Project 12: Deployed Multi-Session Operations Decision App

Deploy a secured, read-only Livebook App that combines bounded operational data, SLA evidence, human-owned decision support, private notes, durable handoff exports, and repeatable rollback.

Quick Reference

Attribute Value
Difficulty Level 4 — Expert
Time Estimate 35–50 hours
Language Elixir and bounded parameterized SQL; packaged JavaScript only for optional custom UI
Prerequisites Projects 5–11 or equivalent data, Kino, Nx, runtime-security, Docker, and operations experience
Key Topics Livebook Apps, multi-session isolation, read-only data access, authentication, secrets, stamping, app servers, CI deployment, capacity, observability, rollback

1. Learning Objectives

By completing this project, you will:

  1. Convert a replayable notebook into a code-hidden multi-session application without confusing presentation with sandboxing.
  2. Draw a complete authority and state-ownership map before implementing the UI.
  3. Keep operational access in a standalone runtime through least-privilege, bounded, read-only database/API interfaces.
  4. Separate private session state, immutable shared reference data, durable evidence, and deployment configuration.
  5. Integrate an optional model suggestion with provenance, abstention, and human accept/correct/skip behavior.
  6. Configure authentication, authorization expectations, shared secrets/storage, stamps, and audit evidence without exposing values.
  7. Measure cold start, warmup, session memory, shared resource memory, load, inactivity shutdown, and source freshness.
  8. Deploy an immutable notebook revision through a repeatable staging-to-production path.
  9. Define smoke tests, health dimensions, alerts, rollback triggers, and a tested previous-revision rollback.
  10. Prove that the completed production path has no mutation, attached runtime, arbitrary query, arbitrary code, or unrestricted production-shell capability.

2. Theoretical Foundation

2.1 Core Concepts

A deployed notebook is an executable service. App mode hides selected source and exposes rendered outputs, but the runtime still has operating-system, network, secret, and dependency authority. Security begins with what the runtime can access, not what the browser can see.

Multi-session is an isolation and capacity decision. Each user or workflow gets a separate notebook session. Private filters, uploads, notes, and outputs should remain in that session. Shared immutable model or reference resources may be centralized only when their lifecycle and privacy behavior are proven. Every active session consumes processes and memory, so concurrent-session capacity is a first-class design input.

State needs explicit ownership and lifetime. Private session state disappears when a session stops unless exported or written to an approved durable store. Shared cache state must never contain user content. Durable handoff evidence belongs in an external read/write store with an intentionally scoped credential; operational source systems remain read-only. Deployment settings and secrets belong outside notebook source.

Authentication is not authorization. Authentication identifies the app user. Authorization determines which environment, incident group, or dataset that identity may access. Livebook Teams and supported identity providers can protect the app surface, but the app still needs an explicit mapping from identity context to permitted read-only operations. Database credentials must not inherit browser authority implicitly.

Read-only must exist at several layers. The notebook UI exposes a fixed query/runbook catalog. Requests are parameterized and bounded. The database/API credential itself lacks mutation capability. The runtime is standalone, not attached. The final application contains no arbitrary SQL, Remote Execution, attached-node evaluation, shell, dynamic MFA, or mutating endpoint.

Freshness and process health differ. An app server can be healthy while its data is stale, a model is unavailable, or a query source is partially failing. Render revision, source mode, observed-at time, data age, last successful refresh, and failure status separately. Never convert missing data into a reassuring zero.

Deployment needs evidence and reversal. A production-ready notebook names its Git revision, dependency resolution, stamp authority, app-server image, model revision, source contract, clean-replay result, two-client isolation, memory budget, smoke result, and rollback target. Promotion should deploy the reviewed immutable revision; rollback should be a tested normal operation.

2.2 Why This Matters

Internal operations tools often begin as scripts or privileged dashboards and gradually become business-critical without gaining production controls. Livebook can shorten the path from analysis to usable application, but speed is safe only when runtime authority, identity, data limits, privacy, capacity, and rollback are made explicit. This project demonstrates a disciplined path: a rich decision surface backed by narrow read-only interfaces rather than a disguised production shell.

