# Production readiness — VEGA77 CS Agent

> Hosted copy for `docs.ikon168.com`. Canonical path in the project: `docs/operations/PRODUCTION-READINESS.md`.

Use this checklist before treating the deployment as **production** (public users, compliance expectations, or SLAs).

---

## 1. DNS and TLS

| # | Item | Notes |
|---|------|-------|
| 1.1 | **Hostname resolves** | `DOMAIN` in `config/.env` must **exactly match** a name in public DNS (e.g. `agent.ikon168.com`, or the apex `ikon168.com` if only the root A record exists). Caddy requests a certificate for exactly that name. |
| 1.2 | **A/CNAME records** | Point to the current VM **public IPv4**; reserve a **static external IP** on GCP if the instance must survive rebuilds without DNS updates. |
| 1.3 | **Ports 80 + 443** | Open on the cloud firewall for Let’s Encrypt (HTTP-01) and HTTPS traffic. Port 80 must be reachable from the whole internet, not just from known IPs: the HTTP-01 validation request comes from Let’s Encrypt’s own servers. |
| 1.4 | **Production stack** | `deploy/docker-compose.production.yml` + Caddy; `./scripts/compose_production.sh` (uses `config/.env`). |
| 1.5 | **Certificate** | After DNS propagates, Caddy obtains Let’s Encrypt certs automatically; failures usually mean wrong DNS or a blocked port 80. The Caddy container logs show the ACME error. |

---

## 2. Secrets and configuration

| # | Item | Notes |
|---|------|-------|
| 2.1 | **`config/.env` on the server** | Not committed to git; contains API keys, Telegram tokens and the LiveChat PAT. Restrict file permissions on the host (`chmod 600` recommended). |
| 2.2 | **Docker builds** | `.dockerignore` excludes `config/.env` so secrets are not copied into image layers. The runtime still reads `env_file: config/.env` from the host. Note that `env_file` places the values in the container environment, so anyone who can reach the Docker socket can read them with `docker inspect`; treat socket access as root-equivalent. |
| 2.3 | **`DASHBOARD_PASSWORD`** | Set for public URLs so the demo UI and JSON API require HTTP Basic Auth; `/health` remains unauthenticated for probes. Basic Auth sends the password in cleartext (base64 only), so it is safe only behind the Caddy HTTPS endpoint, not on raw `:8080`. |
| 2.4 | **`DOMAIN`** | Required by the Caddy production compose. |

---

## 3. Network exposure

| # | Item | Notes |
|---|------|-------|
| 3.1 | **Prefer 443 only** | With Caddy in front, users connect over **HTTPS**. Publish only the HTTPS URL; do not hand out the raw **:8080** port in production. |
| 3.2 | **Restrict 8080** | Once TLS is live, bind the dev port to loopback (`127.0.0.1:8080:8080`) or drop the `8080:8080` mapping in `deploy/docker-compose.yml`, and do not open 8080 on the cloud firewall. Ports published by Docker bypass host-level firewalls such as ufw, so the cloud firewall or a loopback bind is the control that actually holds. |
| 3.3 | **GCP firewall example** | Create a rule allowing `tcp:80,tcp:443` to the VM’s network tag or service account scope; keep SSH (22) restricted to known source IPs if possible. |

---

## 4. Application health

| # | Item | Notes |
|---|------|-------|
| 4.1 | **Health endpoint** | `GET /health` → `{"status":"ok"}`; use it for uptime checks. |
| 4.2 | **Smoke script** | `./scripts/verify_production.sh https://your.hostname` (optional). |
| 4.3 | **Logs** | `docker compose -f deploy/docker-compose.yml logs -f` (for the production stack, pass the same `--env-file` / `-f` flags used to start it; see section 8) or the `logs/` volume; monitor for repeated errors. |

---

## 5. Integrations

| # | Item | Notes |
|---|------|-------|
| 5.1 | **LiveChat** | PAT and account ID valid; widget configured for the production site. |
| 5.2 | **Telegram** | Bot added to the groups and able to post; if messages are dropped, promote the bot to group admin. |
| 5.3 | **Gemini API** | Quota and billing appropriate for expected traffic. |

---

## 6. Data and backups

| # | Item | Notes |
|---|------|-------|
| 6.1 | **Volumes** | `./data` on the host holds SQLite + Chroma; back up before upgrades. Stop the stack before copying so the SQLite file and the Chroma directory are not captured mid-write. |
| 6.2 | **Restore** | Document how to restore `data/` and redeploy the same image tag that produced the backup. |

---

## 7. Testing before sign-off

| # | Item | Notes |
|---|------|-------|
| 7.1 | **Automated** | In the source tree: `./scripts/run_tests.sh`; all tests green. |
| 7.2 | **Manual QA** | In the source tree: **`docs/operations/TEST-CASES-CHECKLIST.md`** (not hosted on `docs.ikon168.com`). |

---

## 8. Rollback

- Stop production compose: `docker compose --env-file config/.env -f deploy/docker-compose.production.yml down`
- Start dev compose on 8080 if needed: `docker compose -f deploy/docker-compose.yml up -d` (plain HTTP; Basic Auth credentials then travel unencrypted, so keep this fallback short-lived and do not publish the URL)
- **Kill switch** via Telegram or `POST /killswitch` to pause the AI without tearing down containers

---

## Related documents

- [GCP-DEPLOY-RUNBOOK.md](GCP-DEPLOY-RUNBOOK.md) — firewall, VM deploy, verify
- [SYSTEM-ARCHITECTURE.md](SYSTEM-ARCHITECTURE.md) — deployment summary
- [00-Production-Domain-ikon168.md](00-Production-Domain-ikon168.md)
- Source repository — `docs/operations/` for QA checklists and testing guides
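The following pre-flight script is an added example covering items 1.1–1.2, 2.1–2.4 and 4.1 above. It is not the project's `scripts/verify_production.sh` and not part of the original page; the function names, the Linux-only `getent` lookup, and the assumption that the password-protected dashboard is served at `/` are this example's own. It parses `config/.env` with `grep` instead of sourcing it, so a malformed or tampered env file cannot execute commands in the operator's shell.

```shell
#!/usr/bin/env sh
# Added pre-flight for items 1.1-1.2, 2.1-2.4 and 4.1 of this checklist.
# NOT the project's scripts/verify_production.sh. Function names, the Linux-only
# getent lookup and the dashboard-at-"/" assumption are this example's own.
# Run from the repository root on the VM:  sh preflight.sh <vm-public-ipv4>

# 2.1: config/.env exists and is readable by its owner only (mode 600).
env_file_mode_ok() {
  env_file="$1"
  [ -f "$env_file" ] || return 1
  # GNU stat (Linux) first, BSD stat (macOS) as a fallback.
  mode=$(stat -c '%a' "$env_file" 2>/dev/null || stat -f '%Lp' "$env_file" 2>/dev/null)
  [ "$mode" = "600" ]
}

# 2.3/2.4: each named variable is present and non-empty. The file is read with grep,
# not sourced, so a hostile or malformed .env cannot run commands in this shell.
env_has_vars() {
  env_file="$1"; shift
  for var in "$@"; do
    value=$(grep -E "^${var}=" "$env_file" | head -n 1 | cut -d= -f2-)
    [ -n "$value" ] || { echo "missing or empty: $var" >&2; return 1; }
  done
}

# 2.2: the build context excludes the env file, so no COPY can put it in a layer.
# Accepts the exact path, a bare .env, or a **/.env glob as a whole line.
dockerignore_excludes_env() {
  grep -Exq 'config/\.env|\.env|\*\*/\.env' "$1" 2>/dev/null
}

# 1.1/1.2: DOMAIN resolves (IPv4) to the VM's current external address.
domain_resolves_to() {
  domain="$1"; expected_ip="$2"
  getent ahostsv4 "$domain" | awk '{print $1}' | sort -u | grep -Fxq "$expected_ip"
}

# 4.1 and 2.3 against the live site: /health is open and returns the documented body,
# the dashboard demands credentials, and plain HTTP on port 80 only redirects.
live_checks() {
  host="$1"
  body=$(curl -fsS --max-time 10 "https://$host/health") || return 1
  [ "$body" = '{"status":"ok"}' ] || { echo "unexpected /health body: $body" >&2; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "https://$host/")
  [ "$code" = "401" ] || { echo "dashboard answered $code without credentials, expected 401" >&2; return 1; }
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "http://$host/health")
  case "$code" in
    301|302|307|308) ;;
    *) echo "port 80 answered $code, expected a redirect to HTTPS" >&2; return 1 ;;
  esac
}

# Entry point: runs only when an IP is supplied, so the functions can also be sourced.
if [ -n "${1:-}" ]; then
  rc=0
  env_file_mode_ok config/.env            || { echo "FAIL 2.1: chmod 600 config/.env"; rc=1; }
  dockerignore_excludes_env .dockerignore || { echo "FAIL 2.2: add config/.env to .dockerignore"; rc=1; }
  env_has_vars config/.env DOMAIN DASHBOARD_PASSWORD || { echo "FAIL 2.3/2.4: required vars unset"; rc=1; }
  domain=$(grep -E '^DOMAIN=' config/.env | cut -d= -f2-)
  domain_resolves_to "$domain" "$1"       || { echo "FAIL 1.1/1.2: $domain does not resolve to $1"; rc=1; }
  live_checks "$domain"                   || { echo "FAIL 4.1/2.3: live checks"; rc=1; }
  [ "$rc" -eq 0 ] && echo "pre-flight OK for $domain"
  exit "$rc"
fi
```

The offline checks (file mode, required variables, `.dockerignore`) can be run before the first deploy; the DNS and HTTPS checks only make sense once the A record and Caddy are in place. A `401` from `/` is the expected result when `DASHBOARD_PASSWORD` is set; a `200` there means the public UI is unprotected.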
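For item 3.3 (and the "no 8080" rule in 3.2), here is an added example of the GCP firewall setup as `gcloud` commands. It is not taken from the project's runbook; `NETWORK`, `TARGET_TAG`, `INSTANCE`, `ZONE` and `ADMIN_CIDRS` are placeholders to replace, and `203.0.113.0/24` is an RFC 5737 documentation range. The guard function refuses to create an SSH rule whose source range is `0.0.0.0/0` or `::/0`, which is the mistake the checklist warns against.

```shell
#!/usr/bin/env sh
# Added example for items 3.2-3.3: GCP firewall rules for the Caddy VM.
# Not from the project's runbook. NETWORK, TARGET_TAG, INSTANCE, ZONE and ADMIN_CIDRS
# are placeholders; 203.0.113.0/24 is an RFC 5737 documentation range.
#   INSTANCE=<vm-name> ZONE=<zone> ADMIN_CIDRS=<office-cidr> sh gcp-firewall.sh apply

NETWORK=${NETWORK:-default}
TARGET_TAG=${TARGET_TAG:-vega77-web}
ADMIN_CIDRS=${ADMIN_CIDRS:-203.0.113.0/24}

# Guard: every comma-separated SSH source range must be a real range.
# Returns 1 for an empty list or for any /0 prefix (0.0.0.0/0, ::/0).
ssh_ranges_are_restricted() {
  ranges="$1"
  [ -n "$ranges" ] || return 1
  for r in $(printf '%s' "$ranges" | tr ',' ' '); do
    case "$r" in
      */0) return 1 ;;
    esac
  done
  return 0
}

apply_rules() {
  : "${INSTANCE:?set INSTANCE}" "${ZONE:?set ZONE}"

  # 1.3 / 3.1: 80 and 443 from anywhere. 80 stays open because Let's Encrypt HTTP-01
  # validation arrives from Let's Encrypt's servers and Caddy serves the HTTPS redirect on it.
  gcloud compute firewall-rules create "${TARGET_TAG}-allow-web" \
    --network "$NETWORK" --direction INGRESS \
    --allow tcp:80,tcp:443 --source-ranges 0.0.0.0/0 --target-tags "$TARGET_TAG"

  # 3.3: SSH only from known ranges. Fail closed rather than create a world-open 22 rule.
  ssh_ranges_are_restricted "$ADMIN_CIDRS" || {
    echo "refusing to open tcp:22 to '$ADMIN_CIDRS'" >&2; return 1; }
  gcloud compute firewall-rules create "${TARGET_TAG}-allow-ssh" \
    --network "$NETWORK" --direction INGRESS \
    --allow tcp:22 --source-ranges "$ADMIN_CIDRS" --target-tags "$TARGET_TAG"

  # 3.2: deliberately no rule for 8080. Rules apply only to instances carrying the tag.
  gcloud compute instances add-tags "$INSTANCE" --zone "$ZONE" --tags "$TARGET_TAG"

  # Show what is now open to this VM.
  gcloud compute firewall-rules list --filter="targetTags:${TARGET_TAG}" \
    --format="table(name,direction,sourceRanges.list())"
}

if [ "${1:-}" = "apply" ]; then
  apply_rules
fi
```

One caveat the checklist does not spell out: a VM in the `default` VPC also inherits the pre-created `default-allow-ssh` rule, which allows `tcp:22` from `0.0.0.0/0` to every instance in the network. Narrow or delete that rule as well, otherwise the restricted rule above adds nothing.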
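Items 6.1 and 6.2 ask for a backup and a documented restore of `./data`. The script below is an added example, not the project's own tooling: it stops the production stack with the compose command from section 8, archives `data/` with a SHA-256 sidecar, and restores only after the checksum verifies. `BACKUP_DIR`, the archive naming and the `.pre-restore-*` safety copy are this example's choices; `sha256sum` assumes GNU coreutils (use `shasum -a 256` on macOS).

```shell
#!/usr/bin/env sh
# Added example for items 6.1-6.2: cold backup and verified restore of ./data.
# Not the project's own script. Compose command taken from section 8 of the checklist;
# BACKUP_DIR, archive names and the .pre-restore-* copy are this example's choices.
#   sh backup.sh backup                      -> backups/data-<UTC stamp>.tar.gz
#   sh backup.sh restore backups/data-....tar.gz

COMPOSE="docker compose --env-file config/.env -f deploy/docker-compose.production.yml"
BACKUP_DIR=${BACKUP_DIR:-backups}

# Archive <data_dir> into <out_dir>/data-<stamp>.tar.gz plus a .sha256 sidecar.
# Prints the archive path. Pure file operations, so it is testable without Docker.
backup_data() {
  data_dir="$1"; out_dir="$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$out_dir/data-$stamp.tar.gz"
  mkdir -p "$out_dir"
  # -C keeps the archive relative (data/...), so it restores next to any checkout.
  tar -czf "$archive" -C "$(dirname "$data_dir")" "$(basename "$data_dir")"
  (cd "$out_dir" && sha256sum "$(basename "$archive")" > "$(basename "$archive").sha256")
  echo "$archive"
}

# Verify the sidecar checksum, park the current directory, then unpack the archive.
# The archive must have been made from a directory with the same basename as <data_dir>.
restore_data() {
  archive="$1"; data_dir="$2"
  (cd "$(dirname "$archive")" && sha256sum -c --quiet "$(basename "$archive").sha256") || return 1
  if [ -d "$data_dir" ]; then
    mv "$data_dir" "$data_dir.pre-restore-$(date -u +%Y%m%dT%H%M%SZ)"
  fi
  tar -xzf "$archive" -C "$(dirname "$data_dir")"
}

# 6.1: stop the stack first so SQLite and Chroma are not copied mid-write.
cold_backup() {
  $COMPOSE down
  backup_data data "$BACKUP_DIR"
  $COMPOSE up -d
}

# 6.2: stop, restore, start. The compose file must still pin the image tag
# that produced this backup; a newer image may migrate the schema on boot.
cold_restore() {
  $COMPOSE down
  restore_data "$1" data || { echo "checksum mismatch, restore aborted" >&2; return 1; }
  $COMPOSE up -d
}

case "${1:-}" in
  backup)  cold_backup ;;
  restore) cold_restore "$2" ;;
esac
```

Keep the `.sha256` sidecar with the archive when copying backups off the VM; a restore that skips the checksum step will happily unpack a truncated or tampered archive over live data.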