Notion AI Prompt — OdontoX End-to-End Test Workspace
Copy everything inside the--- PROMPT START --- / --- PROMPT END --- block below and paste it into Notion AI (a blank page works best). Notion will scaffold the whole QA workspace from this single prompt. The prompt embeds the OdontoX codebase context inline so Notion does not need repo access.
After Notion generates the structure, you’ll have:
- A Test Plan Hub (the page Notion creates)
- 7 linked databases (Test Cases, Bugs, Modules, Roles, Emails, Cron Jobs, Integrations)
- Pre-seeded entries for every module, role, email template, cron, and integration in the actual codebase
- Test case templates for each role × module combination
- Severity, status, and assignment columns ready for you to fill in as you test
--- PROMPT START ---
You are setting up a comprehensive end-to-end QA test workspace for OdontoX, an AI-first dental clinic operating system built for the Pakistan market. I’m going to manually test every module across every role and need a structured Notion workspace to record what works, what’s broken, and what needs to be fixed before launch. Build the following Notion structure exactly. Do not summarize, do not omit items, do not add commentary. Create real Notion databases (not just bullet lists) with the columns I specify, and pre-seed each database with the rows I provide.CODEBASE CONTEXT (use this as the source of truth)
Product: OdontoX — multi-tenant dental clinic SaaS. Pakistan market, PKR currency, English UI. Built on Cloudflare Workers (backend), React + Vite + Tailwind v4 (frontend), PostgreSQL (Neon), Cloudflare R2 (file storage). Tenancy: Multi-clinic. Every record carriesclinicId. Users may belong to multiple clinics via userClinicAssignments.
Roles (6 total): superadmin, admin, doctor, receptionist, patient, pending.
Plans (3 tiers): Standard (free 14-day trial, 1 user, 50 patients), Pro (5 users, unlimited patients, 50 GB), Pro+ (10 users, unlimited patients, 500 GB, WhatsApp, X-ray Bridge).
Onboarding: No self-serve clinic creation. Sign-ups land in userOnboardingRequests with status='pending'. A superadmin must manually approve. Approval provisions a clinic with 14-day trial, default rooms, default appointment types, default procedures library, default medications library.
Auth methods: Email + password (Argon2), TOTP 2FA, email OTP 2FA, backup codes, WebAuthn passkeys, password reset via OTP. Single-session enforcement (users.lastSessionId). JWT with 7-day expiry, refresh tokens with rotation.
Modules shipped (10): patients, appointments, clinical, billing, inventory, lab, reports, ai_insights, whatsapp_api, bridge.
Integrations: Stripe (subscriptions + invoices), Zepto (transactional email), DeepSeek V3.2 (AI), Langfuse HIPAA cloud (AI tracing + prompt management), Cloudflare R2 (files), Meta WhatsApp Cloud API, Cloudflare Turnstile (bot protection), OdontoX Bridge desktop app (DICOM uploads).
Cron schedule: Cloudflare Workers triggers at 04:00, 09:00, 14:00, 16:00 UTC daily.
NOTION STRUCTURE TO BUILD
Build a top-level page titled “OdontoX E2E Test Plan — v1.4 Launch Readiness” containing:- A short intro section with: scope, test environment URL placeholder, tester name placeholder, target launch date placeholder, and a legend for severity (S0 Blocker, S1 Critical, S2 High, S3 Medium, S4 Low).
- A “How to test” section with 5 numbered steps: (a) sign in as the role, (b) navigate to module, (c) walk through happy path, (d) walk through edge cases, (e) log every defect in the Bugs database.
- The 7 databases listed below, each as a full-page database (not inline). Each database should have a “By Status” view (group by Status) and a “By Module” view (group by Module) where applicable.
