Create/update all Sprint 6 documentation:

- CHANGELOG.md: document GOO-33 and recent audit findings
- CONTRIBUTING.md: add branching, PR, commit conventions
- docs/ci-cd.md: GitHub Actions pipeline documentation
- docs/onboarding.md: developer setup & onboarding guide
- docs/mcp-servers.md: MCP servers API documentation
- docs/PROJECT_TRACKER.md: mark GOO-33 as in_progress
- docs/QA_TRACKER.md: test status and verification plans

Curate audit reports (reduce ~103 → 12 canonical files):

- Keep canonical audit reports with descriptive index
- Archive obsolete/duplicate audit exploration files

Acceptance Criteria:

- [x] QA_TRACKER.md exists with current test status
- [x] CHANGELOG.md updated to today
- [x] PROJECT_TRACKER.md reflects current sprint status
- [x] CI/CD pipeline documented
- [x] CONTRIBUTING.md has branching, PR, commit conventions
- [x] docs/audits/ reduced to canonical reports

Co-Authored-By: Paperclip <noreply@paperclip.ing>
GoodGo Platform — QA Tracker
Last updated: 2026-04-22
Source: GOO-2 Lead Orchestrator Audit
Baseline QA Status (from the 2026-04-12 audit)
| Metric | Result |
|---|---|
| Lint (ESLint) | PASS, 0 errors |
| TypeScript | 7 errors (missing vitest types in web test files) |
| Unit tests | 232 files, 1454 tests — ALL PASS |
| Build | All 3 packages build successfully |
| E2E | Not re-run since the audit |
Blocker Findings (Step 1 audit, QA required after the fix lands)
| ID | Description | Task | QA status | Impact |
|---|---|---|---|---|
| BLOCKER-1 | Double CSRF middleware, login/register broken in prod | GOO-3 ✅ | Needs verification | Critical |
| BLOCKER-2 | UsageRecord race condition, quota bypass | GOO-4 | Awaiting fix | Critical |
| BLOCKER-3 | exchange-token has no rate limit | GOO-5 | Awaiting fix | Critical |
| GAP-03 | MoMo IPN URL points to the frontend | GOO-6 | Awaiting fix | Critical |
| A-19 | MCP search returns 0 results (status case mismatch) | GOO-9 | Awaiting fix | Critical |
Security Findings (QA required after the fix lands)
| ID | Description | Task | QA status |
|---|---|---|---|
| HIGH-1 | JWT validation does not check for banned users | GOO-7 | Awaiting fix |
| HIGH-2 | AI API key stored in plaintext | GOO-8 | Awaiting fix |
| HIGH-4 | Raw SQL via $queryRawUnsafe in project search | GOO-14 | Awaiting fix |
| MED-9 | Soft-deleted users can still log in | GOO-15 | Awaiting fix |
Test Plan — Sprint 1 Verification
API Tests (curl)
- POST /auth/login without CSRF token → 200 (not 403)
- POST /auth/register without CSRF token → 200
- POST /payments/callback/vnpay without CSRF → 200
- POST /payments/callback/momo → verifies IPN reaches backend
- POST /auth/exchange-token 6x in 60s → 429 on 6th
- Login with banned user (isActive=false) → 401
- Login with soft-deleted user (deletedAt set) → 401
- 5 concurrent listing creates → quota not exceeded
- MCP property-search tool → returns ACTIVE listings
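The concurrency check in the list above (five concurrent listing creates must not exceed the quota) is the verification for BLOCKER-2. The following is an added example, not code from the GoodGo project: it models the UsageRecord counter with an in-memory store whose `await`s stand in for database round trips, runs a read-then-write handler next to a handler that relies on a single conditional update, and shows why only the latter holds the quota under concurrency. The UsageRecord columns (`used`, `quota`), the user id and the handler names are assumptions for illustration.

```typescript
// Added example: check-then-act quota race vs. an atomic conditional update.
// In-memory stand-in for a UsageRecord row; the real table and its columns are assumed.
interface UsageRecord {
  userId: string;
  used: number;
  quota: number;
}

class UsageStore {
  private rows = new Map<string, UsageRecord>();

  constructor(seed: UsageRecord[]) {
    for (const r of seed) this.rows.set(r.userId, { ...r });
  }

  // Models `SELECT used, quota FROM UsageRecord WHERE userId = ?`.
  // The await is the network round trip during which other requests can run.
  async read(userId: string): Promise<UsageRecord> {
    await Promise.resolve();
    return { ...this.rows.get(userId)! };
  }

  // Models an unconditional `UPDATE UsageRecord SET used = used + 1 WHERE userId = ?`.
  async increment(userId: string): Promise<void> {
    await Promise.resolve();
    this.rows.get(userId)!.used += 1;
  }

  // Models `UPDATE UsageRecord SET used = used + 1 WHERE userId = ? AND used < quota`.
  // Check and write happen in one statement, so no other request can interleave
  // between them. Returns the affected-row count: 1 reserved a slot, 0 did not.
  async incrementIfBelowQuota(userId: string): Promise<number> {
    await Promise.resolve();
    const row = this.rows.get(userId)!;
    if (row.used >= row.quota) return 0;
    row.used += 1;
    return 1;
  }

  used(userId: string): number {
    return this.rows.get(userId)!.used;
  }
}

// Vulnerable handler: reads the counter, decides, then writes. Every concurrent
// caller reads the same stale count, passes the check, and increments past the quota.
async function createListingRacy(store: UsageStore, userId: string): Promise<boolean> {
  const rec = await store.read(userId);
  if (rec.used >= rec.quota) return false;
  await store.increment(userId);
  return true;
}

// Hardened handler: the database enforces the bound in a single conditional update.
async function createListingAtomic(store: UsageStore, userId: string): Promise<boolean> {
  return (await store.incrementIfBelowQuota(userId)) === 1;
}

type CreateFn = (store: UsageStore, userId: string) => Promise<boolean>;

// Fires `n` creates for one user at the same time (the QA check above) and reports
// how many were accepted and where the counter ended up.
async function runConcurrent(
  create: CreateFn,
  n: number,
  quota: number,
): Promise<{ accepted: number; used: number }> {
  const store = new UsageStore([{ userId: 'user-1', used: 0, quota }]);
  const results = await Promise.all(Array.from({ length: n }, () => create(store, 'user-1')));
  return { accepted: results.filter((ok) => ok).length, used: store.used('user-1') };
}

// Five concurrent creates against a quota of three.
runConcurrent(createListingRacy, 5, 3).then((r) => console.log('racy   ', r)); // accepted: 5, used: 5
runConcurrent(createListingAtomic, 5, 3).then((r) => console.log('atomic ', r)); // accepted: 3, used: 3
```

The same shape applies with a real ORM: a `count`/`findUnique` followed by a `create` in application code is the racy form, whereas a conditional `updateMany` (or a transaction that locks the row) returning an affected-row count is the form the concurrency test should pass.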
UI Tests (Playwright)
- Login page loads without CSRF error
- Registration flow completes
- Search returns results (Vietnamese diacritics — Sprint 2)
- Admin dashboard loads for admin user, redirects for non-admin
Test Plan — Sprint 2 Verification
- Phone OTP login: request → receive → verify → authenticated
- legalStatus dropdown shows enum values (not free text)
- Search "chung cu quan 7" matches "chung cư quận 7"
- District dropdown shows "Thủ Đức" (not Quận 2/9)
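For the Sprint 2 search check above ("chung cu quan 7" must match "chung cư quận 7"), the following is an added example and not the project's search implementation: it folds Vietnamese text to unaccented lowercase ASCII and runs token matching over a constructed listing set, so an accented and an unaccented query find the same listing and "thu duc" finds the Thủ Đức listing. The `Listing` shape, the sample rows and the function names are assumptions.

```typescript
// Added example: accent-insensitive matching for Vietnamese search terms.
// The Listing shape and the sample data below are constructed for this example.
interface Listing {
  id: number;
  title: string;
  district: string;
}

// Constructed sample data, not the project's seed data.
const SAMPLE_LISTINGS: Listing[] = [
  { id: 1, title: 'Chung cư quận 7 view sông', district: 'Quận 7' },
  { id: 2, title: 'Nhà phố Thủ Đức 3 tầng', district: 'Thủ Đức' },
  { id: 3, title: 'Căn hộ Bình Thạnh gần Landmark', district: 'Bình Thạnh' },
];

// Folds a Vietnamese string to lowercase ASCII. NFD splits tone and vowel marks
// into combining characters (U+0300..U+036F) that are then stripped; đ/Đ do not
// decompose under NFD, so they are mapped by hand.
function foldVietnamese(s: string): string {
  return s
    .normalize('NFD')
    .replace(/[\u0300-\u036f]/g, '')
    .replace(/đ/g, 'd')
    .replace(/Đ/g, 'D')
    .toLowerCase()
    .trim()
    .replace(/\s+/g, ' ');
}

// Every folded query token must appear in the folded title+district text,
// so "chung cu quan 7" and "chung cư quận 7" produce the same result set.
function searchListings(listings: Listing[], query: string): Listing[] {
  const tokens = foldVietnamese(query).split(' ').filter((t) => t.length > 0);
  if (tokens.length === 0) return [];
  return listings.filter((l) => {
    const haystack = foldVietnamese(`${l.title} ${l.district}`);
    return tokens.every((t) => haystack.includes(t));
  });
}

// Convenience wrapper over the constructed data set.
function searchIds(query: string): number[] {
  return searchListings(SAMPLE_LISTINGS, query).map((l) => l.id);
}

console.log(foldVietnamese('chung cư quận 7')); // "chung cu quan 7"
console.log(searchIds('chung cu quan 7'));      // [1]
console.log(searchIds('thu duc'));              // [2]
```

Folding every row per query, as this example does, is only acceptable for a demonstration; in the service the same folding belongs on the indexed side (a stored folded column or an accent-insensitive index), with the query folded once before it is parameterized.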
Bug Tracking
| Bug ID | Description | Related task | Severity | Status |
|---|---|---|---|---|
| (none yet) | — | — | — | — |
Notes
- QA will run a full regression once Sprint 1 is complete
- E2E tests need a Playwright config update for the new auth flows (Sprint 2)
- Performance benchmarks will run after Sprint 4 (revenue stats, dashboard queries)