4 · Installer + harden

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 4 · Installer + harden
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/04-installer-smoke/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 5
- step_number: 4
- est_time: ~20 min
- description: Temporarily unblock /install, run the CodeCanyon web installer wizard, verify the app loads, then immediately re-block /install + /update and re-harden storage and .env permissions from the installer's insecure 777 state.
- tags: codecanyon, laravel, installer, hardening

## Execution rules (binding)
- This is step 4 of phase 5 (~20 min) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 4 · Installer + harden

## TL;DR

**Objective** — install the app the CodeCanyon way (a web wizard, not artisan migrations): temporarily unblock `/install`, run the wizard against the staging DB, verify the app loads, then immediately re-block `/install` + `/update` and re-harden permissions — because you opened a writable, installable surface to the public web.

:::note[User part + done-when]
**👤 User part** — running the installer wizard is browser work: open `/install`, walk the requirements/database/admin/settings screens, and **save the admin password to your password manager**. Toggling the optional Cloudflare WAF rule is also a dashboard action. An agent drives the `.htaccess` unblock/re-block and the permission harden over SSH.

**Done when** the wizard reports "Installation Complete", admin login works, `/install` is re-blocked (403), the Cloudflare WAF rule is restored, and permissions are walked back to least-privilege. &nbsp;·&nbsp; **⏱ ~20 min** &nbsp;·&nbsp; 🔀 mixed (👤 wizard + WAF, 🤖 SSH).
:::

## Background

CodeCanyon apps install through a web wizard, not artisan migrations. Phase 3 blocked `/install` and `/update` for safety, so this page **temporarily** unblocks them, runs the wizard, then re-blocks and re-hardens. The harden step is not optional — you opened a writable, installable surface to the public web.

## Steps

### 1. Temporarily unblock the `/install` route

Phase 3 added `.htaccess` rules (and possibly a Cloudflare WAF rule) blocking `/install`, `/update`, and `/upgrade-script`. Comment them out so the wizard can load.

<Steps>

1. **Unblock the install routes and remove any stale lock.**

   ```bash
   # Is /install currently blocked?
   ssh <staging-alias> "grep 'RewriteRule ^install' ~/domains/staging.yourapp.com/deploy/current/public/.htaccess 2>/dev/null"

   # Comment out the blocking rules (idempotent — skip lines already commented)
   ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
     grep -q "^RewriteRule ^install" .htaccess && \
     sed -i "s/^RewriteRule ^install/# RewriteRule ^install/" .htaccess; \
     grep -q "^RewriteRule ^update" .htaccess && \
     sed -i "s/^RewriteRule ^update/# RewriteRule ^update/" .htaccess; \
     grep -q "^RewriteRule ^upgrade-script" .htaccess && \
     sed -i "s/^RewriteRule ^upgrade-script/# RewriteRule ^upgrade-script/" .htaccess; \
     echo "install/update unblocked"'

   # Remove any stale install lock
   ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed 2>/dev/null && echo 'lock removed'"
   # Expected: "install/update unblocked" and "lock removed"
   ```

   - ✅ The blocking rules are commented out and any stale `installed` lock is removed.

2. **Confirm the wizard is reachable.**

   ```bash
   curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 200
   # Expected: HTTP/2 200
   ```

   - ✅ `/install` returns `HTTP/2 200`.

</Steps>

If you created a Cloudflare WAF rule in Phase 3, toggle it **OFF** now (👤): *Cloudflare → Security → WAF → "Block install and update routes" → OFF*.

:::note[A 500 on `/` is still expected here]
The database is empty until the wizard runs — the homepage may 500. You're only confirming `/install` returns 200.
:::

### 2. Run the installer wizard

The wizard is browser-only — an agent can't click through it. Open `https://staging.yourapp.com/install` and walk the screens.

:::note[Who does this]
👤 **User** runs the web wizard in a browser and saves the admin password to a password manager — interactive, in-browser steps an agent can't perform.
:::

<Steps>

1. **Requirements** — all checks green → Next. (Reds usually mean a missing PHP extension or a permission the page-3 `chmod 777` should have fixed.)

   - ✅ Every requirement check is green.

2. **Database** — Host `localhost`; database / username / password from `.env.staging`; **Test Connection** → Next.

   - ✅ Test Connection succeeds against the staging DB.

3. **Admin account** — name, a staging admin email, and a **strong password saved to your password manager now**.

   - ✅ The admin account is created and its password is in the vault.

4. **Settings** — app name (e.g. "Your App — Staging"), URL `https://staging.yourapp.com`.

   - ✅ App name and URL are set for staging.

5. **Install / Finish** → confirm "Installation Complete".

   - ✅ The wizard reports "Installation Complete".

</Steps>

Use the table to recover from a wizard that won't load or stalls:

| Installer result | Action |
|---|---|
| Wizard loads | Continue |
| 403 Forbidden | `.htaccess` still blocking — re-run section 1 |
| 404 | Installer route missing — confirm the app ships one |
| 500 | `tail -50 …/deploy/current/storage/logs/laravel.log` |
| 504 Gateway Timeout | PHP timeout too low — confirm `shared/.user.ini` has `max_execution_time = 300` (page 1, step 7), then retry |
| "Access Denied" mid-wizard | Stale cached config with old DB values — `optimize:clear` with the versioned PHP binary (page 3, step 2), then retry |
| "Already installed" | Remove `storage/installed` (section 1) |

