# Production Readiness Checklist

## Before first pilot

- Configure Supabase URL, anon key, and service role key in Vercel.
- Enable Google and GitHub OAuth providers in Supabase.
- Run `docs/supabase-schema.sql`, then `docs/rls-policies.sql`.
- Create the first organization through `/onboarding`.
- Register one site and one node.
- Generate a node API key and install the node agent.
- Register at least one model runtime under `/runtimes`.
- Send test telemetry to `/api/telemetry/ingest`.
- Verify `/ops`, `/usage`, `/incidents`, and `/admin/audit`.

## Security controls

- Rotate node keys before sharing the pilot with partners.
- Keep `SUPABASE_SERVICE_ROLE_KEY` server-side only.
- Add rate limiting before exposing the gateway to public traffic.
- Add signed telemetry payloads before production node deployment.
- Add model allowlists and tenant quotas before enabling paid inference.
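
One way to implement the signed telemetry item above, shown as an added example and not this project's own code: the node signs the timestamp plus raw body with HMAC-SHA256, and the ingest handler verifies it before parsing. The header names, the per-node signing secret, the five-minute window and the in-memory replay set are all assumptions for illustration.

```javascript
const crypto = require("node:crypto");

const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window

function mac(secret, rawBody, timestampMs) {
  // Bind the timestamp to the body so neither can be swapped independently.
  return crypto.createHmac("sha256", secret).update(`${timestampMs}.${rawBody}`).digest();
}

// Node agent side: returns the headers to send with the raw JSON body.
// Header names are hypothetical.
function signTelemetry(secret, rawBody, timestampMs) {
  return {
    "x-node-timestamp": String(timestampMs),
    "x-node-signature": mac(secret, rawBody, timestampMs).toString("hex"),
  };
}

// Ingest side: call with the exact bytes received, before JSON.parse.
// `seen` is a replay cache; a Set is used here, production needs a shared store with expiry.
function verifyTelemetry(secret, rawBody, headers, nowMs, seen) {
  const ts = Number(headers["x-node-timestamp"]);
  const sig = headers["x-node-signature"];
  if (!Number.isSafeInteger(ts) || typeof sig !== "string") {
    return { ok: false, reason: "malformed" };
  }
  if (Math.abs(nowMs - ts) > MAX_SKEW_MS) {
    return { ok: false, reason: "stale" };
  }
  const expected = mac(secret, rawBody, ts);
  const given = Buffer.from(sig, "hex"); // invalid hex yields a short buffer
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad_signature" };
  }
  const replayKey = expected.toString("hex");
  if (seen.has(replayKey)) {
    return { ok: false, reason: "replay" };
  }
  seen.add(replayKey);
  return { ok: true, reason: null };
}

// Constructed sample input, not real telemetry.
const sampleBody = JSON.stringify({ node_id: "node-1", gpu_util: 0.42 });
const sampleHeaders = signTelemetry("constructed-secret", sampleBody, Date.now());
console.log(verifyTelemetry("constructed-secret", sampleBody, sampleHeaders, Date.now(), new Set()));
```

Verify against the raw request body rather than a re-serialized object, since key order or whitespace changes would alter the MAC.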

## Operational controls

- Define SLA policy per pilot organization.
- Define maintenance windows for each node.
- Confirm incident escalation owners.
- Review audit logs weekly during pilot.
- Compare estimated inference revenue against power and connectivity costs.
