furt/docs/production_checklist.md

# Furt API-Gateway Production Deployment Checklist

## 🔐 Security Configuration

### API Keys
- [ ] Generate secure API keys (32+ characters)
- [ ] Set HUGO_API_KEY in .env.production
- [ ] Set ADMIN_API_KEY in .env.production
- [ ] Remove/change all development keys
- [ ] Verify API key permissions in config/server.lua

### CORS Configuration
- [ ] Set production domains in CORS_ALLOWED_ORIGINS
- [ ] Remove localhost/development origins
- [ ] Test CORS with production domains

### Endpoints
- [ ] Disable test endpoint (ENABLE_TEST_ENDPOINT=false)
- [ ] Remove any debug endpoints
- [ ] Verify only required endpoints are exposed

## 📧 SMTP Configuration

- [ ] Configure production SMTP server
- [ ] Test SMTP authentication
- [ ] Set proper FROM and TO addresses
- [ ] Verify mail delivery works
- [ ] Test mail sending with rate limits

## 🔧 Server Configuration

### Environment
- [ ] Copy .env.production to .env
- [ ] Set GATEWAY_HOST (127.0.0.1 for internal)
- [ ] Set GATEWAY_PORT (8080 default)
- [ ] Set LOG_LEVEL to "warn" or "error"

### Performance
- [ ] Verify rate limits are appropriate
- [ ] Test concurrent load handling
- [ ] Monitor memory usage under load
- [ ] Test restart behavior

## 🛡️ Security Testing

### Authentication
- [ ] Test invalid API keys return 401
- [ ] Test missing API keys return 401
- [ ] Test permission system works correctly
- [ ] Test IP restrictions (if configured)

### Rate Limiting
- [ ] Test rate limits trigger at correct thresholds
- [ ] Test 429 responses are returned
- [ ] Test rate limit headers are present
- [ ] Test rate limit cleanup works

## 🚀 Deployment

### File Permissions
- [ ] Lua files readable by server user
- [ ] .env file protected (600 permissions)
- [ ] Log directory writable
- [ ] No world-readable sensitive files

### Process Management
- [ ] Configure systemd service (if applicable)
- [ ] Test automatic restart on failure
- [ ] Configure log rotation
- [ ] Set up monitoring/health checks

### Reverse Proxy (if applicable)
- [ ] Configure nginx/apache reverse proxy
- [ ] Set up SSL termination
- [ ] Configure rate limiting at proxy level
- [ ] Test proxy → furt communication

## 📊 Monitoring

### Health Checks
- [ ] /health endpoint responds correctly
- [ ] Set up external monitoring (e.g., Uptime Kuma)
- [ ] Configure alerting for service down
- [ ] Test health check under load

### Logging
- [ ] Configure appropriate log level
- [ ] Set up log rotation
- [ ] Monitor log file sizes
- [ ] Review error patterns

### Metrics
- [ ] Monitor request rates
- [ ] Monitor response times
- [ ] Monitor memory usage
- [ ] Monitor SMTP connection health

## 🧪 Integration Testing

### Hugo Integration
- [ ] Test contact forms submit successfully
- [ ] Test error handling displays correctly
- [ ] Test rate limiting shows user-friendly messages
- [ ] Test CORS works with production domains

### Mail Delivery
- [ ] Send test emails through all forms
- [ ] Verify emails arrive correctly formatted
- [ ] Test email content encoding
- [ ] Test attachment handling (if applicable)

## 📝 Documentation

- [ ] Document API endpoints for other developers
- [ ] Document configuration options
- [ ] Document troubleshooting procedures
- [ ] Document backup/restore procedures

## 🔄 Backup & Recovery

- [ ] Document configuration files to backup
- [ ] Test service restart procedures
- [ ] Document rollback procedures
- [ ] Test recovery from configuration errors

## ✅ Final Verification

- [ ] All API endpoints respond correctly
- [ ] All security measures tested
- [ ] Performance meets requirements
- [ ] Monitoring and alerting configured
- [ ] Documentation complete
- [ ] Team trained on operations

---

**Last Updated:** $(date +%Y-%m-%d)  
**Deployed By:** _______________  
**Deployment Date:** _______________
feat(auth): implement complete API-key authentication with modular architecture (#47) - Add comprehensive API-key authentication system with X-API-Key header validation - Implement permission-based access control (mail:send, * for admin) - Add rate-limiting system (60 req/hour per API key, 100 req/hour per IP) - Refactor monolithic 590-line main.lua into 6 modular components (<200 lines each) - Add IP-restriction support with CIDR notation (127.0.0.1, 10.0.0.0/8) - Implement Hugo integration with CORS support for localhost:1313 - Add production-ready configuration with environment variable support - Create comprehensive testing suite (auth, rate-limiting, stress tests) - Add production deployment checklist and cleanup scripts This refactoring transforms the API gateway from a single-file monolith into a biocodie-compliant modular architecture while adding enterprise-grade security features. Performance testing shows 79 RPS concurrent throughput with <100ms latency. Hugo contact form integration tested and working. System is now production-ready for deployment to walter/aitvaras. Resolves #47 2025-06-24 22:01:38 +02:00			`# Furt API-Gateway Production Deployment Checklist`

