# 08 Final QA — aieditorrsp

- tenant: site-aieditorrsp-20260528
- project_slug: aieditorrsp
- domain: https://aieditorrsp.net
- primary_keyword: AI image editor with prompt
- product_name: AI Editor RSP
- qa_owner: 墨测
- checked_at_utc: 2026-06-02
- repo: /root/projects/aieditorrsp
- verified_commit: 28ed7086dc3b3c8b5415038ba08b12ca0f3d5401
- production_url: https://aieditorrsp.net
- conclusion: QA_NO_GO

## Bottom line

QA_NO_GO. The post-08F2 Stitch visual restoration is live, route/SEO/build checks pass, and the public UI now exposes upload + prompt + generate controls across desktop and mobile. However, the core user task still fails: safe image generation through production `/api/generate-image` returned `503 PROVIDER_FAILURE` twice, including a browser-driven upload/generate attempt and a direct API smoke with a 512px JPG. Lighthouse also regressed below the launch threshold: Performance 57 and LCP about 9.1s on two runs.

This is not launch-ready. Do not hand to launch ops until provider generation and performance are repaired and rechecked.

## Gate results

| Area | Status | Evidence |
|---|---:|---|
| Source/build sync | GO | `git rev-parse HEAD` = `28ed7086dc3b3c8b5415038ba08b12ca0f3d5401`; `git status --short --branch` = `## main...origin/main`; `npm run verify`, `npm run seo:audit`, `npm run build` passed. |
| Required routes/API smoke | GO | `/`, editor, prompt-library, SEO pages, pricing, legal pages, `robots.txt`, `sitemap.xml`, `/api/health`, `/api/credits`, `/api/prompt-templates` returned 200/valid responses. Artifact: `08-production-smoke.json`. |
| SEO basics | GO | Local `seo:audit` passed all 11 routes; production sampled title/meta/canonical/single H1/OG/JSON-LD; sitemap contains 11 URLs and all sampled URLs returned 200 without `noindex`. |
| Design fidelity after 08F2 | GO | Desktop visual check confirms industrial Stitch-style dark studio, amber CTA, mint status/prompt accents, editor console, prompt stack, pricing cards, and footer. No obvious first-viewport overlap or horizontal overflow. |
| Desktop real user UI | GO | Homepage exposes visible nav, CTA, file input, textarea, template buttons, generate button, account/credits links. Pricing page cards and checkout CTAs are readable/aligned. |
| Mobile 390px | GO with P2 polish | 390px homepage is single-column, no detected horizontal overflow, nav links are visible, upload/prompt/generate controls are usable. Text is dense/small in the header/editor console, but not launch-blocking compared with core failure. |
| Core safe generation | FAIL / P0 | Browser-driven upload + prompt + generate ended in `PROVIDER_FAILURE`. Direct API safe generation with `qa-source.png` returned 503, then with a 512px portrait-like JPG returned 503: `{"ok":false,"code":"PROVIDER_FAILURE","provider":"fal","model":"fal-ai/flux-pro/kontext"}`. |
| Unsafe prompt gate | GO | Direct multipart unsafe prompt returned 400 `UNSAFE_PROMPT_BLOCKED`; safe prompt without image returned 400 `IMAGE_REQUIRED`, confirming validation path. |
| Auth/checkout redirect | PARTIAL GO | Anonymous `/api/checkout/stripe?plan=monthly` returns 302 to login; `/api/auth/login?return_to=/pricing` returns 302 to Google OAuth with callback `https://aieditorrsp.net/api/auth/callback/google`. No authenticated checkout/payment E2E session available. |
| Analytics | P1 | Production homepage includes Plausible and Clarity signals, but no GA4 script or Google site verification hint detected in HTML during this QA run. Dashboards/GSC/Bing/Crawler Hints were not available to verify from this task. |
| Security headers | P1 | HTTPS works, no obvious public secret strings in homepage HTML, but response scan found no CSP/HSTS/X-Frame-Options/X-Content-Type-Options/Referrer-Policy headers on `/`. |
| Console errors | GO | Browser console after visual/user-flow checks: 0 console messages, 0 JS errors. |
| Performance | FAIL / P1 | Lighthouse run 1: Performance 57, A11y 98, BP 100, SEO 100, LCP 9105ms, CLS 0.044. Rerun: Performance 57, LCP 9211ms, CLS 0. Both fail QA target Performance >=80 and LCP <2.5s. |

## P0 blockers

### QA-P0-001 — Core provider generation fails in production

Normal users can upload and click generate, but production returns provider failure before any usable result URL is produced.

Evidence:

```bash
curl -X POST https://aieditorrsp.net/api/generate-image \
  -F image=@qa-portrait512.jpg \
  -F 'prompt=cinematic editorial portrait with soft side lighting, natural skin texture, clean background, and safe prompt constraints' \
  -F template=editorial
# HTTP 503
# {"ok":false,"code":"PROVIDER_FAILURE","message":"The image provider failed before a usable result was returned. No credits were charged by this site.","provider":"fal","model":"fal-ai/flux-pro/kontext"}
```

Browser UI evidence:

- file input accepted a generated PNG file;
- prompt textarea accepted a safe prompt;
- generate button entered `PENDING`;
- final status: `PROVIDER_FAILURE / Generation blocked`.

Impact: core product promise “upload image + prompt edit + preview/download result” fails. This is launch-blocking.

## P1 blockers / fix-before-launch

### QA-P1-001 — Lighthouse performance below QA threshold

Two Lighthouse runs on homepage both returned Performance 57 and LCP about 9.1s. This regressed from the earlier 08G report and is below QA target Performance >=80 / LCP <2.5s.

Artifacts:

- `/root/.hermes/reports/site-aieditorrsp-20260528/08-lighthouse-home.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-lighthouse-summary.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-lighthouse-home-rerun.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-lighthouse-summary-rerun.json`

### QA-P1-002 — Analytics/webmaster evidence incomplete

Plausible and Clarity script signals are present. GA4 and Google site verification were not detected in production homepage HTML, and this task could not verify GA4 dashboard, GSC, Bing Webmaster, Cloudflare Crawler Hints, or IndexNow state.

Impact: data collection/launch ops chain is incomplete unless another launch task has dashboard/API evidence.

### QA-P1-003 — Security response headers absent in scan

Production `/` did not return CSP, HSTS, X-Frame-Options, X-Content-Type-Options, or Referrer-Policy in the Python HTTP scan. This should be fixed at Worker/Next response-header level before launch or explicitly waived by owner.
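A header audit for the recheck of this finding, as an added example (not the `qa_smoke.py` used in this QA run). The function names and the 180-day HSTS minimum are assumptions, and the sample header sets are constructed.

```python
import re
import urllib.request

MIN_HSTS_MAX_AGE = 15552000  # assumption: 180 days; the report sets no value


def audit_security_headers(headers):
    """Return {header name: problem} for the five headers in QA-P1-003."""
    h = {k.lower(): v.strip() for k, v in headers.items()}  # names are case-insensitive
    findings = {}
    csp = h.get("content-security-policy", "")
    if not csp:
        findings["Content-Security-Policy"] = "missing"
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts, re.I)
    if not hsts:
        findings["Strict-Transport-Security"] = "missing"
    elif not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings["Strict-Transport-Security"] = "max-age absent or too short"
    # Framing control: X-Frame-Options, or the CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").upper()
    has_frame_ancestors = any(
        d.strip().lower().startswith("frame-ancestors ") for d in csp.split(";"))
    if xfo not in ("DENY", "SAMEORIGIN") and not has_frame_ancestors:
        findings["X-Frame-Options"] = "missing or invalid, and no frame-ancestors"
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings["X-Content-Type-Options"] = "missing or not 'nosniff'"
    if not h.get("referrer-policy"):
        findings["Referrer-Policy"] = "missing"
    return findings


def fetch_headers(url):
    """GET the URL and return its response headers as a dict (body is not read)."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed samples: a response with none of the headers, and a hardened one.
BARE = {"Content-Type": "text/html; charset=utf-8"}
HARDENED = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
```

An empty result from `audit_security_headers(fetch_headers("https://aieditorrsp.net/"))` would close this finding; `HARDENED` passes without `X-Frame-Options` because `frame-ancestors` covers framing.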

## P2 polish

- Mobile header/nav and editor-console text are compact; usable, but denser than ideal for 390px.
- Homepage contains the phrase “there are no unlimited generation claims.” This is safe context, not stale unlimited plan copy, but copy scanners may flag the token “unlimited”; keep wording clear.
- Contact/performance comparison thumbnails remain abstract/self-authored, not final owned before/after photos.

## Verification commands / artifacts

Commands run:

```bash
git -C /root/projects/aieditorrsp rev-parse HEAD
git -C /root/projects/aieditorrsp status --short --branch
npm run verify
npm run seo:audit
npm run build
python3 /root/.hermes/kanban/boards/site-factory/workspaces/t_1ced1a6d/qa_smoke.py
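# curl: multipart POST to /api/generate-image with an unsafe prompt
# curl: multipart POST to /api/generate-image with a safe prompt and qa-source.png
# curl: multipart POST to /api/generate-image with a safe prompt and qa-portrait512.jpg (full command under QA-P0-001)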
npx lighthouse https://aieditorrsp.net --output=json --output-path=08-lighthouse-home.json --chrome-flags='--headless --no-sandbox' --quiet
npx lighthouse https://aieditorrsp.net --output=json --output-path=08-lighthouse-home-rerun.json --chrome-flags='--headless --no-sandbox' --quiet
# browser desktop visual/DOM check
# browser 390px visual/DOM check
# browser console check
```

Artifacts:

- `/root/.hermes/reports/site-aieditorrsp-20260528/08-qa.md`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-production-smoke.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-api-redirect-safety-smoke.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-safe-generate-smoke.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-safe-generate-smoke-portrait512.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-lighthouse-home.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-lighthouse-summary.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-lighthouse-home-rerun.json`
- `/root/.hermes/reports/site-aieditorrsp-20260528/08-lighthouse-summary-rerun.json`

## Next inputs

For backend/provider owner:

- repair production fal generation path and re-run safe image upload -> result URL with a normal JPG/PNG;
- preserve unsafe prompt blocking before provider call;
- confirm credits are only charged after provider success.

For frontend/infra owner:

- restore Lighthouse Performance >=80 and reduce LCP materially;
- add/verify security headers at Worker/Next response layer;
- add/verify GA4/GSC/Bing/IndexNow/Crawler Hints evidence or provide waiver.

For QA recheck:

- rerun only blocked areas plus quick regression: core upload/generate/result, homepage Lighthouse, route/API/SEO smoke, analytics/security headers, 390px mobile.

## Final verdict

QA_NO_GO
