# FieldOps Cloud Release Checklist

## Web SaaS

- Confirm production domain, HTTPS, HSTS, cookies, and public `public/` document root.
- Populate Gate 7 deployment variables: `FIELDOPS_PUBLIC_URL`, `FIELDOPS_TRUSTED_PROXIES`, `FIELDOPS_LOG_DIR`, `FIELDOPS_LOG_RETENTION_DAYS`, `FIELDOPS_BACKUP_VERIFIED_AT`, `FIELDOPS_RESTORE_DRILL_VERIFIED_AT`, `FIELDOPS_UPTIME_MONITOR_URL`, alert target, release versions, rollback runbook URL, and `FIELDOPS_CI_RELEASE_GATE=1`.
- Open `/platform-admin/health` and confirm the Deployment hardening table is `Ready` before public launch.
- Keep `APP_DEBUG=0`, `DEMO_ENABLED=0`, and a unique high-entropy `APP_SECRET` in production.
- Run `composer install --no-interaction --no-progress`, `composer validate --no-check-publish`, `composer audit`, `composer test`, and `composer check`.
- Run `composer http-route-harness` and attach `docs/HTTP_ROUTE_HARNESS_REPORT.md` when validating route/security-contract changes.
- Run `composer form-flow-harness` and attach `docs/FORM_FLOW_HARNESS_REPORT.md` when validating controller/form side-effect changes.
- Run `composer release-gate` and attach `docs/RELEASE_GATE_REPORT.md` to the release record.
- Run `composer mysql-isolation-smoke` against a disposable MySQL database, or set `FIELDOPS_RELEASE_GATE_MYSQL=1` before `composer release-gate`, and attach `docs/MYSQL_TENANT_ISOLATION_SMOKE_REPORT.md`.
- Run `composer mysql-volume-profile` against a disposable MySQL database, or set `FIELDOPS_RELEASE_GATE_MYSQL=1` before `composer release-gate`, and attach `docs/MYSQL_VOLUME_PROFILE_REPORT.md`.
- Run `php tools\qa-inventory.php` and confirm `docs/QA_ROUTE_ACTION_INVENTORY.md` has zero findings.
- Run the XAMPP browser smoke command in `docs/COMMANDS.md`; confirm public, tenant-owner, and platform-admin scenarios pass on mobile, tablet, and desktop.
- Run the XAMPP role/RBAC browser walkthrough in `docs/COMMANDS.md`; confirm allowed routes, forbidden 403 routes, sidebar visibility, and support login-as return flow pass.
- Confirm tenant isolation, RBAC, CSRF, audit logging, import validation, accounting/calendar sandbox settings, and offline sync validation.
- Review `docs/PRODUCTION_READINESS_QA_REPORT.md` and close all production-blocking gates before launch.
- Review `docs/ROLLBACK_RUNBOOK.md` and confirm current/previous release versions are recorded before launch.

## Mobile App Store Readiness

- Confirm final app name, icon, bundle ID/application ID, support URL, privacy policy URL, terms URL, and account deletion URL.
- Replace placeholder hosted URL `https://app.fieldops.cloud` if the production URL is different.
- Run `composer mobile-readiness` and confirm the report has zero failures before native release work proceeds.
- Run `npm install`, `npm run mobile:add:android`, `npm run mobile:add:ios`, and `npm run mobile:sync` after native tooling is available.
- Configure Android signing in Android Studio without committing keystores or passwords.
- Configure iOS signing, provisioning profiles, privacy manifest, and App Store Connect metadata in Xcode/App Store Connect.
- Capture store screenshots for phone and tablet sizes.
- Test login, tenant switching, job detail, offline technician queue, sync recovery, quote/invoice portal links, support, privacy, terms, and account deletion request pages on physical Android and iOS devices.

## Public Legal and Support URLs

- Privacy policy: `/privacy`
- Terms of service: `/terms`
- Support: `/support`
- Account deletion request: `/account/delete-request`

## Owner Confirmation Required

- Legal entity name and address.
- Production support email/ticketing system.
- Privacy processor/subprocessor list.
- Retention periods.
- Production app URL.
- App store developer accounts and signing assets.