DATABASE 1 — “Test Cases”
Properties:- Test ID (Title) — format
TC-<module>-<role>-<###> - Module (Select) — patients, appointments, clinical, billing, inventory, lab, reports, ai_insights, whatsapp_api, bridge, auth, onboarding, settings, audit, mobile
- Role (Select) — superadmin, admin, doctor, receptionist, patient, pending
- Plan (Multi-select) — Standard, Pro, Pro+
- Scenario (Text) — short title
- Steps (Text) — numbered steps to reproduce
- Expected (Text)
- Actual (Text)
- Status (Select) — Not Tested, Pass, Fail, Blocked, N/A
- Severity (Select) — S0, S1, S2, S3, S4
- Linked Bug (Relation → Bugs database)
- Tested On (Date)
- Tester (Person)
- Notes (Text)
- Login with email + password
- Login with passkey (Touch ID / Face ID / Windows Hello)
- Enable TOTP 2FA, scan QR, verify code
- Enable email OTP 2FA, receive code, verify
- View backup codes (one-time), download
- Reset password using forgot-password OTP
- Lockout after 5 failed login attempts (15-min lock)
- Session timeout after 7 days idle
- Single-session enforcement: log in on second device, first session invalidated
- Logout — JWT cookie cleared, session terminated
- Sign up as new user → lands on
/pending-request→ email confirmation received
- Superadmin views pending onboarding requests at
/onboarding/details - Approve a pending request → clinic created, trial starts (14 days), approval email sent
- Deny a pending request → user notified
- New clinic provisioned with: default rooms, default appointment types, default procedures (~50), default medications (~100)
- Trial countdown visible in UI
- Trial-expiring email sent 2 days before expiry
- Post-expiry: clinic blocked, redirected to
/account-status?code=TRIAL_EXPIRED
- Roles: superadmin (cross-clinic), admin, doctor, receptionist (CRUD); patient (own record only)
- Create patient with full demographics + medical history + dental history
- Edit patient fields, see audit log entry
- Upload patient file (PDF, image) → stored in R2, accessible via signed URL
- Search/filter patients by name, phone, MRN
- Merge two patient records (admin only)
- Invite patient to portal — email sent with sign-in link
- Patient logs in to portal, sees own appointments, treatment plans, invoices, receipts
- Bulk import patients from CSV — validate, preview, execute, verify legacy ID mapping
- Plan limit: Standard plan blocks creation past 50 patients, prompts upgrade
- Cross-clinic isolation: clinic A user cannot read clinic B patient (even via direct ID URL)
- Roles: admin, doctor, receptionist (full); patient (own only); superadmin (read all)
- Create appointment, assign room + doctor + appointment type
- Reschedule appointment → reschedule email sent to patient
- Cancel appointment → cancellation email + WhatsApp message
- Mark appointment complete → completion email with summary
- Mark appointment as no-show → no-show email
- Block doctor time off (block-time)
- View calendar by day / week / month
- Receptionist sees clinic-wide appointments; doctor sees own
- 24h reminder email sent (cron-driven)
- 1h WhatsApp reminder sent (cron-driven)
- Patient receives appointment confirmation on creation
- Patient can request appointment via portal — appears in admin queue
- Patient can reschedule via mobile app
reschedule.tsx - Export appointments CSV
- Roles: doctor (full), admin (full), receptionist (limited), patient (read own)
- Create dental chart entry per tooth using FDI numbering (Q1: 18-11, Q2: 21-28, Q3: 31-38, Q4: 41-48)
- Mark tooth condition: healthy, decayed, filled, crown, missing, implant, root canal, extracted (each color-coded)
- Create treatment plan with multiple procedures
- Send treatment plan to patient via email + WhatsApp + shareable link
- Patient accepts treatment plan via shared link → notification + email back to doctor
- Create clinical note (SOAP format), use AI to generate from transcript
- Create prescription with multiple medications, dosages, durations
- Use prescription template, save as new template
- Record vital signs
- Record consent form, capture digital signature
