# Mapex Production Go-Live Checklist

Use this as your final pre-hosting and go-live runbook.

## A. Fill These Production Values First
- Domain: mapexstore.uk
- Production server IP/host: ______________________________
- SSH/hosting user: ______________________________
- PHP version (target): 8.0+ (recommended 8.1+)
- Database host: ______________________________
- Database name: mapex
- Database user: ______________________________
- SMTP provider/domain: ______________________________
- Flutterwave mode: LIVE

## B. Pre-Deploy Local Validation (Required)
- [ ] One-time scripts are not present in web root:
  - run_import_from_img.php
  - run_standardize_categories.php
- [ ] Security files exist:
  - .htaccess
  - uploads/.htaccess
  - userimg/.htaccess
- [ ] Run syntax check:

```powershell
Set-Location C:\xampp\htdocs\finalproject
& "C:\xampp\php\php.exe" -l db.php
& "C:\xampp\php\php.exe" -l cart.php
& "C:\xampp\php\php.exe" -l collection.php
& "C:\xampp\php\php.exe" -l payment\payment.php
& "C:\xampp\php\php.exe" -l track_order.php
& "C:\xampp\php\php.exe" -l track_api.php
& "C:\xampp\php\php.exe" -l Admin\login.php
& "C:\xampp\php\php.exe" -l Admin\products.php
& "C:\xampp\php\php.exe" -l Admin\categories.php
```

## C. Server Requirements (Production)
- [ ] Apache or Nginx configured for PHP app.
- [ ] PHP extensions enabled: mysqli, curl, json, mbstring, openssl.
- [ ] MariaDB/MySQL running and reachable from app.
- [ ] SSL certificate installed and valid.
- [ ] Apache modules (if Apache): headers, rewrite.
- [ ] Directory listing disabled.

## D. Environment Variables (Set In Hosting Panel / Server)
- [ ] App security
  - MAPEX_APP_ENV=production
  - MAPEX_FORCE_HTTPS=1
  - MAPEX_FORCE_SECURE_COOKIE=1
  - MAPEX_SESSION_TIMEOUT=1800
- [ ] Database
  - MAPEX_DB_HOST=________________
  - MAPEX_DB_PORT=3306
  - MAPEX_DB_USER=________________
  - MAPEX_DB_PASS=________________
  - MAPEX_DB_NAME=mapex
- [ ] Admin seed (only used when admin table is empty)
  - MAPEX_ADMIN_USER_ID=ADMIN001
  - MAPEX_ADMIN_PASSWORD=________________
  - MAPEX_ADMIN_NAME=System Administrator
  - MAPEX_ADMIN_EMAIL=________________
  - MAPEX_ADMIN_PHONE=________________
- [ ] SMTP
  - MAPEX_SMTP_HOST=________________
  - MAPEX_SMTP_PORT=587
  - MAPEX_SMTP_USER=________________
  - MAPEX_SMTP_PASS=________________
  - MAPEX_SMTP_ENCRYPTION=tls
  - MAPEX_SMTP_FROM_EMAIL=________________
  - MAPEX_SMTP_FROM_NAME=Mapex
  - MAPEX_SMTP_REPLY_TO=________________
- [ ] Flutterwave (LIVE keys)
  - MAPEX_FLW_PUBLIC_KEY=________________
  - MAPEX_FLW_SECRET_KEY=________________
  - MAPEX_FLW_CURRENCY=USD
  - MAPEX_FLW_PAYMENT_OPTIONS=card,banktransfer,ussd
  - MAPEX_FLW_WALLET_OPTIONS=banktransfer,ussd
  - MAPEX_FLW_LOGO=https://________________

## E. Database and Permissions
- [ ] Create dedicated DB user with least privileges on mapex DB only.
- [ ] Backup database before each deployment.
- [ ] Permissions:
  - Directories: 755
  - Files: 644
  - Writable only: uploads/, userimg/
- [ ] Never set 777 on production.

## F. Deployment Steps (Staging Then Production)
### Staging
- [ ] Deploy code to staging first.
- [ ] Set staging env vars (test keys only).
- [ ] Complete smoke tests in section G.

### Production
- [ ] Deploy during low traffic window.
- [ ] Apply production env vars (live keys).
- [ ] Clear PHP opcache/restart PHP-FPM or Apache.
- [ ] Run smoke tests in section G immediately.

## G. Smoke Test Matrix (Pass/Fail)
### Customer flow
- [ ] Open home.php, collection.php, cart.php.
- [ ] Signup + login works.
- [ ] Add item to cart from collection page.
- [ ] Update quantity and remove item in cart.
- [ ] Save shipping address in cart.
- [ ] Checkout with card redirect opens Flutterwave.
- [ ] Checkout with wallet/mobile money redirect opens Flutterwave.
- [ ] Cash on delivery creates one order and clears cart once.

### Payment integrity
- [ ] Flutterwave success callback creates only one order per tx_ref/payment reference.
- [ ] Refresh callback URL does not create duplicate order.
- [ ] Stock decreases after successful order.
- [ ] Out-of-stock item returns clear message and order is not created.

### Admin flow
- [ ] Admin login works.
- [ ] Categories page loads and can add/edit/delete.
- [ ] Bulk delete categories works.
- [ ] Product add/edit/delete works.
- [ ] Bulk delete products works.

### Tracking flow
- [ ] track_order.php loads with valid tracking code.
- [ ] track_api.php returns tracking details correctly.

## H. Security Verification (Must Pass)
- [ ] HTTP to HTTPS redirect works.
- [ ] These are blocked:
  - /smtp-test.php
  - /uploads/test.php
  - /userimg/test.php
  - /run_import_from_img.php
  - /run_standardize_categories.php
- [ ] CSRF-protected forms reject invalid token requests.
- [ ] Admin login shows no default credential hints.

## I. Monitoring, Logs, and Rollback
- [ ] Enable and verify PHP error logs.
- [ ] Enable web server access/error logs.
- [ ] Uptime monitor on:
  - /home.php
  - /payment/payment.php
  - /track_order.php
- [ ] Keep previous release backup for rollback.
- [ ] Keep latest DB backup before cutover.

## J. Final Go-Live Decision
- [ ] All sections B through I are fully checked.
- [ ] No critical errors in logs after smoke tests.
- [ ] Business owner approval recorded.

## K. Cloudflare Cutover
- [ ] Follow the full guide in CLOUDFLARE_LAUNCH_STEPS.md.
- [ ] Domain added to Cloudflare and nameservers updated at registrar.
- [ ] DNS A records for @ and www point to production origin IP.
- [ ] SSL/TLS mode is Full (strict) and Always Use HTTPS is ON.
- [ ] Post-cutover URL checks and deny checks pass.

Go-live approved by: ______________________________
Date/time: ______________________________
