Rendered as a real command-center page. Source notes remain in the repo for agents, but navigation uses pages and real files.
QA Launch Matrix
Scope: NyrA Swarm Little Buddy desktop paid-beta release gate.
This matrix is the release evidence map for what must keep passing before the app can take paid beta customers. It separates verified local/release gates from user-owned live deployment blockers.
Automated Release Gates
| Gate | Command | Coverage | Clean Build |
|---|---|---|---|
| Command center collaboration | npm run test:command-center | Dashboard form fields, Collaboration intake, dashboard update journal, Daily Agents page, Cloud/App Version forms, browser cloud connection controls, generated navigation | Required |
| Command center link integrity | npm run test:command-center-links | Recursively checks generated dashboard and Cloud Pages links, rejects raw Markdown/private local dashboard targets, and verifies core page/file artifacts exist | Required |
| Command center workbook | npm run test:command-center-workbook | Generated Excel workbook sheets, Command Brief queue coverage, Cloud Bootstrap queue rows, handoff markers, and secret-value exclusion | Required |
| Command center local API security | npm run test:command-center-server-security | Local dashboard API JSON content-type enforcement, request size cap, upload base64 validation, 10 MB upload cap, sanitized upload content types, and manual intake write protection | Required |
| Automation status | npm run test:automation-status | Real Codex automation files exist for required NyrA daily agents, including Business Legal, Support Ops, and Version Control, remain active, cover Today Command Brief, Daily Standup, Handoff Action Pack, Secret Store Setup Pack, Cloud Deploy Pack, Payment Launch Pack, Support Ops Pack, Release Trust Pack, Version Control Pack, Handoff Routing Rehearsal, Handoff Delta Pack, Agent Dispatch Pack, command-center handoffs, and render into the Daily Agents dashboard | Required |
| Collaboration Workspace | npm run collaboration:workspace | Generates the shared fillable dashboard model with department sections, answer fields, upload slots, cloud migration target, app-version map, visual-production loop, and daily continuation commands | Required |
| Collaboration Workspace check | npm run test:collaboration-workspace | Verifies collaboration workspace JSON/CSV/Markdown, dashboard and Collaboration page forms, Daily Brief queue, Agent Dispatch wiring, Cloud Pages inclusion, workbook build wiring, and no-secret handling | Required |
| Daily command brief | npm run daily:brief | Generates the daily operating brief from dashboard update journal, release-candidate, deployability, Handoff Action Pack, Secret Store Setup Pack, Cloud Deploy Pack, cloud, automations, marketing, visual, and task-board evidence | Required |
| Daily command brief check | npm run test:daily-brief | Verifies daily brief JSON, CSV, Markdown, dashboard page, Excel sheet, dashboard update queue, Secret Store Setup Pack queue, Cloud Deploy Pack queue, command-center state, QA matrix, clean-build wiring, and secret-value exclusion | Required |
| Agent Dispatch Pack | npm run agent:dispatch | Converts the Today Brief, dashboard update queue, and launch packs into department-level assignments, safe commands, output files, handoff blockers, and evidence routing for the daily automation team | Required |
| Agent Dispatch Pack check | npm run test:agent-dispatch | Verifies dispatch JSON, CSV, Markdown, Daily Agents dashboard, Excel workbook wiring, Cloud Pages artifact inclusion, QA matrix, clean-build wiring, and secret-value exclusion | Required |
| Source of truth map | npm run source:truth | Maps every deployability blocker to its dashboard page, field or upload slot, daily-agent coverage, department coverage, source artifacts, and verification command | Required |
| Source of truth map check | npm run test:source-truth | Verifies every launch blocker is routed, covered by daily brief/launch packs/agent dispatch, rendered in the dashboard, included in Cloud Pages, and free of raw secrets | Required |
| Daily Standup | npm run daily:standup | Generates the morning collaboration view from Today Brief, Agent Dispatch Pack, Source Of Truth Map, automation inventory, handoff deltas, cloud status, release status, and visual status | Required |