- Schedule recall (e.g. 6-month cleaning)
- Roles: admin (full), doctor (full), receptionist (limited), patient (own read)
- Create invoice with line items, taxes, discounts; verify PKR currency, “Rs” prefix
- Send invoice email with payment link
- Record payment (cash, card, bank transfer, online via Stripe)
- Generate receipt automatically; share via email
- Create quotation, send to patient, patient accepts
- Convert quotation to invoice
- Set up installment plan (3, 6, 12 months); installment reminders sent
- Mark invoice as paid / partial / overdue / void
- Verify status colors: green (paid), amber (open/pending), red (overdue), muted (void)
- AI-generated payment reminder with tone selection (friendly / firm / final) — verify Banknote icon used, never DollarSign
- Create expense entry, attach receipt
- Process payroll for staff member
- Create insurance claim (Pro+ only)
- Document numbering: invoice/receipt/quotation prefixes + sequence integrity
- Public document share link expires correctly; logs view in
documentViews
- Roles: admin (full); receptionist (Pro: view + adjust; Pro+: full); doctor (none)
- Create inventory item with reorder level, cost, selling price, expiry date, supplier
- Adjust stock (use / receive / correction); verify
stockTransactionsrow created - Trigger low-stock alert: drop quantity below reorder level → next cron sends email + in-app notification
- Trigger expiry alert: 30-day, 7-day pre-expiry warnings
- Create supplier, link to items (Pro+ receptionist only)
- Plan gating: Pro receptionist cannot create items; Pro+ receptionist can
- Roles: admin, doctor (full); receptionist (case creation only)
- Create lab case (crown, bridge, denture, implant, veneer)
- Assign to laboratory
- Track status: sent → in_progress → ready → delivered
- Lab receives notification on case creation
- Doctor notified on status changes
- Configure custom lab service with pricing
- Roles: admin, doctor; receptionist (limited)
- Financial report (revenue, expenses, profit/loss) by date range
- Revenue trends chart (verify Recharts rendering, no pie charts >5 slices)
- Doctor performance report (appointments, revenue per doctor)
- Treatment plan acceptance rate
- Patient demographics (new, churned, retained)
- Inventory usage trends
- Export to CSV / Excel
- AI-generated daily brief (cron-driven, sent to admins)
- AI-generated monthly summary (admin only)
- AI revenue forecast (admin only)
- Roles: doctor, admin (full); receptionist (limited — appointment_nudges, daily_brief, payment_reminder)
- Patient brief generation
- Clinical note from transcript
- DICOM/X-ray analysis (Pro+: unlimited; Pro: 10/month, then quota block)
- Treatment plan presentation rewrite
- Recall message generation
- Appointment nudges
- Churn risk identification
- Grammar / shorten / expand / rewrite text utilities
- Verify “Generated by Ruby” attribution on all AI outputs
- Verify shimmer animation while streaming
- Verify Ruby icon used (never generic AI/robot icon)
- Verify offline failure state (“Ruby is offline — falling back to manual entry”)
- Verify Langfuse trace recorded for each call
- Role: admin (config); all roles (use)
- Configure WhatsApp: phoneNumberId, businessAccountId, accessToken, appSecret, webhookVerifyToken
- Verify credentials encrypted in
clinicModules.config - Send appointment confirmation template
- Send appointment reminder (1h before)
- Send treatment plan with approval link
- Send payment reminder
- Send custom bulk message
- Inbound: patient texts “CANCEL” → matched to next appointment, cancelled, staff + doctor notified
- Inbound: patient sends media (image, document) — stored, attached to thread
- Webhook signature verification (HMAC-SHA256)
- Phone normalization: handle +92 country code variations
- Role: doctor, admin (
bridge.managepermission) - Install OdontoX Bridge desktop client
- Configure clinic API key
- Bridge watches local folder, detects new DICOM
- Auto-match patient by name → upload to
/api/v1/bridge/upload-dicom - Verify DICOM stored in R2 at
dicom/<patientId>/<studyUid>/ - Verify