			`## 🔐 Security Configuration`

			`### API Keys`
			`- [ ] Generate secure API keys (32+ characters)`
			`- [ ] Set HUGO_API_KEY in .env.production`
			`- [ ] Set ADMIN_API_KEY in .env.production`
			`- [ ] Remove/change all development keys`
			`- [ ] Verify API key permissions in config/server.lua`

			`### CORS Configuration`
			`- [ ] Set production domains in CORS_ALLOWED_ORIGINS`
			`- [ ] Remove localhost/development origins`
			`- [ ] Test CORS with production domains`

			`### Endpoints`
			`- [ ] Disable test endpoint (ENABLE_TEST_ENDPOINT=false)`
			`- [ ] Remove any debug endpoints`
			`- [ ] Verify only required endpoints are exposed`

			`## 📧 SMTP Configuration`

			`- [ ] Configure production SMTP server`
			`- [ ] Test SMTP authentication`
			`- [ ] Set proper FROM and TO addresses`
			`- [ ] Verify mail delivery works`
			`- [ ] Test mail sending with rate limits`

			`## 🔧 Server Configuration`

			`### Environment`
			`- [ ] Copy .env.production to .env`
			`- [ ] Set GATEWAY_HOST (127.0.0.1 for internal)`
			`- [ ] Set GATEWAY_PORT (8080 default)`
			`- [ ] Set LOG_LEVEL to "warn" or "error"`

			`### Performance`
			`- [ ] Verify rate limits are appropriate`
			`- [ ] Test concurrent load handling`
			`- [ ] Monitor memory usage under load`
			`- [ ] Test restart behavior`

			`## 🛡️ Security Testing`

			`### Authentication`
			`- [ ] Test invalid API keys return 401`
			`- [ ] Test missing API keys return 401`
			`- [ ] Test permission system works correctly`
			`- [ ] Test IP restrictions (if configured)`

			`### Rate Limiting`
			`- [ ] Test rate limits trigger at correct thresholds`
			`- [ ] Test 429 responses are returned`
			`- [ ] Test rate limit headers are present`
			`- [ ] Test rate limit cleanup works`

			`## 🚀 Deployment`

			`### File Permissions`
			`- [ ] Lua files readable by server user`
			`- [ ] .env file protected (600 permissions)`
			`- [ ] Log directory writable`
			`- [ ] No world-readable sensitive files`

			`### Process Management`
			`- [ ] Configure systemd service (if applicable)`
			`- [ ] Test automatic restart on failure`
			`- [ ] Configure log rotation`
			`- [ ] Set up monitoring/health checks`

			`### Reverse Proxy (if applicable)`
			`- [ ] Configure nginx/apache reverse proxy`
			`- [ ] Set up SSL termination`
			`- [ ] Configure rate limiting at proxy level`
			`- [ ] Test proxy → furt communication`

			`## 📊 Monitoring`

			`### Health Checks`
			`- [ ] /health endpoint responds correctly`
			`- [ ] Set up external monitoring (e.g., Uptime Kuma)`
			`- [ ] Configure alerting for service down`
			`- [ ] Test health check under load`

			`### Logging`
			`- [ ] Configure appropriate log level`
			`- [ ] Set up log rotation`
			`- [ ] Monitor log file sizes`
			`- [ ] Review error patterns`

			`### Metrics`
			`- [ ] Monitor request rates`
			`- [ ] Monitor response times`
			`- [ ] Monitor memory usage`
			`- [ ] Monitor SMTP connection health`

			`## 🧪 Integration Testing`

			`### Hugo Integration`
			`- [ ] Test contact forms submit successfully`
			`- [ ] Test error handling displays correctly`
			`- [ ] Test rate limiting shows user-friendly messages`
			`- [ ] Test CORS works with production domains`

			`### Mail Delivery`
			`- [ ] Send test emails through all forms`
			`- [ ] Verify emails arrive correctly formatted`
			`- [ ] Test email content encoding`
			`- [ ] Test attachment handling (if applicable)`

			`## 📝 Documentation`

			`- [ ] Document API endpoints for other developers`
			`- [ ] Document configuration options`
			`- [ ] Document troubleshooting procedures`
			`- [ ] Document backup/restore procedures`

			`## 🔄 Backup & Recovery`

			`- [ ] Document configuration files to backup`
			`- [ ] Test service restart procedures`
			`- [ ] Document rollback procedures`
			`- [ ] Test recovery from configuration errors`

			`## ✅ Final Verification`

			`- [ ] All API endpoints respond correctly`
			`- [ ] All security measures tested`
			`- [ ] Performance meets requirements`
			`- [ ] Monitoring and alerting configured`
			`- [ ] Documentation complete`
			`- [ ] Team trained on operations`

			`---`

			`Last Updated: $(date +%Y-%m-%d)`
			`Deployed By: _______________`
			`Deployment Date: _______________`