# Claude Code Prompt - Zavvion Events Commercial Lite Production Testing

You are Claude Code acting as an independent senior software architect, QA lead, security reviewer, payment-flow reviewer, database reviewer, responsive UX reviewer, and deployment-readiness tester.

Project: Zavvion Events commercial-lite ticket-selling MVP.

Mode: **Audit/review first. Do not patch until Cham explicitly approves a patching phase.**

## Workspace And Context

Primary repo to review:

`C:\Users\chama\Documents\ZavvionEvents\zavvion-events`

Served XAMPP copy:

`C:\xampp\htdocs\zavvion-events`

Local base URL:

`http://localhost/zavvion-events/public/`

Branch:

`codex-lite-launch-slice`

Important: review the local working tree, not GitHub only. The working tree is intentionally dirty with many commercial-lite changes.

## Read First

1. `handoff/commercial-lite-production-readiness-report-20260526.md`
2. `handoff/claude-code-commercial-lite-testing-prompt-20260526.md`
3. `docs/commercial-launch-readiness.md`
4. `docs/commercial-launch-execution-status.md`
5. `docs/lite-launch-developer-brief.md`
6. `docs/light-mvp-functional-testing-plan.md`
7. `docs/mobile-tablet-qa.md`
8. `docs/schema.sql`
9. `public/index.php`
10. `public/mvp.php`
11. `public/assets/js/zavvion-ui.js`
12. `public/assets/js/event-page.js`
13. `public/assets/js/organiser-page.js`
14. `public/assets/js/admin-page.js`
15. `public/assets/css/zavvion-ui.css`

Do not expose secrets from any `.env` file.

## Codex-Reported Current Status To Verify

Codex reports:

- Full PHPUnit green: `732 tests / 2703 assertions`.
- Frontend links green: `424 checked, 0 issues`.
- `composer validate --strict` green.
- Composer audit blocked locally by network/proxy to `127.0.0.1:9`.
- Stripe readiness not ready because keys/webhook/connected account are missing.
- Production launch gate blocked by 5 deployment warnings.
- `/organiser/apply` now uses Zavvion site styling.
- Production Stripe Connect readiness no longer trusts browser payload fields.

Do not trust those claims without verifying evidence.

## Discovery Commands

Run or inspect:

```powershell
git status --short --branch
git log -5 --oneline
C:\xampp\php\php.exe -l public\index.php
C:\xampp\php\php.exe -l public\mvp.php
node --check public\assets\js\zavvion-ui.js
node --check public\assets\js\event-page.js
node --check public\assets\js\organiser-page.js
node --check public\assets\js\admin-page.js
C:\xampp\php\php.exe composer.phar validate --strict
C:\xampp\php\php.exe composer.phar audit
C:\xampp\php\php.exe vendor\bin\phpunit
C:\xampp\php\php.exe bin\check-frontend-links --base-url=http://localhost/zavvion-events/public
C:\xampp\php\php.exe bin\check-mvp-smoke --base-url=http://localhost/zavvion-events/public
C:\xampp\php\php.exe bin\check-local-live-run --base-url=http://localhost/zavvion-events/public
C:\xampp\php\php.exe bin\check-stripe-readiness
C:\xampp\php\php.exe bin\check-deployment-readiness
C:\xampp\php\php.exe bin\check-production-launch
```

If commands cannot run, report the exact reason and what evidence is missing.
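The discovery list above is only useful as evidence if every command's exit code and output are captured and kept, including the cases where a tool is missing. The following runner is an added example for this audit, not a script from the Zavvion repo; it uses the repo path, PHP binary and base URL quoted in this prompt, and the `handoff\evidence-*` directory name and the script file name are assumptions. It classifies each command as Pass, Fail, or "Not verified" (command not found, which `cmd.exe` reports as exit code 9009) and masks anything shaped like a Stripe key or webhook secret before writing the output to disk, in keeping with the rule that `.env` secrets must not be exposed.

```php
<?php
// Added evidence-capture runner, not part of the Zavvion repo. Runs the discovery
// commands from the prompt inside the primary repo and records exit code and output
// per command so the report can cite evidence rather than Codex's summary.
declare(strict_types=1);

$repo    = 'C:\Users\chama\Documents\ZavvionEvents\zavvion-events';
$php     = 'C:\xampp\php\php.exe';
$baseUrl = 'http://localhost/zavvion-events/public';
$evidenceDir = $repo . '\handoff\evidence-' . date('Ymd-His'); // assumed location

// Discovery commands from the prompt, keyed by a short evidence label.
$commands = [
    'git-status'        => 'git status --short --branch',
    'git-log'           => 'git log -5 --oneline',
    'lint-index'        => "$php -l public\\index.php",
    'lint-mvp'          => "$php -l public\\mvp.php",
    'node-ui'           => 'node --check public\assets\js\zavvion-ui.js',
    'node-event'        => 'node --check public\assets\js\event-page.js',
    'node-organiser'    => 'node --check public\assets\js\organiser-page.js',
    'node-admin'        => 'node --check public\assets\js\admin-page.js',
    'composer-validate' => "$php composer.phar validate --strict",
    'composer-audit'    => "$php composer.phar audit",
    'phpunit'           => "$php vendor\\bin\\phpunit",
    'frontend-links'    => "$php bin\\check-frontend-links --base-url=$baseUrl",
    'mvp-smoke'         => "$php bin\\check-mvp-smoke --base-url=$baseUrl",
    'local-live-run'    => "$php bin\\check-local-live-run --base-url=$baseUrl",
    'stripe-readiness'  => "$php bin\\check-stripe-readiness",
    'deploy-readiness'  => "$php bin\\check-deployment-readiness",
    'production-launch' => "$php bin\\check-production-launch",
];

/** Mask anything shaped like a Stripe API key or webhook signing secret. */
function redactSecrets(string $text): string
{
    return preg_replace('/\b(?:[sr]k_(?:live|test)|whsec)_[A-Za-z0-9]+/', '[REDACTED]', $text) ?? $text;
}

/** Run one command in $cwd; stderr goes to a file so a full pipe cannot deadlock the run. */
function runForEvidence(string $cmd, string $cwd, string $stderrFile): array
{
    $spec = [0 => ['pipe', 'r'], 1 => ['pipe', 'w'], 2 => ['file', $stderrFile, 'w']];
    $proc = proc_open($cmd, $spec, $pipes, $cwd);
    if (!is_resource($proc)) {
        return ['exit' => null, 'status' => 'Not verified', 'reason' => 'proc_open failed',
                'stdout' => '', 'stderr' => ''];
    }
    fclose($pipes[0]);
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $exit = proc_close($proc);
    $stderr = is_file($stderrFile) ? (string) file_get_contents($stderrFile) : '';
    // cmd.exe reports a missing executable with exit code 9009 and a "not recognized" message.
    $missing = $exit === 9009
        || preg_match('/is not recognized as an internal or external command/i', $stderr) === 1;
    $status = $exit === 0 ? 'Pass' : ($missing ? 'Not verified' : 'Fail');
    $reason = $missing ? 'command not found' : ($exit === 0 ? '' : "exit code $exit");
    return ['exit' => $exit, 'status' => $status, 'reason' => $reason,
            'stdout' => $stdout, 'stderr' => $stderr];
}

if (!is_dir($evidenceDir) && !mkdir($evidenceDir, 0777, true)) {
    fwrite(STDERR, "Cannot create $evidenceDir\n");
    exit(1);
}
$summary = [];
foreach ($commands as $label => $cmd) {
    $stderrFile = "$evidenceDir\\$label.stderr.txt";
    $result = runForEvidence($cmd, $repo, $stderrFile);
    // Rewrite both streams through the redaction filter before they are kept as evidence.
    file_put_contents("$evidenceDir\\$label.stdout.txt", redactSecrets($result['stdout']));
    file_put_contents($stderrFile, redactSecrets($result['stderr']));
    $summary[$label] = ['command' => $cmd, 'exit' => $result['exit'],
                        'status' => $result['status'], 'reason' => $result['reason']];
    printf("%-18s %-12s %s\n", $label, $result['status'], $result['reason']);
}
file_put_contents("$evidenceDir\\summary.json",
    json_encode($summary, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES));
echo "Evidence written to $evidenceDir\n";
```

Save it as, for example, `handoff\run-evidence.php` (assumed name) and run `C:\xampp\php\php.exe handoff\run-evidence.php` from the repo root; `summary.json` then gives the "Commands run and results" table for the report, and any "Not verified" row states the exact reason the evidence is missing.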

## Workflows To Test Like A Human

Public buyer:

- Browse all events.
- Filter events.
- Open each demo/test event.
- Use Booking tab.
- Use Seat-map tab.
- Select reserved seats by section tab.
- Buy non-reserved ticket quantities.
- Assign selected seat ticket types.
- Attempt checkout with incomplete assignments.
- Continue to checkout and confirm server draft.
- Tamper with totals/currency in browser and verify server rejects/ignores.

Customer:

- Register/login/logout.
- My tickets/orders/profile/privacy.
- Verify customer cannot access organiser/admin APIs.
- Verify profile/account save behavior is either functional or clearly reported.

Organiser:

- Login as organiser.
- Create venue.
- Create seat map with multiple sections.
- Mix reserved and non-reserved sections.
- Upload or replace PDF/image floor plan against a specific seat map.
- Edit seat map labels safely.
- Create event and select exact seat map.
- Save draft, preview, publish where allowed.
- Create reusable ticket catalogue entries.
- Add event-level ticket prices/quantity/max-order.
- Remove an event allocation without deleting reusable type.
- Enable/disable section-specific ticket allocation.
- Confirm public event only shows allocated tickets.
- Confirm media shown in edit event belongs only to the edited event.

Platform organiser:

- Login/access global organiser workspace.
- Switch organiser context if data exists.
- Confirm no platform-admin-only APIs or menus are accessible.

Platform admin:

- Review organiser applications.
- Fee rule create/edit/delete conflict checks.
- Platform settings/readiness/health.
- Stripe readiness page.
- Role boundaries: no platform admin can assign/edit platform super admin unless explicitly permitted.

Scanner/cashier/event-manager:

- Verify current Lite Launch profile hides or blocks deferred workspaces.

## Security Areas To Audit

- Auth/session/cookie security.
- CSRF route policy.
- Role and tenant isolation.
- Platform organiser versus platform admin.
- Public checkout cash/counter method exclusion.
- Browser redirect cannot issue tickets.
- Signed webhook required for paid ticket issuance.
- Checkout drafts require token or admin role.
- Stripe Connect readiness from Stripe sync, not browser payload in production.
- Upload validation for image/PDF floor plans.
- XSS escaping in OCR/upload labels, event names, section names, ticket names.
- QR uniqueness, duplicate scan, wrong-event scan, revoked/cancelled tickets.
- Logs/audit should not expose secrets or excessive customer data.
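Two of the items above (and the buyer step "tamper with totals/currency in browser and verify server rejects/ignores") describe the same server-side property: money and ticket issuance must be derived from data the server trusts, never from the browser. The following is an added illustration of the two checks a reviewer would look for in the checkout and webhook code, not Zavvion's own code. The ticket catalogue, the function names and the `whsec_CONSTRUCTED_EXAMPLE` secret are constructed assumptions; the signature scheme is the one Stripe documents for its webhooks (a `t=` timestamp and `v1=` HMAC-SHA256 over `timestamp.rawBody`, with a replay tolerance), and `checkout.session.completed` / `payment_status` are Stripe event fields.

```php
<?php
// Added illustration for this audit, not Zavvion code. Catalogue, names and the
// webhook secret are constructed; the signature scheme follows Stripe's webhook docs.
declare(strict_types=1);

// Trusted per-event ticket catalogue (constructed). Prices are in minor units.
const TICKET_CATALOGUE = [
    'adult' => ['unit_amount' => 2500, 'currency' => 'GBP', 'max_order' => 6],
    'child' => ['unit_amount' => 1000, 'currency' => 'GBP', 'max_order' => 6],
];

/**
 * Build the checkout draft from ticket ids and quantities only. Totals, unit prices
 * and currency sent by the browser are never read, so tampering with them is inert.
 */
function buildServerDraft(array $browserPayload): array
{
    $lines = [];
    $total = 0;
    $currency = null;
    foreach ($browserPayload['items'] ?? [] as $item) {
        $typeId = (string) ($item['ticket_type_id'] ?? '');
        $qty = filter_var($item['quantity'] ?? null, FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]);
        if ($qty === false || !isset(TICKET_CATALOGUE[$typeId])) {
            throw new InvalidArgumentException("Unknown ticket type or invalid quantity: {$typeId}");
        }
        $entry = TICKET_CATALOGUE[$typeId];
        if ($qty > $entry['max_order']) {
            throw new InvalidArgumentException("Quantity exceeds max_order for {$typeId}");
        }
        if ($currency !== null && $currency !== $entry['currency']) {
            throw new InvalidArgumentException('Mixed currencies in one draft');
        }
        $currency = $entry['currency'];
        $lineTotal = $qty * $entry['unit_amount'];
        $lines[] = ['ticket_type_id' => $typeId, 'quantity' => $qty,
                    'unit_amount' => $entry['unit_amount'], 'line_total' => $lineTotal];
        $total += $lineTotal;
    }
    if ($lines === []) {
        throw new InvalidArgumentException('Draft has no ticket lines');
    }
    return ['lines' => $lines, 'currency' => $currency, 'total' => $total];
}

/** True only if the header carries a fresh, correctly signed v1 signature for $rawBody. */
function webhookSignatureValid(string $rawBody, string $sigHeader, string $secret,
                               int $now, int $toleranceSeconds = 300): bool
{
    $timestamp = null;
    $signatures = [];
    foreach (explode(',', $sigHeader) as $part) {
        [$key, $value] = array_pad(explode('=', trim($part), 2), 2, '');
        if ($key === 't') {
            $timestamp = (int) $value;
        } elseif ($key === 'v1') {
            $signatures[] = $value;
        }
    }
    if ($timestamp === null || $signatures === [] || abs($now - $timestamp) > $toleranceSeconds) {
        return false; // malformed header or stale timestamp (replay window exceeded)
    }
    $expected = hash_hmac('sha256', $timestamp . '.' . $rawBody, $secret);
    foreach ($signatures as $candidate) {
        if (hash_equals($expected, $candidate)) { // constant-time comparison
            return true;
        }
    }
    return false;
}

/** Tickets may be issued only from a verified paid event; a browser redirect never reaches this. */
function ticketsIssuableFromWebhook(string $rawBody, string $sigHeader, string $secret, int $now): bool
{
    if (!webhookSignatureValid($rawBody, $sigHeader, $secret, $now)) {
        return false;
    }
    $event = json_decode($rawBody, true);
    return is_array($event)
        && ($event['type'] ?? '') === 'checkout.session.completed'
        && ($event['data']['object']['payment_status'] ?? '') === 'paid';
}

function check(bool $ok, string $what): void
{
    if (!$ok) { throw new RuntimeException("FAILED: $what"); }
    echo "ok: $what\n";
}

// Demo with constructed inputs: the browser claims a total of 1 USD, the server ignores it.
$tampered = ['items' => [['ticket_type_id' => 'adult', 'quantity' => 2]],
             'total' => 1, 'currency' => 'USD'];
$draft = buildServerDraft($tampered);
check($draft['total'] === 5000 && $draft['currency'] === 'GBP', 'server recomputes total/currency');

$secret = 'whsec_CONSTRUCTED_EXAMPLE'; // placeholder, never a real signing secret
$body = json_encode(['type' => 'checkout.session.completed',
                     'data' => ['object' => ['payment_status' => 'paid']]]);
$now = 1700000000;
$header = 't=' . $now . ',v1=' . hash_hmac('sha256', $now . '.' . $body, $secret);
check(ticketsIssuableFromWebhook($body, $header, $secret, $now), 'signed paid webhook issues');
check(!ticketsIssuableFromWebhook($body . ' ', $header, $secret, $now), 'altered body rejected');
check(!ticketsIssuableFromWebhook($body, $header, $secret, $now + 3600), 'stale timestamp rejected');
```

When reviewing the real checkout draft and webhook handlers, the questions are the ones this sketch makes concrete: does the draft ever read a price, total or currency field from the request body; does any code path that marks an order paid or generates a QR run on the post-payment redirect rather than on a verified webhook; and is the signature compared with `hash_equals` against a fresh timestamp.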

## Responsive/Accessibility Areas To Audit

Test at:

`320, 360, 375, 390, 414, 430, 768, 820, 1024, 1280, 1440, 1920`

Focus areas:

- Event list filters and cards.
- Event detail basket and section tabs.
- Reserved seat map tap targets and text wrapping.
- Checkout form and order summary.
- Login/register/organiser apply.
- Organiser console event editor, ticketing, venues, seat-plan builder.
- Admin tables/fees/readiness.
- Keyboard navigation and focus management.

Known Codex/Vale risks to verify:

- Mobile event filters may need `inert` and focus trap.
- Basket drawer may not trap focus.
- Event cards may clip at 320-360px.
- Dense seat buttons may be hard to tap on real devices.

## Highest-Risk Questions Claude Must Answer

1. Is the commercial-lite branch safe for staging deployment?
2. What exactly blocks real paid public launch?
3. Can any non-admin role access platform admin APIs?
4. Can platform organiser access only organiser functions, not admin functions?
5. Can public checkout ever use cash/external terminal?
6. Can paid tickets/QRs ever issue from browser redirect alone?
7. Does Stripe Connect route money to the correct organiser account only after verified readiness?
8. Do event public ticket lists show only event-allocated tickets?
9. Does event seat map selection use the exact organiser-selected seat map?
10. Are reserved and non-reserved sections usable in one event?
11. Are uploads safe enough for staging?
12. Are mobile/tablet layouts usable enough for beta?

## Expected Output

Return:

- Scope confirmation.
- Commands run and results.
- Architecture map.
- API route map.
- Role matrix.
- Workflow integrity table.
- Security findings by severity.
- UX/responsive findings by severity.
- Payment/Stripe/Connect findings.
- Database/schema findings.
- Deployment blockers.
- Exact remediation roadmap.
- Go/no-go recommendation for local demo, staging, public beta, and real paid events.

Use “Not verified” where evidence is missing.

Do not patch unless Cham separately approves.
