# KYN POS Phase 5 — Hardening + Install Readiness

## Purpose

Phase 5 prepares the master base app for the first real upload/install test before payments are added.

This phase does **not** add payments. It hardens the foundation so the app can be installed, verified, and safely rebuilt/upgraded.

## Added

- Installer lock file: `storage/install.lock`.
- Migration ledger table: `pos_schema_migrations`.
- Migration checksum tracking.
- Idempotent migration execution.
- Storage folder creation/checks.
- Upload/install preflight route: `page.php?p=system_preflight`.
- Convenience wrapper: `public/preflight.php`.
- Expanded system health checks.
- Safer installer configuration options.
- Updated private config example.
- Server upload checklist.

## Installer safety rule

The browser installer runs only when:

```php
'install' => [
    'enabled' => true,
]
```

After install, immediately set:

```php
'install' => [
    'enabled' => false,
]
```

After the first successful browser install, the installer writes:

```text
/storage/install.lock
```

To intentionally rerun the browser installer for an upgrade/rebuild:

```php
'install' => [
    'enabled' => true,
    'allow_locked_reinstall' => true,
]
```

Then turn both back to false.

## Why this matters

Shared cPanel hosting makes it very easy to accidentally leave `/public/install.php` exposed. The lock file gives us a second guardrail beyond the config switch.

## Phase 5 acceptance

- `inc/config.local.php` remains private.
- `/public/install.php` refuses to run unless enabled.
- `/public/install.php` refuses accidental rerun after lock file exists.
- Migrations are tracked in `pos_schema_migrations`.
- Storage folders exist and are writable.
- `page.php?p=system_preflight` shows non-secret readiness checks.
- PHP syntax check passes.