Production Readiness And Control Plane
TattooAPI is the governed API control plane. Readiness means the hosted API can receive governed intake, private worker, and approved portfolio workflows without giving vendors or private workers direct write authority.Health Layers
| Check | Use it for | Success means |
|---|---|---|
GET /api/v1/health/live | API liveness | The API process is running. |
GET /api/v1/health/ready | Production dependency readiness | Required providers and safety posture are configured. |
npm run smoke:api-production-release-ready | Release gate | Live and ready endpoints are both safe for production promotion. |
/live can be green while /ready is blocked. Use /ready for production decisions.
Required Provider Families
/ready reports dependency names, not secret values:
- public API hosting
- private staging for portfolio intake media
- communications buffer
- TattooAPI identity evidence lookup, not legal KYC
- outbound private worker configuration
- approved portfolio storage
- runtime and actor mapping store
- partner auth and machine access
- metadata-only observability
Release Ready
releaseReady=true means the strict release smoke saw:
/api/v1/health/livereturn200/api/v1/health/readyreturn200withstatus="ready"- no missing readiness dependency envs
- no production loopback runtime URLs
- communications and partner-auth direct probes accepted
- safety posture still blocks public writes and direct private-worker writes
Safety Posture
Production readiness keeps the boundary strict:- public writes are blocked
- direct private-worker writes to approved portfolio storage are blocked
- direct private-worker mutations to runtime records are blocked
- communications providers cannot publish directly
- staged media is private
- observability traces are metadata-only and not write authority
