Full roadmap & checklist

▶Start here

You are here: Playbook → Roadmap & checklist This page is for you if: you want the whole setup-new workflow in one scroll — phases, steps, gate items, and links — without hopping through the sidebar. Power-user mode. Not this? Overview = narrative intro · sidebar = one phase at a time.

One page, one workflow: 12 phases as toggles, numbered steps with a short summary and a link to the full page, and gate items (from each step’s checklist) as substeps you can tick off. Progress saves on this device.

12 phases · 88 steps · 432 gates 0 / 520 done

Expand all Collapse all Reset progress

01 AI System

Open phase hub →

1. Phase 1 overview ~1-2 hours (first time), ~15 min once you know it

   Stand up the agent operating system for a CodeCanyon Laravel app — the constitution, permission modes, rules, skills, and IDE wiring that every later phase relies on.

2. 1 · Create the project & code ~15 min

   Start here — create the project folder, stage the CodeCanyon download in _source/, bootstrap an anchored .gitignore + git init, promote the Laravel app to the root, prove nothing was missed with a filesystem completeness gate, commit the pristine vendor baseline on author/v* + tag, then write .vscode/ for the AI layer (committed at C2 · machine setup).

   • 👤 Folder open — the project folder is the workspace root in your IDE, with Claude Code running *inside* it.
   • 👤 Staged in _source/ — CodeCanyon ZIP, extracted folder, and license .txt files are in _source/.
   • 🤖 App path verified — the folder inside _source/ that contains artisan + composer.json is identified.
   • 🤖 _source/ fully gitignored — /_source/ in bootstrap .gitignore; git check-ignore -v _source/ _source/license.txt matches; no !_source/… negation; git status shows nothing under _source/.
   • 🤖 Anchored bootstrap git — leading-slash anchors + /_source/; then git init; git status shows no vendor/, node_modules/, .env, or .env.*.
   • 🤖 App copied to root — artisan + composer.json sit at the project root; the ZIP + extracted tree + license files remain in _source/ on disk (copied, not moved; never committed).
   • 🤖 Completeness gate passes — rsync -ain --exclude='/.gitignore' "$APP_DIR"/ ./ prints zero >f lines; bootstrap .gitignore header still present; nested Laravel .gitignore files at root; .env/dotfiles at root. Verified by filesystem, not git add.
   • 🤖 Pristine baseline frozen — one commit with vendor + .gitignore only; global-excludes hard-stop passed (or no core.excludesFile); staged with git -c core.excludesFile=/dev/null add -A; app-critical index cross-check OK (phpunit.xml etc. when on disk); author/vX.X.X branch + author-vX.X.X tag exist; develop is current; git log --oneline -1 is the import message.
   • 🤖 Editor config on disk — .vscode/settings.json + .vscode/extensions.json written (uncommitted until C2 at machine setup), including the Blade formatter extension + [blade] formatter setting.
   • 🤖 No composer install yet — dependency install waits for local development.
3. 2 · Machine setup ~15-20 min (first machine), seconds if already set up

   Authenticate the GitHub CLI, register MCP servers, and install the permission-mode switcher and deploy orchestrator — once per machine (your user account), reused by every project.

   • 🤖 gh authenticated — gh auth status shows Logged in to github.com as <name>.
   • 🤖 jq installed — command -v jq succeeds (needed for [Claude config](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/01-ai-system/04-claude-config/) permission-mode + personal-default merges).
   • 🤖 Editor CLI verified — §2 resolved $CODE to an executable (not a silent no-op).
   • 🤖 Canonical six extensions installed — §7 verify prints PASS: canonical six extensions for at least one detected editor, or SKIP: no GUI editor CLI for terminal-only / non-VS-Code-family workflows. Manual check: --list-extensions matches §2 table byte-for-byte with [Create the project §7](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/01-ai-system/01-project-setup/#7-write-editor-config-for-this-repo--one-clean-php-language-server).
   • 🤖 Single PHP LSP — §7 verify prints PASS: single PHP LSP; no zobo.php-intellisense, felixfbecker.php-intellisense, or devsense.phptools-vscode.
   • 🤖 ZajLibrary MCP registered + responds — §7 verify prints PASS: zajlibrary MCP registered; agent session can list_contents / search_library / get_document.
   • 🔀 Other chosen MCPs respond in an agent session (zones / screenshot / docs / Stripe) — or explicitly skipped.
   • 👤 OAuth authorized in the browser for every OAuth MCP added (no "needs authorization" prompts left).
   • 👤 API tokens present + hidden — [ -n "$CF_API_TOKEN" ] passes (if Cloudflare is used); verified by length, never printed.
   • 🤖 claude-mode in project — ./.claude/claude-mode/bin/set-claude-mode.sh exists after kit copy (§4); §7 verify script prints PASS: claude-mode in project.
   • 🤖 Orchestrator skill installed *(optional)* — handbook/ and SKILL.md under ~/.claude/skills/zaj-laravel-codecanyon/ and/or .claude/skills/ (full tree — not kit README stub); §7 prints PASS: … orchestrator — or explicitly skipped (ZajLibrary MCP + pages only).
   • 🤖 C2 committed on develop — .vscode/ + claude-mode + orchestrator skill; git log -2 shows C2 atop C1; author/v* untouched.
4. 3 · Project constitution ~15 min (interview + files)

   Write the cross-tool contract (AGENTS.md), the thin CLAUDE.md pointer, and the gitignored CLAUDE.local.md — the persistent project knowledge every agent loads at session start.

   • 🔀 Interview answers recorded — app identity (name/type/author), business, vendor family, stack, infra, integrations, and team size captured in a scratch note after stack + feature/business recon.
   • 🤖 AGENTS.md written — at the repo root, tech-stack line matches the auto-detected stack; C3 committed.
   • 🤖 CLAUDE.md written — thin pointer only; no duplicated stack/conventions; included in C3.
   • 👤 CLAUDE.local.md created — personal env filled in; references (not values) for credentials.
   • 🤖 CLAUDE.local.md gitignored — git check-ignore CLAUDE.local.md echoes the filename.
   • 👤 Credential store chosen — Option A (1Password, default), B (vault templates), or C (credentials.md) recorded in CLAUDE.local.md.
   • 🔀 Constitution verified — a fresh agent session references the stack/conventions unprompted.
   • 🤖 C3 committed on develop — AGENTS.md + CLAUDE.md + .gitignore (+ .env.tpl when Option A); CLAUDE.local.md gitignored.
5. 4 · Claude config ~10 min

   Write the project-wide settings.json, pick a permission mode (strict/medium/yolo), set personal model/thinking/compact defaults in settings.local.json, and wire the hard-block + vendor-edit guard hooks that no mode can override.

   • 🔀 settings.json on disk — trimmed project MCP list using disabledMcpjsonServers where needed; C4 committed.
   • 🤖 .claude/.gitignore in place — ignores settings.local.json and *.bak.*; git status no longer surfaces them.
   • 🔀 Personal defaults merged — .claude/settings.local.json has your chosen model, autoCompactEnabled, and env.MAX_THINKING_TOKENS via jq merge; global ~/.claude/settings.json untouched; permissions from §3 intact.
   • 🔀 Permission mode applied + verified — set-claude-mode.sh show reports the mode in a new session; a borderline command behaves correctly.
   • 🤖 Block-destructive hook tested — php artisan migrate:fresh exits 2, git status exits 0 via the standalone JSON-payload test.
   • 🤖 Vendor-edit guard wired (optional) — touching a vendor/ file triggers the advisory reminder.
   • 🤖 C4 committed on develop — .claude/settings.json + .claude/.gitignore; settings.local.json gitignored.
6. 5 · Rules & skills ~10 min

   Seed .claude/rules/ with the universal behavioral + reference rule set, install the stack skills and deploy orchestrator into .claude/skills/, then restart so the new context loads.

   • 🤖 Rules seeded — bash .claude/rules/seed-project-rules.sh ran; .claude/rules/ holds the feedback_* + reference_* set.
   • 🤖 Project context added — .claude/rules/project_context.md exists with this project's type, vendor family, stack, and environments.
   • 🤖 Skills installed — .claude/skills/zaj-laravel-codecanyon/handbook/ (per-project download) or global ~/.claude/skills/zaj-laravel-codecanyon/handbook/; plus any stack/Stripe skills.
   • 🤖 Review subagent plan recorded — either .claude/agents/ holds real vendor-update / security / flow-auditor reviewer files, or the placeholders explicitly say the project will dispatch global reviewers as needed.
   • 🤖 Tracking files seeded — _CUSTOMIZATIONS.md, guide-hiccups-log.md, and task-ledger.md exist at the repo root / Admin-Local/ (later phases write to them).
   • 🤖 C5 committed on develop — .claude/rules/, stack skills, and .claude/agents/ tracked (git log shows C5); orchestrator already from C2.
   • 👤 Session restarted — a fresh session was started after seeding.
   • 🔀 Rules confirmed loaded — the fresh session lists the feedback_* + reference_* set plus project_context.md.
7. 6 · Cursor & other IDEs ~10 min

   Wire the project MCP servers (.mcp.json with Laravel Boost) and make Cursor, Gemini, and Codex read the same constitution via a boot rule and thin mirrors.