dicomMetadatarow created (PHI stripped) - Doctor opens patient file → clicks “Analyze” → AI runs DICOM analysis
- Verify quota decrement (
dicomQuota.analysisCount++) - Modalities to test: panoramic, periapical, bitewings, occlusal, CBCT
- Quota block at 10 (Pro plan); unlimited (Pro+)
- Roles: admin (full)
- Clinic settings: name, address, phone, email, currency (PKR locked), timezone
- Branding: upload logo (light + dark), favicon, primary color (Pro+ only)
- Document settings: invoice/receipt/quotation prefixes, footer text, terms
- Operating hours: set per-day open/close
- Rooms / operatories: create, edit, delete
- Appointment types: create, edit, set duration + color
- Email templates: customize per template
- Digital signatures: upload doctor / clinic signature
- Staff management: invite via email, assign role, set per-user permission overrides
- Verify staff invitation email (
StaffInvitationEmail) received - Invited user accepts → status=‘active’, can log in
- Modify per-user permissions via
userClinicAssignments.permissionsJSONB - Referral program: enable, share code, payout form
- Roles: admin (view own clinic), superadmin (export all)
- View audit log filtered by user, action, entity, date range
- Verify HIPAA fields populated:
accessedPhi,ipAddress,userAgent,status,statusCode - Export audit log CSV (superadmin only)
- Verify 6+ year retention (no auto-delete)
- Patient app: Expo / React Native at
/mobile/odontox-mobile - Passkey registration on iOS / Android
- Push notification opt-in
- View upcoming appointments
- Reschedule appointment
- View document (invoice, receipt, treatment plan)
- Verify responsive web app on iPad: sidebar collapses, inputs auto-scroll into view, touch targets ≥44px
DATABASE 2 — “Bugs”
Properties:- Bug ID (Title) —
BUG-<###> - Title (Text)
- Module (Select) — same options as Test Cases
- Role (Multi-select) — which roles can reproduce
- Plan (Multi-select)
- Severity (Select) — S0 Blocker, S1 Critical, S2 High, S3 Medium, S4 Low
- Status (Select) — Open, In Triage, In Progress, Fixed, Verified, Won’t Fix, Duplicate
- Steps to Reproduce (Text)
- Expected (Text)
- Actual (Text)
- Screenshot / Video (Files & media)
- Browser / Device (Text)
- Linked Test Case (Relation → Test Cases)
- Reported By (Person)
- Assigned To (Person)
- Found On (Date)
- Fixed In (Text — version / commit)
- Fixed On (Date)
- Verified On (Date)
- Notes (Text)
DATABASE 3 — “Modules”
One row per module. Properties:- Module (Title)
- Module Key (Text)
- Plan Tier Required (Multi-select) — Standard, Pro, Pro+
- Roles With Access (Multi-select)
- Backend Routes (Text — list of
/api/v1/...paths) - Frontend Routes (Text)
- Key Permissions (Text — list of permission keys)
- Linked Test Cases (Relation → Test Cases)
- Open Bug Count (Rollup → Bugs, count where Status = Open)
- Pass Rate (Rollup → Test Cases, % where Status = Pass)
- Smoke Test Status (Select) — Not Started, In Progress, Passing, Failing
- Notes (Text)
| Module | Key | Plan | Roles | Backend Routes | Frontend Routes |
|---|---|---|---|---|---|
| Patients | patients | Standard, Pro, Pro+ | superadmin, admin, doctor, receptionist, patient | /api/v1/patients, /api/v1/patient-files, /api/v1/files | /dashboard?view=patients |
| Appointments | appointments | Standard, Pro, Pro+ | superadmin, admin, doctor, receptionist, patient | /api/v1/appointments | /dashboard?view=appointments |
| Clinical | clinical | Standard, Pro, Pro+ | admin, doctor | /api/v1/dental-charts, /api/v1/treatment-plans, /api/v1/clinical-notes, /api/v1/prescriptions, /api/v1/medications, /api/v1/procedures | /dashboard?view=clinical, /doctor/dental-chart, /treatment-planning, /prescription-management |
| Billing | billing | Standard, Pro, Pro+ | admin, doctor, receptionist, patient | /api/v1/invoices, /api/v1/receipts, /api/v1/quotations, /api/v1/payments, /api/v1/installments, /api/v1/expenses, /api/v1/payroll, /api/v1/insurance-claims | /dashboard?view=billing |
| Inventory | inventory | Pro, Pro+ | admin, receptionist (Pro+) | /api/v1/inventory | /dashboard?view=inventory |
