# Commercial Launch Execution Status Updated: 2026-05-25 This file records what has been completed locally and what still requires the deployed server, real credentials, or human launch-owner action. Do not paste secrets into this file. ## Completed Locally - Production/staging environment templates exist: - `.env.staging.example` - `.env.production.example` - Real environment filenames are protected from accidental commit: - `.env` - `.env.local` - `.env.*.local` - `.env.staging` - `.env.production` - Production-safe defaults are in the templates: - `APP_ENV=production` - `APP_DEBUG=false` - `APP_FORCE_HTTPS=true` - `APP_LAUNCH_PROFILE=ticket-selling-v1` - `MVP_RUNTIME_SCHEMA_REPAIR=false` - `PAYMENT_MOCK_ENABLED=false` - `STRIPE_CONNECT_CHARGE_MODEL=direct_charge` - `bin/generate-production-secrets` exists and prints secrets only; it does not write to disk. - `bin/install-database` refuses seeded demo users/data when `APP_ENV=production` or `APP_ENV=prod`. - Local XAMPP CLI PHP has GD enabled. - Local XAMPP Apache was restarted after enabling GD. - Composer PHAR was downloaded locally as `composer.phar`; it is ignored by Git. - Composer validation passed. - Composer audit passed with no security vulnerability advisories. - Full PHPUnit suite passed after the latest launch-slice changes. ## Still Requires Target Server Or Credentials 1. Create the real server `.env`. - Copy `.env.staging.example` or `.env.production.example` to `.env` on the server. - Replace every placeholder outside Git. - Generate secrets on the target server with `php bin/generate-production-secrets`. 2. Configure Stripe test mode. - Add real `STRIPE_SECRET_KEY`. - Add real `STRIPE_PUBLISHABLE_KEY`. - Add real `STRIPE_WEBHOOK_SECRET`. - Keep `STRIPE_MODE=test` for staging rehearsal. - Keep `PAYMENT_MOCK_ENABLED=false`. 3. Configure a connected organiser Stripe account. - Onboarding complete. - Charges enabled. - Payouts enabled. - Stored in `stripe_connected_accounts`. 4. Run one real Stripe test checkout through signed webhook. - Use hosted Stripe Checkout. - Confirm browser redirect alone does not issue tickets. - Confirm webhook marks payment/order complete. - Confirm tickets, QR tokens, seat status, ledger, platform fee, tax/VAT, and organiser proceeds. 5. Configure ClamAV or approved equivalent on the server. - Set `MEDIA_MALWARE_SCAN_REQUIRED=true`. - Set `CLAMAV_CLAMSCAN_PATH` to an executable scanner path. - Run `php bin/check-production-launch`. 6. Repeat mobile/tablet/manual QA on the deployed server. - Use the checklist in `docs/mobile-tablet-qa.md`. - Capture evidence for customer, organiser, and platform admin workflows. ## Current Go/No-Go - Local development confidence: green. - Staging rehearsal: ready once real server `.env`, Stripe test keys, ClamAV, and connected organiser account are configured. - Real paid commercial launch: not approved until the signed Stripe checkout evidence and deployed mobile/tablet QA are complete.