diff --git a/scripts/payment-e2e-walkthrough.sh b/scripts/payment-e2e-walkthrough.sh
index 8de3ce22e..b924ee5b8 100755
--- a/scripts/payment-e2e-walkthrough.sh
+++ b/scripts/payment-e2e-walkthrough.sh
@@ -42,6 +42,17 @@ OPERATOR_EMAIL=${OPERATOR_EMAIL:-?}
 OPERATOR_PASSWORD=${OPERATOR_PASSWORD:-?}
 ORDER_POLL_TIMEOUT=${ORDER_POLL_TIMEOUT:-300}
 ORDER_POLL_INTERVAL=${ORDER_POLL_INTERVAL:-5}
+# v1.0.10 polish safety guards:
+#   DRY_RUN=1            — skip the POST /orders + payment steps; rehearse
+#                          the login + product-listing + license-poll path
+#                          end-to-end on staging without spending a euro.
+#   CONFIRM_PRODUCTION=1 — required when STAGING_URL points at the live
+#                          environment. Without it the script refuses to
+#                          run, so a typo (`STAGING_URL=https://veza.fr`
+#                          on a sandbox-targeted command) can't accidentally
+#                          charge a real card.
+DRY_RUN=${DRY_RUN:-0}
+CONFIRM_PRODUCTION=${CONFIRM_PRODUCTION:-0}
 
 SESSION_DATE="$(date +%Y%m%d-%H%M)"
 SESSION_LOG="${REPO_ROOT}/docs/PAYMENT_E2E_LIVE_REPORT.md.session-${SESSION_DATE}.log"
@@ -64,6 +75,43 @@ require jq
 [ "$OPERATOR_EMAIL"     = "?" ] && fail "OPERATOR_EMAIL env var required" 3
 [ "$OPERATOR_PASSWORD"  = "?" ] && fail "OPERATOR_PASSWORD env var required" 3
 
+# Heuristic: any URL that doesn't include the substring "staging" is
+# treated as production. Operators on a non-veza-domain (custom env)
+# can still run the script; they just have to pass CONFIRM_PRODUCTION=1.
+TARGET_LOOKS_LIKE_PROD=0
+if [[ ! "$STAGING_URL" =~ staging ]] && [[ ! "$STAGING_URL" =~ localhost ]] && [[ ! "$STAGING_URL" =~ 127\.0\.0\.1 ]]; then
+  TARGET_LOOKS_LIKE_PROD=1
+fi
+
+if [ "$TARGET_LOOKS_LIKE_PROD" = "1" ] && [ "$CONFIRM_PRODUCTION" != "1" ]; then
+  cat >&2 <<EOF
+
+================================================================
+ABORTING — production target detected without explicit confirmation
+================================================================
+
+STAGING_URL=$STAGING_URL does not contain "staging", "localhost" or
+"127.0.0.1", so this script will refuse to run by default to prevent
+an accidental real-card charge.
+
+If you genuinely want to run against production, re-invoke with:
+
+    CONFIRM_PRODUCTION=1 \\
+    STAGING_URL=$STAGING_URL \\
+    OPERATOR_EMAIL=$OPERATOR_EMAIL \\
+    OPERATOR_PASSWORD=... \\
+    bash scripts/payment-e2e-walkthrough.sh
+
+Or set DRY_RUN=1 to rehearse the flow without making the actual charge.
+================================================================
+EOF
+  exit 3
+fi
+
+if [ "$DRY_RUN" = "1" ]; then
+  log "DRY_RUN=1 — order creation + payment + refund steps will be SKIPPED"
+fi
+
 # api wrapper that tee's request + response to the session log so the
 # operator can copy-paste the full trace into the report.
 api() {
@@ -134,8 +182,39 @@ log "  ✓ price      : $PRODUCT_PRICE"
 # --------------------------------------------------------------------
 # Step 3 : POST /orders.
 # --------------------------------------------------------------------
+if [ "$DRY_RUN" = "1" ]; then
+  log ""
+  log "step 3 : POST /api/v1/marketplace/orders — SKIPPED (dry-run)"
+  log "================================================================"
+  log "DRY-RUN PASS : login + product list + license-mine endpoints reached"
+  log "Run without DRY_RUN to exercise the real charge + refund flow."
+  log "================================================================"
+  exit 0
+fi
+
 log ""
 log "step 3 : POST /api/v1/marketplace/orders"
+
+# v1.0.10 polish: confirm prompt before the actual charge so a typo'd
+# product_id or wrong operator account can't quietly burn 5 EUR.
+if [ "$TARGET_LOOKS_LIKE_PROD" = "1" ]; then
+  log ""
+  log "================================================================"
+  log "FINAL CONFIRMATION — about to charge a real card on production"
+  log "================================================================"
+  log "  product_id : $PRODUCT_ID"
+  log "  price      : $PRODUCT_PRICE"
+  log "  operator   : $OPERATOR_EMAIL"
+  log "  endpoint   : ${STAGING_URL}/api/v1/marketplace/orders"
+  log ""
+  prompt "Type the literal word 'CHARGE' to proceed (anything else aborts) :"
+  read -r confirm_word
+  if [ "$confirm_word" != "CHARGE" ]; then
+    fail "operator did not confirm the charge ($confirm_word) — aborting" 2
+  fi
+  log "  operator confirmed CHARGE — proceeding"
+fi
+
 order_body="{\"items\":[{\"product_id\":\"${PRODUCT_ID}\"}]}"
 order_resp=$(api POST /api/v1/marketplace/orders "$order_body" 2>/dev/null)
 ORDER_ID=$(echo "$order_resp" | jq -r '.data.order.id // .data.id // .id // ""')