| Daily Standup check | npm run test:daily-standup | Verifies standup JSON, CSV, Markdown, dashboard page, Excel sheet, Cloud Pages artifact inclusion, QA matrix, clean-build wiring, and no-secret handling | Required |
| Handoff action pack | npm run handoff:pack | Converts handoff readiness into ordered user actions, secret-store actions, evidence slots, dashboard fields, no-secret rules, and Codex follow-up routing | Required |
| Handoff action pack check | npm run test:handoff-pack | Verifies handoff action pack JSON, CSV, Markdown, dashboard page, Excel sheet, command-center state, QA matrix, clean-build wiring, and secret-value exclusion | Required |
| Secret store setup pack | npm run secret:pack | Generates the no-raw-secret setup guide for Stripe, billing Worker, license signing, command-center bearer token, local sync variables, and verification commands | Required |
| Secret helper dry run | npm run secret:helper:dry-run | Verifies the interactive PowerShell helper can enumerate Cloudflare Worker secrets without prompts, remote writes, raw-value logging, or repo secret storage | Required |
| Secret store setup check | npm run test:secret-pack | Verifies secret-store JSON, CSV, Markdown, dashboard page, Excel sheet, Wrangler placeholder commands, handoff phasing, QA matrix, clean-build wiring, and secret-value exclusion | Required |
| Stripe setup no-secret plan | npm run billing:stripe-plan | Previews the Stripe product, monthly Price readiness, Customer Portal dependency, required dashboard fields, and no-secret rules without requiring STRIPE_SECRET_KEY or creating Stripe resources | Required |
| Stripe setup no-secret plan check | npm run test:stripe-setup-plan | Verifies Stripe setup dry-run output, approved-price planning, execute secret-key guard, live-key guard, and secret-value exclusion | Required |
| Payment Launch Pack | npm run payment:launch-pack | Converts price, hosted AI cap, Stripe product/price, Customer Portal, webhooks, billing backend, secret store, test rehearsal, and live-payment no-go rules into one dashboard/workbook queue | Required |
| Payment Launch Pack check | npm run test:payment-launch-pack | Verifies payment launch pack JSON, CSV, Markdown, dashboard page, Excel sheet, Today Brief queue, Stripe command sequence, QA matrix, clean-build wiring, and secret-value exclusion | Required |
| Support Ops Pack | npm run support:ops-pack | Converts support inbox, public support contact, diagnostics, Customer Portal, hosted billing support links, legal review, support visuals, canned replies, and support no-go rules into one dashboard/workbook queue | Required |
| Support Ops Pack check | npm run test:support-ops-pack | Verifies support ops pack JSON, CSV, Markdown, Support dashboard form, Excel sheet, Today Brief queue, Agent Dispatch routing, Cloud Pages artifact inclusion, QA matrix, clean-build wiring, and no-secret support handling | Required |
| Deployability preflight | npm run test:deployability-preflight | Single money-readiness verdict, generated JSON/Markdown report, P0 blocker coverage, dashboard page, no secret leakage | Required |
| Intake readiness scan | npm run test:intake-scan | Saved dashboard fields, upload manifest evidence, secret-store present/missing status, handoff readiness JSON/CSV/report, and dashboard page | Required |
| Handoff Routing Rehearsal | npm run handoff:rehearsal | Synthetic dry run proving dashboard answers, upload slots, and secret-presence flags route handoffs into Codex review without clearing real blockers | Required |
| Handoff Routing Rehearsal check | npm run test:handoff-rehearsal | Verifies rehearsal JSON, CSV, Markdown, Handoff Readiness dashboard, Excel sheet, Cloud Pages artifact inclusion, QA matrix, clean-build wiring, and secret-value exclusion | Required |
| Handoff Delta Pack | npm run handoff:delta | Compares the current handoff scan to the previous dashboard baseline so daily agents can see newly saved answers, uploads, and secret-presence changes | Required |
| Handoff Delta Pack check | npm run test:handoff-delta | Verifies delta JSON, CSV, Markdown, synthetic changed-handoff behavior, Handoff Readiness/Collaboration/Daily Agents/Today Brief dashboard wiring, Excel sheet, Cloud Pages artifact inclusion, automation prompt coverage, clean-build wiring, and secret-value exclusion | Required |
| Command center concurrency | npm run test:command-center-concurrency | Deployability and intake scans can run at the same time without corrupting command-center JSON state or losing either dashboard status block | Required |
