# Acceptance Criteria # Acceptance Criteria: {{PROJECT_NAME}} > **Project:** {{PROJECT_NAME}} > **Version:** {{VERSION}} > **Date:** {{DATE}} > **Author:** {{AUTHOR}} > **Status:** Draft | In Review | Approved > **Reviewers:** {{REVIEWERS}} ## Document History | Version | Date | Author | Changes | |---------|------|--------|---------| | 0.1 | {{DATE}} | {{AUTHOR}} | Initial draft | --- ## 1. Purpose & Methodology ### 1.1 What Are Acceptance Criteria? Acceptance criteria are the conditions that a system must satisfy to be accepted by a stakeholder. They answer the question: **"How will we know when this feature is done?"** Good acceptance criteria are: - **Testable** — Can be verified with a specific test procedure - **Clear** — Unambiguous; no room for interpretation - **Complete** — Cover happy path, error paths, and edge cases - **Agreed** — Signed off by the business BEFORE development begins ### 1.2 Format: Given / When / Then (Gherkin-Style) ``` Given [an initial context / precondition that is true] When [an action or event occurs] Then [the expected outcome is observed] And [additional expected outcomes, chained] ``` **Example — User Login:** ``` Given a registered user with valid credentials When the user submits the login form Then the user is redirected to the dashboard And a session token is created and stored in a secure cookie And the last login timestamp is updated in the database ``` ### 1.3 Categories of Acceptance Criteria | Category | Description | Example | |----------|-------------|---------| | **Positive (Happy Path)** | System works as expected with valid inputs | Successful login | | **Negative (Sad Path)** | System handles invalid inputs gracefully | Wrong password error | | **Edge Case** | Boundary conditions and unusual but valid scenarios | Login at exact session timeout | | **Integration** | System works correctly with external services | Payment processed via Stripe | | **Non-Functional** | Performance, accessibility, security criteria | Page loads in < 2 seconds | | **Data** | Correct data storage, retrieval, and validation | Fields saved with correct types | --- ## 2. Feature Acceptance Criteria --- ### Module: {{MODULE_1_NAME}} --- #### Feature: {{FEATURE_1_NAME}} (FR-{{XXX}}) **Feature Description:** {{BRIEF_DESCRIPTION}} **Business Requirement:** BR-{{XXX}} **Linked User Stories:** US-{{XXX}}, US-{{XXX}} **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-001 | {{SCENARIO_NAME}} | {{PRECONDITION}} | {{ACTION}} | {{EXPECTED_RESULT}} | | AC-002 | | | | | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-003 | {{INVALID_INPUT_SCENARIO}} | {{PRECONDITION_WITH_BAD_DATA}} | {{ACTION}} | {{ERROR_MESSAGE_OR_BEHAVIOR}} | | AC-004 | | | | | **Edge Cases:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-005 | {{BOUNDARY_CONDITION}} | {{EDGE_CONDITION}} | {{ACTION}} | {{EXPECTED_RESULT}} | **Non-Functional Acceptance Criteria:** | # | Category | Criterion | |---|----------|-----------| | AC-006 | Performance | Feature completes in < {{X}} seconds under normal load | | AC-007 | Accessibility | Feature is fully operable by keyboard; ARIA labels present | | AC-008 | Security | {{SECURITY_CRITERION_IF_APPLICABLE}} | --- #### Feature: User Registration (FR-020) **Feature Description:** New users can create accounts using email and password. **Business Requirement:** BR-{{XXX}} **Linked User Stories:** US-{{XXX}} **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-010 | Successful registration | A user visits /register with a valid, unregistered email | User submits form with valid email, strong password, and required fields | Account is created; confirmation email sent; user redirected to email verification page | | AC-011 | Email verification sent | Account was just created | System processes registration | Verification email arrives within 2 minutes with unique, expiring link | | AC-012 | Verification link works | User receives verification email | User clicks verification link | Email verified; user redirected to login; account marked as verified | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-013 | Duplicate email | An account already exists with email@example.com | User submits registration with email@example.com | Error "An account with this email already exists" shown; no new account created | | AC-014 | Weak password | User is on registration form | User submits password "abc123" | Inline error shown: "Password must be at least 8 characters and include uppercase, number, and special character" | | AC-015 | Invalid email format | User is on registration form | User submits "notanemail" in email field | Inline validation error shown before form submission | | AC-016 | Empty required field | User is on registration form | User submits with required field empty | Inline error shown; form not submitted | **Edge Cases:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-017 | Email with plus addressing | User submits user+tag@example.com | Registration submitted | Account created; treated as valid email | | AC-018 | Verification link expiry | Verification link generated 25+ hours ago | User clicks expired link | Error "Verification link has expired"; option to