   • 🤖 C6 committed on develop — .mcp.json valid with Laravel Boost disabled/parked until installed, or live only after Boost exists; .cursor/ mirrors tracked (git log shows C6).
   • 🤖 Cursor boot rule in place — .cursor/rules/000-boot.mdc with alwaysApply: true points at AGENTS.md.
   • 🤖 Cursor layers mirrored — .cursor/skills/, .cursor/commands/, .cursor/agents/, and .cursor/hooks.json stay in sync with .claude/.
   • 🤖 .cursorignore in place — real secrets (.env, .env.*, *.key, *.pem, auth.json, /secrets/) excluded from Cursor's index; safe templates (.env.example, .env.tpl) remain visible.
   • 🔀 Mirrors are thin pointers — GEMINI.md (and any .codex/ note) redirect to AGENTS.md, never a copy.
   • 🔀 Tools converge — opening Cursor acknowledges the constitution without prompting; search-docs returns version-specific Laravel docs after local dev.
8. 7 · Verify & gate ~5 min

   Run the AI System verification checklist, confirm the gate condition, and hand off to Code & repository setup with the AI System fully wired.

   • 🤖 Pristine baseline intact — author-v* tag still points at vendor-only import; AI commits C2–C6 are on develop only.
   • 🤖 Bootstrap git OK — anchored .gitignore from Create the project; git check-ignore CLAUDE.local.md and .env succeed; /_source/ ignored.
   • 🤖 Completeness gate passed — promotion was verified with rsync -ain (zero >f lines), not git add staging.
   • 🤖 Editor config committed — .vscode/settings.json + .vscode/extensions.json committed in C2 on develop.
   • 🤖 Single PHP LSP — Intelephense only; zobo.php-intellisense uninstalled; php.suggest.basic / php.validate.enable false in settings.
   • 🤖 Constitution committed — AGENTS.md + CLAUDE.md in C3; CLAUDE.local.md gitignored.
   • 🤖 Claude config committed — .claude/settings.json valid (C4); settings.local.json gitignored; permission mode applied.
   • 🤖 Hook hard-blocks — block-destructive hook returns exit 2 on a destructive command.
   • 🤖 Rules seeded — .claude/rules/ has the universal set + project_context.md (count 10+) committed in C5.
   • 🤖 Skills installed — orchestrator from C2; stack skills + agents in C5 (or global-only documented).
   • 🤖 Other IDEs wired — .cursor/rules/000-boot.mdc + .mcp.json committed in C6; ZajLibrary MCP reachable (see [machine setup §3](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/01-ai-system/02-machine-setup/)).
   • 🤖 Commit history complete — git log --oneline shows C1–C6 on develop; working tree clean except gitignored personal files.
   • 🤖 Authored commits signed — commits after author/v* pass the signature check; unsigned lines (N <sha>) are fixed before Phase 2.
   • 🔀 Secrets safe — a credential store chosen (1Password or credentials.md) and recorded; .env gitignored.
   • 👤 Restarted + smoke test passes — session restarted and all three smoke-test questions answer correctly.

02 Code Repo

Open phase hub →

1. 1 · Prerequisites ~25–30 min

   Verify the local toolchain, then create the private GitHub repo, hosting sites, and databases — and wire passwordless SSH to both servers — before anything depends on them.

   • 🤖 Toolchain verified — php, composer, node, git all report supported versions.
   • 🤖 Repo created — a private, empty GitHub repo exists (gh repo create or dashboard fallback) and you have its SSH URL.
   • 🤖 Sites reachable — staging + production both resolve over HTTPS, IPs recorded (hosting MCP default, or panel Option 2).
   • 👤 Databases created — empty local + staging + production DBs, creds in the password manager (distinct per env).
   • 🔀 SSH works both ways — hop A: passwordless from your machine to both servers; hop B: both servers can ssh -T git@github.com.
2. 2 · Branch strategy ~10 min

   Choose Option A (solo/small team — one setup branch, one commit per phase) or Option B (a branch per phase, merged via PR), then learn the branch model the rest of the playbook commits against.

   • 👤 Model chosen — Option A or B picked, and any team agrees.
   • 👤 Choice recorded — the option and its reason are in the project log.
   • 👤 Project strategy recorded — build strategy, repo architecture, deploy pipeline, deploy tool, and branch model all in ProjectStrategy.md.
   • 🔀 Model understood — you know develop is created at init and the working branch after the first commit.
3. Phase 2 overview 90–120 min

   Extract the CodeCanyon vendor ZIP cleanly, initialize git with a frozen vendor snapshot and branch strategy, and wire .env templates — so every later vendor update diffs cleanly.

4. 3 · Extract & snapshot ~25–35 min

   Extract the CodeCanyon ZIP into a verified Laravel root, capture vendor docs, back up a pristine copy, and identify any author patches inside vendor/ — before a single file is touched.

   • 🔀 Laravel root verified — all essential files/dirs present, no nesting, no unextracted inner ZIPs.
   • 🤖 Vendor docs captured — copied to Admin-Local/2-Docs/1-VendorDocs/; key facts in CLAUDE.md.
   • 🤖 Pristine backup taken — originals in Admin-Local/3-Versions/1-v<VERSION>/1-Originals/.
   • 🤖 Author patches identified — documented in _CUSTOMIZATIONS.md (or confirmed: 0 differences).
   • 🤖 Shipped vendor/ intact — no composer install run yet.
5. 4 · Initialize the repo ~15 min

   Set session variables, write .gitignore BEFORE git init so secrets and installed dependencies never enter history, then initialize git on develop and lock down per-directory storage ignores.

   • 🤖 Session variables exported — PROJECT_NAME, VERSION, GITHUB_REPO, identity.
   • 🤖 .gitignore merged — AI System bootstrap anchors preserved; Code & repository setup patterns added; lock files not ignored.
   • 🤖 Tree clean — git status shows no vendor/, node_modules/, or .env.
   • 🤖 On develop — user.name / user.email configured.
   • 🤖 Storage ignores in place — each storage/ directory carries a .gitignore.
6. 5 · .env templates ~20 min

   Back up the vendor's env into the project vault, lay down local/staging/production templates, activate local and generate the app key, then verify the per-environment values that differ.

   • 🤖 Vendor env backed up — .env / .env.example copied to the vault.
   • 🔀 Templates created — .env.local / .env.staging / .env.production exist in the vault.
   • 🤖 Local active + keyed — .env active and a unique APP_KEY generated (grep "^APP_KEY=base64:" .env).
   • 👤 Off-local debug off — staging + production templates set APP_DEBUG=false.
   • 🤖 No secrets staged — git status shows no real .env files staged.
7. 6 · Commit & freeze ~15 min

   Verify the pristine vendor baseline from AI System setup, push develop + author/vX + tag to the private remote, cut your working branch, and prove the seam is clean — without recreating the vendor import.

   • 🤖 Baseline verified — author/vX.X.X + author-vX.X.X exist locally (created at Create the project).
   • 🤖 develop pushed to the private remote (includes C1–C6 after Verify & gate).
   • 👤 Signed-commit protection enabled — GitHub requires signed commits on develop and later main.
   • 🤖 Snapshot on remote — author/vX.X.X branch and author-vX.X.X tag pushed.
   • 🤖 Working branch checked out — Setup/Initial-Launch (or your Option B branch).
   • 🤖 Seam clean — git log --all -- .env vendor/ returns nothing.
8. 7 · Optional ~20–40 min if adopted

   Project-structure scaffolding (Admin-Local vault + docs), commit & documentation standards with the Zaj customization strategy, and version management (SemVer + CHANGELOG) — SHOULD, not skip-by-default.

   • 👤 Topics surfaced — each optional topic was presented and the operator's choice recorded.
   • 🤖 Scaffold (if adopted) — Admin-Local/ + gitignored vault exist.
   • 🔀 Standards (if adopted) — commit format + Zaj customization strategy understood.
   • 🔀 Versioning (if adopted) — CHANGELOG.md started and package metadata set.