:::danger[Broken-state 500 on `/install` — first install only]
If a partial/failed migration leaves the database half-built, a 500 can persist. **Only on a first install with no real data**, reset and retry:

```bash
# GUARD FIRST — refuse to wipe a DB that already holds users. `--force` skips
# the interactive prompt, so prose like "first install only" is not a safeguard
# on a shared/re-run staging DB. Abort unless the users table is empty (0 rows).
ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current && \
  USERS=$(php artisan tinker --execute="echo \DB::table(\"users\")->count();" 2>/dev/null | tail -1) && \
  if [ "${USERS:-1}" != "0" ]; then echo "ABORT: users table has $USERS row(s) — not a clean first install"; exit 1; fi && \
  php artisan db:wipe --force'
ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed"
# then reload /install in the browser
```

Use `db:wipe`, not `migrate:fresh` — the web installer builds the schema correctly, while `migrate:fresh` can trip over CodeCanyon migration-ordering bugs. This **destroys all data** — the guard above blocks it once the app holds users; never lift the guard on a DB you care about.
:::

### 3. Verify the installation

Sign in and confirm the app is healthy after the wizard.

:::note[Who does this]
👤 **User** signs in at `/login` with the admin account and walks the dashboard in a browser — interactive verification an agent can't drive.
:::

<Steps>

1. **Sign in at `/login` and walk the post-install checks.**

   Visit `https://staging.yourapp.com/login` and sign in with the admin account.

   | Check | Pass |
   |---|---|
   | Dashboard loads | [ ] |
   | Navigation works | [ ] |
   | No PHP errors | [ ] |
   | CSS/JS loading | [ ] |
   | SSL padlock shows | [ ] |

   - ✅ Admin login works and all five post-install checks pass.

</Steps>

### 4. Re-block `/install` and `/update`

The writable, installable surface must close as soon as the wizard finishes.

<Steps>

1. **Re-comment the blocking rules and confirm `/install` is forbidden.**

   ```bash
   ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
     grep -q "^# RewriteRule ^install" .htaccess && \
     sed -i "s/^# RewriteRule ^install/RewriteRule ^install/" .htaccess; \
     grep -q "^# RewriteRule ^update" .htaccess && \
     sed -i "s/^# RewriteRule ^update/RewriteRule ^update/" .htaccess; \
     grep -q "^# RewriteRule ^upgrade-script" .htaccess && \
     sed -i "s/^# RewriteRule ^upgrade-script/RewriteRule ^upgrade-script/" .htaccess; \
     echo "install/update re-blocked"'

   curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 403
   # Expected: "install/update re-blocked" then HTTP/2 403
   ```

   - ✅ The rules are restored and `/install` returns `HTTP/2 403`.

</Steps>

Re-enable the Cloudflare WAF rule if you toggled it off (👤).

:::danger[Do not skip the re-block]
An installable, world-writable app on the public web can be reinstalled by anyone who finds `/install`, wiping or hijacking the database. Re-blocking and re-hardening are part of "the installer ran," not a follow-up nicety.
:::

### 5. Re-harden permissions

Walk back the temporary 777 from page 3 to least-privilege.

<Steps>

1. **Restore least-privilege on storage and `.env`.**

   ```bash
   # storage: dirs 775, files 664
   ssh <staging-alias> "cd ~/domains/staging.yourapp.com/deploy/shared/storage && \
     find . -type d -exec chmod 775 {} \; && find . -type f -exec chmod 664 {} \;"

   # .env: 640
   ssh <staging-alias> "chmod 640 ~/domains/staging.yourapp.com/deploy/shared/.env"
   # Expected: storage dirs 775 / files 664; .env 640
   ```

   - ✅ Storage dirs are `775`, files `664`, and `.env` is `640`.

</Steps>

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Wizard completed** — `/install` reachable (200), wizard completed, "Installation Complete" shown.
- [ ] **👤 App verified** — all five post-install checks pass; admin login works.
- [ ] **🔀 Routes re-blocked** — `/install` re-blocked (403); Cloudflare WAF rule restored.
- [ ] **🤖 Permissions re-hardened** — storage dirs `775` / files `664`; `.env` `640`.

:::next[Next step]
[Schedule, migrations + schema](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/05-secure-verify-schema/)
:::

# 4 · Installer + harden

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/04-installer-smoke/

## TL;DR

**Objective** — install the app the CodeCanyon way (a web wizard, not artisan migrations): temporarily unblock `/install`, run the wizard against the staging DB, verify the app loads, then immediately re-block `/install` + `/update` and re-harden permissions — because you opened a writable, installable surface to the public web.

:::note[User part + done-when]
**👤 User part** — running the installer wizard is browser work: open `/install`, walk the requirements/database/admin/settings screens, and **save the admin password to your password manager**. Toggling the optional Cloudflare WAF rule is also a dashboard action. An agent drives the `.htaccess` unblock/re-block and the permission harden over SSH.

**Done when** the wizard reports "Installation Complete", admin login works, `/install` is re-blocked (403), the Cloudflare WAF rule is restored, and permissions are walked back to least-privilege. &nbsp;·&nbsp; **⏱ ~20 min** &nbsp;·&nbsp; 🔀 mixed (👤 wizard + WAF, 🤖 SSH).
:::

## Background

CodeCanyon apps install through a web wizard, not artisan migrations. Phase 3 blocked `/install` and `/update` for safety, so this page **temporarily** unblocks them, runs the wizard, then re-blocks and re-hardens. The harden step is not optional — you opened a writable, installable surface to the public web.

## Steps

### 1. Temporarily unblock the `/install` route

Phase 3 added `.htaccess` rules (and possibly a Cloudflare WAF rule) blocking `/install`, `/update`, and `/upgrade-script`. Comment them out so the wizard can load.

