Production Readiness

AWS deployment checklist, secrets, backups, and go-live runbook.

Environment

Aws

us-west-2

Documents

cascadequotecloud-documents

S3-ready storage

Backups

cascadequotecloud-backups

Backup target

Ready7

Configured or implemented

Action Needed3

Must finish before live customers

Planned6

Queued production setup

Backups0

Recent snapshots

Enterprise Controls

Security3 / 7 ready
Monitoring5 / 5 ready
DR1 / 5 ready
Tenant Proof5 / 5 ready
ReadinessPending

Security Hardening

ControlStatusEvidenceOwner
Role based access Ready SecurityPermissions gates each menu and page by role. Developer
Audit trails Ready AuditLog captures sign-ins, admin activity, approvals, warranty rules, and report access. Admin
Secrets management Ready Production secrets should live in AWS Secrets Manager, not appsettings or source files. Admin
Data encryption Planned Use encrypted RDS storage, encrypted S3 buckets, TLS, and protected ASP.NET data protection keys. Admin
MFA and password policy Action Needed Add MFA for admins, minimum password strength, password rotation policy, and lockout reporting. Admin
Network boundary Planned Put production services behind AWS WAF, private RDS subnets, security groups, and least-privilege IAM. Admin
Session/key persistence Action Needed Move data protection keys out of ephemeral memory before multi-instance production. Developer

Backup Snapshots

BackupTypeCreatedSizeStatusLocationNotes

Monitoring Probes

ProbeTargetStatusCheckedNotes
Health endpoint /health Ready 07/13/2026 01:09 Load balancer can verify application health.
Readiness endpoint /ready Ready 07/13/2026 01:09 Reports readiness counts without exposing secret values.
Tenant database connectivity SQLite preview database Ready 07/13/2026 01:09 Tenant admin database connection string is present.
Backup target cascadequotecloud-backups Ready 07/13/2026 01:09 At least one backup snapshot or backup bucket should exist.
Document storage cascadequotecloud-documents Ready 07/13/2026 01:09 Production should use encrypted S3 storage with versioning.

Disaster Recovery

#ScenarioRecovery ActionRTORPOStatus
1 Single app instance failure Restart App Runner/ECS service and verify /health. 30 minutes No data loss expected Planned
2 Tenant database corruption Restore latest RDS automated backup or local snapshot, then reconcile audit log. 4 hours 15 minutes Action Needed
3 Accidental document deletion Restore S3 version or backup bucket object. 4 hours 24 hours Ready
4 Region outage Promote warm standby stack in secondary AWS region. 24 hours 24 hours Planned
5 Security incident Disable affected accounts, rotate secrets, export audit log, restore clean backup if needed. 2 hours 15 minutes Planned

Tenant Isolation Proof

ProofStatusEvidenceRisk Note
Company scoped identity Ready 2 companies have unique CompanyID values. Do not allow users to switch company context without re-authentication.
Tenant database keys Ready Each company has a distinct database key in the tenant registry. Production should resolve each key to a separate RDS database or schema secret.
Role scoped access Ready CurrentTenantSession carries one Company and one User for page/service operations. Continue adding service-level guards for new modules.
Operational CompanyID filters Ready Existing SQLite services query and save records with CompanyID filters. Automated integration tests should be added for cross-tenant access attempts.
Audit boundary Ready AuditLog entries are queried by CompanyID. Exported audit evidence should be retained per tenant.