| Visual asset readiness | npm run test:visual-assets | Visual asset inventory, screenshot/diagram/video evidence rows, launch-site image references, final screenshot approval semantics, and Visuals dashboard wiring | Required |
| Visual Production Pack | npm run visuals:pack | Converts visual inventory into clean-worktree screenshot refresh, API-backed capture, Customer Portal capture, demo/ad video, safe command sequence, no-go rules, dashboard, workbook, and daily brief queue | Required |
| Visual Production Pack check | npm run test:visual-production-pack | Verifies visual production pack JSON, CSV, Markdown, Visuals dashboard, Excel sheet, Today Brief queue, QA matrix, clean-build wiring, Pages artifact inclusion, and screenshot approval guardrails | Required |
| Launch site safety | npm run test:launch-site | Product screenshots, safe claims, policy links, mobile breakpoint, checkout blocked until ready | Required |
| Billing deployment pack | npm run test:billing-deploy | Billing service package, Dockerfile, secret list, deployment manifest, health check, route manifest | Required |
| Billing storage guard | npm run test:billing-storage | Entitlement store writable-health probe, atomic JSON write, production persistent-path guard, and route manifest storage metadata | Required |
| Billing live rehearsal | npm run test:billing-live-rehearsal | Guarded Stripe go-live preflight, required webhook events, Customer Portal/support/legal blockers, no repo secrets, and live-mode safety flag | Required |
| Cloud billing Worker route check | npm run cloud:billing:check | Cloudflare Worker syntax and local route harness for Checkout, Customer Portal, webhook signature verification, D1 entitlement state, and license status | Required |
| Cloud billing config sync | npm run cloud:billing:config:sync | Applies saved Cloud Billing page handoffs to non-secret production billing Worker config values for ALLOWED_ORIGIN, D1 database_id, and pinned Stripe API version | Required |
| Cloud billing config sync check | npm run test:cloud-billing-config-sync | Verifies billing dashboard-to-Worker config sync updates a temp wrangler config, avoids Stripe/license secret writes, and is wired into command-center and clean builds | Required |
| Cloud billing Worker readiness | npm run test:cloud-billing-worker | Worker/D1 config, migration, secret list, command-center page, QA matrix wiring, and local mocked Stripe/D1 route behavior | Required |
| Cloud mobile swarm bridge | npm run cloud:mobile-bridge:check | Cloudflare Worker syntax and local route harness for Android/browser swarm chat, provider status, realtime setup, audio fallback, support logs, and hosted update metadata | Required |
| Cloud mobile bridge readiness | npm run test:cloud-mobile-bridge | Verifies Worker config, required routes, secret names, R2 support-log storage, command-center page, QA matrix wiring, and clean-build coverage | Required |
| Pricing model | npm run test:pricing-model | Monthly price and hosted AI cap planner, Stripe/provider cost assumptions, snapshot/CSV generation, command-center pricing page | Required |
| Model benchmark | npm run test:model-benchmark | Auditable provider benchmark suite for fast chat, deep debugging, and high-impact safety, plus dashboard/report wiring without leaking secrets | Required |
| Public launch config / Public launch config check | npm run public:launch-config and npm run test:public-launch-config | Public domain/support/price/cap URL map, policy URLs, billing redirect URL values, Stripe business profile references, launch-site dashboard panel, Pages artifact inclusion, and no-secret handling | Required |
| Decision Recommendations / Decision Recommendations check | npm run decision:recommendations and npm run test:decision-recommendations | Suggested defaults for price, hosted AI cap, legal/entity path, support, refund policy, Cloudflare cloud path, release channel, signing, app-version path, visual approval, and Codex continuation without clearing user-owned handoffs or storing secrets | Required |
| Support readiness | npm run test:support-readiness | Settings support diagnostics export, support runbook, redaction rules, support command-center page wiring | Required |
| Release package static gate | npm run test:release-package | Release notes, known issues, rollback plan, release runbook, command-center page, and clean-build evidence wiring | Required |
