# Banking Practice App — Transfer & Security Regression Checklist

Checklist for high-risk workflows. Treat every item as release-blocking until it is proven to pass.

## Authentication
- [ ] Valid login succeeds; invalid password fails
- [ ] Account locks after repeated failed attempts (counted correctly)
- [ ] Lockout message is clear
- [ ] MFA simulation completes; invalid code is rejected
- [ ] Logout fully clears the session

## Accounts & transactions
- [ ] Dashboard shows the correct accounts
- [ ] Balance matches the transaction history
- [ ] Date filter includes same-day records
- [ ] Statement download balance matches the UI

## Transfers
- [ ] Transfer between own accounts updates both balances
- [ ] Transfer to a saved payee succeeds
- [ ] Transfer above available balance is blocked (UI **and** API)
- [ ] Invalid amount is rejected
- [ ] Refresh / retry does not submit the payment twice
- [ ] Confirmation page and history entry are accurate

## Authorization & session
- [ ] A user cannot access another user's account ID
- [ ] Session expires after inactivity
- [ ] Back button does not reveal data after logout
- [ ] Sensitive values are masked where appropriate
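
The server-side half of the Transfers and Authorization items above, as an added example (not code from the practice app): the `Ledger` class, its error strings, the idempotency-key parameter and the account names are all hypothetical, and the data is constructed. It shows overdraft, invalid-amount and ownership checks enforced at the API layer, plus a retry that replays the first receipt instead of moving money twice.

```python
from decimal import Decimal, InvalidOperation
class TransferError(Exception):
    """Raised when a server-side check rejects the request."""

class Ledger:
    """Hypothetical in-memory stand-in for the app's transfer API."""
    def __init__(self, accounts):  # accounts: {id: (owner, opening_balance)}
        self.owner = {a: o for a, (o, _) in accounts.items()}
        self.balance = {a: Decimal(b) for a, (_, b) in accounts.items()}
        self.receipts = {}  # (user, idempotency key) -> receipt
        self.history = []

    def transfer(self, user, src, dst, amount, key):
        if self.owner.get(src) != user:  # ownership is checked before anything else
            raise TransferError("forbidden")
        if (user, key) in self.receipts:  # refresh / retry: replay, move nothing
            return self.receipts[(user, key)]
        if dst not in self.balance:
            raise TransferError("unknown destination")
        try:
            amt = Decimal(str(amount))
            # finite, positive, and at most two decimal places
            ok = amt.is_finite() and amt > 0 and amt == amt.quantize(Decimal("0.01"))
        except InvalidOperation:
            ok = False
        if not ok:
            raise TransferError("invalid amount")
        if amt > self.balance[src]:  # enforced here even if the UI also blocks it
            raise TransferError("insufficient funds")
        self.balance[src] -= amt
        self.balance[dst] += amt
        receipt = {"id": len(self.history) + 1, "src": src, "dst": dst, "amount": amt}
        self.history.append(receipt)
        self.receipts[(user, key)] = receipt
        return receipt

def run_checks():  # constructed data: alice owns CHK and SAV, bob owns BOB
    led = Ledger({"CHK": ("alice", "100.00"), "SAV": ("alice", "0.00"), "BOB": ("bob", "50.00")})
    def rejected(*args):
        try:
            led.transfer(*args)
        except TransferError as exc:
            return str(exc)
    out = {"overdraft": rejected("alice", "CHK", "SAV", "100.01", "k1"),
           "invalid": [rejected("alice", "CHK", "SAV", a, "k2") for a in ("0", "-5", "1.005", "NaN", "abc")],
           "other_user": rejected("alice", "BOB", "CHK", "1.00", "k3")}
    first = led.transfer("alice", "CHK", "SAV", "40.00", "k4")
    out.update(retry_replayed=led.transfer("alice", "CHK", "SAV", "40.00", "k4") is first,
               history_len=len(led.history), balances={a: str(b) for a, b in led.balance.items()})
    return out
```
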

## Notifications & audit
- [ ] Transfer confirmation notification is generated
- [ ] Every action is recorded in the audit history
