Batch Expiry Management
| Status | Batch Number | Product Name | Expiry Date | Days Remaining | Storage Location | Action |
|---|---|---|---|---|---|---|
Quality Works
Transform Your Quality Control Operations with Smart, Digital Sample Management
📊 Why Choose Our Solution?
Stop losing time with manual registers, Excel sheets, and paper-based tracking. Our system eliminates errors, saves hours of work daily, and ensures you never miss a critical expiry date or calibration deadline.
🔴 The Problem We Solve
❌ Manual Tracking Nightmares
Searching through paper registers, Excel files scattered across computers, samples getting lost or expired without warning.
❌ Audit Failures
Missing documentation, incomplete history, unable to prove who took what sample when - resulting in audit findings.
❌ Equipment Downtime
Missed calibration dates causing production stops, regulatory non-compliance, and costly emergency calibrations.
✅ Our Solution: Complete Digital Control
✓ Instant Sample Tracking
Scan QR codes to find any sample in seconds. Real-time location tracking, automatic expiry alerts, complete transaction history.
✓ 100% Audit Ready
Every action logged automatically with timestamp, user name, and complete details. Generate reports in seconds.
✓ Never Miss Deadlines
Automatic alerts for expiring samples and calibration due dates. Color-coded visual indicators - see critical items instantly.
🚀 Key Features That Save Time & Money
📱 QR Code Scanning
Find samples in 2 seconds by scanning QR labels. Auto-generated labels for samples and equipment with thermal printer support.
⚙️ Equipment Calibration
Automated calibration tracking with advance alerts. Never face production stoppage due to expired calibration again.
📊 Smart Analytics
Visual charts and reports show sample usage patterns, pending vs returned, expiry trends - make informed decisions.
📱 Mobile Friendly
Access from anywhere - desktop, tablet, or smartphone. Responsive design works perfectly on all screen sizes.
🖨️ Thermal Printing
Direct Bluetooth printing to 52mm thermal printers. Print labels instantly without complicated setup.
🔒 Secure Access Control
Role-based permissions ensure only authorized personnel can modify critical data. Complete user tracking for accountability.
💾 Database-Powered
Multiple users work simultaneously without conflicts. MariaDB/MySQL backend ensures data is always safe, never corrupted.
📋 Visual Status System
See critical items at a glance with color-coded icons. Purple = Critical (≤7 days), Red = Expired, Green = Safe.
🦟 Pest Control Management
Complete pest control tracking with device master, readings entry, spray tracking, and meeting management. Comprehensive dashboard and reporting.
📊 Pest Analytics Dashboard
Visual analytics for pest control activities. Track device status, reading trends, spray schedules, and compliance metrics with interactive charts.
⏱️ What You'll Save
Save 2-3 Hours Daily
No more searching through registers. Find any sample in seconds. Automatic data entry and calculations.
Zero Recurring Costs
Local deployment. No monthly subscriptions. No licensing fees. Complete ownership of your data.
Pass Audits Easily
Complete traceability. Every action logged automatically. Generate audit reports in seconds, not days.
Go Paperless
Eliminate thick paper registers. Reduce printing costs. Help the environment while improving efficiency.
Zero Sample Loss
Track every sample movement. Automatic alerts prevent expiry. Know exactly where everything is, always.
Multi-User Access
QC team, Lab team, Production - everyone can access simultaneously. No waiting, no conflicts.
🏭 Perfect For These Industries
🎯 How It Works - Simple 3-Step Process
Setup Storage
Configure your Plants, Racks, and Bins in minutes. One-time setup, use forever.
Add Samples
Enter sample details, assign storage location, print QR label. Takes 30 seconds per sample.
Track & Monitor
System alerts you automatically. Scan to find, track transactions, pass audits effortlessly.
⚙️ System Requirements
- Windows 10 or higher
- MariaDB 10.x or MySQL 8.x
- At least 8 GB RAM
- 500 MB free disk space
- Modern web browser (Chrome, Edge, Firefox)
📋 Release Notes
🚀 Version 1.3.0 (Current Release)
Release Date: January 30, 2026
New Features:
- Pest Control Management Module: Complete pest control tracking system
- Dashboard with real-time pest control status overview
- Device Master - Manage pest control devices (bait stations, traps, fly catchers)
- Readings Entry - Record and track device inspection readings
- Spray Tracking - Log pesticide spray activities with chemicals and areas covered
- Meetings Management - Schedule and track pest control review meetings
- Comprehensive Reports - Generate pest control reports and compliance documentation
- Data Visualization - Interactive charts for pest activity trends and device performance
UI/UX Improvements:
- Fixed sidebar icon spacing for Master Data and User Management menu items
- Improved visual consistency across all sidebar navigation elements
Database Schema Updates:
- New Tables:
- pest_control_devices - Device master data (device_id, device_type, location, status)
- pest_control_readings - Device inspection readings (reading_id, device_id, reading_date, findings)
- pest_control_sprays - Spray activity logs (spray_id, chemical_used, area_covered, date)
- pest_control_meetings - Meeting records (meeting_id, date, attendees, action_items)
✨ Version 1.2.0 (Previous Release)
Release Date: January 23, 2026
New Features:
- Multi-Tenant SSO Authentication: Enterprise-grade identity management
- OIDC (OpenID Connect) integration with Okta, Azure AD, and Google Workspace
- Per-tenant authentication configuration (each company chooses their auth method)
- Automatic tenant detection by email domain
- SSO users auto-provisioned on first login
- Local password fallback option per tenant
- MFA support via corporate identity providers
- Redis Session Persistence: Enterprise session management
- Sessions survive server restarts and deployments
- Shared session store for horizontal scaling
- Instant session revocation capability
- Graceful fallback to memory store if Redis unavailable
- SSO Admin Panel: UI-based SSO configuration (Master Admin only)
- View and manage all tenant authentication configs
- One-click SSO enable/disable toggle per tenant
- Test Connection button to verify IdP connectivity
- Add/edit/delete tenant configurations
- Accessible via Administration > SSO Configuration
Security Enhancements:
- OIDC state and nonce validation for CSRF protection
- Tenant isolation middleware prevents cross-company data access
- Secure cookie configuration (httpOnly, secure, sameSite: lax)
- OIDC client secrets stored server-side only (never exposed to frontend)
- Admin API endpoints restricted to Master Admin (access_level = 1)
- SSO user passwords set to NULL (no local password stored)
Database Schema Updates:
- 2 New Tables:
- tenant_auth_config - Per-company authentication settings (auth_type, OIDC credentials, domain)
- external_identities - SSO user identity mappings (external_id, provider, last_login)
- Modified: users table - password column now nullable, added auth_type column
Technical Updates:
- New auth routes: /auth/login, /auth/callback, /auth/logout, /auth/api/tenant/check
- Admin API: /api/admin/tenants (CRUD + toggle + test)
- Tenant detection middleware (query, email domain, session, header)
- OIDC discovery endpoint caching for performance
- Redis connection with connect-redis v8
- Docker Compose updated with Redis service
- Development mock SSO for testing (/auth/dev-login)
✨ Version 1.1.5
Release Date: January 22, 2026
New Features:
- Quality Walkabout Module: Complete quality observation and CAPA tracking system
- Create and submit quality walkabouts with reporter and action person assignment
- Dashboard showing Open, My Actions, and Walkabout History tabs
- Due date tracking with color-coded alerts (Overdue, Critical, Warning, On Track)
- CAPA Details editable by action person when walkabout is Open
- File attachments support for both reporter and action person
- Comments section for discussion between reporter and action person
- Complete audit trail with history tracking (created, submitted, closed, reopened)
- Reopen functionality with reopen count badge display
- Closure authority management for plant-level control
- Real-time notifications for new and pending walkabouts
- Multi-Region Timezone Support: UTC-based storage with local timezone display
- Database stores all timestamps in UTC for consistency
- Client automatically converts to user's local timezone
- Supports users in India, Dubai, Middle East, South Africa, and other regions
- Login time displays correctly in user's local timezone
- Walkabout Notification System: iOS-style notification popup
- Shows count of Overdue, Critical, and Warning walkabouts
- Lists pending walkabouts assigned to current user
- Quick access to My Actions tab from notification
Improvements:
- Red View History button for better visibility in walkabout detail modal
- Centered button alignment in all walkabout tables (Open, View, View/Update)
- Orange reopen count badge displayed next to walkabout UID
- Date-only display for Batch Expiry and Calibration dates (no unnecessary time)
- DateTime display with local timezone for history logs and audit trails
- Removed Info button from Walkabout Register for cleaner UI
Bug Fixes:
- Fixed walkabout history showing UTC time instead of local time
- Fixed comment Add button not responding to clicks
- Fixed file upload not showing confirmation notification
- Fixed reopened walkabouts not appearing in My Actions tab
- Fixed notification popup 404 error on session API
- Fixed Equipment Calibration History showing unnecessary time on date-only fields
Database Schema Updates:
- 5 New Tables for Quality Walkabout:
- quality_walkabouts - Main walkabout records with status, dates, reporter/action person
- quality_walkabout_attachments - File uploads (reporter + action person)
- quality_walkabout_comments - Discussion comments with role tracking
- quality_walkabout_history - Complete audit trail of all actions
- quality_walkabout_closure_authority - Users authorized to close walkabouts
- New Column: reopenCount INT DEFAULT 0 in quality_walkabouts table
Technical Updates:
- Database connection configured with timezone: 'Z' for UTC storage
- formatWalkaboutDateTime() function appends 'Z' suffix for proper UTC to local conversion
- formatDateTime() and formatDate() functions for consistent date/time display
- 15+ new API endpoints for walkabout CRUD operations
- Email notifications for walkabout assignment and status changes
✨ Version 1.1.4 (Previous Release)
Release Date: December 5, 2024
New Features:
- Equipment Status Management: Track equipment operational state
- Two status types: 🔴 Not in Use | 🟠 Gone for Calibration
- Automatic timestamp capture when status is changed
- Status date display in Edit modal showing when status was last set
- Smart status display: Shows equipment status OR calibration alert (not both)
- Clean single-line status column for better UI/UX
- Forgot Password System: Complete OTP-based password reset via email
- Three-step reset flow: Email → OTP Verification → New Password
- 6-digit OTP sent to registered email with 10-minute expiration
- Rate limiting: 3 requests per hour, 5 verification attempts
- Professional HTML email template with company branding
- SMTP integration with Hostinger email server
- Dark Theme UI: Modern dark interface for login and password reset
- Dark background (#2b2b2b) with dark gray containers (#4a4a4a)
- White Starengts logo (70% container width)
- Green accent color (#32c800) for buttons and links
- Dark input fields with green focus states
- Fully responsive design for desktop, tablet, and mobile
- Permanent Auto-Fill for User Name Fields: All "By" fields automatically populate with logged-in user's name
- Multi-Trigger Auto-Fill: Works on page load, section navigation, and field focus
- Calibration Document Upload: Server configuration for PDF uploads (up to 10MB)
- HTTPS Server Support: Dual HTTP/HTTPS server configuration with SSL certificates
Improvements:
- Simplified status column display - shows only one status at a time for cleaner interface
- Enhanced Edit modal with status date tracking and orange-themed display
- Enhanced login page with modern dark theme and improved UX
- Better mobile responsiveness with proper margins (80% width on mobile)
- Improved input field styling with consistent dark backgrounds
- User name fields persist after form submission
- Enhanced workflow efficiency across all QC sections
- Professional email notifications for password reset
Security Enhancements:
- OTP-based password reset with expiration and attempt limits
- Rate limiting to prevent abuse (3 requests/hour)
- Secure password hashing with bcrypt (10 rounds)
- HTTPS support for encrypted connections
- Session-based OTP verification
Bug Fixes:
- Fixed calibration update history 404 error by reordering API routes
- Fixed calibration_updates INSERT error with automatic updateID generation
- Corrected equipment status date tracking with conditional SQL queries
- Fixed calibration dates calculation issue
- Corrected number of days remaining calculation for equipment calibration
- Fixed modal positioning on mobile devices
- Resolved input field autofill background color issues
Database Schema Updates:
- New Columns Added to equipment_calibrations table:
- location - Physical location of equipment (e.g., Lab Room A, Storage Area B)
- verification_method_accuracy - Description of verification method used for calibration
- certification - Certification status (Yes/No/N/A)
- equipment_status_date - Automatic timestamp tracking for equipment status changes
Technical Updates:
- Implemented conditional SQL queries for status date management
- Fixed Express route order: /updates endpoint now before /:id parameter route
- Automatic updateID generation using timestamp + random string pattern
- Enhanced Edit modal with 4 new fields for better equipment tracking
- Added nodemailer package (v7.0.10) for email functionality
- Implemented in-memory OTP storage with automatic cleanup
- Generated self-signed SSL certificates for HTTPS
- API endpoints: /api/forgot-password, /api/verify-otp, /api/reset-password
- Enhanced CSS with dark theme variables and responsive breakpoints
📦 Version 1.1.3
Release Date: November 2025
Major Updates:
- Database Backend: Migrated from Excel to MariaDB/MySQL for improved reliability and concurrent access
- Multi-User Authentication: Secure login system with role-based access control
- Visual Status System: Color-coded icons (Critical=Purple, Warning=Orange, Caution=Yellow, Expired=Red, Safe=Green)
- Enhanced UI: Compact legends, mobile-responsive design, status icons in all tables
- Thermal Printer: Fixed duplicate printing, automatic 90° rotation for 52mm printers
- Scrapped Material Tracking: Separate counting and display of scrapped batches
- User Profile: Display actual user information with login timestamp
- Data Visualization: Fixed sidebar overlap issue on charts page
Bug Fixes:
- Fixed database "updateID missing" error in expiry_updates table
- Corrected API to include scrapped samples in summary counts
- Resolved login window width issue on iPhone/mobile devices
- Fixed user profile modal showing "Guest" instead of actual user data
📦 Version 1.1.2
Release Date: April 2025
Features:
- Equipment Calibration Management with QR codes
- Bin-to-Bin Transfer functionality
- Excel-based local storage
- QR code label generation
- Basic transaction history and logging
- Data visualization with charts
🏢 Developed by Starengts
Quality Works | Version 1.3.0
Ready to transform your QC operations? Contact us today! 🚀
Master Data Management
Companies
| Company Name | Actions |
|---|---|
Countries
| Company | Country | Actions |
|---|---|---|
States/Regions
| Company | Country | State/Region | Actions |
|---|---|---|---|
Plants/Sites
| Company | Country | State | Plant Code | Plant Name | Actions |
|---|---|---|---|---|---|
Departments
| Company | Country | State | Plant Code | Plant Name | Department | Actions |
|---|---|---|---|---|---|---|
User Management
Add New User
- ✗ 8 characters
- ✗ 1 uppercase letter
- ✗ 1 lowercase letter
- ✗ 1 number
- ✗ 1 special character
Module Access Permissions
Control which application modules this user can access. Changes take effect on the user's next login.
| Module | No Access | View Only | Full Edit |
|---|---|---|---|
Existing Users
| Full Name | Company | Plant/Location | Department | Access Level | Role | Actions |
|---|---|---|---|---|---|---|
User Roles
| Role Name | Access Level | Description | Actions |
|---|---|---|---|
SSO Configuration
Manage Single Sign-On settings for each tenant. Only Master Admin can access this page.
Printer Configuration
Configure network printer settings for label printing. Only Master Admin can modify settings.
Printer Settings
Label Settings
Connection Status
Email Configuration
View SMTP settings and send a test email to verify the email system is working correctly.
SMTP Settings
Send Test Email
Send a real test email to confirm delivery is working end-to-end.
📋 System Documentation
IT Governance & Technical Reference Guide
📑 Table of Contents
1. Data Access & Integration
1.1 Database Schema
Database Type: MariaDB 10.x (MySQL-compatible)
Database Name: qcsample
| Table Name | Purpose | Key Fields |
|---|---|---|
| users | User accounts and authentication | id, email, password, access_level, company_id, plant_id |
| companies | Organization hierarchy (top level) | company_id, company_name, created_at |
| countries | Geographic organization level | country_id, country_name, company_id |
| states | Regional organization level | state_id, state_name, country_id |
| plants | Physical site locations | plantID, plantName, state_id |
| departments | Organizational units within plants | department_id, department_name, plant_id |
| roles | User role definitions | role_id, role_name, access_level, permissions |
| samples | QC sample tracking records | batchID, productName, dateManufactured, dateExpiry, binID |
| equipment_calibrations | Equipment calibration records | equipmentID, equipmentName, lastCalibrationDate, nextCalibrationDate |
| calibration_documents | PDF calibration certificates | doc_id, equipmentID, file_path, upload_date |
| calibration_updates | Calibration history/audit trail | updateID, equipmentID, oldDate, newDate, updatedBy, timestamp |
| racks | Storage rack configuration | rackID, plantID, rackName, description |
| bins | Storage bin configuration | binID, rackID, binNumber, maxCapacity, currentOccupancy |
| transactions | Sample movement audit log | transactionID, batchID, action, performedBy, timestamp |
| expiry_updates | Sample expiry modification history | updateID, batchID, oldExpiry, newExpiry, updatedBy, timestamp |
| licenses | System licensing information | license_id, license_key, valid_from, valid_until |
1.2 Access Control Matrix
The system implements an 8-level hierarchical access control system:
| Level | Role | Scope | Key Permissions |
|---|---|---|---|
| 1 | Master Admin | All Companies | Full system access, user management, system configuration |
| 2 | Company Admin | Company-wide | Manage all data within company, create users |
| 3 | Country Admin | Country-wide | Manage all data within country |
| 4 | State Admin | State/Region-wide | Manage all data within state/region |
| 5 | Plant Admin | Single Plant | Manage samples and equipment at assigned plant |
| 6 | Department Manager | Department | Manage department-specific samples and equipment |
| 7 | Regular User | Limited | Add/edit samples, view equipment, generate reports |
| 8 | Viewer | Read-only | View-only access, no modifications |
1.3 External Services & APIs
Email Service: Hostinger SMTP (via Nodemailer)
Purpose: Password reset OTP delivery, system notifications
Protocol: SMTP with TLS encryption
Configuration: Defined in environment variables (EMAIL_HOST, EMAIL_PORT, EMAIL_USER)
1.4 System Dependencies
Backend Dependencies
- express ^4.18.2
- mariadb ^3.4.5
- express-session ^1.18.1
- bcryptjs ^2.4.3
- nodemailer ^7.0.10
- multer ^1.4.5-lts.2
- exceljs ^4.3.0
- cors ^2.8.5
- dotenv ^17.2.3
- axios ^1.13.2
Frontend Dependencies
- Vanilla JavaScript (ES6+)
- Chart.js (via CDN)
- QRCode.js (via CDN)
- JsBarcode (local library)
- HTML5 & CSS3
1.5 Integration Capabilities
✅ Supported Integrations:
- REST API: JSON-based endpoints for CRUD operations
- Excel Export: Sample and equipment data export to .xlsx format
- PDF Generation: QR code labels and calibration certificates
- Thermal Printers: ESC/POS compatible printers for label printing
- Email Notifications: SMTP-based automated alerts
- File Uploads: PDF document storage for calibration certificates
2. Security & Compliance
2.1 Storage Architecture
Server Specifications:
- Hosting: VPS (Virtual Private Server)
- RAM: 8GB DDR4
- CPU: 2 vCPU Cores
- Storage: 100GB SSD
- OS: Linux-based
File Storage Structure:
- /app/data/ - Application data directory
- /app/data/backups/ - Database backup files
- /app/data/logs/ - System log files
- /app/uploads/ - User-uploaded files
- /app/uploads/calibration-docs/ - Calibration PDF certificates
2.2 Enterprise Authentication
Multi-Tenant Authentication Architecture
Our platform supports multiple authentication methods per tenant, allowing each company to use their preferred identity provider while maintaining a unified user experience.
- Email & Password, bcrypt hashing
- Okta, Azure AD, Google Workspace
- Per-company config, domain-based detection
- Redis-backed sessions, instant revocation
Platform Security Stack
Authentication:
- Session-based with Redis persistence
- OIDC (OpenID Connect) for SSO
- bcrypt password hashing (10 salt rounds)
- Per-tenant auth configuration
Transport & Network:
- TLS 1.2+ (HTTPS enforced)
- Secure, httpOnly session cookies
- CORS policy configured
- Firewall + VPN access control
Supported Identity Providers
| Provider | Protocol | Features | Status |
|---|---|---|---|
| Okta | OIDC | SSO, MFA, auto user provisioning | ✅ Supported |
| Microsoft Azure AD | OIDC | SSO, MFA, directory sync | ✅ Supported |
| Google Workspace | OIDC | SSO, Google account login | ✅ Supported |
| Local Authentication | Email/Password | bcrypt hashing, password reset via OTP | ✅ Default |
| Custom OIDC Provider | OIDC | Any OIDC-compliant identity provider | ✅ Supported |
How Multi-Tenant Authentication Works
Step 1: Tenant Detection
When a user enters their email, the system automatically detects their company (tenant) by the email domain (e.g., @henkel.com, @starengts.com).
Step 2: Auth Method Selection
Based on the tenant configuration, the system either shows the password field (local auth) or redirects to the company's identity provider (SSO).
Step 3: Authentication
For SSO: the user authenticates with their corporate IdP (Okta/Azure/Google). For local: the password is verified against the bcrypt hash in the database.
Step 4: Session Created
A secure server-side session is created (stored in Redis) with the user's access level, company scope, and permissions. The session cookie is httpOnly and secure.
Per-Tenant Configuration
Each company can be independently configured with their preferred authentication method:
| Company | Domain | Auth Method | Fallback |
|---|---|---|---|
| Henkel | henkel.com | Local (SSO-ready for Okta) | Local password |
| Starengts | starengts.com | Local authentication | - |
| [New Company] | company.com | OIDC / Local / SAML | Configurable |
🔒 Why Session-Based + Redis?
Enterprise-Grade Session Management:
- Immediate Revocation: Sessions can be terminated instantly if unauthorized access is detected - critical for laboratory environments
- Server-Side Control: Session data stays on server (Redis), reducing client-side attack surface
- Persistence: Redis-backed sessions survive server restarts - users stay logged in during deployments
- Scalability: Shared Redis store enables horizontal scaling with multiple app instances
- Audit Trail: Complete visibility into active sessions and concurrent users for compliance
- SSO Compatible: Works seamlessly with both OIDC SSO and local authentication
Authentication Flows
🔑 Local Authentication Flow
1. User enters email + password
2. System detects tenant by email domain
3. Tenant auth_type = 'local' → Show password field
4. POST /api/login → bcrypt.compare(password, hash)
5. Session created in Redis → Secure cookie set
6. User redirected to dashboard (access filtered by level)
🔐 SSO (OIDC) Authentication Flow
1. User enters email
2. System detects tenant by email domain
3. Tenant auth_type = 'oidc' → Redirect to IdP (Okta/Azure/Google)
4. User authenticates at IdP → MFA if configured by company
5. IdP redirects back with auth code → Server exchanges code for tokens
6. User matched/created in database → Session created in Redis
7. User redirected to dashboard (access filtered by level)
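The tenant detection and SSO steps above, together with the state and nonce validation listed in the 1.2.0 release notes, as an added example that is not Quality Works code. The `example.com` tenant, the IdP URL, `demo-client` and all function names are constructed for illustration, and the ID token claims are assumed to have had their signature, issuer, audience and expiry verified by the OIDC client library before `checkCallback` sees them.

```javascript
const crypto = require('crypto');

// Constructed rows shaped like tenant_auth_config (domain, auth_type, OIDC settings).
const TENANTS = [
  { company_id: 1, domain: 'starengts.com', auth_type: 'local' },
  { company_id: 2, domain: 'example.com', auth_type: 'oidc',
    authorize_url: 'https://idp.example.com/authorize', client_id: 'demo-client' },
];

// Step 1: exact match on the domain after the single "@". No suffix or substring
// matching, so "a@example.com.evil.test" and "a@sub.example.com" map to no tenant.
function detectTenant(email) {
  if (typeof email !== 'string') return null;
  const parts = email.trim().toLowerCase().split('@');
  if (parts.length !== 2 || !parts[0] || !parts[1]) return null;
  return TENANTS.find((t) => t.domain === parts[1]) || null;
}

// Steps 2-3: local tenants get the password field; OIDC tenants get a redirect.
// state and nonce are random per login and stay in the server-side session.
function beginLogin(session, email, redirectUri) {
  const tenant = detectTenant(email);
  if (!tenant) return { action: 'reject' };
  if (tenant.auth_type !== 'oidc') return { action: 'show_password' };
  const state = crypto.randomBytes(32).toString('hex');
  const nonce = crypto.randomBytes(32).toString('hex');
  session.oidc = { state, nonce, company_id: tenant.company_id };
  const url = new URL(tenant.authorize_url);
  url.search = new URLSearchParams({
    response_type: 'code', scope: 'openid email', client_id: tenant.client_id,
    redirect_uri: redirectUri, state, nonce,
  }).toString();
  return { action: 'redirect', url: url.toString() };
}

// Constant-time comparison; non-strings (for example a repeated query parameter
// parsed as an array) are rejected outright.
function safeEqual(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  const x = Buffer.from(a);
  const y = Buffer.from(b);
  return x.length === y.length && crypto.timingSafeEqual(x, y);
}

// Step 5: callback checks. In a real handler the state check runs before the code
// exchange and the nonce check after it; they are combined here for brevity.
function checkCallback(session, query, idTokenClaims) {
  const pending = session.oidc;
  delete session.oidc; // single use: a replayed callback finds nothing pending
  if (!pending) return { ok: false, reason: 'no_pending_login' };
  if (!query || !safeEqual(query.state, pending.state)) {
    return { ok: false, reason: 'state_mismatch' }; // CSRF / cross-session callback
  }
  if (!idTokenClaims || !safeEqual(idTokenClaims.nonce, pending.nonce)) {
    return { ok: false, reason: 'nonce_mismatch' }; // token minted for another login
  }
  // Added check: the identity returned by the IdP must belong to the tenant that
  // started this login before a user is matched or auto-provisioned.
  const tenant = detectTenant(idTokenClaims.email);
  if (!tenant || tenant.company_id !== pending.company_id) {
    return { ok: false, reason: 'tenant_mismatch' };
  }
  return { ok: true, company_id: pending.company_id };
}
```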
8-Level Hierarchical Access Control
| Level | Role | Scope | Data Access |
|---|---|---|---|
| 1 | Master Admin | All companies | Full system access, SSO configuration, user management across tenants |
| 2 | Company Admin | Own company | All data within their company, user management |
| 3 | Country Admin | Country-wide | All plants and departments in their country |
| 4 | State Admin | State-wide | All plants and departments in their state |
| 5 | Plant Admin | Plant-level | All departments within their plant |
| 6 | Department Manager | Department only | Own department data, team management |
| 7 | Regular User | Limited | Create/edit own records within assigned scope |
| 8 | Viewer | Read-only | View data only, no modifications allowed |
IT Governance Q&A
❓ How are passwords stored?
Passwords are hashed using bcrypt with 10 salt rounds before storage. Plain text passwords are never stored. SSO users have no local password at all - authentication is delegated to their corporate identity provider.
❓ Does the system support Single Sign-On (SSO)?
Yes. The platform supports OIDC (OpenID Connect) SSO with any compliant identity provider including Okta, Microsoft Azure AD, and Google Workspace. Each tenant can be independently configured with their preferred IdP. SSO can be enabled/disabled per company at any time without affecting other tenants.
❓ Can sessions be forcibly terminated?
Yes. Server-side sessions (stored in Redis) can be destroyed instantly by administrators. This is critical for security incidents or when employee access needs immediate revocation - regardless of whether they logged in via SSO or local credentials.
❓ What happens if the server restarts?
Sessions are stored in Redis (persistent key-value store), so users remain logged in during server restarts and deployments. Redis data is persisted to disk with append-only file (AOF) mode.
❓ How is tenant data isolated?
Every database query is filtered by the user's company_id and access_level. A user from Company A cannot access or modify data belonging to Company B. This is enforced at the server-side query level, not just the UI. The access control middleware validates tenant ownership on every API request.
❓ How are brute-force attacks prevented?
Password reset OTPs have rate limiting (3 requests/hour, 5 verification attempts). Additional rate limiting is implemented at the reverse proxy level (nginx). SSO users are protected by their IdP's own security policies (MFA, lockout, etc.).
❓ Can our company use MFA (Multi-Factor Authentication)?
Yes. When using SSO with Okta, Azure AD, or Google, MFA is enforced by your corporate identity provider. This means your existing MFA policies (SMS, authenticator app, hardware keys) are automatically applied to Quality Works logins.
❓ How are user permissions enforced?
Hierarchical access control is enforced at the database query level. Each user has an access_level (1-8) and associated organizational scope (company, country, state, plant, department). Queries automatically filter results based on user context. SSO users are assigned appropriate access levels during provisioning.
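An added example (not the product's code) of the query-level scoping described in the tenant-isolation and permissions answers above, using parameterized placeholders and the table and column names from section 1.1. The `country_id` and `state_id` user fields, the rule that levels 5-8 are pinned to `plant_id`, and the function names are assumptions.

```javascript
// Join path from a sample up to its owning company, per the schema in section 1.1:
// samples.binID -> bins.rackID -> racks.plantID -> plants.state_id
//   -> states.country_id -> countries.company_id
const SAMPLE_JOINS = [
  'FROM samples s',
  'JOIN bins b ON b.binID = s.binID',
  'JOIN racks r ON r.rackID = b.rackID',
  'JOIN plants p ON p.plantID = r.plantID',
  'JOIN states st ON st.state_id = p.state_id',
  'JOIN countries c ON c.country_id = st.country_id',
].join(' ');

// Each rule applies from the given access level downward (higher number = narrower).
// Department narrowing (level 6) is not modelled: section 1.1 lists no department
// column on samples, so levels 5-8 are all pinned to the user's plant here.
const SCOPE_RULES = [
  { fromLevel: 2, column: 'c.company_id', field: 'company_id' },
  { fromLevel: 3, column: 'c.country_id', field: 'country_id' },
  { fromLevel: 4, column: 'st.state_id', field: 'state_id' },
  { fromLevel: 5, column: 'p.plantID', field: 'plant_id' },
];

// Build the WHERE fragment for a session user. Fails closed: an unknown level,
// a level of the wrong type, or a missing scope id throws instead of widening.
function buildScope(user) {
  const level = user ? user.access_level : undefined;
  if (!Number.isInteger(level) || level < 1 || level > 8) {
    throw new Error('unknown access level: deny');
  }
  const conditions = [];
  const params = [];
  for (const rule of SCOPE_RULES) {
    if (level < rule.fromLevel) continue;
    const value = user[rule.field];
    if (value === undefined || value === null || value === '') {
      throw new Error(`missing ${rule.field} for level ${level}: deny`);
    }
    conditions.push(`${rule.column} = ?`); // value travels as a bound parameter
    params.push(value);
  }
  // Only level 1 (Master Admin) ends up with no conditions.
  return { where: conditions.length ? conditions.join(' AND ') : '1=1', params };
}

// Fetch one sample by id. The scope is ANDed into the same statement, so a batchID
// belonging to another company returns zero rows rather than relying on a UI check.
function scopedSampleQuery(user, batchID) {
  const scope = buildScope(user);
  return {
    sql: `SELECT s.batchID, s.productName, s.dateExpiry ${SAMPLE_JOINS} ` +
         `WHERE s.batchID = ? AND ${scope.where}`,
    params: [batchID, ...scope.params],
  };
}

// Level 8 (Viewer) is read-only in the access control matrix.
function canModify(user) {
  const level = user ? user.access_level : undefined;
  return Number.isInteger(level) && level >= 1 && level <= 7;
}
```

The scope values must come from the server-side session, never from request parameters, or the filter can be chosen by the caller.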
❓ Can we enable SSO without disrupting existing users?
Yes. SSO can be enabled with a "local fallback" option, meaning users who haven't been migrated to SSO can still log in with their email/password. When ready, local fallback can be disabled to enforce SSO-only access for your company.
Production Security Checklist
| Security Control | Status |
|---|---|
| SSL/TLS Certificate (HTTPS) | ✅ ACTIVE |
| Password Hashing (bcrypt, 10 rounds) | ✅ ACTIVE |
| Secure Session Cookies (httpOnly, secure, sameSite) | ✅ ACTIVE |
| Redis Session Persistence | ✅ ACTIVE |
| Multi-Tenant SSO (OIDC) | ✅ ACTIVE |
| Tenant Data Isolation | ✅ ACTIVE |
| SQL Injection Protection (Parameterized Queries) | ✅ ACTIVE |
| CORS Policy Configured | ✅ ACTIVE |
| Firewall + VPN Access Control | ✅ ACTIVE |
| Environment Variables (secrets in .env) | ✅ ACTIVE |
| 8-Level Hierarchical Access Control | ✅ ACTIVE |
| MFA Support (via IdP) | ✅ ACTIVE |
| Rate Limiting (login/OTP) | ✅ ACTIVE |
| Automated Vulnerability Scanning | ⚠️ RECOMMEND |
2.3 Data Encryption & Protection
✅ In Transit
- TLS 1.2+ for all HTTPS traffic
- Secure WebSocket connections
- SMTP TLS for email
⚠️ At Rest
- Database: MariaDB default (upgradeable to encrypted tablespaces)
- Files: Server filesystem (upgradeable to encrypted volumes)
- Backups: Cloud VPS storage
2.4 Backup & Disaster Recovery
Backup Strategy
Frequency: Weekly (upgradeable to daily)
Method: MariaDB mysqldump
Storage: Cloud VPS
Retention: 4 weeks (recommended)
Recovery Plan
RTO (Recovery Time Objective): < 4 hours
RPO (Recovery Point Objective): 7 days (weekly backup)
Procedure: Automated restore script available
Testing: Quarterly restore drills recommended
2.5 Compliance & Audit Trails
Audit Logging
The system maintains comprehensive audit trails for:
- Sample Transactions: All movements logged in transactions table with timestamp, user, and action
- Expiry Updates: Complete history in expiry_updates table (who, when, old value, new value)
- Calibration Changes: Full audit trail in calibration_updates table
- User Actions: Login/logout events, access attempts
- Data Modifications: Timestamp and user tracking on all critical tables
Compliance Readiness
- ✅ Data integrity controls (foreign keys, constraints)
- ✅ User authentication and authorization
- ✅ Audit trail for all modifications
- ✅ Role-based access control (8 levels)
- ⚠️ GDPR: Data retention policies recommended
- ⚠️ ISO 27001: Additional controls may be required
3. System Lifecycle & Maintenance
3.1 Development Workflow
Development → Testing → Staging → Production

1. LOCAL DEVELOPMENT
   - Developer workstation with Node.js
   - Local MariaDB instance for testing
   - npm run dev (nodemon for hot reload)
2. VERSION CONTROL
   - Git repository for source control
   - Branch strategy: main (production), dev (development)
   - Commit messages follow conventional commits
3. TESTING
   - Manual QA testing
   - Database migration scripts tested in isolation
   - User acceptance testing (UAT)
4. DEPLOYMENT
   - VPS deployment via Git pull
   - Environment variables configured via .env
   - npm start for production mode
   - Process manager (PM2/systemd) for auto-restart
3.2 Maintenance Schedule
| Task | Frequency | Responsible | Notes |
|---|---|---|---|
| Database Backup | Weekly | IT Admin | Automated via cron job |
| Backup Verification | Monthly | IT Admin | Test restore procedure |
| Security Updates | Monthly | IT Admin | npm audit, OS patches |
| Log Review | Weekly | IT Admin | Check for errors/anomalies |
| Database Optimization | Quarterly | Database Admin | OPTIMIZE TABLE, index review |
| Disk Space Monitoring | Weekly | IT Admin | Alert at 80% capacity |
| SSL Certificate Renewal | Annually | IT Admin | 90-day reminder |
| User Account Audit | Quarterly | Master Admin | Remove inactive users |
| Performance Review | Semi-Annually | IT Admin | Query optimization, caching |
3.3 Documentation Locations
| Document | Description |
|---|---|
| README.md | Project overview and quick start guide |
| API-DOCUMENTATION.md | API endpoints and usage examples |
| CHANGELOG.md | Version history and release notes |
| .env.example | Environment configuration template |
| qcsample.sql | Complete database schema |
| This Page | System Documentation (IT governance reference) |
3.4 Support Model
📧 Contact Information
Support Email: info@starengts.com
Company: STARENGTS
Product: Quality Works
Version: 1.3.0
⏰ Support Hours
Response Time: Business hours
Critical Issues: 24-hour SLA
Non-Critical: 48-hour SLA
Escalation: Email support team
3.5 Incident Response Procedure
🚨 Emergency Response
- Identify: Determine severity (Critical, High, Medium, Low)
- Isolate: If security breach suspected, isolate affected systems
- Notify: Alert Master Admin and IT team via info@starengts.com
- Document: Log all details, actions taken, timeline
- Resolve: Apply fix, restore from backup if necessary
- Verify: Test resolution, confirm system stability
- Review: Post-incident analysis and preventive measures
4. Technical Architecture
4.1 Complete Technology Stack
⚙️ Backend Stack
- Runtime: Node.js v14+
- Framework: Express.js v4.18.2
- Language: JavaScript (ES6+)
- Database: MariaDB v3.4.5
- ORM/Driver: mariadb (native driver)
🎨 Frontend Stack
- Framework: None (Vanilla JS)
- Language: JavaScript ES6+
- Markup: HTML5
- Styling: CSS3 (custom)
- Charts: Chart.js (CDN)
- QR Codes: QRCode.js (CDN)
- Barcodes: JsBarcode (local)
🔒 Security & Auth
- Sessions: express-session v1.18.1
- Hashing: bcryptjs v2.4.3
- CORS: cors v2.8.5
- Environment: dotenv v17.2.3
- SSL/TLS: HTTPS enabled
📊 Data & Files
- Excel: exceljs v4.3.0
- Email: nodemailer v7.0.10
- Uploads: multer v1.4.5-lts.2
- HTTP Client: axios v1.13.2
4.2 Infrastructure Details
🖥️ Production Server
- URL: https://qcapplication.starengts.com
- Hosting: VPS
- RAM: 8GB
- CPU: 2 vCPU cores
- Storage: 100GB SSD
- OS: Linux
🗄️ Database Server
- Engine: MariaDB 10.x
- Location: Same VPS
- Port: 3306
- SSL: Enabled
- Connections: 10 pool limit
- Charset: utf8mb4_unicode_ci
System Architecture Diagram
┌─────────────────────────────────────────────────────────────────┐
│                          CLIENT LAYER                           │
│   ┌───────────────┐    ┌───────────────┐    ┌───────────────┐   │
│   │    Desktop    │    │    Tablet     │    │    Mobile     │   │
│   │    Browser    │    │    Browser    │    │    Browser    │   │
│   └───────┬───────┘    └───────┬───────┘    └───────┬───────┘   │
└───────────┼────────────────────┼────────────────────┼───────────┘
            │                    │                    │
            └────────────────────┴────────────────────┘
                                 │
                             HTTPS/TLS
                                 │
┌────────────────────────────────┼────────────────────────────────┐
│                   VPS SERVER (8GB RAM, 2 CPU)                   │
│                                │                                │
│      ┌─────────────────────────┴─────────────────────────┐      │
│      │                NGINX REVERSE PROXY                │      │
│      │         (SSL Termination, Load Balancing)         │      │
│      └─────────────────────────┬─────────────────────────┘      │
│                                │                                │
│      ┌─────────────────────────┴─────────────────────────┐      │
│      │            NODE.JS APPLICATION SERVER             │      │
│      │                                                   │      │
│      │   ┌───────────────────────────────────────────┐   │      │
│      │   │           EXPRESS.JS FRAMEWORK            │   │      │
│      │   │                                           │   │      │
│      │   │  • Session Management (express-session)   │   │      │
│      │   │  • Authentication (bcrypt)                │   │      │
│      │   │  • API Routes (/api/*)                    │   │      │
│      │   │  • Static File Serving                    │   │      │
│      │   │  • Multer (File Uploads)                  │   │      │
│      │   └───────────────────────────────────────────┘   │      │
│      └────────────┬──────────────────────────┬───────────┘      │
│                   │                          │                  │
│      ┌────────────┴─────────┐        ┌───────┴──────────┐       │
│      │   MARIADB DATABASE   │        │   FILE SYSTEM    │       │
│      │                      │        │                  │       │
│      │  • qcsample DB       │        │  • /uploads/     │       │
│      │  • 16 Tables         │        │  • /data/        │       │
│      │  • Connection Pool   │        │  • /backups/     │       │
│      └──────────────────────┘        └──────────────────┘       │
│                                                                 │
│      ┌───────────────────────────────────────────────────┐      │
│      │                 EXTERNAL SERVICES                 │      │
│      │                                                   │      │
│      │  • Hostinger SMTP (Email/OTP)                     │      │
│      │  • Cloud VPS Storage (Backups)                    │      │
│      └───────────────────────────────────────────────────┘      │
└─────────────────────────────────────────────────────────────────┘
4.3 Enterprise Alignment
✅ Enterprise-Ready Features
- Multi-Tenancy: Company/Country/State/Plant/Department hierarchy supports multiple organizations
- Role-Based Access: 8-level granular permission system
- Scalability: Database connection pooling, stateless architecture ready
- Security: Industry-standard authentication, encryption, audit trails
- Reliability: Transaction support, referential integrity, automated backups
- Compliance: Complete audit logging, data retention controls
- Integration: REST API, Excel export, email notifications
4.4 Scalability & Performance
| Component | Current Capacity | Upgrade Path |
|---|---|---|
| Concurrent Users | ~50-100 users | Add Redis session store, horizontal scaling |
| Database Size | ~10-50GB | Increase VPS storage, database partitioning |
| File Storage | 100GB SSD | S3-compatible object storage (MinIO, AWS S3) |
| API Performance | ~100 req/sec | Load balancer, CDN for static assets, caching |
| Backup Size | Weekly backups | Incremental backups, cloud backup service |
4.5 Future Roadmap
📅 Planned Enhancements
🔜 Short Term (3-6 months)
- Redis session store for better scalability
- Database encryption at rest
- Automated daily backups
- Advanced search and filtering
- Mobile app (React Native/Flutter)
🎯 Medium Term (6-12 months)
- SSO integration (SAML, OAuth2, LDAP)
- Real-time notifications (WebSockets)
- Advanced analytics dashboard
- API rate limiting and throttling
- Multi-language support (i18n)
🚀 Long Term (12+ months)
- Microservices architecture migration
- Machine learning for predictive analytics
- Blockchain audit trail (optional)
- IoT sensor integration
- Cloud-native deployment (Kubernetes)
4.6 Known Technical Debt
⚠️ Items for Consideration
- Session Store: Using MemoryStore (not suitable for production clusters) - upgrade to Redis recommended
- Frontend Framework: Vanilla JS - consider React/Vue for better maintainability as app grows
- API Versioning: No formal API versioning strategy - implement /api/v1/ structure
- Testing: Limited automated tests - add unit and integration test suite
- Monitoring: No APM (Application Performance Monitoring) - add New Relic, DataDog, or Prometheus
- Error Tracking: Basic logging - consider Sentry or similar for production error tracking
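The MemoryStore item above is one of several express-session settings worth checking at startup on a server where nginx terminates TLS in front of Node.js. The example below is added here and is not the product's own code; it audits an options object and lists the weak settings, and `auditSessionOptions`, its `ctx` flags and both sample configurations are constructed for illustration.

```javascript
// Added example, not the product's code. Option names are express-session's;
// auditSessionOptions, ctx and the two sample configs are constructed here.
function auditSessionOptions(opts, ctx) {
  const findings = [];
  const cookie = opts.cookie || {};
  if (typeof opts.secret !== 'string' || opts.secret.length < 32) {
    findings.push('secret: use a random value of at least 32 characters from .env');
  }
  if (ctx.production && !opts.store) {
    // No store means MemoryStore: it leaks memory, loses every session on
    // restart and does not scale past a single process.
    findings.push('store: MemoryStore fallback in production');
  }
  if (opts.saveUninitialized !== false) {
    findings.push('saveUninitialized: sessions are created before login');
  }
  if (cookie.httpOnly === false) {
    findings.push('cookie.httpOnly: session id readable by page scripts');
  }
  if (ctx.production && cookie.secure !== true) {
    findings.push('cookie.secure: session id may travel over plain HTTP');
  }
  if (cookie.secure === true && !opts.proxy && !ctx.trustProxy) {
    // nginx terminates TLS, so Node sees plain HTTP and never sets a secure
    // cookie unless it trusts X-Forwarded-Proto from the proxy.
    findings.push('proxy: secure cookie will not be set behind the reverse proxy');
  }
  if (!cookie.sameSite) {
    findings.push('cookie.sameSite: not set, behaviour is left to browser defaults');
  }
  if (!cookie.maxAge) {
    findings.push('cookie.maxAge: no time limit on the session cookie');
  }
  return findings;
}

// Constructed sample: a minimal setup that falls back to MemoryStore.
const weak = { secret: 'keyboard cat', resave: true, saveUninitialized: true, cookie: {} };
// Constructed sample: hardened setup for a TLS-terminating reverse proxy.
const hardened = {
  secret: 'x'.repeat(48),   // placeholder; load the real value from .env
  store: { kind: 'redis' }, // stand-in for a Redis-backed store instance
  resave: false,
  saveUninitialized: false,
  proxy: true,
  cookie: { httpOnly: true, secure: true, sameSite: 'lax', maxAge: 30 * 60 * 1000 },
};
```

Run the audit before `app.use(session(options))` and refuse to start in production while the returned list is not empty.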
Quality Works v1.3.0
© STARENGTS - All Rights Reserved
For support: info@starengts.com
This document contains confidential and proprietary information.
Enter New Sample
Label Size Configuration
Label Preview (100mm × 40mm)
Transfer Samples Between Bins
Equipment Calibration
Equipment Calibration History
| Status | Equipment ID | Equipment Name | Equipment used for | Location | Verification Method | Certification | Last Calibration Date | Calibration Interval (Days) | Next Calibration Date | Alert Status | Action |
|---|---|---|---|---|---|---|---|---|---|---|---|
Calibration Update History
| Status | Equipment ID | Equipment Name | Old Next Calibration Date | New Next Calibration Date | Updated On | Updated By |
|---|---|---|---|---|---|---|
Search Samples
| Status | Batch Number | Product Name | Mfg Date | Expiry | Entered By | Storage | Created On | Action |
|---|---|---|---|---|---|---|---|---|
Log Sample Transactions
Log Take Out
Log Return
Retrieval History (One Row per Cycle)
| Batch Number | Product Name | Take Out Date | Take Out By | Return Date | Return By |
|---|---|---|---|---|---|
Expiry Date Modification History
| Status | Batch Number | Product Name | Original Expiry | New Expiry | Modified By | Modified On | Reason |
|---|---|---|---|---|---|---|---|
📊 Quality Works Analytics
Sample tracking, expiry analysis, and storage utilization insights
Expiry Status Distribution
Top 10 Products by Sample Count
Storage Location Utilization
Sample Transaction Status
Sample Age Distribution
🔧 Equipment Calibration Analytics
Calibration status, overdue tracking, and equipment compliance insights
Calibration Status Overview
Equipment Status
Calibration Frequency Distribution
Monthly Calibration Trends
📋 Quality Walkabout Analytics
Walkabout status, action tracking, and quality observation insights
Status Distribution
Due Date Status
By Observation Location
Monthly Trends
🦟 Pest Control Analytics
Pest activity trends, device monitoring, and treatment effectiveness insights
Device Status Distribution
Monthly Activity Trends
Pest Activity by Location
Treatment Effectiveness
📊 Deep Dive Analytics
Device Type Distribution
Pest Types Detected
Weekly Activity Pattern
Inspection Compliance Rate
📈 Performance Metrics
Year-over-Year Comparison
Activity Severity Index
Top Risk Areas
Device Coverage Analysis
💾 Master Data Analytics
System-wide overview of plants, storage capacity, and user management
Storage Capacity by Plant
Bin Occupancy Rate
Products by Category
User Role Distribution
🎛️ Admin Dashboard - Master Data Analytics
System-wide overview of plants, storage capacity, and user management
Storage Configuration
Note: Plant selection is based on your access permissions
Add Rack
Add Bin
View & Edit Configuration
Quality Walkabout Register
📝 Create New Quality Walkabout
📋 Open Walkabouts
| UID | Date Raised | Reporter | Location | Category | Subject | Action Person | Due Date | Status | Actions |
|---|---|---|---|---|---|---|---|---|---|
Quality Walkabout History
| UID | Date Raised | Reporter | Location | Category | Subject | Action Person | Due Date | Status | Closed By | Closed At | Actions |
|---|---|---|---|---|---|---|---|---|---|---|---|
My Walkabout Actions
Walkabouts where you are the assigned Action Person - please review and take action before the due date.
| UID | Date Raised | Reporter | Location | Category | Subject | Description | Due Date | Status | Actions |
|---|---|---|---|---|---|---|---|---|---|
Walkabout Activity Log
Complete audit trail of all walkabout actions — created, submitted, updated, closed, reopened, comments and attachments.
| Time | Walkabout UID | Action | By | Prev Status | Current Status | Details |
|---|---|---|---|---|---|---|
Pest Control Master Plan
| S.No | Activities | Owner | JAN | FEB | MAR | APR | MAY | JUN | JUL | AUG | SEP | OCT | NOV | DEC | Actions |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Pest Control Layout
🗺️ Pest Control Device Layout
📋 Layout Revision Control
Track changes and updates to the pest control layout map
| Rev No | Date | Reason of Review | Actions |
|---|---|---|---|
Pest Control Device Master
| Device ID | Type | Location | Area | Placement | Status | Actions |
|---|---|---|---|---|---|---|
Pest Control Readings Entry
Insect Killer - Internal
Click count cell to enter species-wise breakdown
| Device ID | Location | Area | 1st Fortnight (1-15) Count | 1st Fortnight (1-15) Remarks | 2nd Fortnight (16-31) Count | 2nd Fortnight (16-31) Remarks |
|---|---|---|---|---|---|---|
Pest Control Spray Tracking
💨 Log Spray Activity
Spray History
| Date | Type | Spray Type | Chemical | Done By | Verified By | Areas | Actions |
|---|---|---|---|---|---|---|---|
🦎 Lizard Management Service
Service History
| Date | Type | Chemical | Service By | Verified By | Next Service |
|---|---|---|---|---|---|
Pest Control Meetings
👥 Schedule Meeting
Meeting History
| Date | Type | Title | Created By | Actions |
|---|---|---|---|---|
📝 Add Action Item
Action Items
| Description | Assigned To | Target Date | Priority | Status | Actions |
|---|---|---|---|---|---|
Pest Control Reports
Insect Killer Tracking - Internal
Monthly insect count data by device (internal). Green = Low (0-5), Yellow = Medium (6-10), Red = High (>10)
📋 Custom Report Generator
Report Preview
Select report type and parameters, then click Generate Report
👥 Pest Control Team
| Name | Department | Role | Actions | |
|---|---|---|---|---|