Phase 10 · Audit & QA

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Phase 10 · Audit & QA
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 10
- est_time: 8–16 hr
- description: The full pre-launch audit — static code & dependency checks, a security re-check, performance/DB/SEO/accessibility audits, functional QA across roles, debugger review, and a pre-launch sign-off gate.
- tags: codecanyon, laravel, qa, audit

## Execution rules (binding)
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# Phase 10 · Audit & QA

:::start
**You are here:** [Playbook](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/) → **Phase 10 · Audit & QA**
**This phase is for you if:** you need proof the app is secure, fast, accessible, and complete before launch.
**Not this phase?** [Phase 9](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/09-growth-polish/) = polish · [Phase 11](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/11-pre-customer/) = business go/no-go.
:::

Run the end-to-end audit before anyone pays: prove the app is **secure, fast, accessible, and functionally complete**, then sign off. This phase is the last wide net — everything that follows assumes a clean bill of health.

<StageFlow
  title="Phase 10 — the audit & QA pipeline"
  caption="Each stage gates the next. Sign-off is a hard stop: any unresolved CRITICAL keeps the launch closed."
  stages={[
    { label: 'Static audit', sub: 'code · deps · git', tone: 'core' },
    { label: 'Security', sub: 'headers · CVEs' },
    { label: 'Performance', sub: 'CWV · DB · SEO' },
    { label: 'Accessibility', sub: 'WCAG · cookies' },
    { label: 'Functional QA', sub: 'flows · runtime' },
    { label: 'Sign-off', sub: 'pre-launch gate', tone: 'good' },
  ]}
/>

:::note[Gate]
**The app is verified running** (Phase 3) with all intended features present. You're auditing a complete app, not building one. The exit gate is a clean pre-launch checklist with **zero unresolved CRITICAL items**.
:::

## How this phase runs

The audit splits into three movements: a **static audit** of the code and supply chain, a set of **deep audits** (security, performance, database, SEO, accessibility, cookies), and **functional QA + debugger review** that drives the running app. Treat them as gates in order — a passing static audit makes the deep audits trustworthy, and clean deep audits make functional sign-off meaningful.

:::tip[Inspect → Plan → Approve → Fix]
For any audit that changes code (performance, SEO, accessibility), **inspect and document first, propose a fix plan, get approval, then fix**. Never let an agent rewrite Blade views or run package updates unattended on a CodeCanyon tree.
:::

Optional (SHOULD / OPTIONAL) tasks are **never silently skipped**. Surface what you're skipping and let the operator decide; list skips at the end even in fast mode.

## Pages in this phase

<CardGrid>
  <LinkCard title="1 · Static audit" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/01-static-audit/" description="Project structure, Composer audit, git hygiene, secrets scan — plus migration analysis and FVDUT storage classification." />
  <LinkCard title="2 · Security audit" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/02-security-audit/" description="Headers, ownership-aware vulnerability decisions, exposed files, admin + storage hardening, vulnerability register." />
  <LinkCard title="3 · Performance, DB & SEO" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/03-performance-db-seo/" description="Core Web Vitals, index coverage + N+1 hunting, indexing/canonical/robots fixes." />
  <LinkCard title="4 · Accessibility & cookies" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/04-accessibility-cookies/" description="WCAG 2.1 AA checks and GDPR/CCPA cookie inventory + consent verification." />
  <LinkCard title="5 · Functional QA + debugger" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/05-functional-qa/" description="Drive every journey/role (Playwright MCP), runtime security, then mine Telescope/Sentry/logs for hidden bugs." />
  <LinkCard title="6 · Pre-launch sign-off" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/06-sign-off/" description="The final checklist + the launch sequence. Any unresolved high-risk item = do not launch." />
</CardGrid>

Start with the **[Static audit](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/01-static-audit/)**.

