This document details every feature area that needs to be tested for the QuickTrust GRC platform, covering backend API endpoints, frontend UI, AI agents, integrations, and cross-cutting concerns.
- User can log in via Keycloak OIDC/PKCE flow
- Callback handler correctly exchanges code for tokens
- JWT token includes correct claims (sub, email, roles)
- Token auto-refresh every 60 seconds works
- Expired/invalid tokens return 401
- Logout clears session and redirects to login
- `super_admin` can access all endpoints across all orgs
- `admin` can access all endpoints within their org
- `compliance_manager` can manage frameworks, controls, policies, risks, audits
- `control_owner` can only manage assigned controls and their evidence
- `employee` can only view training assignments and complete them
- `executive` has read-only access to dashboards and reports
- `auditor_internal` can view all compliance data within org
- `auditor_external` can only access auditor portal with valid token
- Unauthenticated requests return 401
- Unauthorized role access returns 403
- `RoleChecker` dependency correctly enforces role requirements
- User from Org A cannot access Org B's data via API
- `verify_org_access()` blocks cross-org URL manipulation
- All query results are scoped to `org_id`
- Bulk operations (e.g., bulk approve controls) respect org boundaries
- Tenant provisioning creates org + admin user correctly
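The RBAC and multi-tenancy cases above describe what `RoleChecker` and `verify_org_access()` must do without showing how. The following is an added example, not QuickTrust's own code: a plain-Python re-implementation of those two checks plus an org-scoped list and a bulk operation, written without FastAPI so it runs stand-alone. The single `role` attribute per user, the `HTTPError` stand-in for `HTTPException`, the 403 (rather than 404) for cross-org URLs and the `implemented` target status of bulk approve are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Optional

# Role names as listed in the RBAC section above.
ROLES = frozenset({
    "super_admin", "admin", "compliance_manager", "control_owner",
    "employee", "executive", "auditor_internal", "auditor_external",
})


class HTTPError(Exception):
    """Stand-in for FastAPI's HTTPException so the block runs without FastAPI."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(f"{status_code}: {detail}")
        self.status_code = status_code
        self.detail = detail


@dataclass
class User:
    id: str
    org_id: str
    role: str  # assumption: one role per user; the JWT's `roles` claim may carry several


@dataclass
class Control:
    id: str
    org_id: str
    status: str = "draft"


class RoleChecker:
    """Dependency-style callable: 401 with no authenticated user, 403 if the
    role is not in the allowed set. super_admin passes every role check."""

    def __init__(self, allowed: Iterable[str]) -> None:
        allowed = frozenset(allowed)
        unknown = allowed - ROLES
        if unknown:
            raise ValueError(f"unknown roles: {sorted(unknown)}")
        self.allowed = allowed

    def __call__(self, user: Optional[User]) -> User:
        if user is None:
            raise HTTPError(401, "Not authenticated")
        if user.role != "super_admin" and user.role not in self.allowed:
            raise HTTPError(403, "Insufficient role")
        return user


def verify_org_access(user: User, org_id: str) -> str:
    """Block cross-org URL manipulation: the org_id in the path must be the
    caller's own org unless the caller is super_admin. Returns the org_id that
    every subsequent query is scoped to."""
    if user.role != "super_admin" and user.org_id != org_id:
        # 404 would also be defensible (it avoids confirming the org exists);
        # the plan does not pin the status for this case, so 403 is used here.
        raise HTTPError(403, "Cross-organization access denied")
    return org_id


def list_controls(user: User, org_id: str, db: List[Control]) -> List[Control]:
    """Results are filtered by the *verified* org_id, never by the raw URL value."""
    scope = verify_org_access(user, org_id)
    return [c for c in db if c.org_id == scope]


def bulk_approve(user: User, org_id: str, control_ids: List[str],
                 db: List[Control], new_status: str = "implemented") -> int:
    """Bulk operation that respects role and org boundaries and is all-or-nothing:
    an ID outside the org (or unknown) aborts the batch before anything changes.
    The `new_status` default is an assumption."""
    RoleChecker({"admin", "compliance_manager"})(user)
    scope = verify_org_access(user, org_id)
    wanted = set(control_ids)
    targets = [c for c in db if c.id in wanted and c.org_id == scope]
    if len(targets) != len(wanted):
        raise HTTPError(404, "One or more controls not found in this organization")
    for c in targets:  # in the real service this loop sits inside one DB transaction
        c.status = new_status
    return len(targets)
```

The important detail for the tenant-isolation tests is that `list_controls` and `bulk_approve` never filter on a caller-supplied org value directly; they filter on what `verify_org_access()` returned, so a forged `org_id` in the URL cannot widen the query.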
- `POST /api/v1/organizations` creates an organization with slug
- `GET /api/v1/organizations/{org_id}` returns org details
- `PATCH /api/v1/organizations/{org_id}` updates org settings
- Slug uniqueness is enforced
- JSON fields (cloud_providers, tech_stack, settings) serialize/deserialize correctly
- `POST /api/v1/organizations/{org_id}/users` creates a user linked to Keycloak
- `GET /api/v1/organizations/{org_id}/users` lists users for org
- `GET /api/v1/organizations/{org_id}/users/{id}` returns user details
- `PATCH /api/v1/organizations/{org_id}/users/{id}` updates user role/department
- `DELETE /api/v1/organizations/{org_id}/users/{id}` deactivates user
- Email uniqueness is enforced
- Keycloak ID uniqueness is enforced
- List all active frameworks
- Get framework details with nested domains and requirements
- Create custom framework with name, version, category
- Update framework details
- Deactivate framework (soft delete via `is_active`)
- CRUD for domains within a framework
- Sort order is maintained
- Domain codes are unique within framework
- CRUD for requirements within a domain
- Requirements load with their parent domain
- Sort order is maintained
- `POST` creates a control with title, description, owner
- `GET` list supports filtering by status, owner, framework
- `GET` detail includes framework mappings and evidence
- `PATCH` updates control status, effectiveness, implementation details
- `DELETE` removes control and cascades to mappings
- Status transitions: `draft` -> `not_implemented` -> `in_progress` -> `implemented`
- Effectiveness can be set once status is `implemented`: `effective`, `partially_effective`, `not_effective`
- Automation level tracks as: `manual`, `semi_automated`, `automated`
- `/stats` endpoint returns correct counts by status
- Compliance percentage calculation is accurate
- Stats respect org_id scope
- Bulk approve controls changes status correctly
- Bulk operations are transactional (all-or-nothing)
- Controls can be mapped to framework requirements
- A control can map to multiple requirements
- Mappings are returned in control detail response
- Create evidence linked to a control
- List evidence filtered by control, status
- Update evidence status: `pending` -> `collected` -> `stale`
- Evidence `data` field stores JSON correctly
- Upload file via multipart form data
- SHA-256 hash is computed and stored
- File stored in MinIO and URL returned
- File download via `file_url` works
- Evidence older than threshold is flagged as `stale`
- Monitoring rule correctly identifies stale evidence
- Alerts fire for stale evidence
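The file-upload and staleness cases above are where evidence integrity is won or lost: the SHA-256 recorded at upload is only useful if it is re-checked on download, and staleness must key off the collection time, not the row's `updated_at`. The block below is an added example, not QuickTrust's code: a dict stands in for the MinIO bucket, the `s3://bucket/key` URL shape and the 90-day threshold are assumptions, and the staleness check is the `evidence_staleness` rule written as a function over evidence rows.

```python
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

STALE_AFTER = timedelta(days=90)  # assumption: the plan names a threshold but not its value


class IntegrityError(Exception):
    pass


@dataclass
class Evidence:
    id: str
    control_id: str
    status: str = "pending"          # pending -> collected -> stale
    sha256: Optional[str] = None
    file_url: Optional[str] = None
    collected_at: Optional[datetime] = None
    data: dict = field(default_factory=dict)


def store_upload(ev: Evidence, chunks: Iterable[bytes], store: Dict[str, bytes],
                 bucket: str = "evidence", now: Optional[datetime] = None) -> Evidence:
    """Hash the multipart body chunk by chunk while buffering it, write it to the
    object store (a dict stands in for MinIO) and record the digest on the row.
    The object key embeds the digest, so the URL pins the exact bytes reviewed."""
    now = now or datetime.now(timezone.utc)
    h = hashlib.sha256()
    parts: List[bytes] = []
    for chunk in chunks:
        h.update(chunk)
        parts.append(chunk)
    digest = h.hexdigest()
    key = f"{ev.control_id}/{ev.id}/{digest}"
    store[key] = b"".join(parts)
    ev.sha256 = digest
    ev.file_url = f"s3://{bucket}/{key}"   # URL shape is an assumption
    ev.status = "collected"
    ev.collected_at = now
    return ev


def object_key(ev: Evidence) -> str:
    """Strip the 's3://bucket/' prefix to recover the object key."""
    return ev.file_url.split("/", 3)[3]


def fetch_verified(ev: Evidence, store: Dict[str, bytes]) -> bytes:
    """Download and re-hash. A mismatch means the object changed after
    collection and must not be served to an auditor as evidence."""
    body = store[object_key(ev)]
    if hashlib.sha256(body).hexdigest() != ev.sha256:
        raise IntegrityError(f"evidence {ev.id}: stored hash does not match object")
    return body


def flag_stale(evidence: Iterable[Evidence], now: datetime,
               threshold: timedelta = STALE_AFTER) -> List[str]:
    """evidence_staleness check: collected evidence older than the threshold
    moves to `stale`; pending evidence has no collection date and is left
    alone. Returns the IDs flagged so one alert can be raised per item."""
    flagged: List[str] = []
    for ev in evidence:
        if (ev.status == "collected" and ev.collected_at is not None
                and now - ev.collected_at > threshold):
            ev.status = "stale"
            flagged.append(ev.id)
    return flagged
```

A test for the download path should corrupt the stored object after upload and expect `IntegrityError`; a test that only round-trips unchanged bytes does not prove the hash is ever checked.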
- Trigger collection via integration endpoint
- Collection job status updates: `pending` -> `running` -> `completed`/`failed`
- Result data is stored in collection job
- Evidence record is created from collection result
- Failed collections store error message
- Create policy with title, content, owner
- List policies with status filter
- Get policy detail with linked frameworks and controls
- Update policy content, version
- `draft` -> `pending_review`: Submit for approval
- `pending_review` -> `approved`: Admin approves, records `approved_by_id` and `approved_at`
- `pending_review` -> `draft`: Rejection returns to draft
- `approved` -> `published`: Publish sets `published_at`
- `published` -> `archived`: Archive end-of-life policies
- Only authorized roles can approve policies
- `next_review_date` is set on publish
- Monitoring rule fires when review date approaches/passes
- Notification sent for upcoming review
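The approval workflow and review cycle above are one state machine, and the bugs that matter (skipping `pending_review`, a non-approver setting `approved_by_id`, `next_review_date` not being stamped) are all edge or side-effect violations. The block below is an added example, not QuickTrust's code: the transition set and recorded fields are the ones listed above; the approver roles (`admin`, `compliance_manager`), the one-year review interval and the 30-day warning window are assumptions, since the plan says only "authorized roles" and "approaches".

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Legal edges of the policy lifecycle listed above.
TRANSITIONS = frozenset({
    ("draft", "pending_review"),
    ("pending_review", "approved"),
    ("pending_review", "draft"),      # rejection
    ("approved", "published"),
    ("published", "archived"),
})
APPROVER_ROLES = frozenset({"admin", "compliance_manager"})  # assumption
REVIEW_INTERVAL = timedelta(days=365)                        # assumption: annual review
REVIEW_WARNING = timedelta(days=30)                          # assumption: warn 30 days ahead


class WorkflowError(Exception):
    pass


@dataclass
class Policy:
    id: str
    status: str = "draft"
    approved_by_id: Optional[str] = None
    approved_at: Optional[datetime] = None
    published_at: Optional[datetime] = None
    next_review_date: Optional[datetime] = None


def transition(policy: Policy, new_status: str, actor_id: str, actor_role: str,
               now: Optional[datetime] = None) -> Policy:
    """Apply one lifecycle step, enforcing the edge set and the approver role,
    and stamp the fields the plan says each step records."""
    now = now or datetime.now(timezone.utc)
    if (policy.status, new_status) not in TRANSITIONS:
        raise WorkflowError(f"{policy.id}: illegal transition {policy.status} -> {new_status}")
    if new_status == "approved":
        if actor_role not in APPROVER_ROLES:
            raise PermissionError(f"role {actor_role!r} may not approve policies")
        policy.approved_by_id = actor_id
        policy.approved_at = now
    elif new_status == "published":
        policy.published_at = now
        policy.next_review_date = now + REVIEW_INTERVAL
    policy.status = new_status
    return policy


def review_state(policy: Policy, now: datetime, warning: timedelta = REVIEW_WARNING) -> str:
    """policy_expiry monitoring check: 'ok', 'approaching' (inside the warning
    window) or 'overdue' (review date passed). Unpublished policies are 'ok'."""
    if policy.next_review_date is None:
        return "ok"
    if now >= policy.next_review_date:
        return "overdue"
    if now >= policy.next_review_date - warning:
        return "approaching"
    return "ok"
```

The role check sits inside the transition rather than at the API layer only, so a bulk or agent-driven path that reaches the model directly cannot approve a policy either. Segregation of duties (the submitter not approving their own policy) is not in the plan and is not enforced here.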
- Create risk with title, category, likelihood, impact
- Risk score is auto-calculated as `likelihood * impact`
- Risk level is derived: low (1-4), medium (5-9), high (10-15), critical (16-25)
- Update risk details, scoring, treatment plan
- `/matrix` endpoint returns 5x5 risk distribution
- Risks are correctly plotted by likelihood and impact
- Filtering by category works
- Treatment types: `mitigate`, `transfer`, `accept`, `avoid`
- Treatment status: `not_started` -> `in_progress` -> `completed`
- Treatment due date tracking
- Residual likelihood/impact/score can be set post-treatment
- Residual values are independent of inherent values
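Scoring, banding, the 5x5 matrix and the residual-vs-inherent rule above are small enough to test exhaustively at the boundaries (4/5, 9/10, 15/16), which is where off-by-one bugs in band logic hide. The block below is an added example, not QuickTrust's code; it uses the formula and band edges stated above, and the `[impact-1][likelihood-1]` grid orientation is an assumption.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

SCALE = range(1, 6)  # likelihood and impact are 1..5 on the 5x5 matrix


def risk_score(likelihood: int, impact: int) -> int:
    if likelihood not in SCALE or impact not in SCALE:
        raise ValueError("likelihood and impact must be integers 1..5")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Band edges as stated in the plan: low 1-4, medium 5-9, high 10-15, critical 16-25."""
    if not 1 <= score <= 25:
        raise ValueError(f"score {score} outside 1..25")
    if score <= 4:
        return "low"
    if score <= 9:
        return "medium"
    if score <= 15:
        return "high"
    return "critical"


@dataclass
class Risk:
    id: str
    likelihood: int
    impact: int
    residual_likelihood: Optional[int] = None
    residual_impact: Optional[int] = None

    @property
    def score(self) -> int:          # inherent score, auto-calculated
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)

    @property
    def residual_score(self) -> Optional[int]:
        """Set only after treatment; never derived from the inherent values."""
        if self.residual_likelihood is None or self.residual_impact is None:
            return None
        return risk_score(self.residual_likelihood, self.residual_impact)

    def set_residual(self, likelihood: int, impact: int) -> None:
        risk_score(likelihood, impact)  # validate before storing
        self.residual_likelihood, self.residual_impact = likelihood, impact


def risk_matrix(risks: Iterable[Risk], residual: bool = False) -> List[List[int]]:
    """5x5 count grid for the /matrix endpoint, indexed [impact-1][likelihood-1].
    With residual=True, treated risks are plotted at their residual position and
    risks without residual values are skipped."""
    grid = [[0] * 5 for _ in range(5)]
    for r in risks:
        if residual:
            if r.residual_score is None:
                continue
            lk, im = r.residual_likelihood, r.residual_impact
        else:
            lk, im = r.likelihood, r.impact
        grid[im - 1][lk - 1] += 1
    return grid


def level_distribution(risks: Iterable[Risk]) -> Dict[str, int]:
    """Counts per level for the dashboard's risk overview widget."""
    counts = {"low": 0, "medium": 0, "high": 0, "critical": 0}
    for r in risks:
        counts[r.level] += 1
    return counts
```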
- Map risks to controls
- Multiple controls can mitigate one risk
- Risk detail includes linked controls
- Create incident with title, severity (P1-P4), category
- List incidents with status/severity filtering
- Update incident status, assigned_to, severity
- Incident detail includes timeline events
- `open` -> `investigating` -> `resolved` -> `closed`
- `resolved_at` timestamp set on resolution
- Post-mortem notes added before closing
- Add timeline events: `status_change`, `note`, `assignment`
- Events include actor, timestamp, description
- Timeline displayed in chronological order
- Incidents can link to related control IDs
- Cross-reference visible in both incident and control views
- Create audit with title, type (internal/external), framework, dates
- List audits with status filter
- Update audit details, status, readiness score
- `planning` -> `fieldwork` -> `review` -> `completed` -> `closed`
- Create finding linked to audit
- Finding severity levels work correctly
- Finding status: `open` -> `remediation_in_progress` -> `closed`
- Remediation plan and due date tracking
- Calculation: Controls (40%) + Evidence (30%) + Policies (20%) + Risks (10%)
- Score updates reflect current data state
- Generate time-limited access token for an audit
- Token grants read-only access to audit's controls, evidence, policies
- Token validated via `X-Auditor-Token` header
- Expired tokens return 401
- External auditor cannot modify any data
- Portal UI displays correct data scope
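The auditor portal cases above (time-limited token, `X-Auditor-Token` header, 401 on expiry, no modification) are the classic shape of a bearer credential handed to a third party, and the failure modes worth testing are forgery (extending `exp`), replay after expiry and scope widening to another org or to write methods. The block below is an added example, not QuickTrust's implementation (its token format is not described): an HMAC-SHA256 signed payload with a constant-time signature check. The secret, the 72-hour default TTL, the `s3`-style `base64url(payload).base64url(sig)` layout and the exact-case header lookup are assumptions.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Mapping, Optional

SECRET = b"test-only-secret-replace-me"  # assumption: production loads this from a secret store
DEFAULT_TTL = 72 * 3600                  # assumption: 72h engagement window
READ_METHODS = frozenset({"GET", "HEAD", "OPTIONS"})


class AuthError(Exception):
    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(f"{status_code}: {detail}")
        self.status_code = status_code


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_payload(payload_b64: str) -> bytes:
    return hmac.new(SECRET, payload_b64.encode(), hashlib.sha256).digest()


def issue_auditor_token(audit_id: str, org_id: str, ttl_seconds: int = DEFAULT_TTL,
                        now: Optional[float] = None) -> str:
    """Token = base64url(JSON claims) '.' base64url(HMAC-SHA256 over the encoded claims)."""
    now = time.time() if now is None else now
    claims = {"audit_id": audit_id, "org_id": org_id, "exp": int(now + ttl_seconds)}
    payload = b64url_encode(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return f"{payload}.{b64url_encode(sign_payload(payload))}"


def validate_auditor_token(token: str, now: Optional[float] = None) -> Dict[str, Any]:
    """Signature is verified before the payload is parsed, with a constant-time
    compare; malformed, forged and expired tokens all map to 401."""
    now = time.time() if now is None else now
    try:
        payload, sig = token.split(".")
        if not hmac.compare_digest(b64url_decode(sig), sign_payload(payload)):
            raise AuthError(401, "Invalid auditor token")
        claims = json.loads(b64url_decode(payload))
    except (ValueError, UnicodeDecodeError) as exc:   # bad split, bad base64, bad JSON
        raise AuthError(401, "Malformed auditor token") from exc
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        raise AuthError(401, "Auditor token expired")
    return claims


def authorize_auditor_request(headers: Mapping[str, str], method: str, org_id: str,
                              now: Optional[float] = None) -> Dict[str, Any]:
    """Portal gate: token from X-Auditor-Token, read-only methods only, and the
    token's org must match the org in the request path (no scope widening)."""
    token = headers.get("X-Auditor-Token")
    if not token:
        raise AuthError(401, "Missing X-Auditor-Token")
    claims = validate_auditor_token(token, now)
    if method.upper() not in READ_METHODS:
        raise AuthError(403, "External auditors have read-only access")
    if claims.get("org_id") != org_id:
        raise AuthError(403, "Token not valid for this organization")
    return claims
```

Two things to carry into the real tests: the forgery case must alter the payload (for example bump `exp`) while keeping the original signature, because that is what an auditor who wants to keep access after the engagement would try; and the write check should be on the HTTP method, not on the presence of a body, so `DELETE` without a body is still refused.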
- Create vendor with name, category, risk_tier, contact info
- List vendors with status/risk_tier filter
- Update vendor details and contract dates
- Vendor status: `active`, `under_review`, `terminated`
- Create assessment for a vendor with score and questionnaire data
- Assessment updates vendor's `assessment_score` and `risk_tier`
- Assessment history maintained per vendor
- Contract start/end dates tracked
- `next_assessment_date` triggers reminder notifications
- CRUD for training courses
- Course types: `video`, `document`, `quiz`
- `required_roles` field correctly scopes assignments
- `is_required` flag marks mandatory courses
- Assign course to user with due date
- Assignment status: `assigned` -> `in_progress` -> `completed`/`overdue`
- Completion records score and `completed_at`
- Overdue detection based on `due_date`
- Attempts counter increments
- Completion rate per course
- Overdue assignments per user
- Training completion report generation
- Create access review campaign with title, reviewer, due_date
- Campaign status: `draft` -> `active` -> `completed`/`cancelled`
- List campaigns with status filter
- Add entries: user_name, system, resource, current_access
- Entry decisions: `approved`, `revoked`, `modified`
- Decision records `decided_by_id` and `decided_at`
- Undecided entries are flagged
- Campaign auto-completes when all entries have decisions
- `completed_at` timestamp set
- CRUD for monitoring rules
- Check types: `evidence_staleness`, `control_status`, `policy_expiry`, `manual`
- Schedule options: `hourly`, `daily`, `weekly`
- Rule activation/deactivation via `is_active`
- Rules execute on schedule via APScheduler
- `evidence_staleness` checks evidence age against threshold
- `control_status` detects controls stuck in draft/not_implemented
- `policy_expiry` detects policies past review date
- `last_checked_at` and `last_result` update after execution
- Alerts created when rule check fails
- Alert severity: `critical`, `high`, `medium`, `low`
- Alert status: `open` -> `acknowledged` -> `resolved`
- Acknowledge records user and timestamp
- Resolved alerts record `resolved_at`
- CRUD for integrations (AWS, GitHub, Okta, Prowler)
- Integration status: `connected`, `disconnected`, `error`
- Config JSON stores provider-specific settings
- Credentials stored securely (reference only in DB)
- `aws_iam_mfa`: Returns IAM MFA enrollment report
- `aws_cloudtrail`: Returns CloudTrail status
- `aws_encryption_check`: Returns encryption at rest status
- Mock fallback works when credentials unavailable
- `github_branch_protection`: Returns branch protection status
- `github_dependabot`: Returns Dependabot alert summary
- Mock fallback works when token unavailable
- `okta_mfa_enrollment`: Returns MFA enrollment report
- Mock fallback works when API key unavailable
- `prowler_full_scan`: Full AWS security scan
- `prowler_service_scan`: Service-specific scan
- `prowler_compliance_scan`: Compliance framework scan
- Results include findings with severity and status
- Mock fallback for testing
- Job status transitions: `pending` -> `running` -> `completed`/`failed`
- `result_data` stored on completion
- `error_message` stored on failure
- Evidence record created from successful collection
- Loads framework requirements for selected frameworks
- Matches requirements to control templates
- LLM customizes control descriptions (or fallback to template substitution)
- Deduplication removes similar controls
- Owner suggestion assigns controls to users
- Created controls stored in DB with `agent_run_id`
- Agent run status tracked: `pending` -> `running` -> `completed`/`failed`
- Identifies required policies from framework domains
- Matches to policy templates
- LLM generates policy content with org context
- Created policies stored in DB
- Loads controls for org
- Matches to evidence templates
- Generates placeholder evidence data (deterministic)
- Created evidence stored in DB
- Evaluates org risks using LLM with company context
- Suggests risk scores and treatment plans
- Output stored in agent run
- Processes vendor questionnaire data
- Assigns risk tier based on assessment
- Output stored in agent run
- Suggests remediation for failed controls
- Maps to evidence collection activities
- Prepares evidence packages for auditor review
- Generates readiness reports
- Coordinates security testing workflows
- Integrates with external tools
- `input_data` and `output_data` recorded
- `tokens_used` tracked
- `error_message` captured on failure
- Duration tracked via `started_at`/`completed_at`
- Create questionnaire with title, source, questions JSON
- List questionnaires with status filter
- Status: `draft` -> `in_progress` -> `completed` -> `submitted`
- `total_questions` and `answered_count` maintained
- Pass 1: Keyword matching finds relevant controls/policies
- Pass 2: LLM refinement generates accurate answers
- Confidence scores returned per answer
- Source type tracked: `control`, `policy`, `manual`
- Source ID links to the originating entity
- Responses flagged for review
- Approval sets `is_approved` and `approved_by_id`
- Only authorized users can approve responses
- Create/update trust center config: slug, headline, description, branding
- Slug uniqueness enforced
- `is_published` toggle controls visibility
- CRUD for trust center documents
- Document types: `policy`, `certification`, `soc2`, `pentest`, `report`
- `is_public` controls visibility without NDA
- `requires_nda` flag for restricted documents
- Sort order maintained
- `GET /api/v1/trust/{slug}` returns published trust center
- No authentication required for public endpoint
- Only published config is accessible
- Only public documents returned (NDA documents excluded from response)
- `compliance_summary`: Control + risk + policy + evidence stats
- `risk_report`: Risk register data
- `evidence_audit`: Evidence collection status
- `training_completion`: Course completion rates
- PDF generation via ReportLab
- CSV export with correct headers and data
- JSON format for programmatic access
- Status: `pending` -> `generating` -> `completed`/`failed`
- File stored in MinIO on completion
- `file_url` returned for download
- Error message captured on failure
- Notifications created for relevant events
- List notifications for current user
- Mark individual notification as read
- Mark all notifications as read
- Unread count returned correctly
- `policy_expiry`: Triggered when policy review is due
- `evidence_stale`: Triggered when evidence ages out
- `incident`: Triggered on incident assignment
- `monitoring_alert`: Triggered by monitor rule failure
- `access_review`: Triggered for pending review decisions
- `training`: Triggered for overdue training
- SMTP integration sends emails correctly
- Email template formatting correct
- Fallback when SMTP not configured
- Webhook integration sends Slack messages
- Correct formatting for Slack blocks
- Category filtering per webhook config
- User can configure per-category/per-channel preferences
- Disabled categories don't generate notifications
- All CRUD operations logged with actor, action, entity type/id
- Changes stored as JSON diff (old/new values)
- IP address captured from request
- Timestamps accurate
- Append-only: no updates or deletes to audit_logs table
- Filter by org_id, actor, action, entity_type, date range
- Pagination works correctly
- Results ordered by timestamp descending
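The audit-logging cases above (JSON diff of old/new, append-only, filtered and paginated queries) are straightforward to get subtly wrong: diffs that dump whole records leak secrets into the log, and "append-only" enforced only by convention is not enforced at all. The block below is an added example, not QuickTrust's code: it computes a per-field diff with redaction of secret-bearing fields, and exposes only `record` and `query` on the log. The redacted field names and the 50-row default page size are assumptions; the database-side equivalent of append-only (granting the application role `INSERT` and `SELECT` but not `UPDATE`/`DELETE` on `audit_logs`) is noted in a comment rather than shown.

```python
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional, Tuple

REDACTED_FIELDS = frozenset({"password", "api_key", "secret", "token"})  # assumption


def json_diff(old: Optional[Dict[str, Any]],
              new: Optional[Dict[str, Any]]) -> Dict[str, Dict[str, Any]]:
    """Per-field {old, new} for every key whose value changed. Create and
    delete are diffs against None. Secret-bearing fields are recorded as
    changed but their values are redacted, so the log never stores credentials."""
    old = old or {}
    new = new or {}
    diff: Dict[str, Dict[str, Any]] = {}
    for key in sorted(set(old) | set(new)):
        before, after = old.get(key), new.get(key)
        if before == after:
            continue
        if key in REDACTED_FIELDS:
            before = "[redacted]" if before is not None else None
            after = "[redacted]" if after is not None else None
        diff[key] = {"old": before, "new": after}
    return diff


@dataclass(frozen=True)
class AuditEntry:
    org_id: str
    actor_id: str
    action: str          # create / update / delete
    entity_type: str
    entity_id: str
    changes: str         # JSON diff, serialised
    ip_address: str
    timestamp: datetime


class AuditLog:
    """Append-only in-process log. There is deliberately no update or delete
    method. In PostgreSQL the same property comes from granting the application
    role only INSERT and SELECT on audit_logs, not from application discipline."""

    def __init__(self) -> None:
        self._entries: List[AuditEntry] = []

    def record(self, *, org_id: str, actor_id: str, action: str, entity_type: str,
               entity_id: str, old: Optional[Dict[str, Any]], new: Optional[Dict[str, Any]],
               ip_address: str, now: Optional[datetime] = None) -> AuditEntry:
        entry = AuditEntry(org_id, actor_id, action, entity_type, entity_id,
                           json.dumps(json_diff(old, new), sort_keys=True),
                           ip_address, now or datetime.now(timezone.utc))
        self._entries.append(entry)
        return entry

    def query(self, *, org_id: Optional[str] = None, actor_id: Optional[str] = None,
              action: Optional[str] = None, entity_type: Optional[str] = None,
              since: Optional[datetime] = None, until: Optional[datetime] = None,
              page: int = 1, page_size: int = 50) -> Tuple[List[AuditEntry], int]:
        """Filtered, newest-first, paginated. An out-of-range page returns an
        empty list together with the true total, not an error."""
        rows = [e for e in self._entries
                if (org_id is None or e.org_id == org_id)
                and (actor_id is None or e.actor_id == actor_id)
                and (action is None or e.action == action)
                and (entity_type is None or e.entity_type == entity_type)
                and (since is None or e.timestamp >= since)
                and (until is None or e.timestamp <= until)]
        rows.sort(key=lambda e: e.timestamp, reverse=True)
        start = (max(page, 1) - 1) * page_size
        return rows[start:start + page_size], len(rows)
```

When porting this to the real service, the `org_id` filter must be applied from the caller's verified org, as in the tenant-isolation tests, or the audit log itself becomes a cross-tenant read path.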
- Returns coverage percentage for each framework domain
- Shows requirements mapped vs unmapped to controls
- Identifies controls not mapped to any requirement
- Shows overlap between frameworks
- Highlights shared controls across frameworks
- Identifies unique requirements per framework
- Trigger full AWS security scan
- Trigger service-specific scan
- Trigger compliance framework scan (CIS, SOC 2, PCI, HIPAA)
- Scan results stored with severity and resource details
- Aggregate pass/fail rate by compliance framework
- Service-level breakdown of findings
- Severity distribution (critical, high, medium, low)
- Scan results auto-linked to relevant controls
- Evidence records created from scan findings
- Embeddings generated for controls, policies, evidence descriptions
- Model: all-MiniLM-L6-v2 (384-dimensional vectors)
- Vectors stored correctly (JSON or pgvector)
- Search returns semantically similar entities
- Results ranked by cosine similarity
- Cross-entity search works (find policies related to a control)
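Ranking by cosine similarity and filtering by entity type are the two behaviours the semantic-search cases above actually exercise; the embedding model is interchangeable for testing purposes. The block below is an added example, not QuickTrust's code: a deterministic bag-of-words embedder stands in for all-MiniLM-L6-v2 so the ranking logic can be asserted offline (vector length is the vocabulary size rather than 384), and the sample texts are constructed. Swapping `Embedder` for a sentence-transformers model leaves `cosine` and `SemanticIndex` unchanged.

```python
from __future__ import annotations

import math
import re
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

Key = Tuple[str, str]  # (entity_type, entity_id)


def tokenize(text: str) -> List[str]:
    return re.findall(r"[a-z0-9]+", text.lower())


class Embedder:
    """Deterministic bag-of-words embedder standing in for all-MiniLM-L6-v2.
    Same interface as a real model: text in, fixed-length float vector out."""

    def __init__(self, corpus: Iterable[str]) -> None:
        vocab = sorted({tok for text in corpus for tok in tokenize(text)})
        self.index = {tok: i for i, tok in enumerate(vocab)}

    def embed(self, text: str) -> List[float]:
        vec = [0.0] * len(self.index)
        for tok in tokenize(text):
            if tok in self.index:          # out-of-vocabulary tokens are ignored
                vec[self.index[tok]] += 1.0
        return vec


def cosine(a: Sequence[float], b: Sequence[float]) -> float:
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    return 0.0 if na == 0 or nb == 0 else dot / (na * nb)


class SemanticIndex:
    """In-memory (type, id) -> vector store; pgvector or a JSON column would
    hold the same vectors in the real deployment."""

    def __init__(self, embedder: Embedder) -> None:
        self.embedder = embedder
        self.vectors: Dict[Key, List[float]] = {}

    def add(self, entity_type: str, entity_id: str, text: str) -> None:
        self.vectors[(entity_type, entity_id)] = self.embedder.embed(text)

    def search(self, query: str, top_k: int = 5,
               entity_types: Optional[Iterable[str]] = None) -> List[Tuple[str, str, float]]:
        """Rank stored entities by cosine similarity to the query, highest
        first. Restricting entity_types gives the cross-entity case, e.g.
        finding the policies that relate to a control's description."""
        allowed = set(entity_types) if entity_types else None
        q = self.embedder.embed(query)
        hits = [(t, i, cosine(q, v)) for (t, i), v in self.vectors.items()
                if allowed is None or t in allowed]
        hits.sort(key=lambda h: h[2], reverse=True)
        return hits[:top_k]
```

One check worth adding to the real tests: the index must be built per organization, or the `org_id` scoping that every other query has is lost as soon as a search returns another tenant's policy text.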
- Step 1: Org setup (name, industry, size, cloud providers)
- Step 2: Framework selection (multi-select)
- Step 3: AI agent generation (controls, policies, evidence)
- Step 4: Review and dashboard redirect
- Onboarding session created on start
- `current_step` and `steps_completed` updated correctly
- `metadata` stores selections and generation results
- Status: `pending` -> `in_progress` -> `completed`
- Register auditor profile with certifications, specialties
- Verification workflow for auditor credentials
- Search auditors by specialty, certification, location
- Filter by framework expertise
- Filter by industry experience
- Contact/request flow
- Sidebar renders with correct menu items per role
- Top bar shows user info and notifications
- Responsive design works on mobile/tablet
- Dark/light mode (if applicable)
- Compliance score widget shows correct percentage
- Control status breakdown chart renders
- Recent incidents list populates
- Quick action buttons navigate correctly
- Risk overview widget shows risk level distribution
- TanStack Table renders data correctly
- Pagination controls work
- Sorting by columns works
- Filtering/search works
- Empty state renders when no data
- Create/edit forms validate required fields
- Error messages display correctly
- Form submission triggers API call
- Success/error toast notifications display
- Risk matrix heatmap renders correctly
- Compliance trend line chart renders
- Training completion bar chart renders
- Prowler findings pie chart renders
- Required fields return 422 when missing
- Invalid UUID formats rejected
- String length limits enforced
- Enum values validated (status, severity, role)
- 400: Bad request with descriptive message
- 401: Unauthorized (no/invalid token)
- 403: Forbidden (insufficient role)
- 404: Not found for missing resources
- 422: Validation error with field details
- 500: Internal server error with safe message
- Concurrent updates to same resource don't corrupt data
- `updated_at` optimistic locking works (if implemented)
- Default page size applied
- Custom page size respected
- Total count returned
- Out-of-range page returns empty list (not error)
- All services start successfully: PostgreSQL, Redis, MinIO, Keycloak, FastAPI, Next.js, Traefik
- Services can communicate with each other
- Volume persistence works across restarts
- Health checks pass for all services
- All Alembic migrations run without errors
- Upgrade from scratch creates correct schema
- Downgrade migrations work correctly
- Cache hit returns cached data
- Cache miss queries database and populates cache
- Cache invalidation on data update
- Graceful degradation when Redis unavailable
- File upload to MinIO succeeds
- File download from MinIO succeeds
- File deletion from MinIO succeeds
- Bucket auto-creation on first use
- List endpoints respond under 500ms for 100+ records
- Detail endpoints respond under 200ms
- Report generation completes within 30 seconds
- No N+1 queries in list endpoints
- Indexes exist for frequently filtered columns (org_id, status)
- Large result sets use pagination
- Agent runs execute without blocking API responses
- Collection jobs run asynchronously
- Report generation is non-blocking
The `samplesql.sql` file provides the following test data:
| Entity | Count | Notes |
|---|---|---|
| Organizations | 3 | Acme Corp, HealthFirst, FinSecure |
| Users | 10 | Across 3 orgs, 6 roles |
| Frameworks | 6 | SOC 2, ISO 27001, HIPAA, PCI, GDPR, NIST |
| Framework Domains | 14 | Across SOC 2, ISO 27001, HIPAA |
| Framework Requirements | 13 | Across SOC 2, ISO 27001, HIPAA |
| Controls | 15 | 12 Acme + 3 HealthFirst |
| Evidence | 11 | Various statuses and collectors |
| Policies | 7 | All lifecycle statuses |
| Risks | 7 | All risk levels and treatment types |
| Incidents | 4 | All severity levels and statuses |
| Timeline Events | 7 | For incident tracking |
| Audits | 3 | Various statuses |
| Audit Findings | 3 | Various severities |
| Vendors | 6 | Various risk tiers and statuses |
| Vendor Assessments | 2 | With questionnaire data |
| Training Courses | 4 | Various course types |
| Training Assignments | 6 | All assignment statuses |
| Access Review Campaigns | 2 | Active and completed |
| Access Review Entries | 5 | Various decisions |
| Monitor Rules | 4 | All check types |
| Monitor Alerts | 3 | All alert statuses |
| Integrations | 5 | AWS, GitHub, Okta, Prowler |
| Collection Jobs | 5 | Completed and failed |
| Questionnaires | 3 | Various statuses |
| Questionnaire Responses | 3 | With confidence scores |
| Trust Center Config | 1 | Published |
| Trust Center Documents | 3 | Public and NDA-required |
| Reports | 4 | Various types and formats |
| Notifications | 5 | Various categories |
| Audit Logs | 8 | Various actions |
| Onboarding Sessions | 3 | Various completion states |
| Agent Runs | 5 | Various agent types and statuses |
The repository has pytest test files in `backend/tests/` covering:
| Test File | Coverage Area |
|---|---|
| `test_health.py` | Health check endpoint |
| `test_frameworks.py` | Framework CRUD API |
| `test_controls.py` | Controls CRUD API |
| `test_control_templates.py` | Control template management |
| `test_organizations.py` | Organization CRUD API |
| `test_risks.py` | Risk management API |
| `test_training.py` | Training courses & assignments |
| `test_access_reviews.py` | Access review campaigns |
| `test_incidents.py` | Incident management API |
| `test_vendors.py` | Vendor management API |
| `test_questionnaires.py` | Questionnaire API |
| `test_notifications.py` | Notification system |
| `test_gap_analysis.py` | Gap analysis API |
| `test_auditor_marketplace.py` | Auditor marketplace |
| `test_audit_logs.py` | Audit logging |
| `test_rbac.py` | RBAC enforcement |
| `test_tenants.py` | Multi-tenancy isolation |
| `test_prowler.py` | Prowler integration |
| `test_trust_center.py` | Trust center |
```bash
# Run all tests
cd backend && pytest

# Run with verbose output
cd backend && pytest -v

# Run specific test file
cd backend && pytest tests/test_controls.py

# Run with coverage report
cd backend && pytest --cov=app --cov-report=html
```