| Lab | lab | Pro, Pro+ | admin, doctor, receptionist | /api/v1/lab-cases, /api/v1/lab-services, /api/v1/laboratories | /dashboard?view=lab |
| Reports | reports | Pro, Pro+ | admin, doctor | /api/v1/reports, /api/v1/stats, /api/v1/analytics | /dashboard?view=reports |
| AI Insights (Ruby) | ai_insights | Pro, Pro+ | admin, doctor, receptionist (limited) | /api/v1/ai/* (16 agents) | embedded across modules |
| whatsapp_api | Pro+ | admin (config); all (use) | /api/v1/whatsapp/config, /api/v1/whatsapp/webhook, /api/v1/messages, /api/v1/bulk-messages | embedded | |
| Bridge (X-ray) | bridge | Pro, Pro+ | admin, doctor | /api/v1/bridge/*, /api/v1/clinic-api-keys | desktop client |
| Auth | auth | all | all | /api/v1/auth, /api/v1/twofactor, /api/v1/passkeys | /auth/login, /auth/signup, /auth/callback, /set-password |
| Onboarding | onboarding | all | superadmin, pending | /api/v1/admin/onboard/*, /api/v1/upgrade-requests | /onboarding, /onboarding/details, /pending-request |
| Settings | settings | all | admin | /api/v1/clinics, /api/v1/staff, /api/v1/branding, /api/v1/email-templates, /api/v1/signatures, /api/v1/rooms, /api/v1/referrals, /api/v1/clinic-modules | /dashboard?view=settings |
| Audit | audit | all | admin (own), superadmin (all) | /api/v1/audit-logs, /api/v1/activity | /dashboard?view=settings (audit tab) |
| Notifications | notifications | all | all | /api/v1/notifications, /api/v1/sse | embedded |
| Mobile | mobile | all | patient, staff | mobile app endpoints | Expo: /app/* |
DATABASE 4 — “Roles”
Properties:- Role (Title)
- Permission Count (Number)
- Scope (Text)
- Can Test On Plan (Multi-select)
- Test Cases Assigned (Relation → Test Cases)
- Coverage % (Rollup)
| Role | Permission Count | Scope | Description |
|---|---|---|---|
| superadmin | 178+ | platform-wide | Manage clinics, modules, licenses, alerts, all impersonation. Cannot be plan-restricted. |
| admin | 178 | current clinic | All clinic operations: staff, inventory, payroll, settings, branding. Per-user permission overrides via userClinicAssignments.permissions. |
| doctor | 120+ | current clinic | Clinical: charts, plans, notes, Rx, meds. Appointments, patient mgmt, vitals, consent. Billing. Lab full. AI access (full agents). NO inventory mgmt, NO payroll, NO expenses, NO insurance claims. |
| receptionist | 75+ (Standard) / 78 (Pro) / 80 (Pro+) | current clinic | Appointments, patients view/create/edit, billing view, lab case create, communication, consent, recalls. Pro adds inventory view + adjust. Pro+ adds inventory create/edit + supplier mgmt + signatures. AI: limited (appointment_nudges, daily_brief, payment_reminder). |
| patient | 13 | own records only | View own appointments, treatment plans, invoices, receipts, payments, quotations, dental chart, clinical notes. Accept treatment plans. View consent, prescriptions. Patient portal only. |
| pending | 0 | none | Awaiting superadmin approval. Lands on /pending-request. No app access. |
DATABASE 5 — “Email Templates”
Properties:- Template (Title)
- Category (Select) — Auth, Onboarding, Trial, Appointment, Billing, Clinical, Communication, Operations, Referral
- Trigger Event (Text)
- Recipient Role (Multi-select)
- Subject Line (Text)
- Test Status (Select) — Not Tested, Sent, Received, Content OK, Content Issues, Failed to Send
- Content Verified (Checkbox) — links work, vars rendered, branding correct
- Mobile Render OK (Checkbox)
- Verified On (Date)
- Linked Bug (Relation → Bugs)
- Notes (Text)
- OTPEmail → 2FA login or password reset
- PasswordResetConfirmationEmail → POST /auth/forgot-password
- WelcomeEmail → first successful login
- OnboardingConfirmationEmail → POST /auth/signup (non-superadmin)
- OnboardingNotificationEmail → same trigger, sent to superadmin
- ApprovalEmail → superadmin approves request
- TrialExpiringEmail → cron, 2 days before trialEndDate
- AppointmentScheduledEmail → POST /appointments
- AppointmentReminderEmail → cron, 24h before
- InvoiceEmail → POST /invoices/send
- PaymentReminderEmail → AI agent, manually triggered or cron
