env_lock
Environment lock
All production variables are in Vercel, test keys are separated, and secrets are not in code or logs.
Can I show this list without exposing keys?
production launch signoff
Owner tower before the real launch
This internal chamber connects checkout-delivery, persistence, support, rollback, incident log, and the first 30 days. Its job is simple: do not open real money and ads until the owner sees the whole path from payment to support.
owner signoff console
Launch permission panel
This live checklist measures not site beauty, but owner readiness to open real payments, delivery, support, and the first 30 days of watch.
Signoff stages
✓ Environment lock
Can I show this list without exposing keys?
✓ Supabase schema applied
Do tables exist for purchase links, delivery jobs, artifacts, consent, and deletion?
○ Live test order
Is payment proven by webhook, not just the redirect page?
✓ Webhook idempotency
What happens when the Stripe event id repeats?
✓ Delivery verified
Can access be recovered without exposing the private question?
✓ Account archive and recovery
Will the user avoid losing a paid scroll after closing the tab?
✓ Support macros
Does support sound calm and avoid impossible promises?
✓ Refund / recreate
What do we do if AI did not produce an answer but Stripe confirmed payment?
✓ Deletion dry run
Can we complete a deletion request without breaking accounting trail?
○ Monitoring watch
Who sees a failure first and where do they log it?
○ Owner signature
Am I ready to open real traffic and own support?
Risk ledger
No env lock
Verify Vercel Production Environment Variables and redeploy after changes.
Schema not applied
Apply migrations 0010, 0011, and 0012, then verify RLS and indexes.
No live test order
Run a minimal owner live order and record its id in the runbook.
Webhook not source of truth
Unlock only after verified webhook and idempotency claim.
Delivery unproven
Verify delivery job, receipt, recovery, and fallback support.
No recovery
Enable lookup by email, purchase link, reading id, and safe summary.
No support macros
Prepare 6 templates and forbid private data in subject/preview.
Refund/recreate unclear
Write the decision tree and owner-only macros.
schema_applied
Supabase schema applied
Persistence and checkout-delivery migrations are applied, RLS is enabled, and direct anon/authenticated access is closed.
Do tables exist for purchase links, delivery jobs, artifacts, consent, and deletion?
live_test_order
Live test order
One controlled live order passed from product to payment and record without manual repair.
Is payment proven by webhook, not just the redirect page?
webhook_verified
Webhook idempotency
A repeated webhook does not create a second scroll, job, or delivery.
What happens when the Stripe event id repeats?
delivery_verified
Delivery verified
PDF, email, receipt, recovery, and private/public artifact contract are verified on one order.
Can access be recovered without exposing the private question?
archive_recovery
Account archive and recovery
The purchase is visible in account, recovery flow works, and support sees safe summary and lookup fields.
Will the user avoid losing a paid scroll after closing the tab?
support_macros
Support macros
Templates are ready: lost link, email missing, refund, recreate, delete/export, bug report.
Does support sound calm and avoid impossible promises?
refund_recreate
Refund / recreate
There is a decision tree: recreate scroll, refund, escalate, or close without action.
What do we do if AI did not produce an answer but Stripe confirmed payment?
deletion_dry_run
Deletion dry run
Deletion/anonymization of user archive is tested while preserving minimal accounting ledger.
Can we complete a deletion request without breaking accounting trail?
monitoring_watch
Monitoring watch
The first 24-hour watch exists: Stripe, Supabase, OpenAI, Resend, errors, costs, support inbox.
Who sees a failure first and where do they log it?
owner_signature
Owner signature
Owner signed date, build, domain, live-test id, blockers=0, and first 30 days plan.
Am I ready to open real traffic and own support?
stop ledger
What blocks launch
No env lock
Verify Vercel Production Environment Variables and redeploy after changes.
Schema not applied
Apply migrations 0010, 0011, and 0012, then verify RLS and indexes.
No live test order
Run a minimal owner live order and record its id in the runbook.
Webhook not source of truth
Unlock only after verified webhook and idempotency claim.
Delivery unproven
Verify delivery job, receipt, recovery, and fallback support.
Blind launch
Enable a 24-hour watch and incident log.
Private text leak
Public payload must be redacted; full answer only in private artifact/account.
Secrets in logs
Sanitize logs, rotate keys, and forbid process.env output.
Unsafe checkout bypass
Send all such questions to the safe-question clinic before checkout.
No rollback
Record last stable build, env diff, and paid-flow kill switch.
first 30 days
Post-launch rhythm
Day 0-1
First 24 hours
What broke for the first real user?
Day 2-7
First week
What repeated twice and needs a product fix?
Day 8-14
Second week
Where does the site lose trust or clarity?
Day 15-30
First month
What must be hardened before scaling?
support macros
Lost link: verify email/order lookup, resend recovery link, do not expose the full question in email.
Email missing: check delivery job, bounce status, spam guidance, fallback account access.
Paid but no answer: check webhook, purchase link, delivery job, recreate if needed or refund.
Refund: explain decision, refer to policy, do not argue over symbolic content.
Delete/export: verify email/account ownership, scope, timing, accounting exceptions.
Bug report: acknowledge, ask for device/browser/time/order id, never request secrets or card data.
rooms
Launch signoff standardOwner standard: the site is ready only after proven live path, recovery, support, rollback, and monitoring.Owner runbookWhat the owner does on day one, first failure, first refund, and first privacy request.Live test order signoffA minimal owner paid order that proves product → checkout → webhook → delivery → archive.Environment signoffFinal verification of Vercel, Stripe, Supabase, Resend, OpenAI, site URL, and webhook secrets.Incident logOne place for failures: time, symptom, severity, affected order, safe summary, fix, owner note.First support macrosSix templates for first real tickets without excess privacy and without magical outcome promises.Refund / recreate macrosWhat to do if payment passed, answer was not created, email missing, or user is unhappy.Owner dashboard gatesWhat the owner must see: paid orders, delivery jobs, failed webhooks, support reasons, costs.First 24 hours watchFirst-day watch order: checkout, email, errors, support, AI cost, mobile path.First 30 days rhythmPost-launch rhythm: observation, fixes, support insights, costs, conversion, without adding new halls.Ads scale gateWhen ads can start: blockers=0, refund/recreate clear, support can keep up, costs controlled.Post-launch auditControl review after first real users: what to fix, sell, or hide.