
AWS staging bootstrap checklist

A value-free operator checklist for creating the first MUPZAOS staging server, proving health checks and keeping production, MUPZAAI and LAN authority untouched.

Bootstrap status: 12 items, 6 stages, 7 route checks, 3 env families.

Staging only: true
Production untouched: true
AWS mutation: false
GitHub push: false
Secrets redacted: true
Env values redacted: true
LAN authority preserved: true
MUPZAAI read-only: true

Stages

repo: 1 required (1 total)
server: 2 required (2 total)
runtime: 5 required (5 total)
proxy: 1 required (1 total)
smoke: 2 required (2 total)
rollback: 0 required (1 total)

Env families

Firebase: AWS server env or managed secret store, never Git.
  NEXT_PUBLIC_FIREBASE_API_KEY, NEXT_PUBLIC_FIREBASE_PROJECT_ID, FIREBASE_SERVICE_ACCOUNT_BASE64

Notifications: provider dashboards plus AWS server env, never runbook values.
  OTP_PROVIDER, WHATSAPP_ACCESS_TOKEN, TELEGRAM_BOT_TOKEN, SMTP_PASS

Cloudflare and tags: Cloudflare/GitHub/AWS settings with public IDs only where intended.
  NEXT_PUBLIC_GTM_ID, NEXT_PUBLIC_METRICS_ENABLED, BACKEND_PUBLIC_URL

Bootstrap checklist

1. Confirm local release gates are green (stage: repo)

AWS staging starts only after local evidence says the source pack is push-safe.

cd D:\mupza-business-os; powershell -NoProfile -ExecutionPolicy Bypass -File .\scripts\qa\run-local-release-readiness-index-qa-smoke-v1.ps1

2. Create a fresh staging server (stage: server)

Production stays untouched and staging can be rebuilt without business risk.

Create one new AWS EC2 staging instance with an operator-owned SSH key.

3. Restrict inbound access (stage: server)

SSH stays limited while web traffic remains reachable for health checks.

Open 22 only to the operator IP; open 80 and 443 to the internet.

4. Install runtime packages (stage: runtime)

The MUPZAOS frontend can build and run behind a stable reverse proxy.

Install Node.js LTS, Git, Nginx and a process manager on the staging server.

5. Clone the new MUPZAOS repo (stage: runtime)

The server receives only the clean GitHub source pack, not local generated folders.

git clone <NEW_GITHUB_REPO_URL> mupza-business-os

6. Configure server env outside Git (stage: runtime)

Firebase, notification, Cloudflare and tag values are never committed.

Create server-side env config from operator-owned secrets, never from source files.

7. Install dependencies and build (stage: runtime)

The staging server proves the pushed source builds in its real runtime.

cd mupza-business-os/frontend; npm ci; npm run typecheck; npm run build

8. Start the app process (stage: runtime)

The app listens locally before Nginx exposes it.

cd mupza-business-os/frontend; npm run start -- -p 3000

9. Put Nginx in front (stage: proxy)

Cloudflare and browser traffic hit Nginx, while the app stays private on localhost.

Proxy 80/443 to 127.0.0.1:3000 and keep /api/health reachable.

10. Run staging health smoke (stage: smoke)

Public health returns value-free readiness before DNS/proxy changes are trusted.

Invoke-WebRequest -Uri https://<staging-domain>/api/health -UseBasicParsing

11. Check operator routes (stage: smoke)

Core operator, POS and release screens are reachable on staging.

Open /, /release-evidence, /operator-push-pack, /staging-health and /pos-desktop.

12. Record rollback path (stage: rollback)

The operator can back out without touching production.

Keep the previous process config and DNS unchanged until health and route smoke pass.

Staging smoke routes

/ (MUPZAOS): Owner/admin shell loads.

/api/health (mupzaos_staging_health_endpoint_v1): Public health is value-free.

/release-evidence (All sprint evidence in one dashboard): QA evidence is visible.

/operator-push-pack (GitHub push pack manifest): Push boundary is visible.

/staging-health (Staging health for AWS and Cloudflare): Staging health page is visible.

/pos-desktop (POS Desktop): Cashier desktop route remains reachable.

/communications (Communication): Notification contracts remain reachable.
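The two smoke steps of the checklist (health smoke and operator route check), the proxy step's requirement that the app stays private on localhost, and the route list above, combined into one script that an operator can run against the staging host after Nginx is in place. This is an added example, not code from the MUPZAOS runbook or repository. It assumes the app port is 3000 (from the start command in the checklist), it uses curl by default with a FETCH hook so the checks can be exercised offline, and its definition of "value-free" (no secret env name from the Firebase or Notifications families, no 40+ character token-like run, no PEM private-key marker in the health payload) is this script's own heuristic, not something the page defines.

```shell
#!/usr/bin/env bash
# Staging smoke for the AWS staging checklist (added example, not MUPZAOS code).
# Checks, in order:
#   1. /api/health answers 200 and the payload is value-free (no secret material);
#   2. every operator route from the smoke route list answers 200 through Nginx;
#   3. the app port (3000, from the start command) is NOT reachable from outside,
#      i.e. only the reverse proxy exposes the app.
# Usage: ./staging-smoke.sh https://<staging-domain>
set -u

# Routes from the "Staging smoke routes" list; /api/health is checked separately.
OPERATOR_ROUTES="/ /release-evidence /operator-push-pack /staging-health /pos-desktop /communications"

# Secret env names from the Firebase and Notifications families. Policy of this
# script (assumption): a value-free health payload reports family readiness only
# (e.g. "notifications":"configured"), so none of these names may appear in it.
SECRET_ENV_NAMES="FIREBASE_SERVICE_ACCOUNT_BASE64 WHATSAPP_ACCESS_TOKEN TELEGRAM_BOT_TOKEN SMTP_PASS"

# Fetcher contract: print the response body, then the HTTP status on the last
# line. curl prints 000 when the connection fails. Set FETCH to another
# function (e.g. a stub) to run the checks offline.
http_fetch() {
  curl -s -m 10 -w '\n%{http_code}' "$1" || true
}
FETCH=${FETCH:-http_fetch}

# Returns 0 when the payload carries no secret env name, no token-like run of
# 40+ base64 characters and no PEM private-key marker. Short passwords escape
# the length heuristic, which is why the name check comes first.
health_is_value_free() {
  local body=$1 name
  for name in $SECRET_ENV_NAMES; do
    case "$body" in *"$name"*) return 1 ;; esac
  done
  if printf '%s' "$body" | grep -Eq '[A-Za-z0-9+/=]{40,}'; then
    return 1
  fi
  if printf '%s' "$body" | grep -q 'PRIVATE KEY'; then
    return 1
  fi
  return 0
}

# Every operator route must answer 200 through the public (Nginx) address.
check_routes() {
  local base=$1 route status rc=0
  for route in $OPERATOR_ROUTES; do
    status=$("$FETCH" "$base$route" | tail -n 1)
    if [ "$status" != "200" ]; then
      echo "FAIL $route -> HTTP $status" >&2
      rc=1
    fi
  done
  return "$rc"
}

# The start command binds the app to port 3000; a public hit on it must fail,
# otherwise the security group or the bind address is wrong.
app_port_is_private() {
  local host=$1 status
  status=$("$FETCH" "http://$host:3000/api/health" | tail -n 1)
  [ "$status" != "200" ]
}

run_staging_smoke() {
  local base=${1%/} host resp status body rc=0
  host=${base#*://}; host=${host%%/*}; host=${host%%:*}
  resp=$("$FETCH" "$base/api/health")
  status=$(printf '%s\n' "$resp" | tail -n 1)
  body=$(printf '%s\n' "$resp" | sed '$d')
  if [ "$status" != "200" ]; then
    echo "FAIL /api/health -> HTTP $status" >&2; rc=1
  elif ! health_is_value_free "$body"; then
    echo "FAIL /api/health payload is not value-free" >&2; rc=1
  fi
  check_routes "$base" || rc=1
  if ! app_port_is_private "$host"; then
    echo "FAIL app port 3000 answers from outside; check Nginx bind and security group" >&2; rc=1
  fi
  [ "$rc" -eq 0 ] && echo "PASS staging smoke for $base"
  return "$rc"
}

if [ $# -gt 0 ]; then
  run_staging_smoke "$1"
fi
```

Run it from the operator machine, not from the staging server itself: the port-3000 check only means something when the request originates outside the instance, since from localhost the app is supposed to answer. A non-zero exit is the signal to keep the previous process config and DNS unchanged, as the rollback step says.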