# VACKRON Installation Guide

## Requirements

- PHP 8.2 with PDO MySQL
- MySQL 8 or MariaDB 10.6+
- Apache `mod_rewrite` or equivalent Nginx rewrites
- Flutter 3.x and Android SDK for APK/AAB builds
- HTTPS in production

## Database

```sql
CREATE DATABASE odspeco2_vackron CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;
CREATE USER 'odspeco2_vackron'@'localhost' IDENTIFIED BY 'strong-password';
GRANT ALL PRIVILEGES ON odspeco2_vackron.* TO 'odspeco2_vackron'@'localhost';
FLUSH PRIVILEGES;
```

Import:

```bash
mysql -u odspeco2_vackron -p odspeco2_vackron < database/schema.sql
```

Create the first admin with an Argon2id password hash and insert it into `admins`.

## Environment

Copy `.env.example` to `.env` and set:

- `APP_URL`
- `APP_SECRET`
- `JWT_SECRET`
- `DB_PASS`
- `FAST2SMS_API_KEY`
- `SHIPROCKET_API_KEY`
- `SHIPROCKET_SECRET_KEY`
- `SHIPROCKET_WEBHOOK_SECRET`
- `SHIPROCKET_CHECKOUT_BASE_URL`

The local workspace `.env` is ignored by git. Rotate keys before launch if they were shared through screenshots or chat.

## Web Roots

- Website: `public/`
- Admin panel: `admin/`
- API: `app_api/`

For single-domain hosting, expose `/public`, `/admin`, and `/app_api` as aliases and keep the repository root outside public web access.

## Shiprocket Checkout Flow

1. Customer logs in with OTP.
2. Customer adds products to cart.
3. Customer creates/selects an address.
4. Website/app calls `POST /checkout/shiprocket-token`.
5. Backend signs the Shiprocket token request with HMAC SHA256.
6. Website opens the returned checkout URL in the iframe.
7. Shiprocket posts to `/shiprocket/order-webhook`.
8. Backend updates order/payment/shipping status and logs the webhook.

Configure these callback URLs in the Shiprocket Checkout dashboard:

- Product update: `{APP_URL}/app_api/shiprocket/product-webhook`
- Collection update: `{APP_URL}/app_api/shiprocket/collection-webhook`
- Order webhook: `{APP_URL}/app_api/shiprocket/order-webhook`
- Product feed: `{APP_URL}/app_api/shiprocket/products`
- Collection feed: `{APP_URL}/app_api/shiprocket/collections`

## Flutter Android

Set `android_app/android/local.properties`:

```properties
flutter.sdk=C:\\Users\\Ashmit\\development\\flutter
sdk.dir=C:\\Users\\Ashmit\\AppData\\Local\\Android\\Sdk
```

Build:

```bash
cd android_app
flutter pub get
flutter analyze
flutter build apk --release --dart-define=API_BASE_URL=https://your-domain.com/app_api
flutter build appbundle --release --dart-define=API_BASE_URL=https://your-domain.com/app_api
```

Outputs:

- APK: `android_app/build/app/outputs/flutter-apk/app-release.apk`
- AAB: `android_app/build/app/outputs/bundle/release/app-release.aab`

## Production Checklist

- Enable HTTPS/HSTS.
- Set `SESSION_SECURE=true`.
- Rotate `.env` secrets before launch.
- Rotate Android signing keys if they were exposed.
- Configure Fast2SMS approved templates and sender ID.
- Configure Shiprocket webhook secrets and callback URLs.
- Schedule MySQL backups and restore tests.
- Run `php -l` on PHP files and `flutter analyze` before every release.