Guidance only: HaqSathi AI is not a government, legal, bank, or official authority. Verify final action on the official portal or with a qualified expert. Disclaimer
Phase 17
After feature build, pass these final checks before production launch.
Final blocker rule
Run live route QA, payment/storage checks, Lighthouse, Playwright and manual approval evidence first. Then run npm run launch:evidence-gate and npm run launch:artifact-manifest. If the evidence gate says BLOCKED/MANUAL_REQUIRED or the artifact manifest finds secret leaks, keep the site in soft launch.
Verify the matching audit page in the admin panel.
Verify the matching audit page in the admin panel.
Verify the matching audit page in the admin panel.
Verify the matching audit page in the admin panel.
This shows what is implemented in code and what still needs live production proof before final launch.
Implemented
Mobile-first shell, polished public pages, motion-safe interactions, install prompts and trust/legal copy are in place.
Implemented
Complaint, chat, UPI, OCR and scheme workflows now use safer prompts, language preference, fallback drafts and official-fraud escalation.
Ready to test
Performance regression scan blocks heavy motion/cache mistakes. Lighthouse and Playwright commands are wired for local and Vercel QA.
Ready to test
Global API origin guard, CSRF helper, Upstash-compatible rate limits, document-vault safety scan, secret redaction and signed downloads are installed.
Implemented
Official scheme catalog, fraud escalation constants, AI safety helper and MVP readiness metadata are centralized instead of duplicated in pages/routes.
Needs live QA
Live Vercel checks still require real production env keys, payment sandbox/live evidence, Supabase bucket test, email test and Lighthouse report.
Run these after deploying to Vercel. They turn your launch into evidence: live route QA, payment/storage readiness, Lighthouse, Playwright, artifact hashes, secret-leak scanning and manual proof.
READY TO RUN
npm install && npm run quality:release && npm run buildEvidence: Terminal screenshot/log with all audits and Next build passing on the same ZIP that is deployed.
Risk if skipped: A stale audit or TypeScript/build error can reach Vercel even if feature routes look fine locally.
READY TO RUN
npm run scan:fullEvidence: artifacts/code-scan/full-project-code-scan.json showing zero blocking issues for imports, literal links, API fetches, env coverage, setup-route exposure and contact persistence.
Risk if skipped: A missing import, exposed setup route, false-success API response or undocumented env can slip past visual QA and break production only after deployment.
READY TO RUN
npm run scan:completeEvidence: artifacts/code-scan/deep-project-code-scan.json plus full-project-code-scan.json showing zero blocking issues across imports, scripts, user-facing dev-copy leaks, password-reset dev links, seed secret logs, client env boundaries, public assets and SEO title suffixes.
Risk if skipped: A release can pass feature audits but still leak local-dev copy, expose reset tokens during email misconfiguration, print seed passwords, reference broken scripts or ship duplicate title suffixes.
READY TO RUN
LAUNCH_QA_BASE_URL=https://haqsathi.site npm run launch:qaEvidence: artifacts/live-launch-qa/live-launch-qa-report.json with zero blockers for public routes, SEO titles, fraud blocks and prompt-leak checks.
Risk if skipped: Live deployment can serve wrong env/cached pages even when local code is correct.
READY TO RUN
npm run launch:payment-storage-checkEvidence: artifacts/live-launch-qa/payment-storage-readiness.json showing Razorpay, Supabase storage and webhook config are present and masked.
Risk if skipped: Paid users or document vault users can fail after launch due to missing env keys, unsafe public secrets or bucket misconfiguration.
READY TO RUN
LIGHTHOUSE_BASE_URL=https://haqsathi.site npm run lighthouse:batchEvidence: Mobile + desktop Lighthouse HTML reports saved under artifacts/lighthouse for home, tools, complaint, UPI help and pricing.
Risk if skipped: Slow first load, layout shifts or SEO/accessibility regressions can hurt conversion and indexing.
READY TO RUN
PLAYWRIGHT_BASE_URL=https://haqsathi.site npm run test:e2eEvidence: Playwright report/screenshots showing no horizontal overflow, correct SEO titles, public legal pages and fraud escalation visibility.
