Launch Checklist
This checklist covers all the essential steps for launching Tenanto in a production environment.
Table of Contents
- Pre-Launch Preparation
- Infrastructure Setup
- Application Configuration
- Security Hardening
- Billing & Payments
- Monitoring & Alerting
- Testing & Verification
- Go-Live Checklist
- Post-Launch Tasks
Pre-Launch Preparation
Code & Repository
- All code is committed and pushed to main branch
- All tests pass (`php artisan test`)
- PHPStan analysis passes (`./vendor/bin/phpstan analyse`)
- Code style is consistent (`./vendor/bin/pint`)
- No debug code or `dd()` statements in production code
- `.env.example` is up-to-date with all required variables
- CHANGELOG.md is updated with latest version
- Git tags are created for the release version
Documentation
- README.md is complete and accurate
- UPGRADING.md exists for version migrations
- API documentation is current
- Deployment guide is reviewed
- Security documentation is reviewed
Infrastructure Setup
Server Requirements
- PHP 8.4+ installed with required extensions
- PostgreSQL 16+ configured
- Redis 7+ for cache and sessions
- Nginx or Apache configured
- SSL certificates obtained (Let's Encrypt/commercial)
- Wildcard SSL certificate for tenant subdomains
DNS Configuration
- Primary domain DNS records configured
- Wildcard subdomain DNS record (`*.yourdomain.com`)
- MX records for email delivery
- SPF/DKIM/DMARC records for email authentication
Server Hardening
- SSH key authentication only (password disabled)
- Firewall configured (only ports 80, 443, 22 open)
- Fail2ban or similar intrusion prevention
- Automatic security updates enabled
- Non-root user for application
Application Configuration
Environment Variables
- `APP_ENV=production`
- `APP_DEBUG=false`
- `APP_KEY` generated and secured
- `APP_URL` set to production domain
- Database credentials configured
- Redis credentials configured
- Mail provider credentials configured
- Stripe production keys configured
- Sentry/error tracking DSN configured
Performance Optimization
- Configuration cached (`php artisan config:cache`)
- Routes cached (`php artisan route:cache`)
- Views cached (`php artisan view:cache`)
- Events cached (`php artisan event:cache`)
- Composer autoloader optimized (`composer dump-autoload --optimize`)
- OPcache enabled and configured
- PHP-FPM pool tuned for workload
Queue & Scheduler
- Queue worker configured (Supervisor)
- Horizon configured (if using)
- Scheduler cron job added
- Queue connection set to Redis
Security Hardening
Application Security
- All secrets in environment variables (not code)
- Debug mode disabled
- Error pages don't expose stack traces
- Rate limiting configured on API endpoints
- CSRF protection enabled
- XSS protection via Blade escaping
- SQL injection prevention (Eloquent/prepared statements)
HTTP Security Headers
- HTTPS enforced (redirect HTTP to HTTPS)
- HSTS enabled
- X-Frame-Options set
- X-Content-Type-Options set
- Content-Security-Policy configured
- Referrer-Policy set
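One way to verify the header items above from a captured response. This is an added example, not part of Tenanto; the function name, the value rules (HSTS `max-age` above zero, `DENY`/`SAMEORIGIN`, `nosniff`) and the sample response are assumptions constructed for illustration.

```bash
# Added example: the function name and sample response are constructed.

# Read raw response headers on stdin; print one FAIL line per problem and
# return non-zero if any checklist header is missing or has a weak value.
check_security_headers() {
    tr -d '\r' | awk '
        function fail(msg) { print "FAIL: " msg; bad = 1 }
        function check(name, re, why,   key) {
            key = tolower(name)
            if (!(key in h)) { fail(name " missing") }
            else if (h[key] !~ re) { fail(name " " why) }
        }
        {
            i = index($0, ":")
            if (i == 0) next                 # status line or blank line
            val = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            # Header names are case-insensitive (HTTP/2 sends them lower-case).
            h[tolower(substr($0, 1, i - 1))] = tolower(val)
        }
        END {
            # max-age=0 tells browsers to forget HSTS, so require a value above zero.
            check("Strict-Transport-Security", "max-age=\"?0*[1-9]", "max-age is zero or absent")
            check("X-Frame-Options", "^(deny|sameorigin)$", "is not DENY or SAMEORIGIN")
            check("X-Content-Type-Options", "^nosniff$", "is not nosniff")
            check("Content-Security-Policy", ".", "is empty")
            check("Referrer-Policy", ".", "is empty")
            exit bad + 0
        }'
}

# Constructed sample: a response with HSTS switched off and no CSP.
printf '%s\r\n' 'HTTP/2 200' 'content-type: text/html; charset=UTF-8' \
    'strict-transport-security: max-age=0' 'x-frame-options: SAMEORIGIN' \
    'x-content-type-options: nosniff' \
    'referrer-policy: strict-origin-when-cross-origin' |
    check_security_headers || echo "header check failed"
```

Against a live deployment, pipe in the real headers, for example `curl -sSI https://yourdomain.com | check_security_headers`, and repeat for a tenant subdomain.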
File Permissions
- Application files owned by www-data
- Storage directory writable (775)
- Bootstrap/cache directory writable (775)
- `.env` file readable only by application (600)
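A pre-launch audit covering the Environment Variables items and the `.env` permission item above. This is an added example, not part of Tenanto; the function names and sample file are constructed, and the `https://` requirement on `APP_URL` is an assumption that follows from the "HTTPS enforced" item.

```bash
# Added example: names and sample data are constructed, not part of Tenanto.

# Print the value assigned to KEY ($2) in env file $1; the last assignment
# wins and one pair of surrounding quotes is stripped.
env_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

_fail() { echo "FAIL: $1"; fails=$((fails + 1)); }

# Print one line per failed check; succeed only when every check passes.
audit_env() {
    fails=0
    [ "$(env_get "$1" APP_ENV)" = "production" ] || _fail "APP_ENV is not production"
    # Accept any letter case for the flag value.
    [ "$(env_get "$1" APP_DEBUG | tr 'A-Z' 'a-z')" = "false" ] || _fail "APP_DEBUG is not false"
    [ -n "$(env_get "$1" APP_KEY)" ] || _fail "APP_KEY is empty or missing"
    # Assumption: the production APP_URL is served over HTTPS.
    case "$(env_get "$1" APP_URL)" in
        https://*) ;;
        *) _fail "APP_URL is not an https:// URL" ;;
    esac
    # Mode 600 shows in ls as rw------- (owner read/write, nothing else).
    [ "$(ls -ld "$1" | cut -c2-10)" = "rw-------" ] || _fail ".env mode is not 600"
    [ "$fails" -eq 0 ]
}

# Constructed sample: a development-style .env left world-readable.
demo_dir=$(mktemp -d)
printf '%s\n' 'APP_ENV=local' 'APP_DEBUG=true' 'APP_KEY=' \
    'APP_URL=http://localhost' > "$demo_dir/.env"
chmod 644 "$demo_dir/.env"
audit_env "$demo_dir/.env" || echo "launch blocked: fix the items above"
rm -rf "$demo_dir"
```

The function exits non-zero on any failure, so it can gate a deploy script before the config cache is rebuilt.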
Database Security
- Database user has minimum required privileges
- Database not accessible from internet
- Database password is strong and unique
Billing & Payments
Stripe Configuration
- Production API keys configured
- Webhook endpoint registered in Stripe dashboard
- Webhook signing secret configured
- All price IDs configured (basic, pro, enterprise)
- Tax settings configured (if applicable)
Subscription Plans
- All plans created in Stripe dashboard
- Price IDs match environment configuration
- Feature limits configured in `config/billing.php`
- Trial period settings configured
Testing Payments
- Test subscription creation flow
- Test plan upgrade/downgrade
- Test cancellation flow
- Test webhook handling
- Verify invoice generation
Monitoring & Alerting
Error Tracking
- Sentry/Bugsnag configured
- Error notifications configured
- Tenant context included in error reports
Application Monitoring
- Health check endpoint accessible (`/health`)
- Readiness check endpoint accessible (`/ready`)
- Log rotation configured
- Log aggregation setup (if using)
Alerting Rules
- High error rate alerts
- Server resource alerts (CPU, memory, disk)
- Database connection alerts
- Queue backup alerts
- SSL certificate expiry alerts
Uptime Monitoring
- External uptime monitor configured
- Status page setup (optional)
- Incident response plan documented
Testing & Verification
Functional Testing
- User registration flow works
- Registration creates tenant + owner role and assigns tenant_id
- User login/logout works
- Email verification works
- Password reset works
- Tenant creation works
- Subdomain routing works
- API authentication works
Tenant Isolation Testing
- Tenant A cannot see Tenant B data
- API endpoints enforce tenant isolation
- Filament resources enforce tenant isolation
- File uploads are tenant-isolated
Performance Testing
- Response times acceptable under load
- Database queries optimized (no N+1)
- Static assets cached properly
- CDN configured (if using)
Browser Testing
- Test in Chrome
- Test in Firefox
- Test in Safari
- Test on mobile devices
- Test responsive layouts
Go-Live Checklist
Final Verification (Day of Launch)
- Fresh database backup created
- All team members notified
- Support channels ready
- Rollback plan documented
DNS Cutover
- DNS TTL lowered 24-48 hours prior
- DNS records updated
- SSL certificate working
- Wildcard subdomain working
Application Deployment
- Maintenance mode enabled
- Latest code deployed
- Migrations run
- Cache cleared and rebuilt
- Queue workers restarted
- Maintenance mode disabled
Verification (Post-Deployment)
- Homepage loads correctly
- Admin panel accessible
- User registration works
- Payment processing works
- Emails being sent
- No errors in logs
Post-Launch Tasks
Immediate (First 24 Hours)
- Monitor error rates
- Monitor server resources
- Monitor response times
- Address any critical issues
- Backup verification
Short-Term (First Week)
- Review user feedback
- Monitor support tickets
- Analyze error patterns
- Performance optimization if needed
- DNS TTL restored to normal
Ongoing
- Regular security updates
- Dependency updates
- Database backups verified
- Log rotation working
- Certificate renewal automated
Emergency Contacts
| Role | Contact |
|---|---|
| Technical Lead | [Your contact] |
| DevOps | [DevOps contact] |
| Stripe Support | https://support.stripe.com |
| Hosting Provider | [Provider support] |
Rollback Procedure
If critical issues are discovered after launch:
- Enable maintenance mode

  ```bash
  # Replace "emergency-token" with a long random value: anyone who knows it can bypass maintenance mode
  php artisan down --secret="emergency-token"
  ```

- Revert code

  ```bash
  git checkout [previous-stable-tag]
  composer install --optimize-autoloader --no-dev
  npm ci && npm run build
  ```

- Rollback migrations (if needed)

  ```bash
  php artisan migrate:rollback --step=1
  ```

- Clear and rebuild caches

  ```bash
  php artisan cache:clear
  php artisan config:cache
  php artisan route:cache
  ```

- Restart workers

  ```bash
  supervisorctl restart tenanto-worker:*
  ```

- Disable maintenance mode

  ```bash
  php artisan up
  ```

- Notify team and investigate
Related Documentation
- Deployment Guide - Production deployment steps
- Security Guide - Security configuration
- Backup & Restore - Backup strategies
- Performance Guide - Optimization
Version History
| Version | Date | Notes |
|---|---|---|
| 1.0.0 | 2025-11-29 | Initial launch |