# Public Surface Deployment Checklist

This checklist prevents accidental public exposure of app-only commerce surfaces.

## Required Production Settings

1. `edut.ai` serves landing, legal, and trust pages only.
2. The `/store` route is disabled or restricted on the production public domain.
3. `/store/offers.json` is not publicly served in production.
4. Marketplace APIs enforce app/session authentication.
5. Robots headers enforce `noindex` on any preview-only route.

## Header and Caching Controls

1. Preview routes return `X-Robots-Tag: noindex, nofollow, noarchive, nosnippet`.
2. Catalog manifests use a short cache TTL.
3. Quote responses disable shared caching (for example `Cache-Control: private, no-store`) and include anti-replay headers.

## Verification Steps

1. Send an anonymous request to `/store` and confirm checkout is disabled.
2. Send an anonymous request to `/store/offers.json` and confirm it is blocked or unavailable.
3. Confirm a launcher-authenticated session can fetch the catalog.
4. Confirm the public web page has no links to an active checkout surface.

## Release Blockers

Any of the following blocks the release:

1. A production route exposes the active catalog without app/session auth.
2. A production route allows anonymous quote creation.
3. A production route allows preview checkout content to be indexed.
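The header, caching and anonymous-access rules above, and the verification steps, can be encoded as one offline check that reports release blockers. The following is an added example written for this page, not tooling from the project itself: the anti-replay header name `X-Quote-Nonce`, the 300-second ceiling for a "short" TTL, the set of statuses treated as "blocked/unavailable", and the sample responses are all assumptions constructed for the example.

```python
# Added example: offline check of the public-surface rules against captured responses.
# Assumptions (not from the checklist): header name X-Quote-Nonce, 300 s TTL ceiling,
# the set of "blocked" statuses, and the constructed sample responses below.
from dataclasses import dataclass, field
import re

PREVIEW_ROBOTS_DIRECTIVES = {"noindex", "nofollow", "noarchive", "nosnippet"}
MAX_CATALOG_TTL_SECONDS = 300            # assumption: "short TTL" means at most five minutes
ANTI_REPLAY_HEADER = "x-quote-nonce"     # assumption: name of the anti-replay header
BLOCKED_STATUSES = {401, 403, 404, 410}  # assumption: what "blocked/unavailable" looks like
CHECKOUT_LINK = re.compile(r'href="[^"]*/(?:store|checkout)\b', re.IGNORECASE)


@dataclass
class Response:
    """Minimal view of an HTTP response: status, headers, body text."""
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""

    def header(self, name: str) -> str:
        lowered = {k.lower(): v for k, v in self.headers.items()}
        return lowered.get(name.lower(), "")


def cache_max_age(resp: Response):
    """max-age from Cache-Control, or None when absent."""
    m = re.search(r"max-age=(\d+)", resp.header("Cache-Control"))
    return int(m.group(1)) if m else None


def shared_cache_disabled(resp: Response) -> bool:
    """True when Cache-Control forbids shared caches (private or no-store)."""
    directives = {d.strip().lower() for d in resp.header("Cache-Control").split(",")}
    return bool(directives & {"no-store", "private"})


def robots_noindex_complete(resp: Response) -> bool:
    """True when X-Robots-Tag carries every directive required on preview routes."""
    directives = {d.strip().lower() for d in resp.header("X-Robots-Tag").split(",")}
    return PREVIEW_ROBOTS_DIRECTIVES <= directives


def verify_public_surface(anon_store, anon_offers, anon_quote, auth_catalog,
                          preview_page, quote_response, public_page):
    """Return the list of failures; an empty list means no release blocker."""
    failures = []
    # Anonymous surfaces: blocked, or at least carrying no active checkout link.
    if anon_store.status not in BLOCKED_STATUSES and CHECKOUT_LINK.search(anon_store.body):
        failures.append("/store reachable anonymously with an active checkout link")
    if anon_offers.status not in BLOCKED_STATUSES:
        failures.append("/store/offers.json served to an anonymous client")
    if anon_quote.status not in BLOCKED_STATUSES:
        failures.append("anonymous quote creation succeeded")
    # Authenticated catalog fetch must work and must carry a short TTL.
    if auth_catalog.status != 200:
        failures.append("launcher-authenticated session cannot fetch the catalog")
    else:
        ttl = cache_max_age(auth_catalog)
        if ttl is None or ttl > MAX_CATALOG_TTL_SECONDS:
            failures.append(f"catalog manifest TTL missing or above {MAX_CATALOG_TTL_SECONDS}s")
    # Preview content must not be indexable.
    if not robots_noindex_complete(preview_page):
        failures.append("preview route missing full X-Robots-Tag noindex directives")
    # Quotes: no shared caching, anti-replay header present.
    if not shared_cache_disabled(quote_response):
        failures.append("quote response is shared-cacheable")
    if not quote_response.header(ANTI_REPLAY_HEADER):
        failures.append(f"quote response missing {ANTI_REPLAY_HEADER}")
    # Public pages must not link into the checkout surface.
    if CHECKOUT_LINK.search(public_page.body):
        failures.append("public page links to the checkout surface")
    return failures


def hardened_probes():
    """Constructed sample: responses from a correctly locked-down production deploy."""
    return dict(
        anon_store=Response(404),
        anon_offers=Response(403),
        anon_quote=Response(401),
        auth_catalog=Response(200, {"content-type": "application/json",
                                    "cache-control": "private, max-age=60"}, '{"offers": []}'),
        preview_page=Response(200, {"x-robots-tag": "noindex, nofollow, noarchive, nosnippet"}),
        quote_response=Response(200, {"cache-control": "private, no-store",
                                      ANTI_REPLAY_HEADER: "4f3c9a"}),
        public_page=Response(200, {}, '<a href="/legal/terms">Terms</a>'),
    )


def leaky_probes():
    """Constructed sample: every rule violated at once."""
    return dict(
        anon_store=Response(200, {}, '<a href="/store/checkout">Checkout</a>'),
        anon_offers=Response(200, {"content-type": "application/json"}, '{"offers": [1]}'),
        anon_quote=Response(201),
        auth_catalog=Response(200, {"cache-control": "public, max-age=86400"}),
        preview_page=Response(200, {"x-robots-tag": "noindex, nofollow"}),
        quote_response=Response(200, {"cache-control": "public, max-age=60"}),
        public_page=Response(200, {}, '<a href="https://edut.ai/store/checkout">Buy</a>'),
    )


if __name__ == "__main__":
    for name, probes in (("hardened", hardened_probes()), ("leaky", leaky_probes())):
        print(name, verify_public_surface(**probes) or "OK")
```

In a real pipeline the `Response` objects would be filled from the anonymous and launcher-authenticated requests of the verification steps; the check is deliberately strict about `X-Robots-Tag`, since `noindex` alone still lets a crawler follow, archive or snippet a preview checkout page.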