<Steps>

1. **Unblock the install routes and remove any stale lock.**

   ```bash
   # Is /install currently blocked?
   ssh <staging-alias> "grep 'RewriteRule ^install' ~/domains/staging.yourapp.com/deploy/current/public/.htaccess 2>/dev/null"

   # Comment out the blocking rules (idempotent — skip lines already commented)
   ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
     grep -q "^RewriteRule ^install" .htaccess && \
     sed -i "s/^RewriteRule ^install/# RewriteRule ^install/" .htaccess; \
     grep -q "^RewriteRule ^update" .htaccess && \
     sed -i "s/^RewriteRule ^update/# RewriteRule ^update/" .htaccess; \
     grep -q "^RewriteRule ^upgrade-script" .htaccess && \
     sed -i "s/^RewriteRule ^upgrade-script/# RewriteRule ^upgrade-script/" .htaccess; \
     echo "install/update unblocked"'

   # Remove any stale install lock
   ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed 2>/dev/null && echo 'lock removed'"
   # Expected: "install/update unblocked" and "lock removed"
   ```

   - ✅ The blocking rules are commented out and any stale `installed` lock is removed.

2. **Confirm the wizard is reachable.**

   ```bash
   curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 200
   # Expected: HTTP/2 200
   ```

   - ✅ `/install` returns `HTTP/2 200`.

</Steps>

If you created a Cloudflare WAF rule in Phase 3, toggle it **OFF** now (👤): *Cloudflare → Security → WAF → "Block install and update routes" → OFF*.

:::note[A 500 on `/` is still expected here]
The database is empty until the wizard runs — the homepage may 500. You're only confirming `/install` returns 200.
:::

### 2. Run the installer wizard

The wizard is browser-only — an agent can't click through it. Open `https://staging.yourapp.com/install` and walk the screens.

:::note[Who does this]
👤 **User** runs the web wizard in a browser and saves the admin password to a password manager — interactive, in-browser steps an agent can't perform.
:::

<Steps>

1. **Requirements** — all checks green → Next. (Reds usually mean a missing PHP extension or a permission the page-3 `chmod 777` should have fixed.)

   - ✅ Every requirement check is green.

2. **Database** — Host `localhost`; database / username / password from `.env.staging`; **Test Connection** → Next.

   - ✅ Test Connection succeeds against the staging DB.

3. **Admin account** — name, a staging admin email, and a **strong password saved to your password manager now**.

   - ✅ The admin account is created and its password is in the vault.

4. **Settings** — app name (e.g. "Your App — Staging"), URL `https://staging.yourapp.com`.

   - ✅ App name and URL are set for staging.

5. **Install / Finish** → confirm "Installation Complete".

   - ✅ The wizard reports "Installation Complete".

</Steps>

Use the table to recover from a wizard that won't load or stalls:

| Installer result | Action |
|---|---|
| Wizard loads | Continue |
| 403 Forbidden | `.htaccess` still blocking — re-run section 1 |
| 404 | Installer route missing — confirm the app ships one |
| 500 | `tail -50 …/deploy/current/storage/logs/laravel.log` |
| 504 Gateway Timeout | PHP timeout too low — confirm `shared/.user.ini` has `max_execution_time = 300` (page 1, step 7), then retry |
| "Access Denied" mid-wizard | Stale cached config with old DB values — `optimize:clear` with the versioned PHP binary (page 3, step 2), then retry |
| "Already installed" | Remove `storage/installed` (section 1) |

:::danger[Broken-state 500 on `/install` — first install only]
If a partial/failed migration leaves the database half-built, a 500 can persist. **Only on a first install with no real data**, reset and retry:

```bash
# GUARD FIRST — refuse to wipe a DB that already holds users. `--force` skips
# the interactive prompt, so prose like "first install only" is not a safeguard
# on a shared/re-run staging DB. Abort unless the users table is empty (0 rows).
ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current && \
  USERS=$(php artisan tinker --execute="echo \DB::table(\"users\")->count();" 2>/dev/null | tail -1) && \
  if [ "${USERS:-1}" != "0" ]; then echo "ABORT: users table has $USERS row(s) — not a clean first install"; exit 1; fi && \
  php artisan db:wipe --force'
ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed"
# then reload /install in the browser
```

Use `db:wipe`, not `migrate:fresh` — the web installer builds the schema correctly, while `migrate:fresh` can trip over CodeCanyon migration-ordering bugs. This **destroys all data** — the guard above blocks it once the app holds users; never lift the guard on a DB you care about.
:::

### 3. Verify the installation

Sign in and confirm the app is healthy after the wizard.

:::note[Who does this]
👤 **User** signs in at `/login` with the admin account and walks the dashboard in a browser — interactive verification an agent can't drive.
:::

<Steps>

1. **Sign in at `/login` and walk the post-install checks.**

   Visit `https://staging.yourapp.com/login` and sign in with the admin account.

   | Check | Pass |
   |---|---|
   | Dashboard loads | [ ] |
   | Navigation works | [ ] |
   | No PHP errors | [ ] |
   | CSS/JS loading | [ ] |
   | SSL padlock shows | [ ] |

   - ✅ Admin login works and all five post-install checks pass.

</Steps>

### 4. Re-block `/install` and `/update`

The writable, installable surface must close as soon as the wizard finishes.

