# Testing Sign-Off Rules

## Scope
This file defines required validation for pull requests and release candidates.

## How To Use This File
1. Use this as the test acceptance checklist for code review.
2. `Must` items are required before merge.
3. `Should` items are expected unless approved as exceptions.
4. `Could` items are optional test maturity improvements.

## Must (Merge Gate)

### Navigation And Routing
- [ ] Open each affected page directly by URL.
- [ ] Open each affected page via AJAX navigation.
- [ ] Verify browser back/forward behavior.
- [ ] Verify unknown routes fail gracefully.

### UI Behavior
- [ ] Active nav and breadcrumb match the current page.
- [ ] Toast, spinner, and progress indicators do not get stuck.
- [ ] Sidebar toggle works on desktop and mobile.
- [ ] Fullscreen behavior and icon state remain correct.
- [ ] Scroll arrow visibility and actions remain correct.

### Security Validation
- [ ] Invalid page key input is handled safely.
- [ ] New dynamic output is escaped correctly.
- [ ] Error views do not expose sensitive internals or local paths.
- [ ] No secrets appear in client-visible output or console.

### Accessibility Baseline
- [ ] Keyboard users can reach actionable controls.
- [ ] Interactive controls have meaningful labels.
- [ ] Focus visibility remains intact after style changes.

### Quality Evidence
- [ ] Browser console is checked for changed flows.
- [ ] Behavior or contract changes are documented.
- [ ] Related security checks in [../SECURITY.md](../SECURITY.md) are completed.

## Should (Expected Coverage)
- [ ] Validate responsive behavior on desktop, tablet, and mobile breakpoints.
- [ ] Re-test regression matrix for dashboard and analytics routes.
- [ ] Confirm repeated navigation does not duplicate listeners or break charts.
- [ ] Include screenshots or short notes for visible UI changes.

## Could (Optional Maturity)
- [ ] Add automated smoke tests for route loading and navigation.
- [ ] Add lightweight accessibility checks to CI.
- [ ] Add performance budget checks for fragment load times.
- [ ] Add dependency/network failure simulation in automated runs.

## Regression Matrix (Core Flows)
1. Dashboard route and analytics route.
2. Sidebar toggle desktop and mobile.
3. Fullscreen button behavior and icon state.
4. Scroll arrow visibility and actions.
5. Footer links and basic toasts.

## Sign-Off Record
- [ ] Must items complete.
- [ ] Any Should exceptions documented and approved.
- [ ] Open defects captured with severity and owner.
- [ ] Reviewer sign-off recorded.