending close-confirmation |
| 2 | #1645 remove CF Access from getraxx.com | Due 2026-05-23 (launch day) — runbook ready |
| 3 | #2443 Queue prod deploy — 4 Stripe LIVE keys | Blocks Queue cutover |
| 4 | #2378 CF provider TF state migration | PR #2542 ready; needs terraform apply with CF_WAF_EDIT token |
| 5 | #1735 CF WAF rollout | PR #2527 merged; needs terraform apply (getraxx first) |
Full queue: gh issue list --label operator-action (25) + gh issue list --label "needs:operator-decision" (30, partial overlap).
Operator-action items that ship today's work end-to-end: - #2537 SC-1 ADR-0101 PEM PKCS#8 vault round-trip - #2544 SC-7 raxx-dev-bot Actions:read scope - #2545 SC-8 seed BILLING_DB_PATH (operator-locked: persistent volume)
3. Wave performance (24h)
- PRs merged 2026-05-19: 40 (peak day this sprint)
- PRs merged 2026-05-20 so far: 0 (post-23:00 UTC handoff to brief)
- Open issues: 386 (was 396 at first check-in yesterday morning; net −10 net of inflow)
ready-for-devqueue: 12- Cards blocked on operator: 25 with
operator-action, 30 withneeds:operator-decision - CRIT pre-launch-blocker closures yesterday: #1455 (raptor_app least-privilege), #1354 (AKIA partial-ref false positive)
The >7d actionable-non-gated queue is empty as of 2026-05-19 22:30 UTC. Remaining old cards are intentional epics or operator-gated.
4. SEV alerts
No new SEV- issues filed since the security agent's 2026-05-19 17:14 UTC triage. The 10 open SEV- tickets in the index are historic Grubify-era artifacts unrelated to Raxx; safe to leave alone or sweep-close post-launch.
Live health pings (13:03 UTC):
- console-staging.raxx.app → 302 (CF Access)
- console.raxx.app → 302 (CF Access)
- api.raxx.app → 302 (CF Access)
- raxx.app → 302 (CF Access — see [[project_quebec_geoblock_decision]] + [[eu-geoblock-decision]] — FLAG_SIGNUP_GEOBLOCK_EU on both apps)
Latest 3 deploys: all success. No deploy-failure pattern.
5. T-3 launch readiness
Days remaining: 3 (launch 2026-05-23 UTC)
Pre-launch-blocker label count: 14 open. Down from 16 yesterday; #1455 family closed 2 of them.
Critical-path items left:
- WAF rollout (#1735, SC-WAF-04/05/05b) — TF ready, needs terraform apply from operator
- Flag reconciler (#2010 #2012 #2013) — 5-min sync job + backfill + kill-switch
- Track-B launch items #1022/#1023/#1025/#1026 — Antlers WebAuthn + Alpaca paper-mode + CF Access removal + Sentry DSN verify
- #1455 SC-5 — Raptor DB credential split runbook (low priority; docs only)
FLAG_RAPTOR_APP_ROLE_SEPARATION staging soak: started 2026-05-19 ~17:57 UTC. Ends ~2026-05-22 17:57 UTC — that's T-1. Operator flips prod after staging soak completes clean.
Standing operator-action checklist (when you have a free 30 min)
heroku config:set FLAG_RAPTOR_APP_ROLE_SEPARATION=1 -a raxx-api-prod >/dev/null 2>&1 # at T-1 (2026-05-22 ~18:00 UTC)
bash scripts/waf-state-migrate-raxx-app.sh # raxx.app cross-stack WAF (Option C locked)
cd terraform/waf && terraform apply tfplan-getraxx # getraxx.com WAF rollout ([PR #2527](https://github.com/raxx-app/TradeMasterAPI/pull/2527))
# Google Admin (recap):
# Convert raxx.app alias→secondary domain (#1212 step 0)
# Sign 4 DPAs: Heroku/Stripe/Sentry/Postmark (#1647)