<Steps>

1. **Re-comment the blocking rules and confirm `/install` is forbidden.**

   ```bash
   ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
     grep -q "^# RewriteRule ^install" .htaccess && \
     sed -i "s/^# RewriteRule ^install/RewriteRule ^install/" .htaccess; \
     grep -q "^# RewriteRule ^update" .htaccess && \
     sed -i "s/^# RewriteRule ^update/RewriteRule ^update/" .htaccess; \
     grep -q "^# RewriteRule ^upgrade-script" .htaccess && \
     sed -i "s/^# RewriteRule ^upgrade-script/RewriteRule ^upgrade-script/" .htaccess; \
     echo "install/update re-blocked"'

   curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 403
   # Expected: "install/update re-blocked" then HTTP/2 403
   ```

   - ✅ The rules are restored and `/install` returns `HTTP/2 403`.

</Steps>

Re-enable the Cloudflare WAF rule if you toggled it off (👤).

:::danger[Do not skip the re-block]
An installable, world-writable app on the public web can be reinstalled by anyone who finds `/install`, wiping or hijacking the database. Re-blocking and re-hardening are part of "the installer ran," not a follow-up nicety.
:::

### 5. Re-harden permissions

Walk back the temporary 777 from page 3 to least-privilege.

<Steps>

1. **Restore least-privilege on storage and `.env`.**

   ```bash
   # storage: dirs 775, files 664
   ssh <staging-alias> "cd ~/domains/staging.yourapp.com/deploy/shared/storage && \
     find . -type d -exec chmod 775 {} \; && find . -type f -exec chmod 664 {} \;"

   # .env: 640
   ssh <staging-alias> "chmod 640 ~/domains/staging.yourapp.com/deploy/shared/.env"
   # Expected: storage dirs 775 / files 664; .env 640
   ```

   - ✅ Storage dirs are `775`, files `664`, and `.env` is `640`.

</Steps>

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Wizard completed** — `/install` reachable (200), wizard completed, "Installation Complete" shown.
- [ ] **👤 App verified** — all five post-install checks pass; admin login works.
- [ ] **🔀 Routes re-blocked** — `/install` re-blocked (403); Cloudflare WAF rule restored.
- [ ] **🤖 Permissions re-hardened** — storage dirs `775` / files `664`; `.env` `640`.

:::next[Next step]
[Schedule, migrations + schema](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/05-secure-verify-schema/)
:::

TL;DR

Objective — install the app the CodeCanyon way (a web wizard, not artisan migrations): temporarily unblock /install, run the wizard against the staging DB, verify the app loads, then immediately re-block /install + /update and re-harden permissions — because you opened a writable, installable surface to the public web.

Background

CodeCanyon apps install through a web wizard, not artisan migrations. Phase 3 blocked /install and /update for safety, so this page temporarily unblocks them, runs the wizard, then re-blocks and re-hardens. The harden step is not optional — you opened a writable, installable surface to the public web.

Steps

1. Temporarily unblock the `/install` route

Phase 3 added .htaccess rules (and possibly a Cloudflare WAF rule) blocking /install, /update, and /upgrade-script. Comment them out so the wizard can load.

Unblock the install routes and remove any stale lock.

# Is /install currently blocked?
ssh <staging-alias> "grep 'RewriteRule ^install' ~/domains/staging.yourapp.com/deploy/current/public/.htaccess 2>/dev/null"

# Comment out the blocking rules (idempotent — skip lines already commented)
ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
  grep -q "^RewriteRule ^install" .htaccess && \
  sed -i "s/^RewriteRule ^install/# RewriteRule ^install/" .htaccess; \
  grep -q "^RewriteRule ^update" .htaccess && \
  sed -i "s/^RewriteRule ^update/# RewriteRule ^update/" .htaccess; \
  grep -q "^RewriteRule ^upgrade-script" .htaccess && \
  sed -i "s/^RewriteRule ^upgrade-script/# RewriteRule ^upgrade-script/" .htaccess; \
  echo "install/update unblocked"'

# Remove any stale install lock
ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed 2>/dev/null && echo 'lock removed'"
# Expected: "install/update unblocked" and "lock removed"

✅ The blocking rules are commented out and any stale installed lock is removed.

Confirm the wizard is reachable.

curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 200
# Expected: HTTP/2 200

✅ /install returns HTTP/2 200.

If you created a Cloudflare WAF rule in Phase 3, toggle it OFF now (👤): Cloudflare → Security → WAF → “Block install and update routes” → OFF.

2. Run the installer wizard

The wizard is browser-only — an agent can’t click through it. Open https://staging.yourapp.com/install and walk the screens.

Requirements — all checks green → Next. (Reds usually mean a missing PHP extension or a permission the page-3 chmod 777 should have fixed.)
- ✅ Every requirement check is green.
Database — Host localhost; database / username / password from .env.staging; Test Connection → Next.
- ✅ Test Connection succeeds against the staging DB.
Admin account — name, a staging admin email, and a strong password saved to your password manager now.
- ✅ The admin account is created and its password is in the vault.
Settings — app name (e.g. “Your App — Staging”), URL https://staging.yourapp.com.
- ✅ App name and URL are set for staging.
Install / Finish → confirm “Installation Complete”.
- ✅ The wizard reports “Installation Complete”.

