5.4 KiB
5.4 KiB
title, tags, created, status
| title | tags | created | status | ||||||
|---|---|---|---|---|---|---|---|---|---|
| Task 5.9 QA, Rollout, Analytics, and Launch Runbooks |
|
2026-05-24 | draft |
Task 5.9 QA, Rollout, Analytics, and Launch Runbooks
Source: /.taskmaster/docs/prd-telegram-native-app-bot-wallet.md
1) QA scope for launch readiness
1.1 Client matrix (required)
- Telegram iOS
- Telegram Android
- Telegram Desktop
- Telegram Web
- Light / dark themes
- Compact / fullscreen modes
- Normal and slow network
- Blocked bot scenario
- Expired / stale session scenario
- Payment cancellation and abort
- Unlinked user and re-link path
1.2 Functional QA checklist
- Identity and linking
- Request listing/detail in both bot and Mini App
- Offer review flow
- Payment initiation and cancel path
- Delivery evidence upload
- Dispute open/respond and status progression
- Notification quiet/error state
- Error and blocked-bot behavior
- Support escalation handoff
1.3 Security/abuse QA
- forged/invalid
initDatarejection - callback replay replayed twice: one success one no-op
- deep-link tampering
- wallet proof mismatch
- callback processing under invalid provider secrets
- admin override behavior and audit event capture
2) Environments and rollout
2.1 Environment separation
telegram-dev-botandtelegram-prod-bottokens and webhook endpoints must be distinct.- No shared webhook secret between environments.
- QA and production payment fixtures remain isolated.
2.2 Feature flag sequence
- Development flag off: no surface exposed
- Internal allowlist: selected users only (buyer/seller/admin)
- Beta cohort: controlled percentage and fixed org list
- Production enablement: after runbook and KPI thresholds pass
2.3 Deployment safety
- If new surface increases payment mismatch or callback failure, immediately pause
TELEGRAM_SURFACE_ENABLEDand keep providers in read-only mode. - Use existing rollback flow from incident operations and deployment runbooks.
3) Analytics and launch KPIs
Track these metrics daily for 14 days after stage advancement:
- activation rate (
activatedTelegramUsers / startedTelegramUsers) - link completion rate (
linkedUsers / startedLink) - request creation from Telegram (
telegramRequestsCreated) - offer response completion (
offerResponses / offersOpened) - payment started / payment completed (
telegramPaymentStart,telegramPaymentComplete,telegramPaymentFail) - dispute activity (
disputesOpened,disputesResolvedInTelegram) - release approvals from Telegram context (
telegramReleaseApprovals) - notification opt-outs (
notificationsOptOutRate) - callback duplicate ratio (
callbackReplay / callbackTotal) - average context resume latency (min and p95)
Reporting destinations
- Sentry for exception and failure spikes
- application logs for workflow events
- existing monitoring dashboards for rate/latency anomalies
4) Launch runbooks
All runbooks are mandatory for Stage-1 rollout and post-launch incidents.
4.1 Bot outage
- Validate webhook endpoint response health.
- Switch status to notification-only mode where possible.
- Confirm bot token and webhook URL.
- Re-route urgent flows to web fallback.
- Restore Telegram webhook + replay backlog after recovery.
4.2 Telegram API outage
- Confirm external Telegram API status.
- Temporarily disable deep-link / in-app actions that require Telegram callbacks.
- Notify users of delayed updates.
- Keep pending payment states in read-only mode until callback channel is restored.
4.3 Payment provider outage
- Identify affected provider via provider mode and provider health flags.
- Switch to read-only or alternative provider mode where configured.
- Run reconciliation before re-enabling full writes.
- Track stale pending payment age and contact support workflow.
4.4 Stuck payment
- Check payment reconciliation queue and provider status.
- Verify callback proof and on-chain confirmation.
- Manually reconcile if allowed by protocol and policy.
- Escalate if stale > 24h in funded or processing state.
4.5 Duplicate callback
- Validate idempotency path executed correctly.
- Confirm callback dedupe key retention window.
- Compare event fingerprint for payload divergence.
- Mark one path as duplicate no-op and keep audit trail.
4.6 Suspicious wallet proof
- Block automated release/refund for the request.
- Flag payment and mark for manual ops review.
- Verify recipient, amount, and tx hash against chain/provider data.
- Resume only after explicit approval.
4.7 Compromised bot token
- Rotate bot token immediately.
- Disable bot endpoints and clear webhook secret for 1 hour.
- Validate callback signatures with new secret.
- Resume in staged rollout mode with monitoring for 24h.
5) Stage exit criteria
- All required QA scenarios pass on iOS/Android/desktop/web.
- No critical webhook/payload mismatch regressions in 24h observation window.
- No unresolved payment stuck items > 24h after manual triage.
- Incident owners can execute all seven runbooks.
- Rollout metrics show non-degrading trend for the first two days.
6) Known rollout gaps
- Fine-grained feature toggles for Telegram in existing observability dashboards are pending.
- Admin analytics for Telegram-originated releases are schema-dependent and need implementation wiring.
- Deep-link recovery behavior after prolonged Telegram link expiry still needs UX polishing.