System Testing Checklist

Verify the staging VPC, IAM roles, and database credentials do not overlap with production. A common gotcha: a staging Lambda still pointing at the prod RDS endpoint because someone copied an env var. Spot-check the secrets manager paths and the outbound network ACLs before kicking off tests.

Confirm OS version, Postgres major version, Redis version, Kubernetes node image, and feature flag defaults match prod. Drift on minor versions (PG 15.4 vs 15.7) is fine; drift on major versions invalidates the test run.

Pull the fix-version filter for the release candidate and walk the linked PRs. Flag any story without acceptance criteria back to the PM before writing test cases — a fuzzy AC is the most common reason a defect gets bounced as 'works as designed' later.

Add or amend Playwright / Cypress cases for new user stories; mark superseded cases as deprecated rather than deleting (audit trail). Tag flaky cases with a quarantine label so they run but don't gate the suite.

Trigger the suite from CI against the tagged release candidate (e.g., v2024.45.0-rc.1), not against latest main. Capture the run ID and any quarantined-test results separately so the report is reproducible.

Time-box charters at 60-90 minutes per tester per feature. Take notes in a session log; file any unexpected behavior as a defect even if it doesn't violate a written AC — the AC may be incomplete.

Hit 2x peak prod RPS for 15 minutes against the critical user paths. Watch p95 and p99 latency, error rate, and DB connection pool saturation in Datadog. A green load test where p99 doubles is still a fail — eyeball the dashboard, don't trust the exit code.

Trigger Semgrep / CodeQL on the RC sha and review Snyk or Dependabot output for new criticals. Any new CVE rated CVSS 7.0+ blocks the release unless the AppSec lead signs off on a documented exception.

Hit Stripe, Auth0/Okta, Segment, and any sandbox endpoints used in the changed code paths. Confirm webhooks deliver and signatures verify; a silent webhook failure won't show in the regression suite.

Publish synthetic events through SQS / Kafka / RabbitMQ and confirm consumers process them with the expected schema. Check the DLQ count before and after — silent schema drift surfaces here first.

Each ticket needs build sha, browser/OS, exact repro steps, expected vs actual, and a screenshot or HAR. Tickets without a sha get bounced — the first thing engineering will ask is which build it reproduced on.

SEV1 = data loss or auth bypass, blocks release. SEV2 = critical path broken, blocks release unless workaround exists. SEV3 = ships with a follow-up. Triage with the release captain and a PM in the room — severity is a business call, not a QA call.

If any SEV1/SEV2 remains open, the release does not promote — the team cuts a new RC. If all blockers are closed or accepted, proceed to closure.

Tag the next RC (e.g., v2024.45.0-rc.2), notify the release captain in #engineering, and restart functional regression against the new sha. Do not cherry-pick fixes onto the prior RC tag — re-cut from the release branch.

Post to Confluence: cases run, pass rate, defects opened by severity, accepted-with-follow-up tickets, performance deltas vs prior release. Link the CI run, the load test dashboard, and the migration timing.

QA lead signs off only after the summary is reviewed by the release captain. This signature is the SOC 2 change-management artifact auditors ask for; do not skip it even on a quiet release.