AWS Readiness Checklist

AreaRequirementStatusNotes
Hosting Docker image and App Runner/ECS hosting plan Ready Dockerfile exposes port 8080 and uses the Aws environment.
Health App health endpoint Ready /health is available for load balancer and App Runner health checks.
Readiness Production readiness endpoint Ready /ready reports configuration readiness without exposing secrets.
Database Move tenant admin database to RDS Action Needed Current local/AWS starter configuration uses SQLite. Move this to Amazon RDS before paying customers.
Tenant Isolation One tenant data boundary per company Ready Existing services scope records by CompanyID and tenant database keys.
Secrets AWS Secrets Manager names configured Ready Use Secrets Manager for tenant admin DB, tenant DBs, Stripe, SES, QuickBooks, and data protection keys.
Files S3 document and backup buckets Planned Current document storage is local/S3-ready. S3 provider should be enabled for production.
Email Amazon SES identity and sending domain Planned Email Center queues messages and is SES-ready, but real sending is not enabled.
Payments Stripe Checkout live credentials Planned Online payments run in preview mode until Stripe live keys and webhooks are connected.
Accounting QuickBooks Online OAuth app Planned QBO queue previews payloads. Real OAuth/API transmission still needs Intuit app setup.
Backups Automated RDS and S3 backup policy Action Needed Define retention, restore test cadence, and who receives backup failure alerts.
Monitoring CloudWatch logs and alarms Planned Add alarms for failed health checks, app errors, high latency, failed jobs, and backup failures.
Disaster Recovery Documented restore and failover runbook Action Needed Define RTO/RPO, restore owners, and quarterly recovery drills.
Security Hardening Enterprise controls for auth, secrets, encryption, and audit Planned Core role-based access exists. Production hardening should add MFA, WAF, persistent data protection keys, and least-privilege IAM.
Tenant Isolation Proof Evidence that company data cannot cross tenant boundaries Ready Company records carry tenant database keys and operational records are CompanyID-scoped.
Database Migrations Schema version history and startup migrations Ready 4 schema migration record(s) found.

Secrets Checklist

SecretUsed ForStatusNotes
cascadequotecloud/tenant-admin-db Tenant admin database connection Named Store the RDS connection string here.
cascadequotecloud/tenants/<tenant-slug> Per-company tenant database connection Named Each company should resolve to its own database secret.
cascadequotecloud/stripe/live Stripe Checkout and webhook signing secret Needed Do not store Stripe live keys in appsettings.
cascadequotecloud/qbo/oauth QuickBooks Online OAuth client secret and refresh token Needed Use the QBO preview queue until OAuth is enabled.
cascadequotecloud/ses/smtp Amazon SES sending identity or SMTP credentials Needed Used by Email Center when real sending is enabled.
cascadequotecloud/dataprotection ASP.NET data protection key store Needed Use persistent shared keys for multiple app instances.

Deployment Runbook

#StepOwnerStatusNotes
1 Create AWS account, IAM roles, and least-privilege deploy user Admin Planned Limit production access to deployment and support roles.
2 Create ECR repository and push Docker image Developer Ready Starter script exists in the aws folder.
3 Create RDS database and migrate tenant admin data Developer Action Needed SQLite is fine for preview, but not final SaaS production.
4 Create S3 buckets for documents, reports, exports, and backups Admin Planned Enable versioning, encryption, and lifecycle rules.
5 Create Secrets Manager entries Admin Planned Populate DB, Stripe, SES, QBO, and data protection secrets.
6 Create App Runner or ECS Fargate service Developer Ready Use port 8080 and /health.
7 Configure custom domain and TLS Admin Planned Use Route 53 and AWS Certificate Manager.
8 Run smoke tests Developer Planned Sign in, create quote, invoice, payment request, document upload, QBO preview queue.
9 Run restore drill Admin Action Needed Confirm database and document restore before live users.
10 Go-live with one pilot company Owner Planned Start with Western Cascade before onboarding outside customers.

Database Migrations

MigrationDescriptionAppliedStatusNotes
2026-07-06-004-import-export-readiness Add customer indexes used by legacy data import/export validation. 07/11/2026 14:49 Applied Migration applied successfully.
2026-07-06-003-operational-reporting-indexes Add indexes used by dashboards, payroll, and dispatch reports. 07/11/2026 14:49 Applied Migration applied successfully.
2026-07-06-002-audit-indexes Add audit log lookup indexes for enterprise audit trails. 07/11/2026 14:49 Applied Migration applied successfully.
2026-07-06-001-baseline-history Create schema migration history and mark baseline. 07/11/2026 14:49 Applied Migration applied successfully.

Current Configuration

Tenant DBData Source=/app/data/CascadeQuoteCloudTenants.db
Health/health
Ready/ready
Container Port8080
AWS Regionus-west-2
An unhandled error has occurred. Reload 🗙

Rejoining the server...

Rejoin failed... trying again in seconds.

Failed to rejoin.
Please retry or reload the page.

The session has been paused by the server.

Failed to resume the session.
Please retry or reload the page.