np-dms/lcbp3
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity
Files
e04ec1243d84da0b0cf67fe6d63325ac1ca275f9
lcbp3/docs/temp.md
admin 047e1b88ce
Some checks failed
Spec Validation / validate-markdown (push) Has been cancelled
Details
Spec Validation / validate-diagrams (push) Has been cancelled
Details
Spec Validation / check-todos (push) Has been cancelled
Details
Main: revise specs to 1.5.0 (completed)
2025-12-01 01:28:32 +07:00

715 lines
21 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# 🚀 GitHub Spec Kit: การใช้งานร่วมกับ Requirements & FullStackJS v1.4.5
## ðŸ" ภาพรวม
GitHub Spec Kit เป็นเครื่องมือที่ช่วยให้คุณสร้าง **Issue Specifications** ที่มีโครงสร้างชัดเจนและครบถ้วนสำหรับโปรเจค LCBP3-DMS โดยอ้างอิง Requirements v1.4.5 และ FullStackJS v1.4.5
---
## 🎯 วัตถุประสงค์หลัก
1. **แปลง Requirements เป็น Actionable Tasks** - แบ่งความต้องการขนาดใหญ่เป็น issues ขนาดเล็กที่ทำได้จริง
2. **รักษา Standards** - ทุก issue ต้องสอดคล้องกับ FullStackJS Guidelines
3. **Traceability** - อ้างอิงกลับไปยัง Requirements ได้ทุกครั้ง
4. **Consistency** - ใช้ template และรูปแบบเดียวกันทั้งโปรเจค
---
## ðŸ"š โครงสร้าง Spec Kit
### 1. **Issue Title Format**
```
[<Module>] <FeatureType>: <ShortDescription>
```
**ตัวอย่าง:**
- `[RFA] Feature: Implement RFA Creation Workflow`
- `[Auth] Security: Add Rate Limiting to Login Endpoint`
- `[File] Refactor: Implement Two-Phase Storage Strategy`
### 2. **Issue Labels**
- **Type:** `feature`, `bug`, `refactor`, `security`, `performance`
- **Priority:** `critical`, `high`, `medium`, `low`
- **Module:** `backend`, `frontend`, `database`, `infrastructure`
- **Status:** `blocked`, `in-progress`, `review-needed`
### 3. **Issue Template Structure**
```markdown
## 📋 Overview
[Brief description of what needs to be done]
## 🎯 Requirements Reference
- **Section:** [Requirements v1.4.5 - Section X.X]
- **Related:** [Link to specific requirement]
## ðŸ'» Technical Specifications
### Backend (NestJS)
- Module: `<ModuleName>`
- Files to modify:
- [ ] `src/modules/<module>/<file>.ts`
- Dependencies: `<npm packages>`
### Frontend (Next.js)
- Pages/Components:
- [ ] `app/<page>/page.tsx`
- Dependencies: `<npm packages>`
### Database
- Tables affected: `<table_names>`
- Migrations needed: [ ] Yes / [ ] No
## ✅ Acceptance Criteria
- [ ] Criterion 1
- [ ] Criterion 2
- [ ] Security checks passed
- [ ] Tests written and passing
- [ ] Documentation updated
## 🧪 Testing Requirements
- [ ] Unit tests (70% coverage minimum)
- [ ] Integration tests
- [ ] E2E tests (if applicable)
## 🔒 Security Checklist
- [ ] Input validation implemented
- [ ] RBAC permissions checked
- [ ] Audit logging added
- [ ] No sensitive data in logs
## ðŸ"— Related Issues
- Blocks: #<issue_number>
- Depends on: #<issue_number>
- Related to: #<issue_number>
## ðŸ"Œ Notes
[Any additional context, decisions, or constraints]
```
---
## ðŸ› ï¸ วิธีการใช้งาน
### **Step 1: ระบุ Feature จาก Requirements**
อ้างอิง: `0_Requirements_V1_4_5.md`
**ตัวอย่าง:**
```
Section 3.3: การจัดการเอกสารขออนุมัติ (RFA)
```
### **Step 2: สร้าง Issue Specification**
**Title:**
```
[RFA] Feature: Implement RFA Creation with Workflow Engine
```
**Overview:**
```markdown
## 📋 Overview
Implement the RFA (Request for Approval) creation workflow that allows
Document Control users to create RFAs with multiple revisions and trigger
the unified workflow engine.