2.3 Historical Context / Background

Livebook Apps turn notebook outputs and Kino interactions into code-hidden web applications. Single-session apps share one live session; multi-session apps create independent sessions suited to private forms and workflow automation. Livebook Teams adds managed deployment groups, authentication options, organizational stamps, synchronized secrets and storage, and audit capabilities. CLI deployment supports CI/CD. Current official references include Deploy Livebook Apps, CLI deployment, production app-server guidance, authentication, shared secrets, shared storage, and stamping.

2.4 Common Misconceptions

  • “Code hidden means code sandboxed.” It changes presentation, not runtime authority.
  • “Authenticated users may all run the same queries.” Authorization still needs environment and data-scope policy.
  • “Read-only UI makes the system read-only.” Credential, API, runtime, and operation catalog must enforce it.
  • “Multi-session automatically protects every shared process.” A shared cache or serving process can still mix private content.
  • “A green health endpoint means current data.” Process health and source freshness are separate.
  • “A stamp proves business logic is safe.” It preserves authority/resource approval context, not semantic correctness.
  • “Rollback is just deploying an old file.” The old revision must remain compatible with current secrets, storage, schema, and app-server configuration.

3. Project Specification

3.1 What You Will Build

Build a multi-session operations decision app with these panels:

  1. Environment and provenance header: environment, app revision, runtime mode, data age, source mode, optional model revision, and health dimensions.
  2. Incident queue: at most 100 read-only, authorization-filtered incidents with severity, owner, status, and freshness.
  3. SLA evidence: bounded summary cards and charts for availability, error rate, p50/p95/p99 latency, saturation, and comparison window.
  4. Decision assistant: a reviewed runbook catalog and optional model suggestion with evidence, abstention, and human accept/correct/skip.
  5. Private notes: session-local notes clearly labeled ephemeral until the user exports.
  6. Handoff export: a sanitized, durable report containing user-approved evidence, provenance, decisions, and checksums but no secret or forbidden data.
  7. Deployment evidence: clean replay, stamp authority, named secret/storage resources, image digest, warmup, capacity, smoke tests, and rollback revision.

The production deployment uses a standalone runtime and only read-only bounded operational integrations. A separate scoped write credential may write sanitized handoff reports to a dedicated evidence store; it must have no authority over production application data.

3.2 Functional Requirements

  1. Authentication gate: no app panel renders operational content before identity is established.
  2. Authorization filter: identity context maps to allowed environment/service scope; denial is explicit and audited.
  3. Session isolation: forms, filters, uploads, notes, results, and exports remain private to the authenticated session.
  4. Read-only catalog: only fixed, parameterized, bounded data queries and diagnostic guidance exist.
  5. Freshness: every data panel includes source timestamp, observed-at timestamp, and stale/partial state.
  6. Data limits: query timeout, row cap, byte cap, comparison-window cap, and refresh minimum are enforced.
  7. Decision policy: optional model output preserves raw score, provenance, threshold, abstention, and human action separately.
  8. Durable export: only sanitized user-approved evidence enters the dedicated handoff store; export is idempotent.
  9. Revision evidence: UI and export identify notebook/app revision, data contract, query catalog, and model revision.
  10. Failure states: unauthorized, source unavailable, stale, partial, empty, query timeout, model unavailable, overloaded, and export failed are distinct.
  11. Deployment: staging and production deploy the same reviewed immutable notebook revision.
  12. Rollback: previous revision is retained and successfully redeployed through the same smoke gate.

3.3 Non-Functional Requirements

  • Security: no production mutation, attached runtime, arbitrary SQL/source/MFA, shell, or credential display.
  • Privacy: cross-session canary scan passes for UI, cache, logs, exports, and shared serving resources.
  • Availability: one slow source or optional model cannot freeze the app; partial read-only evidence remains clearly labeled.
  • Performance: initial readiness, query latency, rendering, memory, and concurrent-session limits meet declared budgets.
  • Reproducibility: dependency, source-contract, query, model, and notebook revisions are recorded.
  • Accessibility: controls have labels; status is not conveyed only by color; tables and charts have textual summaries.
  • Auditability: authentication/authorization outcome, selected catalog action, revision, time, and result status reach a durable audit sink without private payloads.
  • Recoverability: cold start and rollback work without live package/model downloads.

