The backlog file docs/backlog/qa-plan-unit-test-candidates.md was moved
into Gitea issue #139 and removed, so repoint the only reference to it.
Docs-only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The standalone gap-audit doc was a working artifact (never part of this
PR branch) and has been removed; all its cases now live in Section V, so
the "full rationale in docs/qa-plan-gaps-pr136.md" pointer is dropped to
avoid referencing a deleted file.
Docs-only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The first pass dropped 8 gap-audit findings "to keep it tight" — but those
ARE forgotten cases, so they belong in the plan. Add them with full context
(scenario → expected, file:line, defect caught):
- TC-DICT-12 encodeWavPcm16 WAV header/clipping (unit)
- TC-EMBED-05 getEmbedUrlAndProvider 11-provider URL parsing (unit+manual)
- TC-LINK-03 sanitizeUrl/isInternalFileUrl XSS gate (unit+manual, security)
- TC-SPACE-12 space slug @IsAlphanumeric rejects hyphen/underscore/unicode [BUG?]
- TC-ATT-DEDUP-01 diagram attachmentId overwrite authorization
- TC-STOR-DIV-01 local vs S3 missing-file behavior divergence
- TC-LIMIT-QUOTA-01 no per-workspace storage quota (verify-only)
- TC-CMT-09 realtime commentCreated appends only to last loaded page
Docs-only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Append Section V — ~75 additional manual/integration cases surfaced by a
code-grounded gap audit (8 read-only zone audits) of this plan, and correct
two now-stale cases:
- TC-TRASH-01: no confirm dialog / "30-day note" anymore — delete is
immediate with an 8s Undo toast (page-query.ts:132-144).
- TC-SPACE-03: server slugExists does not exclude self (bug to verify),
see new TC-SPACE-11.
New cases cover the fork's recently shipped, uncovered behavior (AI-chat
message queue / stopped-notice / partial-answer persistence, streaming
dictation via Silero VAD, trash undo-toast, MCP write-only headers) and
code-grounded server branches (notification CASL count leak, 3s
restriction-cache realtime leak, MovePageDto bound vs fractional-index
keys, to_tsquery 500, import zip-bomb / HTML-XSS, attachment download
authZ). Cases tagged [BUG?] double as candidate defects. Full rationale in
docs/qa-plan-gaps-pr136.md.
Docs-only.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Add docs/manual-qa-test-plan.md — the structured manual test plan used for the
full-product QA pass against develop: ~190 cases across auth, spaces, pages/tree,
editor & blocks, media/embeds, comments, search, notifications, AI chat &
dictation, public sharing, permission matrix, cross-feature interactions, and a
cross-cutting UI/consistency sweep. Intended as a reusable manual-QA checklist.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
