<!--
  Parsec Sdn. Bhd. · AMIR
  Generated by the Parsec Sdn. Bhd. AI Development Framework v2
  © 2026 Parsec Sdn. Bhd. All rights reserved.
  Internal use only. Unauthorised reproduction or use outside of
  Parsec Sdn. Bhd.-authorised projects is prohibited.
-->

# AMIR — Pre-Flight Checklist

**Phase:** 12 (Pre-Flight + Bootstrap)
**Document Version:** 1.0
**Last Updated:** 2026-05-05
**Tender Deadline:** 21 May 2026 (16 days)
**v1 Pilot Target:** ~25 August 2026

This document tracks every external dependency, account, registration, and infrastructure setup that must happen *outside* the codebase. Many items have multi-week lead times — start them now, in parallel with development. The principle from Framework §12.7: **only start things when you need them.** Items that block the demo (21 May) start today; items that block v1 production (~25 Aug) start in mid-June; items that block AMIR commercial expansion start in Q4.

---

## How to Use This Document

For every item:
1. Check it against the **Earliest start** column — has the trigger date arrived?
2. Check **Blocks** — what won't ship if this isn't done?
3. Mark the checkbox `[x]` when complete; record the date in the Notes column.
4. If an item slips past its earliest start date, **flag immediately** in the daily standup notes — long-lead items have no recovery path.

**Critical path warning:** Three items have hard external deadlines that cannot be moved:
- **MyInvois Public Key API access (LHDN)** — required for any e-Invoice work; LHDN approval has been ~2-3 weeks historically.
- **WhatsApp Business API approval (Meta)** — required for v1 notifications; 2-4 weeks typical.
- **Domain DNS propagation** — 24-48hr after configuration.

If MyInvois access is not granted by mid-July, S25-S26 (the e-Invoice sprint pair) cannot ship and v1 must defer e-Invoice. Have a fallback plan documented.

---

## GROUP 1 — Day 0: Long Lead Times (start NOW)

These have multi-week approval/registration windows. Submit them this week (5-11 May 2026). They run in the background while demo development proceeds.

| ☐ | Task | Service | Lead Time | Blocks | Earliest Start | Notes |
|---|------|---------|-----------|--------|----------------|-------|
| [ ] | **MyInvois Public Key API access** | LHDN MyInvois Sandbox + Production | 2-3 weeks | S25 (e-Invoice integration), S26 (consolidated invoices) | Today (5 May 2026) | Apply at [sdk.myinvois.hasil.gov.my](https://sdk.myinvois.hasil.gov.my). Sandbox first, then production. Need TIN + SSM cert. |
| [ ] | **WhatsApp Business API verification** | Meta Business | 2-4 weeks | S08 (member notifications), S22 (signal alerts via WhatsApp) | Today | Apply via Meta Business Suite. Submit message templates for member notification + signal alert categories. |
| [ ] | **AWS account (ap-southeast-3 Jakarta region)** | AWS | Same day, but billing verification 1-2 days | S00 demo deploy (Forge needs AWS) | Today | AMIR is Malaysia-residency per Decision D9; ap-southeast-3 Jakarta is the closest region with full service coverage (Singapore acceptable as fallback). |
| [ ] | **Forge account + AWS connection** | Laravel Forge | Same day | S00 D1.15 (demo deploy task) | Today | Connect Forge to AWS account. Forge will provision droplets and managed Postgres. |
| [ ] | **Anthropic API key (production tier)** | Anthropic | Same day | S22 (signal LLM explanations), S39 (analytics narratives) | Today | Per D12. Use Sonnet for production paths, Haiku for cost-sensitive paths. Set spending limits. |
| [ ] | **Sentry account (Team plan)** | Sentry | Same day | S41 (production hardening) | 1 June 2026 | Per D23. Configure PII scrubbing in `beforeSend`. Replays disabled per security review. |
| [ ] | **GitHub organisation + private repo** | GitHub | Same day | bootstrap.sh Path A | Today | Create org `parsec-my` (or similar). Repo `amir`. Enable branch protection on main, staging, prod after first push. |
| [ ] | **Domain registration: amir.com.my (or chosen)** | MyNIC / GoDaddy / Namecheap | 24-48hr DNS propagation | Demo URL, production URL | Today | `.my` domains require Malaysian-entity proof — provide SSM cert. Backup options: `amir.app`, `amir-coop.com`. |
| [ ] | **SSL via Let's Encrypt** | Forge → Let's Encrypt | Automated, same day after DNS | Demo deploy | After domain DNS propagation | Forge automates this entirely. |

---

## GROUP 1.5 — Tender Submission Path (HARD DEADLINE: 21 May 2026)

Tender-specific items. These exist outside the normal pre-flight cycle because they have a fixed deadline and a fixed scope.

| ☐ | Task | Owner | Deadline | Notes |
|---|------|-------|----------|-------|
| [ ] | **Read tender attachments end-to-end** | Founder | 8 May 2026 | LampiranA (spesifikasi), LampiranA5i/A5ii (SLA jaminan + penalti), LampiranA6 (SLA pembangunan), LampiranB (jadual harga), Senarai Semak Cadangan Teknikal. The attachments in `/mnt/project/` are the source. |
| [ ] | **Demo build complete and deployed** | Dev | 18 May 2026 (3-day buffer) | Demo sprint S00 ends 4 June, but tender demo URL must be live by 18 May. Demo scope per SPRINT_PLAN.md. |
| [ ] | **Tender response document drafted** | Founder | 19 May 2026 | Pull content from VIABILITY_REPORT.md, ARCHITECTURE.md, SPRINT_PLAN.md. Tender package is a separate document, not part of the build. |
| [ ] | **Pricing schedule (LampiranB) populated** | Founder | 19 May 2026 | Use the Excel file from `/mnt/project/19_LAMPIRANBJADUALPEMATUHANHARGA.xlsm`. |
| [ ] | **Specification compliance schedule (LampiranA)** | Founder | 19 May 2026 | Use `/mnt/project/4_LAMPIRANAJADUALPEMATUHANSPESIFIKASI.xlsm`. Cross-reference against ARCHITECTURE.md and SPRINT_PLAN.md to mark Yes/No/Partial for each spec line. |
| [ ] | **Senarai Semak (Technical Proposal Checklist)** | Founder | 19 May 2026 | Use `/mnt/project/18_SENARAISEMAKCADANGANTEKNIKALS0052026.pdf` as the master list. Every item has a corresponding deliverable from the planning docs. |
| [ ] | **Tender package sent to SKM** | Founder | **21 May 2026 EOD** | This is the immovable deadline. Send-day code budget per SPRINT_PLAN.md is task D3.12 only — clear the afternoon. |

---

## GROUP 2 — Dev Environment (Before running bootstrap.sh, ~1-2 hours)

No lead time. Install missing tools, then run the script.

| ☐ | Task | Command / Action | Notes |
|---|------|------------------|-------|
| [ ] | PHP 8.3 installed | `php --version` → must show 8.3.x | Per Decision D1. Use Herd for macOS (managed installer). |
| [ ] | Composer installed | `composer --version` | |
| [ ] | Node.js 22 LTS installed | `node --version` → must show v22.x | Per dispatch.sh PATH config. NVM recommended. |
| [ ] | npm | `npm --version` | Bundled with Node. |
| [ ] | Git installed and configured | `git config --global user.name`, `user.email` | |
| [ ] | Claude Code installed | `npm install -g @anthropic-ai/claude-code` | Login via `claude /login`. |
| [ ] | tmux installed | `brew install tmux` (macOS) or apt equivalent | Required for L4+ multi-agent sessions. |
| [ ] | gh (GitHub CLI) installed | `brew install gh` (macOS) | Required by `commit-push-pr.md` for PR creation. |
| [ ] | **Run `bootstrap.sh`** | `bash bootstrap.sh` (interactive — answers two questions) | Scaffolds the project, writes all framework files, makes initial commit. |
| [ ] | Git worktrees verified | `git worktree list` shows 5 entries (primary + 4 agents) | bootstrap.sh creates these. |
| [ ] | Shell aliases sourced | `which za` returns the alias path | bootstrap.sh appends to `~/.zshrc`. Open a new terminal tab. |
| [ ] | **Laravel Boost installed** | `composer require laravel/boost --dev` | Per Framework §12.4. Boost provides MCP tools for schema introspection. |
| [ ] | **Boost installer run** | `php artisan boost:install` | Auto-detects Claude Code. Configures MCP. |
| [ ] | **Boost MCP connection verified** | `claude mcp list` → must show `laravel-boost` | Without this, agents cannot use `database_schema`, `tinker`, etc. |
| [ ] | Query detector installed | `composer require beyondcode/laravel-query-detector --dev` | Catches N+1 queries in dev/test. |
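
The version and count constraints in this table can be scripted so they are enforced rather than checked by eye. The following is an added example, not part of `bootstrap.sh` or the framework; the function names are hypothetical, and the output formats it assumes for each command are stated in the comments.

```bash
#!/usr/bin/env bash
# Added example: GROUP 2 pre-flight checks. Each check_* function takes the
# tool's captured output as its argument, so the logic can be tested offline.

# Assumes `php --version` starts with e.g. "PHP 8.3.7 (cli) ..."; requires 8.3.x.
check_php() {
  case "$1" in
    "PHP 8.3."*) return 0 ;;
    *) return 1 ;;
  esac
}

# Assumes `node --version` prints e.g. "v22.11.0"; requires v22.x.
check_node() {
  case "$1" in
    v22.*) return 0 ;;
    *) return 1 ;;
  esac
}

# `git worktree list` prints one line per worktree; the table expects exactly 5.
check_worktrees() {
  count=$(printf '%s\n' "$1" | grep -c .)
  [ "$count" -eq 5 ]
}

# `claude mcp list` output must mention the laravel-boost server.
check_boost_mcp() {
  printf '%s\n' "$1" | grep -q 'laravel-boost'
}

report() {  # report <label> <exit-status>
  if [ "$2" -eq 0 ]; then echo "[ok]   $1"; else echo "[FAIL] $1"; return 1; fi
}

run_preflight() {
  failed=0
  check_php "$(php --version 2>/dev/null)";           report "PHP 8.3.x" $? || failed=1
  check_node "$(node --version 2>/dev/null)";         report "Node v22.x" $? || failed=1
  for tool in composer npm git tmux gh; do
    command -v "$tool" >/dev/null 2>&1;               report "$tool on PATH" $? || failed=1
  done
  check_worktrees "$(git worktree list 2>/dev/null)"; report "5 git worktrees" $? || failed=1
  check_boost_mcp "$(claude mcp list 2>/dev/null)";   report "laravel-boost MCP" $? || failed=1
  return "$failed"
}

# Run against the real machine only when asked: bash preflight.sh --run
if [ "${1:-}" = "--run" ]; then run_preflight; fi
```

Run it from the project root after `bootstrap.sh` so the worktree and MCP checks see the scaffolded repository.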

---

## GROUP 3 — Before the Hardening Sprint (S41, ~end July 2026)

Set up production infrastructure 2-3 sprints before pilot launch. Earlier means paying for unused capacity.

### Infrastructure

| ☐ | Task | Earliest Start | Notes |
|---|------|----------------|-------|
| [ ] | **Production AWS droplet** (separate from staging) | Sprint 38 (~mid-July) | Forge provisions. 4 vCPU / 8 GB RAM minimum for v1 pilot. |
| [ ] | **Production Postgres 16 (managed)** | Sprint 38 | AWS RDS or Forge-managed. Backups on, retention 7 days. |
| [ ] | **Production Redis 7 (managed)** | Sprint 38 | Forge-managed or ElastiCache. |
| [ ] | **S3-compatible storage bucket** | Sprint 38 | AWS S3, ap-southeast-3. Per D9. |
| [ ] | **CI/CD: production deploy hook** | Sprint 38 | GitHub Actions on `prod` branch merge → Forge webhook. Per D21 (4-branch model). |
| [ ] | **Secrets management** | Sprint 38 | Forge environment variables for prod. Anthropic API key, Sentry DSN, MyInvois creds, etc. |
| [ ] | **Sentry production project** | Sprint 38 | Separate from staging. Configure `beforeSend` PII scrubbing. |
| [ ] | **Email delivery (AWS SES)** | Sprint 38 | Per D11. Verify sending domain (DKIM/SPF). Backup provider: Postmark or SendGrid. |
| [ ] | **Monitoring: UptimeRobot or equivalent** | Sprint 38 | Pings every 5 min on production health endpoint. |
| [ ] | **Daily database backup verified** | Sprint 39 | Forge-managed backups + manual restore test. |
| [ ] | **DNS pointing to production** | Sprint 41 (launch week) | Until then, `amir.com.my` points to staging. |

### Compliance & Legal

| ☐ | Task | Lead Time | Notes |
|---|------|-----------|-------|
| [ ] | **PDPA Commissioner notification** (s.13) | 30 days mandatory | Submit before processing first real user data. Required for any koperasi pilot. |
| [ ] | **Privacy Policy drafted + lawyer-reviewed** | 1-2 weeks lawyer | Pull from CONTENT_COPY.md §6 (legal). Section 8 specifically called out for lawyer review. |
| [ ] | **Terms of Service drafted + lawyer-reviewed** | 1-2 weeks lawyer | Section 12 specifically called out for lawyer review. |
| [ ] | **Data Processing Agreement template** | 1 week | For each koperasi pilot, sign a DPA covering tenant_id-scoped data. |
| [ ] | **DBN Guideline 2025 conformance review** | Internal | S38 covers code-side; legal-side conformance documented in `docs/PDPA_COMPLIANCE.md`. |
| [ ] | **Akta Koperasi 1993 retention review** | Internal | 6-year retention for financial records confirmed in DECISIONS_LOG.md. Document it and audit post-launch. |
| [ ] | **SKM tender contract finalised** (if won) | Variable | Post-tender award. Negotiate SLA terms (LampiranA5 ref). |

### Content & Assets

| ☐ | Task | Lead Time | Notes |
|---|------|-----------|-------|
| [ ] | **AMIR logo finalised** | 1-2 weeks | Currently placeholder in design system. Lockup for sidebar + login + emails. |
| [ ] | **Favicon + app icon set** | 1 week | 16/32/48/192/512 PNG + SVG. |
| [ ] | **Transactional email templates** | 1-2 weeks | Per CONTENT_COPY.md §7. BM and EN versions. Test render in Litmus or equivalent. |
| [ ] | **WhatsApp message templates submitted to Meta** | 4-6 weeks total approval | Submit in S08 once WhatsApp Business is approved. Review and re-submit any rejections. |
| [ ] | **BM-EN parity QC pass** | 1 week | Native BM speaker reviews every translation key in `lang/ms/`. Catches awkward translations before launch. |
| [ ] | **Demo seed data prepared** | Sprint 1 | Koperasi Wawasan demo tenant with realistic data. Per S00 D1.09 task. |

---

## GROUP 4 — Pilot Launch Week (Sprint 42, ~25 August 2026)

Final cutover items.

| ☐ | Task | Notes |
|---|------|-------|
| [ ] | **Production smoke test** | Full happy-path run-through: login, create transaction, post journal, generate Penyata Trial Balance, log out. |
| [ ] | **First pilot koperasi onboarded** (manual) | Founder onboards in person or via screen share. Document any friction in `docs/living/DEVIATION_LOG.md`. |
| [ ] | **Production seed data loaded** | Master CoA template (GP23 87 accounts), Pack catalogue, default permissions. Per S38-S40 tasks. |
| [ ] | **Backup restored to fresh DB** (test) | Confirm backups are recoverable, not just being taken. |
| [ ] | **Sentry alerts firing on errors** | Verify by intentionally throwing a test error. |
| [ ] | **UptimeRobot alerts to founder phone** | Verify by stopping production for 60 seconds. |
| [ ] | **Documentation handed to first pilot user** | Quick-start guide (BM + EN) covering: login, daily transaction entry, monthly close. Pull content from CONTENT_COPY.md §5 (help text). |

---

## Critical Path Visualisation

```
Today (5 May)                     21 May                  ~25 Aug
    │                               │                        │
    │── MyInvois access ────────────┼────────────────────────│ S25/S26 done
    │── WhatsApp Business ──────────┼────────────────────────│ S22 ready
    │── AWS + Forge + GitHub ──── Demo deploy │──── Production deploy ──│
    │── Domain DNS ────── live │
    │── Sentry account ─────────────────────────── 1 Jun ─── Production tracking ───│
    │                                                                  │
    │── Demo sprint S00 ──────────── Tender Day 21 May ────────────────│
                                     ▲ HARD DEADLINE
```

**Single biggest risk:** MyInvois Public Key API access slipping past mid-July. Mitigation: apply today (5 May); follow up weekly; have an S25 contingency that defers e-Invoice integration to v1.1 if access doesn't arrive.

---

## Daily Check-In

Suggested daily standup (5 min):
1. What is at risk on this checklist today? (any item past its earliest-start date)
2. Any external response received? (LHDN, Meta, AWS billing, lawyer)
3. Any item that needs founder action today?

Track answers in a daily log file or Slack channel — not in this checklist (this stays a static reference).
