Not Ready for Deployment
Aevum Pre-Deployment Readiness Report
Repeatable release-control assessment for TestFlight / App Store / enterprise compliance gating.
1. Executive Summary
Validated Positives
- IntelligenceEngine package tests are green: 30 executed, 1 skipped, 0 failures.
- Canonical ingestion is materially improved and user-triggered import/habit/legacy flows now route through UnifiedIngestionService.
- Background scheduled graph-maintenance architecture has been materially reduced toward a foreground/manual baseline.
Deployment Blockers
- App-level xcodebuild failed for the iOS Simulator target with code-signing failures on generated package bundles.
- App identity, permissions, privacy claims, and compliance posture remain inconsistent or over-assertive.
- Readiness for App Store acceptance, GDPR, SOC 2, ISO 27001, and DORA is not yet evidenced to deployment standard.
Baseline conclusion: Aevum is engineering-progressive but not release-ready. Package-level logic is significantly healthier; release governance, app build integrity, privacy evidence, entitlement risk, and enterprise control evidence remain below deployment threshold.
2. Evidence Collected
| Evidence Item | Observed Result | Status |
| swift test --package-path .../Packages/IntelligenceEngine | Exit code 0. 30 tests executed, 1 skipped, 0 failures. | Pass |
| xcodebuild -project core.xcodeproj -scheme MindTwin -destination 'generic/platform=iOS Simulator' build | Exit code 65. Failed at code-signing generated simulator bundles including PhiInferenceEngine_PhiInferenceEngine.bundle and UIComponents_UIComponents.bundle. | Fail |
| Entitlements review | App still requests com.apple.developer.kernel.increased-memory-limit and com.apple.developer.kernel.extended-virtual-addressing. | High Risk |
| Privacy manifest review | No app-owned PrivacyInfo.xcprivacy found in the application repo root/targets; only dependency manifests were found in package build/checkouts. | Gap |
| Outbound model delivery review | Model download manager points to Cloudflare R2 for model assets; this contradicts stronger “nothing leaves / no cloud” language if not disclosed precisely. | Conditional Risk |
3. Readiness Matrix
| Domain | Assessment | Status | Release Gate |
| Engineering Baseline | Package-level test suite is green, but full app build is not currently green. | Amber | App build must pass consistently before TestFlight. |
| App Store / TestFlight Acceptance | High review risk due to build failure, mixed naming (MindTwin vs Aevum), aggressive entitlements, likely missing privacy manifest, and stronger-than-evidence legal copy. | Red | No-Go |
| GDPR Readiness | Local-first design helps, but documented lawful-basis, deletion/export execution evidence, third-party/vendor disclosure, and privacy notice accuracy are not yet deployment-grade. | Red | No-Go |
| SOC 2 Readiness | No evidence of an implemented control framework, formal access review, change management, incident response evidence, vendor risk program, or audit-ready evidence set. | Red | No-Go |
| ISO 27001 Readiness | No demonstrated ISMS, Statement of Applicability, risk treatment plan, asset register, or audit evidence. | Red | No-Go |
| DORA Readiness | Only relevant if Aevum is a financial entity or critical ICT provider into regulated financial entities. If applicable, current evidence is insufficient. | Conditional | No-Go if in scope |
| Security & Data Sovereignty | Primary user-thought processing appears local-first, but model artifact downloads from Cloudflare R2 and broad local legal claims require tighter disclosure and control evidence. | Amber | Conditional |
4. Highest-Risk Release Gaps
Technical Blockers
- App-level build failure on current simulator build path.
- App target still carries restricted/high-risk memory entitlements.
- Missing app-owned privacy manifest.
- Naming inconsistency across project metadata and permission strings.
Compliance Blockers
- Privacy/legal UI copy over-claims legal/compliance position.
- Right-to-erasure / export flows are not yet evidenced as enterprise-grade controls.
- External model download path requires precise disclosure, vendor treatment, and transfer narrative.
- SOC 2 / ISO 27001 / DORA evidence set is largely absent.
5. Specific Codebase Findings
| Area | Observed Evidence | Implication |
| Entitlements | App/Aevum.entitlements contains increased memory and extended virtual addressing entitlements. | Potential App Review rejection or special-approval dependency. |
| Project metadata | project.yml still names the app and scheme MindTwin, while UI and materials call it Aevum. | Brand, review, and legal inconsistency risk. |
| Permission strings | Usage descriptions mix MindTwin and Aevum. | Review polish issue and product identity inconsistency. |
| Privacy manifest | No app-owned PrivacyInfo.xcprivacy found. | Submission and privacy declaration risk. |
| Model delivery | SLMDownloadManager downloads assets from Cloudflare R2. | Must be disclosed accurately in privacy/security/compliance materials. |
| Legal copy | PrivacyManifestoView claims strict EU AI Act compliance, Apple 5.1.1 compliance, CoreLocation usage, and immediate right to erasure. | These claims need control evidence, code evidence, and legal review before release. |
6. Go / No-Go Decision
Decision: No-Go for TestFlight / App Store deployment on 2026-04-18, version 1.0, until the blockers below are cleared.
7. Mandatory Exit Criteria Before Any Deployment
| # | Exit Criterion | Owner |
| 1 | App-level xcodebuild and archive pipeline must pass from a clean environment. | Engineering |
| 2 | App Store entitlement strategy must be reviewed, and each flagged entitlement either removed, justified, or formally approved by Apple. | Engineering / Release |
| 3 | App-owned privacy manifest must be added and validated. | Engineering / Compliance |
| 4 | All product metadata and permission strings must use one approved product identity. | Product / Engineering |
| 5 | Privacy/legal copy must be aligned to actual code behavior and legally reviewed. | Legal / Compliance / Product |
| 6 | Model-download/vendor disclosure for Cloudflare R2 must be explicit in privacy and operational documentation. | Compliance / Security |
| 7 | GDPR evidence pack must exist: privacy notice, deletion/export execution evidence, RoPA/DPIA, vendor treatment, retention/deletion policy. | Compliance |
| 8 | SOC 2 / ISO 27001 readiness artifacts must exist before claiming readiness: controls, owners, evidence, policies, access review, incident response. | Security / Operations |
8. Repeatable Pre-Deployment Checklist
- Run package tests and capture output.
- Run clean app build and clean archive build.
- Verify entitlements and signing profile.
- Verify privacy manifest and App Store privacy declarations.
- Verify permission strings, branding, versioning, and legal URLs.
- Verify user-facing privacy/legal copy against current implementation.
- Verify external services, downloads, and vendors are disclosed accurately.
- Verify deletion/export flows actually execute and are test-proven.
- Update the readiness report date, version, evidence, and decision.
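The entitlement, privacy-manifest and product-identity items in the checklist above can be run as an automated gate on every assessment. The following Python script is an added example, not part of the Aevum codebase or of this assessment's tooling; the function names, the dependency directory names and the sample repository it builds are assumptions constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

RISKY_ENTITLEMENTS = {  # the two entitlements this report flags as high risk
    "com.apple.developer.kernel.increased-memory-limit",
    "com.apple.developer.kernel.extended-virtual-addressing",
}
# Assumption: dependency checkouts and build output live under these directories.
DEPENDENCY_DIRS = {".build", "checkouts", "SourcePackages", "DerivedData"}

def risky_entitlements(repo):
    """Flagged entitlement keys set to true in any *.entitlements plist."""
    plists = [plistlib.loads(p.read_bytes()) for p in repo.rglob("*.entitlements")]
    return sorted({k for pl in plists for k in RISKY_ENTITLEMENTS if pl.get(k) is True})

def app_owned_privacy_manifests(repo):
    """PrivacyInfo.xcprivacy files that are not inside a dependency directory."""
    return [p for p in repo.rglob("PrivacyInfo.xcprivacy")
            if not DEPENDENCY_DIRS & set(p.relative_to(repo).parts)]

def product_names_used(repo, names=("MindTwin", "Aevum")):
    """Product names found in project.yml; more than one means mixed identity."""
    text = (repo / "project.yml").read_text(encoding="utf-8")
    return {n for n in names if n in text}

def release_gate(repo):
    """Blocker strings for the three checks; an empty list means they pass."""
    blockers = [f"risky entitlement: {k}" for k in risky_entitlements(repo)]
    if not app_owned_privacy_manifests(repo):
        blockers.append("no app-owned PrivacyInfo.xcprivacy")
    names = product_names_used(repo)
    if len(names) > 1:
        blockers.append("mixed product identity: " + ", ".join(sorted(names)))
    return blockers

def build_sample_repo(root):
    """Constructed fixture mirroring this report's findings (not the real repo)."""
    (root / "App").mkdir()
    ents = plistlib.dumps({k: True for k in RISKY_ENTITLEMENTS})
    (root / "App" / "Aevum.entitlements").write_bytes(ents)
    dep = root / ".build" / "checkouts" / "ExampleDependency"
    dep.mkdir(parents=True)
    (dep / "PrivacyInfo.xcprivacy").write_bytes(plistlib.dumps({}))
    (root / "project.yml").write_text("name: MindTwin\nusageDescription: Aevum\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print("\n".join(release_gate(build_sample_repo(Path(tmp)))))
```

Parsing the entitlements file as a plist rather than searching it as text means a key that is present but set to false is not reported as a blocker.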
9. Versioning Standard for Future Runs
File naming standard: Aevum_Pre_Deployment_Readiness_Report_YYYY-MM-DD_vX.Y.html
Mandatory metadata in every report: report date, report version, product version, assessed branch/build, assessor, overall decision, evidence executed, blockers, exit criteria, and change since previous report.
10. Final Assessment
What improved: Antigravity’s engineering stabilization work is real. The package suite is green, and ingestion/test discipline is materially better than earlier baselines.
Why release is still blocked: launch readiness is broader than package health. Current release evidence does not yet support App Store acceptance confidence or enterprise compliance claims.