Files
alla-tms/plans/employee-create-training-record-audit.md
2026-07-16 09:53:14 +07:00

511 lines
8.3 KiB
Markdown

# Employee Create Training Record Audit (Read Only)
## Role
You are a Senior Full Stack Engineer, QA Engineer, UX/UI Reviewer, Security Reviewer, and Product Analyst.
Your task is to perform a comprehensive READ-ONLY audit of the Employee Create Training Record page.
Do NOT modify any source code.
Do NOT refactor code.
Do NOT format files.
Do NOT create pull requests.
Do NOT implement fixes.
Only inspect, analyze, and create an audit report.
---
## Before Starting
Review:
1. AGENTS.md
2. docs/AI_DEVELOPMENT_GUIDE.md
3. docs/PROJECT_ARCHITECTURE.md
Then inspect the existing implementation and follow existing project patterns.
---
## Scope
Review everything related to the Employee Create Training Record page, including:
- Route
- Page
- Layout
- Form components
- Input fields
- Select fields
- Date picker
- Time / hour input
- Training type
- Location type
- Provider / institute
- Note
- Online URL
- Certificate / evidence upload
- Submit button
- Cancel / back button
- Validation
- Duplicate warning
- Loading state
- Error state
- Success feedback
- API
- Mutation
- Server action
- Services
- Types
- Role guards
- Navigation menu
---
## Functional Review
Verify whether the page correctly supports:
- Employee can create own training record
- Employee cannot create record for another employee
- Required fields are validated
- Course name is required
- Training date is required
- Training hours support hour and minute format
- Training type works correctly
- Location type works correctly
- Provider / institute works correctly
- Note works correctly
- Online URL works correctly
- Certificate / evidence upload works correctly
- Duplicate training warning works correctly
- Submit loading state works correctly
- Submit success message works correctly
- Submit error message works correctly
- Redirect or refresh after submit works correctly
- Created record status is correct
- Created record waits for HRD review
- Employee cannot set K / S / A category
- Employee cannot set approval status
Document all missing or incorrect behavior.
---
## Business Rule Review
Verify the page follows Training System requirements:
- Employee submits training records for themselves only
- Employee cannot edit HRD-only fields
- HRD assigns K / S / A later
- HRD verifies and approves later
- Employee cannot approve own record
- Employee cannot change approval status
- Calendar year is handled correctly
- Training hours support hours and minutes
- Certificate attachment allows 1 file only
- Certificate/evidence rules match project requirements
- Online training URL rules are consistent
- Duplicate course behavior is warn but allow save
- New record should appear in Pending Review / History correctly
---
## Role Review
Review Employee permissions.
Verify the Employee can:
- Open create training record page
- Create own training record
- Upload own certificate/evidence
- Submit own online URL
- Cancel and return to history/dashboard
Verify the Employee cannot:
- Create training record for another employee
- Access HRD/Admin create/edit pages
- Assign K / S / A category
- Approve/reject records
- Edit HRD-only fields
- Change status manually
- Upload multiple certificate files if only 1 is allowed
- Bypass validation through direct API call
Check both:
- UI-level permission
- Server/API-level permission
---
## UI Review
Inspect:
- Form layout
- Field grouping
- Label clarity
- Placeholder clarity
- Required field indication
- Date picker UI
- Hour/minute input UI
- Select dropdown consistency
- Upload component UI
- Button style
- Icon consistency
- Spacing
- Typography
- Mobile layout
- Tablet layout
- Desktop layout
- Loading display
- Error display
- Success display
---
## UX Review
Evaluate:
- Is the form easy for employees to understand?
- Are required fields obvious?
- Is hour/minute entry clear?
- Is upload instruction clear?
- Is online URL instruction clear?
- Is duplicate warning understandable?
- Is submit feedback clear?
- Is error feedback helpful?
- Is cancel/back behavior clear?
- Does the page prevent accidental duplicate submission?
Suggest improvements only.
Do not implement.
