KODA QA Tester Tasks

Complete Task Breakdown & Specifications

Created: October 31, 2025
Team: Quality Assurance
Total Hours: 488
Total Tasks: 29

Overview

The QA team is responsible for comprehensive testing of all 7 KODA applications to ensure quality, security, and performance standards are met before each release.

Testing Scope

  • Functional testing (all features and user flows)
  • Integration testing (API and inter-application)
  • Security testing (SAST/DAST, penetration testing)
  • Performance testing (load and stress testing)
  • Usability and accessibility testing
  • Cross-browser and cross-device testing
  • Production validation and smoke testing

Testing Tools

  • API Testing: Postman/Newman
  • Web Automation: Selenium/Cypress
  • Mobile Automation: Appium
  • Security: OWASP ZAP, Burp Suite
  • Performance: Apache Bench, K6, JMeter
  • Test Management: TestRail

Phase 1 - Core Functionality Testing

Comprehensive testing of all 7 KODA applications covering functional, integration, and security aspects.

Milestone 1: Backend API Testing (M1)

Backend API Testing Suite (64H)

64 Hours 5 Tasks

QA-M1-001 16H Critical Path

API Endpoints Testing - Authentication & User Management

Authentication Endpoints:

  • Test user registration API (valid/invalid data, duplicate phone numbers)
  • Test login API (valid credentials, invalid credentials, locked accounts)
  • Test logout API
  • Test token refresh API
  • Test password reset flow
  • Verify multi-tenant API key validation
  • Test branch selection API

User Profile APIs:

  • Test get user profile API
  • Test update user profile API (all fields, partial updates)
  • Test profile photo upload API
  • Test user search API (by name, phone, email)
  • Test user listing API with pagination and filters

Test Cases:

  • Positive test cases (happy path)
  • Negative test cases (invalid inputs, missing required fields)
  • Boundary test cases (max length fields, special characters)
  • Security test cases (SQL injection attempts, XSS attempts)

Tools:

  • Postman/Newman for API testing
  • Create automated test collection

QA-M1-002 12H Critical Path

API Endpoints Testing - Phone Management & Verification

Phone Management APIs:

  • Test add phone number API
  • Test set primary phone API (for calls, for messages)
  • Test delete phone number API
  • Test get user phones API
  • Verify phone number validation (format, duplicates)

OTP Verification APIs:

  • Test send OTP API
  • Test verify OTP API (valid OTP, invalid OTP, expired OTP)
  • Test OTP rate limiting
  • Test OTP resend functionality
  • Verify OTP expiry time

Multi-Tenant Phone Testing:

  • Test phone verification sync between main and sub-app databases
  • Verify global_phone_id linking
  • Test phone deduplication across sub-apps

QA-M1-003 14H Critical Path

API Endpoints Testing - Multi-Tenant Architecture

Multi-Tenant Testing:

  • Test API key validation middleware
  • Test sub-application creation API
  • Test database connection switching
  • Test user deduplication across sub-apps
  • Test identity verification API (Core Admin only)
  • Test user-to-application assignment API

Data Isolation Testing:

  • Verify data isolation between sub-apps
  • Test that sub-app A cannot access sub-app B data
  • Verify global_id linking works correctly
  • Test activity log includes correct app_id and api_key_id
  • Test client transactions include correct app_id

Performance Testing:

  • Verify API key cache performance (<2ms validation)
  • Test database connection pooling
  • Verify sub-app database queries only access correct database

QA-M1-004 12H High Priority

API Endpoints Testing - Permissions System

Permission APIs:

  • Test get all permissions API
  • Test get permission categories API
  • Test assign permission category to user API
  • Test revoke permission category API
  • Test check permission API

Authorization Testing:

  • Verify users with permission can access protected endpoints
  • Verify users without permission receive 403 Forbidden
  • Test permission inheritance (category-based)
  • Test granular permissions (view_own, view_all, create, update, delete)
  • Test Core Admin override permissions

Edge Cases:

  • Test permission check with deleted user
  • Test permission check with invalid permission name
  • Test concurrent permission assignments

QA-M1-005 10H High Priority

Database Testing & Data Integrity

Database Integrity:

  • Verify all migrations run successfully
  • Test foreign key constraints
  • Test unique constraints
  • Test default values
  • Verify indexes are created
  • Test database seeding

Data Consistency:

  • Verify user data syncs between main and sub-app databases
  • Test phone verification status sync
  • Test identity verification flag sync
  • Verify activity logs are created with correct app_id
  • Test client transaction logging

Backup & Recovery:

  • Test database backup procedure
  • Test database restoration
  • Verify data integrity after restoration

Summary

Total Hours by Phase

Phase             Milestone(s)  Hours  Tasks
Phase 1           M1-M5         236    13
Phase 1 Security  M5            30     1
Phase 2           M11-M12       66     5
Phase 2 Security  M12           16     1
Phase 3           M16-M18       120    8
Phase 3 Security  M18           20     1
GRAND TOTAL       -             488    29

Critical Testing Focus Areas

  1. Multi-tenant data isolation - MUST NOT FAIL
  2. Payment processing security - CRITICAL
  3. User authentication security - HIGH PRIORITY
  4. Golden Opportunities race condition - Important
  5. Data migration accuracy - 55,000+ records

Test Coverage Targets

  • Backend API: > 80% code coverage
  • Frontend: > 70% code coverage
  • User Stories: 100% tested
  • Security: OWASP Top 10 - 100% coverage

Milestone 2: Website Testing (M2)

KODA Website Testing (34H)

34 Hours 3 Tasks

QA-M2-001 14H High Priority

KODA Website - Functional Testing

Homepage Testing:

  • Test hero section loads correctly
  • Verify all links work (services, about, contact)
  • Test CTA buttons
  • Verify images load and lazy loading works
  • Test testimonials carousel
  • Test statistics counter animation

Services Page:

  • Test service listing displays correctly
  • Test service filtering by category
  • Test service detail modal opens
  • Verify pricing information displays
  • Test "Book Now" CTA redirects to app download

About & Contact Pages:

  • Test about page content loads
  • Test contact form submission (valid/invalid data)
  • Test form validation (required fields, email format)
  • Verify Google Maps integration works
  • Test reCAPTCHA functionality

QA-M2-002 12H High Priority

KODA Website - Cross-Browser & Responsive Testing

Browser Compatibility:

  • Test on Chrome (latest)
  • Test on Firefox (latest)
  • Test on Safari (latest)
  • Test on Edge (latest)
  • Test on mobile browsers (Chrome Mobile, Safari iOS)

Responsive Design:

  • Test on desktop (1920x1080, 1366x768)
  • Test on tablet (iPad, Android tablet)
  • Test on mobile (iPhone, Android phone)
  • Verify navigation transforms to hamburger menu on mobile
  • Test touch interactions on mobile

Performance:

  • Run Lighthouse audit (Performance, SEO, Accessibility > 90)
  • Verify page load time < 2 seconds
  • Test lazy loading of images
  • Verify CDN caching works

QA-M2-003 8H Medium Priority

KODA Website - SEO & Accessibility Testing

SEO Testing:

  • Verify meta tags on all pages (title, description, Open Graph)
  • Test structured data (JSON-LD)
  • Verify sitemap.xml exists and is valid
  • Test robots.txt
  • Verify canonical URLs
  • Test social media preview (Open Graph)

Accessibility Testing:

  • Run WAVE accessibility checker
  • Verify WCAG 2.1 AA compliance
  • Test keyboard navigation
  • Verify alt text on all images
  • Test screen reader compatibility (NVDA, VoiceOver)
  • Verify color contrast ratios (> 4.5:1)
  • Test form labels and ARIA attributes

Milestone 3: Mobile App Testing (M3)

KODA Mobile App Testing (52H)

52 Hours 4 Tasks

QA-M3-001 14H Critical Path

KODA Mobile App - Onboarding & Authentication Testing

Onboarding Flow:

  • Test splash screen displays correctly
  • Test onboarding slides (swipe, skip, get started)
  • Verify app permissions requests (camera, storage, notifications)

Registration:

  • Test registration flow (multi-step form)
  • Verify phone number validation
  • Test OTP sending and verification
  • Test profile photo upload
  • Verify duplicate phone number detection
  • Test registration with existing user (deduplication)

Login:

  • Test login with phone number
  • Test OTP verification for login
  • Test biometric login setup (fingerprint, Face ID)
  • Test "Remember Me" functionality
  • Test login with invalid credentials

Test on Devices:

  • Android (multiple versions: 11, 12, 13, 14)
  • iOS (multiple versions: 15, 16, 17)

QA-M3-002 16H Critical Path

KODA Mobile App - Booking & Services Testing

Services Listing:

  • Test services display correctly
  • Test service categories tabs
  • Test service search functionality
  • Verify service images load
  • Test service details screen

Golden Opportunities:

  • Verify Golden Opportunity slots display with gold highlight
  • Test booking Golden Opportunity slot
  • Test payment for Golden Opportunity (20 JD)
  • Verify slot disappears after booking
  • Test "Opportunity Found" notification

Booking Flow:

  • Test service selection
  • Test date and time picker
  • Test staff selection (if applicable)
  • Test package selection (if user has packages)
  • Test payment methods (card, Apple Pay, Google Pay, balance, points)
  • Verify booking confirmation
  • Test booking with insufficient balance/points

Reservations:

  • Test upcoming reservations display
  • Test reservation details screen
  • Test cancel reservation
  • Test reschedule reservation
  • Test reservation history

QA-M3-003 10H High Priority

KODA Mobile App - Profile & Settings Testing

Profile Management:

  • Test view profile screen
  • Test edit profile (name, photo, date of birth)
  • Test update phone numbers
  • Test update email addresses
  • Test change password
  • Verify profile updates sync with backend

Settings:

  • Test notification settings (enable/disable)
  • Test language switch (AR/EN)
  • Test theme toggle (light/dark)
  • Test logout functionality
  • Test delete account functionality

App Functionality:

  • Test deep linking (from notifications)
  • Test push notifications (booking confirmation, reminders)
  • Test app version check and update prompt
  • Test offline mode behavior
  • Test app crashes and error handling

QA-M3-004 12H High Priority

KODA Mobile App - Device & OS Compatibility Testing

Android Testing:

  • Test on Samsung devices (Galaxy S21, S22, S23)
  • Test on Google Pixel (6, 7, 8)
  • Test on Xiaomi devices
  • Test on Huawei devices (without Google Services)
  • Test on different screen sizes (small, medium, large)
  • Test on Android versions (11, 12, 13, 14)

iOS Testing:

  • Test on iPhone (12, 13, 14, 15)
  • Test on different screen sizes (iPhone SE, iPhone Pro Max)
  • Test on iOS versions (15, 16, 17)

Performance Testing:

  • Measure app startup time (< 2 seconds)
  • Test app responsiveness (smooth scrolling, animations)
  • Monitor memory usage
  • Test app behavior with poor network (2G, 3G, 4G, 5G, WiFi)
  • Test offline mode and data syncing

Milestone 4: KODA CORE Admin Testing (M4)

KODA CORE Admin Testing (62H)

62 Hours 4 Tasks

QA-M4-001 8H High Priority

KODA CORE - Dashboard & Navigation Testing

Dashboard:

  • Test dashboard loads correctly after login
  • Verify widgets display correct data
  • Test quick actions work
  • Verify user profile dropdown
  • Test notification bell (display notifications, mark as read)

Navigation:

  • Test sidebar menu navigation
  • Test breadcrumb navigation
  • Test nested menu items
  • Verify active menu item highlighting
  • Test sidebar collapse/expand
  • Test responsive navigation on tablet

Branch Selection:

  • Test branch selection dropdown
  • Verify switching branches updates data
  • Test user with single branch (no dropdown shown)
  • Test user with no branches (error message)

QA-M4-002 20H Critical Path

KODA CORE - Customer Management Testing

Customer Listing:

  • Test customer list displays correctly
  • Test search functionality (name, phone, ID)
  • Test filters (status, tier, tags)
  • Test sorting (by name, ID, join date)
  • Test pagination
  • Test bulk selection and bulk actions

Add/Edit Customer:

  • Test add customer form (all fields)
  • Verify form validation (required fields, phone format, email format)
  • Test multi-language name inputs (Arabic + English)
  • Test duplicate customer detection
  • Test edit customer functionality
  • Test quick add customer

Customer Profile Tabs:

  • Basic Info Tab: Test view and edit basic information
  • Phones Tab: Test add/edit/delete phones, set primary phones, verify phone
  • Emails Tab: Test add/edit/delete emails
  • Addresses Tab: Test add/edit/delete addresses
  • Balance Tab: Test view balance, add payment, cancel payment, refund, cash return
  • Packages Tab: Test view packages, add package, cancel package, adjust sessions, extend expiry, freeze package, transfer package
  • Reservations Tab: Test view reservations, add reservation, edit/cancel reservation, check-in, complete, no-show
  • Notes Tab: Test add/edit/delete notes (public/private)
  • Tags Tab: Test assign/remove tags
  • Files Tab: Test upload/view/delete files, view gallery
  • Forms Tab: Test view signed forms, send form to customer

Bulk Operations:

  • Test bulk import customers (CSV/Excel)
  • Test bulk export customers
  • Test bulk tag assignment
  • Test bulk SMS/email sending
  • Test duplicate detection and merge

QA-M4-003 16H Critical Path

KODA CORE - Reservations Calendar Testing

Calendar View:

  • Test calendar displays correctly (day, week, month views)
  • Test resource columns (by staff, by room, by service)
  • Verify reservations display as colored blocks
  • Test color-coding by status (confirmed, completed, cancelled, no-show)
  • Test legend displays correctly

Add/Edit Reservation:

  • Test add reservation dialog
  • Test customer search and selection
  • Test service selection
  • Test staff selection (filtered by service capability)
  • Test room selection (filtered by availability)
  • Test date and time picker
  • Verify duration auto-calculated from service
  • Test package selection (if customer has packages)
  • Verify price calculation
  • Test conflict detection (double booking)
  • Test recurring reservation option

Drag & Drop:

  • Test drag reservation to new time slot
  • Test drag reservation to different staff/room
  • Verify drag-and-drop updates backend
  • Test conflict detection during drag

Reservation Management:

  • Test click on reservation opens details
  • Test status change (confirmed, checked-in, completed, cancelled, no-show, late)
  • Test cancellation with reason
  • Test rescheduling
  • Test send reminder (SMS/WhatsApp)
  • Test convert to follow-up

Filters:

  • Test filter by branch
  • Test filter by service
  • Test filter by staff
  • Test filter by room
  • Test filter by date range

QA-M4-004 18H Critical Path

KODA CORE - POS Testing

POS Interface:

  • Test customer search and selection
  • Test product/service grid display
  • Test category filtering
  • Test product search
  • Test barcode scanner input

Cart Management:

  • Test add item to cart
  • Test increase/decrease quantity
  • Test remove item from cart
  • Test edit item price (with permission check)
  • Test add discount (percentage/fixed amount)
  • Verify discount approval workflow
  • Test package selection and session deduction
  • Test add notes to line item
  • Test tax calculation
  • Test cart total calculation

Payment:

  • Test payment dialog opens
  • Test cash payment with change calculation
  • Test card payment
  • Test customer balance payment
  • Test points redemption payment
  • Test mixed payment (multiple methods)
  • Verify payment summary displays correctly
  • Test insufficient balance/points error
  • Test print receipt
  • Test email receipt

Transaction Management:

  • Test hold transaction
  • Test retrieve held transaction
  • Test cancel invoice
  • Test refund processing
  • Test invoice listing and search
  • Test invoice details view

Cash Drawer:

  • Test open cash drawer with starting balance
  • Test cash count interface (bills and coins)
  • Test close cash drawer with final count
  • Test discrepancy resolution
  • Verify cash drawer history

Milestone 5: Team App Testing (M5)

KODA Team App Testing (12H)

12 Hours 1 Task

QA-M5-001 12H High Priority

KODA Team App - Core Functionality Testing

Team Member Login:

  • Test team member login (phone + OTP)
  • Test biometric login
  • Test logout

Daily Schedule:

  • Test view daily schedule
  • Verify appointments display correctly
  • Test appointment details view
  • Test filter by date

Client Check-In:

  • Test scan QR code to check-in client
  • Test manual check-in by client search
  • Verify check-in timestamp recorded

Session Management:

  • Test start session
  • Test add session notes
  • Test log consumables used
  • Test complete session
  • Verify session completion updates backend

Break Time:

  • Test start break
  • Test end break
  • Verify break time logged

Performance Dashboard:

  • Test view team member statistics
  • Verify completed sessions count
  • Test view revenue generated

Device & OS Testing:

  • Test on Android (11, 12, 13, 14)
  • Test on iOS (15, 16, 17)
  • Test on various devices

Phase 1 Security Testing

Phase 1 Comprehensive Security Testing (30H)

30 Hours 1 Task

QA-M5-002-SECURITY 30H CRITICAL - Security

Phase 1 Comprehensive Security Testing

Authentication Security:

  • Test brute-force protection on login
  • Test account lockout after failed attempts
  • Test OTP brute-force protection
  • Test OTP expiry time
  • Test token expiry and refresh
  • Test session hijacking prevention
  • Test logout invalidates tokens

Authorization Security:

  • Test unauthorized access to admin endpoints
  • Test permission bypass attempts
  • Test horizontal privilege escalation (access other user's data)
  • Test vertical privilege escalation (access admin functions)
  • Test Core Admin isolation

Multi-Tenant Security (CRITICAL):

  • CRITICAL: Test sub-app data isolation (sub-app A cannot access sub-app B data)
  • Test API key validation
  • Test API key brute-force protection
  • Test invalid API key rejection
  • Test expired API key rejection
  • Verify app_id is correctly set in all operations
  • Test global_id linking security (cannot manipulate global_id)

Input Validation:

  • Test SQL injection on all inputs
  • Test XSS attempts on all text fields
  • Test CSRF protection on forms
  • Test file upload vulnerabilities (malicious files, size limits)
  • Test command injection attempts
  • Test XXE attacks on XML inputs (if any)

API Security:

  • Test API rate limiting
  • Test API authentication
  • Test API authorization
  • Test API input validation
  • Test API error handling (no sensitive data leakage)
  • Test CORS configuration

Data Security:

  • Verify passwords are hashed (bcrypt)
  • Verify sensitive data is encrypted at rest
  • Verify HTTPS is enforced
  • Verify secure cookie flags (HttpOnly, Secure, SameSite)
  • Test data exposure in logs
  • Test PII data handling

OWASP Top 10 Testing:

  • 1. Broken Access Control
  • 2. Cryptographic Failures
  • 3. Injection
  • 4. Insecure Design
  • 5. Security Misconfiguration
  • 6. Vulnerable and Outdated Components
  • 7. Identification and Authentication Failures
  • 8. Software and Data Integrity Failures
  • 9. Security Logging and Monitoring Failures
  • 10. Server-Side Request Forgery (SSRF)

Tools:

  • OWASP ZAP for vulnerability scanning
  • Burp Suite for manual testing
  • SQLMap for SQL injection testing
  • Manual penetration testing

Deliverables:

  • Security test report
  • Vulnerabilities list with severity ratings
  • Remediation recommendations

Phase 2 - Advanced Features Testing

Testing loyalty program, Golden Opportunities, Passport system, and partner integrations.

Milestone 11: Loyalty System Testing (M11)

Loyalty System Testing (38H)

38 Hours 3 Tasks

QA-M11-001 14H High Priority

Loyalty Program - Points & Tiers Testing

Points Earning:

  • Test points earned on purchase (1 point = 1 JD for laser)
  • Test double points on beauty services (2 points = 1 JD)
  • Test points earned on referral (200 points)
  • Test points earned on pre-booking (50 points)
  • Test points earned on social media share (25 points)
  • Test points earned on subscription (500 points for program, 250 for annual package)
  • Verify points calculation is correct

Points Redemption:

  • Test redeem points for discount
  • Verify points deduction
  • Test insufficient points error
  • Test points expiry (after 6 months inactivity)

Tier System:

  • Test tier progression (Insider → Ambassador → Royal)
  • Verify tier thresholds (0-749, 750-1999, 2000+)
  • Test tier benefits unlock on promotion
  • Verify tier benefits (discounts, priority booking, concierge, etc.)
  • Test tier downgrade (if applicable)
  • Verify tier upgrade notification

Mobile App & Admin:

  • Test loyalty dashboard displays correctly
  • Test points balance display
  • Test tier badge display
  • Test manual points adjustment (admin)

QA-M11-002 12H Critical Path

Golden Opportunities System Testing

Golden Opportunity Creation:

  • Test manual conversion of slot to Golden Opportunity (admin)
  • Test automatic conversion based on rules
  • Verify Golden Opportunity slots display in gold color
  • Test maximum slots per day limit (15)
  • Test pricing (20 JD for Golden Opportunity)

Customer Booking:

  • Test customer sees Golden Opportunity in app
  • Test booking Golden Opportunity slot
  • Test payment for Golden Opportunity (immediate, full payment)
  • Verify slot disappears after booking
  • Test slot becomes unavailable after booking
  • Test "Opportunity Found" notification

Edge Cases (CRITICAL):

  • Test two customers trying to book same slot simultaneously (race condition)
  • Test Golden Opportunity expiry (if not booked)
  • Test cancel Golden Opportunity booking (refund policy)
  • Verify no-show policy for Golden Opportunity

Admin Management:

  • Test Golden Opportunity calendar view
  • Test Golden Opportunity statistics (booking rate, revenue)
  • Test Golden Opportunity conversion report

QA-M11-003 12H High Priority

Passport Partner System Testing

Partner Directory (Mobile App):

  • Test partner directory displays correctly
  • Test partner filtering by category
  • Test partner search
  • Test partner detail view
  • Test partner location on map
  • Verify passport section unlocked for Ambassador+ tier
  • Verify passport section locked for Insider tier

Benefit Activation:

  • Test "Activate Benefit" generates QR code
  • Test QR code displays correctly
  • Test QR code expiry (5 minutes)
  • Test partner scans QR code for validation
  • Verify benefit usage is logged
  • Test benefit usage limit (e.g., once per month)

Admin - Partner Management:

  • Test add partner (name, category, logo, benefit details)
  • Test edit partner
  • Test activate/deactivate partner
  • Test partner usage statistics
  • Test redemption history per partner

Milestone 12: Partner System Testing (M12)

Influencer Partner Testing (28H)

28 Hours 2 Tasks

QA-M12-001 12H High Priority

Influencer Partner & Promo Code Testing

Promo Code Creation (Admin):

  • Test create promo code (code, discount %, expiry, max uses)
  • Test assign promo code to influencer/partner
  • Test edit promo code
  • Test activate/deactivate promo code
  • Test promo code with unlimited uses
  • Test promo code with limited uses

Promo Code Usage (Customer):

  • Test apply promo code at checkout (mobile app)
  • Test apply promo code on Golden Opportunity booking
  • Verify discount calculation is correct
  • Test invalid promo code error
  • Test expired promo code error
  • Test promo code max uses reached error
  • Verify promo code usage is logged

Influencer Dashboard (Admin):

  • Test view influencer partner list
  • Test view commission earned per partner
  • Test view promo code usage statistics
  • Test view revenue generated per partner
  • Verify commission calculation (10% of revenue)

Partner Payment:

  • Test view pending payouts per partner
  • Test process payment button
  • Test payment batch processing
  • Verify payment history

QA-M12-002-SECURITY 16H CRITICAL - Security

Phase 2 Security Testing - Loyalty & Partners

Loyalty System Security:

  • Test points manipulation attempts (negative points, decimal points)
  • Test tier manipulation (directly upgrade tier without points)
  • Test unauthorized points adjustment
  • Test promo code brute-force protection
  • Test promo code enumeration

Golden Opportunity Security:

  • Test race condition on booking Golden Opportunity (two users booking same slot)
  • Test price manipulation (change price from 20 JD to lower)
  • Test booking without payment
  • Test unauthorized Golden Opportunity creation

Passport System Security:

  • Test unauthorized benefit activation
  • Test QR code replay attacks (reuse same QR code)
  • Test QR code forgery
  • Test benefit activation without proper tier

Partner System Security:

  • Test unauthorized access to influencer dashboard
  • Test commission manipulation
  • Test promo code creation without authorization
  • Test partner data isolation (partner A cannot see partner B data)

Deliverables:

  • Phase 2 security test report
  • Vulnerabilities identified
  • Remediation status

Phase 3 - Complete System Testing

Final comprehensive testing including HR, Reports, end-to-end journeys, performance, and production readiness.

Milestone 16: HR Module Testing (M16)

HR Module Testing (28H)

28 Hours 2 Tasks

QA-M16-001 14H High Priority

HR Module - Employee & Attendance Testing

Employee Management:

  • Test add employee (personal info, job details, photo)
  • Test edit employee
  • Test activate/deactivate employee
  • Test employee profile view (tabs: info, attendance, leaves, payroll)
  • Test employee search and filters

Attendance:

  • Test view attendance log
  • Test manual attendance entry
  • Test biometric attendance integration (if applicable)
  • Test attendance status (present, absent, late, early leave)
  • Test attendance filters (date range, employee, branch)
  • Test attendance calendar view per employee
  • Test attendance statistics
  • Test attendance export
  • Test attendance correction workflow

QA-M16-002 14H High Priority

HR Module - Leave & Payroll Testing

Leave Management:

  • Test submit leave request (type, dates, reason)
  • Test leave request approval workflow
  • Test approve/reject leave with comments
  • Test leave balance calculation
  • Test leave calendar view
  • Test leave history
  • Test leave type configuration
  • Test automatic leave accrual

Payroll:

  • Test generate payroll run
  • Test payroll summary (total salaries, deductions, bonuses)
  • Test employee salary slips view
  • Test print salary slip
  • Verify salary breakdown (base, allowances, deductions, net)
  • Test salary advance tracking
  • Test bonuses and commissions
  • Test deductions
  • Test payroll approval workflow
  • Test payroll payment status
  • Test payroll export

Milestone 17: Reports Testing (M17)

Reports Module Testing (18H)

18 Hours 1 Task

QA-M17-001 18H High Priority

Reports Module - All Reports Testing

Report Generation:

  • Test common report filters (date range, branch, staff)
  • Test report generation with various filter combinations
  • Verify report data accuracy against database
  • Test report export to Excel
  • Test report export to PDF
  • Test report print preview
  • Test report pagination and sorting

Sales Reports:

  • Test sales by service, package, category, staff reports
  • Test daily sales summary report
  • Test sales comparison report
  • Test sales by payment method report

Financial Reports:

  • Test revenue, expense, profit & loss reports
  • Test cash flow report
  • Test payment collection report
  • Test refunds and tax reports

Customer & Operational Reports:

  • Test customer reports (new customers, retention, LTV, acquisition source)
  • Test loyalty tier distribution and points reports
  • Test staff performance and utilization reports
  • Test attendance summary and no-show reports

Report Accuracy:

  • Verify all calculations are correct
  • Cross-check report data with database queries
  • Test edge cases (no data, large datasets)
  • Test report performance (load time < 5 seconds)

Milestone 18: Complete System Integration Testing (M18)

Complete System Testing (94H)

94 Hours 6 Tasks

QA-M18-001 20H Critical Path

End-to-End User Journey Testing

Complete Customer Journey (18 steps):

  1. Customer discovers KODA through website
  2. Customer downloads mobile app
  3. Customer registers with phone number (multi-tenant)
  4. Customer receives OTP and verifies phone
  5. Customer browses services
  6. Customer finds Golden Opportunity (20 JD slot)
  7. Customer books Golden Opportunity and pays
  8. Customer receives booking confirmation (push + SMS)
  9. Customer receives reminder before appointment
  10. Customer arrives and checks in at reception
  11. Staff marks customer as checked-in in Team App
  12. Session is completed, customer receives notification
  13. Customer earns points for the session
  14. Customer checks loyalty dashboard, sees points and tier progress
  15. Customer books another service using package (if Ambassador+)
  16. Customer uses Passport benefit at partner location
  17. Customer refers a friend (earns 200 points)
  18. Customer reaches Royal tier, receives exclusive benefits

Verify at each step:

  • Data syncs correctly across all applications
  • Notifications are received
  • Activity logs are created with correct app_id
  • Multi-tenant isolation is maintained

Test on:

  • Different devices (iOS, Android, Desktop)
  • Different browsers (Chrome, Safari, Firefox)
  • Different network conditions (WiFi, 4G, 3G)

QA-M18-002 16H Critical Path

Performance & Load Testing

Performance Benchmarks:

  • API response time < 200ms (p95)
  • Page load time < 2 seconds
  • Database query time < 50ms (p95)
  • Cache hit rate > 80%

Load Testing:

  • Simulate 1000 concurrent users
  • Test 10,000 requests per minute
  • Test sustained load for 30 minutes
  • Test spike load (sudden traffic increase)
  • Monitor server resources (CPU, memory, disk I/O)
  • Monitor database connections and queries
  • Monitor cache performance

Stress Testing:

  • Increase load until system breaks
  • Identify bottlenecks
  • Verify graceful degradation
  • Verify auto-scaling triggers (if configured)

Tools: Apache Bench, Artillery, K6, JMeter, Locust

Deliverables:

  • Performance test report
  • Bottlenecks identified
  • Optimization recommendations

QA-M18-003 12H CRITICAL - Data

Data Migration & Multi-Tenant Validation Testing

Data Migration Testing (55,000+ records):

  • Test migration of 55,000+ customer records from existing database
  • Verify all customer data migrated correctly (names, phones, emails, addresses)
  • Verify phone numbers normalized correctly (Jordanian format)
  • Test customer deduplication during migration (matching by full name + verified phone)
  • Verify global_id and global_phone_id linking
  • Test user-to-application assignment for Irbid customers

Multi-Tenant Data Isolation (CRITICAL):

  • CRITICAL: Test sub-app A cannot access sub-app B data
  • Test API calls with sub-app A API key only return sub-app A data
  • Test API calls with sub-app B API key only return sub-app B data
  • Verify activity logs include correct app_id
  • Verify client transactions include correct app_id
  • Test user belongs to multiple sub-apps (different permissions per sub-app)
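
The isolation checks above can be evaluated mechanically once the same requests have been replayed with each sub-app's API key. The following is an added example, not part of the original task list or KODA's code: apart from app_id, every field name, the sub-app labels "A" and "B", and the set of accepted refusal codes are assumptions, and the sample results are constructed.

```python
from collections import namedtuple

# One replayed API call: which sub-app's key was used, which sub-app's data was
# requested, the HTTP status, the records returned, and the app_id written to
# the activity log for that call. Field names other than app_id are assumptions.
Call = namedtuple("Call", "key_app target_app status records log_app_id")

DENIED = {403, 404}  # assumed acceptable refusals for a cross-tenant request


def isolation_findings(calls):
    """Return (reason, call) pairs for every breach of multi-tenant isolation."""
    findings = []
    for c in calls:
        # A key for one sub-app must never be served another sub-app's resource.
        if c.key_app != c.target_app and c.status not in DENIED:
            findings.append(("cross-tenant request not refused", c))
        # Every returned record must carry the caller's own app_id.
        if any(r.get("app_id") != c.key_app for r in c.records):
            findings.append(("response contains another sub-app's records", c))
        # The activity log entry must be attributed to the calling sub-app.
        if c.log_app_id != c.key_app:
            findings.append(("activity log written with wrong app_id", c))
    return findings


def summarize(calls):
    """Count findings per reason so the report shows which control failed."""
    counts = {}
    for reason, _ in isolation_findings(calls):
        counts[reason] = counts.get(reason, 0) + 1
    return counts


# Constructed sample results for two sub-apps, "A" and "B".
SAMPLE_CALLS = [
    Call("A", "A", 200, [{"id": 1, "app_id": "A"}], "A"),  # own data
    Call("B", "B", 200, [{"id": 7, "app_id": "B"}], "B"),  # own data
    Call("A", "B", 403, [], "A"),                          # correctly refused
    Call("B", "A", 200, [{"id": 1, "app_id": "A"}], "B"),  # direct leak
    Call("A", "A", 200, [{"id": 2, "app_id": "A"},
                         {"id": 9, "app_id": "B"}], "A"),  # mixed listing
    Call("B", "B", 200, [{"id": 8, "app_id": "B"}], "A"),  # mis-attributed log
]

if __name__ == "__main__":
    for reason, call in isolation_findings(SAMPLE_CALLS):
        print(f"FAIL {reason}: key={call.key_app} target={call.target_app}")
```

The mixed-listing case is the one a status-code-only check misses: the call succeeds legitimately but the result set includes a record tagged with the other sub-app's app_id.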

Core Admin Testing:

  • Test Core Admin can view all sub-applications
  • Test Core Admin can create/edit/delete sub-applications
  • Test Core Admin can verify user identities (makes names read-only)
  • Test Core Admin cannot be deleted or demoted by IT Admins

Data Consistency:

  • Test user data syncs between main and sub-app databases
  • Test phone verification status syncs bidirectionally
  • Test identity verification flag syncs from main to all sub-apps
  • Verify user name becomes read-only after identity verification

QA-M18-004 12H High Priority

Accessibility & Usability Testing

Accessibility Testing:

  • Test keyboard navigation on all web pages
  • Test screen reader compatibility (NVDA, JAWS, VoiceOver)
  • Verify WCAG 2.1 AA compliance
  • Test color contrast ratios (> 4.5:1)
  • Test alt text on all images
  • Test form labels and ARIA attributes
  • Test mobile accessibility (TalkBack, VoiceOver)

Usability Testing:

  • Conduct user testing with 5-10 real users
  • Observe users completing key tasks (registration, booking, payment)
  • Identify usability issues and pain points
  • Measure task completion time and error rate
  • Collect user feedback and satisfaction ratings

Localization Testing:

  • Test Arabic language support (RTL layout)
  • Test English language support (LTR layout)
  • Verify all UI text is translatable (no hardcoded text)
  • Test date, time, number formats (Arabic vs English)
  • Test currency display (JOD)

QA-M18-005 14H CRITICAL - Go-Live

Production Readiness & Go-Live Testing

Pre-Launch Checklist:

  • Verify all servers are operational
  • Verify SSL certificates are installed
  • Verify database migrations completed
  • Verify environment variables are set correctly
  • Verify CDN is configured and working
  • Verify monitoring and alerting are active
  • Verify backups are configured
  • Verify all features tested and approved
  • Verify security testing completed
  • Verify performance testing completed

Smoke Testing in Production:

  • Test user registration (real phone number, real OTP)
  • Test login
  • Test booking a service
  • Test payment processing (small test transaction)
  • Test admin login and basic operations
  • Verify all integrations working (SMS, email, payment gateway)

Monitoring Validation:

  • Verify monitoring dashboards display data
  • Verify alerts are triggering correctly
  • Verify logs are being collected
  • Verify error tracking is working (Sentry)

Rollback Testing & Go-Live Approval:

  • Test rollback procedure
  • Obtain sign-off from stakeholders
  • Prepare incident response plan
  • Monitor for 48 hours after launch

QA-M18-006-SECURITY 20H CRITICAL - Final Security

Phase 3 & Final Security Audit

Comprehensive Security Audit:

  • Review all security tests from Phase 1 and Phase 2
  • Retest all previously identified vulnerabilities (verify fixes)
  • Conduct final penetration testing on production environment
  • Test disaster recovery procedures
  • Test backup restoration (including data integrity)
  • Test incident response procedures

HR Module Security:

  • Test unauthorized access to employee data
  • Test payroll data protection
  • Test salary information encryption
  • Test HR reports access control

Reports Security:

  • Test report access based on user role
  • Test data filtering by sub-application
  • Test unauthorized report generation
  • Test sensitive data exposure in reports

Settings Security:

  • Test settings modification authorization
  • Test role and permission management security
  • Test multi-tenant admin console isolation
  • Test Core Admin privilege separation

Compliance Validation:

  • Verify GDPR compliance (data protection, right to be forgotten)
  • Verify PCI DSS compliance (if handling card payments)
  • Verify data retention policies
  • Verify audit trail completeness

Final Vulnerability Scan:

  • Run automated vulnerability scan (OWASP ZAP, Nessus)
  • Scan for outdated dependencies
  • Check SSL/TLS configuration
  • Verify security headers

Deliverables:

  • Final security audit report
  • Compliance certification (if applicable)
  • Security recommendations for ongoing monitoring
  • Incident response plan