03 Local Dev

Open phase hub →

1. 1 · Dependencies & assets ~20–40 min

   Authenticate Composer to dodge the rate limit, install PHP and JS dependencies without clobbering vendor patches, audit .env.example for fail-loud placeholders, then build and commit frontend assets.

   • 🤖 Composer authenticated — no rate-limit failures.
   • 🤖 Dependencies installed — composer install and npm install succeeded.
   • 🤖 Vendor patches noted — any shipped-vendor/ patches flagged for the page-6 comparison.
   • 🤖 Placeholders loud — .env.example values are blank or REPLACE_ME_*.
   • 🤖 Build force-tracked — public/build/manifest.json built and git add -f'd.
   • 🤖 Audit baseline recorded — npm audit / composer audit counts captured.
   • 🤖 Stripe architecture verified — _CUSTOMIZATIONS.md updated with VERIFIED strategy, or skipped and no_stripe: true noted.
2. 2 · Local database ~10 min

   Start the local MySQL/MariaDB service, create an empty utf8mb4 schema for the installer, and point .env at it with every secret double-quoted.

   • 👤 DB service running — green dot in Herd, or brew services.
   • 🤖 Connects over TCP — mysql -h 127.0.0.1 connects without a socket error.
   • 🤖 Empty schema created — with utf8mb4 / utf8mb4_unicode_ci.
   • 🤖 .env wired — DB_* set and every secret double-quoted.
   • 🤖 0 tables confirmed — db:show (or the direct query) shows an empty schema.
3. 3 · Storage, symlinks & SSL ~15 min

   Create the storage symlink, detect and wire your app's addon system (Modules vs packages vs addons), then link the project to Herd over HTTPS and prove the installer route is reachable.

   • 🤖 Storage symlink present — public/storage linked and target verified.
   • 🤖 Addon system identified — Modules / packages / addons / uploads.
   • 🤖 Addon symlinks created — or correctly skipped for Modules/.
   • 🤖 Herd + TLS done — herd link + herd secure; cert file present.
   • 🔀 Routes verified — curl shows /install = HTTP 200; browser (👤) shows the welcome page with a valid padlock.
4. Phase 3 overview 75–180 min

   Install dependencies, build assets locally, run the CodeCanyon installer, and get the app booting at a local HTTPS domain with login working — the first time you see it run.

5. 4 · Run the installer ~20–30 min

   Raise the PHP-FPM and nginx timeouts so big migration runs don't 504, pre-flight four preconditions, complete the web installer wizard, then capture the admin credentials safely.

   • 🤖 Timeouts raised — public/.user.ini and nginx fastcgi_read_timeout both = 300s.
   • 🤖 Pre-flight green — the check shows 4× ✅.
   • 👤 Wizard complete — storage/installed marker present after the browser flow.
   • 🤖 Install verified — User::count() > 0 and no errors in laravel.log.
   • 🤖 Credentials stored — in 1Password / credentials.md and flagged for Phase 6 rotation.
6. 5 · Verify migrations & schema ~20–35 min

   Confirm every migration ran (modules included), troubleshoot pending ones the right way, capture a normalized schema baseline for cross-environment diffs, then run the 11-point gate that proves the app actually works.

   • 🤖 No pending migrations — migrate:status clean, modules counted.
   • 🤖 Vendor duplicates resolved — via the migrations table, not file edits.
   • 🤖 Baseline written — normalized local.sql; 0 noise lines; CREATE TABLE count matches DB.
   • 🤖 11-point gate green — all eleven checks pass.
   • 👤 Browser verified — login + dashboard confirmed; laravel.log clean.
7. 6 · Commit & secure ~30–45 min

   Commit the installer's output (especially the storage/installed marker), document any author patches in the shipped vendor tree, verify deploy symlinks and shared_files, then lock down /install and /update with layered defense.

   • 🤖 Marker tracked — storage/installed tracked; all storage//.gitignore files present.
   • 🤖 Committed + pushed — Phase-3 changes committed and pushed; working tree clean.
   • 🤖 Patches documented — _CUSTOMIZATIONS.md records vendor patches (or the documented skip reason).
   • 🤖 Deploy paths verified — every deploy.php shared_files entry exists; storage symlink passes the HTTP content test.
   • 🔀 Routes locked — /install and /update return 403 / are blocked at both layers (👤 WAF + 🤖 .htaccess).
8. 7 · Optional tooling ~varies

   Optional power-ups for the local environment — Atlas schema management, a database GUI (Bytebase), Redis caching via Herd Pro, and a right-sized debug-tools stack. None block launch; each has a free fallback.

   • 🔀 Per-tool decision made — installed where it adds value, or skipped with the free fallback noted.
   • 🔀 Redis (if added) — redis-cli ping → PONG and tinker returns "Redis works!".
   • 🤖 No duplicate inspectors — not both debugbar and Telescope.
   • 🤖 Phase 3 complete — local environment installed, verified, committed, and secured.

04 Deploy Pipeline

Open phase hub →

1. 1 · Deployer ~30–45 min

   Install Deployer and author deploy.php for atomic releases — symlinked current → timestamped releases, shared storage and .env, retention, hooks, server binary paths, and an SSH-verified dry run.

   • 🤖 Deployer installed — dep --version returns Deployer 7.x; php -l deploy.php clean; dep list shows 20+ tasks.
   • 🤖 Shared state correct — deploy.php shares storage/ + .env via add() (never set([])), with retention and migrate/cache/queue hooks.
   • 🤖 PHP pinned — bin/php set to the version composer.json requires.
   • 🤖 First-deploy migrations off — the migrate hook is commented out.
   • 🔀 SSH + dry run — both hosts reachable; dep deploy staging --plan reaches the symlink step.
2. 2 · Subdomains + SSL ~20–40 min (+ DNS propagation)

   Plan the subdomain map, add A/CNAME records, provision SSL/TLS certificates, force HTTP→HTTPS, and confirm everything with a five-check CLI verification (dig, HEAD, redirect, proxy, cert details).

   • 🤖 Hostnames resolve — every environment hostname resolves via dig to the correct IP.
   • 🤖 HTTPS + redirect — HTTPS returns 200/301 and HTTP force-redirects to HTTPS.
   • 👤 Cert valid + auto-renew — certificate is valid, covers the host, and auto-renewal is on.
   • 🔀 Canonical matches APP_URL — apex vs www decision matches the planned APP_URL.
3. 3 · Production .env ~30–45 min

   Assemble a safe production .env — bidirectional drift check against .env.example, a Git-history secret scan, production flags and caches, directory permissions, and a verification pass. The .env lives server-side and is shared by Deployer.

   • 🤖 Drift resolved — .env ↔ .env.example resolved in both directions (same key set).
   • 🔀 History clean — no secret ever committed (or rotated + scrubbed).
   • 🔀 Production flags set — APP_ENV=production, APP_DEBUG=false, APP_URL matches the canonical host.
   • 🤖 Quoted + writable — all values double-quoted; storage/ + bootstrap/cache writable by the web user.
   • 🤖 Caches warmed — production config/route/view/event caches warmed after .env finalized.
4. 4 · CI + ServerSync ~40–60 min

   Wire GitHub Actions for deploys and ServerSync — author the workflow, set the GitHub Secrets (PAT, SSH key), keep clear_paths ↔ GIT_ONLY_PATHS symmetric, validate with actionlint, and confirm the run.

   • 🤖 Workflow customized — .github/workflows/deploy.yml customized (host, branch, PHP version) and passes actionlint.
   • 👤 Secrets set — SSH key, ServerSync PAT (min scope), known_hosts — none echoed in logs.
   • 🤖 Paths symmetric — clear_paths and GIT_ONLY_PATHS mirror each other.
   • 🔀 Green run — a pushed commit triggers a green Actions run that reaches the deploy/symlink step.
   • 🔀 Git hooks active — Husky installed; pre-commit blocks a staged secret, pre-push runs Pint + actionlint, post-merge warns on new migrations.
5. Phase 4 overview 6–10 hr

   Stand up everything that makes deployment possible — Deployer for zero-downtime releases, subdomains + SSL, production .env, and (recommended) CI, DNS email records, and a CDN — so `dep deploy staging` just works.

6. 5 · DNS email records ~20–30 min (+ propagation)

   Make transactional email deliverable — verify the email provider, add SPF, DKIM, and DMARC records (plus MX), defer CAA to Phase 7, and confirm everything with dig.

   • 👤 Provider verified — email provider verified; MAIL_* recorded in production .env.
   • 🔀 Records resolve — SPF (single record), DKIM selector, and DMARC (p=none to start) all resolve via dig.
   • 👤 MX correct — MX records correct if the domain receives mail.
   • 🤖 CAA deferred — CAA deliberately not added — deferred to Phase 7.
   • 🔀 Test passes — test email shows spf=pass, dkim=pass, dmarc=pass.
7. 6 · Cloudflare CDN ~45–60 min (+ nameserver propagation)

   Front the app with Cloudflare on the Free plan — nameserver cutover, API-driven DNS, Full (Strict) SSL + HSTS, WAF and rate limiting, cache rules, DNSSEC, and a final API verification probe. Rocket Loader stays OFF for Laravel.

