# Master Public Release Gate 36 - Production Workflow Browser Smoke

Date: 2026-06-17

Status: PASS for the local DB-backed production workflow browser smoke and XAMPP served-copy portal regression.

## Scope

Gate 36 expands the production-mode browser smoke from owner CRUD and role-route checks into customer-facing portal flows and XAMPP base-path correctness. It verifies that a production-mode, demo-disabled app can run high-risk DB-backed workflows in a browser with disposable data and that the XAMPP served copy does not double-prefix customer portal form actions.

This gate does not enable live payment capture, live accounting/calendar/payroll sync, live provider webhooks, hosted background workers, native app-store builds, or hosted-scale load testing.

## What Changed

- Added `composer production-workflow-smoke` for the DB-backed production workflow browser harness.
- Wired the production workflow browser smoke into the release-gate runner as an optional Gate 36 check behind `FIELDOPS_RELEASE_GATE_PRODUCTION_WORKFLOW=1`.
- Extended the production workflow smoke seed data with portal quote/invoice records, subscription plan records, support tenant records, appointments, and import/export persistence tables.
- Extended the production workflow browser smoke to cover:
  - customer portal quote view and approval;
  - customer portal invoice overpayment/email validation;
  - customer portal sandbox invoice payment recording;
  - customer portal booking request recording;
  - DB-backed owner CRUD and payment workflows;
  - import preview, commit, undo, retry-safe state, and Basic-plan export blocking;
  - tenant-isolation negative checks;
  - platform-admin support login-as/return;
  - DB-backed route access matrices for Owner, Manager, Supervisor, Team Member, Trainee, and Platform Admin.
- Fixed XAMPP customer portal form actions so renderer base URL prefixing cannot produce `/FieldOps-Cloud/public/FieldOps-Cloud/public/api/...`.
- Added request/template regression coverage for duplicated XAMPP base-path normalization and portal form action rendering.
- Extended the XAMPP role interaction smoke to click through customer portal quote approval and invoice sandbox payment flows against the served copy.
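
The double-prefix failure and its regression check, sketched as an added example that is not FieldOps code: prefixing is made idempotent, and rendered form actions are scanned for a repeated base path. The function names and the sample portal routes are hypothetical and constructed for illustration; only the `/FieldOps-Cloud/public` base path comes from this page.

```javascript
// Added example, not project code. All function names are hypothetical.

// Normalise a base path to "/a/b" form: one leading slash, no trailing slash.
function normalizeBase(basePath) {
  const trimmed = String(basePath || '').replace(/^\/+|\/+$/g, '');
  return trimmed === '' ? '' : '/' + trimmed;
}

// Prefix an app-relative path with the base path exactly once. Leading copies
// of the base path already present on the input are stripped first, so calling
// this on an already-prefixed URL returns the same URL.
// Assumption: no real app route starts with the base path itself.
function withBasePath(basePath, path) {
  const base = normalizeBase(basePath);
  let rest = '/' + String(path || '').replace(/^\/+/, '');
  if (base === '') return rest;
  // Match only on a segment boundary so "/app" does not eat "/application".
  while (rest === base || rest.startsWith(base + '/')) {
    rest = rest.slice(base.length) || '/';
  }
  return base + rest;
}

// Return every <form action="..."> value in rendered HTML that starts with the
// base path twice in a row, which is the defect described in this gate.
function findDoublePrefixedActions(html, basePath) {
  const base = normalizeBase(basePath);
  if (base === '') return [];
  const actions = [];
  const re = /<form\b[^>]*\baction\s*=\s*(["'])(.*?)\1/gi;
  let m;
  while ((m = re.exec(html)) !== null) actions.push(m[2]);
  return actions.filter((a) => a === base + base || a.startsWith(base + base + '/'));
}

// Constructed sample markup: one broken form action, one correct one.
const BASE = '/FieldOps-Cloud/public';
const SAMPLE_HTML = [
  '<form method="post" action="/FieldOps-Cloud/public/FieldOps-Cloud/public/api/portal/quote/approve">',
  '<form method="post" action="/FieldOps-Cloud/public/api/portal/invoice/pay">',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findDoublePrefixedActions(SAMPLE_HTML, BASE));
}
```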

## Security And Data Rules

- The production smoke creates disposable local runtime data only under `runtime/production-workflow-smoke`.
- Portal quote, invoice, payment, and booking flows continue to use signed portal tokens.
- Quote approval, invoice payment, and booking requests remain tenant-scoped and do not activate live provider side effects.
- Sandbox invoice payments are explicit placeholder records and are not claimed as real payment processing.
- Support access still requires a reason, creates a timed support session, and keeps the return-to-platform-admin path.

## Tests Run

- `C:\xampp\php\php.exe -l src\Infrastructure\Http\Request.php`: PASS.
- `C:\xampp\php\php.exe -l src\Portal\Controller\CustomerPortalController.php`: PASS.
- `C:\xampp\php\php.exe -l templates\portal\view.php`: PASS.
- `C:\xampp\php\php.exe -l tests\run.php`: PASS.
- Bundled Node syntax check for `tools\production-workflow-smoke.cjs`: PASS.
- `C:\composer\composer.bat validate --no-check-publish`: PASS.
- `C:\composer\composer.bat test`: PASS.
- `C:\composer\composer.bat check`: PASS.
- `tools\production-workflow-smoke.cjs` with bundled Node/Playwright and system Chrome: PASS, `failureCount: 0`.
- XAMPP served-copy `C:\composer\composer.bat validate --no-check-publish`: PASS.
- XAMPP served-copy `C:\composer\composer.bat test`: PASS.
- XAMPP served-copy `C:\composer\composer.bat check`: PASS.
- XAMPP served-copy `tools\role-interaction-smoke.cjs` with bundled Node/Playwright and system Chrome: PASS, `failureCount: 0`.

## Remaining Blockers

- Live payment capture remains blocked until a real payment provider, webhook secrets, idempotency evidence, financial reconciliation, and owner approval are available.
- Live accounting, calendar, payroll, SMS/email, and LLM provider sync remains blocked until real sandbox credentials and callback/webhook infrastructure are available.
- Hosted import/report worker proof and hosted-scale load proof still require the final hosting environment.
- Signed Android/iOS native app-store builds, physical-device QA, app-store metadata, and privacy manifest evidence remain blocked until owner tooling/evidence is available.
- Real hosted CI evidence remains required even though the local release-gate runner now has an optional Gate 36 browser check.
