Addendum to the RFP - Milestone 1a - Call for Expert Audit and Baseline Metrics.
This addendum defines the mandatory minimum scope for the MS1a Expert Audit. It ensures that all proposals cover the same baseline while leaving room for bidders to propose additional scope. The mandatory minimum is the acceptance threshold - bidders may exceed it but must not fall below it.
The Joomla view inventory for this audit comprises 152 views across 34 backend and 9 frontend components. These have been grouped into 17 audit units based on shared UI patterns. Auditing a representative view per pattern allows findings to propagate across all views sharing that pattern, making the audit efficient without sacrificing coverage.
Reference Installation
The audit will be conducted on a standard Joomla 6.1 installation with the following configuration:
- Atum admin template, Cassiopeia frontend template, TinyMCE as default editor
- All components and features active by default - no manual activation
- Pre-configured user accounts for required roles: Super User, Administrator, Editor, Author (backend access); Registered User, Author, Editor (frontend access)
- At least one user account with Multi-Factor Authentication (MFA) enabled
- Representative sample content: articles, categories, menu items, contacts, media files
- Guided Tours enabled (default on first login)
- Captcha (Proof-of-Work) enabled
Mandatory Audit Units
- 01 Backend Template (Atum) ¹
- 02 Frontend Template (Cassiopeia) ¹
- 03 Authentication Flows (FE + BE Login)
- 04 MFA Captive View (FE + BE)
- 05 MFA Setup - Method / Methods Views
- 06 Media Manager (com_media)
- 07 Installer Wizard (com_installer/Install)
- 08 Backend List View Pattern
- 09 Backend Edit Form Pattern
- 10 Frontend User Forms
- 11 Backend Options including Permissions
- 12 Update Joomla
- 13 Install Joomla
¹ Template audit units cover the shared global elements that appear on every page: header, sidebar navigation, toolbar, footer, skip links, landmark structure, and global focus styles. Content-area findings are covered by the other audit units. Findings on template-level elements propagate to all views rendered within that template.
Unit 10 includes: com_users/Profile, com_contact/Form, com_content/Form (frontend article submission). Frontend article submission is included because logged-in Authors and Editors can create articles from the frontend by default.
Optional Audit Units
Bidders may include these at additional cost. Not required for acceptance.
- 14 - Workflow Graph (com_workflow/Graph)
  - Priority: Moderate
- 15 - Template Code Editor (com_templates)
  - Priority: Moderate
- 16 - Frontend Content Listing Pattern
  - Priority: High
- 17 - Frontend Content Detail + Utilities
  - Priority: High
Representative Views per Pattern
For pattern-based units (09 and 10), the auditor tests one primary view in full depth and spot-checks a second view to confirm findings generalise across the pattern.
| Unit | Primary Representative | Spot-Check View | Covers |
|---|---|---|---|
| 09 | com_content/Articles | com_menus/Items | ~55 list views |
| 10 | com_content/Article (edit) | com_menus/Item (edit) | ~40 form views |
com_menus/Item is chosen deliberately: the menu type selection opens a modal dialog, adding the dialog UI pattern to the edit form audit without requiring a separate unit.
UI Patterns Checklist
Within the audit units, the auditor must evaluate these cross-cutting UI patterns wherever encountered:
- Forms (labels, inputs, validation)
- Data tables (headers, sorting)
- Dialogs / Modals (focus trap, escape)
- Navigation (sidebar, menus, breadcrumbs)
- Tabs / Accordions (keyboard, ARIA)
- Toolbar / Buttons (target size, labels)
- Drag & Drop (single-pointer alternative)
- Status messages (live regions, toasts)
- TinyMCE Editor (keyboard trap)
- Guided Tours (focus, keyboard, AT)
Mandatory User Journeys
| No. | Journey | Path (indicative) | Tests |
|---|---|---|---|
| J1 | Backend Login & Orientation | Login → Credentials → Submit → Dashboard → Guided Tour triggers → Navigate sidebar to Content > Articles | Auth, Dashboard, Navigation, Focus, Guided Tour |
| J2 | Create & Publish Article | Articles list → New → Title → Editor text → Category → Insert image via Media → Save & Close | Edit form, TinyMCE, Media integration, Validation |
| J3 | Filter List & Batch Action | Articles list → Category filter → Select multiple via checkbox → Toolbar "Unpublish" → Perceive feedback | List view, Filters, Checkboxes, Toolbar, Status |
| J4 | Create Menu Item (incl. Dialog) | Menus → Items → New → Select type (modal) → Choose type → Fill form → Save & Close | Dialog focus trap, Form, Nested interaction |
| J5 | Frontend Login & Edit Profile | Frontend login → Credentials → Submit → Profile → Edit fields → Save | Frontend auth, Cassiopeia, Frontend forms |
| J6 | Change Global Configuration | Dashboard → System → Global Configuration → Switch tab → Change setting → Save | Tab navigation, Complex form, Save feedback |
Optional User Journeys
Bidders may propose additional journeys at additional cost. Recommended candidates:
| No. | Journey | Path (indicative) | Tests |
|---|---|---|---|
| J7 | Install Extension | System → Install → Upload → Wizard | Installer, Error handling, Progress feedback |
| J8 | Media Manager Standalone | Content → Media → Upload → Create folder → Move file | Drag & drop alternative, File operations |
| J9 | Frontend Contact Form | Contact page → Fill form → Solve captcha (PoW) → Submit → Perceive confirmation | Frontend form, Captcha (PoW), Validation, Feedback |
| J10 | Set Up MFA | Profile → MFA → Add method → Complete setup | MFA flow, QR code alternative |
| J11 | Create User Account | Frontend registration → Fill form → Submit → Confirmation / activation email | Registration form, Validation, Captcha (PoW), Feedback |
Browser Matrix
The minimum AT/browser matrix specified in the RFP is updated as follows:
Desktop:
- NVDA + Chrome and Firefox (may be tested as a combined pass)
- JAWS + Edge
- VoiceOver + Safari (macOS)
Mobile (minimum one combination):
- VoiceOver + Safari (iOS), or
- TalkBack + Chrome (Android)
Mobile testing applies to both the frontend (Cassiopeia) and the backend (Joomla admin). For the backend, the primary target environments are desktop and tablet. Full mobile conformance is not required for the backend; contractors should verify basic operability for the core user journeys on mobile and reflect this distinction in their methodology and effort estimate.
Contractors are welcome to propose an extended matrix with rationale and cost breakdown.