   • 👤 Zone Active — nameservers are Cloudflare's; imported records audited (esp. email DNS).
   • 👤 SSL hardened — SSL = Full (Strict), Always Use HTTPS on, HSTS set.
   • 👤 WAF within budget — WAF rules + 1 rate-limit rule within Free-plan budget.
   • 🔀 Cache rule live — static-asset cache rule live; app/auth routes bypass cache.
   • 🔀 Rocket Loader OFF; DNSSEC active — DS added at registrar.
   • 🤖 Probe green — verification probe shows cf-ray, HSTS header, and "status":"active".
8. 7 · Release + incident ~30–45 min

   Close the phase — bootstrap or update the changelog and version, tag the release, then stand up an incident-response runbook (Sentry, uptime, SSL expiry, severities, contacts) wired into the repo as dev-only.

   • 🔀 Version + changelog — version determined (SemVer); CHANGELOG.md bootstrapped or updated (both files if dual-file).
   • 🤖 Release tagged — release committed and tagged vX.Y.Z; only that tag pushed (not --tags).
   • 🔀 Runbook complete — strategy chosen; INCIDENT.md covers detection, severities, contacts, rollback, pre-deploy checks.
   • 🤖 Dev-only wiring — INCIDENT.md present in both clear_paths and GIT_ONLY_PATHS.
   • 🤖 Rollback ready — dep rollback confirmed available as the recovery path.

05 Deploy Staging

Open phase hub →

1. 1 · Pre-flight & provision host ~45 min

   Run the canonical pre-flight (Deployer plan preview + PHP triple-check), prepare and push the staging branch, then scaffold the server — deploy tree, .user.ini limits, and the shared .env with APP_KEY left empty.

   • 🤖 Plan previewed — dep deploy staging --plan pipeline shape looks right.
   • 🔀 PHP triple-check passes — web SAPI / hPanel satisfy composer.json (👤 upgrade in panel if needed).
   • 🤖 Deploy-safety flags confirmed — artisan:migrate disabled, clear_paths_strict true.
   • 🤖 Optional tasks guarded — each carries a graceful-skip guard (no unguarded hard-fail).
   • 🤖 staging branch ready — merged from develop and pushed; SSH + host config verified.
   • 🤖 Cache cleared + snapshot taken — composer cache cleared (first deploy); pre-deploy snapshot saved.
   • 🤖 Server scaffolded — deploy/shared/storage tree exists; shared/.user.ini sets installer limits.
   • 🤖 shared/.env placed — chmod 640, no placeholders, APP_KEY empty, APP_DEBUG=false.
2. 2 · DNS + SSL ~20 min

   Confirm the staging subdomain resolves to the server and serves a valid TLS chain before the first release lands — a deploy onto an unresolved or untrusted host wastes a round-trip.

   • 🤖 Resolution verified — staging.yourapp.com resolves to the server (dig +short).
   • 🤖 TLS verified — curl -sI returns a response over a valid TLS chain (green padlock).
3. 3 · First release ~30–45 min

   Run the atomic first deploy, confirm APP_KEY and clear caches with the versioned PHP binary, verify the Deployer directory tree and the .env symlink (a 5-second check that prevents a 90-minute outage), confirm demo content, then loosen permissions for the installer.

   • 🤖 Release deployed — dep deploy staging completed; current symlinks to the new release.
   • 🤖 Key + caches — APP_KEY present (44+ chars); install lock removed; caches cleared with the versioned PHP.
   • 🤖 Deployer tree correct — current, releases/, shared/, .dep/.
   • 🤖 .env symlink resolves — current/.env is a symlink into shared/.env; Laravel resolves your cache/session/queue values.
   • 🤖 Demo content present — in the right shared dirs.
   • 🤖 Installer permissions set — 777 for the installer (re-hardened on page 4).
4. 4 · Installer + harden ~20 min

   Temporarily unblock /install, run the CodeCanyon web installer wizard, verify the app loads, then immediately re-block /install + /update and re-harden storage and .env permissions from the installer's insecure 777 state.

   • 👤 Wizard completed — /install reachable (200), wizard completed, "Installation Complete" shown.
   • 👤 App verified — all five post-install checks pass; admin login works.
   • 🔀 Routes re-blocked — /install re-blocked (403); Cloudflare WAF rule restored.
   • 🤖 Permissions re-hardened — storage dirs 775 / files 664; .env 640.
5. Phase 5 overview 2–4 hr active + 24–48 hr monitoring

   Take the app from "runs locally" to "runs on a real server" — provision the staging host, point DNS, ship the first atomic release, run the web installer, verify the schema, and prove rollback before a 24–48h monitoring window.

6. 5 · Schedule, migrations + schema ~30 min

   Install and verify the every-minute schedule:run cron (catching the hPanel "once per minute" preset trap that silently inserts 0 * * * *), then verify migrations and export + diff the staging schema against your local baseline.

   • 🔀 Cron installed correctly — crontab -l shows a schedule:run entry with five asterisks (* * * * *), absolute PHP path, pointing at deploy/current/artisan (👤 panel preset fix if needed).
   • 🤖 Scheduler firing — log mtime updates; schedule:list runs clean; cron documented in _CUSTOMIZATIONS.md.
   • 🤖 Migrations verified — migrate:status all "Ran"; migrate --pretend matches ProjectLog; vendor migration counts reconciled.
   • 🤖 Schema diffed — staging schema exported and diffed against local — no unexpected drift; staging.sql committed.
7. 6 · Rollback + monitor ~30 min active + 24–48 hr

   Prove a one-command rollback restores the previous release, then run the full post-deploy monitoring sweep — auth, features, integrations, mobile, performance, DB integrity, logs, security, and three end-to-end journeys — across a 24–48h window, log findings, and clear the Phase 5 gate.

   • 🤖 Rollback proven — one-command rollback proven, then redeployed to current.
   • 👤 Sweeps pass — auth + core features + integrations + mobile all pass.
   • 🔀 Performance + DB — performance within targets; DB baseline recorded.
   • 🔀 Logs + integrity — logs clean; security quick-check passes; data integrity confirmed.
   • 👤 Journeys + window — three user journeys complete end-to-end; 24–48h window observed.
   • 🔀 Gate cleared — final checklist complete; ProjectLog updated.
8. 7 · ServerSync capture ~20 min

   Capture server-side changes the web installer made (config, storage markers, generated files) back into Git via the ServerSync GitHub Actions workflow — verifying workflow availability and version parity, re-auditing clear_paths ↔ GIT_ONLY_PATHS, triggering the run, and reviewing the resulting PR file-by-file.

   • 🤖 Workflow available — ServerSync workflow available on main; version parity checked (--ref staging if drift).
   • 🤖 Audit clean — clear_paths ↔ GIT_ONLY_PATHS audit returns clean.
   • 🔀 PR reviewed — workflow run succeeded; PR reviewed file-by-file.
   • 🤖 Protected files preserved — wanted changes committed; .env.example + lockfiles preserved.
9. 8 · Deep codebase audit ~1–2 hr

   A staging-time deep audit of the codebase — project structure, composer security audit, Git hygiene, FVDUT storage persistence, secret + debug-code scans (with the word-boundary fix for dd()), storage-tracked-file triage, CodeCanyon frontend anti-patterns, and an optional schema audit.

   • 🤖 Structure + audit — structure verified; composer audit clean of Critical/High.
   • 🤖 Git history clean — vendor/, node_modules/, .env absent from Git history.
   • 🤖 Storage persists — shared_dirs persists storage + uploads; symlinks present on server.
   • 🤖 No secrets / debug — no hardcoded secrets; no debug code in staging paths; APP_DEBUG=false.
   • 🤖 Triage + anti-patterns — storage/-tracked files triaged (default KEEP); frontend anti-patterns logged.
   • 🤖 Fixes redeployed — any fixes committed and redeployed.
10. 9 · Atlas Cloud (optional) ~20–30 min

    Optionally register your schema with Atlas Cloud for versioned migration tracking — open the SSH tunnel, build a baseline migration from the staging schema, push it to Atlas Cloud, apply the baseline to staging, and wire up GitHub CI. Requires an active Atlas Cloud license; free alternatives noted.

