Skip to content

QA / Review: Cloud Quest MVP — full multi-event platform (SP1–SP3, 20 PRs) #21

Description

@lesquel

Summary

The Cloud Quest gamified-event MVP is feature-complete: a multi-event platform where an admin builds events (map, stands, activities, badges, prizes, staff), participants register + show a unique QR, and staff scan players at their stand to award points server-side. Built as 20 squash-merged PRs (#1#20) across three sub-projects, every slice with a fresh adversarial review. All acceptance criteria CA-01 … CA-10 are met, and the core flow was verified live end-to-end (browser + DB).

Authoritative spec: docs/specs/2026-06-21-mvp-scope-reconciled.md. Live schema: supabase/migrations/0001–0009 (supabase/schema.sql is DEPRECATED).


⚠️ Required setup before testing

  1. Disable email confirmation in Supabase → Authentication → Sign In / Providers → Email → turn OFF "Confirm email". Otherwise registration shows "Revisa tu email" and never logs in.
  2. Use real email domains for test accounts (@gmail.com etc.) — GoTrue rejects @example.com.
  3. .env.local needs NEXT_PUBLIC_SUPABASE_URL, NEXT_PUBLIC_SUPABASE_ANON_KEY, SUPABASE_SERVICE_ROLE_KEY (server-only), ADMIN_EMAILS (server-only). Run npm run seed:admin to populate the admin allowlist.
  4. Current DB is stan_aws (dev/test). A separate Supabase project + Vercel deploy is recommended for the real event.
npm install && npm run dev   # http://localhost:3000

How to test (per role)

  • Participant: "Comenzar" → register (name + real email + password) → map (DB stands) → open a stand (read-only, "show QR to staff") → "Mostrar mi código QR" → Ranking.
  • Admin: register with an email in ADMIN_EMAILS → "Panel del organizador" / /admin → create/edit events, stands (+ visual map editor), activities, badges, prizes; create staff & manage participant accounts; correct points; validate winners.
  • Staff: admin creates + assigns them to a stand → they log in (→ /staff) → pick station → scan a participant's QR (or enter the code manually) → player is credited.

Review / QA checklist

SP1 — Foundation (#1–5)

  • Signup creates a profile; allowlisted email → admin; catalog loads from DB; per-event progress via participations; auto-join single active event.

SP2 — Admin (#6–9, #18)

  • CA-10: create/edit event, stands (map editor place/drag), activities, badges, prizes.
  • CA-09: admin creates staff accounts + assigns; lists/edits/deletes participant accounts. Non-admin blocked (RLS + route guard).

SP3 — Staff scan & scoring (#10–17, #19)

  • CA-03/04: staff scans QR → +points/badge/piece once; re-scan → "Ya participó" (no double credit).
  • CA-06: leaderboard ranks by points. CA-07: point corrections with audit history. CA-08: winner validation by QR (top-3 / all-badges). Prize claim deducts tickets + stock server-side.
  • Integrity: all scoring/claiming is server-side (SECURITY DEFINER RPCs); a direct client `update participations set tickets=9999` is rejected (grant revoked).

Cross-cutting

  • Realtime: player screen updates live after a staff scan. Redirects by role. Neutral-Spanish copy. npm test per-file green (~95 integration tests against live Supabase).

Known non-blocking findings (from the live E2E)

  • Setup: email confirmation is currently ON in stan_aws (see Required setup feat(db): SP1 multi-event foundation — schema, RLS, test harness #1).
  • Test infra: running the full suite at once trips Supabase auth's signup rate limit — run per-file (npx vitest run test/<file>).
  • Security (LOW): TOCTOU window on participant delete; no Next-layer rate limit on admin endpoints (platform-inherent).
  • Schema: completions.approved_by has no on delete cascade → deleting a staff member who approved completions is blocked (audit guard; fine in practice since CA-09 delete is participant-scoped).
  • Both UI findings surfaced by the E2E (map per-stand count showing /3, leaderboard VOS voseo) were already fixed in fix: map per-stand count from DB catalog + neutral leaderboard self-marker #20.

Generated after an autonomous Gentleman-mode build + live E2E verification.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions