# Phase 1 Manual Test Checklist

## Routing

- [ ] `/public/index.php` redirects to the dashboard.
- [ ] `/public/page.php?p=dashboard` loads the dashboard.
- [ ] `/public/page.php?p=system_health` loads health checks.
- [ ] `/public/page.php?p=random_bad_route` shows the 404 template.

## Design separation

- [ ] Dashboard display logic is in `/templates/dashboard/index.php`.
- [ ] Dashboard data preparation is in `/modules/dashboard/controller.php`.
- [ ] Shared shell design is in `/templates/layouts/app.php` and `/templates/partials`.
- [ ] CSS is in `/public/assets/css/kyn-pos.css`.
- [ ] JS is in `/public/assets/js/kyn-pos.js`.

## Security foundation

- [ ] No request parameter is used as a raw include path.
- [ ] CSRF token exists in the page meta tag.
- [ ] Foundation login POST requires CSRF.
- [ ] `/inc/config.local.php` is ignored by Git.
- [ ] `/storage/logs` is outside public webroot.

## Database

- [ ] App works even before DB credentials are configured.
- [ ] Health page reports DB status without exposing credentials.
- [ ] Migration SQL uses InnoDB and utf8mb4.