---
## Accessibility Review
Inspect:
- Keyboard navigation
- Focus state
- Input labels
- Error message association
- Button labels
- Icon-only button accessibility
- File upload accessibility
- Date picker accessibility
- Select accessibility
- Color contrast
- Screen reader text
---
## Code Review
Inspect:
### Architecture
- Folder structure
- Feature separation
- Component reuse
- Shared form usage
- Shared validation usage
- Shared upload usage
### React
- Client vs Server Components
- Hooks usage
- Form state handling
- Mutation state handling
- Memoization
- Unnecessary rerenders
### TypeScript
- Strong typing
- Nullable fields
- Enum usage
- Form types
- API response types
- Validation schema types
### Code Quality
- Duplicate logic
- Dead code
- Naming consistency
- Import consistency
- Unused files
- Unused components
- Overly large components
Do NOT change anything.
---
## API Review
Inspect:
- Create mutation
- Request body
- Response shape
- Error handling
- Validation
- File upload handling
- Duplicate check handling
- Authorization checks
- Server-side employee ownership check
- Cache invalidation after create
- Redirect/refresh behavior after create
---
## Security Review
Review:
- Authentication
- Authorization
- Role guard
- Route guard
- API protection
- Server-side validation
- Employee ownership validation
- File upload validation
- File type validation
- File size validation
- Direct API call protection
- Sensitive data exposure
---
## Performance Review
Inspect:
- Form rendering performance
- Upload performance
- Large file handling
- Mutation handling
- Query invalidation
- Unnecessary client rendering
- Heavy components
- Lazy loading opportunities
---
## Data Validation Review
Check:
- Missing course name
- Missing training date
- Missing training hours
- Invalid hour/minute format
- Zero hour behavior
- Over 30 hours behavior
- Missing training type
- Missing location type
- Missing provider
- Invalid online URL
- Missing certificate when required
- Multiple file upload
- Invalid file type
- Invalid file size
- Null handling
- Incorrect defaults
---
## Edge Case Review
Check behavior for:
- New employee
- Employee profile missing
- No course master
- Course name duplicate
- Training date in future
- Training date in previous year
- 00:00 hours
- 00:15 hours
- 01:45 hours
- 30:00 hours
- More than 30 hours
- Online training without URL
- Offline training with URL
- File upload failed
- API failure
- Slow network
- Double submit
- Permission denied
---
## Deliverable
Create this report only:
docs/review/employee-create-training-record-audit.md
Do not create or modify any other file.
---
## Report Structure
# Employee Create Training Record Audit Report
## Executive Summary
Overall Status:
- Excellent
- Good
- Needs Improvement
- Critical
Brief summary of findings.
---
## Scope Reviewed
List reviewed routes, files, components, APIs, and permissions.
---
## Functional Review
| Feature | Status | Notes |
| ------- | ------ | ----- |
---
## Business Rule Review
| Rule | Status | Notes |
| ---- | ------ | ----- |
---
## Role & Permission Review
| Permission | Status | Notes |
| ---------- | ------ | ----- |
---
## UI Review
---
## UX Review
---
## Accessibility Review
---
## Code Quality Review
---
## API Review
---
## Security Review
---
## Performance Review
---
## Data Validation Review
---
## Edge Case Review
---
## Problems Found
Group by severity.
### Critical
### High
### Medium
### Low
For each issue include:
- Description
- File
- Component
- Severity
- Impact
- Recommendation
Do NOT fix the issue.
---
## Missing Features
List missing or incomplete functionality.
---
## Improvement Opportunities
Suggest improvements only.
Do NOT implement them.
---
## Final Assessment
Architecture: /10
Functionality: /10
Role & Permission: /10
UI: /10
UX: /10
Accessibility: /10
Security: /10
Performance: /10
Maintainability: /10
Overall Score: /10
---
## Important Rules
- READ ONLY
- No source code changes
- No refactoring
- No formatting changes
- No implementation
- No automatic fixes
- No pull request
- Only create `docs/review/employee-create-training-record-audit.md`
- Every issue should include file path and evidence where possible