    • 🤖 Baseline created — baseline migration created from the staging schema.
    • 🤖 Pushed to Atlas Cloud — ERD renders correctly.
    • 🤖 Staging synced — staging registered and showing "Synced" (migrate status: OK).
    • 🔀 CI configured — GitHub CI token configured (ATLAS_CLOUD_TOKEN) (👤 copy token from Atlas Cloud).

06 Superadmin

Open phase hub →

1. 1 · Concepts ~15 min read

   Separate the in-app superadmin from the three-tier ops model, adopt the inspect-then-configure pattern that makes this phase work on any CodeCanyon app, and learn the Playwright + Livewire traps before you touch a single form.

   • 🤖 Two meanings clear — both senses of "admin" are clear; the three ops tiers are understood (you can name which tier a path belongs to).
   • 🤖 Check-first internalized — CHECK → configure-or-defer → verify → log.
   • 🤖 Map pass planned — if using Playwright, a read-only map pass is planned before any change.
   • 🤖 Livewire pre-flight understood — the 30-second component check is understood before touching any form.
2. 2 · Survey & brand 60–120 min

   Run the up-front discovery that every later task depends on — a vendor capabilities inventory (what's admin-editable vs hardcoded, what's tier-gated), a vendor-docs digest with the APP_ENV gotcha scan, and a one-page brand profile that answers every "what colour / name / plan?" question before it's asked.

   • 🤖 Capabilities inventory complete — vendor-capabilities.md exists, is >100 lines, and the prerequisite matrix has zero blank/"needs investigation" rows.
   • 🤖 Audience recorded — operator vs tenant is recorded for every settings page found.
   • 🤖 Docs digest written — vendor docs sources + digest are in _CUSTOMIZATIONS.md, including the APP_ENV scan result.
   • 👤 Brand profile filled — name, colours, timezone, currency, plan tiers, legal posture.
   • 🤖 Execution plan written — ## Phase 6 Execution Plan table in _CUSTOMIZATIONS.md, one row per task 58–72.
   • 🔀 Committed — capabilities doc + screenshots + _CUSTOMIZATIONS.md all committed.
3. 3 · Credentials & branding 90–180 min

   Lock the admin account first (default superadmin@example.com / 123456 is publicly known), generate and upload a coherent brand asset kit, resolve the correct PHP binary for every SSH command, then audit and replace the vendor's seeded demo content before any public URL goes live.

   • 👤 Creds rotated — admin email + password rotated on every environment with a DB; old credentials confirmed dead; new secret stored in 1Password or credentials.md (header fixed if plaintext).
   • 🔀 Users audited — demo/test users deleted, kept users re-passworded, audit logged in credentials.md.
   • 👤 Branding uploaded — brand asset kit generated/collected and uploaded; logo, favicon, login logo, invoice logo, and og:image all verified in incognito (light + dark, desktop + mobile).
   • 🤖 PHP binary resolved — STAGING_PHP_BIN resolved and persisted to CLAUDE.local.md.
   • 🔀 Demo content handled — inventoried; observer + blade-@else traps scanned; fake testimonials replaced (not deleted); replacement verified to survive an observer trigger.
   • 🤖 Staging clean — curl of the staging landing page returns 0 demo markers; deferred blocks logged for Phase 9.
4. 4 · Email 20–45 min

   Wire transactional email through the admin panel, and learn the Froiden-family trap where a CustomConfigProvider loads SMTP from the database regardless of APP_ENV — meaning the panel's "APP_ENV changed" warning banner lies and .env MAIL_* values are ignored at runtime.

   • 🤖 Source confirmed — where SMTP resolves at runtime (DB-via-provider vs .env) is confirmed; the Froiden banner was verified against source, not trusted.
   • 👤 Panel SMTP saved — "Test SMTP" passes and the dashboard error banner is gone.
   • 👤 Reset email received — a real password-reset email arrived end-to-end.
   • 🤖 .env fallback set — shared/.env carries real MAIL_* fallback values; no SMTP secrets in git.
   • 👤 Templates reviewed — sender, logo, footer reviewed if the vendor exposes them.
5. 5 · Payments & plans 60–120 min

   Stand up the payment gateway and subscription plans — pick a Stripe account strategy, discover the REAL webhook URL and event list (never assume /stripe/webhook), grab sandbox keys with the three-actor model, paste them into the admin panel (verifying columns with DESCRIBE first), and create plans only after market research unblocks the pricing.

   • 👤 Strategy chosen — Stripe account strategy (A/B/C/D) with rationale + migration trigger recorded in _CUSTOMIZATIONS.md.
   • 🤖 Webhook discovered — real webhook URL + exact event list discovered from the app (not assumed); endpoint created; whsec_… copied.
   • 👤 Keys grabbed — sandbox confirmed via key-suffix match; statement descriptor set; app keys copied.
   • 🔀 Three-actor model honoured — app key in panel/server only; agent key in MCP; dev key in shell; human-gate understood.
   • 🔀 Keys verified — saved in the admin panel; columns verified via DESCRIBE-first with expected lengths (107/107/38); test payment fires the webhook with 200.
   • 👤 Plans from research — created only from approved market research, or explicitly marked [!] BLOCKED; tier gating matches schema; checkout opens with a recurring price; gotchas logged.
6. 6 · Legal & consent 30–60 min

   Stand up the three legal essentials — a cookie/GDPR consent banner, a Privacy Policy, and Terms of Service — using the check-first pattern. Each is either an admin-panel field to fill or a deferral to the security/compliance phase, and the consent banner has a hard dependency on the analytics tag from the next page.

   • 👤 Banner enabled — cookie/GDPR banner enabled (or deferred to Phase 7 and logged); incognito shows the banner on first visit and "reject" is honoured.
   • 🔀 GDPR boundary checked — the public funnel's consent is configured separately from any tenant-facing vendor module.
   • 👤 Privacy Policy live — populated with real generated text; /privacy-policy renders correctly.
   • 👤 Terms live — populated; /terms-of-service renders and is linked from footer + signup.
   • 🔀 Dependency queued — Task 66 → Task 63 (consent gates analytics before production) is queued in the follow-ups ledger.
7. Phase 6 overview 1–3 hr (most tasks are 5-min panel toggles)

   Log in as the superadmin and configure everything the vendor exposes in the admin panel — branding, theme, email, payments, plans, legal pages, and analytics — using a check-first pattern that adapts to any CodeCanyon app.

8. 7 · Theme & pages 20–40 min

   Apply your brand colours through the admin panel (or defer to code), confirm the error pages (404/500/503) are branded rather than raw Laravel defaults, and prepare a branded maintenance-mode page you can flip on safely with a bypass token.

   • 👤 Colours applied — brand colours applied in-panel, or explicitly deferred to Phase 8 and logged in the task ledger.
   • 🤖 Error pages branded — at least 404 + 500 are branded; a nonexistent URL renders the branded 404.
   • 🤖 Maintenance ready — 503.blade.php is branded; php artisan down --secret=… / up tested; bypass token stored in _CUSTOMIZATIONS.md.
9. 8 · Engagement & SEO 30–90 min

   Wire the growth surfaces — GA4 analytics via the universal 3-file Safe Vendor Deviation Pattern (the canonical example), plus the lighter check-first tasks for a chat widget, social login, the blog system, and the sitemap. Most CodeCanyon scripts ship zero built-in analytics, so the deviation path is the common case.

   • 🔀 GA4 wired — built-in field or the 3-file deviation; curl | grep -c returns ≥1 for the real Measurement ID; Realtime shows traffic; deviation recorded in _CUSTOMIZATIONS.md.
   • 🔀 Consent dependency queued — GA4 consent-gating (page 6) is queued for production launch.
   • 👤 Chat configured — chat widget configured or deferred (LATER).
   • 👤 Social login handled — configured or deferred — existing SocialLoginController checked before any new build.
   • 🤖 Blog status confirmed — ready / deferred.
   • 👤 Sitemap handled — /sitemap.xml verified and submitted to Search Console or deferred.

07 Security Monitoring

Open phase hub →

1. 1 · Harden first ~1–2 hr

   Treat every shipped secret as compromised — rotate vendor defaults, lock down file permissions, throttle sensitive endpoints, and audit mass assignment + session cookies before anything watches the app.

   • 🔀 Every vendor default rotated — admin login (👤), APP_KEY, demo tokens, demo data all gone.
   • 🤖 Endpoints + files locked — auth throttled, CORS scoped to your domains (no *), .env/storage//backups confirmed not web-reachable.
   • 🤖 Mass-assignment audit done — no $guarded = []; vendor findings tracked in _CUSTOMIZATIONS.md.
   • 🤖 Session cookies hardened — secure + http_only + same_site=lax; SESSION_SECURE_COOKIE=true on the server.
2. 2 · Headers & packages ~1 hr

   Enforce HTTPS with HSTS + the standard header set in .htaccess, back it with a SecurityHeaders middleware, force HTTPS in production, encrypt high-risk PII fields, and require strong passwords — for Grade A at securityheaders.com (unsafe-inline caps at A until CSP nonces/hashes).

