diff --git a/docs/QA_PLAN.md b/docs/QA_PLAN.md index 6d36ee3..051d319 100644 --- a/docs/QA_PLAN.md +++ b/docs/QA_PLAN.md @@ -104,7 +104,7 @@ before cross-cutting; regression last). Update **Status** and **Findings** every | B13 | API / backend direct | all `/api/*`: auth, CSRF, validation, rate limits, error shape, IDOR, cents | via HTTP client | ✅ | 0 / 1 | | B14 | Non-functional | a11y, performance, PWA/offline, XSS/secrets, timezone/DST | large + adversarial | ✅ | 0 / 4 | | B15 | Regression & sign-off | full smoke on **production build**, exit criteria | seeded | ✅ | 0 / 0 | -| B16 | Migrations, secrets & deploy | migration idempotency/rollback/fresh==migrated, encryption-key lifecycle, `docker-entrypoint` (perms/first-run/migrate), update-check phone-home | scratch + docker | ⬜ | 0 / 0 | +| B16 | Migrations, secrets & deploy | migration idempotency/rollback/fresh==migrated, encryption-key lifecycle, `docker-entrypoint` (perms/first-run/migrate), update-check phone-home | scratch + docker | 🔄 | 1 / 0 | > After B15, if any batch is 🔁 or has open S1/S2, loop back. Then start a new > cycle from B0 against the next build/version. @@ -149,7 +149,7 @@ fixing. Keep only **Open / Fixing / Fixed** rows here. Once a finding is | ID | Sev | Area (`file:line`) | Summary | Status | Notes / repro | |----|-----|--------------------|---------|--------|---------------| -| _(none — all Cycle 1 findings fixed, verified & archived to `HISTORY.md` v0.41.0)_ | | | | | | +| QA-B16-01 | S4 | `services/updateCheckService.js` + `routes/privacy.js` | Privacy policy calls the version check "**optional**", but there is **no opt-out** — it phones a hardcoded host (`dream.scheller.ltd`) whenever About/Status/version is loaded | 🔴 Open | decision needed: add a toggle vs reword | **Finding template** (paste a new row above; keep the full write-up here until archived):
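Review bot: in the first hunk (the B16 status row), the findings counter moves from `0 / 0` to `1 / 0` while the status becomes 🔄, but the legend quoted just below that table only defines the 🔁 loop-back condition ("if any batch is 🔁 or has open S1/S2"); since the new finding is S4, a reader cannot tell from this row whether B16 is still blocking sign-off. Suggest spelling out in the legend what 🔄 means relative to 🔁 (in progress, not a loop-back trigger) and, if the counter is read as open / fixed, saying so in the column header so `1 / 0` here is unambiguous next to B14's `0 / 4`.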
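Review bot: in the second hunk (the new `QA-B16-01` row), the "Notes / repro" cell records only the decision to be made ("add a toggle vs reword"), and the "Area" cell gives files without the `file:line` the column header asks for; a finding about an undisclosed outbound request needs the repro to be checkable. Suggest adding the line references in `services/updateCheckService.js` and `routes/privacy.js`, and stating what the request to `dream.scheller.ltd` carries (version string only, or more), because the choice between adding an opt-out and rewording the "optional" claim depends on exactly what leaves the host, and whichever option is chosen the privacy text and the code should change in the same commit so the policy cannot drift from behaviour again.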