Deployment Checklist
DigitalOcean, GitHub, and live-gate readiness checklist for safe paper-first operations.
Runtime Readiness
Database connection is required for orders, audit logs, and risk settings.
Redis is required for BullMQ order execution.
Worker heartbeat is mandatory only when live trading is enabled.
First Trade Readiness
7 required first-trade gate(s) are not ready.
AI may read and produce typed proposals or autonomy decisions only; server and worker gates own order queuing, approval, broker calls, and risk settings.
Provider-backed proposal generation is not required for the first real trade and cannot approve or place orders.
Paper/demo autonomy is locked by AUTONOMY_MODE or provider configuration.
Live autonomy is separately opt-in, phrase-gated, expiring, and blocked by default.
Live readiness audit must pass before a real-money order attempt.
Run the live cutover env switch only after deploy, broker, and smoke readiness pass.
PostgreSQL, Redis, and the order execution worker are ready.
Rotated IG live credentials, credential metadata, denylist freshness, and IG_ALLOWED_LIVE_ACCOUNT_ID are ready.
Risk settings revision (currently missing) must be persisted and live-bounded.
No active or unknown IG live orders are blocking execution.
Dashboard unlock, first-live confirmation, deterministic risk approval, and per-order manual approval are required for the first real trade.
Live Readiness Gates
Default-safe mode: live trading is disabled.
Dashboard-only live gates loaded from /risk.
Admin password, session, CSRF, and encryption secrets must not use defaults.
Exposed credentials must be revoked/rotated after the latest exposure cutoff.
IG_CREDENTIAL_SET_FINGERPRINTS_RECORDED_AT must be recorded at or after the latest exposure cutoff.
Retired IG credential-set fingerprints are recorded after known exposure, forbidden fingerprints are clear, and the current credentials do not match them.
IG_ALLOWED_LIVE_ACCOUNT_ID must pin live trading to one expected account.
Revision: missing.
Active or unknown IG live local orders must be completed or reconciled first.
Unlock is intentionally short-lived and scoped to the live account, risk-settings revision, and credential scope.
The first live IG order requires a second confirmation phrase for the same account, risk revision, and credential scope.
This should remain locked until every live prerequisite is intentionally satisfied.
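One way the default-secret, credential-fingerprint, account-pin and scoped-unlock gates listed above could be evaluated fail-closed, as an added example that is not this application's own code. The field names, record shapes, gate labels and the default-secret list are assumptions, and all sample values are constructed.

```javascript
// Added example. Field names, record shapes and the default-secret list are assumptions.
const DEFAULT_SECRETS = new Set(["", "changeme", "admin", "secret"]); // constructed list

function parseTime(value) {
  const ms = typeof value === "string" ? Date.parse(value) : NaN;
  return Number.isFinite(ms) ? ms : null; // null = unknown, which always blocks
}

// Returns every blocking gate; live stays locked unless the list is empty.
function evaluateLiveGates(cfg, ctx, unlock, nowMs) {
  const blocked = [];
  for (const name of ["adminPassword", "sessionSecret", "csrfSecret", "encryptionKey"]) {
    const v = cfg.secrets?.[name];
    if (typeof v !== "string" || DEFAULT_SECRETS.has(v.trim().toLowerCase())) {
      blocked.push(`default-secret:${name}`);
    }
  }
  const cutoff = parseTime(cfg.exposureCutoff);
  const recordedAt = parseTime(cfg.fingerprintsRecordedAt);
  if (cutoff === null || recordedAt === null || recordedAt < cutoff) {
    blocked.push("fingerprints-not-recorded-after-cutoff");
  }
  const retired = Array.isArray(cfg.retiredFingerprints) ? cfg.retiredFingerprints : null;
  if (!retired || !ctx.credentialFingerprint || retired.includes(ctx.credentialFingerprint)) {
    blocked.push("credentials-retired-or-unverifiable");
  }
  if (!cfg.allowedLiveAccountId || ctx.accountId !== cfg.allowedLiveAccountId) {
    blocked.push("account-not-pinned");
  }
  if (!ctx.riskRevision) blocked.push("risk-revision-missing");
  const expiresAt = parseTime(unlock?.expiresAt);
  const inScope = Boolean(unlock) && unlock.accountId === ctx.accountId &&
    unlock.riskRevision === ctx.riskRevision &&
    unlock.credentialFingerprint === ctx.credentialFingerprint;
  if (!inScope || expiresAt === null || expiresAt <= nowMs) {
    blocked.push("unlock-missing-expired-or-out-of-scope");
  }
  return { liveReady: blocked.length === 0, blocked };
}

// Constructed sample state (not real account ids, fingerprints or secrets).
const SAMPLE_CFG = {
  secrets: { adminPassword: "x9!constructed", sessionSecret: "s-constructed",
             csrfSecret: "c-constructed", encryptionKey: "k-constructed" },
  exposureCutoff: "2025-01-10T00:00:00Z", fingerprintsRecordedAt: "2025-01-12T09:00:00Z",
  retiredFingerprints: ["fp-old-constructed"], allowedLiveAccountId: "ACC-EXAMPLE",
};
const SAMPLE_CTX = { accountId: "ACC-EXAMPLE", riskRevision: "rev-7",
                     credentialFingerprint: "fp-new-constructed" };
```

Any missing or unparseable input counts as a blocking gate, so a half-configured deployment reports `liveReady: false` rather than passing by omission.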
Final Human Unlock
Run the live env switch before recording human live confirmations.
Use the scoped phrase shown on the Risk page. This confirmation is short-lived and audit logged.
Record the separate scoped first-order phrase on the Risk page before the first real order can be approved.
Run strict smoke only after both human confirmations are recorded.
Each real order still requires deterministic risk approval and the scoped per-order approval phrase before worker execution.
Manual Deployment Tasks
Enable repository secret scanning and push protection before publishing.
Use local env or DigitalOcean managed secrets only; never commit broker credentials.
Run the authenticated production monitor after every deploy. In the post-env-switch phase it should expect live env enabled, live locked, and live-ready false.
After dashboard unlock and first-order confirmation, run strict smoke with live locked false and live-ready true before any real order approval.
Enable Managed PostgreSQL backups and test restore before live trading.
Know how to revoke IG, Trading 212, and app secrets before enabling live gates.
This page is a readiness dashboard, not live order approval. Live orders still require deterministic risk checks, fresh dashboard unlock, first-order confirmation, manual per-order approval, and worker-side broker validation.