Risk if skipped: Mobile UI, title tags, critical public copy or navigation can break only in the browser.
MANUAL EVIDENCE REQUIRED
Use /complaint, /chat and /tools/ocr-autofill on production with test-safe data only.Evidence: Screenshots of a complaint draft, chat response and OCR output showing redaction, safe disclaimers and no OTP/PIN/CVV leakage.
Risk if skipped: Fallback mode may hide broken real AI keys, or live prompts may produce unsafe output without redaction evidence.
MANUAL EVIDENCE REQUIRED
Open Vercel project → Settings → Environment Variables and compare against .env.example.Evidence: Masked screenshot/checklist for production-only env values: AUTH_SECRET, DB, Supabase, Razorpay, Resend, AI and Upstash.
Risk if skipped: A missing or preview-only variable can break auth, payment, storage, email or rate-limits only after deploy.
READY TO RUN
npm run launch:artifact-manifestEvidence: artifacts/live-launch-qa/launch-artifact-manifest.json and CSV with SHA-256 hashes for QA, payment/storage, Lighthouse, Playwright and final evidence files.
Risk if skipped: Without artifact hashes and secret scanning, screenshots/reports can be mixed from different runs or shared with leaked secrets.
READY TO RUN
OPS_HEALTH_BASE_URL=https://haqsathi.site npm run launch:ops-snapshotEvidence: artifacts/live-launch-qa/production-ops-snapshot.json and CSV showing /api/health, /api/ready, /status and /launch-readiness status, latency, cache headers and blockers.
Risk if skipped: A site can pass build and still be operationally unsafe if readiness, DB connectivity or health cache headers fail after deploy.
READY TO RUN
npm run launch:rollback-drillEvidence: artifacts/live-launch-qa/rollback-drill.json and CSV showing last known-good deployment, owners, backup confirmation, rollback test and maintenance notice readiness.
Risk if skipped: A failed production deploy can become a long outage if no owner, backup, rollback target or maintenance message is ready.
READY TO RUN
POSTLAUNCH_SUPPORT_BASE_URL=https://haqsathi.site npm run launch:postlaunch-supportEvidence: artifacts/live-launch-qa/postlaunch-support-check.json and CSV showing support email, contact page, urgent abuse lane, safe reply macros and first-24h review ownership.
Risk if skipped: Users can hit payment, login, fraud or document-vault problems after launch without a tested human support path.
READY TO RUN
npm run launch:final-readyEvidence: artifacts/final-deploy/final-deploy-ready-check.json showing version sync, pinned dependencies, patched lockfile, safe dev-link defaults and final deploy files.
Risk if skipped: A final ZIP can look complete but still ship an out-of-sync lockfile, unsafe local-dev verification links, stale service-worker cache or unpinned dependency updates.
READY TO RUN
npm run launch:evidence-gateEvidence: artifacts/live-launch-qa/final-evidence-gate.json and CSV showing GO only after live QA, payment/storage, Lighthouse, Playwright, owners and manual approvals are complete.
Risk if skipped: Without a final no-go gate, you can accidentally launch with missing production artifacts, untested payment/storage, or no rollback owner.
After every Vercel production deploy, run the ops snapshot so health, readiness, latency, cache headers and blocker evidence are saved with the launch proof.
Deployment owner
curl -s https://haqsathi.site/api/healthEvidence: Returns ok=true, current version, environment and no-cache headers without touching the database.
Launch rule: Must be green before Vercel traffic is moved to the final domain.
Backend owner
curl -s https://haqsathi.site/api/readyEvidence: Returns ok=true only when required env values and database connectivity are usable.
Launch rule: A 503 means soft-launch only; do not announce publicly until fixed.
Launch owner
OPS_HEALTH_BASE_URL=https://haqsathi.site npm run launch:ops-snapshotEvidence: artifacts/live-launch-qa/production-ops-snapshot.json and CSV with endpoint latency, status codes, cache headers and blockers.
Launch rule: Run after every production deploy and keep the artifact with the final launch proof bundle.