Use the table to recover from a wizard that won’t load or stalls:

Installer result	Action
Wizard loads	Continue
403 Forbidden	`.htaccess` still blocking — re-run section 1
404	Installer route missing — confirm the app ships one
500	`tail -50 …/deploy/current/storage/logs/laravel.log`
504 Gateway Timeout	PHP timeout too low — confirm `shared/.user.ini` has `max_execution_time = 300` (page 1, step 7), then retry
”Access Denied” mid-wizard	Stale cached config with old DB values — `optimize:clear` with the versioned PHP binary (page 3, step 2), then retry
”Already installed”	Remove `storage/installed` (section 1)

Broken-state 500 on /install — first install only

If a partial/failed migration leaves the database half-built, a 500 can persist. Only on a first install with no real data, reset and retry:

# GUARD FIRST — refuse to wipe a DB that already holds users. `--force` skips
# the interactive prompt, so prose like "first install only" is not a safeguard
# on a shared/re-run staging DB. Abort unless the users table is empty (0 rows).
ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current && \
  USERS=$(php artisan tinker --execute="echo \DB::table(\"users\")->count();" 2>/dev/null | tail -1) && \
  if [ "${USERS:-1}" != "0" ]; then echo "ABORT: users table has $USERS row(s) — not a clean first install"; exit 1; fi && \
  php artisan db:wipe --force'
ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed"
# then reload /install in the browser

Use db:wipe, not migrate:fresh — the web installer builds the schema correctly, while migrate:fresh can trip over CodeCanyon migration-ordering bugs. This destroys all data — the guard above blocks it once the app holds users; never lift the guard on a DB you care about.

3. Verify the installation

Sign in at /login and walk the post-install checks.

Visit https://staging.yourapp.com/login and sign in with the admin account.

Check Pass
Dashboard loads [ ]
Navigation works [ ]
No PHP errors [ ]
CSS/JS loading [ ]
SSL padlock shows [ ]
- ✅ Admin login works and all five post-install checks pass.

Check	Pass
Dashboard loads	[ ]
Navigation works	[ ]
No PHP errors	[ ]
CSS/JS loading	[ ]
SSL padlock shows	[ ]

4. Re-block `/install` and `/update`

The writable, installable surface must close as soon as the wizard finishes.

Re-comment the blocking rules and confirm /install is forbidden.

ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
  grep -q "^# RewriteRule ^install" .htaccess && \
  sed -i "s/^# RewriteRule ^install/RewriteRule ^install/" .htaccess; \
  grep -q "^# RewriteRule ^update" .htaccess && \
  sed -i "s/^# RewriteRule ^update/RewriteRule ^update/" .htaccess; \
  grep -q "^# RewriteRule ^upgrade-script" .htaccess && \
  sed -i "s/^# RewriteRule ^upgrade-script/RewriteRule ^upgrade-script/" .htaccess; \
  echo "install/update re-blocked"'

curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 403
# Expected: "install/update re-blocked" then HTTP/2 403

✅ The rules are restored and /install returns HTTP/2 403.

Re-enable the Cloudflare WAF rule if you toggled it off (👤).

5. Re-harden permissions

Walk back the temporary 777 from page 3 to least-privilege.

Restore least-privilege on storage and .env.

# storage: dirs 775, files 664
ssh <staging-alias> "cd ~/domains/staging.yourapp.com/deploy/shared/storage && \
  find . -type d -exec chmod 775 {} \; && find . -type f -exec chmod 664 {} \;"

# .env: 640
ssh <staging-alias> "chmod 640 ~/domains/staging.yourapp.com/deploy/shared/.env"
# Expected: storage dirs 775 / files 664; .env 640

✅ Storage dirs are 775, files 664, and .env is 640.

Checklist

Do not mark this step done until every box below is checked.

👤 Wizard completed — /install reachable (200), wizard completed, “Installation Complete” shown.
👤 App verified — all five post-install checks pass; admin login works.
🔀 Routes re-blocked — /install re-blocked (403); Cloudflare WAF rule restored.
🤖 Permissions re-hardened — storage dirs 775 / files 664; .env 640.

Schedule, migrations + schema

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 4 · Installer + harden
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/04-installer-smoke/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 5
- step_number: 4
- est_time: ~20 min
- description: Temporarily unblock /install, run the CodeCanyon web installer wizard, verify the app loads, then immediately re-block /install + /update and re-harden storage and .env permissions from the installer's insecure 777 state.
- tags: codecanyon, laravel, installer, hardening

## Execution rules (binding)
- This is step 4 of phase 5 (~20 min) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 4 · Installer + harden

## TL;DR

**Objective** — install the app the CodeCanyon way (a web wizard, not artisan migrations): temporarily unblock `/install`, run the wizard against the staging DB, verify the app loads, then immediately re-block `/install` + `/update` and re-harden permissions — because you opened a writable, installable surface to the public web.

:::note[User part + done-when]
**👤 User part** — running the installer wizard is browser work: open `/install`, walk the requirements/database/admin/settings screens, and **save the admin password to your password manager**. Toggling the optional Cloudflare WAF rule is also a dashboard action. An agent drives the `.htaccess` unblock/re-block and the permission harden over SSH.

**Done when** the wizard reports "Installation Complete", admin login works, `/install` is re-blocked (403), the Cloudflare WAF rule is restored, and permissions are walked back to least-privilege. &nbsp;·&nbsp; **⏱ ~20 min** &nbsp;·&nbsp; 🔀 mixed (👤 wizard + WAF, 🤖 SSH).
:::

## Background

CodeCanyon apps install through a web wizard, not artisan migrations. Phase 3 blocked `/install` and `/update` for safety, so this page **temporarily** unblocks them, runs the wizard, then re-blocks and re-hardens. The harden step is not optional — you opened a writable, installable surface to the public web.

## Steps

### 1. Temporarily unblock the `/install` route

Phase 3 added `.htaccess` rules (and possibly a Cloudflare WAF rule) blocking `/install`, `/update`, and `/upgrade-script`. Comment them out so the wizard can load.

