# Zavvion Events Commercial Lite - Production Readiness Report Date: 2026-05-26 Workspace reviewed: `C:\Users\chama\Documents\ZavvionEvents\zavvion-events` Served copy synced/tested: `C:\xampp\htdocs\zavvion-events` Branch: `codex-lite-launch-slice` Latest observed commit: `e9e3876 Update handoff for lite launch branch` Status: **CONDITIONAL for local/demo and staging workflow review; NOT READY for real paid commercial production until environment, Stripe, upload scanning, and deployed mobile QA are completed.** ## Executive Verdict The commercial-lite codebase is much stronger after the current pass: - Full PHPUnit is now green: `732 tests / 2703 assertions`. - Frontend link checker is green: `424 checked, 0 issues`. - Core syntax checks are green. - Public organiser application page now uses Zavvion site styling. - Production Stripe Connect hardening was added so browser payloads cannot mark connected-account readiness in production. - XAMPP served copy has been synced for the latest changes. Commercial launch is still blocked by operational setup rather than normal application code: - Real staging/production `.env` is not configured in this workspace. - Stripe test keys, webhook signing secret, and connected organiser account are not configured. - A signed Stripe test checkout has not been proven end-to-end on the deployed server. - ClamAV or equivalent media malware scanning is not configured. - Public local review/showcase pages must be removed, blocked, or excluded from a production build. - Manual mobile/tablet/browser role testing must be repeated on the deployed server. ## Agent Workstreams Used - Scout Current-State Mapper: codebase, route, workflow, and architecture discovery. - Sable Commercial-Lite Security Reviewer: auth/RBAC/payment/upload/security review. - Vale Responsive UX Reviewer: responsive, mobile, accessibility, and focus-management review. - Kepler Commercial-Lite QA Architect: test inventory, checks, role testing strategy, and gaps. - Nova Deployment Readiness Engineer: environment, deployment, Stripe, rollback, and server-readiness review. - Main Codex: integration, fixes, test execution, XAMPP sync, and handoff packaging. ## Current Architecture Map Active runtime is a custom PHP MVP front controller, not a full Yii request lifecycle. - `public/index.php`: front controller, env loading, security headers, API routing for public events, checkout drafts, Stripe webhooks, and fallback page rendering. - `public/mvp.php`: large MVP dispatcher and procedural adapter layer for auth, organiser, admin, media, checkout, seat holds, scanner, finance, role review, and launch profile gates. - `src/*`: focused service classes used by `public/index.php` and `public/mvp.php`. - `public/*.html`: primary browser pages for public, account, organiser, admin, checkout, scanner, role showcase. - `public/assets/js/zavvion-ui.js`: shared API client, CSRF handling, theme/session helpers, shell behavior. - `public/assets/js/organiser-page.js`: organiser console workflow. - `public/assets/js/admin-page.js`: platform admin console workflow. - `public/assets/js/event-page.js`: public event booking, reserved/non-reserved sections, basket, seat maps. - `public/assets/js/checkout-page.js`: checkout draft, payment-return, customer details, order summary. - `docs/schema.sql` and `migrations/*.php`: canonical DB schema/migrations. Important architecture caveat: `config/routes.php` contains Yii-style routes, but the served local app path is currently `public/index.php` + `mvp_dispatch()`. ## Current Functionality Map Commercial-lite scope: - Public visitors browse events, view event detail, select reserved seats, buy non-reserved ticket quantities, and create checkout drafts. - Customers can log in, view account/wallet/order/privacy screens, and manage basic account actions. - Organisers can manage events, venues, reusable seat maps, reserved/non-reserved sections, event-level ticket allocations, event pricing/quantity/max order, media, Stripe readiness, and finance summaries. - Platform organiser can access organiser workspaces globally but must not receive platform-admin APIs. - Platform admin can manage organiser review, fee/tax/admin settings, finance/readiness, roles, site settings, health, and reports. - Scanner/cashier/event-manager richer flows remain present in code but are deferred/guarded in the `ticket-selling-v1` launch profile. ## API Map Highlights Public/front-controller routes: - `GET /api/v1/events` - `GET /api/v1/events/{slug}` - `POST /api/v1/checkout/session` - `GET /api/v1/checkout/drafts/{id}` - `POST /api/v1/checkout/drafts/{id}/edit` - `POST /api/v1/promo/validate` - `POST /api/v1/webhooks/stripe` MVP dispatcher route families: - Auth/session: login/logout/register/current user/CSRF/MFA/password reset/local role review login. - Account: tickets/orders/wallet/profile/privacy/export/consents. - Organiser: contexts, events, venues, seat maps, ticket catalog/types, section rules, Stripe account/onboarding/sync, media, finance, reports. - Admin: organiser applications, users/roles/permissions, fees/tax, payments, finance, readiness, media, health, audit, settings. - Checkout: free confirmation, mock local success, seat holds/release/expiry. - Scanner: device registration, manifest, validate, offline sync, launch-profile gated. - Media: upload, floor-plan/PDF asset storage, scan/rescan, retention. ## Payment And Payout Flow - Public paid ticket checkout must use server-calculated totals and event currency. - Public online checkout does not expose cash/counter methods server-side. - Stripe webhook handling uses signed webhook validation for actionable events. - Browser redirects alone do not issue paid tickets. - Ticket/QR issuance occurs after trusted Stripe completion, safe local mock/free confirmation, or recorded box-office payment. - Stripe Connect account selection requires `onboarding_status='complete'`, `charges_enabled=1`, and `payouts_enabled=1`. - New hardening: in production, platform admins cannot mark connected-account readiness from browser payload fields; readiness must be preserved from existing Stripe-synced state or remain pending until sync. ## Security Findings Critical: - None confirmed in code after this pass. High / launch blockers: - Public local review/showcase pages remain in `public/` and must be removed/protected/excluded for production. The production launch gate already blocks this. - Stripe Connect is not configured and no signed webhook checkout has been proven on deployment. Medium: - Scanner audit attribution is client-controlled when scanner APIs are enabled; acceptable for lite launch because scanner APIs are deferred, must be fixed before scanner launch. - Same-origin public PDF floor-plan serving should be hardened before broad organiser-upload rollout. - Mobile drawer/focus management has accessibility risks that should be improved before public beta. Useful controls observed: - CSRF route policy exists for state-changing web/API routes. - Webhooks reject unsigned actionable Stripe events. - Checkout completion validates provider reference, amount, currency, and paid status. - Production example disables debug/mock/runtime repair and requires malware scanning. ## UX And Responsive Audit Launch-impact items found: - Mobile event filters need stronger focus management (`inert`, focus restore, Escape behavior). - Event card grid can clip at `320px-360px` because of minimum column size plus clipped overflow. - Mobile basket/bottom-sheet pattern needs focus trap/inert background while open. - Dense reserved seat map touch targets are below ideal 44px; this is a real-device usability risk. - Some console/mobile nav patterns need consistent focus movement/trapping. - Checkout validation errors should use `role=alert`, `aria-invalid`, and field error linkage. Current response: these are documented as remediation items. Do not treat them as fully solved until browser/device testing confirms them. ## Device Compatibility Matrix Must retest on deployment: - 320px phone: public events list, filters, event cards, event booking, basket. - 360/375/390/414/430px phones: login/register, event detail, reserved seat selection, non-reserved tickets, checkout, account wallet. - 768/820px tablets: organiser dashboard, event editor, ticketing, seat-plan builder, admin fee/readiness screens. - 1024px tablet landscape: organiser/admin consoles, tables, sidebars, modals. - 1280/1440/1920 desktop: public browse spacing, event detail/basket columns, organiser/admin data tables, seat maps. ## Role-Based Testing Matrix Public buyer: - Browse events, filter events, view event detail, select reserved seats, buy non-reserved ticket quantities, create checkout draft, attempt invalid/cash payment paths, refresh/interruption. Customer: - Register/login/logout, account profile, tickets/orders, wallet, privacy export/delete, cannot access organiser/admin APIs. Organiser: - Create venue, create seat map, create reserved/non-reserved sections, upload floor-plan/PDF per seat map, create event, attach exact seat map, add event-level ticket prices/quantities/max-order, remove event allocations, preview/publish, Stripe readiness page. Platform