Skip to main content
Run this gate before handing an on-prem build to a customer or merging runtime/provider changes toward production:
The command runs config validation, docs health checks, license checks, shared/module boundary checks, provider checks, targeted enterprise route tests, typecheck, and next build. For faster local iteration on only the enterprise route/provider contract:

Required On-Prem Shape

Use OIDC auth, S3-compatible storage, and the OpenAI gateway for the current on-prem provider path. For Keycloak-compatible deployments, use the realm issuer URL as OIDC_ISSUER_URL.
The same shape is captured in config/onprem-s3-oidc-openai.example.json. Keep secrets in the runtime secret manager; use JSON config for non-secret provider shape. The OIDC provider adapter verifies RS256 bearer/access tokens using the issuer discovery document and JWKS endpoint. Browser sign-in and callback routing remain deployment-specific; verify that flow against the selected IdP before customer handoff.

Disabled State Expectations

When a capability is disabled, the UI must hide or disable the feature and the server route must return capability_disabled with HTTP 403.

Manual UI Gate

Manual QA is required for enterprise handoff because these checks cover customer-visible integration states that are not fully represented by route tests. SaaS staging:
  • App shell renders with no config error.
  • Sign-in works with WorkOS staging credentials.
  • Chat send and conversation list work.
  • File content URLs and output content URLs load.
  • Automation callback path still works when automations are enabled.
  • Settings/system shows redacted WorkOS, Stripe test, R2, OpenRouter, Convex, and capability state.
On-prem minimal:
  • App shell renders with the minimal config.
  • Billing, SSO, webhooks, API key management, vector search, and automation entries are hidden or show the documented disabled state.
  • Primary chat and file surfaces either work with configured providers or show a precise documented disabled state.
  • Basic file listing remains available even when vector search is disabled.
On-prem S3/OIDC/OpenAI:
  • Config view shows OIDC, S3-compatible storage, OpenAI gateway, and disabled billing in redacted form.
  • No secrets, access keys, session secrets, API keys, webhook secrets, or internal service tokens appear in the browser.
  • Chat uses the configured OpenAI default model/allowlist.
  • File upload/content paths use the S3-compatible provider or show a clear disabled state if storage credentials are absent.
Mobile viewport:
  • Hidden billing, integration, SSO, webhook, and API key entries remain hidden.
  • Navigation does not leave broken gaps, empty dividers, or unreachable routes.
  • Disabled-state text fits without overlapping controls.

Release Sign-Off

Record the npm run check:phase6 result and the manual UI gate result in the release notes for any enterprise/on-prem distribution.