# Phase 10 · Audit & QA

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/

:::start
**You are here:** [Playbook](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/) → **Phase 10 · Audit & QA**
**This phase is for you if:** you need proof the app is secure, fast, accessible, and complete before launch.
**Not this phase?** [Phase 9](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/09-growth-polish/) = polish · [Phase 11](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/11-pre-customer/) = business go/no-go.
:::

Run the end-to-end audit before anyone pays: prove the app is **secure, fast, accessible, and functionally complete**, then sign off. This phase is the last wide net — everything that follows assumes a clean bill of health.

<StageFlow
  title="Phase 10 — the audit & QA pipeline"
  caption="Each stage gates the next. Sign-off is a hard stop: any unresolved CRITICAL keeps the launch closed."
  stages={[
    { label: 'Static audit', sub: 'code · deps · git', tone: 'core' },
    { label: 'Security', sub: 'headers · CVEs' },
    { label: 'Performance', sub: 'CWV · DB · SEO' },
    { label: 'Accessibility', sub: 'WCAG · cookies' },
    { label: 'Functional QA', sub: 'flows · runtime' },
    { label: 'Sign-off', sub: 'pre-launch gate', tone: 'good' },
  ]}
/>

:::note[Gate]
**The app is verified running** (Phase 3) with all intended features present. You're auditing a complete app, not building one. The exit gate is a clean pre-launch checklist with **zero unresolved CRITICAL items**.
:::

## How this phase runs

The audit splits into three movements: a **static audit** of the code and supply chain, a set of **deep audits** (security, performance, database, SEO, accessibility, cookies), and **functional QA + debugger review** that drives the running app. Treat them as gates in order — a passing static audit makes the deep audits trustworthy, and clean deep audits make functional sign-off meaningful.

:::tip[Inspect → Plan → Approve → Fix]
For any audit that changes code (performance, SEO, accessibility), **inspect and document first, propose a fix plan, get approval, then fix**. Never let an agent rewrite Blade views or run package updates unattended on a CodeCanyon tree.
:::

Optional (SHOULD / OPTIONAL) tasks are **never silently skipped**. Surface what you're skipping and let the operator decide; list skips at the end even in fast mode.

## Pages in this phase

<CardGrid>
  <LinkCard title="1 · Static audit" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/01-static-audit/" description="Project structure, Composer audit, git hygiene, secrets scan — plus migration analysis and FVDUT storage classification." />
  <LinkCard title="2 · Security audit" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/02-security-audit/" description="Headers, ownership-aware vulnerability decisions, exposed files, admin + storage hardening, vulnerability register." />
  <LinkCard title="3 · Performance, DB & SEO" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/03-performance-db-seo/" description="Core Web Vitals, index coverage + N+1 hunting, indexing/canonical/robots fixes." />
  <LinkCard title="4 · Accessibility & cookies" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/04-accessibility-cookies/" description="WCAG 2.1 AA checks and GDPR/CCPA cookie inventory + consent verification." />
  <LinkCard title="5 · Functional QA + debugger" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/05-functional-qa/" description="Drive every journey/role (Playwright MCP), runtime security, then mine Telescope/Sentry/logs for hidden bugs." />
  <LinkCard title="6 · Pre-launch sign-off" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/06-sign-off/" description="The final checklist + the launch sequence. Any unresolved high-risk item = do not launch." />
</CardGrid>

Start with the **[Static audit](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/01-static-audit/)**.

You are here: Playbook → Phase 10 · Audit & QA This phase is for you if: you need proof the app is secure, fast, accessible, and complete before launch. Not this phase? Phase 9 = polish · Phase 11 = business go/no-go.

Run the end-to-end audit before anyone pays: prove the app is secure, fast, accessible, and functionally complete, then sign off. This phase is the last wide net — everything that follows assumes a clean bill of health.

Phase 10 — the audit & QA pipeline

Each stage gates the next. Sign-off is a hard stop: any unresolved CRITICAL keeps the launch closed.

How this phase runs

The audit splits into three movements: a static audit of the code and supply chain, a set of deep audits (security, performance, database, SEO, accessibility, cookies), and functional QA + debugger review that drives the running app. Treat them as gates in order — a passing static audit makes the deep audits trustworthy, and clean deep audits make functional sign-off meaningful.