| Installer artifact readiness | npm run test:installer-artifact | NSIS installer target, installer rehearsal script, release manifest installer-artifact wiring, and signed/store-trust paid-beta gate | Required |
| Release candidate preflight | npm run release:candidate:preflight | Generates the version-specific paid-beta/internal-alpha verdict from release evidence, deployability, handoffs, cloud, automations, marketing, visuals, billing, support, legal, and app-version state | Required |
| Release candidate preflight check | npm run test:release-candidate-preflight | Verifies release candidate JSON, CSV, Markdown, state, dashboard Release Package page, QA matrix, clean-build wiring, and secret-value exclusion | Required |
| App version roadmap | npm run test:app-version-roadmap | App Version dashboard roadmap, editable version/mobile fields, package version agreement, beta cut rules, mobile companion boundary, and daily version-agent queue | Required |
| Release trust artifact generation | npm run release:trust | Signing/distribution decision doc, plan JSON, plan CSV, and command-center state releaseTrust block | Required |
| Signing and distribution | npm run test:signing-distribution | Release-trust decision doc, dashboard form, signing/store paths, secret-store guidance, no-go rules, deployability wiring, and clean-build coverage | Required |
| Release Trust Pack | npm run release:trust:pack | Converts the signed/store-trusted installer blocker into release channel, signing path, evidence slot, safe command sequence, no-secret rules, dashboard, workbook, and daily brief queue | Required |
| Release Trust Pack check | npm run test:release-trust-pack | Verifies release trust pack JSON, CSV, Markdown, dashboard page, Excel sheet, Today Brief queue, QA matrix, clean-build wiring, Pages artifact inclusion, and secret-value exclusion | Required |
| Version Control Pack | npm run version:control-pack | Converts Git, GitHub remote, CI workflow, branch/tag policy, release evidence, and backup/archive status into a daily dashboard, workbook, Today Brief, and agent queue | Required |
| Version Control Pack check | npm run test:version-control-pack | Verifies version control JSON, CSV, Markdown, dashboard page, Today Brief queue, Agent Dispatch wiring, QA matrix, clean-build wiring, Pages artifact inclusion, and no credential leakage | Required |
| GitHub Actions workflows | npm run test:github-actions-workflows | Verifies GitHub Actions command-center CI and manual release-rehearsal workflows, required launch-gate commands, artifact evidence upload, QA matrix wiring, clean-build wiring, and no credential leakage | Required |
| License activation | npm run test:license-activation | Settings License & Billing panel, checkout-session activation, device token, offline grace, no renderer Stripe secrets | Required |
| NyrA API swarm provider validation | npm run validate:nyra-swarm | Confirms the desktop runtime can find configured OpenAI, Anthropic, Gemini, and Grok provider keys without exposing secret values | Required |
| NyrA Captain/Crew swarm council | npm run test:nyra-swarm-council | Verifies desktop and mobile swarm routes can use a Captain synthesis with multiple crew providers for deep, comparison, and best-model requests | Required |
| NyrA desktop/Android surface parity | npm run test:surface-parity | Verifies the desktop and Android surfaces keep the same buddy-first UX contract, Android screen capture bridge, and native bridge URL rules | Required |
| Android phone-control static gate | npm run test:android-phone-control | Verifies Android Accessibility phone control, JavaScript bridge, screen capture, direct phone actions, setup, and restricted-settings recovery wiring | Required |
| Mobile bridge security | npm run test:mobile-bridge-security | Verifies stored bridge URL/token handling, token headers, APK download token query, generated LAN token, hosted Worker docs, and no support-log path leaks | Required |
| Mobile runtime bridge startup | npm run test:mobile-runtime-bridge-status | Verifies Android startup bridge status messaging, provider readiness count, failure disclosure, and setup persistence behavior | Required |
| Mobile phone self-test | npm run test:mobile-phone-self-test | Verifies Settings can run a phone self-test covering bridge status, update manifest, APK route HEAD probe, support log upload, phone runtime, phone control, screen-look probe, and local/cloud bridge route support | Required |
