## WeShare production checklist

### App config
- **APP_ENV**: `production`
- **APP_DEBUG**: `false`
- **APP_URL**: set to your canonical HTTPS URL
- **APP_KEY**: generated (`php artisan key:generate`)
- **LOG_LEVEL**: `info` (or stricter)

### Database
- **DB_CONNECTION**: `mysql`
- Ensure migrations are up to date: `php artisan migrate --force`

### Storage (receipts + assets)
- **FILESYSTEM_DISK**: `public` (recommended)
- Create symlink: `php artisan storage:link`
- Ensure web server serves `/storage/*`

### Scheduler / queues
- Run scheduler (cron): `* * * * * php /path/to/artisan schedule:run >> /dev/null 2>&1`
- Run queue worker (Supervisor/systemd): `php artisan queue:work --tries=3`
- FX sync: schedule `weshare:fx-sync` (hourly/daily depending on plan)

### Realtime
- Not used (built-in broadcasting is set to `BROADCAST_CONNECTION=log`).

### Push notifications (Web Push)
- Configure env:
  - `VAPID_PUBLIC_KEY`, `VAPID_PRIVATE_KEY`
  - `VITE_VAPID_PUBLIC_KEY`
- Ensure HTTPS in production (required for Push).

### Security
- Set secure cookies:
  - `SESSION_SECURE_COOKIE=true` (HTTPS)
  - `SESSION_SAME_SITE=lax` (or stricter)
- Ensure CORS / CSRF are correct for your domain.

### Build / deploy
- Build assets: `npm ci && npm run build`
- Cache configs/routes/views:
  - `php artisan config:cache`
  - `php artisan route:cache`
  - `php artisan view:cache`