Launch owner
npm run launch:rollback-drillEvidence: rollback-drill.json records last-good deployment, backup confirmation, owners, rollback test and maintenance notice readiness.
Launch rule: Must be saved before final evidence gate; unresolved manual-required items mean soft launch only.
Support owner
POSTLAUNCH_SUPPORT_BASE_URL=https://haqsathi.site npm run launch:postlaunch-supportEvidence: postlaunch-support-check.json proves support email, contact page, urgent abuse owner, safe macros and first-24h review are ready.
Launch rule: Must be saved before public traffic or paid campaigns.
Founder
Set LAUNCH_INCIDENT_OWNER and LAUNCH_ROLLBACK_OWNER before final gate.Evidence: Named owner/contact is present in final-evidence-gate.json.
Launch rule: No owner means no public launch.
Before public launch, prove that a bad deploy can be handled: last known-good deployment, rollback owner, incident owner, backup confirmation and maintenance communication must be ready.
launch blocker
Owner: Launch owner
npm run launch:rollback-drillEvidence: artifacts/live-launch-qa/rollback-drill.json and CSV with rollback owner, incident owner, backup confirmation and last-good deployment URL.
Action: Do this before public launch so a bad deploy can be reverted without panic.
launch blocker
Owner: Deployment owner
Set LAUNCH_LAST_GOOD_DEPLOYMENT_URL="https://...vercel.app"Evidence: Previous stable Vercel deployment URL is saved and does not expose tokens or preview-only secrets.
Action: Use this target if final production deployment shows severe auth/payment/AI/storage failures.
launch blocker
Owner: Backend owner
Set LAUNCH_BACKUP_CONFIRMED=true only after backup proof existsEvidence: Masked Supabase/Postgres backup screenshot or restore-point note saved with launch artifacts.
Action: Do not run marketing launch before a fresh restore point exists.
high
Owner: Support owner
Set LAUNCH_MAINTENANCE_NOTICE_READY=true after message is preparedEvidence: Short user-facing notice is prepared for status page, WhatsApp/social post, support replies and footer banner if needed.
Action: Use it if checkout, login, AI or document vault is degraded.
Before public traffic, prove that users can reach support, urgent fraud/payment/login/document issues have an owner, and support replies stay privacy-safe.
Support owner
POSTLAUNCH_SUPPORT_BASE_URL=https://haqsathi.site npm run launch:postlaunch-supportEvidence: postlaunch-support-check.json records /contact reachability, support email visibility and contact/ticket readiness controls.
Launch rule: Do not run paid traffic until users have a tested path to ask for help.
Abuse review owner
Set LAUNCH_ABUSE_REVIEW_OWNER and LAUNCH_ABUSE_REPORT_FLOW_TESTED=true after review.Evidence: Support intake can classify fraud, payment, login and vault issues as urgent support tickets without exposing secrets.
Launch rule: UPI fraud, payment failure, account access and document-vault reports need same-day human review.
Founder / support owner
Set LAUNCH_SUPPORT_MACROS_REVIEWED=true after checking reply templates.Evidence: Macros remind users not to share OTP/PIN/CVV/passwords and avoid legal/financial outcome guarantees.
Launch rule: Every reply must stay guidance-only and privacy-safe.
Launch owner
Set LAUNCH_FIRST_24H_REVIEW_CONFIRMED=true when a real person is watching support after launch.Evidence: Named owner, response SLA and review window are recorded in postlaunch-support-check.json.
Launch rule: Public launch needs someone watching early fraud/payment/login failures.
X-Frame-Options
Protects against clickjacking.
Content type nosniff
Reduces MIME confusion risk.
Referrer policy
Controls referrer leakage.
Permissions policy
Blocks camera/mic/geolocation by default.
HTTP-only session cookie
Session token not readable by browser JS.
Password reset token model
Reset flow can store one-time tokens.
Privacy center route
User consent and deletion request flow exists.
Service role not public
Service role key must stay server-only.
Rate limit helper exists
AI/search endpoints can throttle abuse.
Global disclaimer banner
Non-legal-advice warning is visible.