   • 🤖 HSTS + redirect in .htaccess — forwarded-proto rule if behind Cloudflare.
   • 🔀 Headers verified — all six present via curl; Grade A at securityheaders.com; SSL Labs (TLS) A or A+ (👤 browser check).
   • 🤖 SecurityHeaders middleware — created + registered (or existing one confirmed).
   • 🤖 Production HTTPS + passwords — URL::forceScheme('https') in production; strong-password defaults set.
   • 🤖 PII encrypted (if applicable) — high-risk fields use the 'encrypted' cast; APP_KEY rotation caveat noted.
   • 🔀 CAA records (deferred from Phase 4) — issuance locked to the real CA(s); dig CAA confirms; renewal still succeeds — or explicitly skipped + logged.
3. 3 · Activity logging ~2–4 hr

   Give security-relevant events a durable audit trail — install Spatie Activity Log, capture model changes, log auth and GDPR actions, and auto-prune old records so an incident always has a paper trail.

   • 🤖 Activity log installed — Spatie installed (or vendor logger confirmed); ACTIVITY_LOG_ENABLED=true.
   • 🤖 Model changes logged — LogsActivity on key models, logging only-dirty selected fields.
   • 🤖 Auth events logged — login / logout / failed-login listeners registered, capturing IP + user agent.
   • 🤖 GDPR actions logged — export + deletion-request recorded (deletion logged before data removal).
   • 🤖 Retention scheduled — activitylog:clean daily; server cron drives schedule:run.
4. 4 · Off-server backups ~1.5–2 hr

   The one MUST of observability — assess what already exists, wire Spatie Laravel Backup to run daily, and ship to an S3-compatible off-site destination (S3 / Spaces / B2 / R2) under one BACKUP_AWS_* env prefix with the 3-2-1 rule.

   • 🤖 Existing state audited — monitoring/backup state recorded in CLAUDE.local.md.
   • 🤖 Spatie backup runs — backup:run --only-db completes with non-zero size in backup:list.
   • 🤖 Schedule + alerts set — daily + weekly schedule; server cron drives schedule:run; failure notifications route somewhere.
   • 🔀 Off-site provider wired — one private bucket (👤 created), [PROJECT_NAME]-backups-[YYYY-MM], lifecycle rule applied.
   • 🤖 Pipeline backup live — test backup visible in the cloud console; deploy:backup_database enabled.
5. 5 · Observability ~2 hr

   Extend the basic Sentry DSN into cron monitors, performance, and release health; add rotated + structured logs; expose a health endpoint with external uptime monitoring; and define alert escalation backed by a quarterly restore drill.

   • 🔀 Sentry extended — cron monitors green; performance data visible; releases tagged with the git SHA (👤 auth token generated).
   • 🤖 Logs aggregated — LOG_STACK=daily,sentry_logs + LOG_LEVEL=warning on the server; warnings reach Sentry.
   • 🔀 Health + uptime wired — /health (or /up) returns 200 with JSON; external uptime monitors wired (👤, production).
   • 🤖 Escalation documented — severity → channel matrix routed via the shared webhook config.
   • 🔀 Restore drill done — quarterly drill scheduled; first drill passed; monitoring-state.md current.
6. 6 · Legal & GDPR ~3–5 hr

   Decide which legal pages you need, generate and host Privacy + Terms via one generator (GetTerms / Termly / Iubenda), wire a cookie-consent banner, build GDPR data export + deletion-with-grace-period, and finalize with ROPA + DPAs.

   • 🔀 Generator embedded — pages decided; one generator chosen (👤) and embedded as the first <head> script (@production).
   • 🔀 Policies live — /privacy + /terms load; privacy policy names every third-party data recipient.
   • 🤖 GDPR export + deletion — export downloads JSON; deletion schedules a cancellable 30-day job (both logged).
   • 🔀 Cookie banner verified — Accept/Reject persist (👤 incognito check); manage-preferences link in footer.
   • 🤖 Footer + consent — footer links + signup consent checkbox live; terms_accepted_at recorded on registration.
   • 🔀 GDPR finalized — ROPA documented, DPAs filed for all subprocessors (👤), data-protection contact designated.
7. 7 · Compliance tracks ~30 min read

   Reference for when SOC 2 and HIPAA enter the picture — applicability tests, cost and timeline, what each involves, and the platforms that automate evidence collection. Most CodeCanyon SaaS launches skip both.

   • 👤 HIPAA test run — applicability test done; confirmed HIPAA does not apply (or flagged that it does).
   • 👤 SOC 2 decided — confirmed whether any client contractually requires SOC 2; if not, deferred.
   • 🔀 Track in motion (if live) — platform selected, policy docs drafted, BAAs/evidence collection underway.
   • 👤 Decision documented — otherwise: the decision to skip and the trigger that would reopen it is written down.
8. Overview 6–10 hr

   Harden the deployed app (rotate vendor defaults, TLS/HSTS, security headers, rate limits, session/mass-assignment audit), add an audit trail, then make it observable — off-server backups, Sentry, uptime, logs — and close out the legal layer (GDPR, cookie consent) and compliance tracks (SOC 2 / HIPAA).

08 Configure App

Open phase hub →

1. 1 · MUST path ~2–3 hr (the MUST items only)

   The non-negotiable critical path — brand & core settings, transactional mail with DNS auth, a payment gateway with verified webhooks, plans & feature flags, then a full seed + verify pass before launch.

   • 🔀 Brand applied — set in the admin panel and saved as reproducible reference files.
   • 🔀 Test mail lands — arrives in the inbox with spf/dkim/dmarc=pass.
   • 🔀 Payment gateway connected — test keys wired; webhook signature verified.
   • 👤 Plans render — /pricing shows correct prices; gateway Products/Prices exist.
   • 🔀 Every flow proven in staging — upgrade, decline, emails, live charge + refund.
2. 2 · Brand kit ~4–8 hr first time, ~1–2 hr refinements

   Build the single source of truth for visual identity — brand name, logo variations, a WCAG-checked color palette, typography (including bilingual RTL), reference files committed to the repo, and marketing assets.

   • 👤 Brand name + domain confirmed — availability checked, no trademark conflicts.
   • 👤 Logo set exported — light, dark, icon, favicon, OG — legible on both backgrounds.
   • 👤 Palette defined — every combination passes WCAG 4.5:1.
   • 👤 Typography chosen — CSS variables prepared (with RTL fonts if bilingual).
   • 🤖 Reference files committed — under Admin-Local/1-Project/0-Brand/.
   • 👤 Core marketing assets exported — hero, screenshots, banners.
3. 3 · Payments & billing ~2–4 hr (varies heavily by gateway count)

   Choose a payment approach from the gateway matrix (Stripe built-in vs from-scratch, PayPal, Tap for MENA, LemonSqueezy as Merchant of Record), then add the production billing depth — model, plans, verified webhooks, tax, dunning, and lifecycle documentation.

   • 🔀 At least one gateway connected — test payment succeeds and a declined card is rejected.
   • 👤 Billing model decision record filled in.
   • 🔀 Plans exist in both the DB and the provider dashboard — /pricing renders correctly.
   • 🔀 Webhook endpoint returns 200 — signature verification confirmed.
   • 🔀 Tax approach chosen — Stripe Tax (if applicable) verified on EU + US test purchases.
   • 🔀 Dunning configured + tested — post-failure behavior documented.
   • 🤖 billing-lifecycle.md written — state machine, test matrix, and alert rules.
4. 4 · Email ~1–3 hr

   Confirm and test the transactional mail path, choose a provider from the deliverability matrix, customize the core template set, and (optionally) add drip campaigns and a newsletter — all with SPF/DKIM/DMARC passing.

   • 🔀 Test mail lands in the inbox — with spf=pass, dkim=pass, dmarc=pass.
   • 👤 A dedicated provider is wired — if shared SMTP deliverability was weak.
   • 🔀 The six core templates render — correctly in Gmail, Outlook, and iOS, on-brand.
   • 🔀 Drip campaigns and newsletter configured — or consciously deferred, not silently skipped.
5. 5 · Performance ~2–3 hr

   Capture a Lighthouse baseline, then layer .htaccess browser caching + compression, tune the PHP runtime (OpCache, memory, extensions), verify Redis, enable Cloudflare, and apply accessibility/CSP quick wins — with realistic targets for a vendor-bundled app.

