# Testing / QA Checklist

A quick manual pass to confirm a healthy deployment. Log in as `admin@reevadrive.in`.

## Smoke test
- [ ] `/login` renders, wrong password is rejected, correct password logs in.
- [ ] Dashboard loads with KPIs + revenue/status charts (no console errors).
- [ ] Sidebar shows all 21 module groups (Super Admin sees everything).
- [ ] Log out returns to `/login`.

## Masters (create → edit → list)
- [ ] Customer: create, appears as a card, edit persists **all** fields (phone, GSTIN, address, credit).
- [ ] Vendor / Vehicle / Driver / Warehouse / Company / Branch / Employee: same round-trip.
- [ ] Freight Rate: create a Pune→Mumbai per-kg rate.
- [ ] Delete a throwaway record (confirm dialog fires, row disappears).

## Operations
- [ ] Booking: create, then **Pickup** button flips status to *picked up*.
- [ ] Consignment: create → LR number auto-generates → **Label** opens print sheet with a **barcode + QR**.
- [ ] Scan a package code on `/scan`; it shows in Recent Scans.
- [ ] Tracking: search an LR → timeline renders; public `/track?lr=...` works logged-out.
- [ ] POD: open a pending delivery, capture receiver + date → moves to Delivered.
- [ ] Trip: create, then change status inline from the list.

## Billing & Accounting
- [ ] Invoice: add line items → live totals update → toggle **inter-state** switches CGST/SGST ↔ IGST.
- [ ] Save invoice → **Print** shows GST breakup, round-off, amount-in-words.
- [ ] Record a payment on the print page → status flips to *paid/partial*.
- [ ] Credit/Debit Note: create one from `/notes`.
- [ ] Journal: post a **balanced** voucher (Dr = Cr shows green); unbalanced is rejected.
- [ ] Ledger / Cash Book / Bank Book / GST / P&L pages render for a date range.

## Reports & Settings
- [ ] Reports: open each report, change dates, **Export CSV** downloads a file.
- [ ] Settings: save prefixes/GST; create an **API token** (shown once).
- [ ] Audit Logs list recent actions.

## Security
- [ ] Submitting a POST without the CSRF field returns **419**.
- [ ] Visiting a module you lack permission for (test with a non-admin role) returns **403**.
- [ ] Uploaded files land in `storage/`, are **not** directly executable.
- [ ] `<script>` typed into a text field renders as text, not executed (XSS-escaped).

## RBAC roles (optional)
Create users for Manager / Operator / Accountant / Driver and confirm each sees only its permitted modules.
