# RIOTZ Deployment Guide (Android + iOS)

This guide prepares RIOTZ for production releases with Flutter + Supabase.

## 1) Environment setup

Use `--dart-define` in release builds:

```bash
--dart-define=SUPABASE_URL=https://YOUR_PROJECT_ID.supabase.co
--dart-define=SUPABASE_ANON_KEY=YOUR_SUPABASE_ANON_KEY
--dart-define=ADMIN_USER_IDS=uuid-1,uuid-2
```

Optional: use `--dart-define-from-file=env.production.json`.

Example `env.production.json`:

```json
{
  "SUPABASE_URL": "https://YOUR_PROJECT_ID.supabase.co",
  "SUPABASE_ANON_KEY": "YOUR_SUPABASE_ANON_KEY",
  "ADMIN_USER_IDS": "uuid-1,uuid-2"
}
```

## 2) Supabase production checklist

- Apply migration in `supabase/migrations/20260506170000_riotz_production_schema.sql`.
- Confirm buckets exist: `avatars`, `post-images`, `tracks`.
- Confirm RLS policies are enabled and tested.
- Add at least one admin user in `admin_users`.

## 3) Android release

### 3.1 Create upload keystore

```bash
keytool -genkey -v -keystore ~/riotz-upload-keystore.jks -keyalg RSA -keysize 2048 -validity 10000 -alias upload
```

### 3.2 Configure `android/key.properties`

Copy `android/key.properties.example` to `android/key.properties` and fill values.

### 3.3 Build artifacts

```bash
flutter pub get
flutter build appbundle --release --dart-define-from-file=env.production.json
flutter build apk --release --dart-define-from-file=env.production.json
```

Output:
- AAB: `build/app/outputs/bundle/release/app-release.aab`
- APK: `build/app/outputs/flutter-apk/app-release.apk`

## 4) iOS release

### 4.1 Xcode signing

- Open `ios/Runner.xcworkspace`
- Target `Runner` -> Signing & Capabilities
- Set Team, Bundle Identifier (`com.riotz.app`), and provisioning profiles

### 4.2 Build and archive

```bash
flutter pub get
flutter build ipa --release --dart-define-from-file=env.production.json
```

Or archive from Xcode and upload via Organizer / Transporter.

## 5) Pre-release quality gate

- `flutter analyze`
- `flutter test`
- Smoke test auth/profile/feed/music/discover/admin on physical devices
- Verify upload, playback, logout/login, banned-user behavior
- Verify crash-free startup with production Supabase keys

## 6) Security reminders

- Never commit `android/key.properties`, keystores, or private keys
- Do not expose service-role Supabase keys in Flutter app
- Rotate anon keys only through Supabase config if leaked