Set up a New CodeCanyon App

This playbook takes a CodeCanyon Laravel app from the vendor ZIP all the way to a working production deployment — AI-assisted end to end. Phase 1 stands up the AI System (constitution, permission modes, rules, skills, IDE wiring) so every later phase runs with safety hooks and a shared contract. Follow the phases in order — your progress is saved on this device.

Phase 1 opens by creating the project folder and putting vendor code on disk (informal unzip), then machine setup, then writing AGENTS.md and the rest of the agent stack into that folder. Phase 2 is the formal git import — branches, frozen author/v* snapshot, _CUSTOMIZATIONS.md — not a second ZIP extract.

Start here

Roadmap & checklist → — every phase, step, and gate in one toggle view (roadmap or tickable checklist).

Phase 1 · Set up the AI System → — it begins with creating the project & bringing in the code, then writes the constitution, rules, and IDE wiring into the project. Ships with a copy-paste kit.

Prefer to let an agent drive? This whole playbook is also an agent skill — zaj-laravel-codecanyon — that walks every phase interactively with the safety rails (tinker, migrations, vendor handling, secrets) built in. Install it in Phase 1, then run /zaj-laravel-codecanyon and an agent follows these same steps for you. The pages here are the human-readable companion.

For AI agents — follow via the ZajLibrary MCP

These pages are the canonical, complete step list — don’t work from memory or assume a step. Drive the playbook through the ZajLibrary MCP so nothing is skipped:

1. Orient — list_contents to find the phase and its step pages; check each response’s commitShaShort so you know you’re reading the live deploy.
2. Read — get_document the phase page; its ## Steps + ## Checklist are the exact, ordered steps — execute them in order, never invent or reorder.
3. Verify — the ## Checklist is the gate; prove each item with command output before advancing.
4. Feedback — hit a gap, ambiguity, or broken step? File it with submit_feedback (pageUrl + category + dedupeKey = <phase>/<step>) so it reaches the review queue — don’t silently work around it.

The zaj-laravel-codecanyon skill enforces this loop (Constitution rules 20–21) with the full safety rails.

The phases at a glance

The twelve phases group into five stages — set up the agent, build, ship, harden, launch:

Laravel/CodeCanyon — phase pipeline

Each stage gates the next. Phase 1 (AI System) is the foundation; server bootstrap (Admin-Server, once per hosting account) must be done before Phase 4 webhooks — see the note below. Phase 12 (production) is the only stage with a human gate on every write.

Server bootstrap — before Phase 4

Once per hosting account (not per app): run the general Set up shared hosting playbook to install the Admin-Server ops toolkit on the Hostinger/cPanel server so deploy webhooks and Discord/Slack alerts work. Pair it with Phase 1 · machine setup on your laptop.

Then walk the twelve phases in order — your progress is saved on this device:

0 / 12 done Reset

1. 1 Phase 1 · Set up the AI System
   1. Create the project & bring in the code
   2. Machine setup (once per machine)
   3. Project constitution (AGENTS.md, CLAUDE.md)
   4. Claude config — settings, modes, hooks
   5. Rules & skills
   6. Cursor & other IDEs
   7. Verify & gate
2. 2 Phase 2 · Code & repository setup
   1. Prerequisites (toolchain, GitHub repo, SSH)
   2. Branch strategy
   3. Extract & snapshot the vendor
   4. Initialize the repository
   5. Wire .env templates
   6. Commit & freeze the vendor (author/v*)
   7. Optional enhancements
3. 3 Phase 3 · Local development
   1. Dependencies & assets
   2. Local database
   3. Storage, symlinks & SSL
   4. Run the installer
   5. Verify migrations & schema
   6. Commit & secure
   7. Optional tooling
4. 4 Phase 4 · Deploy pipeline
   1. Prerequisite · Admin-Server on hosting account
   2. Deployer (zero-downtime)
   3. Subdomains + SSL
   4. Production .env
   5. CI + ServerSync
   6. DNS email records
   7. Cloudflare CDN
   8. Release + incident response
5. 5 Phase 5 · Deploy to staging
   1. Pre-flight & provision host
   2. DNS + SSL
   3. First release
   4. Installer + harden
   5. Schedule, migrations + schema
   6. Rollback + monitor
   7. ServerSync capture
   8. Deep codebase audit
   9. Atlas Cloud (optional)
6. 6 Phase 6 · Superadmin / god-mode
   1. Concepts & admin model
   2. Survey & brand profile
   3. Credentials & branding
   4. Email (SMTP)
   5. Payments & plans
   6. Legal & consent
   7. Theme & system pages
   8. Engagement & SEO
7. 7 Phase 7 · Security & monitoring
   1. Harden first
   2. Security headers & packages
   3. Activity logging
   4. Off-server backups
   5. Observability (insertable gate — after Phase 5 or 12)
   6. Legal, privacy & GDPR
   7. Compliance tracks (SOC 2 · HIPAA)
8. 8 Phase 8 · Configure the app
   1. MUST path
   2. Brand kit
   3. Payments & billing
   4. Email infrastructure
   5. Performance pass
   6. Optional integrations
   7. Post-launch identity & changelog
9. 9 Phase 9 · Growth & polish
   1. SEO (do first)
   2. Engagement
   3. Support (chat + help center)
10. 10 Phase 10 · Audit & QA
    1. Static audit — code, dependencies, git
    2. Security audit
    3. Performance, database & SEO
    4. Accessibility & cookie compliance
    5. Functional QA & debugger review
    6. Pre-launch sign-off
11. 11 Phase 11 · Pre-customer checks
    1. Technical readiness (MUST)
    2. Launch signoff — tiered go/no-go
    3. Business & legal readiness
    4. Support & onboarding
12. 12 Phase 12 · Deploy to production
    1. Pre-flight security hygiene
    2. Release & first production deploy
    3. Harden, verify & sync
    4. Post-deploy monitoring & day-2

The phases in detail

All twelve phases are authored in full. Use the sidebar to jump to any phase, or start here:

Phase 1 · Set up the AI System → The foundation every later phase depends on — constitution, permission modes, rules, skills, and IDE wiring (7 steps + a copy-paste kit).

After setup — the ongoing lifecycle

Setting up the app is workflow 1 of 5. Once it’s live, these are the workflows you run again and again — all part of the same codecanyon-laravel collection:

Continuous Develop & Deploy → The everyday loop — code, test locally, ship to staging then production behind the database safety gate, and sync server-side changes back into git.

Implement Customizations → Add features without losing them on the next vendor update — the ZajModules + vendor-customizations system.

Implement Vendor Updates → Apply a new vendor release without breaking the database or your customizations — compare the schema, apply on a branch, restore your overlay.

Emergency Hotfix → Production is broken — the fast, safe path to patch a live app and roll back if needed.

New to the ideas behind these? Read the Laravel/CodeCanyon handbook (ZajModules vs vendor customizations, the three-tier admin model, schema + version management), or browse the whole collection — playbooks, handbook, cheat sheets, templates, and kits in one place.