KA26 Pre-Launch QA Checklist

Target launch: Thursday/Friday this week (2026-04-23 / 04-24) Owner: Siddu Last updated: 2026-04-18

This is the master pre-launch verification checklist. Every item is a real action you (or a tester) takes against production (ka26.shop, docs.ka-26.com, the v16 APK from ka-26.com/downloads/ka26-latest.apk). Check items off as you verify them. Items marked 🚨 BLOCKER must pass before going live; everything else is nice-to-have.

How to use this doc

Pick a section. Run through every item. Replace [ ] with [x] when verified.

If something fails, file it as a ### Bug block at the bottom of this file with: surface, steps, expected vs actual, severity. Then fix or hand off.

Re-run the section after every fix to catch regressions.

Three full clean passes through this doc = ship.

0. Pre-flight (do this once, before any QA session)

Confirm hourly health cron is green: https://github.com/sidgk/ka26-marketplace/actions/workflows/health-check.yml — last 24h all green
Confirm Sentry has zero unresolved Critical issues for ka26-marketplace and ka26-mobile projects
Confirm Cloud Run service ka26-marketplace (us-central1) is on the latest revision (gcloud run services describe ka26-marketplace --region us-central1 --format="value(status.latestReadyRevisionName)")
APK at https://ka-26.com/downloads/ka26-latest.apk reports v16 in the page UI AND is at least 89 MB (smaller = corrupted)
DB has zero stuck pending orders older than 1 hour (SELECT id, createdAt FROM "Order" WHERE status='pending' AND "createdAt" < NOW() - INTERVAL '1 hour')
No env-var drift: gcloud run services describe ka26-marketplace --region us-central1 --format="value(spec.template.spec.containers[0].env[].name)" includes all of: DATABASE_URL, JWT_SECRET, SMTP_USER, SMTP_PASS, EMAIL_FROM_ADDRESS, SENTRY_DSN, NEXT_PUBLIC_SENTRY_DSN, SENTRY_ENV, PAYMENTS_ONLINE_ENABLED, REELS_COMMERCE_ENABLED
Confirm PAYMENTS_ONLINE_ENABLED=false (we go live with offline payments only) and REELS_COMMERCE_ENABLED=false

1. Consumer registration + auth (web AND mobile, both surfaces)

1A. Web (https://ka26.shop)

1B. Mobile (v16 APK, fresh install)

Repeat all of section 1A on the mobile app. Specifically check:

🚨 BLOCKER Password hint reads "8+ chars, A-Z, a-z, 0-9" (NOT "min 6 characters")
OTP screen accepts pasting the full 6-digit code from the email
No crash on backgrounding the app mid-OTP and returning
Sentry mobile project shows no new errors during this flow
If you intentionally trigger an error (e.g., turn off WiFi mid-submit), the error renders as readable text — never [object Object] or a raw stack trace

2. Consumer browse + discovery

2A. Shop tab

🚨 BLOCKER /shop loads within 5 sec on first visit (cold start), 1 sec subsequent
All store cards have non-broken images (look for the broken-image icon or empty squares)
Tap a store card → store detail loads, products visible, prices visible
"My Ads" filter pill works (shows your own ads if you have any, empty state if not — NOT [object Object])
Categories filter pills work (tap → list narrows)
Search bar filters in real-time

2B. Reels tab

First reel autoplays
Swipe down → next reel plays
Tap a reel → like, comment, share buttons work
Comment input opens keyboard (mobile), keyboard doesn't cover the input
If REELS_COMMERCE_ENABLED=false, no product/store tag UI visible in any reel

2C. Requests tab (community)

List loads, filter pills work (Newest/All/My Requests/I Helped)
Public discussion requests show "PUBLIC" badge AND "Open Discussion" CTA (emerald)
Private requests show "X/3" supporters count
Tap a request → detail opens
Post a new request → choose Public OR Private → posts successfully
On a private request, tap "Help" → get added as supporter
Receive push notification when someone comments on your request (if push permission granted)

2D. Profile tab

Edit profile → save → reflected immediately
My Ads tab in profile shows your ads (mobile bug fix from yesterday — verify field is ads not products)
My Orders tab shows your past orders
Settings → notifications → can toggle push on/off
Language switcher (6 languages) — pick Kannada → all UI strings render in Kannada (no English fallbacks except brand names)

3. Order flow (end-to-end, BLOCKER for launch)

This is the revenue funnel. Every step must work.

