# Phase 10: PWA & Deployment

**Goal:** Deploy to production as Progressive Web App
**Priority:** High
**Status:** Not Started
**Last Updated:** November 29, 2025

---

## Overview

Prepare the application for production deployment as a Progressive Web App (PWA) with offline support, proper infrastructure, monitoring, and security hardening.

**Key Goals:**
- PWA with installability and offline support
- Production server setup (Nginx + Gunicorn)
- Monitoring and alerting (Sentry, uptime)
- Backup and disaster recovery
- Security audit and hardening

---

## Task Groups

### PWA Setup (4 tasks)

| Task ID | Task | Status | Notes |
|---------|------|--------|-------|
| 10.1 | Create PWA manifest | ⬜ | `static/manifest.json` - name, icons, theme |
| 10.2 | Create service worker | ⬜ | `static/sw.js` - caching strategy, offline support |
| 10.3 | Create PWA icons | ⬜ | Various sizes: 72, 96, 128, 144, 152, 192, 384, 512 |
| 10.4 | **Checkpoint:** Test PWA installation | ⬜ | Install on mobile, verify offline behavior |

**Manifest Example:**
```json
{
  "name": "Code of Conquest",
  "short_name": "CoC",
  "description": "AI-powered D&D adventure game",
  "start_url": "/",
  "display": "standalone",
  "background_color": "#1a1a2e",
  "theme_color": "#c9a227",
  "icons": [
    { "src": "/static/icons/icon-192.png", "sizes": "192x192", "type": "image/png" },
    { "src": "/static/icons/icon-512.png", "sizes": "512x512", "type": "image/png" }
  ]
}
```

**Deliverable:** Installable PWA

---

### Production Environment (4 tasks)

| Task ID | Task | Status | Notes |
|---------|------|--------|-------|
| 10.5 | Set up production server | ⬜ | VPS/cloud instance, domain, SSL |
| 10.6 | Configure Nginx reverse proxy | ⬜ | SSL termination, static file serving |
| 10.7 | Configure Gunicorn | ⬜ | 4+ workers, production settings |
| 10.8 | Set up production Redis | ⬜ | Persistent storage, proper auth |

**Nginx Configuration (Example):**
```nginx
server {
    # TLS terminates at Nginx; the backends only listen on loopback
    listen 443 ssl http2;
    server_name codeofconquest.com;

    ssl_certificate /etc/letsencrypt/live/codeofconquest.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/codeofconquest.com/privkey.pem;

    # Static assets are served directly from disk with a long cache lifetime
    location /static {
        alias /var/www/coc/public_web/static;
        expires 1y;
    }

    # API backend on 127.0.0.1:5000
    location /api {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }

    # Web frontend on 127.0.0.1:5001
    location / {
        proxy_pass http://127.0.0.1:5001;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}
```

**Deliverable:** Production server running

---

### Background Workers (3 tasks)

| Task ID | Task | Status | Notes |
|---------|------|--------|-------|
| 10.9 | Set up RQ workers (production) | ⬜ | Systemd services, auto-restart |
| 10.10 | Configure worker monitoring | ⬜ | RQ dashboard or custom monitoring |
| 10.11 | Test job processing under load | ⬜ | Verify workers handle concurrent AI tasks |

**Systemd Service (Example):**
```ini
[Unit]
Description=RQ Worker for Code of Conquest
After=redis.service

[Service]
User=www-data
WorkingDirectory=/var/www/coc/api
ExecStart=/var/www/coc/api/venv/bin/rq worker ai_tasks combat_tasks
Restart=always

[Install]
WantedBy=multi-user.target
```

**Deliverable:** Reliable background job processing

---

### Monitoring & Alerting (4 tasks)

| Task ID | Task | Status | Notes |
|---------|------|--------|-------|
| 10.12 | Set up Sentry for error tracking | ⬜ | API and web frontend integration |
| 10.13 | Set up uptime monitoring | ⬜ | External service (UptimeRobot, Better Uptime) |
| 10.14 | Configure AI cost monitoring | ⬜ | Daily spend alerts, tier limit tracking |
| 10.15 | **Checkpoint:** Verify alerting works | ⬜ | Trigger test alert, verify notification |

**Deliverable:** Comprehensive monitoring

---

### Backup & Security (4 tasks)

| Task ID | Task | Status | Notes |
|---------|------|--------|-------|
| 10.16 | Set up daily Appwrite backups | ⬜ | Automated backup to cloud storage |
| 10.17 | Perform security audit | ⬜ | OWASP checklist, endpoint review |
| 10.18 | Configure rate limiting (production) | ⬜ | Flask-Limiter with production limits |
| 10.19 | Harden server security | ⬜ | Firewall, SSH keys, fail2ban |

**Security Checklist:**
- [ ] All endpoints require authentication where needed
- [ ] Input validation on all user inputs
- [ ] SQL/NoSQL injection prevention
- [ ] XSS prevention (output encoding)
- [ ] CSRF protection
- [ ] Rate limiting on AI endpoints
- [ ] Secrets in environment variables (not code)
- [ ] HTTPS enforced everywhere
- [ ] Security headers (CSP, HSTS, etc.)

**Deliverable:** Secured production environment

---

### Deployment Automation (3 tasks)

| Task ID | Task | Status | Notes |
|---------|------|--------|-------|
| 10.20 | Create deployment script | ⬜ | `scripts/deploy.sh` - pull, build, restart |
| 10.21 | Write deployment documentation | ⬜ | Update `/docs/DEPLOYMENT.md` |
| 10.22 | **Final Checkpoint:** Deploy to production | ⬜ | Go live! |

**Deployment Script (Example):**
```bash
#!/bin/bash
# Abort on the first failing command so a failed pull or install never restarts services
set -e

echo "Pulling latest code..."
# git pull acts on the current directory, so enter the checkout first
# (assumed to be /var/www/coc, the parent of api/ and public_web/)
cd /var/www/coc
git pull origin master

echo "Updating API..."
cd /var/www/coc/api
source venv/bin/activate
pip install -r requirements.txt
sudo systemctl restart coc-api
sudo systemctl restart coc-worker

echo "Updating Web..."
cd /var/www/coc/public_web
source venv/bin/activate
pip install -r requirements.txt
sudo systemctl restart coc-web

echo "Deployment complete!"
```

**Deliverable:** Automated deployment process

---

## Files to Create/Modify

**New Files:**
- `/public_web/static/manifest.json`
- `/public_web/static/sw.js`
- `/public_web/static/icons/*.png` (various sizes)
- `/scripts/deploy.sh`
- `/scripts/backup.sh`
- `/config/nginx/coc.conf` (example Nginx config)
- `/config/systemd/coc-api.service`
- `/config/systemd/coc-web.service`
- `/config/systemd/coc-worker.service`

**Modified Files:**
- `/public_web/templates/base.html` - PWA meta tags, manifest link
- `/docs/DEPLOYMENT.md` - Production deployment guide
- `/api/app/__init__.py` - Sentry integration
- `/public_web/app/__init__.py` - Sentry integration

---

## Testing Criteria

### PWA Testing
- [ ] Manifest loads correctly
- [ ] Service worker registers
- [ ] App installable on mobile
- [ ] Offline page displays when disconnected
- [ ] PWA icons display correctly

### Production Testing
- [ ] HTTPS works correctly
- [ ] API accessible via domain
- [ ] Web frontend accessible via domain
- [ ] Static files served correctly
- [ ] Background workers processing jobs

### Security Testing
- [ ] Unauthorized access blocked
- [ ] Rate limiting working
- [ ] No sensitive data in responses
- [ ] Security headers present

### Monitoring Testing
- [ ] Sentry capturing errors
- [ ] Uptime monitoring active
- [ ] Alerts trigger correctly

---

## Success Criteria

- [ ] PWA installable and functional
- [ ] Production server running with SSL
- [ ] Background workers processing reliably
- [ ] Monitoring and alerting active
- [ ] Daily backups running
- [ ] Security audit passed
- [ ] Deployment automated

---

## Dependencies

**Requires (from earlier phases):**
- All core features complete
- Frontend polish complete

---

## Task Summary

| Group | Tasks | Checkpoints |
|-------|-------|-------------|
| PWA Setup | 3 | 1 |
| Production Environment | 4 | 0 |
| Background Workers | 3 | 0 |
| Monitoring & Alerting | 3 | 1 |
| Backup & Security | 4 | 0 |
| Deployment Automation | 2 | 1 |
| **Total** | **19** | **3** |
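
For task 10.2, one way to write the caching policy in `static/sw.js` so that static assets are served offline while `/api` responses never enter Cache Storage, where per-user data would outlive a logout. This is an added example, not the project's own code: the path prefixes follow the Nginx example, and `CACHE_NAME`, `OFFLINE_URL` and the offline page itself are assumptions.

```javascript
// Added example: request routing for static/sw.js (task 10.2).
const CACHE_NAME = 'coc-static-v1';          // assumed name; bump it to invalidate old caches
const OFFLINE_URL = '/static/offline.html';  // hypothetical offline page

// Decide how a request is served. Kept pure so it can be unit-tested outside a browser.
function cacheStrategy(method, urlString, origin, mode) {
  const url = new URL(urlString, origin);    // also normalizes "../" segments
  if (method !== 'GET') return 'network-only';        // never cache state-changing requests
  if (url.origin !== origin) return 'network-only';   // leave cross-origin traffic alone
  if (url.pathname === '/api' || url.pathname.startsWith('/api/')) {
    return 'network-only';                            // authenticated data stays out of the cache
  }
  if (url.pathname.startsWith('/static/')) return 'cache-first';
  if (mode === 'navigate') return 'network-with-offline-fallback';
  return 'network-only';
}

async function cacheFirst(request) {
  const cache = await caches.open(CACHE_NAME);
  const hit = await cache.match(request);
  if (hit) return hit;
  const response = await fetch(request);
  if (response.ok) await cache.put(request, response.clone()); // store only successful responses
  return response;
}

async function networkWithOfflineFallback(request) {
  try {
    return await fetch(request);
  } catch (err) {
    const cache = await caches.open(CACHE_NAME);
    return (await cache.match(OFFLINE_URL)) || Response.error();
  }
}

// Register handlers only inside a service worker, so the file also loads under Node.
if (typeof ServiceWorkerGlobalScope !== 'undefined' && self instanceof ServiceWorkerGlobalScope) {
  self.addEventListener('install', (event) => {
    event.waitUntil(caches.open(CACHE_NAME).then((c) => c.add(OFFLINE_URL)));
  });
  self.addEventListener('fetch', (event) => {
    const req = event.request;
    const strategy = cacheStrategy(req.method, req.url, self.location.origin, req.mode);
    if (strategy === 'cache-first') event.respondWith(cacheFirst(req));
    else if (strategy === 'network-with-offline-fallback') event.respondWith(networkWithOfflineFallback(req));
    // 'network-only': no respondWith(), so the browser handles the request normally
  });
}
```

Because `/static` is served with `expires 1y`, changing `CACHE_NAME` on each release is what forces clients to pick up new assets.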