# Staging Environment Runbook

Use this runbook to create the first Vercel + Supabase + Cloudflare staging environment before any production casino traffic.

## Purpose

Staging should prove the real deployment path without real-money traffic:

- Vercel serves the app through `api/index.js`.
- Supabase/Postgres stores operators, sessions, seeds, bets, casino transaction audit, and reconciliation rows.
- Cloudflare DNS points a staging hostname at Vercel.
- Casino wallet callbacks remain HTTPS and use the configured operator currency.

## Vercel Environment

Create a Vercel environment for previews or a dedicated staging deployment with these values:

```txt
APP_ENV=staging
NODE_ENV=production
STORAGE_DRIVER=postgres
DATABASE_URL=<Supabase pooled runtime connection string>
DATABASE_POOL_SIZE=10
OPERATOR_SECRET_STAGING_ROUGE=<staging shared secret>
READINESS_OPERATOR_ID=staging-rouge
CASINO_CALLBACK_TIMEOUT_MS=3000
CASINO_CALLBACK_RETRIES=1
```

Use `APP_ENV=staging` for staging because Vercel may set `NODE_ENV=production` for optimized runtime behavior. Real production must use `APP_ENV=production`.

Do not use `DEMO_OPERATOR_API_SECRET` for staging. Use an operator-specific secret such as `OPERATOR_SECRET_STAGING_ROUGE`.

## Supabase Staging Data

1. Apply the schema from `db/schema.sql` or the committed migrations.
2. Review `docs/staging-operator-seed-template.sql`.
3. Replace callback URL and theme values if needed.
4. Run the SQL against the staging database.
5. Add the matching Vercel secret for the operator id.

The seed template creates:

- `staging-rouge` operator
- Dice, Limbo, and Plinko game config rows
- one operator-currency profile with USD limits by default

Duplicate the seed with a separate operator id, limits, and `currency: 'uBTC'` when staging uBTC alongside USD.

## Cloudflare DNS

Recommended first staging hostname:

```txt
staging-games.rougereels.com
```

Add the hostname to the Vercel project first, then create the DNS record Cloudflare shows as required by Vercel. Start DNS-only until Vercel verifies TLS.

## Smoke Test

After Vercel deploys:

```powershell
npm.cmd run smoke:deployment -- https://staging-games.rougereels.com
```

Expected:

- `/health` returns `status: "ok"`.
- `/health` returns `environment: "staging"`.
- `/health` returns `storageDriver: "postgres"`.
- `/health` returns `currency: "multi"`.
- `/health` returns `supportedCurrencies` including `uBTC`.
- `/ready?operatorId=staging-rouge` returns `status: "ready"` without exposing secrets.
- `/docs/openapi.json` is reachable.

Only use `SMOKE_INCLUDE_SANDBOX=1` if the staging database intentionally includes the local demo operator and sandbox callback path. Real staging operator callbacks should be tested with the casino callback harness instead.

## Promotion Rule

Do not copy staging environment variables into production blindly. Production must use its own operator ids, secrets, callback URLs, database connection string, Cloudflare hostname, and go-live approvals.