## 🎯 Requirements Reference
- **Section:** Requirements v1.4.5 - Section 3.3
- **Page Reference:** Lines 250-275
- **Key Requirements:**
- Support PDF file uploads only [3.3.2]
- Multiple revisions support [3.3.2]
- Draft/Submitted state management [3.3.3]
- Integration with Unified Workflow Engine [3.3.5]
```
### **Step 3: กำหนด Technical Specs ตาม FullStackJS**
อ้างอิง: `1_FullStackJS_V1_4_5.md`
````markdown
## ðŸ'» Technical Specifications
### Backend (NestJS)
- **Module:** `RfaModule` [Section 3.9.7]
- **Files to modify:**
- [ ] `src/modules/rfa/rfa.controller.ts`
- [ ] `src/modules/rfa/rfa.service.ts`
- [ ] `src/modules/rfa/dto/create-rfa.dto.ts`
- [ ] `src/modules/workflow/workflow-engine.service.ts`
- **Dependencies:**
```json
{
"@nestjs/typeorm": "^10.0.0",
"class-validator": "^0.14.0",
"class-transformer": "^0.5.1"
}
```
````
- **Implementation Guidelines:**
- Use Two-Phase Storage for file uploads [Section 3.3]
- Apply Optimistic Locking for race conditions [Section 3.2.1]
- Integrate with DocumentNumberingService [Section 3.9.12]
- Follow RBAC permissions [Section 5.4]
### Frontend (Next.js)
- **Pages/Components:**
- [ ] `app/rfas/new/page.tsx`
- [ ] `components/rfa/rfa-form.tsx`
- [ ] `components/rfa/revision-manager.tsx`
- **Dependencies:**
```json
{
"react-hook-form": "^7.50.0",
"zod": "^3.22.0",
"@tanstack/react-query": "^5.20.0"
}
```
- **State Management:** [Section 4.10]
- Use React Query for server state
- Use React Hook Form for form state
- Implement auto-save drafts to localStorage [Section 4.1.1]
### Database
- **Tables affected:**
- `rfas` - main table
- `rfa_revisions` - revision history
- `rfa_items` - related items
- `workflow_instances` - workflow state
- **Migrations needed:** [ ✓ ] Yes
- Create migration for virtual columns if using JSON [Section 3.2.2]
````
### **Step 4: กำหนด Acceptance Criteria**
```markdown
## ✅ Acceptance Criteria
### Functional Requirements
- [ ] Document Control users can create new RFAs
- [ ] Support PDF file upload (max 50MB) [Section 3.10.1]
- [ ] RFA can have multiple revisions [Section 3.3.2]
- [ ] RFA number auto-generated using format template [Section 3.11]
- [ ] Draft state allows editing, Submitted state is read-only [Section 3.3.3]
- [ ] Triggers workflow engine on submission [Section 3.3.5]
### Non-Functional Requirements
- [ ] API response time < 200ms (excluding file processing) [Section 6.4]
- [ ] Virus scanning implemented for all uploads [Section 3.10.2]
- [ ] File integrity checks (checksum) performed [Section 3.10.3]
- [ ] Audit log entry created for all actions [Section 6.1]
- [ ] RBAC permissions enforced (rfas.create) [Section 5.4.2]
### Security Requirements
- [ ] Input validation using class-validator [Section 2.1]
- [ ] Rate limiting applied (1000 req/hour for Editor) [Section 6.5.1]
- [ ] No sensitive data in error messages [Section 6.5.4]
- [ ] Download links expire after 24 hours [Section 3.10.2]
````
### **Step 5: กำหนด Testing Requirements**
```markdown
## 🧪 Testing Requirements
### Unit Tests (Jest) [Section 3.14]
- [ ] RfaService.create() - success case
- [ ] RfaService.create() - validation failures
- [ ] RfaService.create() - file upload failures