<Steps>

1. **Unblock the install routes and remove any stale lock.**

   ```bash
   # Is /install currently blocked?
   ssh <staging-alias> "grep 'RewriteRule ^install' ~/domains/staging.yourapp.com/deploy/current/public/.htaccess 2>/dev/null"

   # Comment out the blocking rules (idempotent — skip lines already commented)
   ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
     grep -q "^RewriteRule ^install" .htaccess && \
     sed -i "s/^RewriteRule ^install/# RewriteRule ^install/" .htaccess; \
     grep -q "^RewriteRule ^update" .htaccess && \
     sed -i "s/^RewriteRule ^update/# RewriteRule ^update/" .htaccess; \
     grep -q "^RewriteRule ^upgrade-script" .htaccess && \
     sed -i "s/^RewriteRule ^upgrade-script/# RewriteRule ^upgrade-script/" .htaccess; \
     echo "install/update unblocked"'

   # Remove any stale install lock
   ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed 2>/dev/null && echo 'lock removed'"
   # Expected: "install/update unblocked" and "lock removed"
   ```

   - ✅ The blocking rules are commented out and any stale `installed` lock is removed.

2. **Confirm the wizard is reachable.**

   ```bash
   curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 200
   # Expected: HTTP/2 200
   ```

   - ✅ `/install` returns `HTTP/2 200`.

</Steps>

If you created a Cloudflare WAF rule in Phase 3, toggle it **OFF** now (👤): *Cloudflare → Security → WAF → "Block install and update routes" → OFF*.

:::note[A 500 on `/` is still expected here]
The database is empty until the wizard runs — the homepage may 500. You're only confirming `/install` returns 200.
:::

### 2. Run the installer wizard

The wizard is browser-only — an agent can't click through it. Open `https://staging.yourapp.com/install` and walk the screens.

:::note[Who does this]
👤 **User** runs the web wizard in a browser and saves the admin password to a password manager — interactive, in-browser steps an agent can't perform.
:::

<Steps>

1. **Requirements** — all checks green → Next. (Reds usually mean a missing PHP extension or a permission the page-3 `chmod 777` should have fixed.)

   - ✅ Every requirement check is green.

2. **Database** — Host `localhost`; database / username / password from `.env.staging`; **Test Connection** → Next.

   - ✅ Test Connection succeeds against the staging DB.

3. **Admin account** — name, a staging admin email, and a **strong password saved to your password manager now**.

   - ✅ The admin account is created and its password is in the vault.

4. **Settings** — app name (e.g. "Your App — Staging"), URL `https://staging.yourapp.com`.

   - ✅ App name and URL are set for staging.

5. **Install / Finish** → confirm "Installation Complete".

   - ✅ The wizard reports "Installation Complete".

</Steps>

Use the table to recover from a wizard that won't load or stalls:

| Installer result | Action |
|---|---|
| Wizard loads | Continue |
| 403 Forbidden | `.htaccess` still blocking — re-run section 1 |
| 404 | Installer route missing — confirm the app ships one |
| 500 | `tail -50 …/deploy/current/storage/logs/laravel.log` |
| 504 Gateway Timeout | PHP timeout too low — confirm `shared/.user.ini` has `max_execution_time = 300` (page 1, step 7), then retry |
| "Access Denied" mid-wizard | Stale cached config with old DB values — `optimize:clear` with the versioned PHP binary (page 3, step 2), then retry |
| "Already installed" | Remove `storage/installed` (section 1) |

:::danger[Broken-state 500 on `/install` — first install only]
If a partial/failed migration leaves the database half-built, a 500 can persist. **Only on a first install with no real data**, reset and retry:

```bash
# GUARD FIRST — refuse to wipe a DB that already holds users. `--force` skips
# the interactive prompt, so prose like "first install only" is not a safeguard
# on a shared/re-run staging DB. Abort unless the users table is empty (0 rows).
ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current && \
  USERS=$(php artisan tinker --execute="echo \DB::table(\"users\")->count();" 2>/dev/null | tail -1) && \
  if [ "${USERS:-1}" != "0" ]; then echo "ABORT: users table has $USERS row(s) — not a clean first install"; exit 1; fi && \
  php artisan db:wipe --force'
ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed"
# then reload /install in the browser
```

Use `db:wipe`, not `migrate:fresh` — the web installer builds the schema correctly, while `migrate:fresh` can trip over CodeCanyon migration-ordering bugs. This **destroys all data** — the guard above blocks it once the app holds users; never lift the guard on a DB you care about.
:::

### 3. Verify the installation

Sign in and confirm the app is healthy after the wizard.

:::note[Who does this]
👤 **User** signs in at `/login` with the admin account and walks the dashboard in a browser — interactive verification an agent can't drive.
:::

<Steps>

1. **Sign in at `/login` and walk the post-install checks.**

   Visit `https://staging.yourapp.com/login` and sign in with the admin account.

   | Check | Pass |
   |---|---|
   | Dashboard loads | [ ] |
   | Navigation works | [ ] |
   | No PHP errors | [ ] |
   | CSS/JS loading | [ ] |
   | SSL padlock shows | [ ] |

   - ✅ Admin login works and all five post-install checks pass.

</Steps>

### 4. Re-block `/install` and `/update`

The writable, installable surface must close as soon as the wizard finishes.

<Steps>

1. **Re-comment the blocking rules and confirm `/install` is forbidden.**

   ```bash
   ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
     grep -q "^# RewriteRule ^install" .htaccess && \
     sed -i "s/^# RewriteRule ^install/RewriteRule ^install/" .htaccess; \
     grep -q "^# RewriteRule ^update" .htaccess && \
     sed -i "s/^# RewriteRule ^update/RewriteRule ^update/" .htaccess; \
     grep -q "^# RewriteRule ^upgrade-script" .htaccess && \
     sed -i "s/^# RewriteRule ^upgrade-script/RewriteRule ^upgrade-script/" .htaccess; \
     echo "install/update re-blocked"'

   curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 403
   # Expected: "install/update re-blocked" then HTTP/2 403
   ```

   - ✅ The rules are restored and `/install` returns `HTTP/2 403`.

