# Production Todo Checklist of things to do before going live. Items are roughly in dependency order. --- ## Grav 2.0 upgrade on production - [ ] Update `make remote-upgrade-grav` to use the direct download method (GPM still reports 1.7.x as latest — see CLAUDE.md §2 for the correct curl + copy steps) - [ ] Install Admin2 (`admin2` plugin) on production from the grav-admin bundle - [ ] Disable old `admin` plugin on production (`enabled: false` in `user/plugins/admin/admin.yaml`) ## Infrastructure - [ ] Set `accounts.type: flex` and `pages.type: flex` in production `system.yaml` (required for Admin2) - [ ] Ensure production user account has `api.super: true` and `api.access: true` - [ ] Verify `session.save_path` is set to a writable path in production PHP config - [ ] Confirm JWT secret auto-generates on production (`jwt_secret: ''` in api.yaml is correct — Grav generates one on first run) ## Config - [ ] Set `twig.cache: true` in `user/config/system.yaml` - [ ] Run pre-launch smoke test: submit one post via `/post`, confirm entry appears in `/trips/japan-korea-2026/dailies` immediately (verifies cache-on-save plugin works with Twig cache enabled) - [ ] Set `custom_base_url` in `system.yaml` to the production domain (currently set to `http://100.96.115.96:8081`) - [ ] Confirm `post-form.md` `pageconfig.parent` matches `active_trip` in `site.yaml` ## Plugins - [ ] Audit `plugins.txt` — it is manually maintained; verify it includes all plugins currently installed (admin2, api, flex-objects, form, add-page-by-form, cache-on-save, etc.) - [ ] Run `make remote-install-plugins` after Grav 2.0 upgrade ## Map tiles - [ ] Register a Carto account and review terms for production traffic — free tier requires registration for higher-volume usage - [ ] Decide whether to stay on CartoDB or switch to a paid provider (Stadia, Mapbox) with an API key ## Content - [ ] Upload actual GPX route file(s) to the Japan & Korea 2026 trip page media (currently no GPX files — map renders no route) - [ ] Set `date_start` on the trip page (`user/pages/01.trips/japan-korea-2026/trip.md`) - [ ] Add `cover_image` to the trip page ## Security - [ ] Change admin password from the dev password to a strong production password - [ ] Confirm `/post` form requires login (`access: site.login: true` enforced — unauthenticated users cannot post) - [ ] Review `custom_base_url` — ensure it uses HTTPS on production ## Testing - [ ] Run full test suite (`make test-config && make test-post && make test-ui`) after Grav 2.0 production upgrade - [ ] Manual smoke test all pages: `/trips/japan-korea-2026/dailies`, `/trips/japan-korea-2026/map`, `/trips/japan-korea-2026/stats`, `/post`, `/admin`