511 lines
8.3 KiB
Markdown
511 lines
8.3 KiB
Markdown
# Employee Create Training Record Audit (Read Only)
|
|
|
|
## Role
|
|
|
|
You are a Senior Full Stack Engineer, QA Engineer, UX/UI Reviewer, Security Reviewer, and Product Analyst.
|
|
|
|
Your task is to perform a comprehensive READ-ONLY audit of the Employee Create Training Record page.
|
|
|
|
Do NOT modify any source code.
|
|
Do NOT refactor code.
|
|
Do NOT format files.
|
|
Do NOT create pull requests.
|
|
Do NOT implement fixes.
|
|
|
|
Only inspect, analyze, and create an audit report.
|
|
|
|
---
|
|
|
|
## Before Starting
|
|
|
|
Review:
|
|
|
|
1. AGENTS.md
|
|
2. docs/AI_DEVELOPMENT_GUIDE.md
|
|
3. docs/PROJECT_ARCHITECTURE.md
|
|
|
|
Then inspect the existing implementation and follow existing project patterns.
|
|
|
|
---
|
|
|
|
## Scope
|
|
|
|
Review everything related to the Employee Create Training Record page, including:
|
|
|
|
- Route
|
|
- Page
|
|
- Layout
|
|
- Form components
|
|
- Input fields
|
|
- Select fields
|
|
- Date picker
|
|
- Time / hour input
|
|
- Training type
|
|
- Location type
|
|
- Provider / institute
|
|
- Note
|
|
- Online URL
|
|
- Certificate / evidence upload
|
|
- Submit button
|
|
- Cancel / back button
|
|
- Validation
|
|
- Duplicate warning
|
|
- Loading state
|
|
- Error state
|
|
- Success feedback
|
|
- API
|
|
- Mutation
|
|
- Server action
|
|
- Services
|
|
- Types
|
|
- Role guards
|
|
- Navigation menu
|
|
|
|
---
|
|
|
|
## Functional Review
|
|
|
|
Verify whether the page correctly supports:
|
|
|
|
- Employee can create own training record
|
|
- Employee cannot create record for another employee
|
|
- Required fields are validated
|
|
- Course name is required
|
|
- Training date is required
|
|
- Training hours support hour and minute format
|
|
- Training type works correctly
|
|
- Location type works correctly
|
|
- Provider / institute works correctly
|
|
- Note works correctly
|
|
- Online URL works correctly
|
|
- Certificate / evidence upload works correctly
|
|
- Duplicate training warning works correctly
|
|
- Submit loading state works correctly
|
|
- Submit success message works correctly
|
|
- Submit error message works correctly
|
|
- Redirect or refresh after submit works correctly
|
|
- Created record status is correct
|
|
- Created record waits for HRD review
|
|
- Employee cannot set K / S / A category
|
|
- Employee cannot set approval status
|
|
|
|
Document all missing or incorrect behavior.
|
|
|
|
---
|
|
|
|
## Business Rule Review
|
|
|
|
Verify the page follows Training System requirements:
|
|
|
|
- Employee submits training records for themselves only
|
|
- Employee cannot edit HRD-only fields
|
|
- HRD assigns K / S / A later
|
|
- HRD verifies and approves later
|
|
- Employee cannot approve own record
|
|
- Employee cannot change approval status
|
|
- Calendar year is handled correctly
|
|
- Training hours support hours and minutes
|
|
- Certificate attachment allows 1 file only
|
|
- Certificate/evidence rules match project requirements
|
|
- Online training URL rules are consistent
|
|
- Duplicate course behavior is warn but allow save
|
|
- New record should appear in Pending Review / History correctly
|
|
|
|
---
|
|
|
|
## Role Review
|
|
|
|
Review Employee permissions.
