Kordant/android/docs/play-console-checklist.md

Play Console Release Checklist

Track all Play Console configuration items for Kordant release.

Phase 1: Preparation

Keystore & Signing

• Generate release keystore (./scripts/generate-release-key.sh)
• Back up keystore to password manager
• Back up keystore to offline secure storage
• Create key.properties from template
• Verify key.properties is in .gitignore
• Test signed build: ./gradlew bundleProdRelease
• Verify R8 obfuscation: check mapping.txt in build outputs

App Assets

• App icon (512×512 PNG, non-transparent)
• Feature graphic (1024×500, JPG or PNG)
• Phone screenshots (2-8, 16:9 or 9:16)
• Tablet screenshots (2-8, if supporting tablets)
• Promo video (optional, 30-120 seconds)
• Privacy policy URL live and accessible
• Terms of service URL live and accessible

Certificate Pins

• Replace placeholder pins in network_security_config.xml
• Extract production cert hash:

  echo | openssl s_client -connect api.kordant.com:443 -servername api.kordant.com 2>/dev/null \
    | openssl x509 -pubkey -noout \
    | openssl pkey -pubin -outform der 2>/dev/null \
    | openssl dgst -sha256 -binary \
    | openssl enc -base64
  

• Add backup pin for rotation

---

Phase 2: Play Console Setup

App Creation

• Create app in Play Console
• App name: Kordant
• Default language: English (US)
• Type: App
• Pricing: Free

App Signing

• Upload upload key certificate
• Enable Google Play App Signing
• Download and backup the Google-managed app signing key
• Record SHA-256 fingerprint for Firebase/Google Sign-In

Default App Information

• Contact email: support@kordant.ai
• Website: https://kordant.ai
• Privacy policy URL: https://kordant.ai/privacy

---

Phase 3: Store Listing

Main Store Listing

• Title: Kordant
• Short description (80 chars)
• Full description (4000 chars)
• Category: Tools
• App icon uploaded
• Feature graphic uploaded
• Phone screenshots uploaded
• Tablet screenshots uploaded (if applicable)

Localization

• English (US) — default
• Additional languages (plan for later)

---

Phase 4: Distribution

Pricing & Distribution

• Price: Free
• Countries: Select target markets
• Age rating: Complete IARC questionnaire

Content Rating (IARC)

• In-Game Purchases: Yes (subscriptions)
• Users Interact: Yes
• Shares Info: Yes
• All other content questions answered
• Expected rating: Everyone or Everyone 10+

Data Safety Form

• Data types declared
• Collection purposes explained
• Data sharing disclosed
• Encryption practices documented
• Data deletion option described

---

Phase 5: Testing

Internal Testing Track

• Internal testing track created
• Testers added (minimum 20)
• Testers accepted invitations
• First AAB uploaded
• AAB processing complete
• Testers can install from testing link
• App functions correctly on test devices

Firebase Test Lab

• Robo tests passing on Pixel 6
• Robo tests passing on Samsung Galaxy S21
• Robo tests passing on Xiaomi Redmi
• Instrumentation tests passing on all devices
• No crashes across device matrix
• Cold start under 1.5s on Pixel 6

---

Phase 6: Monetization (if applicable)

Subscriptions

• Pro Monthly (pro_monthly)
• Pro Annual (pro_annual)
• Family Monthly (family_monthly)
• Family Annual (family_annual)

Managed Products

• Single Scan (single_scan)
• Removal Pack (removal_pack)

Promo Codes

• Internal testing codes generated
• Beta tester codes generated

---

Phase 7: Security & Integrity

Play Integrity API

• Play Integrity enabled in Play Console
• PlayIntegrityManager integrated in app
• Server-side verification configured
• Nonce-based replay protection implemented

App Integrity

• Certificate pinning active (real hashes)
• Root detection blocking/degrading gracefully
• EncryptedSharedPreferences for sensitive data
• Network security config blocks cleartext
• Backup disabled (android:allowBackup="false")

---

Phase 8: Pre-Release Verification

Build Verification

• Release build: ./gradlew bundleProdRelease
• No R8/ProGuard crashes
• All TRPC endpoints functional
• Google Sign-In working with production SHA-256
• FCM push notifications working
• Deep links routing correctly
• Offline queue resolving sync conflicts
• Token refresh working silently

Play Console Verification

• All sections show green/complete
• No policy violations
• Store listing preview looks correct
• All screenshots display properly
• Feature graphic displays correctly

Final Checks

• Version code incremented
• Version name updated
• Release notes written
• ProGuard mapping.txt saved
• Keystore backed up

---

Notes

• Keystore: If lost, you can still upload new versions with a new key, but existing users won't be able to update. Google Play App Signing mitigates this risk.
• Version codes: Must be strictly increasing. Never reuse a versionCode.
• Processing time: AAB processing can take 10-30 minutes after upload.
• Review time: First-time app review can take up to 7 days. Subsequent updates are faster.
• Internal testing: Fastest distribution method. Testers get immediate access after rollout.