organiser: - Switch/access organiser workspaces, manage organiser flows, confirm no platform-admin-only data or APIs are accessible. Platform admin: - Review organiser applications, fee/tax rules, finance/readiness, platform settings, role/permission restrictions, health/deployment checks. Scanner/cashier/event-manager: - Deferred for lite launch. Verify they are blocked or hidden under `APP_LAUNCH_PROFILE=ticket-selling-v1`. ## Checks Run And Results Passed: - `C:\xampp\php\php.exe -l public\index.php` - `C:\xampp\php\php.exe -l public\mvp.php` - `node --check public\assets\js\zavvion-ui.js` - `node --check public\assets\js\organiser-page.js` - `node --check public\assets\js\event-page.js` - `node --check public\assets\js\checkout-page.js` - `C:\xampp\php\php.exe composer.phar validate --strict` - `C:\xampp\php\php.exe vendor\bin\phpunit` -> `732 tests / 2703 assertions` - `C:\xampp\php\php.exe bin\check-frontend-links --base-url=http://localhost/zavvion-events/public` -> `424 checked, 0 issues` - `C:\xampp\php\php.exe bin\check-mvp-smoke --base-url=http://localhost/zavvion-events/public` -> warning only - `C:\xampp\php\php.exe bin\check-local-live-run --base-url=http://localhost/zavvion-events/public` -> warning only - XAMPP served focused regression: `12 tests / 78 assertions` - `http://localhost/zavvion-events/public/organiser/apply?fresh=apply-style-20260526b` -> `200` Failed/blocked as expected: - `C:\xampp\php\php.exe composer.phar audit` failed because this environment routes Packagist to `127.0.0.1:9`; rerun on a normal networked machine/server. - `C:\xampp\php\php.exe bin\check-stripe-readiness` not ready because Stripe keys/webhook/connected account are not configured. - `C:\xampp\php\php.exe bin\check-production-launch` blocked on 5 deployment warnings: production env/debug, cookie secret, QR signing secret, media malware scanner, Stripe webhook/keys. ## Fixes Completed In This Pass - Styled `/organiser/apply` with Zavvion gala shell and panels. - Added `tests/OrganiserApplyPageStyleTest.php`. - Fixed stale organiser seat-map editor copy regression. - Updated frontend link checker to support dynamic `PageController` routes via HTTP when `--base-url` is supplied, and added `/organiser/apply` to HTTP smoke checks. - Hardened production Stripe Connect readiness so browser payload cannot mark accounts ready in production. - Added production hardening regression coverage for Stripe Connect readiness. - Synced changed files into `C:\xampp\htdocs\zavvion-events`. ## Deployment Blockers 1. Create real staging/production `.env` on server. 2. Set `APP_ENV=production`, `APP_DEBUG=false`, `APP_FORCE_HTTPS=true`, strong secrets, `APP_LAUNCH_PROFILE=ticket-selling-v1`, and `MVP_RUNTIME_SCHEMA_REPAIR=false`. 3. Configure Stripe test keys, webhook signing secret, and a connected organiser account. 4. Run one signed Stripe test checkout through webhook and confirm order, tickets, QR token, wallet visibility, ledger and fee/tax rows. 5. Install/configure ClamAV or approved equivalent and set `MEDIA_MALWARE_SCAN_REQUIRED=true`. 6. Ensure PHP GD is active in web runtime, not only CLI. 7. Remove/protect local review/showcase pages from production public web root. 8. Run Composer validate/audit on a networked machine. 9. Repeat manual role/device testing on deployed server. ## Priority Remediation Roadmap Critical before real paid launch: - Server `.env` and secrets. - Stripe signed webhook checkout proof. - Connected organiser account readiness from Stripe sync. - Production launch gate green. - Public review/showcase pages blocked in production. High before public beta: - Mobile filter/basket focus management. - Real-device reserved seat map tap testing. - ClamAV/PDF media hardening. - Full role-by-role manual browser testing on server. Medium: - Playwright browser automation pack. - Scanner audit attribution hardening before scanner launch. - Checkout validation ARIA improvements. - Fee/tax seed coverage for all money breakdowns. Low/post-MVP: - Extract `public/mvp.php` into smaller controllers/use cases. - Add visual regression screenshots. - Improve public media delivery through a controlled media route or CDN. ## Final Go-Live Recommendation - Local demo: **Ready with known warnings.** - Human architect review/handover: **Ready.** - Staging on a server: **Ready to deploy for testing after `.env` and DB setup.** - Public MVP beta: **Conditional**, after deployment blockers and mobile/manual testing. - Real paid events: **Not ready yet**, until Stripe, webhook, ClamAV, production secrets, and deployed end-to-end tests are complete.