|
|
|
|
Verify the Employee can:
|
|
|
|
- Open create training record page
|
|
- Create own training record
|
|
- Upload own certificate/evidence
|
|
- Submit own online URL
|
|
- Cancel and return to history/dashboard
|
|
|
|
Verify the Employee cannot:
|
|
|
|
- Create training record for another employee
|
|
- Access HRD/Admin create/edit pages
|
|
- Assign K / S / A category
|
|
- Approve/reject records
|
|
- Edit HRD-only fields
|
|
- Change status manually
|
|
- Upload multiple certificate files if only 1 is allowed
|
|
- Bypass validation through direct API call
|
|
|
|
Check both:
|
|
|
|
- UI-level permission
|
|
- Server/API-level permission
|
|
|
|
---
|
|
|
|
## UI Review
|
|
|
|
Inspect:
|
|
|
|
- Form layout
|
|
- Field grouping
|
|
- Label clarity
|
|
- Placeholder clarity
|
|
- Required field indication
|
|
- Date picker UI
|
|
- Hour/minute input UI
|
|
- Select dropdown consistency
|
|
- Upload component UI
|
|
- Button style
|
|
- Icon consistency
|
|
- Spacing
|
|
- Typography
|
|
- Mobile layout
|
|
- Tablet layout
|
|
- Desktop layout
|
|
- Loading display
|
|
- Error display
|
|
- Success display
|
|
|
|
---
|
|
|
|
## UX Review
|
|
|
|
Evaluate:
|
|
|
|
- Is the form easy for employees to understand?
|
|
- Are required fields obvious?
|
|
- Is hour/minute entry clear?
|
|
- Is upload instruction clear?
|
|
- Is online URL instruction clear?
|
|
- Is duplicate warning understandable?
|
|
- Is submit feedback clear?
|
|
- Is error feedback helpful?
|
|
- Is cancel/back behavior clear?
|
|
- Does the page prevent accidental duplicate submission?
|
|
|
|
Suggest improvements only.
|
|
|
|
Do not implement.
|
|
|
|
---
|
|
|
|
## Accessibility Review
|
|
|
|
Inspect:
|
|
|
|
- Keyboard navigation
|
|
- Focus state
|
|
- Input labels
|
|
- Error message association
|
|
- Button labels
|
|
- Icon-only button accessibility
|
|
- File upload accessibility
|
|
- Date picker accessibility
|
|
- Select accessibility
|
|
- Color contrast
|
|
- Screen reader text
|
|
|
|
---
|
|
|
|
## Code Review
|
|
|
|
Inspect:
|
|
|
|
### Architecture
|
|
|
|
- Folder structure
|
|
- Feature separation
|
|
- Component reuse
|
|
- Shared form usage
|
|
- Shared validation usage
|
|
- Shared upload usage
|
|
|
|
### React
|
|
|
|
- Client vs Server Components
|
|
- Hooks usage
|
|
- Form state handling
|
|
- Mutation state handling
|
|
- Memoization
|
|
- Unnecessary rerenders
|
|
|
|
### TypeScript
|
|
|
|
- Strong typing
|
|
- Nullable fields
|
|
- Enum usage
|
|
- Form types
|
|
- API response types
|
|
- Validation schema types
|
|
|
|
### Code Quality
|
|
|
|
- Duplicate logic
|
|
- Dead code
|
|
- Naming consistency
|
|
- Import consistency
|
|
- Unused files
|
|
- Unused components
|
|
- Overly large components
|
|
|
|
Do NOT change anything.
|
|
|
|
---
|
|
|
|
## API Review
|
|
|
|
Inspect:
|
|
|
|
- Create mutation
|
|
- Request body
|
|
- Response shape
|
|
- Error handling
|
|
- Validation
|
|
- File upload handling
|
|
- Duplicate check handling
|
|
- Authorization checks
|
|
- Server-side employee ownership check
|
|
- Cache invalidation after create
|
|
- Redirect/refresh behavior after create
|
|
|
|
---
|
|
|
|
## Security Review
|
|
|
|
Review:
|
|
|
|
- Authentication
|
|
- Authorization
|
|
- Role guard
|
|
- Route guard
|
|
- API protection
|
|
- Server-side validation
|
|
- Employee ownership validation
|
|
- File upload validation
|
|
- File type validation
|
|
- File size validation
|
|
- Direct API call protection
|
|
- Sensitive data exposure
|
|
|
|
---
|
|
|
|
## Performance Review
|
|
|
|
Inspect:
|
|
|
|
- Form rendering performance
|
|
- Upload performance
|
|
- Large file handling
|
|
- Mutation handling
|
|
- Query invalidation
|
|
- Unnecessary client rendering
|
|
- Heavy components
|
|
- Lazy loading opportunities
|
|
|
|
---
|
|
|
|
## Data Validation Review
|
|
|
|
Check:
|
|
|
|
- Missing course name
|
|
- Missing training date
|
|
- Missing training hours
|
|
- Invalid hour/minute format
|
|
- Zero hour behavior
|
|
- Over 30 hours behavior
|
|
- Missing training type
|
|
- Missing location type
|
|
- Missing provider
|
|
- Invalid online URL
|
|
- Missing certificate when required
|
|
- Multiple file upload
|
|
- Invalid file type
|
|
- Invalid file size
|
|
- Null handling
|
|
- Incorrect defaults
|
|
|
|
---
|
|
|
|
## Edge Case Review
|
|
|
|
Check behavior for:
|
|
|
|
- New employee
|
|
- Employee profile missing
|
|
- No course master
|
|
- Course name duplicate
|
|
- Training date in future
|
|
- Training date in previous year
|
|
- 00:00 hours
|
|
- 00:15 hours
|
|
- 01:45 hours
|
|
- 30:00 hours
|
|
- More than 30 hours
|
|
- Online training without URL
|
|
- Offline training with URL
|
|
- File upload failed
|
|
- API failure
|
|
- Slow network
|
|
- Double submit
|
|
- Permission denied
|
|
|
|
---
|
|
|
|
## Deliverable
|
|
|
|
Create this report only:
|
|
|
|
docs/review/employee-create-training-record-audit.md
|
|
|
|
Do not create or modify any other file.