</Steps>

Re-enable the Cloudflare WAF rule if you toggled it off (👤).

:::danger[Do not skip the re-block]
An installable, world-writable app on the public web can be reinstalled by anyone who finds `/install`, wiping or hijacking the database. Re-blocking and re-hardening are part of "the installer ran," not a follow-up nicety.
:::

### 5. Re-harden permissions

Walk back the temporary 777 from page 3 to least-privilege.

<Steps>

1. **Restore least-privilege on storage and `.env`.**

   ```bash
   # storage: dirs 775, files 664
   ssh <staging-alias> "cd ~/domains/staging.yourapp.com/deploy/shared/storage && \
     find . -type d -exec chmod 775 {} \; && find . -type f -exec chmod 664 {} \;"

   # .env: 640
   ssh <staging-alias> "chmod 640 ~/domains/staging.yourapp.com/deploy/shared/.env"
   # Expected: storage dirs 775 / files 664; .env 640
   ```

   - ✅ Storage dirs are `775`, files `664`, and `.env` is `640`.

</Steps>

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Wizard completed** — `/install` reachable (200), wizard completed, "Installation Complete" shown.
- [ ] **👤 App verified** — all five post-install checks pass; admin login works.
- [ ] **🔀 Routes re-blocked** — `/install` re-blocked (403); Cloudflare WAF rule restored.
- [ ] **🤖 Permissions re-hardened** — storage dirs `775` / files `664`; `.env` `640`.

:::next[Next step]
[Schedule, migrations + schema](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/05-secure-verify-schema/)
:::

# 4 · Installer + harden

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/04-installer-smoke/

## TL;DR

**Objective** — install the app the CodeCanyon way (a web wizard, not artisan migrations): temporarily unblock `/install`, run the wizard against the staging DB, verify the app loads, then immediately re-block `/install` + `/update` and re-harden permissions — because you opened a writable, installable surface to the public web.

:::note[User part + done-when]
**👤 User part** — running the installer wizard is browser work: open `/install`, walk the requirements/database/admin/settings screens, and **save the admin password to your password manager**. Toggling the optional Cloudflare WAF rule is also a dashboard action. An agent drives the `.htaccess` unblock/re-block and the permission harden over SSH.

**Done when** the wizard reports "Installation Complete", admin login works, `/install` is re-blocked (403), the Cloudflare WAF rule is restored, and permissions are walked back to least-privilege. &nbsp;·&nbsp; **⏱ ~20 min** &nbsp;·&nbsp; 🔀 mixed (👤 wizard + WAF, 🤖 SSH).
:::

## Background

CodeCanyon apps install through a web wizard, not artisan migrations. Phase 3 blocked `/install` and `/update` for safety, so this page **temporarily** unblocks them, runs the wizard, then re-blocks and re-hardens. The harden step is not optional — you opened a writable, installable surface to the public web.

## Steps

### 1. Temporarily unblock the `/install` route

Phase 3 added `.htaccess` rules (and possibly a Cloudflare WAF rule) blocking `/install`, `/update`, and `/upgrade-script`. Comment them out so the wizard can load.

<Steps>

1. **Unblock the install routes and remove any stale lock.**

   ```bash
   # Is /install currently blocked?
   ssh <staging-alias> "grep 'RewriteRule ^install' ~/domains/staging.yourapp.com/deploy/current/public/.htaccess 2>/dev/null"

   # Comment out the blocking rules (idempotent — skip lines already commented)
   ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
     grep -q "^RewriteRule ^install" .htaccess && \
     sed -i "s/^RewriteRule ^install/# RewriteRule ^install/" .htaccess; \
     grep -q "^RewriteRule ^update" .htaccess && \
     sed -i "s/^RewriteRule ^update/# RewriteRule ^update/" .htaccess; \
     grep -q "^RewriteRule ^upgrade-script" .htaccess && \
     sed -i "s/^RewriteRule ^upgrade-script/# RewriteRule ^upgrade-script/" .htaccess; \
     echo "install/update unblocked"'

   # Remove any stale install lock
   ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed 2>/dev/null && echo 'lock removed'"
   # Expected: "install/update unblocked" and "lock removed"
   ```

   - ✅ The blocking rules are commented out and any stale `installed` lock is removed.

2. **Confirm the wizard is reachable.**

   ```bash
   curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 200
   # Expected: HTTP/2 200
   ```

   - ✅ `/install` returns `HTTP/2 200`.

</Steps>

If you created a Cloudflare WAF rule in Phase 3, toggle it **OFF** now (👤): *Cloudflare → Security → WAF → "Block install and update routes" → OFF*.

:::note[A 500 on `/` is still expected here]
The database is empty until the wizard runs — the homepage may 500. You're only confirming `/install` returns 200.
:::

### 2. Run the installer wizard

The wizard is browser-only — an agent can't click through it. Open `https://staging.yourapp.com/install` and walk the screens.

:::note[Who does this]
👤 **User** runs the web wizard in a browser and saves the admin password to a password manager — interactive, in-browser steps an agent can't perform.
:::

<Steps>

1. **Requirements** — all checks green → Next. (Reds usually mean a missing PHP extension or a permission the page-3 `chmod 777` should have fixed.)

   - ✅ Every requirement check is green.

2. **Database** — Host `localhost`; database / username / password from `.env.staging`; **Test Connection** → Next.

   - ✅ Test Connection succeeds against the staging DB.

