# v1.0 Production Hardening

This hardening pass closes local runtime gates and records the remaining external infrastructure bindings that require real customer or operator credentials.

## Completed Locally

- Portable PHP 8.3 runtime is installed at `tools/php83/php.exe`.
- Local Composer is installed at `tools/composer.phar`.
- PHP extensions required for Composer and Laravel-style runtime checks are enabled.
- Backend Composer dependencies install with scripts disabled.
- Optimized Composer autoload generation passes.
- Strict Phase 9 release gate passes with PHP syntax scan enabled.
- Frontend production build passes.
- Local smoke test passes.
- Signed release manifest verification passes.
- Package cleanliness passes.

## Formal npm Advisory Decision

`npm audit` reports 2 moderate advisories from `postcss` bundled under `next`. The suggested npm fix downgrades `next` to `9.3.3`, which is not compatible with the current Next 16 application. The risk is formally accepted until a compatible Next.js security patch is available.

## External Bindings

The following cannot be completed without real operator credentials and target infrastructure:

- Database endpoint and credentials
- Redis endpoint
- Object storage bucket
- Mail provider
- SMS provider
- AI provider credentials
- Payment gateway credentials
- SaaS, self-hosted, white-label, and marketplace deployment targets
- Docker or Kubernetes runtime

These bindings are contract-ready and must be completed per customer environment before production traffic.