commit
This commit is contained in:
510
plans/employee-create-training-record-audit.md
Normal file
510
plans/employee-create-training-record-audit.md
Normal file
@@ -0,0 +1,510 @@
|
||||
# Employee Create Training Record Audit (Read Only)
|
||||
|
||||
## Role
|
||||
|
||||
You are a Senior Full Stack Engineer, QA Engineer, UX/UI Reviewer, Security Reviewer, and Product Analyst.
|
||||
|
||||
Your task is to perform a comprehensive READ-ONLY audit of the Employee Create Training Record page.
|
||||
|
||||
Do NOT modify any source code.
|
||||
Do NOT refactor code.
|
||||
Do NOT format files.
|
||||
Do NOT create pull requests.
|
||||
Do NOT implement fixes.
|
||||
|
||||
Only inspect, analyze, and create an audit report.
|
||||
|
||||
---
|
||||
|
||||
## Before Starting
|
||||
|
||||
Review:
|
||||
|
||||
1. AGENTS.md
|
||||
2. docs/AI_DEVELOPMENT_GUIDE.md
|
||||
3. docs/PROJECT_ARCHITECTURE.md
|
||||
|
||||
Then inspect the existing implementation and follow existing project patterns.
|
||||
|
||||
---
|
||||
|
||||
## Scope
|
||||
|
||||
Review everything related to the Employee Create Training Record page, including:
|
||||
|
||||
- Route
|
||||
- Page
|
||||
- Layout
|
||||
- Form components
|
||||
- Input fields
|
||||
- Select fields
|
||||
- Date picker
|
||||
- Time / hour input
|
||||
- Training type
|
||||
- Location type
|
||||
- Provider / institute
|
||||
- Note
|
||||
- Online URL
|
||||
- Certificate / evidence upload
|
||||
- Submit button
|
||||
- Cancel / back button
|
||||
- Validation
|
||||
- Duplicate warning
|
||||
- Loading state
|
||||
- Error state
|
||||
- Success feedback
|
||||
- API
|
||||
- Mutation
|
||||
- Server action
|
||||
- Services
|
||||
- Types
|
||||
- Role guards
|
||||
- Navigation menu
|
||||
|
||||
---
|
||||
|
||||
## Functional Review
|
||||
|
||||
Verify whether the page correctly supports:
|
||||
|
||||
- Employee can create own training record
|
||||
- Employee cannot create record for another employee
|
||||
- Required fields are validated
|
||||
- Course name is required
|
||||
- Training date is required
|
||||
- Training hours support hour and minute format
|
||||
- Training type works correctly
|
||||
- Location type works correctly
|
||||
- Provider / institute works correctly
|
||||
- Note works correctly
|
||||
- Online URL works correctly
|
||||
- Certificate / evidence upload works correctly
|
||||
- Duplicate training warning works correctly
|
||||
- Submit loading state works correctly
|
||||
- Submit success message works correctly
|
||||
- Submit error message works correctly
|
||||
- Redirect or refresh after submit works correctly
|
||||
- Created record status is correct
|
||||
- Created record waits for HRD review
|
||||
- Employee cannot set K / S / A category
|
||||
- Employee cannot set approval status
|
||||
|
||||
Document all missing or incorrect behavior.
|
||||
|
||||
---
|
||||
|
||||
## Business Rule Review
|
||||
|
||||
Verify the page follows Training System requirements:
|
||||
|
||||
- Employee submits training records for themselves only
|
||||
- Employee cannot edit HRD-only fields
|
||||
- HRD assigns K / S / A later
|
||||
- HRD verifies and approves later
|
||||
- Employee cannot approve own record
|
||||
- Employee cannot change approval status
|
||||
- Calendar year is handled correctly
|
||||
- Training hours support hours and minutes
|
||||
- Certificate attachment allows 1 file only
|
||||
- Certificate/evidence rules match project requirements
|
||||
- Online training URL rules are consistent
|
||||
- Duplicate course behavior is warn but allow save
|
||||
- New record should appear in Pending Review / History correctly
|
||||
|
||||
---
|
||||
|
||||
## Role Review
|
||||
|
||||
Review Employee permissions.
