# Provider Control Tower QA Checklist

## API

- [ ] Unauthenticated users receive 401 on protected provider control endpoints.
- [ ] Tourist and Partner users receive 403 on global provider settings.
- [ ] Support Agent can read provider health but cannot create, update, disable, or health-check integrations.
- [ ] Admin with provider permissions can create and update integrations.
- [ ] Super Admin wildcard access can manage all control tower endpoints.
- [ ] Category mode update creates an `AuditLog` row with resource type `category_mode`.
- [ ] Provider create, update, disable, and health check create `AuditLog` rows with resource type `provider_integration`.
- [ ] Raw secret values and unknown `secretValue` fields are rejected by validators.
- [ ] Only `vaultSecretRef` is persisted.
- [ ] Production provider enablement is blocked without `vaultSecretRef`.
- [ ] Demo providers cannot be marked live ready.
- [ ] Demo providers cannot enable payment, refund, or commission flags.
- [ ] Refund and commission flags are blocked unless payment is enabled.
- [ ] Production live readiness is blocked when health is degraded, down, or disabled.
- [ ] Shared API-client endpoints are exported from `@navi/api-client`.

## Dashboard

- [ ] Category Modes page loads real categories from API.
- [ ] Mode update persists and shows success state.
- [ ] Provider Integrations page lists real integration records.
- [ ] Provider Integrations page shows provider detail, URLs, vault ref name, created by, updated by, and audit-related metadata.
- [ ] Provider Integrations page shows a read-only recent audit timeline per integration when audit permission is available.
- [ ] Provider Integrations page displays safety labels: Demo only, Sandbox ready, Production live, Missing vault reference, Booking disabled, Payment disabled, Refund disabled, Commission disabled.
- [ ] Create integration form persists a record.
- [ ] Save changes updates a record.
- [ ] Disable turns off all capability flags.
- [ ] Mock health check updates health status and creates audit.
- [ ] Payment Provider Settings page shows only payment/refund/commission-enabled providers.
- [ ] Payment Provider Settings page shows readiness blockers for payment/refund/commission combinations.
- [ ] Third-Party API Settings page shows URLs and vault refs, not secret values.
- [ ] Provider Health page is visible to Support Agent and read-only.
- [ ] Provider Audit History page shows control tower audit logs.
- [ ] Empty, loading, error, permission denied, and success states are visible.

## Security

- [ ] No provider raw secret values exist in database exports.
- [ ] Production providers are not marked live ready without human approval.
- [ ] Demo-only providers are not used as production providers.
- [ ] Partner users cannot see global provider settings from forced URL access.