4. Seller app (web, since you said `/seller` redirects)

4A. Seller registration + onboarding

Open https://ka26.shop/seller/register in incognito
Sign up as a brand new seller — no "Restaurant" picker should appear (Eats was archived)
Receive verification email
Enter OTP, lands in seller dashboard
If your seller plan from yesterday's deferred work was implemented, follow the onboarding wizard — otherwise log into the existing test seller account

4B. Store management

Create a new store with name + address + phone
Upload a store logo (≤ 5 MB JPEG)
Edit store hours
Set store discount (e.g., 10% off)
Save → discount badge appears on consumer side
Mark store as "Coming soon" → consumer side shows "Coming soon" not "Live"

4C. Product management

Add a new product: name, price, description, image
Image uploads (≤ 5 MB, gets compressed to 1200x1200)
Add 2nd, 3rd image — carousel works on consumer detail page
Edit product price → reflects on consumer side within 30 sec (Cloud Run cache)
Mark product "Out of Stock" → consumer side shows greyed-out + "Back in Stock soon" — NOT removed
Delete product → confirmation dialog → product gone from consumer side
Set per-product discount (originalPrice) → strikethrough renders correctly

4D. Orders

Orders tab shows the order from section 3
Mark order Ready → consumer notified
Mark order Picked Up → consumer notified
Filter by date range works
Earnings tab shows correct total

4E. Notifications

Bell icon in seller header shows unread count
Click bell → notification list opens
Mark all read → count clears
Browser push notification received when test consumer places an order (if permission granted)

5. Admin app

6. Delivery partner app

Login at /delivery_partner
Toggle online → become available for assignments
Test assignment from a delivery-mode order (NOT pickup) — if delivery is enabled
Accept order → see pickup address, navigation link
Mark picked up → consumer notified
Mark delivered → order completes

Note: If delivery is disabled for launch (offline-only), skip section 6 — but verify there's no leaked delivery UI on consumer side.

7. Cross-surface parity (web ↔ mobile)

For each feature, confirm the same data + behavior appears on both web and mobile (we caught 3 silent mismatches in one day last week):

My Ads — same ads visible on both
My Orders — same orders, same statuses, same details
Public Discussion — same PUBLIC badge logic on requests
Categories — same list of categories
A store's products — exact same list, prices, stock states
Profile data — name, phone, avatar all match

8. Performance + load

🚨 BLOCKER Cold homepage load < 5 sec (first visit, fresh tab) on a 4G phone
🚨 BLOCKER Warm homepage load < 1 sec
No layout shift during load (CLS < 0.1)
Mobile app launch (cold) < 4 sec
APK install size < 100 MB (currently 89 MB ✓)
No memory leak: leave the mobile app open for 30 min, switch tabs frequently — RAM should stabilize, not grow unbounded

9. Security smoke (BLOCKER)

🚨 BLOCKER /api/health?key=wrong returns 401, not the health payload
🚨 BLOCKER Cannot SQL-inject anywhere (try ' OR '1'='1 in search, login email, address fields)
🚨 BLOCKER XSS attempts on profile name <script>alert(1)</script> get escaped, not executed
🚨 BLOCKER Logged-out consumer cannot hit /api/orders (401)
🚨 BLOCKER Consumer A cannot read consumer B's orders by guessing IDs (/api/orders/123 returns 403/404)
🚨 BLOCKER Seller cannot edit another seller's products
All forms have CSRF protection (web) or token-based auth (mobile)
HTTPS enforced — http:// redirects to https://
No secrets visible in browser dev tools (Network tab response bodies, console)

10. Mobile-specific edge cases

App handles airplane mode gracefully — readable error, not crash
App handles slow 2G — loading spinners, no infinite hang
App handles backgrounding mid-action — state preserved on return
App handles permission denied (camera, location) — graceful fallback UI
App handles being killed by Android OOM killer — relaunches into a sensible screen
OTP autofill works on Android (read SMS permission, if granted)
Deep links work: tapping a notification → opens correct screen, not just the home
Back button on Android exits the app (or shows confirm) from home, never crashes

11. Email deliverability (post-cutover sanity check)

OTP email arrives in inbox (not spam) at gmail.com, outlook.com, yahoo.com — test all three
Order confirmation email arrives within 5 min of placing order
Password reset email arrives within 5 min of request
All emails render correctly on mobile email clients (Gmail mobile, Apple Mail)
All emails contain unsubscribe link (legal requirement) — broken? Add one before launch
No emails contain [object Object] or undefined text anywhere
DMARC report (rua=mailto:siddugkattimani@gmail.com) — confirm zero failures in the last 24h

