# Demo to Real Readiness

## Rule

Demo mode can support investor demos and provider acquisition, but production must never accidentally run raw demo providers as live providers.

## Environment Controls

Provider integrations must declare one environment:

- `DEMO`
- `SANDBOX`
- `PRODUCTION`

Categories must declare one operating mode:

- `DISABLED`
- `MARKETING_ONLY`
- `INQUIRY_ONLY`
- `DEMO_ONLY`
- `SANDBOX_READY`
- `LIVE_READY`

Production live flows should require both:

1. Category mode is `LIVE_READY`.
2. Provider integration environment is `PRODUCTION`, enabled, and live ready.

## Secrets

Provider credentials must live in an approved vault, such as Doppler, 1Password, AWS Secrets Manager, or Cloudflare Secrets. Navi stores only `vaultSecretRef`, never raw keys, tokens, passwords, or private keys.

The shared validator rejects obvious raw secret values and unknown secret fields.

## Dashboard Workflow

1. Super Admin or authorized Admin creates a provider integration.
2. The integration starts as demo or sandbox unless live approval exists.
3. Admin records API and webhook URLs plus vault reference names.
4. Admin runs the safe mock health check.
5. Production live readiness requires human approval and a future real adapter check.
6. All changes are visible in provider audit history.

## Production Safety

Do not enable `LIVE_READY` for a category or provider until:

- Contract and SLA are approved.
- Sandbox tests pass.
- Vault secret reference exists.
- Webhook verification is implemented.
- Payment/refund/commission behavior is approved.
- Support and rollback runbooks exist.

## Control Tower Enforcement

The current Provider Control Tower enforces the following before a provider can be treated as production-ready:

1. Provider environment must explicitly be `PRODUCTION`.
2. Production providers cannot enable transactional capabilities without `vaultSecretRef`.
3. Demo integrations cannot be marked `liveReady`.
4. Demo integrations cannot enable payment, refund, or commission flags.
5. Refund and commission flags require payment to be enabled.
6. Payment-enabled sandbox integrations must be `sandboxReady`.
7. Payment-enabled production integrations must be `liveReady`.
8. Production live readiness is blocked when health is `DEGRADED`, `DOWN`, or `DISABLED`.

The dashboard shows these rules as clear labels and warnings. A warning label is not a secret, and no raw secret values should ever be entered, logged, exported, or displayed.
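
The eight rules above can be expressed as one fail-closed check. The sketch below is an added example, not Navi's own code. It assumes a plain integration object, the hypothetical flag names `paymentEnabled`, `refundEnabled`, `commissionEnabled` and `health`, and that "transactional capabilities" means any of those three flags.

```javascript
// Added example, not Navi's code. The object shape and the names paymentEnabled,
// refundEnabled, commissionEnabled and health are assumptions; the environment
// values, vaultSecretRef, liveReady and sandboxReady come from the page.
const BLOCKING_HEALTH = new Set(["DEGRADED", "DOWN", "DISABLED"]);

// Returns the numbers (1-8) of the enforcement rules the integration violates.
function violatedRules(p) {
  const env = p.environment; // a missing environment never counts as PRODUCTION
  const payment = p.paymentEnabled === true;
  const refund = p.refundEnabled === true;
  const commission = p.commissionEnabled === true;
  const transactional = payment || refund || commission; // assumed meaning
  const hasVaultRef =
    typeof p.vaultSecretRef === "string" && p.vaultSecretRef.trim() !== "";
  const live = p.liveReady === true;
  const rules = [];
  if (live && env !== "PRODUCTION") rules.push(1);
  if (env === "PRODUCTION" && transactional && !hasVaultRef) rules.push(2);
  if (env === "DEMO" && live) rules.push(3);
  if (env === "DEMO" && transactional) rules.push(4);
  if ((refund || commission) && !payment) rules.push(5);
  if (env === "SANDBOX" && payment && p.sandboxReady !== true) rules.push(6);
  if (env === "PRODUCTION" && payment && !live) rules.push(7);
  if (env === "PRODUCTION" && live && BLOCKING_HEALTH.has(p.health)) rules.push(8);
  return rules;
}

// Fail closed: ready only when explicitly PRODUCTION, liveReady, and rule-clean.
function isProductionReady(p) {
  return p.environment === "PRODUCTION" && p.liveReady === true &&
    violatedRules(p).length === 0;
}

// Constructed samples; "HEALTHY" and the vault reference string are made up.
const REF = "vault://providers/example/api-key";
const SAMPLES = {
  demoMarkedLive: { environment: "DEMO", liveReady: true, paymentEnabled: true },
  prodNoVaultRef: { environment: "PRODUCTION", liveReady: true, paymentEnabled: true, health: "HEALTHY" },
  prodDegraded: { environment: "PRODUCTION", liveReady: true, paymentEnabled: true, vaultSecretRef: REF, health: "DEGRADED" },
  sandboxRefundOnly: { environment: "SANDBOX", refundEnabled: true },
  prodOk: { environment: "PRODUCTION", liveReady: true, paymentEnabled: true, vaultSecretRef: REF, health: "HEALTHY" },
};

for (const [name, p] of Object.entries(SAMPLES)) {
  console.log(name, violatedRules(p), isProductionReady(p));
}
```

Only the vault reference name is ever read here; the check never needs, and should never be handed, the secret value itself.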

## What Remains Mocked

Wave 1 provider health checks are safe mock checks. They validate Navi-side configuration, readiness flags, and environment labels, but they do not call provider APIs. Real adapter health checks require a separate provider-specific PR with signed requests, timeout handling, logging, and rollback behavior.
