# Navi Staging Smoke Test

Date: 2026-05-04

Run this checklist for every staging candidate.

## API

- `GET /v1/health` returns `status: ok`.
- Prisma migrations are applied with `pnpm --filter @navi/api prisma:migrate:deploy`.
- Seed data exists for UAE country, cities, roles, permissions, emergency numbers, and demo listings.
- Login, refresh, OTP verify, and password reset return expected responses.
- Invalid webhook signature returns unauthorized.
- Duplicate idempotency key replays or rejects according to request hash.

## Dashboard

- Unauthenticated user redirects to `/login`.
- Super admin can open Overview, Users, Roles, Permissions, Businesses, Listings, Bookings, Payments, Reports, Content, Audit Logs, and Settings.
- Partner/support users cannot render pages without required permissions.
- Sidebar only shows allowed navigation.
- `/memberships` exists and does not 404.

## Website

- `/en`, `/ar`, `/en/privacy`, `/ar/privacy`, `/en/terms`, `/ar/terms` build and render.
- `/sitemap.xml` and `/robots.txt` return valid responses.
- Arabic pages render with RTL direction.

## Mobile

- Login stores session.
- Expired access token refreshes once and retries the request.
- Signup OTP verify requires API success.
- Forgot password sends reset code and reset password path works.
- Profile and Settings links all open valid routes.
- Payment methods page clearly says production provider is not connected yet.

## Release Decision

- Mark as pass only when every critical check has a named evidence link.
- Any payment, webhook, auth, or RBAC failure is a no-go.