# Video Media Factory Go-Live Credential Checklist

Do not paste real secret values into docs, tickets, screenshots, or reports. Store secrets in VPS/Coolify environment variables or a password vault.

## Current Verified Status

- FFmpeg/FFprobe: required for rendering and already exposed on the VPS worker lane.
- Coqui TTS: required for local voice generation and already running through the Python 3.11 sidecar.
- Analytics: real event ingestion is implemented through the Media Factory API event store. Grafana and Logflare exist on the VPS, but dashboard panels still need final business wiring.
- Postiz: installed on the VPS, but not connected until Joseph approves accounts and integration IDs.
- MCP: repo includes MCP servers for client/agent operation.
- Enterprise API keys: the Python auth service supports user keys, but the main Node API still needs a customer key portal, scopes, rate limits, usage logs, and route enforcement.

## Required Credentials

| Area | Credential | Required For | Status |
| --- | --- | --- | --- |
| App | `NEXT_PUBLIC_APP_URL`, `API_BASE_URL` | Public links and web/API connection | Required |
| Database | `DATABASE_URL` or `POSTGRES_URL` | Users, projects, jobs, records | Required |
| Supabase | `NEXT_PUBLIC_SUPABASE_URL`, `NEXT_PUBLIC_SUPABASE_ANON_KEY`, `SUPABASE_SERVICE_ROLE_KEY` | Supabase auth/data lane | Required if Supabase is active |
| Supabase deploy | `SUPABASE_ACCESS_TOKEN`, migration Postgres URI | CLI deploy/migrations | Deploy-only |
| Stripe | `STRIPE_SECRET_KEY`, `STRIPE_WEBHOOK_SECRET`, plan price IDs | Checkout and payment delivery | Required before paid launch |
| OpenAI/LLM | `OPENAI_API_KEY`, optional `OPENROUTER_API_KEY`, `ANTHROPIC_API_KEY`, `REPLICATE_API_TOKEN`, `FAL_KEY` | Script, metadata, media generation | Depends on active provider |
| Stock media | `PEXELS_API_KEY`, optional `PIXABAY_API_KEY` | Stock video/image search | Required for stock lane |
| Voice | `TTS_SERVICE_URL`, `TTS_ENGINE`, optional `ELEVENLABS_API_KEY`, `FISH_AUDIO_API_KEY` | Voice generation/dubbing | Coqui proven; cloud optional |
| Storage | `S3_ENDPOINT`/`MINIO_ENDPOINT`, `S3_ACCESS_KEY`/`MINIO_ACCESS_KEY`, `S3_SECRET_KEY`/`MINIO_SECRET_KEY`, bucket | Store outputs/assets | Required for production |
| Publishing | `POSTIZ_API_BASE`, `POSTIZ_API_KEY`, `POSTIZ_INTEGRATION_IDS` | Social publishing | Needs Joseph account approval |
| Analytics | `ANALYTICS_PROVIDER`, `ANALYTICS_DATA_DIR`, `GRAFANA_BASE_URL`, `LOGFLARE_CONTAINER` | Real metrics and dashboards | Event store proven |
| MCP | `MCP_TRANSPORT`, `MCP_HOST`, `MCP_PORT` | Agent/client operation | Implemented |
| Enterprise API | Customer API keys, scopes, rate limit store, usage logs | REST API clients | Must be finished before sale |
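
A preflight check for the table above, as an added example rather than code from the Media Factory repo: it reports which required variables are unset for the active lanes and flags secret-looking names under `NEXT_PUBLIC_`, which Next.js inlines into the browser bundle, while printing names only and never values. The lane names, the `ACTIVE_LANES` variable and the `preflight` function are assumptions; the bucket and Stripe price ID variables are not named on this page and are left out.

```python
"""Preflight check for the credential table (added example, not project code)."""
import os

# Each tuple is a group of alternative names; any one non-empty value satisfies it.
# Variable names come from the table above; the lane names are assumptions.
RULES = {
    "core": [("NEXT_PUBLIC_APP_URL",), ("API_BASE_URL",),
             ("DATABASE_URL", "POSTGRES_URL")],
    "supabase": [("NEXT_PUBLIC_SUPABASE_URL",), ("NEXT_PUBLIC_SUPABASE_ANON_KEY",),
                 ("SUPABASE_SERVICE_ROLE_KEY",)],
    "stripe": [("STRIPE_SECRET_KEY",), ("STRIPE_WEBHOOK_SECRET",)],
    "stock": [("PEXELS_API_KEY",)],
    "storage": [("S3_ENDPOINT", "MINIO_ENDPOINT"),
                ("S3_ACCESS_KEY", "MINIO_ACCESS_KEY"),
                ("S3_SECRET_KEY", "MINIO_SECRET_KEY")],
    "publishing": [("POSTIZ_API_BASE",), ("POSTIZ_API_KEY",),
                   ("POSTIZ_INTEGRATION_IDS",)],
}
# Next.js inlines NEXT_PUBLIC_* values into the browser bundle, so a secret-looking
# name under that prefix is a leak. The Supabase anon key is meant to be public.
SECRET_HINTS = ("SECRET", "SERVICE_ROLE", "PASSWORD", "TOKEN", "PRIVATE", "API_KEY")


def preflight(env, lanes):
    """Return (missing, exposed) as lists of variable NAMES; values never leave env."""
    missing = []
    for lane in ("core", *lanes):  # an unknown lane name raises KeyError
        for group in RULES[lane]:
            if not any(env.get(name, "").strip() for name in group):
                missing.append(" or ".join(group))
    exposed = sorted(
        name for name in env
        if name.startswith("NEXT_PUBLIC_") and any(h in name for h in SECRET_HINTS)
    )
    return missing, exposed


if __name__ == "__main__":
    # Hypothetical toggle, e.g. ACTIVE_LANES=supabase,stripe,storage
    raw = os.environ.get("ACTIVE_LANES", "")
    active = [lane.strip() for lane in raw.split(",") if lane.strip()]
    missing, exposed = preflight(os.environ, active)
    for item in missing:
        print(f"MISSING  {item}")
    for name in exposed:
        print(f"EXPOSED  {name} (secret-looking name under NEXT_PUBLIC_)")
    raise SystemExit(1 if missing or exposed else 0)
```

Run it inside the VPS/Coolify environment that holds the variables; the non-zero exit code lets a deploy step stop before go-live.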

## Human Approval Gates

- Which Postiz accounts/integrations Media Factory can publish to.
- Any live Stripe price/payment setting changes.
- Any public MCP exposure.
- Any enterprise API key access given to an outside client.
- DNS, production database reset, secrets rotation, or payment flow changes.

## Go-Live Rule

Self-serve launch needs billing, storage, delivery, analytics, support, and render proof. Enterprise API/MCP launch needs an authenticated MCP gateway and full API-key enforcement.
