
E-Commerce — Checklists

OWNER: aimee (scoping)
ALSO_USED_BY: anna (spec), faye (PM Alfa), sytske (PM Bravo), floris, floor (frontend), urszula, maxim (backend)
LAST_VERIFIED: 2026-03-26


Overview

Machine-parseable checklists for every phase of an e-commerce project. Aimee uses the scope checklist during client calls. Developers use the implementation checklist during build. PMs use the pre-launch checklist before go-live.


SCOPE CHECKLIST (for Aimee — client scoping calls)

Business Model

  • [ ] CHECK: Identified business model (B2C / D2C / subscription / marketplace-lite) IF_SKIPPED: Wrong archetype variant selected, scope misaligned
  • [ ] CHECK: Physical products, digital products, or both? IF_SKIPPED: Missing shipping/fulfillment scope
  • [ ] CHECK: Target market defined (NL only, EU, international) IF_SKIPPED: Wrong payment methods, wrong shipping, wrong VAT config
  • [ ] CHECK: Number of products estimated (<100, 100-1000, 1000+) IF_SKIPPED: Wrong search strategy (Postgres vs Meilisearch)
  • [ ] CHECK: Subscription/recurring revenue model needed? IF_SKIPPED: Missing recurring billing scope

Product Catalog

  • [ ] CHECK: Product variants needed? How many axes? (size, color, material) IF_SKIPPED: Schema redesign mid-project
  • [ ] CHECK: Category structure discussed (flat, hierarchical, how deep) IF_SKIPPED: Navigation architecture wrong
  • [ ] CHECK: Inventory management approach (manual, POS sync, warehouse sync) IF_SKIPPED: Stock accuracy issues at launch
  • [ ] CHECK: Multi-language needed? IF_SKIPPED: Adding i18n late costs roughly 3x more than building it in from the start
  • [ ] CHECK: Multi-currency needed? IF_SKIPPED: Adding currency support later means a complex migration

Checkout & Payments

  • [ ] CHECK: Payment methods identified (iDEAL, cards, Bancontact, Klarna, PayPal, SEPA) IF_SKIPPED: Wrong Mollie configuration, missing methods at launch
  • [ ] CHECK: Guest checkout confirmed as requirement (always yes for B2C) IF_SKIPPED: 35% cart abandonment from forced registration
  • [ ] CHECK: Shipping zones and methods defined IF_SKIPPED: Wrong shipping cost calculation
  • [ ] CHECK: Free shipping threshold discussed? IF_SKIPPED: Missing marketing lever
  • [ ] CHECK: Invoice generation needed? IF_SKIPPED: Manual invoicing burden on client

Integrations

  • [ ] CHECK: Shipping carrier identified (PostNL, DHL, aggregator) IF_SKIPPED: No label generation, manual shipping
  • [ ] CHECK: Accounting software identified (Exact, Moneybird, other, none) IF_SKIPPED: Missing integration scope or manual data entry
  • [ ] CHECK: Email marketing platform identified (Brevo (FR) preferred — EU-hosted. Mailchimp (US) only if client demands — sovereignty warning. Klaviyo (US) — sovereignty warning.) IF_SKIPPED: No subscriber sync, manual newsletter management
  • [ ] CHECK: Analytics requirements discussed (Plausible (EU) preferred — cookie-free. GA4 (US) only if client requires Google Ads integration — sovereignty warning.) IF_SKIPPED: No conversion tracking at launch
  • [ ] CHECK: Existing systems that need integration? (POS, ERP, warehouse, CRM) IF_SKIPPED: Late-discovered integration = scope creep

Marketing Features

  • [ ] CHECK: Discount codes / coupons needed? IF_SKIPPED: Missing at launch, client asks for it week 1
  • [ ] CHECK: Reviews and ratings needed? IF_SKIPPED: Missing social proof
  • [ ] CHECK: Wishlist needed? IF_SKIPPED: Lower engagement metric
  • [ ] CHECK: Referral program needed? IF_SKIPPED: Missing growth lever (usually not MVP)
  • [ ] CHECK: Abandoned cart recovery needed? IF_SKIPPED: Lost revenue recovery opportunity

Compliance

  • [ ] CHECK: GDPR requirements reviewed with client IF_SKIPPED: Legal liability, fines up to 4% of revenue
  • [ ] CHECK: Privacy policy — client has one or needs template? IF_SKIPPED: Launch blocked (legally required)
  • [ ] CHECK: Terms & conditions — client has or needs template? IF_SKIPPED: Launch blocked (legally required)
  • [ ] CHECK: Cookie consent implementation discussed IF_SKIPPED: AP (Dutch DPA) enforcement risk
  • [ ] CHECK: EAA accessibility requirement communicated to client IF_SKIPPED: Legal risk (fines up to EUR 500K in Germany, EUR 1M in Spain)
  • [ ] CHECK: Age-restricted products? (alcohol, tobacco) IF_SKIPPED: Legal liability for selling to minors
  • [ ] CHECK: Client aware of 14-day withdrawal obligation? IF_SKIPPED: Client surprised by returns

Design & UX

  • [ ] CHECK: Brand guidelines available? IF_SKIPPED: Design phase delayed
  • [ ] CHECK: Logo and assets available? IF_SKIPPED: Placeholder design, rework later
  • [ ] CHECK: Mobile-first requirement confirmed? IF_SKIPPED: Poor mobile experience (60-70% of e-commerce traffic is mobile)
  • [ ] CHECK: Product photography available or planned? IF_SKIPPED: Launch delayed or poor product presentation

IMPLEMENTATION CHECKLIST (for developers — during build)

Foundation

  • [ ] CHECK: Drizzle schema includes all required tables (products, variants, categories, orders, etc.) IF_SKIPPED: Schema migration mid-sprint
  • [ ] CHECK: Prices stored as integers (cents), not floats IF_SKIPPED: Rounding errors, financial discrepancies
  • [ ] CHECK: All slugs have unique constraints IF_SKIPPED: Duplicate slugs break routing
  • [ ] CHECK: Soft delete on users and orders (deleted_at column) IF_SKIPPED: GDPR deletion breaks order history
  • [ ] CHECK: Environment variables for all API keys and secrets IF_SKIPPED: Credentials in git

Authentication

  • [ ] CHECK: Passwords hashed with bcrypt (cost factor 12) IF_SKIPPED: Weak password storage
  • [ ] CHECK: httpOnly secure cookies for sessions IF_SKIPPED: Session cookie readable by injected scripts (XSS) or sent over plain HTTP
  • [ ] CHECK: Rate limiting on auth endpoints IF_SKIPPED: Brute force vulnerability
  • [ ] CHECK: Login error message is generic ("Invalid credentials") IF_SKIPPED: Email enumeration vulnerability
  • [ ] CHECK: Email verification flow implemented IF_SKIPPED: Fake email registrations

Cart & Checkout

  • [ ] CHECK: Guest checkout works without login IF_SKIPPED: Forced registration abandonment
  • [ ] CHECK: Cart merges on login (localStorage + DB) IF_SKIPPED: Cart items lost on login
  • [ ] CHECK: Stock validated at cart view, checkout start, and payment creation IF_SKIPPED: Overselling
  • [ ] CHECK: Stock reserved during checkout (15-min window) IF_SKIPPED: Concurrent checkouts oversell the same units (race condition)
  • [ ] CHECK: Order button says "Order with obligation to pay" (or equivalent) IF_SKIPPED: EU legal violation
  • [ ] CHECK: Country defaults to Netherlands (not US) IF_SKIPPED: Wrong shipping cost and VAT
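
Added example (not part of this wiki page or the project code): an in-memory stock ledger that implements the "validated at checkout start / payment creation" and "reserved for 15 minutes" checks above. Available stock is on-hand stock minus unexpired reservations, so a second shopper cannot reserve units that are already in someone's checkout, and an abandoned checkout frees its units once the window passes. The StockLedger class, its method names and the SKU are assumptions for the example.

```typescript
// Added example, not project code. Time is passed in explicitly so the
// 15-minute expiry can be exercised without waiting.
const RESERVATION_WINDOW_MS = 15 * 60 * 1000; // the 15-minute window from the checklist

interface Reservation { sku: string; qty: number; expiresAt: number; }

export class StockLedger {
  private onHand = new Map<string, number>();
  private reservations = new Map<string, Reservation>(); // keyed by checkout id

  constructor(initial: Record<string, number>) {
    for (const [sku, qty] of Object.entries(initial)) this.onHand.set(sku, qty);
  }

  // Units not held by any live reservation at instant `now`.
  available(sku: string, now: number): number {
    let reserved = 0;
    for (const r of this.reservations.values()) {
      if (r.sku === sku && r.expiresAt > now) reserved += r.qty;
    }
    return (this.onHand.get(sku) ?? 0) - reserved;
  }

  // Checkout start: take a reservation or refuse. Check and write happen in one
  // call so two checkouts cannot both pass the same check; in a real deployment
  // this is a single transaction or atomic conditional update.
  reserve(checkoutId: string, sku: string, qty: number, now: number): boolean {
    if (qty <= 0 || this.available(sku, now) < qty) return false;
    this.reservations.set(checkoutId, { sku, qty, expiresAt: now + RESERVATION_WINDOW_MS });
    return true;
  }

  // Payment confirmed: turn the reservation into a real decrement. Returns false
  // when the reservation has expired, meaning stock must be validated again.
  commit(checkoutId: string, now: number): boolean {
    const r = this.reservations.get(checkoutId);
    if (!r || r.expiresAt <= now) return false;
    this.onHand.set(r.sku, (this.onHand.get(r.sku) ?? 0) - r.qty);
    this.reservations.delete(checkoutId);
    return true;
  }

  // Customer left checkout: give the units back immediately.
  release(checkoutId: string): void {
    this.reservations.delete(checkoutId);
  }

  // Housekeeping: drop expired reservations; returns how many were removed.
  sweep(now: number): number {
    let dropped = 0;
    for (const [id, r] of this.reservations) {
      if (r.expiresAt <= now) {
        this.reservations.delete(id);
        dropped++;
      }
    }
    return dropped;
  }
}
```

Note that `commit` refusing an expired reservation is what makes the payment-creation check meaningful: a shopper who sat on the payment page for twenty minutes must go through `reserve` again rather than being handed units that were already sold to someone else.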

Payments

  • [ ] CHECK: Mollie webhook endpoint is publicly accessible IF_SKIPPED: Payments not confirmed, orders stuck in pending
  • [ ] CHECK: Webhook fetches payment from Mollie API (never trusts body) IF_SKIPPED: Payment status spoofing vulnerability
  • [ ] CHECK: Webhook processing is idempotent IF_SKIPPED: Duplicate order confirmations, double stock decrease
  • [ ] CHECK: Payment confirmation comes from the webhook, not from the customer redirect (never assume success from redirect) IF_SKIPPED: Orders confirmed without actual payment
  • [ ] CHECK: All XADD calls have MAXLEN IF_SKIPPED: Unbounded Redis memory growth
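
Added example (not part of this wiki page, and not Mollie's SDK): a webhook handler that follows the payment checks above. Only the payment id is read from the request body; the status is fetched from the payments API; a processed-payments set makes duplicate deliveries harmless; and the customer's landing page only reflects what the webhook has already recorded. The PaymentsApi interface, the in-memory store, `fakeMollie` and the `tr_…` ids are assumptions constructed for the example.

```typescript
// Added example, not project or Mollie code. The PaymentsApi interface is a
// hypothetical stand-in for "look up the payment by id at the provider".
export type PaymentStatus = "open" | "pending" | "paid" | "failed" | "canceled" | "expired";

export interface PaymentsApi {
  get(paymentId: string): { id: string; status: PaymentStatus; orderId: string } | undefined;
}

export interface OrderStore {
  status: Map<string, "pending" | "paid" | "failed">;
  processedPayments: Set<string>; // idempotency ledger: payment ids already handled
  stockDecrements: number;        // how many times stock was decreased (should be once per paid order)
}

export interface WebhookResult { httpStatus: number; action: string; }

export function handleMollieWebhook(
  body: Record<string, unknown>,
  api: PaymentsApi,
  store: OrderStore,
): WebhookResult {
  // 1. Only the id is taken from the body. A "status" field in the body is
  //    ignored: anyone who knows the URL can POST to it.
  const paymentId = typeof body.id === "string" ? body.id : null;
  if (!paymentId) return { httpStatus: 400, action: "rejected: missing id" };

  // 2. The authoritative status comes from the provider, never from the request.
  const payment = api.get(paymentId);
  if (!payment) return { httpStatus: 404, action: "ignored: unknown payment" };

  // 3. Idempotency: a replayed or duplicated webhook for a payment that was
  //    already handled must not confirm the order or decrease stock again.
  if (store.processedPayments.has(payment.id)) {
    return { httpStatus: 200, action: "ignored: already processed" };
  }

  if (payment.status === "paid") {
    store.processedPayments.add(payment.id);
    store.status.set(payment.orderId, "paid");
    store.stockDecrements += 1; // stands in for the real stock update and confirmation email
    return { httpStatus: 200, action: `order ${payment.orderId} confirmed` };
  }
  if (payment.status === "failed" || payment.status === "canceled" || payment.status === "expired") {
    store.processedPayments.add(payment.id);
    store.status.set(payment.orderId, "failed");
    return { httpStatus: 200, action: `order ${payment.orderId} marked failed` };
  }
  // open / pending: not final, record nothing; a later webhook will follow.
  return { httpStatus: 200, action: "no-op: payment not final" };
}

// 4. The page shown after the customer is redirected back reflects only the
//    webhook-recorded state. A redirect on its own never marks an order paid.
export function landingPage(store: OrderStore, orderId: string): "thank-you" | "processing" | "failed" {
  const s = store.status.get(orderId);
  if (s === "paid") return "thank-you";
  if (s === "failed") return "failed";
  return "processing";
}

// Constructed in-memory provider and store for a stand-alone run.
export function fakeMollie(
  payments: Record<string, { status: PaymentStatus; orderId: string }>,
): PaymentsApi {
  return { get: (id) => (id in payments ? { id, ...payments[id] } : undefined) };
}

export function newStore(orderIds: string[]): OrderStore {
  const status = new Map<string, "pending" | "paid" | "failed">();
  for (const id of orderIds) status.set(id, "pending");
  return { status, processedPayments: new Set(), stockDecrements: 0 };
}
```

In production the processed-payments set and the order status update belong in the same database transaction, so a crash between the two cannot leave a paid order that is re-confirmed (double stock decrement) or an unconfirmed one that is never retried.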

Email

  • [ ] CHECK: Order confirmation email includes withdrawal information IF_SKIPPED: EU legal violation, extended withdrawal period
  • [ ] CHECK: Marketing emails have unsubscribe link IF_SKIPPED: GDPR violation, spam complaints
  • [ ] CHECK: Email sending is async (not in DB transaction) IF_SKIPPED: Failed email = failed order

SEO & Performance

  • [ ] CHECK: Meta titles and descriptions on all pages IF_SKIPPED: Poor search engine visibility
  • [ ] CHECK: Open Graph tags for social sharing IF_SKIPPED: Ugly link previews on social media
  • [ ] CHECK: Images lazy-loaded with proper dimensions IF_SKIPPED: Poor Core Web Vitals (CLS)
  • [ ] CHECK: Product images served via CDN (BunnyCDN) with WebP IF_SKIPPED: Slow page loads, high bandwidth cost

PRE-LAUNCH CHECKLIST (for PM — before go-live)

  • [ ] CHECK: Privacy policy published and linked from footer IF_SKIPPED: Launch blocked — legally required
  • [ ] CHECK: Terms & conditions published and linked from footer IF_SKIPPED: Launch blocked — legally required
  • [ ] CHECK: Cookie policy published IF_SKIPPED: GDPR non-compliance
  • [ ] CHECK: Accessibility statement published IF_SKIPPED: EAA non-compliance
  • [ ] CHECK: Imprint / business details page (required in NL/DE) IF_SKIPPED: Legal requirement missed

Payments

  • [ ] CHECK: Mollie switched from test to live mode IF_SKIPPED: Payments fail silently
  • [ ] CHECK: All payment methods tested with live credentials IF_SKIPPED: Specific method fails at launch
  • [ ] CHECK: Webhook URL updated to production domain IF_SKIPPED: Payment confirmations not received
  • [ ] CHECK: Refund flow tested end-to-end IF_SKIPPED: First refund fails, customer frustrated

Shipping

  • [ ] CHECK: Carrier API switched to production credentials IF_SKIPPED: Test labels generated, not real shipments
  • [ ] CHECK: Shipping rates verified for all zones IF_SKIPPED: Under/overcharging customers
  • [ ] CHECK: Tracking email templates tested IF_SKIPPED: Broken tracking links

Compliance

  • [ ] CHECK: Cookie consent banner functional (blocks non-essential before consent) IF_SKIPPED: GDPR violation from first visitor
  • [ ] CHECK: Withdrawal button present on order pages (if launching after June 2026) IF_SKIPPED: EU Directive 2023/2673 violation
  • [ ] CHECK: VAT-inclusive prices displayed on all product pages IF_SKIPPED: Price Indication Directive violation
  • [ ] CHECK: Omnibus Directive — strikethrough prices use 30-day lowest IF_SKIPPED: Fake discount violation, up to 4% revenue fine
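
Added example (not part of this wiki page or the project code): a reference-price calculation for the Omnibus check above, with every amount kept as integer cents as the Foundation check requires. It models only what the checklist states, the lowest price charged in the 30 days before the promotion starts, and refuses to produce a strikethrough when the promotional price is not actually below that reference. The PricePoint shape, the function names and the price history are assumptions constructed for the example.

```typescript
// Added example, not project code. Prices are integer cents; instants are
// millisecond epochs so the 30-day window is plain integer arithmetic.
export interface PricePoint { effectiveFrom: number; cents: number; }

const THIRTY_DAYS_MS = 30 * 24 * 60 * 60 * 1000;

// Price in force at instant t: the latest point with effectiveFrom <= t.
export function priceAt(history: PricePoint[], t: number): number | undefined {
  let current: PricePoint | undefined;
  for (const p of history) {
    if (p.effectiveFrom <= t && (!current || p.effectiveFrom > current.effectiveFrom)) current = p;
  }
  return current?.cents;
}

// Lowest price charged at any point in the 30 days before promotionStart:
// the price in force when the window opened plus every change inside it.
export function lowestPriorPrice(history: PricePoint[], promotionStart: number): number | undefined {
  const windowStart = promotionStart - THIRTY_DAYS_MS;
  const candidates: number[] = [];
  const atWindowStart = priceAt(history, windowStart);
  if (atWindowStart !== undefined) candidates.push(atWindowStart);
  for (const p of history) {
    if (p.effectiveFrom > windowStart && p.effectiveFrom < promotionStart) candidates.push(p.cents);
  }
  return candidates.length ? Math.min(...candidates) : undefined;
}

export interface DiscountDisplay { strikethroughCents: number; nowCents: number; percentOff: number; }

// undefined means "show the price without a strikethrough": either there is no
// prior price to reference, or the promo price is not below the 30-day low.
export function discountDisplay(
  history: PricePoint[],
  promotionStart: number,
  promoCents: number,
): DiscountDisplay | undefined {
  const reference = lowestPriorPrice(history, promotionStart);
  if (reference === undefined || promoCents >= reference) return undefined;
  // integer arithmetic throughout; percentage rounded to a whole number for display
  const percentOff = Math.round(((reference - promoCents) * 100) / reference);
  return { strikethroughCents: reference, nowCents: promoCents, percentOff };
}

// Dutch-style formatting of cents, done on the integer so no float ever appears.
export function formatEur(cents: number): string {
  const sign = cents < 0 ? "-" : "";
  const abs = Math.abs(cents);
  return `${sign}€${Math.floor(abs / 100)},${String(abs % 100).padStart(2, "0")}`;
}
```

The constructed scenario in the test is the classic fake-discount pattern: a product at EUR 50 is raised to EUR 60 ten days before a sale, then "discounted" to EUR 55. Because the 30-day low is EUR 50, no strikethrough is shown; a genuine EUR 45 sale price is displayed as 10% off EUR 50, not 25% off EUR 60.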

Performance & Monitoring

  • [ ] CHECK: Error monitoring configured (Sentry or equivalent) IF_SKIPPED: Silent failures in production
  • [ ] CHECK: Uptime monitoring configured IF_SKIPPED: Downtime undetected
  • [ ] CHECK: Database backups configured and tested IF_SKIPPED: Data loss risk
  • [ ] CHECK: SSL certificate valid and auto-renewing IF_SKIPPED: "Not secure" warning, trust destroyed

SECURITY CHECKLIST (for developers — security review)

  • [ ] CHECK: No raw card data stored or logged anywhere IF_SKIPPED: PCI DSS violation
  • [ ] CHECK: All user input sanitized (XSS prevention) IF_SKIPPED: XSS vulnerability
  • [ ] CHECK: SQL injection prevented (parameterized queries via Drizzle) IF_SKIPPED: SQL injection vulnerability
  • [ ] CHECK: CSRF protection on all state-changing endpoints IF_SKIPPED: CSRF vulnerability
  • [ ] CHECK: Rate limiting on login, registration, password reset, checkout IF_SKIPPED: Brute force / DDoS vulnerability
  • [ ] CHECK: File upload validation (type, size, dimensions) IF_SKIPPED: Malicious file upload
  • [ ] CHECK: Admin routes protected by authentication and authorization IF_SKIPPED: Unauthorized admin access
  • [ ] CHECK: API keys and secrets in environment variables only IF_SKIPPED: Credentials exposed in git
  • [ ] CHECK: HTTP security headers set (CSP, HSTS, X-Frame-Options, X-Content-Type-Options) IF_SKIPPED: Various attack vectors open
  • [ ] CHECK: Dependencies audited for known vulnerabilities IF_SKIPPED: Known CVE exploitation

Cross-References

READ_ALSO: wiki/docs/archetypes/e-commerce/index.md
READ_ALSO: wiki/docs/archetypes/e-commerce/feature-tree.md
READ_ALSO: wiki/docs/archetypes/e-commerce/compliance.md
READ_ALSO: wiki/docs/archetypes/e-commerce/payments.md
READ_ALSO: wiki/docs/archetypes/e-commerce/cart-checkout.md