|
||||
|
||||
Verify the Employee can:
|
||||
|
||||
- Open create training record page
|
||||
- Create own training record
|
||||
- Upload own certificate/evidence
|
||||
- Submit own online URL
|
||||
- Cancel and return to history/dashboard
|
||||
|
||||
Verify the Employee cannot:
|
||||
|
||||
- Create training record for another employee
|
||||
- Access HRD/Admin create/edit pages
|
||||
- Assign K / S / A category
|
||||
- Approve/reject records
|
||||
- Edit HRD-only fields
|
||||
- Change status manually
|
||||
- Upload multiple certificate files if only 1 is allowed
|
||||
- Bypass validation through direct API call
|
||||
|
||||
Check both:
|
||||
|
||||
- UI-level permission
|
||||
- Server/API-level permission
|
||||
|
||||
---
|
||||
|
||||
## UI Review
|
||||
|
||||
Inspect:
|
||||
|
||||
- Form layout
|
||||
- Field grouping
|
||||
- Label clarity
|
||||
- Placeholder clarity
|
||||
- Required field indication
|
||||
- Date picker UI
|
||||
- Hour/minute input UI
|
||||
- Select dropdown consistency
|
||||
- Upload component UI
|
||||
- Button style
|
||||
- Icon consistency
|
||||
- Spacing
|
||||
- Typography
|
||||
- Mobile layout
|
||||
- Tablet layout
|
||||
- Desktop layout
|
||||
- Loading display
|
||||
- Error display
|
||||
- Success display
|
||||
|
||||
---
|
||||
|
||||
## UX Review
|
||||
|
||||
Evaluate:
|
||||
|
||||
- Is the form easy for employees to understand?
|
||||
- Are required fields obvious?
|
||||
- Is hour/minute entry clear?
|
||||
- Is upload instruction clear?
|
||||
- Is online URL instruction clear?
|
||||
- Is duplicate warning understandable?
|
||||
- Is submit feedback clear?
|
||||
- Is error feedback helpful?
|
||||
- Is cancel/back behavior clear?
|
||||
- Does the page prevent accidental duplicate submission?
|
||||
|
||||
Suggest improvements only.
|
||||
|
||||
Do not implement.
|
||||
|
||||
---
|
||||
|
||||
## Accessibility Review
|
||||
|
||||
Inspect:
|
||||
|
||||
- Keyboard navigation
|
||||
- Focus state
|
||||
- Input labels
|
||||
- Error message association
|
||||
- Button labels
|
||||
- Icon-only button accessibility
|
||||
- File upload accessibility
|
||||
- Date picker accessibility
|
||||
- Select accessibility
|
||||
- Color contrast
|
||||
- Screen reader text
|
||||
|
||||
---
|
||||
|
||||
## Code Review
|
||||
|
||||
Inspect:
|
||||
|
||||
### Architecture
|
||||
|
||||
- Folder structure
|
||||
- Feature separation
|
||||
- Component reuse
|
||||
- Shared form usage
|
||||
- Shared validation usage
|
||||
- Shared upload usage
|
||||
|
||||
### React
|
||||
|
||||
- Client vs Server Components
|
||||
- Hooks usage
|
||||
- Form state handling
|
||||
- Mutation state handling
|
||||
- Memoization
|
||||
- Unnecessary rerenders
|
||||
|
||||
### TypeScript
|
||||
|
||||
- Strong typing
|
||||
- Nullable fields
|
||||
- Enum usage
|
||||
- Form types
|
||||
- API response types
|
||||
- Validation schema types
|
||||
|
||||
### Code Quality
|
||||
|
||||
- Duplicate logic
|
||||
- Dead code
|
||||
- Naming consistency
|
||||
- Import consistency
|
||||
- Unused files
|
||||
- Unused components
|
||||
- Overly large components
|
||||
|
||||
Do NOT change anything.
|
||||
|
||||
---
|
||||
|
||||
## API Review
|
||||
|
||||
Inspect:
|
||||
|
||||
- Create mutation
|
||||
- Request body
|
||||
- Response shape
|
||||
- Error handling
|
||||
- Validation
|
||||
- File upload handling
|
||||
- Duplicate check handling
|
||||
- Authorization checks
|
||||
- Server-side employee ownership check
|
||||
- Cache invalidation after create
|
||||
- Redirect/refresh behavior after create
|
||||
|
||||
---
|
||||
|
||||
## Security Review
|
||||
|
||||
Review:
|
||||
|
||||
- Authentication
|
||||
- Authorization
|
||||
- Role guard
|
||||
- Route guard
|
||||
- API protection
|
||||
- Server-side validation
|
||||
- Employee ownership validation
|
||||
- File upload validation
|
||||
- File type validation
|
||||
- File size validation
|
||||
- Direct API call protection
|
||||
- Sensitive data exposure
|
||||
|
||||
---
|
||||
|
||||
## Performance Review
|
||||
|
||||
Inspect:
|
||||
|
||||
- Form rendering performance
|
||||
- Upload performance
|
||||
- Large file handling
|
||||
- Mutation handling
|
||||
- Query invalidation
|
||||
- Unnecessary client rendering
|
||||
- Heavy components
|
||||
- Lazy loading opportunities
|
||||
|
||||
---
|
||||
|
||||
## Data Validation Review
|
||||
|
||||
Check:
|
||||
|
||||
- Missing course name
|
||||
- Missing training date
|
||||
- Missing training hours
|
||||
- Invalid hour/minute format
|
||||
- Zero hour behavior
|
||||
- Over 30 hours behavior
|
||||
- Missing training type
|
||||
- Missing location type
|
||||
- Missing provider
|
||||
- Invalid online URL
|
||||
- Missing certificate when required
|
||||
- Multiple file upload
|
||||
- Invalid file type
|
||||
- Invalid file size
|
||||
- Null handling
|
||||
- Incorrect defaults
|
||||
|
||||
---
|
||||
|
||||
## Edge Case Review
|
||||
|
||||
Check behavior for:
|
||||
|
||||
- New employee
|
||||
- Employee profile missing
|
||||
- No course master
|
||||
- Course name duplicate
|
||||
- Training date in future
|
||||
- Training date in previous year
|
||||
- 00:00 hours
|
||||
- 00:15 hours
|
||||
- 01:45 hours
|
||||
- 30:00 hours
|
||||
- More than 30 hours
|
||||
- Online training without URL
|
||||
- Offline training with URL
|
||||
- File upload failed
|
||||
- API failure
|
||||
- Slow network
|
||||
- Double submit
|
||||
- Permission denied
|
||||
|
||||
---
|
||||
|
||||
## Deliverable
|
||||
|
||||
Create this report only:
|
||||
|
||||
docs/review/employee-create-training-record-audit.md
|
||||
|
||||
Do not create or modify any other file.
