comiaunicaty/ACCEPTANCE_TESTS.md
# ACCEPTANCE_TESTS.md
Codex should use this file as a checklist. Implement automated tests for as many as practical and document any manual checks.
## Smoke tests
- `docker compose up --build` starts backend and frontend.
- Backend health endpoint returns OK.
- Frontend loads without console-breaking errors.
- Seed data can be created with a documented command.
## Accountless join
Automated/backend:
- Creating invite stores only token hash.
- Valid invite preview returns group preview.
- Claiming invite creates/updates member, member device, and session.
- Expired/revoked invite cannot be claimed.
- Limited-use invite increments use count and blocks after max uses.
Manual/frontend:
- Opening invite link shows a polished mobile join screen.
- User can join without email/password.
- User can RSVP immediately after join.
## Structured group behavior
Automated/backend:
- Admin can create announcement.
- Member cannot create official announcement unless permitted.
- Admin can create event.
- Member can RSVP to event.
- Missing RSVP generates action item.
- Task assigned to member generates action item.
- Poll without member vote generates action item.
Manual/frontend:
- Group page defaults to dashboard, not raw chat.
- Announcements/events/files/tasks/polls appear as cards.
- Chat/discussions are available but secondary.
## Home dashboard
Automated/backend:
- `/api/home` returns sections for needs_me, today, changed, official_updates, catch_up.
- Action ordering prioritizes urgent/due items.
- Local and remote objects can be represented consistently.
Manual/frontend:
- Home answers “What needs me?”
- Seed demo shows at least three actionable items across groups.
- Remote items show source server/group badge.
## Multi-device
Automated/backend:
- Device link start creates pending pairing code.
- Existing session can approve pending device.
- New device completes pairing and receives session.
- Device list includes both devices.
- Revoked device cannot use session.
Manual/frontend:
- User can start “Link another device.”
- Code/QR screen is understandable.
- Existing device approval UI is clear.
- Device management page shows current and linked devices.
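The five automated checks above form one state machine: a new device starts a pairing and gets a code, an existing live session approves it, the new device completes it and receives its own session, and a revoked device's session stops resolving. The example below is added here and is not the project's code; the `DeviceLinker` class, its in-memory tables, the six-digit code format and the five-minute lifetime are assumptions.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from typing import Optional

PAIRING_TTL = 300.0  # assumed: a pairing code is valid for five minutes


@dataclass
class Pairing:
    expires_at: float
    member_id: Optional[str] = None   # filled in when an existing session approves
    approved: bool = False


@dataclass
class DeviceLinker:
    """Hypothetical in-memory stand-in for the project's session and device tables."""
    sessions: dict[str, dict] = field(default_factory=dict)    # session_id -> {member_id, device_id}
    devices: dict[str, dict] = field(default_factory=dict)     # device_id -> {member_id, name, revoked}
    pairings: dict[str, Pairing] = field(default_factory=dict) # code -> pending state

    def issue_session(self, member_id: str, device_name: str) -> str:
        device_id = secrets.token_hex(8)
        session_id = secrets.token_urlsafe(32)
        self.devices[device_id] = {"member_id": member_id, "name": device_name, "revoked": False}
        self.sessions[session_id] = {"member_id": member_id, "device_id": device_id}
        return session_id

    def session_member(self, session_id: str) -> Optional[str]:
        """Resolve a session to its member; a session bound to a revoked device resolves to None."""
        s = self.sessions.get(session_id)
        if s is None or self.devices[s["device_id"]]["revoked"]:
            return None
        return s["member_id"]

    def start_link(self, now: float) -> str:
        """Called by the NEW device: returns the short code it displays as text or QR.
        A six-digit code is only acceptable with this short TTL plus per-code attempt
        limiting, which is assumed to live in the HTTP layer."""
        while True:
            code = f"{secrets.randbelow(10**6):06d}"
            if code not in self.pairings:
                break
        self.pairings[code] = Pairing(expires_at=now + PAIRING_TTL)
        return code

    def approve_link(self, session_id: str, code: str, now: float) -> bool:
        """Called from the EXISTING device, which must present a live session."""
        member_id = self.session_member(session_id)
        p = self.pairings.get(code)
        if member_id is None or p is None or p.approved or now >= p.expires_at:
            return False
        p.member_id, p.approved = member_id, True
        return True

    def complete_link(self, code: str, device_name: str, now: float) -> Optional[str]:
        """Called by the NEW device polling with its code; yields its session once approved."""
        p = self.pairings.get(code)
        if p is None or not p.approved or now >= p.expires_at:
            return None
        del self.pairings[code]  # single use: the code is consumed together with the session
        return self.issue_session(p.member_id, device_name)

    def list_devices(self, session_id: str) -> list[str]:
        member_id = self.session_member(session_id)
        return sorted(d["name"] for d in self.devices.values()
                      if d["member_id"] == member_id and not d["revoked"])

    def revoke_device(self, session_id: str, device_id: str) -> bool:
        """Only a live session of the same member may revoke a device."""
        member_id = self.session_member(session_id)
        d = self.devices.get(device_id)
        if member_id is None or d is None or d["member_id"] != member_id:
            return False
        d["revoked"] = True
        return True
```

The test drives the flow with explicit `now` values so expiry is deterministic, and checks the negative paths the checklist implies: completing before approval yields nothing, a bogus session cannot approve, the code cannot be completed twice, and an expired code cannot be approved.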
## Recovery
Automated/backend:
- Recovery request creates hashed recovery token/code.
- Recovery consume creates session or attaches to home profile.
- Expired/revoked recovery token fails.
Manual/frontend:
- Dev-mode recovery shows/logs a usable link or code.
- UI says “Save access”/“Recover access,” not mandatory account creation.
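The "Accountless join" and "Recovery" automated checks share one mechanism: a random token handed out once, stored only as a hash, and accepted only while unexpired, unrevoked and under its use limit. The code below is an added example serving both sections, not the project's code; the `AccountlessStore` class, its in-memory tables, the SHA-256 choice and the token lengths are assumptions.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hash_token(raw: str) -> str:
    """Only this digest is persisted; the raw token exists in the link or code alone."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


@dataclass
class TokenRecord:
    kind: str                  # "invite" or "recovery"
    subject: str               # group id for invites, member id for recovery
    expires_at: float          # unix seconds
    max_uses: Optional[int]    # None = unlimited (recovery is issued with 1)
    uses: int = 0
    revoked: bool = False


@dataclass
class AccountlessStore:
    """Hypothetical in-memory stand-in for the project's database tables."""
    records: dict[str, TokenRecord] = field(default_factory=dict)  # token_hash -> record
    members: dict[str, dict] = field(default_factory=dict)         # member_id -> profile
    devices: dict[str, dict] = field(default_factory=dict)         # device_id -> device
    sessions: dict[str, dict] = field(default_factory=dict)        # session_id -> session

    def issue(self, kind: str, subject: str, now: float, ttl_seconds: float,
              max_uses: Optional[int] = None) -> str:
        raw = secrets.token_urlsafe(32)
        self.records[hash_token(raw)] = TokenRecord(kind, subject, now + ttl_seconds, max_uses)
        return raw  # handed out once; never written to storage

    def revoke(self, token_hash: str) -> None:
        """Admins revoke by the stored hash, since the raw token is not available server-side."""
        self.records[token_hash].revoked = True

    def _valid(self, kind: str, raw: str, now: float) -> Optional[TokenRecord]:
        rec = self.records.get(hash_token(raw))
        if rec is None or rec.kind != kind or rec.revoked or now >= rec.expires_at:
            return None
        if rec.max_uses is not None and rec.uses >= rec.max_uses:
            return None
        return rec

    def preview_invite(self, raw: str, now: float) -> Optional[dict]:
        rec = self._valid("invite", raw, now)
        return None if rec is None else {"group_id": rec.subject}

    def _new_session(self, member_id: str, device_name: str) -> str:
        device_id = secrets.token_hex(8)
        session_id = secrets.token_urlsafe(32)
        self.devices[device_id] = {"member_id": member_id, "name": device_name, "revoked": False}
        self.sessions[session_id] = {"member_id": member_id, "device_id": device_id}
        return session_id

    def claim_invite(self, raw: str, display_name: str, device_name: str, now: float,
                     member_id: Optional[str] = None) -> tuple[str, str]:
        """Join without email/password: returns (member_id, session_id)."""
        rec = self._valid("invite", raw, now)
        if rec is None:
            raise PermissionError("invite is invalid, expired, revoked or used up")
        rec.uses += 1  # count before creating anything so a limited-use invite cannot over-admit
        member_id = member_id or secrets.token_hex(8)  # a known member id attaches to the existing profile
        member = self.members.setdefault(member_id, {"display_name": display_name, "groups": set()})
        member["display_name"] = display_name
        member["groups"].add(rec.subject)
        return member_id, self._new_session(member_id, device_name)

    def consume_recovery(self, raw: str, device_name: str, now: float) -> str:
        """Recover access on a new device: returns a session attached to the stored profile."""
        rec = self._valid("recovery", raw, now)
        if rec is None:
            raise PermissionError("recovery code is invalid, expired, revoked or already used")
        rec.uses += 1
        return self._new_session(rec.subject, device_name)
```

Each automated item above maps to one assertion: the store contains the hash but never the raw token, a valid preview returns the group, a claim creates member, device and session, expired and revoked tokens fail closed, a limited-use invite stops at its maximum, and a recovery code is single-use. In dev mode the raw value returned by `issue` is what gets logged as the usable link or code.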
## Migration kit
Automated/backend:
- Admin can fetch migration dashboard.
- Migration status reflects member invite/open/join/verified fields.
- Reminder copy endpoint returns useful text with link and transition date.
- WhatsApp export import accepts a `.txt` file and stores read-only archive messages if implemented.
Manual/frontend:
- Admin migration dashboard is clear.
- Reminder copy is one-click copyable.
- UI explains legacy channel concept.
## Files
Automated/backend:
- Upload enforces auth and file size.
- Download enforces permission.
- Filename is sanitized.
Manual/frontend:
- Files page shows global and by-group files.
- File source group/server is visible.
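The three automated file checks (auth and size on upload, permission on download, filename sanitization) can be exercised against a small handler model. The code below is an added example, not the project's own; the 10 MiB limit, the in-memory `FileStore`, the HTTP-style status codes and the decision to answer 404 for both unknown and forbidden files are assumptions.

```python
from __future__ import annotations

import re
import secrets
import unicodedata
from dataclasses import dataclass, field
from typing import Optional

MAX_UPLOAD_BYTES = 10 * 1024 * 1024   # assumed limit; the checklist states no number
_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_filename(name: str, max_len: int = 120) -> str:
    """Reduce a client-supplied filename to a safe, portable basename for storage."""
    # Keep only the last path component, whichever separator the client used, so
    # "../../etc/passwd" and "C:\\Users\\x\\a.txt" both collapse to a plain basename.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    name = unicodedata.normalize("NFKC", name)
    name = "".join(ch for ch in name if ch.isprintable())   # drops NUL and other control characters
    name = _UNSAFE.sub("_", name).strip("._")               # ASCII only; no leading dots, so no hidden files
    if not name:
        name = "upload"
    if len(name) > max_len:                                 # keep a short extension when truncating
        stem, dot, ext = name.rpartition(".")
        if dot and 0 < len(ext) <= 10:
            name = stem[: max_len - len(ext) - 1] + "." + ext
        else:
            name = name[:max_len]
    return name


@dataclass
class UploadResult:
    status: int                    # HTTP-style status the endpoint would answer with
    file_id: Optional[str] = None
    filename: Optional[str] = None
    error: Optional[str] = None


@dataclass
class FileStore:
    """Hypothetical in-memory model; `memberships` maps member id -> set of group ids."""
    memberships: dict[str, set[str]]
    files: dict[str, dict] = field(default_factory=dict)

    def upload(self, member_id: Optional[str], group_id: str, filename: str,
               content: bytes) -> UploadResult:
        # Cheap auth and permission checks run before the body is looked at.
        if member_id is None:
            return UploadResult(401, error="authentication required")
        if group_id not in self.memberships.get(member_id, set()):
            return UploadResult(403, error="not a member of this group")
        if len(content) > MAX_UPLOAD_BYTES:   # a real handler caps the stream rather than a buffered copy
            return UploadResult(413, error="file too large")
        if not content:
            return UploadResult(400, error="empty upload")
        safe = sanitize_filename(filename)
        file_id = secrets.token_hex(8)        # storage key is server-generated, never the client's name
        self.files[file_id] = {"group_id": group_id, "name": safe, "size": len(content), "owner": member_id}
        return UploadResult(201, file_id=file_id, filename=safe)

    def download(self, member_id: Optional[str], file_id: str) -> tuple[int, Optional[dict]]:
        """Download permission: the caller must be a member of the file's group."""
        if member_id is None:
            return 401, None
        f = self.files.get(file_id)
        # Unknown and forbidden answer identically so file ids cannot be probed.
        if f is None or f["group_id"] not in self.memberships.get(member_id, set()):
            return 404, None
        return 200, f
```

The sanitizer is conservative on purpose: non-ASCII names become underscores rather than being preserved, which keeps the stored name safe on any filesystem and in any `Content-Disposition` header; the original name can still be kept as display metadata if the UI needs it.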
## Remote/self-hosted aggregation
Automated/backend:
- `/.well-known/group-platform.json` returns manifest.
- `/api/sync` requires valid scoped token.
- Connection token has scopes and expiry.
- Home server can connect to remote server with URL + token.
- Sync stores/caches remote structured objects.
- `/api/home` includes remote action items after sync.
Manual/frontend:
- Connected servers page lists remote server.
- Sync status/errors are visible.
- Remote actions appear on Home.
- No UI claims full federation.
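The automated aggregation checks describe one protocol: the remote server publishes a manifest, issues a scoped connection token with an expiry, and serves `/api/sync` only to a valid token; the home server keeps that token server-side, caches the remote objects it fetches, and surfaces them on Home with a source badge. The code below is an added example, not the project's code; the manifest fields, the `sync:read` scope name, the object shape (including a `needs` list of member ids) and the in-memory classes are assumptions.

```python
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


def hash_token(raw: str) -> str:
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


@dataclass
class ConnectionToken:
    issued_to: str            # home server URL the token was minted for
    scopes: frozenset[str]
    expires_at: float
    revoked: bool = False


@dataclass
class RemoteServer:
    """Hypothetical self-hosted server that lets a home server read its structured objects."""
    url: str
    tokens: dict[str, ConnectionToken] = field(default_factory=dict)  # token_hash -> record
    objects: list[dict] = field(default_factory=list)

    def manifest(self) -> dict:
        """Body of `/.well-known/group-platform.json` (field names assumed)."""
        return {"server": self.url, "sync_endpoint": "/api/sync", "mode": "read-only-aggregation"}

    def issue_token(self, home_url: str, scopes, now: float, ttl_seconds: float) -> str:
        raw = secrets.token_urlsafe(32)
        self.tokens[hash_token(raw)] = ConnectionToken(home_url, frozenset(scopes), now + ttl_seconds)
        return raw   # shown once to the admin who pastes it into the home server

    def api_sync(self, raw_token: Optional[str], now: float, since: float = 0.0):
        """`/api/sync` handler: returns (status, body). Needs a live token carrying sync:read."""
        rec = self.tokens.get(hash_token(raw_token)) if raw_token else None
        if rec is None or rec.revoked or now >= rec.expires_at:
            return 401, {"error": "invalid or expired connection token"}
        if "sync:read" not in rec.scopes:
            return 403, {"error": "token lacks scope sync:read"}
        return 200, [o for o in self.objects if o["updated_at"] > since]


@dataclass
class HomeServer:
    """Keeps connection tokens server-side (never sent to the browser) and caches remote objects."""
    connections: dict[str, dict] = field(default_factory=dict)        # remote url -> connection state
    cache: dict[tuple[str, str], dict] = field(default_factory=dict)  # (remote url, object id) -> object

    def connect(self, remote_url: str, raw_token: str) -> None:
        self.connections[remote_url] = {"token": raw_token, "status": "pending",
                                        "error": None, "last_sync": 0.0}

    def sync(self, remote: RemoteServer, now: float) -> str:
        """Pull changed objects; status and error text are what the connected-servers page shows."""
        conn = self.connections[remote.url]
        status, body = remote.api_sync(conn["token"], now, since=conn["last_sync"])
        if status != 200:
            conn["status"], conn["error"] = "error", f"{status}: {body['error']}"
            return conn["status"]
        for obj in body:
            self.cache[(remote.url, obj["id"])] = dict(obj, source=remote.url)  # badge data
        conn.update(status="ok", error=None, last_sync=now)
        return "ok"

    def remote_needs_me(self, member_id: str) -> list[dict]:
        """Remote action items merged into `/api/home`, each carrying its `source`."""
        return [o for o in self.cache.values() if member_id in o.get("needs", [])]
```

The test mints a `sync:read` token and checks that only its hash is stored, that a sync populates Home with badged remote items, and that a wrong token, an expired token and a token with the wrong scope are each refused with a distinct status that the home server records as a visible error.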
## Responsive UI
Manual:
- 375px-wide mobile viewport is usable.
- Bottom nav appears on mobile.
- Desktop layout uses more horizontal space without becoming sparse.
- Forms are readable and touch targets are adequate.
- Empty/loading/error states are implemented.
## Security checklist
Automated or code review:
- Invite/recovery tokens hashed.
- Sessions use HttpOnly cookies.
- Long-lived tokens not stored in localStorage.
- Role checks on admin endpoints.
- Remote tokens stored server-side.
- Upload validation implemented.
- `.env.example` exists and no secrets are committed.
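The cookie items in this checklist are easiest to enforce from an automated test that inspects the backend's `Set-Cookie` header rather than from code review. The helper pair below is an added example, not the project's code; the cookie name `session`, the fourteen-day lifetime and the `SameSite=Lax` choice are assumptions.

```python
from __future__ import annotations

from http import cookies

SESSION_COOKIE = "session"
SESSION_MAX_AGE = 14 * 24 * 3600   # assumed session lifetime in seconds


def session_set_cookie(session_id: str, secure: bool = True) -> str:
    """Build the Set-Cookie value for a session the browser's JavaScript cannot read.

    `secure=False` is only for plain-http local development."""
    jar = cookies.SimpleCookie()
    jar[SESSION_COOKIE] = session_id
    m = jar[SESSION_COOKIE]
    m["path"] = "/"
    m["httponly"] = True        # keeps the session out of document.cookie and localStorage
    m["secure"] = secure        # never sent over plain http when True
    m["samesite"] = "Lax"       # cross-site POSTs do not carry the session
    m["max-age"] = SESSION_MAX_AGE
    return m.OutputString()


def cookie_is_hardened(set_cookie_value: str, require_secure: bool = True) -> tuple[bool, list[str]]:
    """What an automated check asserts on a response header: (ok, missing attribute names)."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie_value.split(";")[1:]}
    missing = []
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if require_secure and "secure" not in attrs:
        missing.append("Secure")
    if "samesite" not in attrs:
        missing.append("SameSite")
    return (not missing, missing)
```

The matching frontend check for "long-lived tokens not stored in localStorage" is a grep of the frontend source for `localStorage` writes plus a manual look at the browser's storage panel after login: with an HttpOnly session cookie, nothing session-related should appear there.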
## README checklist
Root README must include:
- product concept;
- architecture diagram/text;
- setup commands;
- seed demo instructions;
- invite flow instructions;
- device-linking instructions;
- remote aggregation demo instructions;
- known limitations;
- security notes;
- next-step roadmap.