# Public Launch Checklist

## A) Infrastructure Baseline

- [ ] Domain DNS points to public IP.
- [ ] Router forwards only `80` and `443`.
- [ ] Host firewall denies all inbound except `80/443` and restricted `22`.
- [ ] `SSH_ALLOW_CIDR` policy validated.
- [ ] Postgres port `5432` is not public.

## B) App and Deployment

- [ ] Dokploy project connected to Gitea repo.
- [ ] Secrets configured:
  - [ ] `DATABASE_URL`
  - [ ] `DATABASE_SSL`
  - [ ] `ALLOWED_DB_NAMES`
  - [ ] `SESSION_COOKIE_NAME`
  - [ ] `SESSION_TTL_DAYS`
  - [ ] `DEBUG_API=0`
  - [ ] `DOKPLOY_DEPLOY_HOOK`
  - [ ] `DOKPLOY_HEALTHCHECK_URL`
- [ ] Deploy workflow passes build/test/push/deploy.
- [ ] Post-deploy health gate passes (`scripts/wait-for-health.sh`).
- [ ] Manual smoke passes (`scripts/smoke-public-launch.sh`).

## C) Security Controls

- [ ] Nginx TLS/headers/rate limits enabled (`docker/nginx/fiddy.conf`).
- [ ] Request-id propagation enabled (`X-Request-Id` in responses).
- [ ] Server-side rate limits active (auth/write/ip limiters).
- [ ] Fail2ban or CrowdSec configured from `docker/security/`.
- [ ] No secrets/full invite codes in logs.

## D) Observability

- [ ] Loki, Promtail, Grafana, Uptime Kuma running.
- [ ] Promtail ingests `job="nginx"`.
- [ ] Dashboards show request IDs for incident triage.
- [ ] Alerts configured for 5xx/auth spikes/DB failures/resource pressure.

## E) Backup and Recovery

- [ ] Daily logical backup scheduled (`scripts/backup-postgres.sh`).
- [ ] Periodic base backup scheduled (`scripts/basebackup-postgres.sh`).
- [ ] Latest restore drill succeeded (`scripts/restore-drill-postgres.sh`).
- [ ] Drill logged (`scripts/log-restore-drill.sh` -> `docs/restore-drill-log.csv`).
- [ ] Measured RTO is acceptable.

## F) Rollback Readiness

- [ ] Previous stable release retained in Dokploy.
- [ ] Rollback runbook tested once in staging or low-risk window.
- [ ] Rollback smoke check verified.