- [ ] RfaService.create() - race condition handling
- [ ] DocumentNumberingService integration
- **Target Coverage:** 70% minimum [Section 7.1]
### Integration Tests (Supertest) [Section 7.2]
- [ ] POST /api/rfas - with valid file upload
- [ ] POST /api/rfas - with invalid file type
- [ ] POST /api/rfas - with virus-infected file
- [ ] POST /api/rfas - without required permissions
- [ ] Workflow engine integration test
### E2E Tests (Playwright) [Section 7.3]
- [ ] Complete RFA creation flow
- [ ] File upload with drag-and-drop
- [ ] Form auto-save and recovery
- [ ] Error handling and user feedback
### Security Tests [Section 7.4]
- [ ] SQL injection attempts blocked
- [ ] XSS attacks prevented
- [ ] File upload security bypass attempts
- [ ] Rate limiting enforcement
```
### **Step 6: Security Checklist**
```markdown
## 🔒 Security Checklist [Section 6.5]
### Input Validation
- [ ] All DTOs use class-validator [Section 3.1]
- [ ] File type white-list enforced (PDF only) [Section 3.10.1]
- [ ] File size limit checked (50MB max) [Section 3.10.1]
- [ ] JSON schema validation for details field [Section 3.12]
### Authentication & Authorization
- [ ] JWT token validation [Section 5.1]
- [ ] RBAC permission check (rfas.create) [Section 5.4]
- [ ] Organization scope validation [Section 4.2]
- [ ] Session tracking implemented [Section 6.5.4]
### Data Protection
- [ ] Audit log entry created [Section 8.1]
- [ ] Sensitive data not logged [Section 6.5.4]
- [ ] File integrity checksum stored [Section 3.10.3]
- [ ] Virus scanning completed [Section 3.10.2]
### Rate Limiting [Section 6.5.1]
- [ ] Editor: 1000 req/hour
- [ ] File Upload: 50 req/hour
- [ ] Fallback for rate limiter failures
```
---
## ðŸ"Š ตัวอย่าง Issue ที่สมบูรณ์
### Issue #1: [RFA] Feature: Implement RFA Creation with Workflow Engine
````markdown
## 📋 Overview
Implement the RFA (Request for Approval) creation workflow that allows
Document Control users to create RFAs with multiple revisions and trigger
the unified workflow engine.
## 🎯 Requirements Reference
- **Section:** Requirements v1.4.5 - Section 3.3
- **Lines:** 250-275
- **Key Requirements:**
- วัตถุประสงค์: เอกสารขออนุมัติ (RFA) ภายใน โครงการ [3.3.1]
- ประเภทเอกสาร: รองรับเอกสารรูปแบบ ไฟล์ PDF [3.3.2]
- รองรับ Multiple Revisions [3.3.2]
- Draft/Submitted State Management [3.3.3]
- Unified Workflow Integration [3.3.5]
## ðŸ'» Technical Specifications
### Backend (NestJS)
**Module:** `RfaModule` [FullStackJS Section 3.9.7]
**Files to create/modify:**
- [ ] `src/modules/rfa/rfa.controller.ts`
- [ ] `src/modules/rfa/rfa.service.ts`
- [ ] `src/modules/rfa/dto/create-rfa.dto.ts`
- [ ] `src/modules/rfa/entities/rfa.entity.ts`
- [ ] `src/modules/rfa/entities/rfa-revision.entity.ts`
- [ ] `src/modules/workflow/workflow-engine.service.ts`
**Dependencies:**
```json
{
"@nestjs/typeorm": "^10.0.0",
"class-validator": "^0.14.0",
"class-transformer": "^0.5.1",
"uuid": "^9.0.0"
}
```
````
**Implementation Guidelines:**
1. **File Storage:** Use Two-Phase Storage Strategy [FullStackJS 3.3]
- Phase 1: Upload to `temp/` with virus scan
- Phase 2: Move to `permanent/{YYYY}/{MM}/` on commit
2. **Concurrency:** Apply Optimistic Locking [FullStackJS 3.2.1]