- StockAlertEmail → cron, when item.quantity ≤ reorderLevel
- EODReportEmail → cron, end of day
- StaffInvitationEmail → POST /staff/invite
- (etc. — fill in remaining triggers)
DATABASE 6 — “Cron Jobs”
Properties:- Job Name (Title)
- Cron Expression (Text)
- UTC Time (Text)
- PKT Time (Text — UTC+5)
- Description (Text)
- Last Run Status (Select) — Not Tested, Ran OK, Ran with errors, Did not run
- Last Run At (Date)
- Output Verified (Checkbox)
- Linked Bug (Relation → Bugs)
- Notes (Text)
| Job | When | What it does |
|---|---|---|
| Appointment 24h reminders | 09:00 UTC daily | Email + WhatsApp to patients with appointment in next 24h |
| Appointment 1h reminders | 14:00 UTC daily (frequency may vary) | WhatsApp to patients with appointment in next 1h |
| Stock low-level alert | 04:00 UTC daily | Find items where quantity ≤ reorderLevel; email admin + create in-app notification |
| Stock expiry alert | 04:00 UTC daily | 30-day and 7-day pre-expiry warnings |
| EOD report | 16:00 UTC daily | Generate AI daily brief, send EODReportEmail to admins |
| Trial-expiring alert | 04:00 UTC daily | Find clinics where trialEndDate ≤ now+2d and unsent; send TrialExpiringEmail |
| Trial-expired enforcement | 04:00 UTC daily | Block clinics where trialEndDate < now; flip subscriptionStatus |
| Subscription renewal | continuous (Stripe webhooks, not cron) | charge.succeeded → extend currentPeriodEnd |
| Payment overdue reminder | 09:00 UTC daily | Find overdue invoices, AI-generate reminder, send (tone escalates: friendly → firm → final) |
| Recall reminders | 09:00 UTC daily | Find patients due for recall (e.g. 6-month cleaning); send reminder |
| Database backup | scheduled via .github/workflows/db-backup.yml | pg_dump → encrypted → S3 |
DATABASE 7 — “Integrations”
Properties:- Integration (Title)
- Provider (Text)
- Required For (Multi-select) — list of modules
- Env Vars (Text)
- Test Status (Select) — Not Tested, Working, Working with issues, Broken
- Smoke Test (Text — what to do to verify it works)
- Last Tested (Date)
- Linked Bug (Relation → Bugs)
- Notes (Text)
| Integration | Provider | Required For | Env Vars | Smoke Test |
|---|---|---|---|---|
| Database | Neon PostgreSQL | everything | DATABASE_URL | Connect, run SELECT 1 |
| File Storage | Cloudflare R2 | patient files, branding, DICOM, public docs | R2 bindings | Upload + download a file |
| Zepto | all transactional email | ZEPTO_*, ZEPTO_FROM_EMAIL | Send test welcome email, confirm receipt | |
| Payments | Stripe | subscriptions, invoices | STRIPE_SECRET_KEY, STRIPE_WEBHOOK_SECRET | Run test card 4242, verify webhook event recorded |
| AI | DeepSeek V3.2 | AI agents | DEEPSEEK_API_KEY | POST /api/v1/ai/grammar with sample text |
| AI Tracing | Langfuse HIPAA cloud | AI observability + prompts | LANGFUSE_PUBLIC_KEY, LANGFUSE_SECRET_KEY | Run an AI call, confirm trace appears in Langfuse dashboard |
| Bot Protection | Cloudflare Turnstile | signup, contact form | TURNSTILE_* | Submit signup form, verify token validation |
| Meta WhatsApp Cloud API | whatsapp_api module | per-clinic encrypted in clinicModules.config | Send template message, receive inbound test message | |
| Bridge (DICOM) | OdontoX Bridge desktop | bridge module | clinic API key | Drop DICOM in watched folder, confirm upload + metadata |
| Authentication | Argon2 + JWT + WebAuthn | auth | JWT_SECRET, SESSION_TIMEOUT | Login, refresh, register passkey |
TOP-LEVEL PAGE SECTIONS
After the 7 databases, add these sections to the top-level page: Section: “Cross-Tenant Data Isolation Tests” A checklist:- User in Clinic A cannot fetch Clinic B patient by direct API call
- User in Clinic A cannot fetch Clinic B file from R2 even with file ID
- User in Clinic A cannot view Clinic B audit logs
- Switching clinics issues new JWT with updated clinicId claim
- Multi-clinic user sees correct clinic data after each switch
- Superadmin impersonation logs
impersonatorIdon every action - Exiting impersonation clears impersonator state
- Standard plan blocks 51st patient
- Standard plan blocks 2nd staff invitation
