# QA-002: Sprint 1 Test Plan — Auth, RBAC, Company/Store Setup
Status: Draft (Blocked by CAR-15)
Issue: CAR-16
Owner: QA (8d0de613)
Created: 2026-07-03
Blocked by: CAR-15 (Sprint 1 Implementation), CAR-24 (GitHub Repository — prerequisite for DEV)
Note: Complementary to knowledge/testing/CAR-16-Test-Plan.md which contains the full 47 TC sheets. This document is the executive summary + Gherkin mapping.
## 1. Overview

This test plan covers all Phase 1 MVP features per the PRD-001 Gherkin Acceptance Criteria.

Test Scope: REST API (backend), since there is no frontend in Phase 1.

Goal: ≥ 80% automated (48/60 scenarios), all critical-path scenarios in CI.
## 2. Test Environment

### 2.1 Prerequisites

### 2.2 Required Tools

- Test Framework: Jest or Vitest
- HTTP Client: Supertest or Playwright API
- DB: Prisma test instance or Testcontainers
- CI: GitHub Actions (after the CAR-22/CAR-23 repo setup)
## 3. Feature Test Matrix

### F1 — Authentication (8 Must-Have, 5 Edge-Case = 13 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-001 | Successful login with valid credentials | Must-Have | P0 | Pending |
| AC-002 | Login fails with wrong password | Must-Have | P0 | Pending |
| AC-003 | Login fails for non-existent user | Must-Have | P0 | Pending |
| AC-004 | Login fails with empty email field | Edge | P1 | Pending |
| AC-005 | Login fails with invalid email format | Edge | P1 | Pending |
| AC-006 | Refresh token issues a new access token | Must-Have | P0 | Pending |
| AC-007 | Refresh token expired → 401 | Edge | P1 | Pending |
| AC-008 | Login binds user to company | Edge | P2 | Pending |
### F1.2 Registration (1 Must-Have, 3 Edge = 4 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-010 | Successful registration with email verification | Must-Have | P0 | Pending |
| AC-011 | Registration with existing email → 409 | Edge | P1 | Pending |
| AC-012 | Registration with weak password → 400 | Edge | P1 | Pending |
| AC-013 | Email verification succeeds | Edge | P1 | Pending |
| AC-014 | Email verification with invalid token → 400 | Edge | P1 | Pending |
### F1.3 Password Reset (1 Must-Have, 3 Edge = 4 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-020 | Password reset email requested | Must-Have | P0 | Pending |
| AC-021 | Reset for non-existent user → 200 (security: no account enumeration) | Edge | P0 | Pending |
| AC-022 | Reset password with valid token | Edge | P0 | Pending |
| AC-023 | Password reset with expired token → 400 | Edge | P1 | Pending |
### F2 — RBAC Roles & Permissions (5 Must-Have, 3 Edge = 8 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-030 | Admin can manage all resources | Must-Have | P0 | Pending |
| AC-031 | Manager cannot perform admin operations | Must-Have | P0 | Pending |
| AC-032 | Sales can only perform POS operations | Must-Have | P0 | Pending |
| AC-033 | Unauthenticated user → 401 | Must-Have | P0 | Pending |
| AC-034 | User from another company → 403 | Must-Have | P0 | Pending |
| AC-040 | Admin can change a user's role | Must-Have | P0 | Pending |
| AC-041 | Manager cannot change roles | Edge | P1 | Pending |
| AC-042 | Admin can remove a user from the company | Edge | P1 | Pending |
| AC-043 | User cannot change own role | Edge | P1 | Pending |
### F3 — Company & Store Setup (4 Must-Have, 3 Edge = 7 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-050 | Admin can edit company data | Must-Have | P0 | Pending |
| AC-051 | Non-admin cannot edit company | Must-Have | P0 | Pending |
| AC-052 | Company with empty name → 400 | Edge | P1 | Pending |
| AC-060 | Admin can create a new store | Must-Have | P0 | Pending |
| AC-061 | Manager cannot create a store | Must-Have | P0 | Pending |
| AC-062 | Admin can edit store | Must-Have | P0 | Pending |
| AC-063 | Admin can deactivate store (soft delete) | Must-Have | P0 | Pending |
| AC-064 | Multi-store: user sees only own stores | Edge | P1 | Pending |
### F4 — User Management (3 Must-Have, 2 Edge = 5 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-070 | Admin can invite a new user | Must-Have | P0 | Pending |
| AC-071 | Admin can list all users of the company | Must-Have | P0 | Pending |
| AC-072 | Manager sees only users of own stores | Must-Have | P0 | Pending |
| AC-073 | Admin can edit user (change role) | Edge | P1 | Pending |
| AC-074 | Admin can deactivate user | Edge | P0 | Pending |
| AC-075 | Deactivated user → 401 on login | Edge | P0 | Pending |
### F5 — Product Master Data (3 Must-Have, 4 Edge = 7 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-080 | Admin can create product | Must-Have | P0 | Pending |
| AC-081 | Product without required field "name" → 400 | Edge | P1 | Pending |
| AC-082 | Product with fashion attributes | Edge | P2 | Pending |
| AC-083 | Admin can edit product | Must-Have | P0 | Pending |
| AC-084 | Admin can deactivate product (soft delete) | Must-Have | P0 | Pending |
| AC-085 | Manager can create products | Edge | P1 | Pending |
| AC-086 | Sales cannot create products → 403 | Edge | P1 | Pending |
| AC-087 | User A sees no products from Company B | Must-Have | P0 | Pending |
### F5.2 Categories (2 Must-Have, 2 Edge = 4 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-090 | Admin can create a top-level category | Must-Have | P0 | Pending |
| AC-091 | Admin can create a subcategory (parent ID) | Must-Have | P0 | Pending |
| AC-092 | Category with invalid parent ID → 400 | Edge | P1 | Pending |
| AC-093 | Manager cannot delete categories → 403 | Edge | P1 | Pending |
### F5.3 SKU & Inventory (1 Must-Have, 3 Edge = 4 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-100 | SKU code must be unique per company | Must-Have | P0 | Pending |
| AC-101 | Stock level differs per store | Edge | P1 | Pending |
| AC-102 | Stock query for non-existent SKU → 0 | Edge | P1 | Pending |
### F6 — Security & Edge Cases (2 Must-Have, 4 Edge = 6 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-110 | 6 failed logins → account locked for 30 min | Must-Have | P0 | Pending |
| AC-111 | JWT token manipulation → 401 | Must-Have | P0 | Pending |
| AC-112 | Rate limiting: 21 attempts/min → 429 | Edge | P1 | Pending |
| AC-113 | XSS in email field → escaped/400 | Edge | P0 | Pending |
| AC-114 | SQL injection in login → 401 (no leak) | Edge | P0 | Pending |
| AC-115 | Access token expires after 15 min | Edge | P0 | Pending |
### F7 — Multi-Tenant Isolation (1 Must-Have, 3 Edge = 4 Total)

| ID | Test Case | Type | Priority | Status |
|----|-----------|------|----------|--------|
| AC-120 | User A sees no data from Company B | Must-Have | P0 | Pending |
| AC-121 | User with store access sees only own stores | Edge | P1 | Pending |
| AC-122 | Row-level security: DB query without tenant_id → 0 rows | Edge | P0 | Pending |
| AC-123 | IDOR attack → 403, no data leak | Edge | P0 | Pending |
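The F2 and F7 rows fix the status codes an authorization guard must return: 401 before any tenant check, 403 for a foreign company, 403 for a role that lacks the operation, and 403 when a user targets their own role (AC-043). As an added example that is not Cartly's code, the JavaScript below implements such a guard and runs the matrix rows against it; the role names, action strings and request shapes are assumptions for illustration.

```javascript
// Added example, not Cartly's code. Role/action names and the resource shape are assumed.
const ROLE_ACTIONS = {
  admin:   new Set(['company:edit', 'store:create', 'user:invite', 'role:change', 'product:create', 'pos:sell']),
  manager: new Set(['product:create', 'pos:sell']),
  sales:   new Set(['pos:sell']),
};

// Returns the HTTP status an endpoint should answer with.
// Check order matters: authentication (401) first, then tenant (403), then self-target, then role.
function authorize(user, action, resource) {
  if (!user || !user.id) return 401;                                  // AC-033: unauthenticated
  if (resource && resource.companyId !== user.companyId) return 403;  // AC-034 / AC-120: other tenant
  if (action === 'role:change' && resource && resource.userId === user.id) return 403; // AC-043: own role
  const allowed = ROLE_ACTIONS[user.role];
  if (!allowed || !allowed.has(action)) return 403;                   // AC-031 / AC-032 / AC-086
  return 200;
}

// Constructed fixtures mirroring the matrix: three roles in Company A, a store in Company B.
const admin   = { id: 'u1', role: 'admin',   companyId: 'A' };
const manager = { id: 'u2', role: 'manager', companyId: 'A' };
const sales   = { id: 'u3', role: 'sales',   companyId: 'A' };
const storeA  = { companyId: 'A' };
const storeB  = { companyId: 'B' };

// [scenario id, caller, action, resource, expected status per the test matrix]
const SCENARIOS = [
  ['AC-030', admin,   'store:create',   storeA, 200],
  ['AC-031', manager, 'store:create',   storeA, 403],
  ['AC-032', sales,   'product:create', storeA, 403],
  ['AC-033', null,    'pos:sell',       storeA, 401],
  ['AC-034', admin,   'store:create',   storeB, 403],
  ['AC-043', admin,   'role:change',    { companyId: 'A', userId: 'u1' }, 403],
  ['AC-086', sales,   'product:create', storeA, 403],
];

// Evaluates every scenario and reports expected vs. actual status.
function runScenarios(scenarios = SCENARIOS) {
  return scenarios.map(([id, user, action, res, expected]) => {
    const actual = authorize(user, action, res);
    return { id, expected, actual, passed: actual === expected };
  });
}
```

In a real Jest/Supertest suite the same table would drive HTTP calls against the API and assert on `res.status` instead of calling the guard directly.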
## 4. Critical Path (MUST in CI)

These 7 scenarios must NEVER fail and must be integrated into CI:

- AC-001 — Successful login
- AC-030 — Admin full access
- AC-050 — Edit company data
- AC-060 — Create store
- AC-070 — Invite user
- AC-080 — Create product
- AC-087 — Tenant isolation
## 5. Bug Report Template

```markdown
## Bug Report — [Short title]
**Severity:** [Critical / High / Medium / Low]
**Feature:** [F1.1 / F2 / etc.]
**Test Case:** [AC-XXX]
**Environment:** [Dev/Staging]
**Reported By:** QA

### Steps to Reproduce
1.
2.
3.

### Expected Behavior
[...]

### Actual Behavior
[...]

### Evidence
[API Response / Logs / Screenshots]

### Impact
[Business Impact]

### Related Issues
CAR-16
```
## 6. Test Execution Log

| Date | Tester | Feature | Passed | Failed | Blocked | Notes |
|------|--------|---------|--------|--------|---------|-------|
| 2026-07-03 | QA | — | — | — | — | Blocked by CAR-15, CAR-24 (no code yet) |
| 2026-07-03 | QA | Doc consolidation | — | — | — | Fixed URL, updated blockers, cross-ref CAR-16-Test-Plan |
## 7. Document Relationship

| Document | Role |
|----------|------|
| knowledge/QA/QA-002-Sprint1-Test-Plan.md | This file — executive summary + Gherkin matrix + critical path |
| knowledge/testing/CAR-16-Test-Plan.md | Full 47 TC sheets with step-by-step instructions |
| knowledge/PRDs/PRD-001-Gherkin-Acceptance-Criteria.md | Source of truth for all Gherkin scenarios |
| knowledge/runbooks/DEPLOY-001-Deployment.md | Deployment reference (Draft — DEV to finalize after Sprint 1) |
Created: 2026-07-03 by QA Agent (8d0de613)
Blocked by: CAR-15, CAR-24
Updated: 2026-07-03 — consolidation, URL fix, cross-references