```typescript
@VersionColumn()
version: number;
```
3. **Document Numbering:** [FullStackJS 3.9.12]
- Inject `DocumentNumberingService`
- Use Redis distributed lock for counter
- Format: `{ORG}-RFA-{DISCIPLINE}-{SEQ:4}-{REV}`
4. **Workflow Integration:** [FullStackJS 3.9.14]
- Call `WorkflowEngineService.createInstance()`
- Set initial state to 'DRAFT'
- Transition to workflow on submission
### Frontend (Next.js)
**Pages/Components:**
- [ ] `app/rfas/new/page.tsx` - Main creation page
- [ ] `components/rfa/rfa-form.tsx` - Form component
- [ ] `components/rfa/revision-manager.tsx` - Revision UI
- [ ] `components/file-upload/multi-file-upload.tsx` - File upload
**Dependencies:**
```json
{
"react-hook-form": "^7.50.0",
"zod": "^3.22.0",
"@tanstack/react-query": "^5.20.0",
"react-dropzone": "^14.2.3"
}
```
**State Management:** [FullStackJS 4.10]
- **Server State:** React Query for RFA data
- **Form State:** React Hook Form + Zod validation
- **Auto-save:** LocalStorage for drafts [FullStackJS 4.1.1]
**File Upload UX:** [FullStackJS 5.7]
```typescript
// Multi-file drag-and-drop
// Distinguish between "Main Document" and "Supporting Attachments"
// Show virus scan progress
// Display file type icons and security warnings
```
### Database
**Tables affected:**
- `rfas` - Main RFA table
- `rfa_revisions` - Revision history
- `rfa_items` - Related items
- `workflow_instances` - Workflow state
- `attachments` - File metadata
- `rfa_attachments` - Junction table
**Migrations needed:** [ ✓ ] Yes
```sql
-- Example migration structure
CREATE TABLE rfas (
rfa_id INT PRIMARY KEY AUTO_INCREMENT,
project_id INT NOT NULL,
rfa_number VARCHAR(100) UNIQUE NOT NULL,
current_state VARCHAR(50),
version INT DEFAULT 1,
created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
deleted_at TIMESTAMP NULL,
FOREIGN KEY (project_id) REFERENCES projects(project_id)
);
```
## ✅ Acceptance Criteria
### Functional Requirements
- [ ] Document Control users can create new RFAs
- [ ] Support PDF file upload (max 50MB) [Req 3.10.1]
- [ ] RFA can have multiple revisions [Req 3.3.2]
- [ ] RFA number auto-generated: `{ORG}-RFA-{DISCIPLINE}-{SEQ:4}-{REV}` [Req 3.11]
- [ ] Draft state allows editing, Submitted state is read-only [Req 3.3.3]
- [ ] Admin can cancel/revert submitted RFAs [Req 3.3.3]
- [ ] Triggers unified workflow engine on submission [Req 3.3.5]
- [ ] Can reference Shop Drawings in RFA [Req 3.3.4]
### Non-Functional Requirements
- [ ] API response time < 200ms (excluding file processing) [Req 6.4]
- [ ] File upload completes < 30 seconds for 50MB [Req 6.4]
- [ ] Virus scanning implemented (ClamAV) [Req 3.10.2]
- [ ] File integrity checks (checksum) performed [Req 3.10.3]
- [ ] Audit log entry created for all actions [Req 6.1]
- [ ] RBAC permissions enforced (rfas.create, rfas.respond) [Req 5.4.2]
### UI/UX Requirements [FullStackJS 5.7]
- [ ] Form uses React Hook Form + Zod validation
- [ ] Multi-file drag-and-drop interface
- [ ] Clear distinction between main document and attachments
- [ ] Real-time virus scan feedback
- [ ] File type indicators and security warnings
- [ ] Auto-save draft to localStorage every 30 seconds
- [ ] Mobile-responsive (Card View on small screens)
