Chapter 1. Checklist

Use this checklist to align your local-first setup with how your org builds and ships software.

Platform & Architecture

  • Delivery model: What do you ship today? (SPA / REST / GraphQL / gRPC / monolith / microservices)
  • Hosting posture: Cloud (which?) / on-prem / air-gapped / hybrid — any internet egress limits for scanners?
  • Runtime target: Containers on K8s? Which cluster(s) will mirror your Minikube layout (namespaces, ingress)?
  • Language mix: Mostly Go, or polyglot? Which languages need SAST and secrets-scanning coverage on day 1?

Source Control & CI

  • Repo strategy: Monorepo vs multi-repo — where will the Make targets live (root or per-service)?
  • CI system: Which hosted CI system will call make later (Actions / GitLab / Jenkins / other)? Who owns the runner images?
  • Branch gates: Do you already enforce PR checks (required status, code owners, signed commits)?

Data & Compliance

  • Data classes: What data does the app touch? (PII/PHI/PCI) Any regulatory constraints that affect tooling choice?
  • License stance: Any license allow/deny policy already? (e.g., GPL, AGPL)
  • Audit evidence: Who needs artifacts (JSON/SBOM/reports), and in what format/cadence?

Local Constraints

  • Developer machines: Are Docker/Minikube feasible for everyone (CPU/RAM policy, Windows/macOS/Linux mix)?
  • Proxy/mirrors: Do dev networks require HTTP(S) proxies or internal package mirrors for builds?