12. Monitoring + observability (must be set up BEFORE launch)

Hourly health cron green for at least 24h consecutive
Sentry web project receiving events
Sentry mobile project receiving events
UptimeRobot configured (per docs/MONITORING-SETUP.md Layer 1) — at least one human-readable alert channel works
You have phone/email alerts configured for: Cloud Run service down, Cloud SQL instance down, hourly health cron failure
You can find Cloud Run logs in GCP console within 10 sec (bookmarked URL?)
You can roll back to the previous Cloud Run revision in 1 command (rehearse it)

13. Disaster rehearsals (do at least once before launch)

Cold rollback drill: simulate a bad deploy by pushing a commit that throws on /shop → confirm hourly cron alerts you within 1 hour → roll back via gcloud run services update-traffic to previous revision → verify recovery
DB connection loss drill: temporarily revoke the Cloud SQL user's permissions → verify /api/health returns degraded → restore permissions → verify recovery
Email outage drill: rotate SMTP_PASS to a wrong value → verify EmailLog records the failure → restore → verify retries succeed
APK swap drill: build a v17 with a 1-line change, push the website, verify users with v16 can update without losing local data (logged-in state, draft posts, cart contents)

14. Legal / content (must be done before public launch)

/terms page exists and reflects current policies
/privacy page exists and mentions data we collect (name, phone, email, location, payment-method-but-no-payment-data-yet)
/disclaimer page reviewed by lawyer (Tuesday meeting per MEMORY.md)
/grievance page exists with grievance@ka-26.com contact (compliance for India e-commerce)
About page mentions company name, address (registered office), customer support contact

15. Day-of-launch sanity (run this morning of launch day)

Hourly cron last run is green (within last 60 min)
Sentry critical issue count = 0
Cold load https://ka26.shop in incognito — < 5 sec
APK download from ka-26.com/downloads — installs cleanly, opens to login
Place a real test order end-to-end as a fresh consumer
Send a test OTP email — arrives within 2 min
WhatsApp number (+918197363421) responds (if you have a bot or person staffing it)
Status page (if you have one) reflects green

If any of the above is red, DO NOT LAUNCH TODAY. Fix and re-run.

Bug log (open issues found during QA)

Use this format for any bug you find:

Bug template

Surface: web / mobile / seller / admin / delivery Severity: blocker / high / medium / cosmetic Steps to reproduce: 1. 2. 3. Expected: Actual: Sentry link (if applicable): Status: open / fixing / fixed (commit hash)

(no bugs found yet — this section will fill up during testing)

Pass log (when each section is fully green)

Section	Pass 1 (date)	Pass 2 (date)	Pass 3 (date)
0. Pre-flight
1. Consumer auth
2. Consumer browse
3. Order flow
4. Seller app
5. Admin app
6. Delivery (skip if offline)
7. Cross-surface parity
8. Performance
9. Security
10. Mobile edge cases
11. Email
12. Monitoring
13. Disaster rehearsals
14. Legal
15. Day-of-launch

Three full clean passes = ship. Two passes = ship cautiously. One pass = absolute minimum.

0. Pre-flight (do this once, before any QA session)​

1. Consumer registration + auth (web AND mobile, both surfaces)​

1A. Web (https://ka26.shop)​

1B. Mobile (v16 APK, fresh install)​

2. Consumer browse + discovery​

2A. Shop tab​

2B. Reels tab​

2C. Requests tab (community)​

2D. Profile tab​

3. Order flow (end-to-end, BLOCKER for launch)​

4. Seller app (web, since you said /seller redirects)​

4A. Seller registration + onboarding​

4B. Store management​

4C. Product management​

4D. Orders​

4E. Notifications​

5. Admin app​

6. Delivery partner app​

7. Cross-surface parity (web ↔ mobile)​

8. Performance + load​

9. Security smoke (BLOCKER)​

10. Mobile-specific edge cases​

11. Email deliverability (post-cutover sanity check)​

12. Monitoring + observability (must be set up BEFORE launch)​

13. Disaster rehearsals (do at least once before launch)​

14. Legal / content (must be done before public launch)​

15. Day-of-launch sanity (run this morning of launch day)​

Bug log (open issues found during QA)​

Bug template​

(no bugs found yet — this section will fill up during testing)​

Pass log (when each section is fully green)​