### Security Requirements [Req 6.5]
- [ ] Input validation using class-validator
- [ ] Rate limiting: Editor 1000 req/hour, File Upload 50 req/hour
- [ ] No sensitive data in error messages
- [ ] Download links expire after 24 hours
- [ ] Files stored outside web root
- [ ] Access control checks before file download
## 🧪 Testing Requirements
### Unit Tests (Jest) [FullStackJS 3.14]
```typescript
describe('RfaService', () => {
describe('create', () => {
it('should create RFA with valid data');
it('should reject invalid file types');
it('should handle race conditions with optimistic locking');
it('should generate correct RFA number');
it('should trigger workflow on submission');
});
});
```
- **Target Coverage:** 70% minimum [Req 7.1]
### Integration Tests (Supertest) [FullStackJS 3.14]
```typescript
describe('POST /api/rfas', () => {
it('should create RFA with file upload');
it('should reject virus-infected files');
it('should enforce RBAC permissions');
it('should create workflow instance');
});
```
### E2E Tests (Playwright) [FullStackJS 4.9]
```typescript
test('Complete RFA creation flow', async ({ page }) => {
// Login as Document Control user
// Navigate to RFA creation page
// Fill form with test data
// Upload main document (PDF)
// Upload supporting attachment
// Verify auto-save works
// Submit RFA
// Verify workflow starts
});
```
### Security Tests [Req 7.4]
- [ ] SQL injection attempts blocked
- [ ] XSS attacks prevented
- [ ] File upload security bypass attempts
- [ ] Rate limiting enforcement
- [ ] Unauthorized access attempts blocked
## 🔒 Security Checklist [Req 6.5]
### Input Validation
- [ ] All DTOs use class-validator decorators
- [ ] File type white-list enforced (PDF only)
- [ ] File size limit checked (50MB max)
- [ ] JSON schema validation for details field
- [ ] Sanitize all user inputs
### Authentication & Authorization
- [ ] JWT token validation on all endpoints
- [ ] RBAC permission check (rfas.create, rfas.respond)
- [ ] Organization scope validation
- [ ] Project membership validation
- [ ] Session tracking and concurrent session limits
### Data Protection
- [ ] Audit log entry for: create, update, submit, cancel
- [ ] Sensitive data not logged (file contents, user emails)
- [ ] File integrity checksum stored in database
- [ ] Virus scanning before file is accessible
- [ ] Encrypted storage for sensitive metadata
### Rate Limiting [Req 6.5.1]
- [ ] Document Control: 2000 req/hour
- [ ] File Upload: 50 req/hour per user
- [ ] Graceful degradation if Redis unavailable
- [ ] Alert on rate limit violations
## ðŸ"— Related Issues
- **Depends on:**
- #<issue> FileStorageService implementation
- #<issue> WorkflowEngine implementation
- #<issue> DocumentNumberingService implementation
- **Blocks:**
- #<issue> RFA Response/Approval workflow
- #<issue> RFA Reports and Analytics
- **Related to:**
- #<issue> Shop Drawing reference system
- #<issue> Unified Workflow Engine
## ðŸ"Œ Notes
### Design Decisions
1. **Why Two-Phase Storage?**
- Prevents orphan files if transaction fails
- Allows virus scanning before commitment
- Reference: FullStackJS Section 3.3
2. **Why Application-level Locking?**
- More portable than database stored procedures
