Qubictry Docs

Production readiness checklist

Operational checklist for moving Qubictry from demo state into live production use.

# Production Readiness Checklist

The current build ships with mock data + local walkthroughs. Use this checklist to graduate the project from demo mode to production.

## 1. Infrastructure & Environment
- [ ] Provision managed PostgreSQL (e.g., Neon, RDS, Supabase) and set `DATABASE_URL` in `.env`.
- [ ] Generate a secure `NEXTAUTH_SECRET` and configure at least one NextAuth provider (email magic link, OAuth, etc.).
- [ ] Store secrets in your deployment platform (Vercel/Render/Docker Swarm) and never commit `.env`.

## 2. Authentication & RBAC
- [ ] Replace the mock `getSession()` helper in `lib/auth.ts` with NextAuth session checks.
- [ ] Gate internal routes (`/dashboards`, `/leaderboard`, `/contact` submissions) behind role-based middleware (ADMIN/TRUST_OPS).
- [ ] Add session-aware UI states (e.g., show login vs. admin tools).

## 3. Data sources
- [ ] Replace static JSON (`data/guild-members.ts`, `data/site.ts`, `app/dashboards/page.tsx` metrics) with Prisma queries or API fetches.
- [ ] Build CRUD flows for Guild members, Jobs, protected payment, and reviews using `/api` routes backed by Prisma models.
- [ ] Add pagination/search endpoints so Directory + Leaderboard can query real datasets.

## 4. Payments & Webhooks
- [ ] Set real `PAYSTACK_SECRET_KEY` / `FLUTTERWAVE_SECRET_KEY` and verify that the signature handling in `/api/webhooks/payments` rejects requests with a missing or mismatched signature.
- [ ] Integrate capture/release flows (`lib/payments.ts`) with provider SDKs and persist ledger rows.
- [ ] Configure Qubicweb fraud sync URL + token, and enable retry/backoff for outbound webhook posting.

## 5. Q-Verity & Integrations
- [ ] Connect `QVERITY_API_BASE` to the actual QR service and hydrate scan events via API.
- [ ] Wire leaderboard/Curator incentives to live Curator + Review data instead of fixtures.

## 6. Security & Observability
- [ ] Add rate limits per route (the current helper is in-memory, so it resets per instance; replace it with Redis/Upstash for distributed deployments).
- [ ] Implement logging/monitoring (OpenTelemetry, Datadog, etc.) for API + webhook routes.
- [ ] Enforce HTTPS/CSRF protections and sanitize user input before persisting.

## 7. Testing & CI/CD
- [ ] Expand Vitest coverage to include Prisma-backed integration tests (guard them with `describe.skipIf(!process.env.DATABASE_URL)(...)` so they are skipped where no database is configured).
- [ ] Configure GitHub Actions (or similar) to run `npm run lint`, `npm run test`, and `npm run db:generate` on PRs.
- [ ] Add end-to-end smoke tests (Playwright/Cypress) for key flows: onboarding, trust dashboard, payments webhook.

## 8. Deployment
- [ ] Package the app with your hosting provider (Vercel, Docker, etc.).
- [ ] Apply DB migrations (`npm run db:migrate`) during deploys; follow with `npm run db:seed` only in staging.
- [ ] Set up blue/green or canary releases for safer rollouts.

Once these boxes are checked, the application will run on real data with full auth, payments, and observability—ready for production workloads.