# Task 018 — Production Readiness

**Status:** done  
**Phase:** 10 — Production

## Objective

Harden the platform for internal use: security, permissions, health checks, logging, deployment docs, smoke tests. No new business features.

## Delivered

- Permission model: read vs manage; viewer read-only
- `api-guards.ts`, enhanced `api-response.ts` (safe errors, logging)
- Permission guards on major mutation routes and key GET routes
- `html-safety.ts` for inbox/template HTML preview
- Enhanced `GET /api/health` (DB, SMTP/IMAP presence, AI, version)
- Fixed duplicate Mongoose index on `users.email`
- `scripts/sync-indexes.ts`
- Docs: `20-production-readiness.md`, `21-smoke-test-checklist.md`

## Acceptance criteria

- [x] `npm run lint` / `npm run build`
- [x] No new feature modules
- [x] Admin settings + data cleanup protected
- [x] Health route improved
- [x] Index warning fixed (user email)
- [x] Production + smoke test docs
- [x] Roadmap/changelog/task index updated

## Next

Internal testing using smoke checklist; address findings before wider rollout.