# Testing Checklist

## Vercel Environment

Confirm these are set on the Payment Gateway API project:

```text
STRIPE_SECRET_KEY
STRIPE_WEBHOOK_SECRET
DATABASE_URL
PUBLIC_BASE_URL
MERCHANT_TOKEN_SECRET
ADMIN_TOKEN
DEFAULT_CHARGE_TYPE
DEFAULT_PLATFORM_FEE_PERCENT
```

## Merchant Config

Confirm the merchant exists in the admin dashboard:

```text
/admin/dashboard
```

Verify the merchant has an active token and callback URL.

## WooCommerce Plugin

Confirm merchant settings:

```text
Payment Gateway API Base URL=https://your-platform-api.example
Payment Gateway Merchant Token=merchant token issued after onboarding or token rotation
```

## Processor

Create a processor webhook endpoint:

```text
https://your-platform-api.example/webhooks/processor
```

Subscribe to:

```text
checkout.session.completed
checkout.session.async_payment_succeeded
checkout.session.async_payment_failed
checkout.session.expired
```

## Test Payment

Use the processor test card:

```text
4242 4242 4242 4242
```

Expected result:

1. WooCommerce redirects to Checkout.
2. Customer completes test payment.
3. Processor sends webhook to Payment Gateway API.
4. Payment Gateway API sends signed callback to WooCommerce.
5. WooCommerce order changes from pending to paid.

## Restricted Product Test

Create a test product whose name contains one term from the internal restricted catalog.

Expected result:

1. WooCommerce does not redirect to Checkout.
2. The Payment Gateway API returns HTTP `422` with `code=restricted_item`.
3. The shopper sees a generic checkout denial.
4. No Checkout Session is created.

## Common Failures

`Invalid merchant token`

The WooCommerce token does not hash to the stored `token_hash`.

In the admin dashboard, generate a replacement token for the merchant and paste it into WooCommerce.

`No payable line items`

The order payload contains no positive line item, shipping, fee, or tax values.

WooCommerce order stays pending

The processor webhook is missing, the webhook secret is wrong, connected-account events are not enabled, the callback URL is wrong, or the merchant token differs from the token hash used to sign callbacks.
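
To tell the token failure and the callback-signing failure above apart, this added example (not the project's code) recomputes both checks offline. It assumes `token_hash` is the hex SHA-256 of the merchant token and that callbacks carry a hex HMAC-SHA256 of the raw body keyed with that hash; the page does not state the actual algorithms, and `hash_token`, `sign_callback`, `diagnose` and the sample values are hypothetical.

```python
# Added example, not the project's code. Assumed scheme (the page does not state it):
#   token_hash         = hex(SHA-256(merchant token))
#   callback signature = hex(HMAC-SHA256(key=token_hash, msg=raw callback body))
import hashlib
import hmac
import json


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def sign_callback(token_hash: str, raw_body: bytes) -> str:
    return hmac.new(token_hash.encode("utf-8"), raw_body, hashlib.sha256).hexdigest()


def _same(a: str, b: str) -> bool:
    # Constant-time comparison; encoding first avoids TypeError on non-ASCII input.
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def diagnose(woo_token: str, stored_token_hash: str, raw_body: bytes, signature: str) -> str:
    """Name the checklist failure (if any) that explains a rejected callback."""
    if not _same(hash_token(woo_token), stored_token_hash):
        return "token_mismatch"  # "Invalid merchant token": rotate and re-paste
    if not _same(sign_callback(stored_token_hash, raw_body), signature):
        return "bad_signature"  # body changed after signing, or signed with another key
    return "ok"


def build_sample() -> dict:
    """Constructed sample values, for illustration only."""
    woo_token = "example-merchant-token"
    stored = hash_token(woo_token)
    body = json.dumps({"order_id": 1001, "status": "paid"}).encode("utf-8")
    return {"woo_token": woo_token, "stored_token_hash": stored,
            "raw_body": body, "signature": sign_callback(stored, body)}


if __name__ == "__main__":
    s = build_sample()
    print(diagnose(**s))
    print(diagnose(**{**s, "woo_token": "token-from-before-rotation"}))
    print(diagnose(**{**s, "raw_body": s["raw_body"].replace(b"1001", b"1002")}))
```

Verify against the raw request bytes, not a re-serialized body, since any change in whitespace or key order alters the HMAC.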
