diff --git a/docs/production-todo.md b/docs/production-todo.md
new file mode 100644
index 0000000..4be500c
--- /dev/null
+++ b/docs/production-todo.md
@@ -0,0 +1,52 @@
+# Production Todo
+
+Checklist of things to do before going live. Items are roughly in dependency order.
+
+---
+
+## Grav 2.0 upgrade on production
+
+- [ ] Update `make remote-upgrade-grav` to use the direct download method (GPM still reports 1.7.x as latest — see CLAUDE.md §2 for the correct curl + copy steps)
+- [ ] Install Admin2 (`admin2` plugin) on production from the grav-admin bundle
+- [ ] Disable old `admin` plugin on production (`enabled: false` in `user/plugins/admin/admin.yaml`)
+
+## Infrastructure
+
+- [ ] Set `accounts.type: flex` and `pages.type: flex` in production `system.yaml` (required for Admin2)
+- [ ] Ensure production user account has `api.super: true` and `api.access: true`
+- [ ] Verify `session.save_path` is set to a writable path in production PHP config
+- [ ] Confirm JWT secret auto-generates on production (`jwt_secret: ''` in api.yaml is correct — Grav generates one on first run)
+
+## Config
+
+- [ ] Set `twig.cache: true` in `user/config/system.yaml`
+- [ ] Run pre-launch smoke test: submit one post via `/post`, confirm entry appears in `/trips/japan-korea-2026/dailies` immediately (verifies cache-on-save plugin works with Twig cache enabled)
+- [ ] Set `custom_base_url` in `system.yaml` to the production domain (currently set to `http://100.96.115.96:8081`)
+- [ ] Confirm `post-form.md` `pageconfig.parent` matches `active_trip` in `site.yaml`
+
+## Plugins
+
+- [ ] Audit `plugins.txt` — it is manually maintained; verify it includes all plugins currently installed (admin2, api, flex-objects, form, add-page-by-form, cache-on-save, etc.)
+- [ ] Run `make remote-install-plugins` after Grav 2.0 upgrade
+
+## Map tiles
+
+- [ ] Register a Carto account and review terms for production traffic — free tier requires registration for higher-volume usage
+- [ ] Decide whether to stay on CartoDB or switch to a paid provider (Stadia, Mapbox) with an API key
+
+## Content
+
+- [ ] Upload actual GPX route file(s) to the Japan & Korea 2026 trip page media (currently no GPX files — map renders no route)
+- [ ] Set `date_start` on the trip page (`user/pages/01.trips/japan-korea-2026/trip.md`)
+- [ ] Add `cover_image` to the trip page
+
+## Security
+
+- [ ] Change admin password from the dev password to a strong production password
+- [ ] Confirm `/post` form requires login (`access: site.login: true` enforced — unauthenticated users cannot post)
+- [ ] Review `custom_base_url` — ensure it uses HTTPS on production
+
+## Testing
+
+- [ ] Run full test suite (`make test-config && make test-post && make test-ui`) after Grav 2.0 production upgrade
+- [ ] Manual smoke test all pages: `/trips/japan-korea-2026/dailies`, `/trips/japan-korea-2026/map`, `/trips/japan-korea-2026/stats`, `/post`, `/admin`