Files
alla-tms/plans/employee-create-training-record-audit.md
2026-07-16 09:53:14 +07:00

8.3 KiB

Employee Create Training Record Audit (Read Only)

Role

You are a Senior Full Stack Engineer, QA Engineer, UX/UI Reviewer, Security Reviewer, and Product Analyst.

Your task is to perform a comprehensive READ-ONLY audit of the Employee Create Training Record page.

Do NOT modify any source code. Do NOT refactor code. Do NOT format files. Do NOT create pull requests. Do NOT implement fixes.

Only inspect, analyze, and create an audit report.


Before Starting

Review:

  1. AGENTS.md
  2. docs/AI_DEVELOPMENT_GUIDE.md
  3. docs/PROJECT_ARCHITECTURE.md

Then inspect the existing implementation and follow existing project patterns.


Scope

Review everything related to the Employee Create Training Record page, including:

  • Route
  • Page
  • Layout
  • Form components
  • Input fields
  • Select fields
  • Date picker
  • Time / hour input
  • Training type
  • Location type
  • Provider / institute
  • Note
  • Online URL
  • Certificate / evidence upload
  • Submit button
  • Cancel / back button
  • Validation
  • Duplicate warning
  • Loading state
  • Error state
  • Success feedback
  • API
  • Mutation
  • Server action
  • Services
  • Types
  • Role guards
  • Navigation menu

Functional Review

Verify whether the page correctly supports:

  • Employee can create own training record
  • Employee cannot create record for another employee
  • Required fields are validated
  • Course name is required
  • Training date is required
  • Training hours support hour and minute format
  • Training type works correctly
  • Location type works correctly
  • Provider / institute works correctly
  • Note works correctly
  • Online URL works correctly
  • Certificate / evidence upload works correctly
  • Duplicate training warning works correctly
  • Submit loading state works correctly
  • Submit success message works correctly
  • Submit error message works correctly
  • Redirect or refresh after submit works correctly
  • Created record status is correct
  • Created record waits for HRD review
  • Employee cannot set K / S / A category
  • Employee cannot set approval status

Document all missing or incorrect behavior.


Business Rule Review

Verify the page follows Training System requirements:

  • Employee submits training records for themselves only
  • Employee cannot edit HRD-only fields
  • HRD assigns K / S / A later
  • HRD verifies and approves later
  • Employee cannot approve own record
  • Employee cannot change approval status
  • Calendar year is handled correctly
  • Training hours support hours and minutes
  • Certificate attachment allows 1 file only
  • Certificate/evidence rules match project requirements
  • Online training URL rules are consistent
  • Duplicate course behavior is warn but allow save
  • New record should appear in Pending Review / History correctly

Role Review

Review Employee permissions.

Verify the Employee can:

  • Open create training record page
  • Create own training record
  • Upload own certificate/evidence
  • Submit own online URL
  • Cancel and return to history/dashboard

Verify the Employee cannot:

  • Create training record for another employee
  • Access HRD/Admin create/edit pages
  • Assign K / S / A category
  • Approve/reject records
  • Edit HRD-only fields
  • Change status manually
  • Upload multiple certificate files if only 1 is allowed
  • Bypass validation through direct API call

Check both:

  • UI-level permission
  • Server/API-level permission

UI Review

Inspect:

  • Form layout
  • Field grouping
  • Label clarity
  • Placeholder clarity
  • Required field indication
  • Date picker UI
  • Hour/minute input UI
  • Select dropdown consistency
  • Upload component UI
  • Button style
  • Icon consistency
  • Spacing
  • Typography
  • Mobile layout
  • Tablet layout
  • Desktop layout
  • Loading display
  • Error display
  • Success display

UX Review

Evaluate:

  • Is the form easy for employees to understand?
  • Are required fields obvious?
  • Is hour/minute entry clear?
  • Is upload instruction clear?
  • Is online URL instruction clear?
  • Is duplicate warning understandable?
  • Is submit feedback clear?
  • Is error feedback helpful?
  • Is cancel/back behavior clear?
  • Does the page prevent accidental duplicate submission?

