Evidence Log
Purpose
This page tracks the evidence required before the Maqsafy technical documentation can move from an internal preliminary baseline to an approved internal technical baseline.
Evidence should be concise and sanitized. Do not include production secrets, customer data, private keys, access tokens, raw payment payloads, or unmasked screenshots.
Evidence Status
| Status | Meaning |
|---|---|
| Needed | Evidence has not been provided yet |
| Provided | Evidence was provided and is linked or summarized |
| Reviewed | Evidence was reviewed and accepted for documentation purposes |
| Rejected | Evidence was not sufficient or was unsafe to include |
Required Evidence Register
| ID | Area | Evidence Needed | Suggested Evidence Format | Owner | Status | Notes |
|---|---|---|---|---|---|---|
| EVD-RBAC-001 | RBAC | Permission test evidence for Admin, School Manager, Supplier, and Operator | Test case names, screenshots with data masked, or CI output | CTO / Backend | Needed | Include both positive and negative cases |
| EVD-TENANT-001 | Tenant isolation | School user cannot access another school's data | Negative API test result or code reference | Backend | Needed | Must include expected 403 or equivalent denial |
| EVD-TENANT-002 | Tenant isolation | Supplier cannot access another supplier's products, orders, invoices | Negative API test result or code reference | Backend | Needed | High priority |
| EVD-TENANT-003 | Tenant isolation | Operator cannot access another operator's cafeteria records | Negative API test result or code reference | Backend | Needed | High priority |
| EVD-CRED-001 | Credentials | Credential cancellation is Admin-only | Test case or permission config evidence | Backend / Product | Needed | Separate cancellation from activation/deactivation |
| EVD-CRED-002 | Credentials | Manager, Parent, and Student activation/deactivation behavior | Permission config or tested workflows | Backend / Product | Needed | Must define exact allowed actions |
| EVD-BACKUP-001 | Backup | Last database backup confirmation | Backup job output or monitoring screenshot | CTO / Operations | Needed | Must not include credentials |
| EVD-RESTORE-001 | Restore | Last restore test date, environment, result, and validation checklist | Restore test record | CTO / Operations | Needed | Required before final approval |
| EVD-RPO-001 | Recovery target | Formal RPO wording | Approved technical wording | CTO | Needed | Current wording: zero data loss target |
| EVD-RTO-001 | Recovery target | RTO confirmation | Approved technical wording | CTO | Needed | Current target: less than 1 hour |
| EVD-PAY-001 | Payment idempotency | Duplicate callbacks/retries cannot duplicate wallet or ledger impact | Test case, code reference, or reconciliation evidence | Backend / Finance | Needed | High priority financial control |
| EVD-API-001 | API documentation | OpenAPI / Swagger status | /openapi.yaml draft and OpenAPI / Swagger documentation page | Backend | Partial | Needs backend validation and hosted Swagger UI decision |
| EVD-SEC-001 | Security controls | Cloudflare Access, auth, RBAC, rate limiting, and logging evidence | Sanitized control checklist | CTO / Security | Needed | No secrets |
| EVD-MON-001 | Monitoring | Laravel logs and Sentry operational evidence | Screenshot or alert configuration summary | CTO / Operations | Needed | Mask project DSNs |
| EVD-REL-001 | Release process | Deployment, rollback, hotfix, and approval flow | Approved process summary | CTO / Product | Needed | Required for operational readiness |
Evidence Entry Template
Use this format when evidence is added.
## EVD-AREA-000 - Evidence Title
| Field | Details |
|---|---|
| Area | RBAC / Tenant Isolation / Backup / Restore / Payment / API / Security |
| Source | Test / Screenshot / Code reference / Team confirmation |
| Environment | Production / Staging / Local / Not applicable |
| Date | YYYY-MM-DD |
| Owner | Name or role |
| Result | Passed / Failed / Under Review |
| Sanitization | Sensitive data removed / Not applicable |
| Notes | Short summary only |
Evidence Rules
- Do not attach real production secrets.
- Do not include raw customer data.
- Mask emails, phone numbers, names, tokens, payment references, and private URLs where possible.
- Prefer test names, summaries, and screenshots over raw logs.
- Evidence should support the documentation, not replace detailed internal operational records.