Production baseline
| Area | Baseline |
|---|---|
| Secrets | Use environment variables or a secret manager. Do not ship production passwords in config files. |
| Database | Use MySQL for real deployments. JSONL storage is for local smoke tests only. |
| Scheduling | Use the DB-backed lease/claim model for multi-instance semantics. |
| Rate limits | Use centralized rate-limit ledgers, not per-process memory maps. |
| Shutdown | Use graceful shutdown so claimed jobs and in-flight deliveries can be recovered. |
Smoke checks
Remote smoke

```sh
BAILING_SMOKE_URL=https://your-hub.example.com \
BAILING_SMOKE_TOKEN=<admin-token> \
npm run smoke
```
Security rule
Treat all user input and page context as untrusted data. Business permissions must be checked inside the business system after verifying signatures.
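
The order this rule implies, as an added example that is not the project's own code: verify the signature over the raw body first, then decide permissions from the business system's own records instead of anything the request claims. The page does not specify the signature scheme, so HMAC-SHA256 with a shared secret, the field names (`userId`, `action`, `role`, `pageContext`) and the in-memory permission table are all assumptions.

```javascript
const crypto = require("node:crypto");

// Constructed demo secret; in production load it from env or a secret manager.
const SHARED_SECRET = "constructed-demo-secret";

// Constructed permission table owned by the business system (hypothetical).
const PERMISSIONS = new Map([
  ["alice", new Set(["order:read"])],
  ["bob", new Set(["order:read", "order:refund"])],
]);

// Assumed scheme: hex HMAC-SHA256 over the exact raw request body.
function sign(rawBody, secret) {
  return crypto.createHmac("sha256", secret).update(rawBody).digest("hex");
}

function verifySignature(rawBody, signatureHex, secret) {
  const expected = Buffer.from(sign(rawBody, secret), "hex");
  const given = Buffer.from(String(signatureHex), "hex");
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

function handleRequest(rawBody, signatureHex) {
  // 1. Authenticate the sender before parsing anything.
  if (!verifySignature(rawBody, signatureHex, SHARED_SECRET)) {
    return { status: 401, error: "bad signature" };
  }
  // 2. A valid signature proves origin only; the content is still untrusted data.
  let req;
  try {
    req = JSON.parse(rawBody);
  } catch {
    return { status: 400, error: "invalid JSON" };
  }
  if (!req || typeof req.userId !== "string" || typeof req.action !== "string") {
    return { status: 400, error: "invalid fields" };
  }
  // 3. Authorize from the local table; req.role and req.pageContext are ignored.
  const granted = PERMISSIONS.get(req.userId);
  if (!granted || !granted.has(req.action)) {
    return { status: 403, error: "not permitted" };
  }
  return { status: 200, userId: req.userId, action: req.action };
}
```

A correctly signed request that claims `"role": "admin"` for `alice` is still rejected with 403, because the refund permission is looked up locally and never read from the payload.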