3.4 Example Usage / Output

OPERATIONS DECISION APP
Environment: PRODUCTION (read-only)
App revision: 9b73c2a
Runtime: standalone
Authenticated scope: payments / viewer
Data observed at: 2026-07-15T19:03:12Z
Data age: 41 seconds [CURRENT]
Model: optional-triage-r17 [READY]
Mutation capability: NONE
INCIDENT INC-TRAINING-SHAPE
Evidence window: 30 minutes
Requests: 8,241,993
Availability: 99.94%
Error rate: 0.37%
p50 / p95 / p99: 42 / 211 / 804 ms
Source status: PARTIAL — saturation feed delayed 73 seconds

Model suggestion: dependency_degradation (score 0.74)
Policy: ABSTAIN — below decision threshold 0.80
Human action: investigate dependency runbook

3.5 Real World Outcome

After authentication, two test users open separate multi-session app sessions. Their queue scope follows authorization policy. Distinct note, filter, upload, and export canaries never cross sessions. Shared reference data and an optional shared serving process contain no user content.

The UI looks and behaves as follows:

┌─────────────────────────────────────────────────────────────────────┐
│ PROD READ-ONLY | Data age 41s | App 9b73c2a | Model r17 | READY    │
├────────────────┬────────────────────────────┬───────────────────────┤
│ Incident queue │ SLA and service evidence   │ Decision assistant    │
│ severity/owner │ latency/errors/saturation  │ suggest/correct/skip  │
│ max 100 rows   │ bounded comparison window  │ human owns decision   │
├────────────────┴────────────────────────────┴───────────────────────┤
│ Private notes | read-only runbook | provenance | export handoff    │
└─────────────────────────────────────────────────────────────────────┘

The staging deployment gate produces:

DEPLOYMENT GATE
clean-runtime replay ................ PASS
source and dependency review ........ PASS
expected team stamp authority ....... PASS
secret names / no values ............ PASS
read-only integration capability .... PASS
two-user isolation canaries ......... PASS
cold start / warmup budget .......... PASS
session memory and load budget ....... PASS
stale/partial/empty failure states ... PASS
handoff idempotency ................. PASS
previous-revision rollback .......... PASS
production mutation paths ........... NONE

Only after the same immutable revision passes staging may it be promoted. Production verification remains read-only.


4. Solution Architecture

4.1 High-Level Design

AUTHORS                          APP USERS
   │                                 │
   │ strong authoring identity       │ OIDC/Teams authentication
   v                                 v
┌────────────────┐          ┌────────────────────────────┐
│ Authoring      │ review   │ Livebook app server        │
│ Livebook/Git   │─────────▶│ multi-session app surface  │
└───────┬────────┘ deploy   └──────────────┬─────────────┘
        │                                  │ one standalone runtime/session
        v                                  v
┌────────────────┐          ┌────────────────────────────┐
│ CI + immutable │          │ private session state      │
│ notebook rev   │          │ filters, notes, results    │
└────────────────┘          └───────┬─────────┬──────────┘
                                    │         │
                          read-only │         │ sanitized idempotent export
                                    v         v
                         ┌────────────────┐  ┌──────────────────┐
                         │ Ops DB/API     │  │ Handoff store    │
                         │ bounded reader │  │ dedicated writer │
                         └────────────────┘  └──────────────────┘
                                    │
                         optional   v
                              ┌──────────────┐
                              │ ML serving   │ immutable model,
                              │ no user cache│ bounded queue
                              └──────────────┘

Durable audit receives identity metadata, catalog action, revision, time,
and outcome—not query payloads, notes, image bytes, or secrets.