resend verification email shown | | AC-019 | Double registration attempt | User submits form; due to slow network submits twice | Two identical POST requests sent | Only one account created; second request returns appropriate error | --- #### Feature: User Login (FR-021) **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-020 | Successful login | A verified user with valid credentials | User submits login form | Authenticated; redirected to dashboard; session created | | AC-021 | Remember me | A verified user checks "Remember Me" | User submits login form | Session persists for 30 days; user stays logged in after browser close | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-022 | Wrong password | A registered user exists | User submits incorrect password | Generic error "Invalid email or password" (no enumeration); login not granted | | AC-023 | Non-existent email | No account for this email | User submits login | Same generic error "Invalid email or password" (prevent user enumeration) | | AC-024 | Account locked | User has made 5 failed attempts | User attempts login again | Message: "Account temporarily locked. Try again in 15 minutes." | **Edge Cases:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-025 | Session expiry | User has been idle for 31 minutes | User attempts to navigate | Redirected to login; session cleared; unsaved work warning shown | | AC-026 | Login on unverified account | Account created but email not verified | User attempts to log in | Error "Please verify your email before logging in" with option to resend | --- #### Feature: {{NEXT_FEATURE_NAME}} (FR-{{XXX}}) **Positive Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-{{NEXT}} | | | | | **Negative Scenarios:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-{{NEXT}} | | | | | **Edge Cases:** | # | Scenario | Given | When | Then | |---|----------|-------|------|------| | AC-{{NEXT}} | | | | | --- ## 3. Integration Scenarios | # | Integration | Scenario | Expected Behavior | Test Environment | |---|------------|---------|------------------|-----------------| | INT-001 | {{EXTERNAL_SERVICE}} | {{SCENARIO}} | {{EXPECTED}} | Sandbox / Mock | | INT-002 | Email provider | Transactional email delivery | Email received within 2 minutes | Mailtrap / staging | | INT-003 | {{PAYMENT_PROVIDER}} | Successful payment | Transaction recorded; confirmation shown; webhook received | Stripe test mode | | INT-004 | {{PAYMENT_PROVIDER}} | Payment declined | User sees friendly error; no order created; no double-charge | Stripe test mode | | INT-005 | {{THIRD_PARTY_API}} | API timeout | System shows user-friendly error; request logged; no data corruption | Mocked timeout | | INT-006 | {{THIRD_PARTY_API}} | API unavailable | System degrades gracefully; non-dependent features still work | Service unavailable mock | --- ## 4. Non-Functional Acceptance Criteria ### 4.1 Performance | # | Criterion | Target | Test Method | |---|-----------|--------|-------------| | NF-AC-001 | All pages load within target time | < 3s initial, < 1.5s subsequent | Lighthouse on staging | | NF-AC-002 | All API endpoints respond within target | < 500ms at p95 under normal load | k6 load test | | NF-AC-003 | Core Web Vitals pass | LCP < 2.5s, CLS < 0.1, FCP < 1.8s | Lighthouse | ### 4.2 Accessibility | # | Criterion | Target | Test Method | |---|-----------|--------|-------------| | NF-AC-010 | No critical accessibility violations | 0 critical violations | axe-core automated scan | | NF-AC-011 | Keyboard navigation complete | All features operable without mouse | Manual test | | NF-AC-012 | Color contrast compliant | ≥ 4.5:1 text/background | Contrast checker | ### 4.3 Security | # | Criterion | Target | Test Method | |---|-----------|--------|-------------| | NF-AC-020 | No OWASP Top 10 vulnerabilities | 0 critical/high findings | OWASP ZAP scan | | NF-AC-021 | All user inputs sanitized | No XSS/injection vulnerabilities | SAST + manual testing | | NF-AC-022 | No sensitive data in client-side code | No API keys, tokens in browser | Code review + browser DevTools | --- ## 5. UAT Scenario Mapping | AC ID | AC Description | UAT Scenario ID | UAT Tester | Status | |-------|---------------|-----------------|-----------|--------| | AC-010 | Successful registration | UAT-001 | {{TESTER}} | Not Started | | AC-011 | Email verification sent | UAT-002 | | | | AC-020 | Successful login | UAT-003 | | | | INT-003 | Payment success | UAT-010 | | | | NF-AC-001 | Page load performance | UAT-P01 | | | --- ## 6. Traceability to Requirements | AC ID | Acceptance Criterion | FR Reference | BR Reference | US Reference | |-------|---------------------|-------------|-------------|-------------| | AC-001 | {{CRITERION}} | FR-{{XXX}} | BR-{{XXX}} | US-{{XXX}} | | AC-010 | Successful registration | FR-020 | BR-{{XXX}} | US-{{XXX}} | > Full traceability: `[requirements-traceability-matrix.md](requirements-traceability-matrix.md)` --- ## Approval | Role | Name | Date | Signature | |------|------|------|-----------| | Author | | | | | Reviewer | | | | | Business Analyst | | | | | Product Owner | | | | | QA Engineer | | | | | AI Director (John) | | | | | Client Representative | | | |