| Mobile phone self-test evidence ingest | npm run test:phone-self-test-ingest | Verifies uploaded phone self-test support logs can update command-center evidence before deployability preflight without falsely clearing non-phone or failed reports | Required |
| Billing server smoke | npm run billing:smoke | Health route, unauthorized denial, active/inactive license status, checkout-session claim, device-token auth | Required |
| Paid feature static gate | npm run test:paid-feature-gates | API swarm, voice, realtime, screen capture, computer control, file/app control, and terminal entitlement gates | Required |
| Paid feature runtime smoke | npm run test:paid-feature-runtime | Unlicensed computer control, API swarm chat, and screen capture deny with NYRA_PRO_REQUIRED | Required |
| High-impact static gate | npm run test:high-impact-gates | Approval guard wiring for computer control, file/app control, developer terminal, audit logging, denial code | Required |
| High-impact runtime smoke | npm run test:high-impact-runtime | Routine action allowed, sensitive app launch blocked, installer path blocked, terminal command blocked | Required |
| Privacy consent static gate | npm run test:privacy-consent-gates | First-run consent, Settings Privacy & Consent, export/delete, main-process consent enforcement | Required |
| Privacy consent runtime smoke | npm run test:privacy-consent-runtime | Computer control, API swarm, and screen capture deny without consent; routine control works after consent | Required |
| Typed IPC static gate | npm run test:typed-ipc-gates | Preload allowlists, store-key restrictions, payload validation, no raw Electron event exposure | Required |
| Typed IPC runtime smoke | npm run test:typed-ipc-runtime | Allowed IPC still works; unknown invoke/store key/unsafe URL are blocked | Required |
| Support diagnostics runtime smoke | npm run test:support-diagnostics-runtime | Redacted diagnostics IPC works and does not leak license tokens, raw email, raw device ID, chats, or passive transcripts | Required |
| Policy readiness | npm run test:policy-readiness | Privacy, terms, EULA, refund/cancellation, security, legal review packet, command-center policy pages | Required |
| Production safety gates | npm run test:production-gates | OpenAI Responses store:false default and developer terminal env gate | Required |
| Cloud command center | npm run cloud:command-center:check | Worker API syntax, D1/R2/cloud API behavior, auth guard, local test harness | Required |
| Cloud command center sync | npm run test:cloud-command-center-sync | Browser cloud connection controls, CLI health/push/pull/source-truth/roundtrip scripts, mocked Worker state, Source Of Truth Map routing, and intake sync | Required |
| Cloudflare handoff discovery | npm run cloudflare:discover | Non-destructive Wrangler discovery for Cloudflare auth, D1, R2, Pages, and Worker deployments; writes redacted/non-secret findings to the dashboard, daily brief, workbook, and Pages artifact | Required |
| Cloudflare handoff discovery check | npm run test:cloudflare-discovery | Verifies fake authenticated discovery, no-secret redaction, dashboard/workbook generator wiring, Cloud Pages artifact inclusion, QA matrix coverage, and clean-build coverage | Required |
| Cloud bootstrap pack | npm run cloud:bootstrap:pack | Turns Cloudflare discovery, Worker configs, Pages config, D1/R2 targets, migrations, secrets, deploy commands, and first cloud sync into a plan-only resource bootstrap queue | Required |
| Cloud bootstrap pack check | npm run test:cloud-bootstrap-pack | Verifies bootstrap JSON, CSV, Markdown, dashboard/workbook/daily-agent wiring, official Wrangler references, plan-only approval rules, QA matrix, clean-build coverage, Pages artifact inclusion, and secret-value exclusion | Required |
| Cloud Worker config sync | npm run cloud:command-center:config:sync | Applies saved Cloud page handoffs to non-secret production Worker config values for ALLOWED_ORIGIN, optional ALLOWED_EMAIL, D1 database_id, R2 bucket, and closed production open API | Required |
| Cloud Worker config sync check | npm run test:cloud-command-center-config-sync | Verifies dashboard-to-Worker config sync uses non-secret state, updates a temp wrangler config, avoids token writes, and is wired into command-center and clean builds | Required |