4.2 Key Components

Component Responsibility Key Decisions
Notebook/app document Define UI, orchestration, evidence, and app settings Keep stable domain modules in a normal package when complexity grows
Identity adapter Read authenticated context and derive app authorization scope Deny on missing or ambiguous identity
Query catalog Provide fixed read-only operational views Parameterized, timed, capped, versioned
Data adapter Normalize DB/API results and freshness Never treat missing source as zero
Session coordinator Own private filters, notes, current request, and UI state Per-session only; discard on inactivity unless exported
Shared reference cache Hold immutable public/reference metadata No user payload, query result, or note allowed
Optional Nx.Serving Batch approved model inference Immutable artifact; bounded queue; no retained content
Handoff exporter Create sanitized idempotent durable evidence Dedicated store credential unrelated to production DB
Audit emitter Record identity metadata and operation outcome External durable sink, payload-minimized
Deployment pipeline Deploy reviewed revision and preserve rollback Same artifact through staging and production

4.3 Data Structures

authorization_context = {
  authenticated_subject_id,
  groups_or_roles,
  allowed_environments,
  allowed_services,
  identity_source
}

session_state = {
  session_request_id,
  filters,
  selected_incident,
  current_generation,
  private_notes,
  latest_bounded_evidence,
  human_decision,
  export_status
}

evidence_manifest = {
  app_revision,
  query_catalog_revision,
  source_contract_revision,
  model_revision_optional,
  observed_at,
  source_freshness,
  redaction_policy_revision,
  checksums,
  human_decision
}

deployment_record = {
  notebook_revision,
  app_server_image_digest,
  dependency_manifest,
  stamp_authority,
  deployment_group,
  smoke_result,
  capacity_result,
  rollback_revision
}

Do not store secret values, raw authorization tokens, database connection strings, private notes, or user uploads in deployment or audit records.

4.4 Algorithm Overview

Key Algorithm: Authorized Read-Only Decision Workflow

  1. Establish authenticated app identity and derive allowed environment/service scope.
  2. Validate the requested catalog view, incident, filters, and time window against that scope.
  3. Allocate a request generation and render a loading state with prior evidence marked stale.
  4. Execute bounded read-only sources concurrently under supervised deadlines.
  5. Normalize results with observed-at time, source freshness, and partial-failure markers.
  6. Build bounded Explorer summaries and render cards/charts/tables.
  7. Optionally submit a bounded suggestion request; retain model provenance and raw score.
  8. Apply suggest/abstain policy and capture human action separately.
  9. Update UI only if the generation is current.
  10. On explicit export, sanitize selected evidence, compute an idempotency key, write to the dedicated handoff store, and record metadata in audit.
  11. On session shutdown, discard private state and verify shared caches contain no session content.

Complexity Analysis:

  • Query and aggregation cost: bounded by catalog-specific time/row/byte contracts; local summaries O(R log R) at worst for capped R.
  • Rendering cost: O(K) for bounded cards/chart points/table rows.
  • Per-session memory: O(K + notes bound + UI state), plus any explicitly measured per-session model preprocessing.
  • Shared model memory: architecture-dependent and measured separately from session memory.

5. Implementation Guide

5.1 Development Environment Setup

Use separate development, staging, and production configuration with distinct credentials. Development may use synthetic fixtures. Staging must mirror production authorization and schemas while containing safe data. Production credentials must be read-only for operational sources.

Environment contract
  development: synthetic/local data; no production route
  staging: production-like schema; read-only; test identities
  production: standalone runtime; bounded read-only source roles

Secret resources by name only
  OPS_READONLY_DATABASE
  OPS_READONLY_API_TOKEN
  HANDOFF_EVIDENCE_STORE
  OPTIONAL_MODEL_STORE

Forbidden in notebook source/output
  passwords, tokens, connection strings, Teams keys, cookies, raw identity claims

Use Docker and a Livebook Teams deployment group according to the current official deployment guide. CI deployment should reference protected environment secrets and the reviewed notebook path; do not embed a complete credential-bearing command in the notebook or this guide.

