Authentication
0 / 7
auth-01
Admin login with valid credentials
Untested
▾
Steps
Go to /ada/admin/ → Enter admin username + password → Click Login
Expected Result
Dashboard loads; role shown as Admin; sidebar shows Agencies, Licenses, etc.
auth-02
Agency login with valid credentials
Untested
▾
Steps
Go to /ada/admin/ → Enter agency username + password → Click Login
Expected Result
Dashboard loads; role shown as Agency; sidebar limited to Licenses, Report, Settings
auth-03
Login with wrong password
Untested
▾
Steps
Enter any username + incorrect password → Click Login
Expected Result
"Invalid username or password" error shown; no session created
auth-04
Login with disabled account
Untested
▾
Steps
Disable an agency or admin account → attempt login with that account
Expected Result
Login rejected with "account is disabled" message
auth-05
Logout
Untested
▾
Steps
While logged in → click Logout link
Expected Result
Session cleared; redirected to login page
auth-06
Session persists on page reload
Untested
▾
Steps
Login → refresh the page
Expected Result
User remains logged in; dashboard still visible
auth-07
Direct URL access without session
Untested
▾
Steps
While logged out → navigate directly to /ada/admin/?tab=licenses
Expected Result
Redirected to login page; no data exposed
Dashboard & Overview
0 / 4
ov-01
Overview tab loads for Admin role
Untested
▾
Steps
Login as Admin → confirm Overview tab is the default landing page
Expected Result
Stats visible: total agencies, licenses, active installs; no errors
ov-02
Overview tab loads for Agency role
Untested
▾
Steps
Login as Agency → confirm Overview tab loads
Expected Result
Agency-scoped stats shown; no other agencies' data visible
ov-03
Nav sidebar items match role permissions
Untested
▾
Steps
Login as Agency → inspect sidebar navigation items
Expected Result
Admins tab is NOT visible; Agencies tab is NOT visible; own sections are shown
ov-04
Stat counts are accurate
Untested
▾
Steps
Add one agency and one license → return to Overview
Expected Result
Agency count and license count increment correctly
Agency Management (Admin)
0 / 13
ag-01
Admin can see Agencies tab
Untested
▾
Steps
Login as Admin → click Agencies in sidebar
Expected Result
Agencies list page loads with table of agencies
ag-02
Create new agency
Untested
▾
Steps
Agencies tab → click Create Agency → fill name, username, email, password, license limit → Save
Expected Result
Agency appears in list; welcome email sent to provided address
ag-03
Create agency with duplicate username
Untested
▾
Steps
Try to create agency with a username that already exists
Expected Result
Error message shown; no duplicate created
ag-04
Edit agency details
Untested
▾
Steps
Click Edit on an agency → update name or email → Save
Expected Result
Changes reflected immediately in the list
ag-05
Change agency password
Untested
▾
Steps
Edit an agency → enter new password (≥6 chars) → Save
Expected Result
Agency can log in with the new password
ag-06
Password too short rejected
Untested
▾
Steps
Edit an agency → enter a 3-character password → Save
Expected Result
"Password min 6 chars" warning shown; password unchanged
ag-07
Enable ADA Report Generator for agency
Untested
▾
Steps
Agencies list → click "Report On" toggle for an agency
Expected Result
Button toggles to "Report Off"; agency can now access Report tab
ag-08
Disable ADA Report Generator for agency
Untested
▾
Steps
Agencies list → click "Report Off" toggle for an agency
Expected Result
Button toggles to "Report On"; Report tab locked for that agency
ag-09
Set report limit for agency
Untested
▾
Steps
Edit agency → enter a Report Limit value (e.g. 5) → Save
Expected Result
Agency is blocked from generating more than 5 reports; error shown on limit breach
ag-10
Set Anthropic API key for agency
Untested
▾
Steps
Edit agency → enter a valid Anthropic API key → Save
Expected Result
Agency report generation uses this key instead of the platform default
ag-11
Delete agency
Untested
▾
Steps
Click Delete on an agency that has no active licenses → confirm
Expected Result
Agency removed from list; login with that account fails
ag-12
Agency pagination
Untested
▾
Steps
Ensure more agencies exist than the default page size → visit Agencies tab
Expected Result
Pagination controls appear; next/previous navigation works correctly
ag-13
Agency tab hidden from Agency role
Untested
▾
Steps
Login as Agency → attempt to navigate to ?tab=agencies
Expected Result
Access denied or tab not rendered; no agency data exposed
License Management
0 / 10
lic-01
Admin can view Licenses tab
Untested
▾
Steps
Login as Admin → click Licenses in sidebar
Expected Result
Full license list shown with domain, status, assigned agency, created date
lic-02
