# Coursepedia Final Test Checklist

Complete this checklist in a staging environment that uses production-like PostgreSQL, HTTPS,
storage, SMTP, and payment sandbox accounts. Record the tester, date, evidence, and result for every
item. Repeat payment smoke tests with low-value live transactions immediately before launch.

## Automated gate

- [ ] `pnpm check` passes.
- [ ] `pnpm security:audit` reports no credential fields in application data.
- [ ] `pnpm seo:check-links` reports no broken public links.
- [ ] `pnpm db:migrate -- --dry-run` reports expected source counts.
- [ ] `pnpm db:reconcile` reports balanced PostgreSQL counts.
- [ ] `pnpm production:validate` passes using production secrets.
- [ ] `pnpm production:build` creates a package without `.env`, runtime data, logs, backups, or tests.

## Public website and SEO

- [ ] Homepage loads correctly on desktop and mobile.
- [ ] Course catalogue pagination loads and remains responsive.
- [ ] Course search finds exact and partial titles.
- [ ] Category, level, price, certificate, and rating filters work together.
- [ ] Course cards and course detail pages show accurate information.
- [ ] Old course and category URLs redirect to the matching new location.
- [ ] Footer links open the intended public pages.
- [ ] Page titles, descriptions, canonical URLs, Open Graph tags, and course structured data are valid.
- [ ] `/sitemap.xml` contains the intended public URLs.
- [ ] `/robots.txt` allows public pages and blocks private areas.
- [ ] The not-found page offers course search, certificate verification, and support links.

## Accounts and access

- [ ] Registration creates a student account by default.
- [ ] Login accepts current and preserved WordPress password hashes.
- [ ] Password reset token expires, is single-use, and invalidates existing sessions.
- [ ] Email verification completes successfully.
- [ ] Logout clears the browser cookie and server session.
- [ ] Inactive users cannot sign in.
- [ ] Student users cannot open admin or instructor-only tools.
- [ ] Instructor users cannot open full administration tools.
- [ ] Only authorised admins can manage users, payments, email templates, reports, and certificates.
- [ ] Sessions expire after the configured inactivity period.

## Student learning

- [ ] Student dashboard identifies the correct next lesson.
- [ ] Enrolled and completed courses are accurate.
- [ ] Course player works on desktop and mobile.
- [ ] Lesson text, YouTube, Google Drive, downloads, and attachments render correctly.
- [ ] Lesson completion updates progress once.
- [ ] Quiz questions are readable, randomised, and correctly graded.
- [ ] A failed quiz can be retried and blocks the next required lesson.
- [ ] A passing quiz unlocks the next required lesson.
- [ ] Certificate readiness clearly explains any remaining requirements.

## Payments and enrollment

- [ ] Paystack sandbox payment succeeds.
- [ ] Flutterwave sandbox payment succeeds.
- [ ] Failed payment does not grant access.
- [ ] Abandoned payment does not grant access and can be retried.
- [ ] Wrong amount is rejected.
- [ ] Wrong currency is rejected.
- [ ] Wrong course, user, order reference, or gateway reference is rejected.
- [ ] Repeated callback and webhook events create one payment and one enrollment.
- [ ] Invalid webhook signatures are rejected.
- [ ] Payment confirmed without enrollment is visible to reconciliation and can be repaired once.
- [ ] Payment row stores user, course or bundle, amount, currency, gateway and internal references,
      status, timestamps, and failure reason where applicable.
- [ ] Receipt and enrollment emails are queued only after trusted backend confirmation.
- [ ] Refund and reversal behavior removes or updates access according to the approved policy.

## Certificates

- [ ] A completed eligible course can issue one certificate.
- [ ] Certificate PDF is one landscape page with no overlap for a long learner or course name.
- [ ] QR code opens the public verification URL with the correct code.
- [ ] A new certificate code verifies.
- [ ] Several previous Coursepedia certificate codes verify.
- [ ] Invalid and revoked codes show the correct safe response.
- [ ] Public verification reveals no email, phone, payment, user ID, or internal notes.
- [ ] Admin certificate search, reissue, revoke, export, and audit history work.

## Instructor and administration

- [ ] Instructor can create, autosave, preview, and publish a complete course.
- [ ] Incomplete courses cannot be published.
- [ ] Cover upload accepts supported images and rejects oversized or unsafe input.
- [ ] Admin user search, edit, history, role, status, pagination, and delete/deactivate actions work.
- [ ] Orders, payments, enrollments, certificates, reports, and exports are accurate.
- [ ] Important admin actions appear in audit logs.

## Email Manager

- [ ] SMTP connection succeeds with the production sender domain.
- [ ] Test email renders the Coursepedia brand on desktop and mobile clients.
- [ ] Registration, verification, password reset, payment, enrollment, and certificate emails arrive.
- [ ] Failed delivery records the reason and retries up to the configured limit.
- [ ] Template edit and test-send actions appear in audit logs.
- [ ] Marketing preferences are respected; critical transactional emails remain enabled.
- [ ] Suppressed addresses are not sent non-required email.

## Operations and launch

- [ ] HTTPS, HSTS, secure cookies, CSP, and proxy settings are correct.
- [ ] Rate limits return `429` without blocking ordinary learning.
- [ ] Database and media backups complete and a restore drill succeeds.
- [ ] Authentication, payment, certificate, email, admin-action, and system-error alerts reach operators.
- [ ] Production package contains no real `.env`, raw exports, logs, backups, screenshots, or test data.
- [ ] Google and Facebook OAuth production redirect URLs are approved.
- [ ] Paystack and Flutterwave production webhook URLs and signatures are verified.
- [ ] Monitoring, uptime checks, error alerts, and an incident owner are active.
- [ ] Rollback owner, release owner, support owner, and launch window are confirmed.
