# Unified Login Suite 1.1.0 — Automated Test Report

**Validation date:** 16 July 2026 UTC  
**Result:** PASS for all executable static and database-free checks in this build environment

## Release components

- Unified User Portal 1.1.0
- Staff Compliance Portal 1.3.0
- Store Audit System 1.1.0
- Price Label Maker 1.2.0

## Environment

- PHP CLI 8.4.16
- Node.js 22.16.0
- Python 3.13.5
- Available relevant PHP modules: PDO core, Fileinfo, JSON and OpenSSL
- Unavailable here: PDO MySQL, PDO SQLite, GD, a MySQL/MariaDB server, cPanel/Apache configuration and an authenticated browser/tablet environment

## Passed checks

| Check | Result |
|---|---|
| PHP syntax | PASS — 104 PHP files |
| JavaScript syntax | PASS — 1 JavaScript file |
| TOTP implementation | PASS — 18 Base32, RFC 6238, clock-window and provisioning-URI checks |
| Store Audit source audit | PASS — v1.1.0, 69 routes, 26 views, 22 tables, 11 headings and 92 criteria |
| Store Audit recurrence regression | PASS — day/week/month cadence, completion windows, overdue claimability and inactive suppression |
| Cross-suite release validation | PASS — 432 source-tree checks; 433 in the packaged suite including its file manifest, with 44 function permissions and six protected account levels |
| Patch whitespace/integrity | PASS — `git diff --check` |
| Shared authentication client consistency | PASS — all four copies have SHA-256 `84556a6f2798ed5b1b878ac58cb7647fd411869d705db9c4786c12624e92caa1` |

## Security and integration invariants covered

The cross-suite validator checks, among other items:

- the six fixed levels and 44 central permission keys;
- byte-for-byte identical authentication clients in all four folders;
- private-config discovery outside the public document root;
- registered-URL and cookie-scope controls;
- application setup/installer permission gates;
- removal of local password-verification paths;
- POST/CSRF logout and mutation protection;
- Store Audit route mapping that fails closed when unmapped;
- HTTPS, CSP and restrictive browser headers;
- denied private folders and script-disabled upload folders;
- Argon2id support, password history, rate limits, lockouts and unknown-user timing equalisation;
- TOTP replay prevention and recent reauthentication;
- final-Super-Administrator and delegated-access safeguards;
- database-port validation and non-repopulation of database passwords;
- absence of source backups, private central configuration or compiled Python artifacts.

## Required live acceptance

This report does not claim a successful production deployment. Before launch, complete `ACCEPTANCE_CHECKLIST.md` on a staging copy or backed-up target cPanel account. The live test must cover:

- central and Store Audit MySQL/MariaDB installation/upgrade;
- Price Label SQLite migration and transactions;
- cPanel filesystem ownership and writable-directory permissions;
- Apache `.htaccess`, HTTPS, HSTS and cookie behavior at the final URLs;
- browser sign-in, TOTP, recovery codes, password reset/change and cross-application logout;
- role-by-role direct URL and submitted-action authorization;
- legacy-user dry run and reviewed apply against copies of real data;
- concurrent audit claims/revisions and price-review processing;
- tablet camera uploads, signatures, PDFs and document downloads;
- coordinated backup and rollback restoration.