| Cloud command-center deploy preflight | npm run cloud:command-center:deploy:preflight | Cloudflare Worker deploy config, D1/R2 bindings, cron trigger, production auth closure, Pages artifact, binary exclusion, required cloud handoffs, and post-deploy sync markers | Required |
| Cloud command-center deploy preflight check | npm run test:cloud-command-center-deploy-preflight | Verifies preflight JSON/report/state wiring, command-center Cloud page, package scripts, clean-build wiring, and no-secret handling | Required |
| Cloud Deploy Pack | npm run cloud:command-center:deploy:pack | Converts the cloud deploy preflight into Cloudflare resource targets, dashboard handoffs, safe placeholder commands, first sync sequence, no-secret rules, dashboard page, and workbook sheet | Required |
| Cloud Deploy Pack check | npm run test:cloud-command-center-deploy-pack | Verifies cloud deploy pack JSON, CSV, Markdown, dashboard page, Excel sheet, Today Brief queue, QA matrix, clean-build wiring, Pages artifact inclusion, and secret-value exclusion | Required |
| Cloud Pages dashboard | npm run cloud:command-center:pages:check | Cloudflare Pages artifact generation, private-dashboard headers, static dashboard links, and exclusion of local upload/state/server files | Required |
| Windows package build | npm run build:dir | TypeScript, Vite renderer, Electron main/preload builds, Windows unpacked app | Required |
| Release evidence generation | npm run release:evidence | Generates release-manifest.json and SHA256SUMS.txt from the actual Windows package output | Required |
| Clean release path | npm run build:clean | Temp copy outside Google Drive, fresh install, all required gates, Windows unpacked release output | Required |
Targeted Interaction Smokes
These scripts are not all part of build:clean because some are heavier UI/Electron interaction checks, but they remain available for release rehearsal and visual evidence:
| Gate | Command | Coverage |
|---|---|---|
| Computer-use smoke | npm run test:computer-use | Core computer-use smoke path |
| Computer-use actions | npm run test:computer-use:actions | Visible action execution evidence |
| Computer-use screen look | npm run test:computer-use:screen | Screen awareness evidence |
| Computer-use interrupt/stop | npm run test:computer-use:interrupt | User interruption/stop behavior evidence |
| Computer-use realtime | npm run test:computer-use:realtime | Realtime voice/computer-use path evidence |
| Computer-use camera | npm run test:computer-use:camera | Camera consent/capture evidence |
| Buddy speaker | npm run test:nyra:buddy-speaker | Buddy speech behavior evidence |
| Android alpha APK artifact | npm run test:android-alpha-release | Signed current APK, manifest checksum, signer lineage, and bundled hosted bridge handoff verification |
| Mobile support-log live smoke | npm run test:mobile-support-logs | Posts a redacted diagnostics bundle to the configured live bridge and verifies list/readback without leaking server paths |
| Clean product smoke | npm run test:product-smoke:clean | Fresh install/build in %LOCALAPPDATA%\CodexWork, then buddy speaker and one-tool computer-control evidence copied back to the dashboard |
| Clean product smoke full | npm run test:product-smoke:clean:full | Optional clean-worktree API-backed interaction run for live voice, screen, interruption, and camera screenshots when provider credentials and consent settings are ready |
Remaining Live-Rehearsal Tests
These cannot be fully completed without user-owned handoffs:
- Stripe test-mode checkout against hosted backend.
- Stripe Customer Portal cancellation against hosted backend.
- Stripe webhook endpoint using the real test-mode webhook secret.
- Desktop activation against hosted backend URL.
- Signed or store-trusted Windows installer install/reinstall flow.
- Support inbox ticket roundtrip.
- Public domain policy and launch-site URL check.
Release Evidence Rules
- A paid beta candidate needs npm run build:clean passing from a temp workspace.
- Every new P0 gate must be added to this matrix and to scripts/build-clean.ps1 unless it is explicitly marked targeted/heavy.
- Checkout must stay disabled on the generated launch site until live billing handoffs are complete.
- Test output is evidence only for the scope the test actually covers. Live Stripe, support, domain, signing, and legal review remain handoff blockers until verified directly.