{"ok":true,"readiness":{"version":"2026-07-07-consultation-production-readiness-v3","productionReady":false,"safeToPersistBuyerData":false,"defaultRecommendation":"Keep consultation persistence disabled. Continue polishing demo UX and prepare external Lightsail/Auth credentials separately.","areas":[{"id":"auth","label":"Auth.js login","status":"missing_input","summary":"Login remains disabled until secrets, provider credentials, B2B DB, staff emails, and private storage are ready.","ownerActionRequired":true,"nextAction":"Prepare AUTH_SECRET, AUTH_URL, login provider credentials, and staff/admin email allowlists."},{"id":"database","label":"B2B database","status":"missing_input","summary":"Database connection remains disabled until a separate Lightsail PostgreSQL database is prepared.","ownerActionRequired":true,"nextAction":"Create a separate Lightsail PostgreSQL database and set B2B_DATABASE_URL only in local/server env."},{"id":"room_guard","label":"Room access guard","status":"locked","summary":"Production room access is denied until Auth.js session checks and B2B DB room membership lookups are real.","ownerActionRequired":false,"nextAction":"Implement repository-backed membership checks after auth and DB are configured."},{"id":"consultation_api","label":"Consultation API writes","status":"locked","summary":"Room, message, attachment, quote, sample, and handoff persistence remains locked by design.","ownerActionRequired":false,"nextAction":"Keep write APIs locked until auth, database, room guard, private storage, and audit logging are complete."},{"id":"repository","label":"Repository adapter","status":"locked","summary":"The consultation repository is currently a no-op adapter. It defines the DB boundary but cannot read or write buyer data.","ownerActionRequired":false,"nextAction":"Replace the no-op adapter with a PostgreSQL adapter only after Auth.js, room guards, private storage, and audit logging are ready."},{"id":"private_storage","label":"Private attachment storage","status":"locked","summary":"Buyer image storage is a no-op adapter. Uploaded files are not written to disk, public paths, R2, or S3.","ownerActionRequired":true,"nextAction":"Choose a private local upload directory or private R2/S3 bucket, then keep the adapter locked until room access and audit logging are ready."},{"id":"abuse_protection","label":"Rate limit and abuse protection","status":"locked","summary":"Rate limiting and Turnstile are no-op. Demo routes remain usable, but public production traffic is not protected yet.","ownerActionRequired":true,"nextAction":"Add Redis-backed rate limiting and Turnstile verification before enabling public sign-in, room creation, uploads, or inquiry persistence."},{"id":"security_audit","label":"Security audit logging","status":"locked","summary":"Security audit logging is a no-op adapter. No sign-in, room, upload, handoff, rate-limit, or admin security events are recorded yet.","ownerActionRequired":true,"nextAction":"Add a B2B database-backed audit writer with metadata redaction before enabling real buyer rooms or staff actions."},{"id":"viewer_realtime","label":"Shared viewer realtime","status":"demo_only","summary":"Staff-selected 3D viewer presets sync through memory-only SSE for demo rooms. This is not persistent production realtime.","ownerActionRequired":false,"nextAction":"Move viewer state to B2B DB plus Redis/Socket.IO after room guards exist."},{"id":"retention_backup","label":"Backup and retention","status":"missing_input","summary":"Recommended policy is documented: Lightsail point-in-time backup, manual snapshots before changes, 3-year room retention, 5-year audit retention.","ownerActionRequired":true,"nextAction":"Owner should review the recommended retention policy before storing real buyer conversations."}],"ownerActions":["Prepare AUTH_SECRET, AUTH_URL, login provider credentials, and staff/admin email allowlists.","Create a separate Lightsail PostgreSQL database and set B2B_DATABASE_URL only in local/server env.","Choose a private local upload directory or private R2/S3 bucket, then keep the adapter locked until room access and audit logging are ready.","Add Redis-backed rate limiting and Turnstile verification before enabling public sign-in, room creation, uploads, or inquiry persistence.","Add a B2B database-backed audit writer with metadata redaction before enabling real buyer rooms or staff actions.","Owner should review the recommended retention policy before storing real buyer conversations."],"lockedFlags":{"authEnabled":false,"databaseEnabled":false,"roomGuardEnabled":false,"persistenceEnabled":false,"repositoryEnabled":false,"attachmentStorageEnabled":false,"rateLimitEnabled":false,"turnstileEnabled":false,"securityAuditEnabled":false},"links":{"authStatus":"/api/b2b-auth/status","databaseStatus":"/api/b2b-db/status","roomGuardStatus":"/api/consultation/room-access/status","setupGuide":"docs/B2B_DATABASE_SETUP_GUIDE.md","storageGuide":"docs/CONSULTATION_ATTACHMENT_STORAGE_SCAFFOLD.md","rateLimitGuide":"docs/CONSULTATION_RATE_LIMIT_SCAFFOLD.md","securityAuditGuide":"docs/CONSULTATION_SECURITY_AUDIT_SCAFFOLD.md","roomGuardPlan":"docs/CONSULTATION_ROOM_ACCESS_GUARD_PLAN.md","productionSequence":"docs/CONSULTATION_PRODUCTION_BUILD_SEQUENCE.md"}}}