Optional (SHOULD / OPTIONAL) tasks are never silently skipped. Surface what you’re skipping and let the operator decide; list skips at the end even in fast mode.

Pages in this phase

1 · Static audit Project structure, Composer audit, git hygiene, secrets scan — plus migration analysis and FVDUT storage classification.

2 · Security audit Headers, ownership-aware vulnerability decisions, exposed files, admin + storage hardening, vulnerability register.

3 · Performance, DB & SEO Core Web Vitals, index coverage + N+1 hunting, indexing/canonical/robots fixes.

4 · Accessibility & cookies WCAG 2.1 AA checks and GDPR/CCPA cookie inventory + consent verification.

5 · Functional QA + debugger Drive every journey/role (Playwright MCP), runtime security, then mine Telescope/Sentry/logs for hidden bugs.

6 · Pre-launch sign-off The final checklist + the launch sequence. Any unresolved high-risk item = do not launch.

Start with the Static audit.

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: Phase 10 · Audit & QA
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 10
- est_time: 8–16 hr
- description: The full pre-launch audit — static code & dependency checks, a security re-check, performance/DB/SEO/accessibility audits, functional QA across roles, debugger review, and a pre-launch sign-off gate.
- tags: codecanyon, laravel, qa, audit

## Execution rules (binding)
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# Phase 10 · Audit & QA

:::start
**You are here:** [Playbook](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/) → **Phase 10 · Audit & QA**
**This phase is for you if:** you need proof the app is secure, fast, accessible, and complete before launch.
**Not this phase?** [Phase 9](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/09-growth-polish/) = polish · [Phase 11](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/11-pre-customer/) = business go/no-go.
:::

Run the end-to-end audit before anyone pays: prove the app is **secure, fast, accessible, and functionally complete**, then sign off. This phase is the last wide net — everything that follows assumes a clean bill of health.

<StageFlow
  title="Phase 10 — the audit & QA pipeline"
  caption="Each stage gates the next. Sign-off is a hard stop: any unresolved CRITICAL keeps the launch closed."
  stages={[
    { label: 'Static audit', sub: 'code · deps · git', tone: 'core' },
    { label: 'Security', sub: 'headers · CVEs' },
    { label: 'Performance', sub: 'CWV · DB · SEO' },
    { label: 'Accessibility', sub: 'WCAG · cookies' },
    { label: 'Functional QA', sub: 'flows · runtime' },
    { label: 'Sign-off', sub: 'pre-launch gate', tone: 'good' },
  ]}
/>

:::note[Gate]
**The app is verified running** (Phase 3) with all intended features present. You're auditing a complete app, not building one. The exit gate is a clean pre-launch checklist with **zero unresolved CRITICAL items**.
:::

## How this phase runs

The audit splits into three movements: a **static audit** of the code and supply chain, a set of **deep audits** (security, performance, database, SEO, accessibility, cookies), and **functional QA + debugger review** that drives the running app. Treat them as gates in order — a passing static audit makes the deep audits trustworthy, and clean deep audits make functional sign-off meaningful.

:::tip[Inspect → Plan → Approve → Fix]
For any audit that changes code (performance, SEO, accessibility), **inspect and document first, propose a fix plan, get approval, then fix**. Never let an agent rewrite Blade views or run package updates unattended on a CodeCanyon tree.
:::

Optional (SHOULD / OPTIONAL) tasks are **never silently skipped**. Surface what you're skipping and let the operator decide; list skips at the end even in fast mode.

## Pages in this phase

<CardGrid>
  <LinkCard title="1 · Static audit" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/01-static-audit/" description="Project structure, Composer audit, git hygiene, secrets scan — plus migration analysis and FVDUT storage classification." />
  <LinkCard title="2 · Security audit" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/02-security-audit/" description="Headers, ownership-aware vulnerability decisions, exposed files, admin + storage hardening, vulnerability register." />
  <LinkCard title="3 · Performance, DB & SEO" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/03-performance-db-seo/" description="Core Web Vitals, index coverage + N+1 hunting, indexing/canonical/robots fixes." />
  <LinkCard title="4 · Accessibility & cookies" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/04-accessibility-cookies/" description="WCAG 2.1 AA checks and GDPR/CCPA cookie inventory + consent verification." />
  <LinkCard title="5 · Functional QA + debugger" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/05-functional-qa/" description="Drive every journey/role (Playwright MCP), runtime security, then mine Telescope/Sentry/logs for hidden bugs." />
  <LinkCard title="6 · Pre-launch sign-off" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/06-sign-off/" description="The final checklist + the launch sequence. Any unresolved high-risk item = do not launch." />
</CardGrid>