- Better observability with Redis
- Reference: FullStackJS Section 3.9.12
3. **Why Optimistic Locking?**
- Better performance than pessimistic locks
- Handles concurrent updates gracefully
- Reference: FullStackJS Section 3.2.1
### Implementation Order
1. Backend: Entity, DTO, Service (with tests)
2. Backend: Controller, Guards, Interceptors
3. Database: Migration scripts
4. Frontend: Form component (with validation)
5. Frontend: File upload component
6. Frontend: Integration with API
7. E2E: Complete user flow test
### Risk Mitigation
- **File Upload Failures:** Implement retry with exponential backoff
- **Virus Scan Downtime:** Queue files for later scanning, block download
- **Database Contention:** Redis lock + Optimistic lock dual protection
- **Large Files:** Stream uploads, show progress indicator
---
## ðŸ"Œ Labels
`feature` `backend` `frontend` `database` `high-priority` `requires-testing`
## 👤 Assignment
- **Backend:** @backend-team
- **Frontend:** @frontend-team
- **QA:** @qa-team
## ⏱ï¸ Estimated Effort
- **Backend:** 5 days
- **Frontend:** 3 days
- **Testing:** 2 days
- **Total:** 10 days
````
---
## ðŸ"§ Best Practices
### 1. **ความละเอียดที่เหมาะสม**
- ✅ **DO:** แบ่ง issue ให้ทำเสร็จภายใน 1-2 สัปดาห์
- ❌ **DON'T:** สร้าง issue ขนาดใหญ่ที่ใช้เวลาเป็นเดือน
### 2. **การอ้างอิง**
- ✅ **DO:** อ้างอิง section และ line numbers จาก Requirements
- ✅ **DO:** อ้างอิง section จาก FullStackJS Guidelines
- ❌ **DON'T:** Copy-paste ข้อความยาวๆ ทั้งหมด
### 3. **Acceptance Criteria**
- ✅ **DO:** เขียนเป็นข้อๆ ที่ตรวจสอบได้ (testable)
- ✅ **DO:** แยก functional และ non-functional requirements
- ❌ **DON'T:** เขียนคลุมเครือ เช่น "ระบบต้องเร็ว"
### 4. **Testing**
- ✅ **DO:** ระบุ test cases ที่ต้องเขียนชัดเจน
- ✅ **DO:** ระบุ coverage target (70% minimum)
- ❌ **DON'T:** ปล่อยให้ "เขียน test ภายหลัง"
### 5. **Security**
- ✅ **DO:** มี Security Checklist ทุก issue ที่เกี่ยวกับ user input
- ✅ **DO:** ระบุ permission ที่ต้องใช้ชัดเจน
- ❌ **DON'T:** คิดว่า "จะเพิ่ม security ทีหลัง"
---
## ðŸ"Š Issue Workflow
```mermaid
graph LR
A[Create Issue from Req] --> B[Add Technical Specs]
B --> C[Define Acceptance Criteria]
C --> D[Add Testing Requirements]
D --> E[Security Checklist]
E --> F[Link Related Issues]
F --> G[Assign & Estimate]
G --> H[Ready for Development]
````
---
## ✅ สรุป: ขั้นตอนการสร้าง Issue ที่สมบูรณ์
1. **ระบุ Requirement** - เลือก section จาก Requirements v1.4.5
2. **สร้าง Title** - ใช้รูปแบบ `[Module] Type: Description`
3. **เขียน Overview** - สรุปสั้นๆ ว่าต้องทำอะไร
4. **อ้างอิง Requirements** - ระบุ section และ line numbers
5. **กำหนด Technical Specs** - แยกเป็น Backend, Frontend, Database
6. **ใช้ FullStackJS Guidelines** - อ้างอิง section ที่เกี่ยวข้อง
7. **เขียน Acceptance Criteria** - แยก functional/non-functional
8. **ระบุ Testing Requirements** - Unit, Integration, E2E
9. **Security Checklist** - ครอบคลุม OWASP Top 10
10. **Link Related Issues** - ระบุ dependencies และ blockers
11. **เพิ่ม Labels & Assignment** - ใส่ label และมอบหมายงาน
12. **Estimate Effort** - ประมาณการเวลาที่ใช้
---
**เอกสารนี้เป็น Living Document และจะถูกปรับปรุงตามความต้องการของทีมพัฒนา**
Reference in New Issue View Git Blame Copy Permalink