# Furt API-Gateway Production Deployment Checklist

## Security Configuration

### API Keys

- [ ] Generate secure API keys (32+ characters)
- [ ] Set HUGO_API_KEY in .env.production
- [ ] Set ADMIN_API_KEY in .env.production
- [ ] Remove/change all development keys
- [ ] Verify API key permissions in config/server.lua

### CORS Configuration

- [ ] Set production domains in CORS_ALLOWED_ORIGINS
- [ ] Remove localhost/development origins
- [ ] Test CORS with production domains

### Endpoints

- [ ] Disable test endpoint (ENABLE_TEST_ENDPOINT=false)
- [ ] Remove any debug endpoints
- [ ] Verify only required endpoints are exposed

## SMTP Configuration

- [ ] Configure production SMTP server
- [ ] Test SMTP authentication
- [ ] Set proper FROM and TO addresses
- [ ] Verify mail delivery works
- [ ] Test mail sending with rate limits

## Server Configuration

### Environment

- [ ] Copy .env.production to .env
- [ ] Set GATEWAY_HOST (127.0.0.1 for internal)
- [ ] Set GATEWAY_PORT (8080 default)
- [ ] Set LOG_LEVEL to "warn" or "error"

### Performance

- [ ] Verify rate limits are appropriate
- [ ] Test concurrent load handling
- [ ] Monitor memory usage under load
- [ ] Test restart behavior

## Security Testing

### Authentication

- [ ] Test invalid API keys return 401
- [ ] Test missing API keys return 401
- [ ] Test permission system works correctly
- [ ] Test IP restrictions (if configured)

### Rate Limiting

- [ ] Test rate limits trigger at correct thresholds
- [ ] Test 429 responses are returned
- [ ] Test rate limit headers are present
- [ ] Test rate limit cleanup works

## Deployment

### File Permissions

- [ ] Lua files readable by server user
- [ ] .env file protected (600 permissions)
- [ ] Log directory writable
- [ ] No world-readable sensitive files

### Process Management

- [ ] Configure systemd service (if applicable)
- [ ] Test automatic restart on failure
- [ ] Configure log rotation
- [ ] Set up monitoring/health checks

### Reverse Proxy (if applicable)

- [ ] Configure nginx/apache reverse proxy
- [ ] Set up SSL termination
- [ ] Configure rate limiting at proxy level
- [ ] Test proxy → furt communication

## Monitoring

### Health Checks

- [ ] /health endpoint responds correctly
- [ ] Set up external monitoring (e.g., Uptime Kuma)
- [ ] Configure alerting for service down
- [ ] Test health check under load

### Logging

- [ ] Configure appropriate log level
- [ ] Set up log rotation
- [ ] Monitor log file sizes
- [ ] Review error patterns

### Metrics

- [ ] Monitor request rates
- [ ] Monitor response times
- [ ] Monitor memory usage
- [ ] Monitor SMTP connection health

## Integration Testing

### Hugo Integration

- [ ] Test contact forms submit successfully
- [ ] Test error handling displays correctly
- [ ] Test rate limiting shows user-friendly messages
- [ ] Test CORS works with production domains

### Mail Delivery

- [ ] Send test emails through all forms
- [ ] Verify emails arrive correctly formatted
- [ ] Test email content encoding
- [ ] Test attachment handling (if applicable)

## Documentation

- [ ] Document API endpoints for other developers
- [ ] Document configuration options
- [ ] Document troubleshooting procedures
- [ ] Document backup/restore procedures

## Backup & Recovery

- [ ] Document configuration files to backup
- [ ] Test service restart procedures
- [ ] Document rollback procedures
- [ ] Test recovery from configuration errors

## Final Verification

- [ ] All API endpoints respond correctly
- [ ] All security measures tested
- [ ] Performance meets requirements
- [ ] Monitoring and alerting configured
- [ ] Documentation complete
- [ ] Team trained on operations

---

**Last Updated:** $(date +%Y-%m-%d)

**Deployed By:** _______________

**Deployment Date:** _______________
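
The `.env` items under Security Configuration, Environment and File Permissions can be checked by script before each deployment. The following is an added example, not part of the Furt project; it assumes the `.env` file holds plain `KEY=value` lines, and `env_get` and `check_env` are names chosen here.

```shell
#!/bin/sh
# Added example: audit a Furt .env file against the checklist before deployment.
# Assumption: the file holds plain KEY=value lines, optionally double-quoted.

# env_get FILE KEY: print the value of the last KEY= line, quotes stripped
env_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/^"//' -e 's/"$//'
}

# check_env FILE: print one FAIL line per finding, return 0 only when clean
check_env() {
    f=$1
    fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }

    # ".env file protected (600 permissions)"; GNU stat first, then BSD stat
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ] || fail "$f has mode $mode, expected 600"

    # API keys set and at least 32 characters long
    for k in HUGO_API_KEY ADMIN_API_KEY; do
        v=$(env_get "$f" "$k")
        [ "${#v}" -ge 32 ] || fail "$k has ${#v} characters, expected 32+"
    done

    # Production origins only: no localhost or loopback entries
    case "$(env_get "$f" CORS_ALLOWED_ORIGINS)" in
        '') fail "CORS_ALLOWED_ORIGINS is empty" ;;
        *localhost*|*127.0.0.1*) fail "CORS_ALLOWED_ORIGINS has a development origin" ;;
    esac

    # Test endpoint disabled
    [ "$(env_get "$f" ENABLE_TEST_ENDPOINT)" = "false" ] ||
        fail "ENABLE_TEST_ENDPOINT is not false"

    # LOG_LEVEL set to warn or error
    case "$(env_get "$f" LOG_LEVEL)" in
        warn|error) ;;
        *) fail "LOG_LEVEL is not warn or error" ;;
    esac

    [ "$fails" -eq 0 ]
}

# Run as: sh check_env.sh /path/to/.env
if [ $# -gt 0 ]; then check_env "$1"; fi
```

The script exits non-zero when any check fails, so it can gate a deployment step.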