Start with the **[Static audit](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/01-static-audit/)**.

# Phase 10 · Audit & QA

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/

:::start
**You are here:** [Playbook](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/) → **Phase 10 · Audit & QA**
**This phase is for you if:** you need proof the app is secure, fast, accessible, and complete before launch.
**Not this phase?** [Phase 9](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/09-growth-polish/) = polish · [Phase 11](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/11-pre-customer/) = business go/no-go.
:::

Run the end-to-end audit before anyone pays: prove the app is **secure, fast, accessible, and functionally complete**, then sign off. This phase is the last wide net — everything that follows assumes a clean bill of health.

<StageFlow
  title="Phase 10 — the audit & QA pipeline"
  caption="Each stage gates the next. Sign-off is a hard stop: any unresolved CRITICAL keeps the launch closed."
  stages={[
    { label: 'Static audit', sub: 'code · deps · git', tone: 'core' },
    { label: 'Security', sub: 'headers · CVEs' },
    { label: 'Performance', sub: 'CWV · DB · SEO' },
    { label: 'Accessibility', sub: 'WCAG · cookies' },
    { label: 'Functional QA', sub: 'flows · runtime' },
    { label: 'Sign-off', sub: 'pre-launch gate', tone: 'good' },
  ]}
/>

:::note[Gate]
**The app is verified running** (Phase 3) with all intended features present. You're auditing a complete app, not building one. The exit gate is a clean pre-launch checklist with **zero unresolved CRITICAL items**.
:::

## How this phase runs

The audit splits into three movements: a **static audit** of the code and supply chain, a set of **deep audits** (security, performance, database, SEO, accessibility, cookies), and **functional QA + debugger review** that drives the running app. Treat them as gates in order — a passing static audit makes the deep audits trustworthy, and clean deep audits make functional sign-off meaningful.

:::tip[Inspect → Plan → Approve → Fix]
For any audit that changes code (performance, SEO, accessibility), **inspect and document first, propose a fix plan, get approval, then fix**. Never let an agent rewrite Blade views or run package updates unattended on a CodeCanyon tree.
:::

Optional (SHOULD / OPTIONAL) tasks are **never silently skipped**. Surface what you're skipping and let the operator decide; list skips at the end even in fast mode.

## Pages in this phase

<CardGrid>
  <LinkCard title="1 · Static audit" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/01-static-audit/" description="Project structure, Composer audit, git hygiene, secrets scan — plus migration analysis and FVDUT storage classification." />
  <LinkCard title="2 · Security audit" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/02-security-audit/" description="Headers, ownership-aware vulnerability decisions, exposed files, admin + storage hardening, vulnerability register." />
  <LinkCard title="3 · Performance, DB & SEO" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/03-performance-db-seo/" description="Core Web Vitals, index coverage + N+1 hunting, indexing/canonical/robots fixes." />
  <LinkCard title="4 · Accessibility & cookies" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/04-accessibility-cookies/" description="WCAG 2.1 AA checks and GDPR/CCPA cookie inventory + consent verification." />
  <LinkCard title="5 · Functional QA + debugger" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/05-functional-qa/" description="Drive every journey/role (Playwright MCP), runtime security, then mine Telescope/Sentry/logs for hidden bugs." />
  <LinkCard title="6 · Pre-launch sign-off" href="/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/06-sign-off/" description="The final checklist + the launch sequence. Any unresolved high-risk item = do not launch." />
</CardGrid>

Start with the **[Static audit](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/10-audit-qa/01-static-audit/)**.