> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tattoo.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# Production Readiness And Control Plane

> How TattooAPI reports production readiness, provider dependencies, release posture, and safety boundaries.

# Production Readiness And Control Plane

TattooAPI is the governed API control plane. Readiness means the hosted API can receive governed intake, private worker, and approved portfolio workflows without giving vendors or private workers direct write authority.

## Health Layers

| Check                                        | Use it for                      | Success means                                                    |
| -------------------------------------------- | ------------------------------- | ---------------------------------------------------------------- |
| `GET /api/v1/health/live`                    | API liveness                    | The API process is running.                                      |
| `GET /api/v1/health/ready`                   | Production dependency readiness | Required providers and safety posture are configured.            |
| `npm run smoke:api-production-release-ready` | Release gate                    | Live and ready endpoints are both safe for production promotion. |

`/live` can be green while `/ready` is blocked. Use `/ready` for production decisions.

## Required Provider Families

`/ready` reports dependency names, not secret values:

* public API hosting
* private staging for portfolio intake media
* communications buffer
* TattooAPI identity evidence lookup, not legal KYC
* outbound private worker configuration
* approved portfolio storage
* runtime and actor mapping store
* partner auth and machine access
* metadata-only observability

## Release Ready

`releaseReady=true` means the strict release smoke saw:

* `/api/v1/health/live` return `200`
* `/api/v1/health/ready` return `200` with `status="ready"`
* no missing readiness dependency envs
* no production loopback runtime URLs
* communications and partner-auth direct probes accepted
* safety posture still blocks public writes and direct private-worker writes

It does not mean SMS/MMS A2P is approved. A2P approval remains required before launching SMS/MMS intake to artists.

## Safety Posture

Production readiness keeps the boundary strict:

* public writes are blocked
* direct private-worker writes to approved portfolio storage are blocked
* direct private-worker mutations to runtime records are blocked
* communications providers cannot publish directly
* staged media is private
* observability traces are metadata-only and not write authority

## Operator Use

Before a production change, run:

```bash theme={"dark"}
npm run audit:production-external-envs
npm run smoke:api-production-readiness
npm run smoke:api-production-release-ready
```

Do not paste secret values into docs, chat, screenshots, source packs, prompts, or repo files.