3. **Admin account** — name, a staging admin email, and a **strong password saved to your password manager now**.

   - ✅ The admin account is created and its password is in the vault.

4. **Settings** — app name (e.g. "Your App — Staging"), URL `https://staging.yourapp.com`.

   - ✅ App name and URL are set for staging.

5. **Install / Finish** → confirm "Installation Complete".

   - ✅ The wizard reports "Installation Complete".

</Steps>

Use the table to recover from a wizard that won't load or stalls:

| Installer result | Action |
|---|---|
| Wizard loads | Continue |
| 403 Forbidden | `.htaccess` still blocking — re-run section 1 |
| 404 | Installer route missing — confirm the app ships one |
| 500 | `tail -50 …/deploy/current/storage/logs/laravel.log` |
| 504 Gateway Timeout | PHP timeout too low — confirm `shared/.user.ini` has `max_execution_time = 300` (page 1, step 7), then retry |
| "Access Denied" mid-wizard | Stale cached config with old DB values — `optimize:clear` with the versioned PHP binary (page 3, step 2), then retry |
| "Already installed" | Remove `storage/installed` (section 1) |

:::danger[Broken-state 500 on `/install` — first install only]
If a partial/failed migration leaves the database half-built, a 500 can persist. **Only on a first install with no real data**, reset and retry:

```bash
# GUARD FIRST — refuse to wipe a DB that already holds users. `--force` skips
# the interactive prompt, so prose like "first install only" is not a safeguard
# on a shared/re-run staging DB. Abort unless the users table is empty (0 rows).
ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current && \
  USERS=$(php artisan tinker --execute="echo \DB::table(\"users\")->count();" 2>/dev/null | tail -1) && \
  if [ "${USERS:-1}" != "0" ]; then echo "ABORT: users table has $USERS row(s) — not a clean first install"; exit 1; fi && \
  php artisan db:wipe --force'
ssh <staging-alias> "rm -f ~/domains/staging.yourapp.com/deploy/shared/storage/installed"
# then reload /install in the browser
```

Use `db:wipe`, not `migrate:fresh` — the web installer builds the schema correctly, while `migrate:fresh` can trip over CodeCanyon migration-ordering bugs. This **destroys all data** — the guard above blocks it once the app holds users; never lift the guard on a DB you care about.
:::

### 3. Verify the installation

Sign in and confirm the app is healthy after the wizard.

:::note[Who does this]
👤 **User** signs in at `/login` with the admin account and walks the dashboard in a browser — interactive verification an agent can't drive.
:::

<Steps>

1. **Sign in at `/login` and walk the post-install checks.**

   Visit `https://staging.yourapp.com/login` and sign in with the admin account.

   | Check | Pass |
   |---|---|
   | Dashboard loads | [ ] |
   | Navigation works | [ ] |
   | No PHP errors | [ ] |
   | CSS/JS loading | [ ] |
   | SSL padlock shows | [ ] |

   - ✅ Admin login works and all five post-install checks pass.

</Steps>

### 4. Re-block `/install` and `/update`

The writable, installable surface must close as soon as the wizard finishes.

<Steps>

1. **Re-comment the blocking rules and confirm `/install` is forbidden.**

   ```bash
   ssh <staging-alias> 'cd ~/domains/staging.yourapp.com/deploy/current/public && \
     grep -q "^# RewriteRule ^install" .htaccess && \
     sed -i "s/^# RewriteRule ^install/RewriteRule ^install/" .htaccess; \
     grep -q "^# RewriteRule ^update" .htaccess && \
     sed -i "s/^# RewriteRule ^update/RewriteRule ^update/" .htaccess; \
     grep -q "^# RewriteRule ^upgrade-script" .htaccess && \
     sed -i "s/^# RewriteRule ^upgrade-script/RewriteRule ^upgrade-script/" .htaccess; \
     echo "install/update re-blocked"'

   curl -sI https://staging.yourapp.com/install 2>&1 | head -1   # expect HTTP/2 403
   # Expected: "install/update re-blocked" then HTTP/2 403
   ```

   - ✅ The rules are restored and `/install` returns `HTTP/2 403`.

</Steps>

Re-enable the Cloudflare WAF rule if you toggled it off (👤).

:::danger[Do not skip the re-block]
An installable, world-writable app on the public web can be reinstalled by anyone who finds `/install`, wiping or hijacking the database. Re-blocking and re-hardening are part of "the installer ran," not a follow-up nicety.
:::

### 5. Re-harden permissions

Walk back the temporary 777 from page 3 to least-privilege.

<Steps>

1. **Restore least-privilege on storage and `.env`.**

   ```bash
   # storage: dirs 775, files 664
   ssh <staging-alias> "cd ~/domains/staging.yourapp.com/deploy/shared/storage && \
     find . -type d -exec chmod 775 {} \; && find . -type f -exec chmod 664 {} \;"

   # .env: 640
   ssh <staging-alias> "chmod 640 ~/domains/staging.yourapp.com/deploy/shared/.env"
   # Expected: storage dirs 775 / files 664; .env 640
   ```

   - ✅ Storage dirs are `775`, files `664`, and `.env` is `640`.

</Steps>

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Wizard completed** — `/install` reachable (200), wizard completed, "Installation Complete" shown.
- [ ] **👤 App verified** — all five post-install checks pass; admin login works.
- [ ] **🔀 Routes re-blocked** — `/install` re-blocked (403); Cloudflare WAF rule restored.
- [ ] **🤖 Permissions re-hardened** — storage dirs `775` / files `664`; `.env` `640`.

:::next[Next step]
[Schedule, migrations + schema](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/05-deploy-staging/05-secure-verify-schema/)
:::