|
|
|
|
---
|
|
|
|
## Report Structure
|
|
|
|
# Employee Create Training Record Audit Report
|
|
|
|
## Executive Summary
|
|
|
|
Overall Status:
|
|
|
|
- Excellent
|
|
- Good
|
|
- Needs Improvement
|
|
- Critical
|
|
|
|
Brief summary of findings.
|
|
|
|
---
|
|
|
|
## Scope Reviewed
|
|
|
|
List reviewed routes, files, components, APIs, and permissions.
|
|
|
|
---
|
|
|
|
## Functional Review
|
|
|
|
| Feature | Status | Notes |
|
|
| ------- | ------ | ----- |
|
|
|
|
---
|
|
|
|
## Business Rule Review
|
|
|
|
| Rule | Status | Notes |
|
|
| ---- | ------ | ----- |
|
|
|
|
---
|
|
|
|
## Role & Permission Review
|
|
|
|
| Permission | Status | Notes |
|
|
| ---------- | ------ | ----- |
|
|
|
|
---
|
|
|
|
## UI Review
|
|
|
|
---
|
|
|
|
## UX Review
|
|
|
|
---
|
|
|
|
## Accessibility Review
|
|
|
|
---
|
|
|
|
## Code Quality Review
|
|
|
|
---
|
|
|
|
## API Review
|
|
|
|
---
|
|
|
|
## Security Review
|
|
|
|
---
|
|
|
|
## Performance Review
|
|
|
|
---
|
|
|
|
## Data Validation Review
|
|
|
|
---
|
|
|
|
## Edge Case Review
|
|
|
|
---
|
|
|
|
## Problems Found
|
|
|
|
Group by severity.
|
|
|
|
### Critical
|
|
|
|
### High
|
|
|
|
### Medium
|
|
|
|
### Low
|
|
|
|
For each issue include:
|
|
|
|
- Description
|
|
- File
|
|
- Component
|
|
- Severity
|
|
- Impact
|
|
- Recommendation
|
|
|
|
Do NOT fix the issue.
|
|
|
|
---
|
|
|
|
## Missing Features
|
|
|
|
List missing or incomplete functionality.
|
|
|
|
---
|
|
|
|
## Improvement Opportunities
|
|
|
|
Suggest improvements only.
|
|
|
|
Do NOT implement them.
|
|
|
|
---
|
|
|
|
## Final Assessment
|
|
|
|
Architecture: /10
|
|
Functionality: /10
|
|
Role & Permission: /10
|
|
UI: /10
|
|
UX: /10
|
|
Accessibility: /10
|
|
Security: /10
|
|
Performance: /10
|
|
Maintainability: /10
|
|
Overall Score: /10
|
|
|
|
---
|
|
|
|
## Important Rules
|
|
|
|
- READ ONLY
|
|
- No source code changes
|
|
- No refactoring
|
|
- No formatting changes
|
|
- No implementation
|
|
- No automatic fixes
|
|
- No pull request
|
|
- Only create `docs/review/employee-create-training-record-audit.md`
|
|
- Every issue should include file path and evidence where possible
|