Agency sees only their own licenses
Untested
▾
Steps
Login as Agency → click Licenses tab
Expected Result
Only licenses assigned to this agency are shown; no other agencies' licenses visible
lic-03
Create a new license (Admin)
Untested
▾
Steps
Licenses tab → Create License → fill domain, customer name, email, assign agency → Save
Expected Result
License appears in list with a generated key; welcome email sent to customer
lic-04
Create license when agency is at limit
Untested
▾
Steps
Set agency license_limit to 2; give it 2 licenses → try to add a 3rd
Expected Result
"License limit reached" error; new license not created
lic-05
Widget key serves correctly for valid domain
Untested
▾
Steps
Copy a license key → load /ada/widget.php?key=KEY in a browser
Expected Result
Widget JS is served (200 OK); content-type is application/javascript
lic-06
Widget blocked for suspended/inactive license
Untested
▾
Steps
Deactivate a license → load /ada/widget.php?key=KEY
Expected Result
Suspended script (suspended.js) served or empty response; widget does not initialise
lic-07
Resend welcome email for a license
Untested
▾
Steps
Find a license → click "Resend Email"
Expected Result
Flash "email resent" confirmation shown; customer receives email
lic-08
Remove a license
Untested
▾
Steps
Find a license → click Remove → confirm
Expected Result
License removed from list; widget.php?key=KEY returns blocked response
lic-09
License count badge in sidebar updates
Untested
▾
Steps
Add a license → check sidebar Licenses badge
Expected Result
Badge count increments by 1
lic-10
Access log records widget loads
Untested
▾
Steps
Embed widget on a test page → load that page
Expected Result
Access log (Access Log tab) shows an entry for the domain
ADA Report Generator
0 / 13
rpt-01
Report tab visible when enabled for agency
Untested
▾
Steps
Login as Agency with Report Generator enabled → click Report tab
Expected Result
Report generation form loads with URL and Client Name fields
rpt-02
Report tab locked when disabled for agency
Untested
▾
Steps
Login as Agency with Report Generator disabled → check sidebar
Expected Result
Report tab appears greyed out / locked; form not accessible
rpt-03
Generate ADA report for a valid URL
Untested
▾
Steps
Report tab → enter a public URL (e.g. https://example.com) + Client Name → Generate
Expected Result
Loading spinner shown; report PDF generated and saved; appears in history list
rpt-04
Generate report with empty URL
Untested
▾
Steps
Leave URL field blank → click Generate
Expected Result
Validation error shown; no API call made
rpt-05
Generate report for unreachable URL
Untested
▾
Steps
Enter a non-existent URL → click Generate
Expected Result
"Could not fetch site" or similar error shown; no corrupt PDF created
rpt-06
Download a saved report
Untested
▾
Steps
Report tab → find a previously generated report → click Download
Expected Result
PDF downloads successfully; file opens correctly in a PDF viewer
rpt-07
Delete a report
Untested
▾
Steps
Report tab → find a report → click Remove
Expected Result
Report removed from dashboard (soft-deleted); file no longer downloadable
rpt-08
Agency cannot access another agency's reports
Untested
▾
Steps
Get a report ID belonging to Agency B → login as Agency A → attempt to download it
Expected Result
403 or "not found" response; report not served
rpt-09
Admin sees all reports across agencies
Untested
▾
Steps
Login as Admin → open Report tab
Expected Result
Reports from all agencies listed; agency column identifies each owner
rpt-10
Report limit enforcement for agency
Untested
▾
Steps
Set agency report_limit=2 → generate 2 reports → attempt a 3rd
Expected Result
"Report limit reached" error on 3rd attempt; count does not increment
rpt-11
Report uses agency's own Anthropic API key when set
Untested
▾
Steps
Set a valid agency-level API key → generate a report as that agency
Expected Result
Report generated successfully; audit log shows GENERATE_REPORT event
rpt-12
Report PDF content is correct
Untested
▾
Steps
Download a generated report PDF → open it
Expected Result
PDF contains: report title, client name, domain, ADA findings, scoring sections
rpt-13
Report history pagination
Untested
▾
Steps
Generate more reports than the default page size
Expected Result
Pagination controls appear; navigation between pages works correctly
Audit Log
0 / 6
aud-01
Admin can view full audit log
Untested
▾
Steps
Login as Admin → click Audit Log tab
Expected Result
Log entries shown: actor, role, action, detail, timestamp
aud-02
Login events logged
Untested
▾
Steps
Log in as agency → go to Audit Log (as Admin)
Expected Result
LOGIN entry appears for that agency username and role
aud-03
Logout events logged
Untested
▾
Steps
