diff --git a/add_admin_country.php b/add_admin_country.php
deleted file mode 100644
index ad94989a..00000000
--- a/add_admin_country.php
+++ /dev/null
@@ -1,10 +0,0 @@
-exec("ALTER TABLE adminUser ADD COLUMN country VARCHAR(100) DEFAULT 'Jordan'");
- echo "SUCCESS: Added country column to adminUser\n";
-} catch (Exception $e) {
- echo "INFO: " . $e->getMessage() . "\n";
-}
-unlink(__FILE__);
diff --git a/backend/.env.example b/backend/.env.example
index 5dbb693e..a5e0bd8e 100644
--- a/backend/.env.example
+++ b/backend/.env.example
@@ -120,9 +120,10 @@ NABEH_API_KEY=
 SECRET_KEY_HMAC=
 # =============================================================================
-# Security Configuration - Fingerprint
+# Security Configuration - Fingerprint & Testers
 # =============================================================================
 FP_PEPPER=
+ALLOWED_TESTER_EMAILS=driver_tester@siromove.com,passenger_tester@siromove.com
 # =============================================================================
 # Gemini AI Configuration
diff --git a/backend/auth/captin/loginUsingCredentialsWithoutGoogle.php b/backend/auth/captin/loginUsingCredentialsWithoutGoogle.php
index 4440edc2..8ea6ef50 100644
--- a/backend/auth/captin/loginUsingCredentialsWithoutGoogle.php
+++ b/backend/auth/captin/loginUsingCredentialsWithoutGoogle.php
@@ -11,6 +11,31 @@ $password = filterRequest('password');
 $audience = filterRequest('aud') ?? 'siro-driver-android'; // الافتراضي
 $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
+// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
+$rateLimiter = new RateLimiter($redis);
+$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
+
+if (!$email || !$password) {
+ echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
+ exit();
+}
+
+// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
+$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
+$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
+if (empty($allowedEmails)) {
+ $allowedEmails = [
+ 'driver_tester@siromove.com',
+ 'passenger_tester@siromove.com',
+ ];
+}
+$cleanEmail = strtolower(trim($email));
+$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
+if (!$isTester) {
+ echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
+ exit();
+}
+
 // تشفير الإيميل لاستخدامه في الاستعلام
 $encryptedEmail = $encryptionHelper->encryptData($email);
diff --git a/backend/auth/loginUsingCredentialsWithoutGooglePassenger.php b/backend/auth/loginUsingCredentialsWithoutGooglePassenger.php
index 376651e2..7367426e 100644
--- a/backend/auth/loginUsingCredentialsWithoutGooglePassenger.php
+++ b/backend/auth/loginUsingCredentialsWithoutGooglePassenger.php
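Review bot: The `|| substr($cleanEmail, -13) === '@siromove.com'` clause on the `$isTester` line defeats the allowlist: every account on that domain passes the "tester only" gate, so `ALLOWED_TESTER_EMAILS` and the hard-coded fallback list above it restrict nothing; the same line appears in the passenger hunk below. The list entries are also compared non-strictly and without lowercasing against an already-lowercased `$cleanEmail`, so any env entry containing an uppercase letter can never match. I would drop the suffix clause and normalise the list the same way as the input: `$allowedEmails = array_map('strtolower', array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv))));` and `$isTester = in_array($cleanEmail, $allowedEmails, true);`. Note also that the lookup after the gate encrypts the raw `$email` rather than `$cleanEmail`, so the value that was authorised and the value that is queried can differ by case or surrounding whitespace; whether that matters depends on how the stored value was encrypted, which is outside the hunk. `$redis` and `$encryptionHelper` are not defined in the hunk and are presumably set up earlier in the file.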
@@ -9,11 +9,27 @@ $password = filterRequest("password");
 $fingerprint = filterRequest('fingerPrint') ?? filterRequest('fingerprint');
 $audience = filterRequest('aud') ?: 'siro_passenger';
+// 1. تطبيق حد معدل الطلبات (Rate Limiting) للفاحصين: 3 محاولات بالدقيقة لكل IP
+$rateLimiter = new RateLimiter($redis);
+$rateLimiter->enforce(RateLimiter::identifier(), 'tester_login');
+
+if (!$email || !$password) {
 echo json_encode(["status" => "failure", "message" => "Email and password are required"]);
 exit();
 }
+// 2. التحقق من أن الحساب مخصص للفحص فقط (isTest check)
+$allowedTesterEmailsEnv = getenv('ALLOWED_TESTER_EMAILS') ?: '';
+$allowedEmails = array_filter(array_map('trim', explode(',', $allowedTesterEmailsEnv)));
+
+
+$cleanEmail = strtolower(trim($email));
+$isTester = in_array($cleanEmail, $allowedEmails) || substr($cleanEmail, -13) === '@siromove.com';
+if (!$isTester) {
+ echo json_encode(["status" => "failure", "message" => "Access denied. Only tester accounts are allowed."]);
+ exit();
+}
+
 try {
 $con = Database::get('main');
diff --git a/backend/core/Auth/RateLimiter.php b/backend/core/Auth/RateLimiter.php
index 2457d9f0..8c97ec9c 100644
--- a/backend/core/Auth/RateLimiter.php
+++ b/backend/core/Auth/RateLimiter.php
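Review bot: The tester gate is a second copy of the block in the captin endpoint and already diverges from it: here an empty `ALLOWED_TESTER_EMAILS` leaves `$allowedEmails` as `[]` with no fallback list, whereas the captin file hard-codes two addresses, and the two blank `+` lines before `$cleanEmail` look like the spot where that block was dropped. Two copies of an authorisation rule will keep drifting, so I would move the env parsing and the `$isTester` decision into one shared helper (for example a static `isTesterEmail(string $email): bool` living next to `RateLimiter` under `backend/core/Auth/`) and call it from both endpoints. The domain-suffix bypass raised on the captin hunk applies to the `$isTester` line here as well. Since the `RateLimiter` constructor accepts `?Redis`, it is worth confirming that `enforce()` does not fail open when `$redis` (assigned outside this hunk) is null, as this path is reachable without authentication.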
@@ -10,12 +10,13 @@ class RateLimiter
 // حدود مختلفة لكل نوع endpoint
 private const LIMITS = [
- 'login' => ['requests' => 5, 'window' => 60], // 5 محاولات / دقيقة
- 'otp' => ['requests' => 3, 'window' => 300], // 3 محاولات / 5 دقائق
- 'register' => ['requests' => 3, 'window' => 3600], // 3 محاولات / ساعة
- 'api' => ['requests' => 120, 'window' => 60], // 120 طلب / دقيقة
- 'ride' => ['requests' => 30, 'window' => 60], // 30 طلب / دقيقة
- 'upload' => ['requests' => 10, 'window' => 300], // 10 رفع / 5 دقائق
+ 'login' => ['requests' => 5, 'window' => 60], // 5 محاولات / دقيقة
+ 'tester_login' => ['requests' => 3, 'window' => 60], // 3 محاولات / دقيقة
+ 'otp' => ['requests' => 3, 'window' => 300], // 3 محاولات / 5 دقائق
+ 'register' => ['requests' => 3, 'window' => 3600], // 3 محاولات / ساعة
+ 'api' => ['requests' => 120, 'window' => 60], // 120 طلب / دقيقة
+ 'ride' => ['requests' => 30, 'window' => 60], // 30 طلب / دقيقة
+ 'upload' => ['requests' => 10, 'window' => 300], // 10 رفع / 5 دقائق
 ];
 public function __construct(?Redis $redis)