   • 👤 Baseline scores recorded — mobile + desktop, before/after.
   • 🤖 .htaccess caching/compression live — curl confirms Cache-Control on assets.
   • 🔀 OpCache enabled — PHP limits and required extensions set.
   • 🤖 Redis confirmed — as cache + session driver (write/read passes).
   • 👤 Cloudflare Brotli + page rule live — cf-cache-status: HIT.
   • 🤖 Quick wins applied — cached landing page sub-second.
6. 6 · Integrations ~2–3 hr (all three)

   Surface (don't silently skip) the optional integrations — Slack notifications for errors/deploys/backups, GitHub project management (labels, issue forms, project board, PR template), and privacy-first Rybbit analytics.

   • 🔀 Slack webhook test posts — Deployer notifies #<app>-deploys (or consciously deferred).
   • 🔀 GitHub labels, issue forms, project board, PR template — in place (or deferred).
   • 🔀 Rybbit live and recording hits — admin paths skipped and inputs masked (or deferred).
   • 👤 Every deferred item was surfaced — to the operator, not silently skipped.
7. 7 · Post-launch ~45–90 min (identity) + ~20–30 min/release

   Two post-launch tasks — claim social-media handles early (even before you post) and wire the dual changelog (internal + public) so every stable release ships with an announcement.

   • 👤 Target handle chosen — availability checked, fallbacks noted.
   • 🔀 Accounts created — on-brand avatar/banner/bio; ProjectCard.md + .env updated.
   • 🔀 Dual changelog files exist — and are current for the latest tag.
   • 👤 Per-release flow documented — so each future release is repeatable.
   • 🔀 GitHub Release + public "What's New" wired.
8. Phase 8 overview 4–8 hr

   Wire the live product end-to-end — branding, mail, payment gateways, integrations, and plan/feature flags — then seed and verify every flow before launch.

09 Growth Polish

Open phase hub →

1. 1 · SEO (9A) ~2 hr

   SEO needs a reachable URL, so it leads — sitemap + robots, per-page meta + schema + titles, then Search Console verification and a PageSpeed pass.

   • 🤖 Sitemap + robots — /sitemap.xml valid and referenced from /robots.txt.
   • 🤖 Vendor defaults audited — you know which meta/canonical/OG tags the app already ships before overriding.
   • 🤖 Meta + schema + social cards — per-page titles/descriptions, Open Graph/Twitter cards, and JSON-LD in place.
   • 🤖 Canonical URLs (Critical) — base, paginated, and filtered pages each resolve to one correct canonical.
   • 🤖 Page titles unique — base-layout fallback set; every view extending a layout defines a Page | App title.
   • 👤 Search Console verified — property verified and sitemap submitted.
   • 🤖 PageSpeed pass — Core Web Vitals hit targets (Desktop ≥ 90, Mobile ≥ 80, LCP ≤ 2.5s, INP ≤ 200ms, CLS ≤ 0.1).
2. 2 · Engagement (9B) ~varies

   Onboarding, a public changelog, a feedback collection channel, and an optional blog — the streams that keep new users reaching value and existing users informed.

   • 👤 Onboarding — first-run guidance so new users reach value fast.
   • 🤖 Onboarding — modal + migration — has_seen_welcome column migrated; modal fires on first login and is dismissed without reappearing.
   • 🤖 Onboarding — checklist widget — checklist widget visible after modal dismissed; completed tasks show a tick.
   • 🔀 Changelog — a public record of what shipped (pairs with the Phase 8 changelog item).
   • 🤖 Changelog — "What's New" link — link/icon in app nav opens the ProductLift changelog panel.
   • 🔀 Feedback — a collection channel (widget/form) is reachable.
   • 🤖 Feedback — widget installed — ProductLift snippet in layout; test submission appears in dashboard with correct user identity.
   • 👤 Blog (optional) — content surface for SEO + announcements, if chosen.
3. 3 · Support (9C) ~varies

   Two customer-facing systems with several alternatives each — a live chat widget and a help center / knowledge base. Pick one tool per row and record the choice.

   • 👤 Chat decision — provider assessed and chosen; recorded in _CUSTOMIZATIONS.md.
   • 👤 Help center decision — approach chosen; recorded in _CUSTOMIZATIONS.md.
   • 🤖 SEO foundation — valid sitemap + robots; meta/schema/titles in place.
   • 👤 Search Console — verified, sitemap submitted, PageSpeed pass run.
   • 🔀 Engagement — onboarding + changelog + feedback path exists.
   • 👤 Support — chat widget + help center chosen and wired.
4. Overview 6–12 hr

   The pass that makes the product feel finished — SEO (sitemap, meta, schema, Search Console), onboarding/changelog/feedback/blog, and customer-facing chat + help center. Mostly SHOULD with many alternatives.

10 Audit QA

Open phase hub →

1. 1 · Static audit ~45 min

   Fast, deterministic checks that need no browser — project structure, Composer security audit, git hygiene, code-quality/secrets scan — plus migration analysis and FVDUT storage classification.

   • 🤖 Project structure verified — 9 core dirs + bootstrap/cache/ present; custom dirs noted.
   • 🤖 Composer audit clean — manifest valid, no advisories, autoload present.
   • 🤖 Git hygiene confirmed — vendor//node_modules/ untracked; lock files tracked.
   • 🤖 Secrets scan clean — routes compile, no leaked secrets, APP_DEBUG=false in .env.example.
   • 🤖 Fixes committed — staged diff reviewed, no credentials staged, commit pushed.
   • 🤖 SHOULD companions done — migration analysis recorded and storage FVDUT classified.
2. 2 · Security audit ~1 hr

   The full security pass — header grading, ownership-aware vulnerability decisions, blocked sensitive files, admin + storage hardening, and a vulnerability register.

   • 🤖 Headers graded — all six required headers present; Grade A at securityheaders.com; SSL Labs (TLS) A or A+ recorded.
   • 🤖 Sensitive files blocked — .env, .git/config, composer.json, logs all return 403/404.
   • 🔀 Vulnerabilities decided — each finding mapped to an ownership-aware action.
   • 👤 Admin hardened — default creds changed, 2FA on, rate-limiting confirmed, storage at 775.
   • 🤖 Vulnerability register written — owner + decision + 30-day review date per finding.
3. 3 · Performance, DB & SEO ~1.5 hr

   Measure Core Web Vitals (inspect before changing), audit the live database for index coverage and N+1 queries, and fix anything that blocks Google from indexing public pages.

   • 👤 Core Web Vitals on target — Mobile > 80 · Desktop > 90; LCP < 2.5s; CLS < 0.1; TTFB < 800ms.
   • 🤖 Database indexed — FK + searched columns indexed; no N+1 hotspots.
   • 🤖 DB hygiene confirmed — no prod data in staging, sensitive columns encrypted, backup runs.
   • 🤖 SEO unblocked — canonicals added, noindex/robots.txt/sitemap correct, meta/OG complete.
4. 4 · Accessibility & cookies ~1 hr

   WCAG 2.1 AA checks (automated scanners + manual verification) and GDPR/CCPA cookie inventory with consent gating that actually blocks non-essential cookies.

   • 👤 WCAG 2.1 AA passes — scanners clean; keyboard, focus, contrast, and structure verified by hand.
   • 🤖 Cookies inventoried — every cookie listed with attributes and a category.
   • 🤖 Session cookies secure — runtime config('session') has secure, http_only, same_site=lax.
   • 👤 Banner gates non-essential — incognito test confirms Accept/Reject and editable preferences.
   • 🔀 One consent mechanism — built-in disabled if a third-party manager is used; policy page matches.
5. 5 · Functional QA + debugger ~2–3 hr

   Drive every critical journey and role (automate with Playwright MCP), run live security tests, triage by severity, then mine Telescope/Sentry/logs and check for unmerged fixes.

   • 🔀 MUST suites pass — functional, runtime security, performance, and UAT all green.
   • 👤 Payments + emails verified — test-card lifecycle works; transactional emails land (9–10/10).
   • 🤖 Failures triaged — every failure tagged CRITICAL / MEDIUM / LOW.
   • 🤖 Debugger review done — Telescope/Sentry/logs mined; slow queries fixed.
   • 🤖 No unmerged fixes — every fix commit confirmed on develop.
   • 🔀 SHOULD suites run (staging) — cross-browser (4 browsers), mobile (4 breakpoints + real devices), and load test all pass on staging.
   • 🤖 ZajModules verified or skipped — zajmodsys:list clean, or no packages/ZajModSys/ so skipped.
6. 6 · Pre-launch sign-off ~45 min

   The final gate — walk the pre-launch checklist across blockers, infra, security, monitoring, payments, comms, legal, content, and team readiness, then execute the launch sequence.