- Pro plan caps at 5 staff users
- Pro+ plan caps at 10 staff users
- Storage cap enforced (R2 upload rejected past quota)
- DICOM analysis quota: Pro 10/month then blocked; Pro+ unlimited
- Trial expiry blocks all access
- Doctor cannot create inventory item
- Receptionist cannot run payroll
- Patient cannot view another patient
- Doctor cannot create insurance claim
- Receptionist (Standard) cannot view inventory
- Receptionist (Pro) can view but cannot create inventory
- Receptionist (Pro+) can manage suppliers
- Admin cannot impersonate (only superadmin)
- Pending user cannot access app
- Patient cannot view dental chart of another patient
- Login lockout triggers after 5 failed attempts
- Password reset OTP single-use (cannot replay)
- Refresh token reuse detected → invalidates token family
- CSRF token required on state-changing requests
- All AI prompts pass through Langfuse (no leakage to OpenAI/etc.)
- WhatsApp webhook rejects invalid HMAC signatures
- Sensitive secrets (WhatsApp accessToken, Stripe key) never logged
- PHI never logged in audit
accessedPhipayload (only field names, not values)
- Dashboard loads under 2s on 4G connection
- Patient list paginates correctly past 1000 patients
- DICOM file upload streams (no full memory load)
- Module switching does not refetch full sidebar (keepalive working)
- iPad input focus auto-scrolls into view
- Toast position adapts: top-center mobile, top-right desktop
- Sidebar collapses by default on tablet (768–1023px)
- Last successful DB backup exists and is < 24h old
- Restore-to-staging dry run completes successfully
- R2 bucket versioning enabled
- Documented RTO < 1h, RPO < 24h verified
- All S0 / S1 bugs resolved or accepted
- Pass rate ≥95% across all test cases
- All transactional emails verified (content + delivery)
- All cron jobs ran successfully at least once
- All integrations Working
- Security sanity checks all pass
- DR drill completed
- Sign-off by: QA Lead, Engineering Lead, Product Lead
Generate the entire structure now. Create the databases as full-page databases, populate every row I listed, and add all checklists. Do not stop early. Do not collapse rows into prose. After you finish, give me a one-line “Done — open the Test Plan Hub” confirmation and nothing else.
--- PROMPT END ---
How to use this
- Open Notion, create a blank page where you want the QA workspace to live.
- Open Notion AI on that page (
Spacekey or the AI icon). - Paste only the content between
--- PROMPT START ---and--- PROMPT END ---(everything inside that block). - Wait for Notion AI to generate. It may take a few minutes — it has to create 7 databases and ~80+ rows.
- If Notion AI stops midway (it does this for very long generations), tell it: “Continue from where you left off — keep building the structure exactly as specified.”
- Once done, you’ll have a full QA workspace. Start with the Test Cases database, work module by module, role by role.
- Log every defect to Bugs and link it back to the failing Test Case.
- Use the Email Templates and Cron Jobs databases as you trigger the relevant flows — those need real-world testing, not just unit checks.
Tips while testing
- Test in this role order: superadmin → admin → doctor → receptionist → patient → pending. This mirrors a real clinic onboarding sequence and catches privilege-escalation issues fast.
- Test in this plan order: Standard → Pro → Pro+. Plan limits and permission deltas are the most common bug surface.
- Use distinct browser profiles (or incognito windows) per role so you don’t accidentally hit single-session enforcement and lose state.
- Capture screenshots of every failure and attach to the Bug row. The “Files & media” property accepts paste from clipboard.
- Don’t fix as you go. Log everything, batch-fix at the end. Switching contexts mid-session corrupts test coverage.
- Cron jobs and emails are time-dependent. For the 24h reminder cron, create an appointment for tomorrow and check the next morning. Don’t try to artificially trigger crons — test them as the user would experience them.