Suggest improvements only.

Do not implement.


Accessibility Review

Inspect:

  • Keyboard navigation
  • Focus state
  • Input labels
  • Error message association
  • Button labels
  • Icon-only button accessibility
  • File upload accessibility
  • Date picker accessibility
  • Select accessibility
  • Color contrast
  • Screen reader text

Code Review

Inspect:

Architecture

  • Folder structure
  • Feature separation
  • Component reuse
  • Shared form usage
  • Shared validation usage
  • Shared upload usage

React

  • Client vs Server Components
  • Hooks usage
  • Form state handling
  • Mutation state handling
  • Memoization
  • Unnecessary rerenders

TypeScript

  • Strong typing
  • Nullable fields
  • Enum usage
  • Form types
  • API response types
  • Validation schema types

Code Quality

  • Duplicate logic
  • Dead code
  • Naming consistency
  • Import consistency
  • Unused files
  • Unused components
  • Overly large components

Do NOT change anything.


API Review

Inspect:

  • Create mutation
  • Request body
  • Response shape
  • Error handling
  • Validation
  • File upload handling
  • Duplicate check handling
  • Authorization checks
  • Server-side employee ownership check
  • Cache invalidation after create
  • Redirect/refresh behavior after create

Security Review

Review:

  • Authentication
  • Authorization
  • Role guard
  • Route guard
  • API protection
  • Server-side validation
  • Employee ownership validation
  • File upload validation
  • File type validation
  • File size validation
  • Direct API call protection
  • Sensitive data exposure

Performance Review

Inspect:

  • Form rendering performance
  • Upload performance
  • Large file handling
  • Mutation handling
  • Query invalidation
  • Unnecessary client rendering
  • Heavy components
  • Lazy loading opportunities

Data Validation Review

Check:

  • Missing course name
  • Missing training date
  • Missing training hours
  • Invalid hour/minute format
  • Zero hour behavior
  • Over 30 hours behavior
  • Missing training type
  • Missing location type
  • Missing provider
  • Invalid online URL
  • Missing certificate when required
  • Multiple file upload
  • Invalid file type
  • Invalid file size
  • Null handling
  • Incorrect defaults

Edge Case Review

Check behavior for:

  • New employee
  • Employee profile missing
  • No course master
  • Course name duplicate
  • Training date in future
  • Training date in previous year
  • 00:00 hours
  • 00:15 hours
  • 01:45 hours
  • 30:00 hours
  • More than 30 hours
  • Online training without URL
  • Offline training with URL
  • File upload failed
  • API failure
  • Slow network
  • Double submit
  • Permission denied

Deliverable

Create this report only:

docs/review/employee-create-training-record-audit.md

Do not create or modify any other file.


Report Structure

Employee Create Training Record Audit Report

Executive Summary

Overall Status:

  • Excellent
  • Good
  • Needs Improvement
  • Critical

Brief summary of findings.


Scope Reviewed

List reviewed routes, files, components, APIs, and permissions.


Functional Review

Feature Status Notes

Business Rule Review

Rule Status Notes

Role & Permission Review

Permission Status Notes

UI Review


UX Review


Accessibility Review


Code Quality Review


API Review


Security Review


Performance Review


Data Validation Review


Edge Case Review


Problems Found

Group by severity.

Critical

High

Medium

Low

For each issue include:

  • Description
  • File
  • Component
  • Severity
  • Impact
  • Recommendation

Do NOT fix the issue.


Missing Features

List missing or incomplete functionality.


Improvement Opportunities

Suggest improvements only.

Do NOT implement them.


Final Assessment

Architecture: /10
Functionality: /10
Role & Permission: /10
UI: /10
UX: /10
Accessibility: /10
Security: /10
Performance: /10
Maintainability: /10
Overall Score: /10


Important Rules

  • READ ONLY
  • No source code changes
  • No refactoring
  • No formatting changes
  • No implementation
  • No automatic fixes
  • No pull request
  • Only create docs/review/employee-create-training-record-audit.md
  • Every issue should include file path and evidence where possible