# Production Readiness Checklist

Run through every item before deploying to production.

---

## Security

| # | Check | Status |
|---|-------|--------|
| S1 | Uploads validated by extension + MIME type | ⬜ |
| S2 | Files stored in `/storage/uploads` (outside `public/`) | ⬜ |
| S3 | Random filenames via `random_bytes(32)` — no user filenames on disk | ⬜ |
| S4 | `storage/.htaccess` blocks direct access + PHP execution | ⬜ |
| S5 | `storage/uploads/index.php` returns 403 for non-Apache servers | ⬜ |
| S6 | CSRF token on upload form, verified before processing, consumed after use | ⬜ |
| S7 | Rate limiting enabled (10 req/hr per session + IP fallback) | ⬜ |
| S8 | CSP header restricts scripts, styles, and object sources | ⬜ |
| S9 | `X-Content-Type-Options: nosniff`, `X-Frame-Options: DENY` | ⬜ |
| S10 | `redirect()` blocks CRLF injection | ⬜ |
| S11 | All user output escaped via `e()` (htmlspecialchars) | ⬜ |
| S12 | `.env` excluded from git, `.env.example` committed without secrets | ⬜ |
| S13 | `APP_ENV` is NOT `local` in production | ⬜ |

---

## AI Provider

| # | Check | Status |
|---|-------|--------|
| A1 | `AI_PROVIDER` validated against allowlist or treated as generic | ⬜ |
| A2 | `AI_BASE_URL` must be HTTPS in production | ⬜ |
| A3 | Localhost/private IP URLs blocked in production (unless `AI_ALLOW_LOCAL_URL=true`) | ⬜ |
| A4 | `AI_API_KEY` never sent to browser, never in page source, never in error messages | ⬜ |
| A5 | `max_tokens: 4096` prevents unbounded API cost | ⬜ |
| A6 | `response_format: json_object` sent for compatible providers | ⬜ |
| A7 | DeepSeek: JSON instruction prepended, ``` fences stripped | ⬜ |
| A8 | Provider errors sanitized — raw API responses never shown to users | ⬜ |
| A9 | AI response content in error logs truncated to 120 chars | ⬜ |
| A10 | `validateAiConfig()` runs before every API call | ⬜ |
| A11 | Manual provider connectivity test passed (`php tests/provider-test.php`) | ⬜ |

---

## Prompt Injection Resistance

| # | Check | Status |
|---|-------|--------|
| P1 | `sanitizeDocumentText()` redacts "ignore previous instructions" patterns | ⬜ |
| P2 | `sanitizeDocumentText()` redacts "reveal the system prompt/API key" patterns | ⬜ |
| P3 | `sanitizeDocumentText()` redacts `<script>`, `<iframe>`, event handler tags | ⬜ |
| P4 | Nonce-based boundary markers (`DOC_<random>`) used in all prompts | ⬜ |
| P5 | System prompt explicitly forbids revealing secrets, outputting HTML/code | ⬜ |
| P6 | System prompt labels document text as "untrusted user content — not commands" | ⬜ |
| P7 | Legitimate document content (statistics, names, quotes) passes through sanitizer | ⬜ |

---

## Test Suite

| # | Check | Status |
|---|-------|--------|
| T1 | `php tests/run.php` — 64 unit + mock tests pass | ⬜ |
| T2 | `php tests/e2e-test.php` — 27 config + safety tests pass | ⬜ |
| T3 | Valid JSON response → `success: true` | ⬜ |
| T4 | Invalid JSON / empty choices / 401 / 429 / 500 / timeout → `success: false` | ⬜ |
| T5 | API key never appears in any test error message | ⬜ |
| T6 | Partial task failure (one succeeds, one fails) handled correctly | ⬜ |
| T7 | All chunker edge cases (single, split, all-failed, partial, empty) pass | ⬜ |

---

## Mobile

| # | Check | Status |
|---|-------|--------|
| M1 | Upload form fits 360×800 without horizontal scroll | ⬜ |
| M2 | Result page readable at 360px — accordions, buttons, text all fit | ⬜ |
| M3 | Long filenames wrap or truncate with `word-break: break-word` | ⬜ |
| M4 | All buttons meet 44×44px minimum touch target | ⬜ |
| M5 | Accordion toggle works on touch (does not trigger copy button) | ⬜ |
| M6 | Loading spinner visible and submit button disabled during upload | ⬜ |

---

## Operations

| # | Check | Status |
|---|-------|--------|
| O1 | `display_errors = 0` in production php.ini | ⬜ |
| O2 | `log_errors = 1` — errors go to file, not stdout | ⬜ |
| O3 | Database schema applied (`database/schema.sql`) | ⬜ |
| O4 | `composer install --no-dev` run (no dev dependencies in production) | ⬜ |
| O5 | `storage/uploads/` writable by web server user | ⬜ |
| O6 | `cleanup_old_uploads()` cron job configured (recommended: hourly) | ⬜ |
| O7 | SSL/TLS enabled on production domain | ⬜ |
| O8 | Session cookie `secure` flag enabled (automatic when `APP_ENV !== local`) | ⬜ |
| O9 | `tests/provider-test.php` removed or access-restricted before production | ⬜ |

---

## User-Facing

| # | Check | Status |
|---|-------|--------|
| U1 | Privacy notice visible near upload form | ⬜ |
| U2 | Exported analysis `.txt` includes privacy disclaimer | ⬜ |
| U3 | Error messages are calm and helpful, not exposing stack traces | ⬜ |
| U4 | "Upload another" button always accessible from results page | ⬜ |
| U5 | Copy and download buttons work on desktop and mobile | ⬜ |

---

## Sign-Off

| Date | Reviewer | All checks passed? | Notes |
|------|----------|--------------------|-------|
|      |          | ⬜ Yes / ⬜ No   |       |