Skip to content
z4j docs

Production checklist

Brain

Section titled “Brain”
  • Z4J_SECRET and Z4J_SESSION_SECRET each independently set to 64 hex chars of entropy. (Z4J_SECRET doubles as the audit-log HMAC key; there is no separate audit secret.)
  • Z4J_PUBLIC_URL set to the public HTTPS URL (used in emails, cookies, cors).
  • TLS terminated in front of the brain; X-Forwarded-Proto honored.
  • Postgres 17+ with backups (pg_dump schedule or managed service snapshots).
  • At least two admin accounts (avoids lockout if one is lost).
  • Email notification channel configured per project if you use invitations / password reset.
  • Z4J_METRICS_AUTH_TOKEN set (or auto-minted) and /metrics scraped by Prometheus.
  • Container resource limits set (not unlimited).
  • Container healthcheck configured.
  • Log aggregation sinks z4j’s JSON stdout.
  • z4j audit verify scheduled via cron / Kubernetes CronJob (the CLI is the verification entry point; there is no in-process auto-verify loop).

Agents

Section titled “Agents”
  • One agent token per agent, stored in the app’s secret manager.
  • Token rotation plan documented (mint new → deploy → revoke old).
  • Z4J_BRAIN_URL uses wss:// in prod.
  • agent_name distinguishes web / worker / beat / cron processes.
  • Egress firewall allows WebSocket to brain.

Security posture

Section titled “Security posture”
  • Redaction rules reviewed for your domain-specific secrets (see redaction).
  • Rate limits verified on /auth/*, /setup, /invite/*.
  • No Z4J_BOOTSTRAP_ADMIN_* left in env after first boot.
  • Password policy appropriate for your org (length, complexity, denylist - all enforced by default).
  • Audit retention policy documented (z4j doesn’t auto-delete; you decide).

Operations

Section titled “Operations”
  • Runbook for “brain down” (restart, check Postgres, check disk).
  • Runbook for “agent offline” (check token, network, app logs).
  • Runbook for “stuck tasks” (reconciliation worker status, manual retry).
  • Disaster recovery tested - can you restore Postgres + re-mint agent tokens?

Compliance notes

Section titled “Compliance notes”

z4j is not certified against SOC 2, HIPAA, or ISO 27001. If you need compliance, the audit log export + Postgres backups provide most of the raw evidence, but you own the policies, controls, and external audit.