Evidence Log
Purpose
This page tracks the evidence required before the Maqsafy technical documentation can move from an internal preliminary baseline to an approved internal technical baseline.
Evidence should be concise and sanitized. Do not include production secrets, customer data, private keys, access tokens, raw payment payloads, or unmasked screenshots.
Evidence Status
| Status | Meaning |
|---|---|
| Needed | Evidence has not been provided yet |
| Provided | Evidence was provided and is linked or summarized |
| Reviewed | Evidence was reviewed and accepted for documentation purposes |
| Rejected | Evidence was not sufficient or was unsafe to include |
Required Evidence Register
| ID | Area | Evidence Needed | Suggested Evidence Format | Owner | Status | Notes |
|---|---|---|---|---|---|---|
| EVD-RBAC-001 | RBAC | Permission test evidence for Admin, School Manager, Supplier, and Operator | Test case names, screenshots with data masked, or CI output | CTO / Backend | Partial | Technical team confirmed automated/manual test cases cover denial scenarios; attach screenshots or test output before final approval |
| EVD-SCOPE-001 | Scope / account isolation | School Manager cannot access another school's data | Negative API test result or code reference | Backend | Partial | Technical team clarified Maqsafy is not SaaS; use scope/account isolation terminology. Tests confirmed; evidence attachment pending |
| EVD-SCOPE-002 | Scope / account isolation | Supplier cannot access another supplier's orders or data | Negative API test result or code reference | Backend | Partial | Tests confirmed by technical team; attach evidence before final approval |
| EVD-SCOPE-003 | Scope / account isolation | Operator cannot access cafeteria records outside assigned scope | Negative API test result or code reference | Backend | Partial | Tests confirmed by technical team; attach evidence before final approval |
| EVD-CRED-001 | Credentials | Credential cancellation and replacement are Admin-only | Test case or permission config evidence | Backend / Product | Confirmed by technical team; Evidence Pending | Technical team confirmed replacement is Admin-only; attach permission/test evidence |
| EVD-CRED-002 | Credentials | Manager, Parent, and Student activation/deactivation behavior | Permission config or tested workflows | Backend / Product | Needed | Must define exact allowed actions |
| EVD-BACKUP-001 | Backup | Last database backup confirmation | Backup job output or monitoring screenshot | CTO / Operations | Needed | Must not include credentials |
| EVD-RESTORE-001 | Restore | Last restore test date, environment, result, and validation checklist | Restore test record | CTO / Operations | Partial | Technical team confirmed restore test was performed approximately during the last month; exact date, environment, and result still needed |
| EVD-RPO-001 | Recovery target | Formal RPO wording | Approved technical wording | CTO | Partial | Backups confirmed in two places: Linode and system-level backup; daily cadence confirmed, but formal measurable RPO wording still needed |
| EVD-RTO-001 | Recovery target | RTO confirmation | Approved technical wording | CTO | Needed | Current target: less than 1 hour |
| EVD-PAY-001 | Payment idempotency | Duplicate callbacks/retries cannot duplicate wallet or ledger impact | Test case, code reference, or reconciliation evidence | Backend / Finance | Confirmed by technical team; Evidence Pending | Technical team confirmed server-to-server status checks and single-update enforcement; attach code/test evidence |
| EVD-API-001 | API documentation | API documentation status | Postman collection, /openapi.yaml draft, and OpenAPI / Swagger documentation page | Backend | Partial | Technical team confirmed API documentation exists in Postman; OpenAPI draft exists; hosted Swagger UI still optional/pending |
| EVD-SEC-001 | Security controls | Cloudflare Access, auth, RBAC, rate limiting, and logging evidence | Sanitized control checklist | CTO / Security | Needed | No secrets |
| EVD-MON-001 | Monitoring | Laravel logs and Sentry operational evidence | Screenshot or alert configuration summary | CTO / Operations | Needed | Mask project DSNs |
| EVD-REL-001 | Release process | Deployment, rollback, hotfix, and approval flow | Approved process summary | CTO / Product | Needed | Required for operational readiness |
Evidence Entry Template
Use this format when evidence is added.
## EVD-AREA-000 - Evidence Title
| Field | Details |
|---|---|
| Area | RBAC / Tenant Isolation / Backup / Restore / Payment / API / Security |
| Source | Test / Screenshot / Code reference / Team confirmation |
| Environment | Production / Staging / Local / Not applicable |
| Date | YYYY-MM-DD |
| Owner | Name or role |
| Result | Passed / Failed / Under Review |
| Sanitization | Sensitive data removed / Not applicable |
| Notes | Short summary only |
Evidence Rules
- Do not attach real production secrets.
- Do not include raw customer data.
- Mask emails, phone numbers, names, tokens, payment references, and private URLs where possible.
- Prefer test names, summaries, and screenshots over raw logs.
- Evidence should support the documentation, not replace detailed internal operational records.