5.2 Project Structure

deployed-ops-app/
├── notebooks/
│   └── operations-decision-app.livemd
├── lib/
│   ├── authorization_policy.ex
│   ├── query_catalog.ex
│   ├── source_adapter.ex
│   ├── freshness.ex
│   ├── decision_policy.ex
│   ├── handoff_export.ex
│   └── audit_event.ex
├── test/
│   ├── authorization_policy_test.exs
│   ├── query_catalog_test.exs
│   ├── session_isolation_test.exs
│   ├── redaction_test.exs
│   └── handoff_export_test.exs
├── fixtures/
│   ├── incidents.json
│   ├── sla-snapshots.parquet
│   └── source-failure-scenarios.json
├── deploy/
│   ├── app-server-contract.md
│   ├── dependency-manifest.locked
│   ├── smoke-test.md
│   └── rollback-runbook.md
├── evidence/
│   └── deployment-record-schema.json
└── README.md

5.3 The Core Question You’re Answering

“What must change when an executable notebook becomes a multi-user service that influences operational decisions?”

The answer includes identity, authorization, runtime authority, session isolation, durable state, freshness, model governance, capacity, observability, immutable deployment, and rollback. App preview alone is not completion.

5.4 Concepts You Must Understand First

  1. App and session semantics
  2. Runtime authority
    • Why must this app use a standalone runtime and narrow interfaces?
    • Primary reference: Livebook runtimes
  3. Authentication and authorization
  4. Secrets, storage, and stamps
  5. App-server capacity
  6. Repeatable deployment
    • How does CI promote one immutable revision and preserve rollback?
    • Primary reference: CLI deployment
  7. Decision support
    • How do freshness, uncertainty, abstention, and human override affect action?
    • Book reference: AI Engineering — evaluation and inference chapters

5.5 Questions to Guide Your Design

  1. Which state is session-private, immutable shared cache, durable handoff, deployment config, and audit metadata?
  2. How are authenticated groups mapped to allowed environments and services?
  3. What independent enforcement makes operational data read-only?
  4. Which source failure produces stale, partial, empty, or failed UI state?
  5. Can a late query result overwrite a newer filter generation?
  6. Does any shared process retain user content after a request?
  7. What cold-start and per-session memory budget follows from the expected concurrency?
  8. What exact smoke failure triggers automatic or manual rollback?
  9. Can the previous revision still use current secrets, storage, schemas, and model artifacts?
  10. What evidence proves production contains no mutation path?

5.6 Thinking Exercise

Create a state and authority matrix before building the UI:

Actor/component Identity Reads Writes Credential Lifetime Durable evidence
App user authenticated subject authorized app views private session controls app identity session metadata only
Session runtime app revision read-only ops sources sanitized handoff only scoped resources session revision/outcome
Query catalog app code approved schemas/APIs none read-only source credential revision query ID/status
Shared cache app server immutable reference data cache refresh source reader server freshness only
Handoff exporter app code selected sanitized evidence dedicated evidence store write-only/scoped store credential request checksum/location
CI protected automation notebook artifact deployment group deploy token pipeline deployment record

Add database, model store, audit sink, author, and app server. If any row has ambiguous write authority, stop and redesign.

5.7 The Interview Questions They’ll Ask

  1. “How do single-session and multi-session Livebook Apps differ?”
  2. “Why does code-hidden app mode not sandbox notebook execution?”
  3. “How do you prevent shared caches or model serving from leaking user data?”
  4. “How do authentication and authorization differ in this app?”
  5. “What does a notebook stamp guarantee and not guarantee?”
  6. “How do you size, deploy, observe, and roll back a Livebook App?”
  7. “How do you prove a production operations tool is read-only?”

5.8 Hints in Layers

Hint 1: Begin with authority, not layout

Select standalone runtime, read-only source credentials, authorization scope, and durable evidence store before drawing cards.

Hint 2: Treat each session as disposable

Private notes and filters live in the session until explicitly exported. Never rely on session memory for durable operational decisions.

Hint 3: Make stale and partial visible

Attach freshness to each source. Do not let a healthy app process hide an old or failed feed.

Hint 4: Promote evidence, not hope

Clean replay, two-user canaries, cold start, memory, load, redaction, smoke, and rollback must pass on the exact revision.

5.9 Books That Will Help

Topic Book Chapter
Production stability and capacity Release It!, 2nd ed. Stability, capacity, and operations chapters
Architecture trade-offs Fundamentals of Software Architecture Architecture characteristics and risk chapters
Data reliability Designing Data-Intensive Applications, 2nd ed. Chapters 1, 3, and 11
Model-backed decisions AI Engineering Evaluation and inference chapters
Continuous delivery Continuous Delivery by Jez Humble and David Farley Deployment pipeline and release strategy chapters

5.10 Implementation Phases

Phase 1: Authority, Contracts, and Fixtures (8–11 hours)

Goals: prove read-only architecture and build testable domain components before app mode.