|
||||
|
||||
---
|
||||
|
||||
## Report Structure
|
||||
|
||||
# Employee Create Training Record Audit Report
|
||||
|
||||
## Executive Summary
|
||||
|
||||
Overall Status:
|
||||
|
||||
- Excellent
|
||||
- Good
|
||||
- Needs Improvement
|
||||
- Critical
|
||||
|
||||
Brief summary of findings.
|
||||
|
||||
---
|
||||
|
||||
## Scope Reviewed
|
||||
|
||||
List reviewed routes, files, components, APIs, and permissions.
|
||||
|
||||
---
|
||||
|
||||
## Functional Review
|
||||
|
||||
| Feature | Status | Notes |
|
||||
| ------- | ------ | ----- |
|
||||
|
||||
---
|
||||
|
||||
## Business Rule Review
|
||||
|
||||
| Rule | Status | Notes |
|
||||
| ---- | ------ | ----- |
|
||||
|
||||
---
|
||||
|
||||
## Role & Permission Review
|
||||
|
||||
| Permission | Status | Notes |
|
||||
| ---------- | ------ | ----- |
|
||||
|
||||
---
|
||||
|
||||
## UI Review
|
||||
|
||||
---
|
||||
|
||||
## UX Review
|
||||
|
||||
---
|
||||
|
||||
## Accessibility Review
|
||||
|
||||
---
|
||||
|
||||
## Code Quality Review
|
||||
|
||||
---
|
||||
|
||||
## API Review
|
||||
|
||||
---
|
||||
|
||||
## Security Review
|
||||
|
||||
---
|
||||
|
||||
## Performance Review
|
||||
|
||||
---
|
||||
|
||||
## Data Validation Review
|
||||
|
||||
---
|
||||
|
||||
## Edge Case Review
|
||||
|
||||
---
|
||||
|
||||
## Problems Found
|
||||
|
||||
Group by severity.
|
||||
|
||||
### Critical
|
||||
|
||||
### High
|
||||
|
||||
### Medium
|
||||
|
||||
### Low
|
||||
|
||||
For each issue include:
|
||||
|
||||
- Description
|
||||
- File
|
||||
- Component
|
||||
- Severity
|
||||
- Impact
|
||||
- Recommendation
|
||||
|
||||
Do NOT fix the issue.
|
||||
|
||||
---
|
||||
|
||||
## Missing Features
|
||||
|
||||
List missing or incomplete functionality.
|
||||
|
||||
---
|
||||
|
||||
## Improvement Opportunities
|
||||
|
||||
Suggest improvements only.
|
||||
|
||||
Do NOT implement them.
|
||||
|
||||
---
|
||||
|
||||
## Final Assessment
|
||||
|
||||
Architecture: /10
|
||||
Functionality: /10
|
||||
Role & Permission: /10
|
||||
UI: /10
|
||||
UX: /10
|
||||
Accessibility: /10
|
||||
Security: /10
|
||||
Performance: /10
|
||||
Maintainability: /10
|
||||
Overall Score: /10
|
||||
|
||||
---
|
||||
|
||||
## Important Rules
|
||||
|
||||
- READ ONLY
|
||||
- No source code changes
|
||||
- No refactoring
|
||||
- No formatting changes
|
||||
- No implementation
|
||||
- No automatic fixes
|
||||
- No pull request
|
||||
- Only create `docs/review/employee-create-training-record-audit.md`
|
||||
- Every issue should include file path and evidence where possible
|
||||
Reference in New Issue
Block a user