Log out → log back in as Admin → check Audit Log
Expected Result
LOGOUT entry appears for the previous session
aud-04
Report generation events logged
Untested
▾
Steps
Generate a report → check Audit Log
Expected Result
GENERATE_REPORT entry shows URL and client name
aud-05
Agency sees only their own audit entries
Untested
▾
Steps
Login as Agency → go to Audit Log
Expected Result
Only entries for this agency's username are shown; admin/other agency entries hidden
aud-06
Audit log search works
Untested
▾
Steps
Audit Log tab → type a username or action keyword in search box
Expected Result
Log filters to matching entries in real time
Access Log
0 / 4
acc-01
Admin can view full access log
Untested
▾
Steps
Login as Admin → click Access Log tab
Expected Result
Raw widget access log lines displayed (IP, domain, timestamp)
acc-02
Agency sees only their domains in access log
Untested
▾
Steps
Login as Agency → go to Access Log
Expected Result
Only log lines containing domains owned by this agency are shown
acc-03
Widget access creates a log entry
Untested
▾
Steps
Load /ada/widget.php?key=VALID_KEY → check Access Log
Expected Result
New entry for the request appears in the log
acc-04
Access log search works
Untested
▾
Steps
Type a domain name in the search box
Expected Result
Log filters to entries containing that domain
Settings & Profile
0 / 8
set-01
Admin can access Settings tab
Untested
▾
Steps
Login as Admin → click Settings in sidebar
Expected Result
Settings page loads with sections: Platform API Key, AI Model, password change
set-02
Save Anthropic API key (platform-level)
Untested
▾
Steps
Settings → paste a valid Anthropic API key → Save Settings
Expected Result
"Settings saved" flash shown; key stored; report generation works
set-03
Save AI model override
Untested
▾
Steps
Settings → select or type a model name → Save Settings
Expected Result
Model saved; new reports use this model
set-04
Change own password (Admin)
Untested
▾
Steps
Settings → enter current password + new password + confirm → Change
Expected Result
"Password changed" confirmation; old password no longer works
set-05
Change password with wrong current password
Untested
▾
Steps
Settings → enter incorrect current password → Change
Expected Result
Error shown; password not changed
set-06
Change password too short
Untested
▾
Steps
Settings → enter new password shorter than 6 chars → Change
Expected Result
"Password min 6 chars" error; password not changed
set-07
Agency can change their own password
Untested
▾
Steps
Login as Agency → Settings → change password → verify login with new password
Expected Result
Password changed successfully; agency can log in with new credentials
set-08
Database connectivity status shown
Untested
▾
Steps
Settings tab → check DB status indicator
Expected Result
Green/OK status shown for database connection
Widget Delivery
0 / 6
wid-01
Widget script served for valid key
Untested
▾
Steps
curl https://yourdomain.com/ada/widget.php?key=VALID_KEY
Expected Result
200 OK; Content-Type: application/javascript; widget JS code returned
wid-02
Widget loads on correct domain
Untested
▾
Steps
Embed the widget script on the licensed domain; open the page
Expected Result
ADA widget initialises without console errors
wid-03
Widget blocked on wrong domain
Untested
▾
Steps
Use a valid key but embed it on a different (unlicensed) domain
Expected Result
Widget does not initialise; access log records the blocked attempt
wid-04
Widget script served without key (public)
Untested
▾
Steps
Load /ada/widget.php with no key parameter
Expected Result
Generic or empty widget response; no crash; access logged
wid-05
Suspended key returns suspended script
Untested
▾
Steps
Suspend a license → load widget.php?key=THAT_KEY
Expected Result
suspended.js content returned; widget does not activate
wid-06
Widget caches correctly (CACHE_TTL)
Untested
▾
Steps
Load the widget twice within CACHE_TTL seconds
Expected Result
Response headers include cache-related headers; no double DB query
Email Notifications
0 / 4
em-01
Welcome email sent on agency creation
Untested
▾
Steps
Create a new agency with a real email address
Expected Result
Welcome email delivered with login URL, username, and temporary password
em-02
Welcome email sent on license creation
Untested
▾
Steps
Create a new license with a customer email address
Expected Result
Customer receives license key and widget embed instructions
em-03
Resend license email works
Untested
▾
Steps
Licenses tab → Resend Email on a license
Expected Result
Email re-delivered to customer; flash message confirmed
em-04
Email contains correct branding / sender
Untested
▾
Steps
Check inbox of a received email
Expected Result
From name and address match configured SMTP settings (ADA Widget Licences)