Skip to main content

Non-Functional Requirements

Performance

  • Support concurrent check-ins at shift start (burst of ~1,000 requests within 5 minutes for a 10k-employee tenant).
  • p95 check-in latency < 500 ms at the API; < 2 s end-to-end from the mobile client.
  • Report generation for 30-day × 2,000 employees < 30 s for CSV/XLSX.
  • Attendance recalculation for a single day < 5 s.

Scalability

  • Horizontal scaling of Laravel via multiple PHP-FPM containers behind Nginx.
  • Queue workers scale independently (Horizon).
  • Read replicas for reporting (post-MVP).
  • Sharding by organization_id when a single tenant exceeds 50k employees.

Security

  • Role-based access control with row-level scope enforcement via Laravel policies + global scopes.
  • OAuth-style token auth (Sanctum personal access tokens + mobile device-bound tokens).
  • TLS everywhere; HSTS on web; certificate pinning on mobile.
  • Password hashing with bcrypt (Laravel default, 12 rounds).
  • PII fields encrypted at rest for aadhaar, pan, phone using Crypt cast.
  • Rate limits on login, check-in, and export endpoints.
  • Device fingerprint (platform + model + OS + install ID) required on mobile.
  • Geo coordinates stored with 6-decimal precision; historical fences preserved for audit.

Auditability

Every one of the following events is recorded in audit_logs with actor, before/after snapshots, and timestamps:

  • Attendance edits (create, update, delete).
  • Approval/rejection of leave, regularization, device binding, Telegram linking.
  • Shift-assignment changes.
  • Role or scope changes on a user.
  • Lock / unlock of an attendance month.
  • Login events (success/failure).

Availability

  • Target 99.5% monthly uptime.
  • Zero-downtime deploys (rolling updates via Docker + Traefik).
  • Degraded mode: if the punch-processing queue is down, the ingestion endpoint still accepts raw punches and persists them to a retry buffer.

Usability

  • Mobile-first design for the Flutter app; one-tap check-in/out.
  • Web UI optimized for managers — dense tables, keyboard shortcuts, bulk edits.
  • Telegram bot has a minimal command surface: /in, /out, /leave, /status.
  • Accessibility: WCAG 2.1 AA for the web UI.

Observability

  • Structured JSON logs → Loki / Elastic.
  • Metrics via Prometheus scrape of a /metrics endpoint (queue depth, punch throughput, red-flag counts).
  • Distributed tracing via OpenTelemetry (post-MVP).

Maintainability

  • 80% test coverage target on the server/app/Services namespace.
  • All public API routes have contract tests.
  • ADRs (architecture decision records) stored alongside this site.
  • Feature flags for high-risk toggles (geo enforcement, device binding, Telegram).

Internationalization

  • English in MVP.
  • All user-facing strings go through __() / i18next to enable future locales.
  • Dates stored in UTC, rendered in the unit's timezone.