   • 🤖 Blockers clear — no unresolved HIGH / open ISSUE / SECURITY items in the project log.
   • 🤖 Infrastructure ready — SSL > 30 days, DNS + www resolve, CDN proxy on, SSL mode Full (strict).
   • 🤖 Security verified — APP_DEBUG=false, .env returns 403/404, no debug toolbar; Grade A at securityheaders.com; SSL Labs (TLS) A or A+.
   • 🤖 Monitoring live — error tracking captures a test event, uptime monitor + backups verified.
   • 🔀 Payments live — live keys, production webhook + secret, test mode off, real charge + refund work.
   • 🤖 Communications working — inbox-delivered welcome/reset/invoice emails, chat widget live.
   • 🤖 Legal published — Privacy, Terms, Cookie, Refund pages published + linked; consent banner enforced.
   • 🤖 Content complete — no placeholder text, favicon, OG/meta, sitemap, robots.txt correct.
   • 👤 Team ready + launched — admin creds vaulted with 2FA, rollback documented, 24h monitor assigned, launch sequence run.
7. Phase 10 overview 8–16 hr

   The full pre-launch audit — static code & dependency checks, a security re-check, performance/DB/SEO/accessibility audits, functional QA across roles, debugger review, and a pre-launch sign-off gate.

11 Pre Customer

Open phase hub →

1. 1 · Technical readiness ~6 hr

   The seven MUST gates that verify the deployed system against reality — git/deploy verification, codebase + security scan, database confidence, env audit, end-to-end testing, monitoring, and final signoff.

   • 🤖 Git & deploy verified — clean tree, current symlink correct, scheduler entry present.
   • 🤖 Security sweep clean — zero vulnerable instances; PHPStan ≤ 5 non-critical.
   • 🤖 Database confidence — migrations at parity, 0 pending, no test data on production.
   • 🤖 Env audit passed — APP_DEBUG=false, base64: key, HTTPS 301, security headers, live keys.
   • 🔀 End-to-end journeys pass — payment test cards clear; 👤 mobile verified on a physical device.
   • 🤖 Monitoring live — test exception captured, uptime monitors green, backups recent.
   • 🤖 Production infra re-verified (SHOULD) — Cloudflare SSL/TLS/HSTS/WAF/DNSSEC match Phase 4 (step 7b); SEO sitemap.xml + robots.txt reachable and SPF/DKIM/DMARC re-checked. Drift fixed before live traffic.
   • 🤖 Signoff ready — Tier 1 confirmed 13/13 on the next page.
2. 2 · Launch signoff ~45 min

   The tiered launch decision — Tier 1 blockers must be 13/13, Tier 2 important items launch with documented exceptions, Tier 3 nice-to-haves can defer.

   • 🤖 Tier 1 is 13/13 — all blockers pass; if any fail, do not launch.
   • 🤖 Tier 2 resolved — green or documented exception for each item.
   • 🤖 Tier 3 handled — completed or knowingly deferred.
   • 👤 Launch signed off — a person has made the go/no-go decision.
3. 3 · Business & legal ~2–3 hr

   A customer needs something to land on, a way to pay, and the legal pages that make billing legitimate — landing page, legal pages, transactional email, pricing & payment, analytics & social meta.

   • 🤖 Landing page — seven sections live; authenticated users redirect to the dashboard.
   • 👤 Legal pages — /privacy, /terms, and contact route live and footer-linked.
   • 🤖 Transactional email — all five core templates deliver; SPF/DKIM/DMARC pass.
   • 🔀 Pricing & payment — products/prices created (👤), integration + webhooks wired and tested.
   • 🤖 Analytics & social meta — sign_up/trial_started/purchase fire; OG/Twitter cards preview.
4. 4 · Support & onboarding ~varies

   Make the path to value short and the path to help obvious — a support surface, a five-minute time-to-first-value flow, and activation funnel tracking.

   • 🤖 Support surface live — help/FAQ, contact form, in-app help icon, and bug-reporting path all reachable.
   • 👤 Time to first value — a five-minute first-run flow exists with a guided first action.
   • 🤖 Activation tracking — the funnel is instrumented from verified through day-7 retention.
5. Phase 11 overview 4–8 hr

   The final go/no-go gate before the first real customer — technical verification, business and legal readiness, support and docs, then a tiered launch signoff.

12 Production

Open phase hub →

1. 1 · Pre-flight (P0) ~45 min

   Never skip this — rotate every test-mode key and staging password that touched a chat or log, migrate plaintext credentials into a secrets manager, re-scope over-privileged service accounts, and record the audit.

   • 👤 Test-mode keys rotated — every test-mode payment key rolled; old keys revoked at the source.
   • 👤 Staging passwords rotated — SMTP, database, and hosting-panel credentials all changed.
   • 👤 Credentials vaulted — plaintext secrets replaced with vault pointers (or deleted + gitignored).
   • 👤 Scopes minimized — every API key and the deploy user narrowed to minimum permissions.
   • 🔀 Audit recorded — rotation/move/re-scope summary committed to the customizations log.
2. 2 · Release & deploy ~1.5 hr

   Cut the changelog and version before deploying, then promote staging → production, stage the production .env, deploy dry-run then real, run the installer (first deploy only), and verify it's live.

   • 🤖 Release prepared (P1) — version picked, internal + public changelogs updated, committed alone.
   • 🤖 Production promoted — staging merged into production and pushed.
   • 🤖 .env staged & clean — uploaded over the SSH alias at mode 640, placeholder check prints Clean.
   • 🤖 Deployed — dry-run plan reviewed, real dep deploy production completed.
   • 👤 Installer done — /install wizard complete, route re-blocked, returns 403; admin login saved to the vault.
   • 👤 Live verified — /login over HTTPS, admin signs in, dashboard clean with a valid padlock.
3. 3 · Harden, verify & sync ~1 hr

   Lock down installer-friendly permissions, verify schema parity against staging, then sync all branches back to a shared base and tag the release as your rollback and audit anchor.

   • 🤖 Permissions locked — storage 775/664, .env 640 on production.
   • 🤖 No pending migrations — migrate --pretend reports nothing unexpected.
   • 🤖 Schema parity verified — staging↔production diff clean, production baseline exported.
   • 🔀 ServerSync reviewed (P4.5) — production ServerSync PR reviewed file-by-file (no blind deletes), symmetry audit passed — or confirmed there were no server-side changes to capture.
   • 🤖 Branches synced — main, staging, develop all fast-forwarded to production.
   • 🤖 Release tagged — v${VERSION} annotated on production and pushed.
   • 🤖 Redeploy check (P7) — git log production..develop is empty, or the changed code was redeployed through staging → production.
   • 🤖 Release recorded (P7) — CHANGELOG.md has a dated [vX.Y.Z] section and ProjectCard.md reads "Live".
   • 🤖 Schema baseline snapshotted (P7) — 2-Snapshots/v${VERSION}-release/production.sql exported.
   • 🤖 Vendor-drift manifest captured (P7) — vendor-drift-v${VERSION}.txt saved; every modified vendor file is recorded in _CUSTOMIZATIONS.md.
4. 4 · Monitor & day-2 ~24–48 hr (watch)

   Watch closely through the first 24–48h — smoke tests, integration checks, performance/security spot-checks, log triage, and baselines — with rollback always one command away, then the abbreviated subsequent-deploy cycle.

   • 👤 Smoke tests pass — registration, login, password reset, logout, and core features work end-to-end.
   • 🔀 Integrations verified — email, key API routes, payment gateway, and queue workers all process.
   • 🤖 Perf/security spot-checked — response times within target, .env returns 403/404, HTTPS/HSTS present, APP_DEBUG=false.
   • 🤖 Logs triaged — app log tailed, every error classified by severity and actioned.
   • 🔀 Baselines recorded — error rate, response time, and uptime captured at 48h with lessons learned.
   • 🤖 Rollback rehearsed — dep rollback production (or tag-based redeploy) ready the whole window.
5. Phase 12 overview 2–6 hr active + 24–48 hr monitoring

   Go live safely — pre-flight security hygiene, the first production release and installer, schema and branch verification, version tagging, and 24–48h post-deploy monitoring with a rollback always ready.

How to use it

• Read top to bottom — expand a phase, skim step summaries, open a step only when you need commands or detail.
• Execute with checkmarks — tick the step when it’s done; ticking a step checks all its gates; ticking every gate auto-completes the step.
• Expand all / Collapse all — scan the full tree or focus one phase at a time.

Same order as the sidebar

Phases and steps follow slug order (01-ai-system … 12-production) — identical to the left nav under 1 · Set up a New App.

→Start Phase 1

Phase 1 · Set up the AI System →