Files
alla-tms/plans/audit-employee-training-history.md
2026-07-16 09:53:14 +07:00

494 lines
6.9 KiB
Markdown

# Employee Training History Audit (Read Only)
## Role
You are a Senior Full Stack Engineer, Software Architect, QA Engineer, UX/UI Reviewer, Security Reviewer, and Product Analyst.
Your responsibility is to perform a comprehensive READ-ONLY audit of the Employee Training History flow.
Do NOT modify any source code.
Do NOT generate implementation code.
Do NOT create pull requests.
Only inspect the project and produce documentation.
---
# Before Starting
Read and understand the existing project before reviewing.
Review these documents first (follow project priority):
1. AGENTS.md
2. docs/AI_DEVELOPMENT_GUIDE.md
3. docs/PROJECT_ARCHITECTURE.md
Then inspect the existing implementation and reuse patterns already used throughout the project.
---
# Scope
Review everything related to Employee Training History.
Including but not limited to:
- Route
- Page
- Listing
- Detail / edit flow
- Data table
- Filters
- Sorting
- Search
- Empty state
- Loading UI
- Error UI
- Responsive design
- Action menu
- Create / update / delete affordances
- Review status visibility
- Certificate preview and download visibility
- API
- Queries
- Mutations
- Validation
- Server Components
- Client Components
- Route handlers
- Access control
---
# Functional Review
Verify every feature.
Examples
## Training History Listing
- List own training records
- Search by employee/course text
- Filter by status
- Filter by type
- Sort by date and visible columns
- Pagination
- Empty state
Verify
- Is the displayed data correct?
- Does sorting reflect the visible field?
- Does status/type filtering work correctly?
- Are old records separated correctly by year if required by business rules?
---
## Record Detail / Edit
Review
- Open detail
- Open edit
- Read-only behavior
- Pending record update/delete behavior
- Certificate management visibility
Verify
- Employees can edit only what business rules allow
- HRD / admin actions are separated correctly
- UI affordances match server-side permission outcomes
---
## Submission Flow
Verify
- Create new training history
- Validation messages
- Upload certificate after create
- Redirect and refresh behavior
- Cache invalidation
---
# Business Rule Review
Verify the training history flow follows project requirements.
Examples
- Employee only sees their own training history
- HRD / admin can see organization-scoped records
- Pending / approved / rejected / needs revision statuses are shown correctly
- Training duration values are displayed correctly
- Certificate preview/download is scoped correctly
- Calendar year behavior is handled correctly
Document any inconsistencies.
---
# Role Review
Review every permission.
Employee
Verify the employee can
- View own training history
- View own record detail
- Create own training history
- Edit only records that should remain editable
- Delete only records that should remain deletable
- View own certificates
Verify the employee cannot
- View other employees' records
- Edit approved records
- Review records
- Access HRD-only review flows
Check
- UI permission
- API permission
- Route protection
- Hidden navigation
- Direct URL access
Report every permission issue.
---
# UI Review
Review
- Layout consistency
- Table readability
- Card spacing
- Typography
- Status badges
- Action menu labels
- Empty state clarity
- Mobile layout
- Tablet layout
- Desktop layout
Identify inconsistent UI.
---
# UX Review
Evaluate
- Information hierarchy
- Discoverability of filters
- Readability of record statuses
- Feedback after create/update/delete
- Clarity of detail vs edit flow
- Error message quality
- Empty state quality
Suggest improvements without implementing them.
---
# Accessibility Review
Inspect
- Keyboard navigation
- Focus indicators
- Color contrast
- Screen reader labels
- Button accessibility
- Table accessibility
Report accessibility issues.
---
# Code Review
Inspect
## Architecture
- Folder structure
- Feature separation
- Component organization
## React
- Hooks usage
- State management
- Client vs Server Components
## TypeScript
- Strong typing
- Reusable interfaces
- Nullable handling
## Code Quality
- Duplicate logic
- Dead code
- Naming consistency
- File organization
Do NOT change anything.
---
# API Review
Review
- Query structure
- Response types
- Error handling
- Retry behavior
- Cache
- Query invalidation
- Contract consistency between page, service, and route handler
---
# Performance Review
Inspect
- Query optimization
- Loading strategy
- Suspense usage
- Large table rendering
- Unnecessary payload in listing responses
---
# Security Review
Review
- Authentication
- Authorization
- Route Guard
- Role Guard
- Server validation
- API validation
- Sensitive information exposure
---
# Data Validation Review
Inspect
- Missing values
- Incorrect defaults
- Null handling
- Incorrect formatting
- Date formatting
- Duration calculations
- Status handling
---
# Consistency Review
Compare the training history flow with the rest of the project.
Verify
- Shared DataTable stack
- Shared page layout
- Shared form stack
- Shared dialogs
- Shared badges
- Shared loading UI
- Shared spacing and typography
Document inconsistencies.
---
# Edge Case Review
Check
- New employee with no history
- Employee without linked profile
- Pending record without linked `user_id`
- No certificate
- Unsupported certificate type
- Approved record
- Rejected record
- Needs revision record
- API failure
- Slow network
---
# Deliverables
Create
docs/review/employee-training-history-audit.md
---
# Report Structure
# Employee Training History Audit Report
## Summary
Overall Status
- Excellent
- Good
- Needs Improvement
- Critical
Brief summary of findings.
---
## Architecture Review
---
## Functional Review
| Feature | Status | Notes |
---
## Business Rule Review
---
## Role & Permission Review
---
## UI Review
---
## UX Review
---
## Accessibility Review
---
## Code Quality Review
---
## API Review
---
## Performance Review
---
## Security Review
---
## Consistency Review
---
## Edge Case Review
---
## Problems Found
Categorize issues into
### Critical
### High
### Medium
### Low
Each issue should include
- Description
- File
- Component
- Severity
- Impact
- Recommendation
Do NOT fix the issue.
---
## Missing Features
List missing functionality compared to project requirements.
---
## Improvement Opportunities
Suggest improvements only.
Do NOT implement them.
---
## Final Assessment
Architecture: /10
Functionality: /10
UI: /10
UX: /10
Accessibility: /10
Performance: /10
Security: /10
Maintainability: /10
Overall Score: /10
---
# Important Rules
- READ ONLY
- No code changes
- No refactoring
- No formatting changes
- No new files except the audit report
- Do not modify existing documentation
- Do not implement recommendations
- Only inspect, analyze, and document findings with evidence where possible.