Tasks:

  1. Complete trust, state, credential, and data-flow maps.
  2. Define authorization policy and fixed query catalog.
  3. Build stale, partial, empty, timeout, unauthorized, and overload fixtures.
  4. Define evidence, redaction, audit, and idempotent handoff schemas.
  5. Define optional model provenance and abstention policy.

Checkpoint: normal Mix tests prove authorization, bounds, redaction, and no mutation capability.

Phase 2: Multi-Session App Experience (9–13 hours)

Goals: build private session workflow and honest operational presentation.

Tasks:

  1. Implement identity/scope gate and session coordinator.
  2. Add bounded queue, SLA evidence, failure states, and generation control.
  3. Add private notes and optional model suggestion/human correction.
  4. Add sanitized idempotent export.
  5. Run two-client canary and inactivity cleanup tests.

Checkpoint: app preview meets all privacy, freshness, and read-only interaction requirements.

Phase 3: App Server, Capacity, and Staging (9–13 hours)

Goals: operate the app as a service before production promotion.

Tasks:

  1. Configure Teams workspace, expected stamp authority, deployment group, authentication, secrets, and storage.
  2. Build immutable app-server image/dependency/model artifacts.
  3. Measure cold start, warmup, base memory, per-session memory, shared resources, and load.
  4. Configure inactivity shutdown and health/freshness metrics.
  5. Deploy the reviewed revision to staging and run smoke tests.

Checkpoint: staging gate passes with recorded image digest and capacity margin.

Phase 4: Promotion, Observation, and Rollback (9–13 hours)

Goals: prove deployment and recovery rather than simply publishing.

Tasks:

  1. Promote the same immutable revision through repeatable CI/manual deployment.
  2. Run production read-only smoke checks and audit verification.
  3. Freeze one source and verify freshness alarms while process health stays green.
  4. Redeploy the previous revision and repeat the gate.
  5. Restore the candidate revision only after rollback evidence is captured.

Checkpoint: production read-only verification and previous-revision rollback both pass.

5.11 Key Implementation Decisions

Decision Options Recommendation Rationale
App mode Single-session; multi-session Multi-session Private filters, notes, and workflows require isolation
Runtime Attached; standalone Standalone Narrows authority and preserves dependency isolation
Operational access Arbitrary SQL/remote code; fixed read-only catalog Fixed catalog + read-only credential/API Enforces safety beyond UI promises
Notes Shared cache; session-local with explicit export Session-local Prevents cross-user leakage
Durable export Production DB; dedicated evidence store Dedicated evidence store Separates handoff writing from operational data authority
Model Mandatory and authoritative; optional suggestion Optional suggestion with abstention/human override App remains useful and honest without model
Deployment Mutable “latest”; immutable revision Immutable revision through staging Makes rollback and evidence reliable
Dependencies/model Download at startup; prewarmed immutable artifacts Prewarmed Improves cold start and offline recoverability

6. Testing Strategy

6.1 Test Categories

Category Purpose Examples
Authorization Prevent cross-scope access role/service/environment matrix, denied identity
Query/data contract Bound operational work parameters, row/byte/time limits, stale/partial sources
Session isolation Protect private state two-user filters, notes, uploads, outputs, exports
Shared-resource privacy Keep caches/serving safe user-content canary scans after batching/cache refresh
Decision Preserve human authority abstain, model unavailable, accept/correct/skip
Export/audit Prove durable safe evidence redaction, idempotency, audit metadata, failure retry
Capacity Size app server cold start, memory/session, concurrency, inactivity shutdown
Deployment Prove promotion and reversal staging smoke, immutable revision, rollback compatibility
Security Prove read-only path credential permissions, no dynamic SQL/code, no attached runtime

6.2 Critical Test Cases

  1. Unauthenticated user: receives no operational content.
  2. Unauthorized scope: a valid user cannot request another service/environment by changing input.
  3. Two-user canaries: notes, filters, model inputs, outputs, and exports remain isolated.
  4. Shared cache scan: no user canary appears in shared state after requests finish.
  5. Late result: an older slow query cannot overwrite a newer filter generation.
  6. Stale source: process health stays ready while UI changes to stale and alarms.
  7. Partial source: valid panels remain visible with explicit missing-source context.
  8. Read-only enforcement: source credential and API reject mutation independently of notebook behavior.
  9. Model unavailable: app remains usable, reports model failure, and allows human-only decision.
  10. Handoff idempotency: retry produces one durable report identity, not duplicates.
  11. Cold offline start: approved dependencies/model are available without runtime internet fetch.
  12. Capacity threshold: excess sessions receive bounded refusal/degradation rather than memory exhaustion.
  13. Rollback: previous revision deploys and passes authentication, secrets, storage, schema, and smoke checks.
  14. Mutation-path scan: source, dependencies, configuration, UI, and network observations show no production write/attached/remote-code path.

6.3 Test Data

Identity fixtures:
  payments_viewer, catalog_viewer, unauthorized_user, missing_identity

Source fixtures:
  current, stale, partial, empty, timeout, oversized, schema_mismatch

Session canaries:
  user-A-note, user-B-note, user-A-upload, user-B-upload

Decision fixtures:
  high suggestion, low/abstain, tie, model unavailable, human correction

Deployment fixtures:
  candidate revision, previous revision, secret-name manifest,
  app-server image digest, expected stamp authority

7. Common Pitfalls & Debugging

7.1 Frequent Mistakes

Pitfall Symptom Solution
Shared input/frame used Users see another session’s data Multi-session controls plus two-user canary tests
UI says read-only but credential writes Hidden mutation capability remains Use independently read-only credential/API
App healthy, data old Operators trust stale evidence Separate runtime health and source freshness
Model copied per session Memory rises sharply with users Measure architecture; share only immutable serving resources safely
Startup downloads dependencies/model Slow or failed restart without network Prewarm and verify immutable artifacts
Notes stored in shared cache Cross-user privacy leak Keep private state in session; export explicitly
Rollback cannot access storage Old revision incompatible with current environment Version deployment contract and rehearse rollback in staging
Audit contains payloads/secrets Privacy/security incident Emit minimal metadata and scan with seeded canaries

7.2 Debugging Strategies

  • Start at the header: verify environment, revision, runtime, identity scope, source time, and model version.
  • Trace one request generation: authentication -> authorization -> query -> normalize -> render -> export.
  • Compare session and app-server memory: identify accidental per-session model/cache copies.
  • Freeze dependencies one at a time: distinguish stale data, model failure, and app-process failure.
  • Use two real authenticated test identities: one browser is insufficient evidence.
  • Inspect source credentials externally: do not rely only on notebook claims of read-only access.
  • Replay the previous revision: rollback failures are usually environment-contract drift.

7.3 Performance Traps

Avoid querying raw production-scale rows for every filter, rendering millions of points, refreshing faster than source change, compiling dependencies or model shapes per session, retaining unbounded notes/logs, and allowing multi-session count to exceed measured memory. Use bounded pre-aggregation, explicit cache keys containing no user data, fixed serving shapes, and inactivity shutdown where workflow permits.


8. Extensions & Challenges

8.1 Beginner Extensions

  • Add a downloadable provenance-only report with no operational row data.
  • Add an accessibility audit and text equivalent for every chart.
  • Add a visible “why this result is stale/partial” explainer.

8.2 Intermediate Extensions

  • Add a second read-only source with independent freshness and partial-failure behavior.
  • Add an app folder and versioned operator handbook for a team deployment.
  • Add a model-free rules suggestion and compare it with optional ML evidence.

8.3 Advanced Extensions

  • Scale app servers across a deployment group and measure session routing, capacity, and shared-resource assumptions.
  • Add a dedicated inference service behind an authenticated bounded API, keeping the Livebook app free of model memory.
  • Add signed handoff artifacts and retention/lifecycle policy in the dedicated evidence store.
  • Add automated dependency/model vulnerability and license checks to the deployment gate.

Production mutation is deliberately excluded from all extension levels. A separate project and governance review would be required.


9. Real-World Connections

9.1 Industry Applications

  • Incident decision support: combine freshness-aware telemetry with a reviewed diagnostic guide.
  • Customer-support consoles: expose bounded read-only account evidence and private handoff notes.
  • Data-quality operations: review pipeline health and generate sanitized remediation tickets.
  • ML-assisted review: suggest categories while preserving human judgment and model provenance.
  • Compliance evidence: generate reproducible, redacted, revision-identified reports.
  • Livebook: notebook apps, runtimes, deployment, and collaboration.
  • Kino: multi-user inputs, frames, screens, and app context.
  • Explorer: bounded analytical summaries.
  • Nx and Bumblebee: optional model-serving layer.
  • KinoDB: database integration patterns for Livebook.

9.3 Interview Relevance

This capstone supports senior-level discussion of trust boundaries, multi-tenancy, identity, authorization, secrets, data contracts, stale/partial states, model governance, capacity, deployment pipelines, observability, incident readiness, audit minimization, and rollback.


10. Resources

10.1 Essential Reading

10.2 Video Resources

  • Follow the current official deployment tutorial media embedded in the Livebook Apps documentation.
  • Use current Livebook Teams demonstrations at Livebook Teams for SSO, deployment, production access, and audit concepts.
  • Prefer official release demonstrations at Livebook News for multi-session app behavior.

10.3 Tools & Documentation

  • Docker: immutable app-server packaging and offline restart tests.
  • Livebook Teams deployment group: authenticated staging and production app servers.
  • Protected CI environment: deploy token and Teams key storage.
  • Structured log/audit sink: durable minimal metadata outside session memory.
  • Load generator with two authenticated identities: session isolation and capacity verification.
  • Artifact/canary scanner: detect secret and cross-session leakage in notebook, logs, caches, and exports.

11. Self-Assessment Checklist

11.1 Understanding

  • I can explain why app mode is not a sandbox.
  • I can classify every state item by owner, sharing, durability, and lifetime.
  • I can explain authentication, authorization, source credential, and audit identity separately.
  • I can prove why production integrations are read-only at more than one layer.
  • I can explain capacity and rollback using measured evidence.

11.2 Implementation

  • Authentication, authorization, session isolation, and two-user canaries pass.
  • Query catalog, source bounds, freshness, and failure states pass.
  • Optional model suggestion preserves abstention and human authority.
  • Handoff export is sanitized, idempotent, and separate from operational data authority.
  • Staging, capacity, immutable deploy, production read-only smoke, and rollback pass.
  • No production mutation, attached runtime, arbitrary query, or arbitrary code path exists.

11.3 Growth

  • I documented one feature deliberately excluded because it widened authority.
  • I can hand the rollback runbook to another operator without private instructions.
  • I can explain which notebook modules should graduate into a maintained Mix service.
  • I can defend the app’s freshness, privacy, capacity, and model-governance policies in an architecture review.

12. Submission / Completion Criteria

Minimum Viable Completion:

  • A local multi-session app preview authenticates test identity context, isolates two sessions, reads a bounded synthetic/read-only source, shows freshness, and exports a sanitized handoff.
  • Runtime is standalone and no mutation path exists.

Full Completion:

  • Authorization scope, fixed query catalog, stale/partial/empty/failure states, optional human-owned model suggestion, shared-resource privacy, idempotent export, durable audit metadata, Teams authentication/configuration, shared secrets/storage, expected stamp authority, offline cold start, capacity/load, immutable staging/production deployment, and previous-revision rollback all pass.
  • Production verification uses only bounded read-only operations.

Excellence (Going Above & Beyond):

  • Operate multiple app servers with measured capacity and recovery, externalize model inference behind a narrow service, add signed/lifecycle-managed handoff artifacts, automate dependency/model policy checks, and demonstrate a disaster-recovery rehearsal—while preserving the no-production-mutation rule.

This guide was generated from LEARN_LIVEBOOK_ELIXIR_DEEP_DIVE.md. For the complete learning path, see the parent guide.