diff --git a/.github/agents/copilot-instructions.md b/.github/agents/copilot-instructions.md
index 13f860f2..fa8d789c 100644
--- a/.github/agents/copilot-instructions.md
+++ b/.github/agents/copilot-instructions.md
@@ -268,6 +268,8 @@ ## Active Technologies
 - PostgreSQL existing `findings`, `operation_runs`, `audit_logs`, and related runtime tables only; no new persistence, migration, or data backfill is planned (253-remove-findings-backfill-runtime-surfaces)
 - TypeScript 6.0.3, Astro 6.3.3, Node.js >=20.0.0, pnpm 10.33.0 + Astro, `@astrojs/starlight`, `@astrojs/sitemap`, `@astrojs/mdx`, Tailwind CSS v4, `@tailwindcss/vite`, Preline 4, Lenis, GSAP, Sharp, Playwrigh (404-public-content-messaging)
 - N/A - static website content and generated build output only; no database or product persistence (404-public-content-messaging)
+- TypeScript 6.0.3 and Astro 6.3.3 content/runtime files + Astro, Playwright, Tailwind CSS v4 (`@tailwindcss/vite`), Starlight docs stack (408-review-evidence-decision)
+- N/A (static public website content only) (408-review-evidence-decision)
 - PHP 8.4.15 (feat/005-bulk-operations)
@@ -302,9 +304,9 @@ ## Code Style
 PHP 8.4.15: Follow standard conventions
 ## Recent Changes
+- 408-review-evidence-decision: Added TypeScript 6.0.3 and Astro 6.3.3 content/runtime files + Astro, Playwright, Tailwind CSS v4 (`@tailwindcss/vite`), Starlight docs stack
 - 404-public-content-messaging: Added TypeScript 6.0.3, Astro 6.3.3, Node.js >=20.0.0, pnpm 10.33.0 + Astro, `@astrojs/starlight`, `@astrojs/sitemap`, `@astrojs/mdx`, Tailwind CSS v4, `@tailwindcss/vite`, Preline 4, Lenis, GSAP, Sharp, Playwrigh
 - 253-remove-findings-backfill-runtime-surfaces: Added PHP 8.4 (Laravel 12) + Laravel 12 + Filament v5 + Livewire v4 + Pest; existing `UiEnforcement`, `OperationUxPresenter`, `OperationRunService`, `OperationCatalog`, `SystemOperationRunLinks`, `OperationRunLinks`, `AuditRecorder`, `WorkspaceAuditLogger`, and `PlatformCapabilities`
-- 251-commercial-entitlements-billing-state: Added PHP 8.4 (Laravel 12) + Filament v5 + Livewire v4, existing workspace settings stack (`SettingsRegistry`, `SettingsResolver`, `SettingsWriter`), `WorkspaceEntitlementResolver`, `ReviewPackService`, system directory detail page
 ### Pre-production compatibility check
diff --git a/apps/website/src/components/pages/HomePage.astro b/apps/website/src/components/pages/HomePage.astro
index 08eb4f59..02ad0783 100644
--- a/apps/website/src/components/pages/HomePage.astro
+++ b/apps/website/src/components/pages/HomePage.astro
@@ -97,7 +97,7 @@ const copy = siteCopy[locale].home;
-
+
{ copy.useCases.map((useCase: any) => (
diff --git a/apps/website/src/components/pages/PlatformPage.astro b/apps/website/src/components/pages/PlatformPage.astro
index 44543d95..309d034e 100644
--- a/apps/website/src/components/pages/PlatformPage.astro
+++ b/apps/website/src/components/pages/PlatformPage.astro
@@ -109,7 +109,7 @@ const canonicalPath = localizedPath('/platform', locale);

-
+
{ copy.useCases.map((useCase: any) => (
diff --git a/apps/website/src/components/pages/ReviewPacksPage.astro b/apps/website/src/components/pages/ReviewPacksPage.astro new file mode 100644 index 00000000..658205cc --- /dev/null +++ b/apps/website/src/components/pages/ReviewPacksPage.astro @@ -0,0 +1,475 @@ +--- +import MainLayout from '@/layouts/MainLayout.astro'; +import HeroSection from '@components/sections/landing/HeroSection.astro'; +import PrimaryCTA from '@components/ui/buttons/PrimaryCTA.astro'; +import SecondaryCTA from '@components/ui/buttons/SecondaryCTA.astro'; +import heroImage from '@images/tenantial-review-board.avif'; +import { SITE } from '@data/constants'; +import { siteCopy } from '@data/site-copy'; +import { + localeHtmlLang, + localizeHref, + localizedPath, + type Locale, +} from '@/i18n'; + +const { locale } = Astro.props; + +interface Props { + locale: Locale; +} + +const copy = siteCopy[locale].reviewPacks; +const siteDescription = siteCopy[locale].site.description; +const canonicalPath = localizedPath('/platform/review-packs', locale); +--- + + + + +
+
+

+ {copy.problemTitle} +

+

+ {copy.problemSubtitle} +

+
+ +
+ { + copy.problemCards.map((card: any) => ( +
+

+ {card.title} +

+

+ {card.content} +

+
+ )) + } +
+
+ +
+
+
+

+ {copy.workflowTitle} +

+

+ {copy.workflowSubtitle} +

+
+ +
+ { + copy.workflowSteps.map((step: any) => ( +
+ + {step.step} + +

+ {step.title} +

+

+ {step.content} +

+
+ )) + } +
+
+
+ +
+
+
+

+ {copy.anatomyTitle} +

+

+ {copy.anatomySubtitle} +

+
+ +
+ { + copy.reviewPackCards.map((card: any) => ( +
+
+ + {card.availabilityTone === 'soft-availability' + ? copy.softAvailabilityLabel + : copy.availableNowLabel} + +
+

+ {card.title} +

+

+ {card.content} +

+
+ )) + } +
+
+
+ +
+
+
+
+

+ {copy.evidenceTitle} +

+

+ {copy.evidenceSubtitle} +

+
+ +
+ { + copy.evidenceCards.map((card: any) => ( +
+
+ + + +
+
+

+ {card.title} +

+

+ {card.content} +

+
+
+ )) + } +
+
+ +
+
+

+ {copy.decisionTitle} +

+

+ {copy.decisionSubtitle} +

+
+ +
+ { + copy.decisionCards.map((card: any) => ( +
+
+ + + +
+
+

+ {card.title} +

+

+ {card.content} +

+
+
+ )) + } +
+
+
+
+ +
+
+
+

+ {copy.boundaryTitle} +

+

+ {copy.boundarySubtitle} +

+
+ +
+ { + copy.boundaryColumns.map((column: any) => ( +
+

+ {column.title} +

+
    + {column.items.map((item: string) => ( +
  • + {item} +
  • + ))} +
+
+ )) + } +
+ +

+ {copy.boundaryNote} +

+
+
+ +
+
+

+ {copy.audienceTitle} +

+

+ {copy.audienceSubtitle} +

+
+ +
+ { + copy.audienceCards.map((card: any) => ( +
+

+ {card.title} +

+

+ {card.content} +

+
+ )) + } +
+
+ +
+
+

+ {copy.comparisonTitle} +

+

+ {copy.comparisonSubtitle} +

+
+ +
+ { + copy.comparisonRows.map((row: any) => ( +
+

+ {row.title} +

+
+
+

+ {copy.comparisonRawLabel} +

+

+ {row.rawExport} +

+
+
+

+ {copy.comparisonStoryLabel} +

+

+ {row.reviewStory} +

+
+
+
+ )) + } +
+
+ +
+
+
+

+ {copy.trustTeaserTitle} +

+

+ {copy.trustTeaserSubtitle} +

+
+ +
+
+ +
    + { + copy.trustPoints.map((point: string) => ( +
  • + {point} +
  • + )) + } +
+
+
+ +
+
+
+

+ {copy.finalCtaTitle} +

+

+ {copy.finalCtaSubtitle} +

+
+ +
+ + +
+
+
+
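Review bot: Every `.map` callback in this new page annotates its item as `any` (`card: any`, `step: any`, `column: any`, `row: any`), so the template is never checked against the keys that `site-copy.ts` defines under `reviewPacks`; a renamed or missing key would render as empty text instead of failing the build. The one branch that depends on a value, `card.availabilityTone === 'soft-availability'`, treats every other string as available, and the data pairs it with the differently shaped `'hard-available'`, so a typo in either tag silently shows `copy.availableNowLabel`. I would type the field as `availabilityTone: 'hard-available' | 'soft-availability'` and drop the annotations, e.g. `copy.reviewPackCards.map((card) => (`, assuming `siteCopy` has a concrete type to infer from (its generic arguments are not visible here). The page markup is stripped in this view, so only the frontmatter and the `{…}` expressions were reviewed.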
diff --git a/apps/website/src/data_files/site-copy.ts b/apps/website/src/data_files/site-copy.ts
index 1f3e4d2c..4405201b 100644
--- a/apps/website/src/data_files/site-copy.ts
+++ b/apps/website/src/data_files/site-copy.ts
@@ -57,6 +57,7 @@ export const siteCopy: Record = {
 section: 'Produkt',
 links: [
 { name: 'Plattform', url: '/platform' },
+ { name: 'Review Packs', url: '/platform/review-packs' },
 { name: 'MSPs', url: '/use-cases/msp' },
 { name: 'Interne IT', url: '/use-cases/mittelstand' },
 { name: 'Preise', url: '/pricing' },
@@ -141,6 +142,14 @@ export const siteCopy: Record = {
 cta: 'Interne IT ansehen',
 href: '/use-cases/mittelstand',
 },
+ {
+ eyebrow: 'Für Reviews',
+ title: 'Review Packs als Gesprächsgrundlage zeigen',
+ content:
+ 'Zeige, wie Review Packs Evidence, Findings, Accepted Risks und nächste Schritte in eine customer-safe Review-Story übersetzen.',
+ cta: 'Review-Pack-Story ansehen',
+ href: '/platform/review-packs',
+ },
 ],
 boundaryTitle: 'Gebaut für Governance. Nicht für blinde Automatisierung.',
 boundarySubtitle:
@@ -339,6 +348,10 @@ export const siteCopy: Record = {
 'Intune ist der erste starke Policy-Fokus, aber die Story bleibt Microsoft 365 Governance und nicht nur ein Backup-Werkzeug.',
 },
 ],
+ reviewPackTeaserTitle: 'Review-Pack-Story im Kundengespräch zeigen',
+ reviewPackTeaserSubtitle:
+ 'Wenn aus Evidence, Findings und Accepted Risks eine lesbare Kundenunterlage werden soll, führt die Review-Pack-Story direkt zur passenden Entscheidungsrahmung weiter.',
+ reviewPackTeaserCta: 'Review-Pack-Story für Kunden zeigen',
 trustTeaserTitle: 'Trust-Fragen bleiben sauber anschlussfaehig',
 trustTeaserSubtitle:
 'Wenn Kunden nach Datenschutz, Security oder Dokumentenstatus fragen, bleibt die Antwort auf die bestehende Trust-Haltung verankert statt in Marketing-Uebertreibung abzudriften.',
@@ -502,9 +515,14 @@ export const siteCopy: Record = {
 {
 title: 'Keine autonome Compliance-Automation',
 content:
- 'Die Seite verspricht keine automatische Remediation, keine vollautomatisierte Recovery und keine pauschalen Compliance-Ergebnisse.',
+ 'Die Seite verspricht keine selbstlaufende Policy-Durchsetzung, keine hands-off Recovery und keine pauschalen Compliance-Ergebnisse.',
 },
 ],
+ reviewPackTeaserTitle:
+ 'Review-Pack-Story für Reviews und Management nutzen',
+ reviewPackTeaserSubtitle:
+ 'Wenn Status, Evidence, Accepted Risks und nächste Schritte für Review oder Management lesbar werden sollen, führt die Review-Pack-Story zur passenden Unterlage weiter.',
+ reviewPackTeaserCta: 'Review-Pack-Story für Reviews',
 trustTeaserTitle:
 'Trust und Datenschutz bleiben Teil derselben Erzaehlung',
 trustTeaserSubtitle:
@@ -563,6 +581,13 @@ export const siteCopy: Record = {
 cta: 'Interne IT ansehen',
 href: '/use-cases/mittelstand',
 },
+ {
+ title: 'Review Packs',
+ content:
+ 'Fokussiert auf customer-safe Reviews mit Evidence, Findings, Accepted Risks und Decision Summaries statt Roh-Exports.',
+ cta: 'Review Packs verstehen',
+ href: '/platform/review-packs',
+ },
 ],
 backupTitle: 'Beobachteter Zustand und Policy-Evidence',
 backupSubtitle:
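Review bot: The reworded boundary card no longer rules out automated remediation: the removed line said `keine automatische Remediation, keine vollautomatisierte Recovery`, the added one says `keine selbstlaufende Policy-Durchsetzung, keine hands-off Recovery`, and the English hunk at `@@ -1406,9 +1721,14 @@` makes the same swap. Enforcing a policy and remediating a finding are different capabilities to someone evaluating what the product is allowed to change in a tenant, so the list of things the page does not promise is now narrower than before. If the product scope is unchanged, keep the original term next to the new one, e.g. `'The page does not promise automatic remediation, self-running policy enforcement, hands-off recovery, or blanket compliance outcomes.'` and the matching German sentence.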
@@ -594,6 +619,283 @@ export const siteCopy: Record = {
 mainStatSubTitle:
 'Microsoft 365 ist der erste öffentliche Fokus der Produktstory',
 },
+ reviewPacks: {
+ pageTitle: 'Review Packs | Tenantial',
+ metaDescription:
+ 'Review Packs, Evidence, Accepted Risks und Decision Summaries für Microsoft 365 Service-Reviews, Management-Gespräche und Audit-Vorbereitung.',
+ heroTitle:
+ 'Review Packs für prüfbare Entscheidungen statt Screenshot-Governance.',
+ heroSubtitle:
+ 'Tenantial rahmt Policy-Zustand, Evidence, Findings, Accepted Risks und Decision Summaries so, dass Management, Security und Delivery über dieselbe Review-Grundlage sprechen können.',
+ supportingLine:
+ 'Von Policy-Drift über Evidence bis zum nächsten Schritt: eine lesbare Review-Story für Microsoft 365 Governance.',
+ primaryCta: 'Walkthrough anfragen',
+ secondaryCta: 'Plattform ansehen',
+ heroAlt: 'Statische Tenantial Review-Pack-Vorschau',
+ availableNowLabel: 'Kerninhalt',
+ softAvailabilityLabel: 'Wenn passend',
+ problemTitle: 'Technische Wahrheit allein reicht nicht',
+ problemSubtitle:
+ 'Screenshots, Export-Fragmente und Admin-Center-Momentaufnahmen zeigen Zustand, aber noch keine belastbare Entscheidungsgrundlage für Reviews, Management-Gespräche oder Audit-Vorbereitung.',
+ problemCards: [
+ {
+ title: 'Zu viel Rohmaterial',
+ content:
+ 'Ein Export sagt selten, was priorisiert werden muss, welche Ausnahme bewusst akzeptiert wurde oder welche Entscheidung als Nächstes ansteht.',
+ },
+ {
+ title: 'Evidence ohne Erzählung',
+ content:
+ 'Evidence hilft nur dann, wenn sichtbar bleibt, worauf sie sich bezieht und welche Aussage damit wirklich gestützt wird.',
+ },
+ {
+ title: 'Accepted Risks verschwinden leicht',
+ content:
+ 'Ohne klare Review-Unterlage werden akzeptierte Risiken schnell zu impliziten Nebenabsprachen statt zu nachvollziehbaren Management-Entscheidungen.',
+ },
+ {
+ title: 'Follow-up verliert Kontext',
+ content:
+ 'Der nächste Schritt wirkt beliebig, wenn Status, Begründung, Auswirkung und Evidence-Basis nicht in derselben Story verbunden bleiben.',
+ },
+ ],
+ workflowTitle: 'Von Policy-Zustand zur Review-Entscheidung',
+ workflowSubtitle:
+ 'Review Packs beschreiben keinen magischen Export. Sie rahmen die Abfolge, mit der technische Wahrheit in eine lesbare Management- und Delivery-Entscheidung übersetzt wird.',
+ workflowSteps: [
+ {
+ step: '01',
+ title: 'Zustand festhalten',
+ content:
+ 'Bekannte Policy-Stände und relevante Änderungen bleiben als nachvollziehbarer Ausgangspunkt sichtbar.',
+ },
+ {
+ step: '02',
+ title: 'Drift erkennen',
+ content:
+ 'Abweichungen werden früh genug sichtbar, damit das Gespräch nicht erst bei einem Audit oder Eskalationsmoment beginnt.',
+ },
+ {
+ step: '03',
+ title: 'Evidence verknüpfen',
+ content:
+ 'Evidence wird an Findings, Risiken und den konkreten Kontext gebunden, statt als lose Screenshot-Sammlung zu enden.',
+ },
+ {
+ step: '04',
+ title: 'Findings bewerten',
+ content:
+ 'Die Story zeigt, welche Punkte offen, akzeptiert oder priorisiert sind und warum das aus Governance-Sicht relevant ist.',
+ },
+ {
+ step: '05',
+ title: 'Decision Summary formulieren',
+ content:
+ 'Status, Begründung, Auswirkung, Evidence-Basis und nächster Schritt werden in eine Management-lesbare Form gebracht.',
+ },
+ {
+ step: '06',
+ title: 'Review Pack vorbereiten',
+ content:
+ 'Das Ergebnis ist eine customer-safe Unterlage für Service-Review, Management-Gespräch, Audit-Vorbereitung oder Recovery-Abstimmung.',
+ },
+ ],
+ anatomyTitle: 'Was in einem Review Pack zusammenkommt',
+ anatomySubtitle:
+ 'Die Review-Pack-Story ordnet dieselbe Governance-Wahrheit in Bausteine, die Management, Security und Delivery ohne Operator-Rohdetails lesen können.',
+ reviewPackCards: [
+ {
+ title: 'Executive Summary',
+ content:
+ 'Die Lage auf einen Blick: was sich verändert hat, warum es wichtig ist und welche Entscheidung vorbereitet werden muss.',
+ availabilityTone: 'hard-available',
+ },
+ {
+ title: 'Evidence-Basis',
+ content:
+ 'Die zugrunde liegenden Hinweise, Nachweise und Review-Bezüge bleiben sichtbar, ohne Rohdaten ungebremst auszuschütten.',
+ availabilityTone: 'hard-available',
+ },
+ {
+ title: 'Findings',
+ content:
+ 'Offene Punkte, Auffälligkeiten und priorisierte Abweichungen werden als echte Review-Arbeit lesbar gemacht.',
+ availabilityTone: 'hard-available',
+ },
+ {
+ title: 'Accepted Risks',
+ content:
+ 'Akzeptierte Risiken bleiben als bewusste Entscheidung dokumentiert statt als stillschweigende Nebenwirkung.',
+ availabilityTone: 'hard-available',
+ },
+ {
+ title: 'Decision Summary',
+ content:
+ 'Die Unterlage zeigt Status, Begründung, Auswirkung, Evidence-Basis und den nächsten Schritt in einer Management-tauglichen Form.',
+ availabilityTone: 'hard-available',
+ },
+ {
+ title: 'Review-Pack-Status',
+ content:
+ 'Lesbar bleibt, ob etwas bereit zur Besprechung ist, auf Klärung wartet oder bewusst als Risiko im Raum steht.',
+ availabilityTone: 'hard-available',
+ },
+ {
+ title: 'Download- oder Export-Kontext',
+ content:
+ 'Wenn ein Handoff gebraucht wird, kann aus derselben Story exportfähiges Material vorbereitet werden, ohne eine starre Lieferform zu versprechen.',
+ availabilityTone: 'soft-availability',
+ },
+ ],
+ evidenceTitle: 'Evidence erklärt mehr als Screenshots',
+ evidenceSubtitle:
+ 'Auf der öffentlichen Seite steht Evidence für reviewbare Begründung, nicht für vollständige Rohdaten oder pauschale Beweisversprechen.',
+ evidenceCards: [
+ {
+ title: 'Policy Evidence',
+ content:
+ 'Welche Policy-Lage wurde beobachtet und welcher bekannte Zustand dient als Vergleichsbasis?',
+ },
+ {
+ title: 'Change Evidence',
+ content:
+ 'Welche Änderung oder Drift ist für die aktuelle Diskussion tatsächlich relevant?',
+ },
+ {
+ title: 'Finding Evidence',
+ content:
+ 'Welche Beobachtung stützt das Finding, ohne dass das Gespräch in Rohdetails oder Debug-Spuren abgleitet?',
+ },
+ {
+ title: 'Recovery Evidence',
+ content:
+ 'Welche abgesicherten Stände oder Grenzen sind für Recovery- und Rollout-Abwägungen relevant?',
+ },
+ {
+ title: 'Review Evidence',
+ content:
+ 'Welche Hinweise helfen, eine Management- oder Kundenentscheidung reviewfähig und nachvollziehbar zu machen?',
+ },
+ ],
+ decisionTitle: 'Decision Summaries machen Entscheidungen lesbar',
+ decisionSubtitle:
+ 'Die Decision Summary verdichtet nicht blind, sondern hält genau die Facetten sichtbar, die zwischen Beobachtung und nächstem Schritt fehlen würden.',
+ decisionCards: [
+ {
+ title: 'Status',
+ content:
+ 'Zeigt, ob etwas reviewbereit, offen, akzeptiert oder weiter zu klären ist.',
+ },
+ {
+ title: 'Begründung',
+ content:
+ 'Erklärt, warum ein Finding relevant ist oder warum ein Risiko bewusst akzeptiert wurde.',
+ },
+ {
+ title: 'Auswirkung',
+ content:
+ 'Rahmt, welche operative, sicherheitsbezogene oder auditseitige Bedeutung die Beobachtung wirklich hat.',
+ },
+ {
+ title: 'Evidence',
+ content:
+ 'Bindet die Entscheidung an die zugrunde liegende Review-Basis statt an Bauchgefühl.',
+ },
+ {
+ title: 'Nächster Schritt',
+ content:
+ 'Hält fest, wer als Nächstes prüfen, freigeben oder nacharbeiten sollte.',
+ },
+ {
+ title: 'Review-Kontext',
+ content:
+ 'Sorgt dafür, dass Service-Review, Audit-Vorbereitung und Management-Gespräch auf dieselbe Story schauen.',
+ },
+ ],
+ boundaryTitle: 'Customer-safe Review statt interner Rohdetails',
+ boundarySubtitle:
+ 'Die öffentliche Review-Pack-Story erklärt klar, was in eine kundenfähige Unterlage gehört und was standardmäßig intern bleibt.',
+ boundaryColumns: [
+ {
+ title: 'Für Kunden und Stakeholder sichtbar',
+ items: [
+ 'Executive Summary mit klarer Management-Sprache',
+ 'Findings, Accepted Risks und Decision Summary',
+ 'Evidence-Basis in lesbarer, reviewbarer Form',
+ 'Status, nächste Schritte und Review-Kontext',
+ ],
+ },
+ {
+ title: 'Bleibt standardmäßig intern',
+ items: [
+ 'Roh-Payloads, interne Job-IDs und Debug-Spuren',
+ 'Stack Traces, interne Fingerprints und Low-Level-Links',
+ 'Secrets, unredigierte Diagnosekontexte und interne Reason-Familien',
+ 'Operator-only Detailtiefe, die ein Kundenreview nicht braucht',
+ ],
+ },
+ ],
+ boundaryNote:
+ 'Download- oder Exportformate bleiben bewusst weich formuliert: Wenn ein Handoff gebraucht wird, kann daraus prüfbares Material vorbereitet werden, ohne automatische Exporte oder feste PDF-Lieferung zu behaupten.',
+ audienceTitle:
+ 'Warum dieselbe Story für MSPs und Enterprise IT funktioniert',
+ audienceSubtitle:
+ 'Review Packs bleiben ein gemeinsamer Governance-Baustein, auch wenn MSP-Reviews und interne Management-Gespräche unterschiedlich aussehen.',
+ audienceCards: [
+ {
+ title: 'Für MSP-Service-Reviews',
+ content:
+ 'MSPs können aus Policy-Zustand, Evidence, Findings und Accepted Risks eine wiederholbare Kundenunterlage machen, die Entscheidungen vorbereitet statt nur Quellen zu sammeln.',
+ },
+ {
+ title: 'Für Enterprise IT, Security und Audit',
+ content:
+ 'Interne Teams erhalten eine lesbare Entscheidungsgrundlage für Management-Review, Audit-Vorbereitung, Recovery-Abwägung und priorisierte Nacharbeit.',
+ },
+ ],
+ comparisonTitle: 'Roh-Export versus Review-Story',
+ comparisonSubtitle:
+ 'Der Unterschied liegt nicht in mehr Rohmaterial, sondern in besserer Einordnung für die nächste belastbare Entscheidung.',
+ comparisonRawLabel: 'Roh-Export',
+ comparisonStoryLabel: 'Tenantial Review-Story',
+ comparisonRows: [
+ {
+ title: 'Lesbarkeit',
+ rawExport:
+ 'Zeigt Datenpunkte oder Punkt-in-Zeit-Fragmente, aber noch keine priorisierte Story für Management oder Kundenreview.',
+ reviewStory:
+ 'Verbindet denselben Zustand mit Evidence, Findings, Accepted Risks und dem nächsten Schritt in einer lesbaren Review-Struktur.',
+ },
+ {
+ title: 'Management-Gespräch',
+ rawExport:
+ 'Lässt offen, was wirklich relevant ist, welche Ausnahme bewusst bleibt und welche Entscheidung vorbereitet werden soll.',
+ reviewStory:
+ 'Zeigt Status, Begründung, Auswirkung und Decision Summary so, dass Management und Delivery denselben Sachverhalt diskutieren.',
+ },
+ {
+ title: 'Follow-up',
+ rawExport:
+ 'Erzeugt leicht Nebenlisten, Tickets oder Screenshots ohne sichtbare Verbindung zurück zur eigentlichen Governance-Frage.',
+ reviewStory:
+ 'Hält Follow-up an Review-Kontext und Evidence-Basis gekoppelt, bis die Entscheidung sauber geschlossen ist.',
+ },
+ ],
+ trustTeaserTitle: 'Trust-Fragen bleiben an reale Handoffs angebunden',
+ trustTeaserSubtitle:
+ 'Wenn Datenschutz, Security oder Disclosure gefragt sind, führt die Review-Pack-Story weiter zur bestehenden Trust-Seite statt zu erfundenen Download- oder Portal-Versprechen.',
+ trustTeaserCta: 'Trust-Haltung ansehen',
+ trustPoints: [
+ 'Provider-Berechtigungen und Dokumentenstatus bleiben explizit',
+ 'Keine Fake-Zertifikate, keine pauschalen Compliance-Versprechen',
+ 'Review-, Evidence- und Recovery-Sprache bleibt kontrolliert und anschlussfähig',
+ ],
+ finalCtaTitle: 'Review Packs als lesbare Governance-Gespräche zeigen',
+ finalCtaSubtitle:
+ 'In einem Walkthrough zeigt Tenantial, wie Review Packs Evidence, Findings und Accepted Risks in nachvollziehbare nächste Entscheidungen übersetzen können.',
+ finalPrimaryCta: 'Walkthrough anfragen',
+ finalSecondaryCta: 'Plattform ansehen',
+ },
 pricingIntro: {
 pageTitle: 'Preise | Tenantial',
 metaDescription:
@@ -962,6 +1264,7 @@ export const siteCopy: Record = {
 section: 'Product',
 links: [
 { name: 'Platform', url: '/platform' },
+ { name: 'Review Packs', url: '/platform/review-packs' },
 { name: 'MSPs', url: '/use-cases/msp' },
 { name: 'Internal IT', url: '/use-cases/mittelstand' },
 { name: 'Pricing', url: '/pricing' },
@@ -1046,6 +1349,14 @@ export const siteCopy: Record = {
 cta: 'Explore internal IT use case',
 href: '/use-cases/mittelstand',
 },
+ {
+ eyebrow: 'For reviews',
+ title: 'Show review packs as the conversation baseline',
+ content:
+ 'Show how review packs translate evidence, findings, accepted risks, and next actions into a customer-safe review story.',
+ cta: 'Explore review-pack story',
+ href: '/platform/review-packs',
+ },
 ],
 boundaryTitle: 'Built for governance. Not blind automation.',
 boundarySubtitle:
@@ -1244,6 +1555,10 @@ export const siteCopy: Record = {
 'Intune is the first strong policy focus, but the story stays Microsoft 365 governance rather than a narrow backup utility.',
 },
 ],
+ reviewPackTeaserTitle: 'Show the review-pack story in customer reviews',
+ reviewPackTeaserSubtitle:
+ 'When evidence, findings, and accepted risks need to become readable customer material, the review-pack story carries that handoff forward.',
+ reviewPackTeaserCta: 'Show the review-pack story',
 trustTeaserTitle: 'Trust questions stay connected to a real posture',
 trustTeaserSubtitle:
 'When customers ask about privacy, security, or document status, the answer stays anchored in the existing trust surface instead of drifting into marketing overclaims.',
@@ -1406,9 +1721,14 @@ export const siteCopy: Record = {
 {
 title: 'No autonomous compliance automation',
 content:
- 'The page does not promise automatic remediation, fully automated recovery, or blanket compliance outcomes.',
+ 'The page does not promise self-running policy enforcement, hands-off recovery, or blanket compliance outcomes.',
 },
 ],
+ reviewPackTeaserTitle:
+ 'Use the review-pack story for reviews and management',
+ reviewPackTeaserSubtitle:
+ 'When status, evidence, accepted risks, and next actions need to be readable for review or management, the review-pack story carries that artifact framing forward.',
+ reviewPackTeaserCta: 'Review-pack story for reviews',
 trustTeaserTitle: 'Trust and privacy stay part of the same story',
 trustTeaserSubtitle:
 'Internal evaluators need clear statements about provider permissions, data categories, and document status. The trust page continues that conversation conservatively.',
@@ -1466,6 +1786,13 @@ export const siteCopy: Record = {
 cta: 'See internal IT path',
 href: '/use-cases/mittelstand',
 },
+ {
+ title: 'Review packs',
+ content:
+ 'Focused on customer-safe reviews with evidence, findings, accepted risks, and decision summaries instead of raw exports.',
+ cta: 'See review-pack story',
+ href: '/platform/review-packs',
+ },
 ],
 backupTitle: 'Observed state and policy evidence',
 backupSubtitle:
@@ -1493,6 +1820,281 @@ export const siteCopy: Record = { mainStatTitle: 'Today', mainStatSubTitle: 'Microsoft 365 is the first public product focus', }, + reviewPacks: { + pageTitle: 'Review Packs | Tenantial', + metaDescription: + 'Review Packs, evidence, accepted risks, and decision summaries for Microsoft 365 service reviews, management conversations, and audit preparation.', + heroTitle: + 'Review packs for traceable decisions instead of screenshot governance.', + heroSubtitle: + 'Tenantial frames policy state, evidence, findings, accepted risks, and decision summaries so management, security, and delivery teams can work from the same review baseline.', + supportingLine: + 'From policy drift through evidence to the next action: one readable review story for Microsoft 365 governance.', + primaryCta: 'Request walkthrough', + secondaryCta: 'View platform', + heroAlt: 'Static Tenantial review-pack preview', + availableNowLabel: 'Core content', + softAvailabilityLabel: 'When suitable', + problemTitle: 'Technical truth alone is not enough', + problemSubtitle: + 'Screenshots, export fragments, and admin-center snapshots show state, but they do not yet provide a readable basis for reviews, management conversations, or audit preparation.', + problemCards: [ + { + title: 'Too much raw material', + content: + 'An export rarely explains what should be prioritized, which exception was deliberately accepted, or what decision needs to be made next.', + }, + { + title: 'Evidence without a story', + content: + 'Evidence only helps when it stays tied to the finding, the risk, and the question that the review is actually trying to answer.', + }, + { + title: 'Accepted risks disappear easily', + content: + 'Without a clear review document, accepted risks quickly become side agreements instead of traceable management decisions.', + }, + { + title: 'Follow-up loses context', + content: + 'The next action feels arbitrary when status, reasoning, impact, and evidence basis do not stay 
inside the same story.', + }, + ], + workflowTitle: 'From policy state to a review decision', + workflowSubtitle: + 'Review packs are not positioned as a magical export. They frame the sequence that turns technical truth into a readable management and delivery decision.', + workflowSteps: [ + { + step: '01', + title: 'Capture state', + content: + 'Known policy states and relevant changes remain visible as the baseline for the conversation.', + }, + { + step: '02', + title: 'Recognize drift', + content: + 'Differences appear early enough that the conversation does not begin only when audit or escalation pressure is already high.', + }, + { + step: '03', + title: 'Link evidence', + content: + 'Evidence stays connected to findings, risks, and the exact review context instead of ending as a pile of screenshots.', + }, + { + step: '04', + title: 'Evaluate findings', + content: + 'The story explains which issues are open, accepted, or prioritized and why they matter from a governance perspective.', + }, + { + step: '05', + title: 'Write the decision summary', + content: + 'Status, reasoning, impact, evidence basis, and next step are translated into a management-readable summary.', + }, + { + step: '06', + title: 'Prepare the review pack', + content: + 'The result is a customer-safe artifact for service reviews, management conversations, audit preparation, or recovery alignment.', + }, + ], + anatomyTitle: 'What comes together in a review pack', + anatomySubtitle: + 'The review-pack story organizes the same governance truth into building blocks that management, security, and delivery can read without operator-only raw detail.', + reviewPackCards: [ + { + title: 'Executive summary', + content: + 'The situation at a glance: what changed, why it matters, and which decision needs to be prepared.', + availabilityTone: 'hard-available', + }, + { + title: 'Evidence basis', + content: + 'The supporting review basis stays visible without dumping raw detail into the conversation.', 
+ availabilityTone: 'hard-available', + }, + { + title: 'Findings', + content: + 'Open points, observations, and prioritized deviations become readable review work.', + availabilityTone: 'hard-available', + }, + { + title: 'Accepted risks', + content: + 'Accepted risks remain documented as deliberate choices instead of silent side effects.', + availabilityTone: 'hard-available', + }, + { + title: 'Decision summary', + content: + 'The artifact shows status, reasoning, impact, evidence basis, and the next step in management-ready language.', + availabilityTone: 'hard-available', + }, + { + title: 'Review-pack status', + content: + 'It stays visible whether something is ready to review, still waiting on clarification, or intentionally held as a known risk.', + availabilityTone: 'hard-available', + }, + { + title: 'Download or export context', + content: + 'If a handoff is needed, exportable material can be prepared from the same story without promising one rigid delivery format.', + availabilityTone: 'soft-availability', + }, + ], + evidenceTitle: 'Evidence should explain more than screenshots', + evidenceSubtitle: + 'On the public page, evidence means reviewable proof context, not full raw-data exposure or blanket proof claims.', + evidenceCards: [ + { + title: 'Policy evidence', + content: + 'Which policy condition was observed and which known baseline matters for comparison?', + }, + { + title: 'Change evidence', + content: + 'Which change or drift actually matters for the present management or customer conversation?', + }, + { + title: 'Finding evidence', + content: + 'Which reviewable detail supports the finding without forcing the audience into raw payloads or debug traces?', + }, + { + title: 'Recovery evidence', + content: + 'Which protected states or boundaries matter when recovery or rollout decisions are being weighed?', + }, + { + title: 'Review evidence', + content: + 'Which evidence helps make the conversation reviewable for management, the customer, or 
audit stakeholders?', + }, + ], + decisionTitle: 'Decision summaries make decisions readable', + decisionSubtitle: + 'A decision summary does not compress blindly. It keeps the exact facets visible that would otherwise be lost between observation and the next action.', + decisionCards: [ + { + title: 'Status', + content: + 'Shows whether something is review-ready, still open, accepted, or waiting for clarification.', + }, + { + title: 'Reasoning', + content: + 'Explains why a finding matters or why a risk was deliberately accepted.', + }, + { + title: 'Impact', + content: + 'Frames the operational, security, or audit significance of the issue.', + }, + { + title: 'Evidence', + content: + 'Keeps the decision attached to the supporting review basis instead of gut feel.', + }, + { + title: 'Next action', + content: 'Makes clear who should review, approve, or follow up next.', + }, + { + title: 'Review context', + content: + 'Keeps service reviews, audit preparation, and management conversations anchored in the same story.', + }, + ], + boundaryTitle: 'Customer-safe review instead of internal raw detail', + boundarySubtitle: + 'The public review-pack story should make it obvious what belongs in a customer-facing review and what stays internal by default.', + boundaryColumns: [ + { + title: 'Visible to customers and stakeholders', + items: [ + 'Executive summary in clear management language', + 'Findings, accepted risks, and decision summary', + 'Evidence basis in readable, reviewable form', + 'Status, next actions, and review context', + ], + }, + { + title: 'Stays internal by default', + items: [ + 'Raw payloads, internal job IDs, and debug traces', + 'Stack traces, internal fingerprints, and low-level links', + 'Secrets, unredacted diagnostics, and internal reason families', + 'Operator-only detail that a customer review does not need', + ], + }, + ], + boundaryNote: + 'Download or export wording stays intentionally soft: if a handoff is needed, reviewable material 
can be prepared without claiming automatic exports or a fixed PDF workflow.', + audienceTitle: 'Why the same story works for MSPs and enterprise IT', + audienceSubtitle: + 'Review packs stay one shared governance building block even when MSP service reviews and internal management conversations look different.', + audienceCards: [ + { + title: 'For MSP service reviews', + content: + 'MSPs can turn policy state, evidence, findings, and accepted risks into repeatable customer material that prepares decisions instead of merely collecting sources.', + }, + { + title: 'For enterprise IT, security, and audit', + content: + 'Internal teams get one readable decision basis for management review, audit preparation, recovery alignment, and prioritized follow-up.', + }, + ], + comparisonTitle: 'Raw export versus review story', + comparisonSubtitle: + 'The difference is not more raw material. It is better framing for the next defensible decision.', + comparisonRawLabel: 'Raw export', + comparisonStoryLabel: 'Tenantial review story', + comparisonRows: [ + { + title: 'Readability', + rawExport: + 'Shows data points or point-in-time fragments, but not yet a prioritized story for management or customer review.', + reviewStory: + 'Connects the same state to evidence, findings, accepted risks, and the next action in one readable review structure.', + }, + { + title: 'Management conversation', + rawExport: + 'Leaves it unclear what is truly relevant, which exception was accepted, and which decision should now be made.', + reviewStory: + 'Makes status, reasoning, impact, and the decision summary readable so management and delivery discuss the same underlying situation.', + }, + { + title: 'Follow-up', + rawExport: + 'Easily creates side lists, tickets, or screenshots with little visible connection back to the original governance question.', + reviewStory: + 'Keeps follow-up tied to review context and evidence basis until the decision is actually closed.', + }, + ], + trustTeaserTitle: 
'Trust questions stay anchored to real handoffs', + trustTeaserSubtitle: + 'When privacy, security, or disclosure questions appear, the review-pack story should lead into the existing trust surface instead of invented downloads or portal promises.', + trustTeaserCta: 'Review trust posture', + trustPoints: [ + 'Provider permissions and document status stay explicit', + 'No fake certifications or blanket compliance promises', + 'Review, evidence, and recovery language stays controlled and connected', + ], + finalCtaTitle: 'Show review packs as readable governance conversations', + finalCtaSubtitle: + 'In a walkthrough, Tenantial shows how review packs can turn evidence, findings, and accepted risks into a traceable next decision.', + finalPrimaryCta: 'Request walkthrough', + finalSecondaryCta: 'View platform', + }, pricingIntro: { pageTitle: 'Pricing | Tenantial', metaDescription: diff --git a/apps/website/src/pages/en/platform/review-packs.astro b/apps/website/src/pages/en/platform/review-packs.astro new file mode 100644 index 00000000..5d3d79d7 --- /dev/null +++ b/apps/website/src/pages/en/platform/review-packs.astro @@ -0,0 +1,5 @@ +--- +import ReviewPacksPage from '@components/pages/ReviewPacksPage.astro'; +--- + + diff --git a/apps/website/src/pages/en/use-cases/mittelstand.astro b/apps/website/src/pages/en/use-cases/mittelstand.astro index fce01939..bbc98c8b 100644 --- a/apps/website/src/pages/en/use-cases/mittelstand.astro +++ b/apps/website/src/pages/en/use-cases/mittelstand.astro @@ -223,6 +223,33 @@ const canonicalPath = localizedPath('/use-cases/mittelstand', locale);
+
+
+
+

+ {copy.reviewPackTeaserTitle} +

+

+ {copy.reviewPackTeaserSubtitle} +

+
+ +
+
+
+
+
diff --git a/apps/website/src/pages/en/use-cases/msp.astro b/apps/website/src/pages/en/use-cases/msp.astro index 59a512a2..7fc113fd 100644 --- a/apps/website/src/pages/en/use-cases/msp.astro +++ b/apps/website/src/pages/en/use-cases/msp.astro @@ -223,6 +223,33 @@ const canonicalPath = localizedPath('/use-cases/msp', locale);
+
+
+
+

+ {copy.reviewPackTeaserTitle} +

+

+ {copy.reviewPackTeaserSubtitle} +

+
+ +
+
+
+
+
diff --git a/apps/website/src/pages/platform/review-packs.astro b/apps/website/src/pages/platform/review-packs.astro new file mode 100644 index 00000000..aec5bf2f --- /dev/null +++ b/apps/website/src/pages/platform/review-packs.astro @@ -0,0 +1,5 @@ +--- +import ReviewPacksPage from '@components/pages/ReviewPacksPage.astro'; +--- + + diff --git a/apps/website/src/pages/use-cases/mittelstand.astro b/apps/website/src/pages/use-cases/mittelstand.astro index 298f6491..e1ca4cc4 100644 --- a/apps/website/src/pages/use-cases/mittelstand.astro +++ b/apps/website/src/pages/use-cases/mittelstand.astro @@ -223,6 +223,33 @@ const canonicalPath = localizedPath('/use-cases/mittelstand', locale);
+
+
+
+

+ {copy.reviewPackTeaserTitle} +

+

+ {copy.reviewPackTeaserSubtitle} +

+
+ +
+
+
+
+
diff --git a/apps/website/src/pages/use-cases/msp.astro b/apps/website/src/pages/use-cases/msp.astro index b064ccd2..732700b8 100644 --- a/apps/website/src/pages/use-cases/msp.astro +++ b/apps/website/src/pages/use-cases/msp.astro @@ -223,6 +223,33 @@ const canonicalPath = localizedPath('/use-cases/msp', locale);
+
+
+
+

+ {copy.reviewPackTeaserTitle} +

+

+ {copy.reviewPackTeaserSubtitle} +

+
+ +
+
+
+
+
diff --git a/apps/website/tests/smoke/interaction.spec.ts b/apps/website/tests/smoke/interaction.spec.ts index 3b656b19..aafdaf0c 100644 --- a/apps/website/tests/smoke/interaction.spec.ts +++ b/apps/website/tests/smoke/interaction.spec.ts 
@@ -326,15 +326,174 @@ for (const { route, heading, contactHref } of [ }); } +for (const { route, heading, sectionHeadings, trustHref, contactHref } of [ + { + route: '/platform/review-packs', + heading: /Review Packs.*Screenshot-Governance/i, + sectionHeadings: [ + /Technische Wahrheit allein reicht nicht/i, + /Von Policy-Zustand zur Review-Entscheidung/i, + /Was in einem Review Pack zusammenkommt/i, + /Evidence erklärt mehr als Screenshots/i, + /Decision Summaries machen Entscheidungen lesbar/i, + /Customer-safe Review statt interner Rohdetails/i, + /Warum dieselbe Story für MSPs und Enterprise IT funktioniert/i, + /Roh-Export versus Review-Story/i, + ], + trustHref: '/trust', + contactHref: '/contact', + }, + { + route: '/en/platform/review-packs', + heading: /Review packs.*screenshot governance/i, + sectionHeadings: [ + /Technical truth alone is not enough/i, + /From policy state to a review decision/i, + /What comes together in a review pack/i, + /Evidence should explain more than screenshots/i, + /Decision summaries make decisions readable/i, + /Customer-safe review instead of internal raw detail/i, + /Why the same story works for MSPs and enterprise IT/i, + /Raw export versus review story/i, + ], + trustHref: '/en/trust', + contactHref: '/en/contact', + }, +] as const) { + test(`${route} communicates the review-pack decision story quickly`, async ({ + page, + }) => { + await page.goto(route); + + await expect(page.getByRole('heading', { name: heading })).toBeVisible(); + + for (const sectionHeading of sectionHeadings) { + await expect( + page.getByRole('heading', { name: sectionHeading }) + ).toBeVisible(); + } + + await expect(page.locator('main')).toContainText( + /Accepted Risks|accepted risks/ + ); + await expect(page.locator('main')).toContainText( + /Decision Summary|decision summary/i + ); + await expect(page.locator('main')).toContainText(/Roh-Export|Raw export/); + await expect(page.locator('main')).toContainText(/MSP/i); + await 
expect(page.locator('main')).toContainText(/Enterprise IT/i); + await expect( + page.locator(`main a[href="${trustHref}"]`).first() + ).toBeVisible(); + await expect( + page.locator(`main a[href="${contactHref}"]`).first() + ).toBeVisible(); + await expectNoHorizontalOverflow(page); + }); +} + +for (const { route, linkName, href, targetHeading } of [ + { + route: '/', + linkName: 'Review-Pack-Story ansehen', + href: '/platform/review-packs', + targetHeading: /Review Packs.*Screenshot-Governance/i, + }, + { + route: '/platform', + linkName: 'Review Packs verstehen', + href: '/platform/review-packs', + targetHeading: /Review Packs.*Screenshot-Governance/i, + }, + { + route: '/use-cases/msp', + linkName: 'Review-Pack-Story für Kunden zeigen', + href: '/platform/review-packs', + targetHeading: /Review Packs.*Screenshot-Governance/i, + }, + { + route: '/use-cases/mittelstand', + linkName: 'Review-Pack-Story für Reviews', + href: '/platform/review-packs', + targetHeading: /Review Packs.*Screenshot-Governance/i, + }, + { + route: '/en/', + linkName: 'Explore review-pack story', + href: '/en/platform/review-packs', + targetHeading: /Review packs.*screenshot governance/i, + }, + { + route: '/en/platform', + linkName: 'See review-pack story', + href: '/en/platform/review-packs', + targetHeading: /Review packs.*screenshot governance/i, + }, + { + route: '/en/use-cases/msp', + linkName: 'Show the review-pack story', + href: '/en/platform/review-packs', + targetHeading: /Review packs.*screenshot governance/i, + }, + { + route: '/en/use-cases/mittelstand', + linkName: 'Review-pack story for reviews', + href: '/en/platform/review-packs', + targetHeading: /Review packs.*screenshot governance/i, + }, +] as const) { + test(`${route} clicks through to the review-pack page`, async ({ page }) => { + await page.goto(route); + + await page + .getByRole('link', { name: linkName, exact: true }) + .first() + .click(); + + await expect(page).toHaveURL(new RegExp(`${href}/?$`)); + await 
expect( + page.getByRole('heading', { name: targetHeading }) + ).toBeVisible(); + await expectNoHorizontalOverflow(page); + }); +} + +for (const { route, heading, contactHref } of [ + { + route: '/platform/review-packs', + heading: /Review Packs.*Screenshot-Governance/i, + contactHref: '/contact', + }, + { + route: '/en/platform/review-packs', + heading: /Review packs.*screenshot governance/i, + contactHref: '/en/contact', + }, +] as const) { + test(`${route} remains readable across configured viewports`, async ({ + page, + }) => { + await page.goto(route); + + await expect(page.getByRole('heading', { name: heading })).toBeVisible(); + await expect( + page.locator(`main a[href="${contactHref}"]`).first() + ).toBeVisible(); + await expectNoHorizontalOverflow(page); + }); +} + test('reduced motion keeps preview pages understandable', async ({ page }) => { await page.emulateMedia({ reducedMotion: 'reduce' }); for (const route of [ '/', '/platform', + '/platform/review-packs', '/pricing', '/use-cases/msp', '/use-cases/mittelstand', + '/en/platform/review-packs', ] as const) { await page.goto(route); @@ -351,10 +510,12 @@ test.describe('without JavaScript', () => { for (const route of [ '/', '/platform', + '/platform/review-packs', '/contact', '/trust', '/use-cases/msp', '/use-cases/mittelstand', + '/en/platform/review-packs', '/en/trust', '/en/use-cases/msp', '/en/use-cases/mittelstand', diff --git a/apps/website/tests/smoke/public-routes.spec.ts b/apps/website/tests/smoke/public-routes.spec.ts index e659c1f9..151d87ef 100644 --- a/apps/website/tests/smoke/public-routes.spec.ts +++ b/apps/website/tests/smoke/public-routes.spec.ts 
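Review bot: The eight-row `{ route, linkName, href }` table in the click-through loop is repeated row for row in the `public-routes.spec.ts` hunk of this commit (there with an extra `footerHref`), so a renamed CTA label must be edited in two specs and a miss only shows up as a failing locator. Exporting the table once from `smoke-helpers.ts` and iterating it in both files removes that. Separately, the test titled "remains readable across configured viewports" never sets a viewport itself. If that coverage comes from Playwright projects in the config (not visible here), a comment such as `// viewport sizes come from the Playwright project matrix` would make the dependency explicit.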
@@ -42,6 +42,11 @@ const routeMetadata = { title: /Plattform \| Tenantial/i, description: /Policy Governance|Microsoft 365/i, }, + '/platform/review-packs': { + title: /Review Packs \| Tenantial/i, + description: + /(?=.*Review Packs)(?=.*Evidence)(?=.*Accepted Risks)(?=.*Decision Summaries)(?=.*Service-Reviews)(?=.*Audit-Vorbereitung)/i, + }, '/pricing': { title: /Preise \| Tenantial/i, description: /Policy-Governance-Evaluierung|Rollout-Planung/i, @@ -109,6 +114,11 @@ const routeMetadata = { title: /Platform \| Tenantial/i, description: /policy governance|Microsoft 365/i, }, + '/en/platform/review-packs': { + title: /Review Packs \| Tenantial/i, + description: + /(?=.*Review Packs)(?=.*evidence)(?=.*accepted risks)(?=.*decision summaries)(?=.*service reviews)(?=.*audit preparation)/i, + }, '/en/pricing': { title: /Pricing \| Tenantial/i, description: /policy-governance evaluation|rollout planning/i, @@ -333,8 +343,10 @@ for (const route of [ for (const route of [ '/use-cases/msp', '/use-cases/mittelstand', + '/platform/review-packs', '/en/use-cases/msp', '/en/use-cases/mittelstand', + '/en/platform/review-packs', ] as const) { test(`${route} keeps buyer-story claims conservative`, async ({ page }) => { await page.goto(route); 
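Review bot: The `description` patterns for `/platform/review-packs` and, in the second hunk on this line, `/en/platform/review-packs` stack six lookaheads into one regex, so a failure reports only that the pattern did not match, not which term is missing from the meta description. A list of separate patterns checked one at a time would name the missing term. How `routeMetadata` is consumed lies outside these hunks, so the consumer would need a matching change. The lookaheads also assume a single-line description, because `.` does not cross line breaks.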
@@ -345,6 +357,72 @@ for (const route of [ }); } +for (const { route, linkName, href, footerHref } of [ + { + route: '/', + linkName: 'Review-Pack-Story ansehen', + href: '/platform/review-packs', + footerHref: '/platform/review-packs', + }, + { + route: '/platform', + linkName: 'Review Packs verstehen', + href: '/platform/review-packs', + footerHref: '/platform/review-packs', + }, + { + route: '/use-cases/msp', + linkName: 'Review-Pack-Story für Kunden zeigen', + href: '/platform/review-packs', + footerHref: '/platform/review-packs', + }, + { + route: '/use-cases/mittelstand', + linkName: 'Review-Pack-Story für Reviews', + href: '/platform/review-packs', + footerHref: '/platform/review-packs', + }, + { + route: '/en/', + linkName: 'Explore review-pack story', + href: '/en/platform/review-packs', + footerHref: '/en/platform/review-packs', + }, + { + route: '/en/platform', + linkName: 'See review-pack story', + href: '/en/platform/review-packs', + footerHref: '/en/platform/review-packs', + }, + { + route: '/en/use-cases/msp', + linkName: 'Show the review-pack story', + href: '/en/platform/review-packs', + footerHref: '/en/platform/review-packs', + }, + { + route: '/en/use-cases/mittelstand', + linkName: 'Review-pack story for reviews', + href: '/en/platform/review-packs', + footerHref: '/en/platform/review-packs', + }, +] as const) { + test(`${route} exposes review-pack discovery through contextual and footer links`, async ({ + page, + }) => { + await page.goto(route); + + await expect( + page.getByRole('link', { name: linkName, exact: true }).first() + ).toHaveAttribute('href', href); + await expect( + page.getByRole('link', { name: 'Review Packs', exact: true }).last() + ).toHaveAttribute('href', footerHref); + await expect(page.locator(`footer a[href="${footerHref}"]`)).toBeVisible(); + await expectNoPlaceholderLinks(page); + }); +} + for (const { route, locale } of [ { route: '/trust', locale: 'de' }, { route: '/en/trust', locale: 'en' }, 
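Review bot: The final footer assertion uses the `footer a[href="${footerHref}"]` locator without `.first()`, unlike the `main a[href=…]` locators in `interaction.spec.ts`, so Playwright's strict mode fails the test as soon as the footer holds two links to the review-pack route. The check before it picks the footer link with `.last()` on a page-wide role query, which quietly depends on DOM order. Scoping both to the footer states the intent directly: `page.locator('footer').getByRole('link', { name: 'Review Packs', exact: true })`. `footerHref` equals `href` in every row, so the extra field could be dropped.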
diff --git a/apps/website/tests/smoke/smoke-helpers.ts b/apps/website/tests/smoke/smoke-helpers.ts index 84c3ac99..2f78a34d 100644 --- a/apps/website/tests/smoke/smoke-helpers.ts +++ b/apps/website/tests/smoke/smoke-helpers.ts @@ -5,6 +5,7 @@ export const renderedRoutes = [ '/use-cases/msp', '/use-cases/mittelstand', '/platform', + '/platform/review-packs', '/pricing', '/contact', '/trust', @@ -21,6 +22,7 @@ export const renderedRoutes = [ '/en/use-cases/msp', '/en/use-cases/mittelstand', '/en/platform', + '/en/platform/review-packs', '/en/pricing', '/en/contact', '/en/trust', 
@@ -103,10 +105,40 @@ const forbiddenPublicPatterns = [ { label: 'immutable backup claim', pattern: /immutable backups?/i }, { label: 'real-time drift detection claim', - pattern: /real[- ]time drift detection/i, + pattern: /real[- ]time drift(?: detection)?/i, }, { label: 'court-proof evidence claim', pattern: /court[- ]proof evidence/i }, { label: 'autonomous remediation claim', pattern: /autonomous remediation/i }, + { + label: 'customer-safe productization residue', + pattern: /customer-safe consumption productization/i, + }, + { label: 'route-owned residue', pattern: /route-owned/i }, + { label: 'artifact taxonomy residue', pattern: /artifact taxonomy/i }, + { label: 'source family residue', pattern: /source family/i }, + { label: 'capability registry residue', pattern: /capability registry/i }, + { label: 'repo-real foundation residue', pattern: /repo-real foundation/i }, + { + label: 'gapless evidence claim', + pattern: /lueckenlose eviden(?:ce|z)|lückenlose eviden(?:ce|z)/i, + }, + { + label: 'court-proof evidence claim in German', + pattern: /gerichtsfeste Nachweise/i, + }, + { label: 'immutable evidence claim', pattern: /immutable evidence/i }, + { + label: 'immutable review packs claim', + pattern: /immutable review packs/i, + }, + { label: 'complete audit trail claim', pattern: /complete audit trail/i }, + { + label: 'guaranteed audit success claim', + pattern: /guarantees audit success/i, + }, + { label: 'magic compliance claim', pattern: /macht Sie compliant/i }, + { label: 'DSGVO conform claim', pattern: /DSGVO-konform/i }, + { label: 'ISO certified claim in German', pattern: /ISO-zertifiziert/i }, { label: 'neutral SaaS residue', pattern: /neutral SaaS visual/i }, { label: 'lorem ipsum residue', pattern: /lorem ipsum/i }, { label: 'fake checkout CTA', pattern: /\b(buy now|checkout)\b/i }, 
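Review bot: Most of the claim patterns added to `forbiddenPublicPatterns` here are added again, as bare regexes, to the loop in `expectNoProviderOrDataOverclaims` in the next hunk of this file, while `automatic remediation` and `automatic restore` appear only there. Two hand-kept lists guarding the same overclaims will drift apart; define the shared patterns once and reuse them in both places. Several new entries are also exact phrases, e.g. `/guarantees audit success/i` and `/DSGVO-konform/i`, so "guaranteed audit success" or "DSGVO konform" would pass. The existing `court[- ]proof` entry already shows the tolerant form, e.g. `/DSGVO[- ]konform/i`. The array starts and ends outside the hunk, so entries not shown may already cover some variants.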
@@ -344,6 +376,18 @@ export async function expectNoProviderOrDataOverclaims( for (const pattern of [ /Google supported/i, /AWS supported/i, + /automatic remediation/i, + /automatic restore/i, + /real[- ]time drift(?: detection)?/i, + /immutable evidence/i, + /immutable review packs/i, + /complete audit trail/i, + /guarantees audit success/i, + /macht Sie compliant/i, + /DSGVO-konform/i, + /ISO-zertifiziert/i, + /court[- ]proof evidence/i, + /gerichtsfeste Nachweise/i, /no customer data stored/i, /no personal data/i, /keine Kundendaten/i, diff --git a/specs/408-review-evidence-decision/checklists/requirements.md b/specs/408-review-evidence-decision/checklists/requirements.md new file mode 100644 index 00000000..d4b4649b --- /dev/null +++ b/specs/408-review-evidence-decision/checklists/requirements.md 
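Review bot: Nothing in this list records that the patterns also match negated wording, which is easy to trip over. The same commit rewords the disclaimer in the `siteCopy` hunk from "does not promise automatic remediation" to "self-running policy enforcement", presumably so that `/automatic remediation/i` stops matching it. A comment above the added entries would preserve that knowledge, e.g. `// Plain text scan: disclaimers that name a forbidden claim fail too, so reword the copy instead of relaxing a pattern.` The function body begins and continues outside the hunk, so how the patterns are applied is inferred from the function name and the loop header.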
@@ -0,0 +1,41 @@ +# Specification Quality Checklist: Customer-safe Review, Evidence & Decision Story + +**Purpose**: Validate specification completeness and quality before proceeding to planning +**Created**: 2026-05-28 +**Feature**: [spec.md](../spec.md) + +## Content Quality + +- [x] No implementation details (languages, frameworks, APIs) +- [x] Focused on user value and business needs +- [x] Written for non-technical stakeholders +- [x] All mandatory sections completed + +## Requirement Completeness + +- [x] No [NEEDS CLARIFICATION] markers remain +- [x] Requirements are testable and unambiguous +- [x] Success criteria are measurable +- [x] Success criteria are technology-agnostic (no implementation details) +- [x] All acceptance scenarios are defined +- [x] Edge cases are identified +- [x] Scope is clearly bounded +- [x] Dependencies and assumptions identified + +## Feature Readiness + +- [x] All functional requirements have clear acceptance criteria +- [x] User scenarios cover primary flows +- [x] Feature meets measurable outcomes defined in Success Criteria +- [x] No implementation details leak into specification + +## Notes + +- Initial validation passed with no remaining clarification markers. +- The spec stays bounded to the public website and keeps `apps/platform` explicitly out of scope. +- Route selection remains intentionally flexible inside current IA, with `/platform/review-packs` recorded as the preferred destination. +- The spec is ready for `/speckit.plan`. +- Implementation completed inside `apps/website/**` plus feature-spec artifacts only; `git diff --name-only -- apps/platform` returned no paths. +- Validation completed with `build`, full `public-routes` + `interaction` smoke suites, source/dist claim scans, and manual browser comprehension checks for both localized review-pack routes. +- Source and dist claim scans returned no matches after the final copy cleanup. 
+- Repo-wide `corepack pnpm --filter @tenantatlas/website format:check` still reports nine pre-existing, untouched formatting issues outside this feature slice; touched files pass `prettier --check`. \ No newline at end of file diff --git a/specs/408-review-evidence-decision/contracts/review-pack-story-routes.openapi.yaml b/specs/408-review-evidence-decision/contracts/review-pack-story-routes.openapi.yaml new file mode 100644 index 00000000..cac0deaf --- /dev/null +++ b/specs/408-review-evidence-decision/contracts/review-pack-story-routes.openapi.yaml 
@@ -0,0 +1,190 @@ +openapi: 3.1.0 +info: + title: Tenantial Public Review Pack Story Routes + version: 0.1.0 + description: > + Static public website route contract for Spec 408. These routes return + HTML pages only and do not expose platform runtime APIs, tenant data, + review workspace state, or export functionality. +servers: + - url: http://127.0.0.1:4321 + description: Local website preview using WEBSITE_PORT default +paths: + /platform/review-packs: + get: + summary: German public review-pack and evidence story page + operationId: getGermanReviewPackStory + tags: + - Public Website + responses: + "200": + description: Static HTML review-story page + content: + text/html: + schema: + type: string + examples: + page: + summary: Required visible content + value: "Von Policy-Drift zu pruefbaren Entscheidungen. Evidence, Findings und Accepted Risks statt Screenshot-Governance." + "404": + description: Route not configured + x-content-requirements: + locale: de + mustInclude: + - Review Pack hero framing in German buyer language + - Problem section explaining why technical truth alone is insufficient for governance, review preparation, and audit conversations + - Governance workflow from policy state to review-pack preparation + - Review Pack anatomy with executive summary, Evidence basis, Findings, Accepted Risks, Decision Summary, status, and export context + - Evidence section explaining Evidence beyond screenshots + - Decision Summary section covering status, reason, impact, Evidence, next action, and review context + - Customer-safe versus internal detail boundary + - MSP and Enterprise IT value framing + - Differentiation from raw exports, screenshot collections, and admin-center snapshots + - Trust teaser linking to the existing trust route + - Final CTA with real destinations only + - Real CTA destinations only + mustNotInclude: + - href="#" + - customer-safe consumption productization + - route-owned + - artifact taxonomy + - source family + - capability 
registry + - repo-real foundation + - lueckenlose Evidence + - lueckenlose Evidenz + - gerichtsfeste Nachweise + - immutable evidence + - immutable review packs + - complete audit trail + - guarantees audit success + - macht Sie compliant + - DSGVO-konform + - ISO-zertifiziert + - real-time drift + - automatic remediation + - automatic restore + - Google supported + - AWS supported + /en/platform/review-packs: + get: + summary: English public review-pack and evidence story page + operationId: getEnglishReviewPackStory + tags: + - Public Website + responses: + "200": + description: Static HTML review-story page + content: + text/html: + schema: + type: string + examples: + page: + summary: Required visible content + value: "Evidence, reviews, and decisions instead of screenshots. Review-ready governance context for Microsoft 365 buyers." + "404": + description: Route not configured + x-content-requirements: + locale: en + mustInclude: + - Review Pack hero framing in buyer language + - Problem section explaining why technical truth alone is insufficient for governance, review preparation, and audit conversations + - Governance workflow from policy state to review-pack preparation + - Review Pack anatomy with executive summary, Evidence basis, Findings, Accepted Risks, Decision Summary, status, and export context + - Evidence section explaining Evidence beyond screenshots + - Decision Summary section covering status, reason, impact, Evidence, next action, and review context + - Customer-safe versus internal detail boundary + - MSP and Enterprise IT value framing + - Differentiation from raw exports, screenshot collections, and admin-center snapshots + - Trust teaser linking to the existing trust route + - Final CTA with real destinations only + - Real CTA destinations only + mustNotInclude: + - href="#" + - customer-safe consumption productization + - route-owned + - artifact taxonomy + - source family + - capability registry + - repo-real foundation + - immutable 
evidence + - immutable review packs + - complete audit trail + - guarantees audit success + - DSGVO-konform + - ISO-zertifiziert + - real-time drift + - automatic remediation + - automatic restore + - Google supported + - AWS supported +components: + schemas: + ReviewPackCard: + type: object + required: + - key + - title + - content + - availabilityTone + properties: + key: + type: string + enum: + - executive-summary + - evidence-basis + - findings + - accepted-risks + - decision-summary + - review-pack-status + - download-export-context + title: + type: string + content: + type: string + availabilityTone: + type: string + enum: + - hard-available + - soft-availability + EvidenceCard: + type: object + required: + - key + - title + - content + properties: + key: + type: string + enum: + - policy-evidence + - change-evidence + - finding-evidence + - recovery-evidence + - review-evidence + title: + type: string + content: + type: string + DecisionFacetCard: + type: object + required: + - key + - title + - content + properties: + key: + type: string + enum: + - status + - reason + - impact + - evidence + - next-action + - review-context + title: + type: string + content: + type: string \ No newline at end of file diff --git a/specs/408-review-evidence-decision/data-model.md b/specs/408-review-evidence-decision/data-model.md new file mode 100644 index 00000000..aa44a780 --- /dev/null +++ b/specs/408-review-evidence-decision/data-model.md 
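Review bot: The `ReviewPackCard`, `EvidenceCard` and `DecisionFacetCard` schemas list `key` under `required`, but the `reviewPackCards`, `evidenceCards` and `decisionCards` entries added to `siteCopy` in this commit carry only `title`, `content` and, for review-pack cards, `availabilityTone`. Either the copy gets stable keys or `- key` is removed from the three `required` lists. The page component is not visible here, so keys may be derived elsewhere. The two `examples.page.value` strings also differ from the shipped hero titles that the smoke tests match (`/Review packs.*screenshot governance/i`), so mark them as illustrative or replace them with the real H1 text.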
@@ -0,0 +1,193 @@
+# Data Model: Customer-safe Review, Evidence & Decision Story
+
+This feature has no persisted data model. The entities below are static website content structures used to render a public product-story route. They must remain content-only unless a later spec introduces runtime review workspace, review-pack export, or Evidence persistence truth.
+
+## Review Story Page
+
+**Represents**: The localized public page explaining Review Packs, Evidence, Findings, Accepted Risks, Decision Summaries, customer-safe review content, and follow-up actions.
+
+**Fields**:
+
+- `locale`: `de` or `en`
+- `pageTitle`: localized metadata title
+- `metaDescription`: localized metadata description
+- `heroTitle`: main H1
+- `heroSubtitle`: core product-story paragraph
+- `supportingLine`: short context line for governance outcomes
+- `primaryCta`: primary CTA label and route
+- `secondaryCta`: supporting CTA label and route
+- `problemCards`: list of governance pain cards
+- `workflowSteps`: list of governance workflow steps
+- `reviewPackCards`: list of review-pack anatomy cards
+- `evidenceCards`: list of evidence-type cards
+- `decisionCards`: list of decision-summary cards
+- `boundaryColumns`: customer-safe versus internal-detail comparison content
+- `audienceValueCards`: MSP and Enterprise IT value cards
+- `comparisonRows`: raw export versus Tenantial review story comparison rows
+- `trustTeaser`: optional trust-summary block with real destination
+- `finalCta`: final conversion block with real destinations only
+
+**Validation rules**:
+
+- `pageTitle` and `metaDescription` must not claim compliance certification, automatic remediation, automatic restore, real-time drift, or unsupported providers.
+- Every CTA destination must be a real route or real contact destination.
+- The page must contain the hero, problem, workflow, review-pack anatomy, Evidence, decision-summary, customer-safe boundary, audience value, differentiation, and final CTA sections.
+- The page must not contain `href="#"`.
+
+## Governance Workflow Step
+
+**Represents**: One visible step in the path from policy truth to reviewable decision.
+
+**Fields**:
+
+- `key`: stable content key
+- `title`: visible step label
+- `content`: buyer-facing explanation
+
+**Required rows**:
+
+- policy-state capture
+- drift recognition
+- Evidence linkage
+- finding evaluation
+- risk decision
+- review-pack preparation
+
+**Validation rules**:
+
+- Steps must explain governance flow in buyer language, not internal runtime vocabulary.
+- The workflow must show why status, reason, impact, Evidence basis, and next action matter.
+
+## Review Pack Card
+
+**Represents**: One card in the review-pack anatomy section.
+
+**Fields**:
+
+- `key`: stable content key
+- `title`: visible card title
+- `content`: buyer-facing description
+- `availabilityTone`: `hard-available` or `soft-availability`
+
+**Required rows**:
+
+- executive-summary
+- evidence-basis
+- findings
+- accepted-risks
+- decision-summary
+- review-pack-status
+- download-export-context
+
+**Validation rules**:
+
+- Download/export wording defaults to `soft-availability` unless implementation verifies a harder product truth.
+- Cards must describe governance deliverables, not raw exports or fake PDFs.
+
+## Evidence Card
+
+**Represents**: One buyer-facing Evidence type on the page.
+
+**Fields**:
+
+- `key`: stable content key
+- `title`: visible label
+- `content`: description of what the Evidence type helps explain
+
+**Required rows**:
+
+- policy-evidence
+- change-evidence
+- finding-evidence
+- recovery-evidence
+- review-evidence
+
+**Validation rules**:
+
+- Evidence must stay framed as reviewable proof context.
+- Cards must not imply court-proof or complete evidence coverage.
+
+## Decision Facet Card
+
+**Represents**: One visible dimension inside the Decision Summary section.
+
+**Fields**:
+
+- `key`: stable content key
+- `title`: visible label
+- `content`: buyer-facing explanation
+
+**Required rows**:
+
+- status
+- reason
+- impact
+- evidence
+- next-action
+- review-context
+
+**Validation rules**:
+
+- The set must explain what was found, why it matters, what supports it, what remains open, and who acts next.
+- Cards must not claim automatic decision-making or automatic risk acceptance.
+
+## Disclosure Column
+
+**Represents**: One side of the customer-safe boundary comparison.
+
+**Fields**:
+
+- `title`: visible column heading
+- `items`: list of included or excluded content bullets
+- `mode`: `customer-safe` or `internal-only`
+
+**Validation rules**:
+
+- `customer-safe` content must emphasize executive summary, review status, findings summary, Evidence basis, Accepted Risks, Decision Summary, and next actions.
+- `internal-only` content must exclude raw provider payloads, internal job IDs, debug traces, stack traces, internal fingerprints, low-level operation URLs, secret context, internal reason-family names, and unredacted diagnostics by default.
+
+## Audience Value Card
+
+**Represents**: One buyer-facing value block for MSPs or Enterprise IT.
+
+**Fields**:
+
+- `audience`: `msp` or `enterprise-it`
+- `title`: short visible heading
+- `content`: buyer-facing explanation
+
+**Validation rules**:
+
+- MSP value cards must frame Review Packs as repeatable governance deliverables.
+- Enterprise IT value cards must frame the story around management review, audit preparation, security review, and recovery context.
+
+## Discovery Link
+
+**Represents**: A contextual public-site link to the new route.
+
+**Fields**:
+
+- `label`: visible link label
+- `href`: localized route
+- `placement`: homepage, platform page, use-case page, or footer
+
+**Validation rules**:
+
+- `href` must resolve to a real route.
+- Links must follow the current locale strategy.
+- Discovery surfaces must stay light and must not require a main-nav refactor.
+
+## Metadata Contract
+
+**Represents**: The route title and description for the new public page.
+
+**Fields**:
+
+- `title`
+- `description`
+- `canonicalPath`
+
+**Validation rules**:
+
+- Metadata must mention Review Packs, Evidence, Findings, Accepted Risks, and Decision Summaries safely.
+- Metadata must not claim `DSGVO-konform`, `ISO-zertifiziert`, `automatic remediation`, `automatic restore`, `real-time drift`, or unsupported providers.
\ No newline at end of file
diff --git a/specs/408-review-evidence-decision/plan.md b/specs/408-review-evidence-decision/plan.md
new file mode 100644
index 00000000..7d95e9a6
--- /dev/null
+++ b/specs/408-review-evidence-decision/plan.md
@@ -0,0 +1,259 @@
+# Implementation Plan: Customer-safe Review, Evidence & Decision Story
+
+**Branch**: `408-review-evidence-decision` | **Date**: 2026-05-28 | **Spec**: [spec.md](spec.md)
+**Input**: Feature specification from `/specs/408-review-evidence-decision/spec.md`
+
+## Summary
+
+Deliver one localized public product-story route in `apps/website` that explains Review Packs, Evidence, Accepted Risks, and Decision Summaries, then expose it through existing homepage, platform, use-case, and footer discovery surfaces without changing `apps/platform` or introducing unsupported product claims.
+
+The implementation stays inside the Astro website, reuses the current `siteCopy` content model plus locale-aware routing, and validates the new public route through the existing Playwright smoke suite and static claim scans.
+
+## Technical Context
+
+**Language/Version**: TypeScript 6.0.3 and Astro 6.3.3 content/runtime files
+**Primary Dependencies**: Astro, Playwright, Tailwind CSS v4 (`@tailwindcss/vite`), Starlight docs stack
+**Storage**: N/A (static public website content only)
+**Testing**: Playwright smoke tests in `apps/website/tests/smoke` plus `astro check` during the build script
+**Validation Lanes**: browser, confidence
+**Target Platform**: Static website build and browser-rendered public routes
+**Project Type**: Web application (Astro static site)
+**Performance Goals**: Maintain current public route readability, valid metadata, and no horizontal overflow on desktop/mobile
+**Constraints**: Preserve root workspace contracts (`package.json` scripts, `WEBSITE_PORT`, `apps/*`), keep `apps/platform` untouched, avoid placeholder links, and avoid unsupported portal/export/compliance/provider claims
+**Scale/Scope**: One new German route plus one English route, lightweight homepage/platform/use-case/footer integration, and smoke-test updates
+
+## UI / Surface Guardrail Plan
+
+- **Guardrail scope**: no operator-facing surface change
+- **Native vs custom classification summary**: N/A
+- **Shared-family relevance**: public website copy, metadata, navigation, footer, and CTA families only
+- **State layers in scope**: shell and page
+- **Audience modes in scope**: customer/read-only
+- **Decision/diagnostic/raw hierarchy plan**: decision-first public marketing copy only; no operator diagnostics or raw evidence surface is introduced
+- **Raw/support gating plan**: N/A
+- **One-primary-action / duplicate-truth control**: each page surface keeps one primary conversion action to `/contact` and one supporting product-context action to `/platform` or another real route to avoid CTA sprawl
+- **Handling modes by drift class or surface**: report-only
+- **Repository-signal treatment**: review-mandatory for public claim language and route discoverability
+- **Special surface test profiles**: N/A
+- **Required tests or manual smoke**: manual-smoke and browser smoke
+- **Exception path and spread control**: none
+- **Active feature PR close-out entry**: Smoke Coverage
+
+## Shared Pattern & System Fit
+
+- **Cross-cutting feature marker**: yes
+- **Systems touched**: `siteCopy` locale dictionaries, homepage composition, platform page composition, use-case page CTAs, footer links, locale helpers, and public route smoke inventory
+- **Shared abstractions reused**: `apps/website/src/data_files/site-copy.ts`, `apps/website/src/i18n.ts`, `MainLayout`, `HeroSection`, existing card-grid section patterns, and `apps/website/tests/smoke/smoke-helpers.ts`
+- **New abstraction introduced? why?**: none beyond one bounded page component if needed for locale reuse
+- **Why the existing abstraction was sufficient or insufficient**: the existing Astro copy-first structure already centralizes public text, locale-aware links, metadata, and smoke coverage; this feature extends those patterns without a new content system or design framework
+- **Bounded deviation / spread control**: none
+
+## OperationRun UX Impact
+
+- **Touches OperationRun start/completion/link UX?**: no
+- **Central contract reused**: N/A
+- **Delegated UX behaviors**: N/A
+- **Surface-owned behavior kept local**: none
+- **Queued DB-notification policy**: N/A
+- **Terminal notification path**: N/A
+- **Exception path**: none
+
+## Provider Boundary & Portability Fit
+
+- **Shared provider/platform boundary touched?**: yes
+- **Provider-owned seams**: Microsoft 365-first and Intune-as-first-strong-domain public wording
+- **Platform-core seams**: public governance vocabulary for Review Packs, Evidence, Findings, Accepted Risks, Decision Summaries, customer-safe review content, and follow-up actions
+- **Neutral platform terms / contracts preserved**: Review Packs, Evidence, Findings, Accepted Risks, Decision Summary, management review, audit preparation, recovery context, and next action
+- **Retained provider-specific semantics and why**: Microsoft 365 and Intune remain explicit to reflect current-release public truth and to avoid generic governance messaging that loses buyer clarity
+- **Bounded extraction or follow-up path**: document-in-feature only; any runtime review workspace or export truth stays in later platform specs
+
+## Constitution Check
+
+GATE status before Phase 0 research: Pass for website-only scope.
+
+- Inventory-first: N/A (no inventory/runtime change)
+- Read/write separation: Pass (no write behavior)
+- Graph contract path: N/A (no Graph/API runtime)
+- Deterministic capabilities: N/A
+- RBAC-UX and tenant/workspace isolation: N/A (public unauthenticated pages)
+- Run observability / OperationRun UX: N/A
+- TEST-GOV-001: Pass (browser lane explicit, narrow smoke coverage, no fixture/helper cost expansion planned)
+- PROP-001 / ABSTR-001 / PERSIST-001 / STATE-001 / BLOAT-001: Pass (no new persistence, abstractions, enums, or semantic frameworks)
+- XCUT-001: Pass (reuse existing site copy, locale helper, CTA, footer, and smoke helper patterns)
+- PROV-001: Pass (bounded provider wording, no platform-core runtime coupling)
+- DECIDE-AUD-001: N/A for operator/status surfaces; public marketing hierarchy stays copy-only
+
+Post-design re-check after Phase 1: Pass. The research, data model, route contract, and quickstart remain static public-site artifacts only, introduce no runtime truth, and keep `apps/platform` out of scope.
+
+## Test Governance Check
+
+- **Test purpose / classification by changed surface**: Browser
+- **Affected validation lanes**: browser, confidence
+- **Why this lane mix is the narrowest sufficient proof**: changes are public-route, metadata, CTA, and claim-language concerns best proven by the existing route smoke suite plus build-time Astro checks
+- **Narrowest proving command(s)**:
+ - `corepack pnpm --filter @tenantatlas/website build`
+ - `corepack pnpm --filter @tenantatlas/website test tests/smoke/public-routes.spec.ts`
+ - `corepack pnpm --filter @tenantatlas/website test tests/smoke/interaction.spec.ts`
+- **Fixture / helper / factory / seed / context cost risks**: none
+- **Expensive defaults or shared helper growth introduced?**: no
+- **Heavy-family additions, promotions, or visibility changes**: none
+- **Surface-class relief / special coverage rule**: public website browser smoke only
+- **Closing validation and reviewer handoff**: reviewers verify the new route renders in both locales, discovery links are real, no banned claims appear, and changed files stay within `apps/website` plus feature-spec artifacts
+- **Budget / baseline / trend follow-up**: none
+- **Review-stop questions**: lane fit, hidden helper cost, overbroad browser assertions, claim-boundary completeness
+- **Escalation path**: document-in-feature
+- **Active feature PR close-out entry**: Smoke Coverage
+- **Why no dedicated follow-up spec is needed**: this is bounded copy/routing work inside existing public-site structures; runtime review-workspace concerns already live in later specs
+
+## Project Structure
+
+### Documentation (this feature)
+
+```text
+specs/408-review-evidence-decision/
+├── plan.md
+├── research.md
+├── data-model.md
+├── quickstart.md
+├── contracts/
+│ └── review-pack-story-routes.openapi.yaml
+└── spec.md
+```
+
+### Source Code (repository root)
+
+```text
+apps/website/
+├── src/
+│ ├── pages/
+│ │ ├── platform.astro
+│ │ ├── platform/
+│ │ │ └── review-packs.astro
+│ │ ├── en/
+│ │ │ ├── platform.astro
+│ │ │ └── platform/
+│ │ │ └── review-packs.astro
+│ │ ├── use-cases/msp.astro
+│ │ ├── use-cases/mittelstand.astro
+│ │ ├── en/use-cases/msp.astro
+│ │ └── en/use-cases/mittelstand.astro
+│ ├── components/
+│ │ ├── pages/
+│ │ │ ├── HomePage.astro
+│ │ │ ├── PlatformPage.astro
+│ │ │ └── ReviewPacksPage.astro
+│ │ └── sections/landing/HeroSection.astro
+│ ├── data_files/site-copy.ts
+│ └── i18n.ts
+└── tests/smoke/
+ ├── public-routes.spec.ts
+ ├── interaction.spec.ts
+ └── smoke-helpers.ts
+```
+
+**Structure Decision**: Web app/Astro structure under `apps/website`; route files stay thin and locale-aware, while one shared `ReviewPacksPage.astro` is the preferred implementation shape for the section-heavy page to avoid German/English markup duplication.
+
+## Route Family Decision
+
+Selected route family: `/platform/...`
+
+Chosen routes:
+
+- `/platform/review-packs`
+- `/en/platform/review-packs`
+
+Reasoning:
+
+- The public site already has `/platform` and `/en/platform` product routes.
+- Nested `platform` routes already exist in the docs-facing public surface (`/platform/evidence-review/`), so the nested route family is repo-truth and not speculative.
+- The route keeps the story attached to the platform narrative without adding another top-level nav family.
+- It avoids the weak genericity of `/review-packs` and the collision/confusion risk of `/products/...`, because `/product` and `/products` currently redirect to `/platform`.
+
+Rejected alternatives:
+
+- `/review-packs`: clearer than docs nesting, but weaker IA connection to the product surface.
+- `/platform/evidence-reviews`: too close to the existing docs route and weaker on the commercial Review Pack framing.
+- `/products/review-packs`: conflicts with current redirect expectations and introduces unnecessary IA ambiguity.
+
+## Discovery Strategy Decision
+
+Selected discovery surfaces:
+
+- Homepage teaser
+- Compact platform-page teaser
+- MSP use-case crosslink
+- Mittelstand / Enterprise IT use-case crosslink
+- Footer link
+
+Decision: do not add a main-navigation item by default.
+
+Reasoning:
+
+- The main nav is already dense and optimized for broad category entry points.
+- Contextual entry points on homepage, platform, and use-case pages are stronger because they carry the buyer story naturally.
+- Footer exposure keeps the route globally reachable without forcing a top-level IA refactor.
+
+## Trust Teaser Decision
+
+Decision: include the trust teaser and point it to `/trust` and `/en/trust`.
+
+Reasoning:
+
+- The route exists today and is already covered in smoke tests.
+- The new page needs a real downstream destination for privacy/security/disclosure questions.
+- Linking to Trust is safer than inventing a new proof/download destination.
+
+## Static Claim Scan Commands
+
+- `grep -RIn -e 'href="#"' -e 'lorem ipsum' -e 'customer-safe consumption productization' -e 'route-owned' -e 'artifact taxonomy' -e 'source family' -e 'capability registry' -e 'repo-real foundation' -e 'lueckenlose Evidence' -e 'lueckenlose Evidenz' -e 'gerichtsfeste Nachweise' -e 'immutable evidence' -e 'immutable review packs' -e 'complete audit trail' -e 'guarantees audit success' -e 'macht Sie compliant' -e 'DSGVO-konform' -e 'ISO-zertifiziert' -e 'real-time drift' -e 'automatic remediation' -e 'automatic restore' -e 'Google supported' -e 'AWS supported' apps/website/src apps/website/public 2>/dev/null || true`
+- `grep -RIn -e 'href="#"' -e 'lorem ipsum' -e 'customer-safe consumption productization' -e 'route-owned' -e 'artifact taxonomy' -e 'source family' -e 'capability registry' -e 'repo-real foundation' -e 'lueckenlose Evidence' -e 'lueckenlose Evidenz' -e 'gerichtsfeste Nachweise' -e 'immutable evidence' -e 'immutable review packs' -e 'complete audit trail' -e 'guarantees audit success' -e 'macht Sie compliant' -e 'DSGVO-konform' -e 'ISO-zertifiziert' -e 'real-time drift' -e 'automatic remediation' -e 'automatic restore' -e 'Google supported' -e 'AWS supported' apps/website/dist 2>/dev/null || true`
+
+## Planned Validation Results Capture
+
+Implementation must record:
+
+- exact website commands run from current `package.json` / `apps/website/package.json`
+- static claim scan outcomes
+- browser smoke pass/fail notes for desktop and mobile readability
+- whether any optional link surface (footer, platform teaser, use-case crosslinks) was intentionally omitted
+- confirmation that `apps/platform/**` remained untouched
+
+## Complexity Tracking
+
+No constitutional violations and no bloat-triggering additions are planned for this feature.
+
+## Proportionality Review
+
+N/A for this implementation plan. The feature introduces no new enum/status family, DTO/presenter/envelope layer, persisted entity/table/artifact, interface/contract/registry/resolver, taxonomy system, or cross-domain UI framework. The only new structure is one bounded public page component plus copy entries inside existing website patterns.
+
+## Implementation Close-out
+
+- Discovery surfaces shipped: homepage teaser, platform-page teaser, MSP use-case crosslink, Mittelstand / Enterprise IT use-case crosslink, and footer link.
+- Intentionally omitted discovery surface: main-navigation entry. The route remains discoverable through contextual entry points plus the footer without densifying the primary nav.
+- `apps/platform/**` scope confirmation: `git diff --name-only -- apps/platform` returned no paths after implementation.
+
+## Validation Log
+
+- `corepack pnpm --filter @tenantatlas/website build`
+ - Pass. Astro emitted `/platform/review-packs/index.html` and `/en/platform/review-packs/index.html` into `apps/website/dist`.
+- `corepack pnpm --filter @tenantatlas/website test tests/smoke/public-routes.spec.ts tests/smoke/interaction.spec.ts`
+ - Pass. `380 passed`, `6 skipped`.
+- `grep -RIn ... apps/website/src apps/website/public 2>/dev/null || true`
+ - Pass. No matches after claim cleanup.
+- `grep -RIn ... apps/website/dist 2>/dev/null || true`
+ - Pass. No matches after rebuild.
+- `corepack pnpm --filter @tenantatlas/website format:check`
+ - Fails on nine pre-existing, untouched files: `src/components/sections/landing/HeroSection.astro`, `src/components/sections/navbar&footer/FooterSection.astro`, `src/components/ui/blocks/IconBlock.astro`, `src/components/ui/blocks/LeftSection.astro`, `src/components/ui/blocks/MainSection.astro`, `src/components/ui/blocks/RightSection.astro`, `src/components/ui/blocks/StatsBig.astro`, `src/components/ui/blocks/StatsSmall.astro`, and `src/components/ui/forms/RegisterModal.astro`.
+- `corepack pnpm exec prettier --check `
+ - Pass. All modified review-pack implementation files match Prettier style.
+
+## Manual Smoke Notes
+
+Desktop and mobile comprehension checks were run against the rebuilt preview at `http://127.0.0.1:4322` for both `/platform/review-packs` and `/en/platform/review-packs`.
+
+- **SC-001**: Pass. The hero, workflow, review-pack anatomy, and raw-export comparison make it clear within the first visible sections that Tenantial turns Microsoft 365 policy state and drift into Review Packs, Evidence, and decision-ready governance outputs rather than another dashboard or raw export.
+- **SC-002**: Pass. MSP value is explicit through the MSP audience card, Service-Review phrasing, Accepted Risk visibility, and the MSP use-case crosslink.
+- **SC-003**: Pass. Enterprise IT value is explicit through the enterprise audience card, management-review language, audit-preparation references, and visible recovery-context wording.
+- **SC-004**: Pass. Route/metadata/public-link smoke coverage passed for all changed discovery surfaces, and the built HTML placeholder-link assertion stayed green.
+- **SC-005**: Pass. Source and dist claim scans returned no banned internal phrases, false compliance/provider claims, or fake export/proof promises after the final copy cleanup.
+- **SC-006**: Pass. Desktop and mobile browser checks showed the primary CTA, trust handoff, customer-safe boundary section, and no horizontal overflow or layout breakage on either locale route.
\ No newline at end of file
diff --git a/specs/408-review-evidence-decision/quickstart.md b/specs/408-review-evidence-decision/quickstart.md
new file mode 100644
index 00000000..7e2e72c0
--- /dev/null
+++ b/specs/408-review-evidence-decision/quickstart.md
@@ -0,0 +1,186 @@
+# Quickstart: Customer-safe Review, Evidence & Decision Story
+
+## 1. Confirm Scope
+
+Work from repository root:
+
+```bash
+cd /Users/ahmeddarrazi/Documents/projects/wt-website
+git status --short --branch
+cat package.json
+cat pnpm-workspace.yaml 2>/dev/null || true
+cat apps/website/package.json
+find apps/website -maxdepth 3 -type f | sort | sed -n '1,260p'
+```
+
+Scope boundaries:
+
+- Allowed: `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/**`
+- Allowed: `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/408-review-evidence-decision/**`
+- Forbidden: `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/**`
+- Forbidden: root workspace script contract changes
+
+## 2. Implement The Route
+
+Preferred routes:
+
+- `/platform/review-packs`
+- `/en/platform/review-packs`
+
+Expected files:
+
+```text
+/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/pages/platform/review-packs.astro
+/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/pages/en/platform/review-packs.astro
+/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/ReviewPacksPage.astro
+```
+
+Follow the existing `PlatformPage.astro` product-page pattern and keep the locale files thin.
+
+## 3. Add Localized Content
+
+Use the existing copy file:
+
+```text
+/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
+```
+
+Add German and English review-story copy with:
+
+- page metadata
+- hero copy and CTA labels
+- problem cards
+- governance workflow steps
+- review-pack anatomy cards
+- Evidence cards
+- decision-summary cards
+- customer-safe boundary content
+- MSP and Enterprise IT value cards
+- trust teaser copy
+- final CTA labels and routes
+
+## 4. Keep Discovery Light
+
+Preferred discovery surfaces:
+
+- homepage teaser
+- compact platform-page teaser
+- MSP use-case crosslink
+- Mittelstand / Enterprise IT use-case crosslink
+- footer link
+
+Do not add a main-nav item unless implementation proves the current IA still reads cleanly.
+
+## 5. Keep Claims Soft Where Runtime Truth Is Unverified
+
+Use soft wording for export or availability claims:
+
+- "helps prepare"
+- "can"
+- "if available"
+- "review-ready"
+- "audit-ready"
+
+Do not introduce hard claims for:
+
+- completed customer portal
+- automatic Review Pack generation
+- automatic exports
+- immutable Evidence
+- complete audit trail
+- `DSGVO-konform`
+- `ISO-zertifiziert`
+- `real-time drift`
+- `automatic remediation`
+- `automatic restore`
+- Google/AWS support
+
+## 6. Update Smoke Coverage
+
+Expected test updates:
+
+```text
+/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts
+/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts
+/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts
+```
+
+Cover:
+
+- `/platform/review-packs`
+- `/en/platform/review-packs`
+- metadata for both routes
+- homepage/platform/use-case/footer discovery links as implemented
+- no placeholder links
+- no forbidden public claims
+- no horizontal overflow
+- readable desktop/mobile layout
+
+## 7. Run Validation
+
+Run only scripts that currently exist:
+
+```bash
+corepack pnpm --filter @tenantatlas/website build
+corepack pnpm --filter @tenantatlas/website test tests/smoke/public-routes.spec.ts
+corepack pnpm --filter @tenantatlas/website test tests/smoke/interaction.spec.ts
+```
+
+Optional if formatting was touched broadly:
+
+```bash
+corepack pnpm --filter @tenantatlas/website format:check
+```
+
+Run the static scan from the plan against source:
+
+```bash
+grep -RIn \
+ -e 'href="#"' \
+ -e 'lorem ipsum' \
+ -e 'customer-safe consumption productization' \
+ -e 'route-owned' \
+ -e 'artifact taxonomy' \
+ -e 'source family' \
+ -e 'capability registry' \
+ -e 'repo-real foundation' \
+ -e 'lueckenlose Evidence' \
+ -e 'lueckenlose Evidenz' \
+ -e 'gerichtsfeste Nachweise' \
+ -e 'immutable evidence' \
+ -e 'immutable review packs' \
+ -e 'complete audit trail' \
+ -e 'guarantees audit success' \
+ -e 'macht Sie compliant' \
+ -e 'DSGVO-konform' \
+ -e 'ISO-zertifiziert' \
+ -e 'real-time drift' \
+ -e 'automatic remediation' \
+ -e 'automatic restore' \
+ -e 'Google supported' \
+ -e 'AWS supported' \
+ apps/website/src apps/website/public 2>/dev/null || true
+```
+
+If generated output is committed, scan `apps/website/dist` as well.
+
+## 8. Browser Smoke
+
+If local preview is available:
+
+```bash
+WEBSITE_PORT=${WEBSITE_PORT:-4321} corepack pnpm --filter @tenantatlas/website preview
+```
+
+Verify:
+
+- `/platform/review-packs` loads
+- `/en/platform/review-packs` loads
+- homepage/platform/use-case/footer links work if implemented
+- trust teaser points to a real route
+- Review Pack story is understandable
+- Evidence story is understandable
+- customer-safe versus internal-only boundary is understandable
+- no fake portal/export/automation claims appear
+- no false compliance/provider claims appear
+- desktop and mobile layouts remain readable
\ No newline at end of file
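Review bot: The static claim scan under "7. Run Validation" cannot report a failure and misses case variants: `grep -RIn` matches case-sensitively, so a banned phrase written with a capital at the start of a heading or sentence (for example "Immutable evidence", constructed) passes, and `2>/dev/null || true` hides errors and forces exit status 0, so a mistyped or missing directory reads the same as a clean scan. I would add `-i` and `-F` (every pattern is a literal phrase) and drop the suppression, for instance `! grep -RIniF -e 'href="#"' … apps/website/src apps/website/public`, so that a match gives a non-zero status and path errors stay visible on stderr. The same command appears twice under "Static Claim Scan Commands" in plan.md, and that file's Validation Log records "Pass. No matches" on the strength of it. Whether the Playwright smoke tests assert the same phrase list independently is not visible in this diff.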
diff --git a/specs/408-review-evidence-decision/research.md b/specs/408-review-evidence-decision/research.md
new file mode 100644
index 00000000..fd4b3fe1
--- /dev/null
+++ b/specs/408-review-evidence-decision/research.md
@@ -0,0 +1,91 @@
+# Research: Customer-safe Review, Evidence & Decision Story
+
+## Decision: Use `/platform/review-packs` and `/en/platform/review-packs`
+
+**Rationale**: The current public website already uses `/platform` and `/en/platform` as the product-story entry points, and the route inventory already contains nested platform-facing public routes such as `/platform/evidence-review/`. A nested `platform` route keeps the new page attached to the product narrative without adding a new top-level IA family.
+
+**Alternatives considered**:
+
+- `/review-packs`: clearer in isolation, but weaker IA connection to the platform story and less consistent with existing product routing.
+- `/platform/evidence-reviews`: too close to the docs-facing evidence-review route and weaker on the buyer-facing Review Pack framing.
+- `/products/review-packs`: conflicts with the current `/product` and `/products` redirect expectations to `/platform`.
+
+## Decision: Reuse the localized page-component pattern instead of duplicating large route files
+
+**Rationale**: Existing product-level routes already support a thin-route plus shared-page-component pattern via `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/pages/platform.astro` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/PlatformPage.astro`. The Review Pack page is section-heavy in both German and English, so a shared `ReviewPacksPage.astro` is the narrowest way to avoid duplicating large amounts of localized markup.
+
+**Alternatives considered**:
+
+- Duplicate `de` and `en` route markup like the use-case pages: acceptable, but needlessly repetitive for a dense product-story page.
+- MDX/docs content route: mismatched with the current marketing-page CTA and metadata pattern.
+- Inline-only platform section: lower route overhead, but weaker SEO, weaker smoke coverage, and weaker discoverability.
+
+## Decision: Keep all localized page copy in `site-copy.ts`
+
+**Rationale**: The website already centralizes public copy, metadata, navigation labels, footer links, homepage copy, platform copy, trust copy, and use-case copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`. Adding a dedicated `reviewPacks` section there keeps the new page aligned with the existing locale strategy and avoids a second content source.
+
+**Alternatives considered**:
+
+- Page-local constants: simpler for one file, but weaker for German/English parity and CTA consistency.
+- Separate JSON or YAML content file: splits public copy away from the existing marketing-content source of truth.
+- Runtime content source or CMS: out of scope for a website-only spec.
+
+## Decision: Prefer contextual discovery plus footer exposure, but not a main-nav item
+
+**Rationale**: The current nav already contains Start, Plattform, MSPs, Interne IT, Preise, Vertrauen, Docs, and Kontakt. Adding another main-nav entry would over-densify the top bar. The stronger discovery path is contextual: homepage teaser, platform-page teaser, MSP page crosslink, Mittelstand page crosslink, and a footer link for global reachability.
+
+**Alternatives considered**:
+
+- Main-nav item: globally visible, but too expensive for current IA density.
+- Footer only: too weak for the commercial importance of this page.
+- Homepage/platform only: better than nothing, but weaker for audience-specific discovery.
+
+## Decision: Reuse existing section primitives and card-grid patterns
+
+**Rationale**: The website already has a stable `HeroSection` plus repeated card-grid and section patterns in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/PlatformPage.astro` and the use-case routes. The new page can stay visually aligned by composing those primitives rather than introducing a new website design language.
+
+**Alternatives considered**:
+
+- New bespoke layout system for this page: unnecessary for one bounded route.
+- Fully copy-paste the MSP page structure: workable, but less reusable than a shared page component that maps new content arrays.
+- Docs-like narrative layout: weaker for CTA hierarchy and product marketing cadence.
+
+## Decision: Use the existing smoke helpers and route metadata inventory as the narrowest proof
+
+**Rationale**: `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts` already validate route rendering, metadata, placeholder-link bans, forbidden public claims, and layout stability. Extending those tests is the narrowest proof for this feature.
+
+**Alternatives considered**:
+
+- Manual-only browser review: insufficient for metadata and claim-guardrail regressions.
+- New unit tests for copy objects: more brittle than public-route smoke for this use case.
+- Platform-side tests: wrong layer because `apps/platform` is explicitly out of scope.
+
+## Decision: Validate only with scripts that currently exist in `apps/website/package.json`
+
+**Rationale**: `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/package.json` currently exposes `build`, `test`, `test:smoke`, `format:check`, and `preview`. The plan must not invent `check`; `astro check` already runs inside the `build` script.
+
+**Alternatives considered**:
+
+- `pnpm --filter @tenantatlas/website check`: not present.
+- Root script changes: out of scope and would break workspace contracts.
+- Platform/Sail validation: wrong scope for a static website-only page.
+
+## Decision: Treat static claim scans as implementation blockers
+
+**Rationale**: The core risk in this feature is overclaiming. Static scans over `apps/website/src`, `apps/website/public`, and optionally `apps/website/dist` should block terms such as `href="#"`, internal architecture jargon, false compliance claims, fake portal/export claims, and unsupported provider language.
+
+**Alternatives considered**:
+
+- Code review only: too easy to miss metadata or generated-output regressions.
+- New custom linter: too heavy for one bounded website feature.
+- Narrow placeholder-link scan only: insufficient because the main risk is claim language, not just broken links.
+
+## Decision: Link the trust teaser to the existing `/trust` route
+
+**Rationale**: `/trust` and `/en/trust` already exist as public routes and are already covered in smoke tests. They are the safest real destinations for privacy, disclosure, and security follow-up questions from the new page.
+
+**Alternatives considered**:
+
+- Omit the trust teaser: safe, but weaker than the spec goal of connecting review-story claims to trust context.
+- Link to docs only: weaker for commercial trust handoff.
+- Invent a download/proof route: explicitly forbidden.
\ No newline at end of file
diff --git a/specs/408-review-evidence-decision/spec.md b/specs/408-review-evidence-decision/spec.md
new file mode 100644
index 00000000..a676f988
--- /dev/null
+++ b/specs/408-review-evidence-decision/spec.md
@@ -0,0 +1,336 @@
+# Feature Specification: Customer-safe Review, Evidence & Decision Story
+
+**Feature Branch**: `408-review-evidence-decision`
+**Created**: 2026-05-28
+**Status**: Draft
+**Input**: User description: "Create a public website product-story page that explains how Tenantial turns Microsoft 365 policy state, drift, findings, evidence, accepted risks, and decision context into customer-safe reviews and review-pack preparation without any platform runtime changes."
+
+## Spec Candidate Check *(mandatory - SPEC-GATE-001)*
+
+- **Problem**: Public buyers still cannot answer the most important product question fast enough: what concrete governance artifact Tenantial produces for customers, auditors, IT leaders, and MSP review meetings.
+- **Today's failure**: After the current homepage, trust, taxonomy, and use-case story, Tenantial can still be misread as another backup utility, dashboard, compliance page, or export-heavy admin view instead of a decision-ready governance layer.
+- **User-visible improvement**: A public visitor can understand in one page that Tenantial turns policy truth into reviewable Evidence, Findings, Accepted Risks, Decision Summaries, and review-pack preparation.
+- **Smallest enterprise-capable version**: One dedicated public website product-story page, lightweight discovery from existing IA, page-specific metadata, and strict copy guardrails around customer-safe boundaries and unsupported claims.
+- **Explicit non-goals**: No `apps/platform` changes, no customer portal, no runtime review workspace, no Review Pack generation, no Evidence storage, no Accepted Risk runtime, no Decision Register runtime, no export/PDF generation, no fake downloads, no fake reports, no fake logos, no fake certifications, and no placeholder links.
+- **Permanent complexity imported**: One bounded public page, optional lightweight homepage/platform/use-case/nav/footer discoverability, additional public metadata, and copy guardrails. No models, persistence, runtime abstractions, or product-state machinery are introduced.
+- **Why now**: Specs 404 through 407 established sales language, trust posture, provider taxonomy, and buyer-specific use cases. The remaining sellability gap is the concrete product-output story for reviews, Evidence, risks, and decisions.
+- **Why not local**: Small copy edits on the homepage or platform page would still leave the review-pack and decision-output story fragmented and too easy to misclassify.
+- **Approval class**: Core Enterprise.
+- **Red flags triggered**: Public overclaim risk, review-pack/export maturity boundary, customer-safe versus internal-detail wording, and IA touch across homepage/platform/use-case/footer discovery surfaces.
+- **Score**: Nutzen: 2 | Dringlichkeit: 2 | Scope: 2 | Komplexitaet: 1 | Produktnaehe: 2 | Wiederverwendung: 2 | **Gesamt: 11/12**
+- **Decision**: approve.
+
+### Red Flag Defense
+
+This spec is intentionally limited to public website positioning. It clarifies what Tenantial helps teams prepare for reviews without claiming a fully shipped customer portal, automatic exports, or guaranteed compliance outcomes. The scope stays inside one bounded product-story page plus existing public-site discovery surfaces.
+
+## Scope
+
+This spec defines one dedicated public website product-story page for Review Packs, Evidence, Accepted Risks, and Decision Summaries, plus lightweight discoverability where the current public IA supports it.
+
+- **Relevant application for later implementation**: public website only
+- **Depends on**: Spec 404 - Public Website Sales Copy & Positioning Rewrite; Spec 405 - DACH Trust, Datenschutz & Security Website Surface; Spec 406 - Provider & Policy Domain Public Taxonomy; Spec 407 - MSP & Mittelstand Use-Case Pages
+- **Must not depend on**: `apps/platform` runtime changes
+- **Primary audience**: MSP owners, MSP operators, IT leaders, security teams, auditors, DACH Mittelstand evaluators, and enterprise IT buyers
+- **Public message**: Tenantial turns Microsoft 365 policy state, drift, Findings, and recovery context into customer-safe reviews, Evidence-backed Findings, Accepted Risk visibility, Decision Summaries, and review-pack preparation
+- **Out of scope**: runtime review workspace behavior, Review Pack generation, Evidence storage, RBAC or customer roles, export logic, auditor portal functionality, localization foundations, fake proof artifacts, fake downloadable assets, and any change to root workspace contracts
+
+## Goals
+
+- **G1**: Explain Review Packs as governance deliverables for customer reviews, management reviews, and audit preparation.
+- **G2**: Explain Evidence in buyer-facing language as versioned, reviewable proof context rather than raw logs or screenshots.
+- **G3**: Explain how Findings, Accepted Risks, and decisions become reviewable and auditable governance artifacts.
+- **G4**: Make the customer-safe boundary clear without overclaiming exact runtime enforcement that is not yet verified.
+- **G5**: Keep copy sharp, commercial, and credible for B2B cybersecurity and IT-operations buyers.
+- **G6**: Avoid false claims about portals, automation, remediation, compliance certification, or unsupported providers.
+
+## Non-goals
+
+- No `apps/platform` changes.
+- No Customer Review Workspace runtime.
+- No Review Pack generation or Evidence storage.
+- No Accepted Risk runtime, Decision Register runtime, or RBAC/customer-role implementation.
+- No export or PDF generation.
+- No auditor portal behavior.
+- No fake downloadable Review Packs, sample customer reports, logos, case studies, or certifications.
+- No placeholder links, placeholder routes, or `href="#"`.
+- No root workspace contract changes.
+
+## Spec Scope Fields *(mandatory)*
+
+- **Scope**: N/A - public website surface outside authenticated workspace, tenant, or canonical product views
+- **Primary Routes**: preferred public route family `/platform/review-packs`; fallback real route families such as `/review-packs`, `/platform/evidence-reviews`, `/evidence-reviews`, or German-first variants only when current IA requires them
+- **Data Ownership**: no workspace-owned, tenant-owned, provider-owned, Evidence, review, audit, or runtime product data is created, changed, or persisted by this feature
+- **RBAC**: public read-only content only; no membership, role, capability, authorization, or authenticated behavior changes
+
+For canonical-view specs, the spec MUST define:
+
+- **Default filter behavior when tenant-context is active**: N/A - no tenant-context or canonical product view is introduced
+- **Explicit entitlement checks preventing cross-tenant leakage**: N/A - no authenticated tenant, workspace, provider, or customer data is involved
+
+## Cross-Cutting / Shared Pattern Reuse *(mandatory when the feature touches notifications, status messaging, action links, header actions, dashboard signals/cards, alerts, navigation entry points, evidence/report viewers, or any other existing shared operator interaction family; otherwise write `N/A - no shared interaction family touched`)*
+
+- **Cross-cutting feature?**: yes
+- **Interaction class(es)**: public navigation, footer links, homepage teaser, platform-page teaser, use-case crosslinks, CTA links, and metadata
+- **Systems touched**: current public website shell, page-layout conventions, homepage, platform page, trust page teaser behavior, use-case pages, navigation, footer, and page metadata
+- **Existing pattern(s) to extend**: existing public website layout, section, card/grid, CTA, and metadata conventions
+- **Shared contract / presenter / builder / renderer to reuse**: current website content structures and reusable presentation components
+- **Why the existing shared path is sufficient or insufficient**: the public site already has the shell, visual language, and buyer journeys; this feature needs one focused destination inside that shell, not a new microsite or a second design system
+- **Allowed deviation and why**: a dedicated review-story route is allowed when current IA supports it because the review/evidence/decision narrative needs one coherent destination
+- **Consistency impact**: Microsoft 365-first wording, Evidence-versus-screenshots framing, Accepted Risk and decision language, trust teaser behavior, no-helpdesk boundary, and safe claim language must stay aligned across the new page and any discovery surfaces
+- **Review focus**: verify that the page clearly explains Review Packs, Evidence, Accepted Risks, and Decision Summaries; that links are real; that homepage/platform/use-case/footer exposure stays light; and that no unsupported product, compliance, or provider claims appear
+
+## OperationRun UX Impact *(mandatory when the feature creates, queues, deduplicates, resumes, blocks, completes, or deep-links to an `OperationRun`; otherwise write `N/A - no OperationRun start or link semantics touched`)*
+
+- **Touches OperationRun start/completion/link UX?**: no
+- **Shared OperationRun UX contract/layer reused**: N/A
+- **Delegated start/completion UX behaviors**: N/A
+- **Local surface-owned behavior that remains**: none
+- **Queued DB-notification policy**: N/A
+- **Terminal notification path**: N/A
+- **Exception required?**: none
+
+## Provider Boundary / Platform Core Check *(mandatory when the feature changes shared provider/platform seams, identity scope, governed-subject taxonomy, compare strategy selection, provider connection descriptors, or operator vocabulary that may leak provider-specific semantics into platform-core truth; otherwise write `N/A - no shared provider/platform boundary touched`)*
+
+- **Shared provider/platform boundary touched?**: yes
+- **Boundary classification**: mixed public vocabulary only
+- **Seams affected**: Microsoft 365-first positioning, Intune-as-first-strong-domain wording, review-pack public semantics, Evidence and Accepted Risk wording, Decision Summary language, and customer-safe versus internal-detail explanation
+- **Neutral platform terms preserved or introduced**: Review Packs, Evidence, Findings, Accepted Risks, Decision Summary, Management Review, audit preparation, recovery context, customer-safe review, and next action
+- **Provider-specific semantics retained and why**: Microsoft 365 policy state and drift remain explicit because that is the current public market truth; Intune may stay the first strong example because buyers still need a concrete policy-domain anchor
+- **Why this does not deepen provider coupling accidentally**: the feature sells governance artifacts and buyer outcomes, not provider runtime contracts, provider taxonomies, or capability matrices
+- **Follow-up path**: none in this feature; any runtime review-workspace or review-pack enforcement truth belongs in later platform-focused specs
+
+## UI / Surface Guardrail Impact *(mandatory when operator-facing surfaces are changed; otherwise write `N/A`)*
+
+N/A - public website product-story surface only; no authenticated operator-facing product surface is changed.
+
+## Decision-First Surface Role *(mandatory when operator-facing surfaces are changed)*
+
+N/A - no operator-facing product surface change.
+
+## Audience-Aware Disclosure *(mandatory when operator-facing surfaces are changed)*
+
+N/A - public buyer-facing copy only; no operator diagnostics, support mode, or raw Evidence surface is added here.
+
+## UI/UX Surface Classification *(mandatory when operator-facing surfaces are changed)*
+
+N/A - no operator-facing product surface change.
+
+## Operator Surface Contract *(mandatory when operator-facing surfaces are changed)*
+
+N/A - no operator-facing product surface change.
+
+## Proportionality Review *(mandatory when structural complexity is introduced)*
+
+- **New source of truth?**: no
+- **New persisted entity/table/artifact?**: no
+- **New abstraction?**: no
+- **New enum/state/reason family?**: no
+- **New cross-domain UI framework/taxonomy?**: no - the feature reuses the current public website shell and existing page patterns
+- **Current operator problem**: public buyers still cannot tell what reviewable output Tenantial creates after policy drift, Findings, and governance work are detected
+- **Existing structure is insufficient because**: homepage, trust, taxonomy, and use-case pages explain positioning and trust, but not the concrete reviewable artifact story buyers need to justify demos and next-step conversations
+- **Narrowest correct implementation**: one dedicated public page plus lightweight discoverability from existing IA
+- **Ownership cost**: public copy, metadata, and links must stay aligned with product truth as review, Evidence, and decision capabilities evolve
+- **Alternative intentionally rejected**: spreading the story across homepage and platform blurbs only, because that would keep the Evidence/review/decision narrative fragmented and easier to misclassify
+- **Release truth**: current public website truth only; no runtime product promise or future abstraction is introduced
+
+### Compatibility posture
+
+This feature assumes a pre-production environment.
+
+Backward compatibility, legacy aliases, migration shims, historical fixtures, and compatibility-specific tests are out of scope unless explicitly required by this spec.
+
+Canonical replacement is preferred over preservation.
+
+## Testing / Lane / Runtime Impact *(mandatory for runtime behavior changes)*
+
+- **Test purpose / classification**: Browser
+- **Validation lane(s)**: browser, confidence
+- **Why this classification and these lanes are sufficient**: public website quality is proven by reachable routes, readable desktop/mobile layouts, real discoverability links, static claim scans, and any existing website build/check/test commands that validate the public site
+- **New or expanded test families**: none beyond website-only static checks and any existing public-site smoke coverage
+- **Fixture / helper cost impact**: none
+- **Heavy-family visibility / justification**: none
+- **Special surface test profile**: N/A - public website surface
+- **Standard-native relief or required special coverage**: ordinary public-site coverage only; verify route reachability, readable layout, real CTA links, homepage/platform/use-case/footer discovery, and claim-boundary compliance
+- **Reviewer handoff**: confirm only website-facing files change, no `apps/platform` files change, the chosen route follows current IA, all exposed links resolve to real destinations, and copy stays strong without overclaiming customer portal, export, automation, provider, or legal/compliance truth
+- **Budget / baseline / trend impact**: none expected
+- **Escalation needed**: follow-up-spec only if later work adds a runtime review workspace, review-pack export truth, or broader public proof assets
+- **Active feature PR close-out entry**: Smoke Coverage
+- **Planned validation commands**:
+ - inspect root and website package manifests before running scripts
+ - run only existing website `check`, `build`, or `test` commands if present
+ - run static scans for placeholder links, banned internal phrases, and unsupported claims in website source and committed public assets
+ - run desktop and mobile browser smoke for the review-story page and any homepage/platform/use-case/footer discovery links if local preview is available
+
+## User Scenarios & Testing *(mandatory)*
+
+### User Story 1 - Buyers Understand The Review-Pack Outcome (Priority: P1)
+
+A first-time public buyer opens the new page and quickly understands that Tenantial produces reviewable governance artifacts rather than another raw export or dashboard view.
+
+**Why this priority**: The page exists to answer the core commercial question that remains open after Specs 404 through 407.
+
+**Independent Test**: Can be fully tested by opening the page and confirming that the hero, problem statement, workflow, and review-pack anatomy clearly explain Review Packs, Evidence, Findings, Accepted Risks, and Decision Summaries in buyer-facing language.
+
+**Acceptance Scenarios**:
+
+1. **Given** a public evaluator lands on the page, **When** they read the hero and supporting copy, **Then** they understand that Tenantial turns policy state and drift into reviewable decisions rather than another raw export.
+2. **Given** a visitor scans the review-pack anatomy section, **When** they compare it with manual screenshots or export-heavy processes, **Then** they understand why a Review Pack is a governance deliverable instead of a screenshot deck.
+3. **Given** a buyer is still classifying the product, **When** they read the differentiation language, **Then** they do not interpret Tenantial as a helpdesk, admin-center clone, or blind automation tool.
+
+---
+
+### User Story 2 - Buyers Understand Evidence And Decision Context Safely (Priority: P1)
+
+A buyer should understand how Tenantial connects Evidence, Findings, Accepted Risks, and Decision Summaries while keeping customer-safe review content distinct from internal diagnostics.
+
+**Why this priority**: The page only adds value if it explains both the governance output and the safety boundary around what belongs in customer-facing reviews.
+
+**Independent Test**: Can be fully tested by opening the Evidence, Decision Summary, and customer-safe boundary sections and checking that each concept is explained in buyer-facing language without runtime overclaim.
+
+**Acceptance Scenarios**:
+
+1. **Given** a visitor reads the Evidence section, **When** they compare it to screenshots, logs, or raw payloads, **Then** they see Evidence positioned as reviewable proof context rather than raw technical noise.
+2. **Given** a visitor reads the Decision Summary section, **When** they review Status, Reason, Impact, Evidence, Next Action, and Review Context, **Then** they understand how a finding becomes a governance decision instead of a forgotten meeting note.
+3. **Given** a visitor reads the boundary section, **When** they compare customer-safe review content with internal/operator-only detail, **Then** they see that low-level diagnostics are not the default public review story.
+
+---
+
+### User Story 3 - MSP And Enterprise IT Buyers Can Map The Story To Their Context (Priority: P2)
+
+The same page should help MSP buyers and internal IT buyers see why Review Packs, Evidence, and Decision Summaries matter in their different review workflows.
+
+**Why this priority**: The product story is stronger when the artifact story connects directly to recurring customer reviews for MSPs and to auditability and management reviews for internal IT.
+
+**Independent Test**: Can be fully tested by reviewing the MSP-value and Enterprise-IT-value sections and confirming that each audience can identify its own repeatable outcome.
+
+**Acceptance Scenarios**:
+
+1. **Given** an MSP evaluator reads the MSP section, **When** they review recurring review, customer communication, service packaging, and follow-up clarity, **Then** they understand Review Packs as a repeatable governance deliverable.
+2. **Given** an enterprise IT evaluator reads the Enterprise IT section, **When** they review management review, security review, audit preparation, and recovery context, **Then** they understand the page as an auditability story rather than a generic compliance page.
+
+---
+
+### User Story 4 - Visitors Can Discover The Page Through Real IA Entry Points (Priority: P2)
+
+A public visitor should be able to reach the page from the current website IA without broken links, placeholder links, or fake destinations.
+
+**Why this priority**: Buyer messaging only helps if it is discoverable through the site surfaces where visitors first form expectations.
+
+**Independent Test**: Can be fully tested by following homepage, platform-page, use-case, navigation, or footer links to the page on desktop and mobile.
+
+**Acceptance Scenarios**:
+
+1. **Given** a visitor uses any homepage or platform teaser added by this feature, **When** they follow the CTA, **Then** they reach the Review Pack / Evidence / Decision story through a real route.
+2. **Given** a visitor uses any MSP, Mittelstand, navigation, or footer crosslink exposed by this feature, **When** they open the destination, **Then** the route resolves without placeholders, dead links, or `href="#"` behavior.
+3. **Given** a mobile visitor opens the new page, **When** they scan the hero, core sections, and CTA, **Then** the page remains readable and actionable.
+
+### Edge Cases
+
+- What happens when the current website IA does not support `/platform/review-packs` cleanly? The implementation must choose a real route family that matches existing conventions and document the decision.
+- What happens when suggested CTA targets such as trust, demo, platform, MSP, or Mittelstand are not real destinations? The CTA must be omitted or mapped to an existing real destination.
+- What happens when runtime review-pack export availability is not verified? Copy must use soft wording such as "helps prepare", "can", or "if available" instead of hard availability claims.
+- What happens when the site language strategy is German-first, English-first, or mixed? The implementation must follow the current site convention rather than introducing a new localization foundation.
+- What happens when a line drifts toward legal, compliance, automation, or provider overclaim? The line must be rewritten to preserve governance-layer positioning and verified claim boundaries.
+
+## Assumptions
+
+- The current public website can support one real review-story destination without changing root workspace contracts.
+- At least one real destination exists for primary CTA flows such as platform, demo/contact, or trust; secondary CTA variants may be omitted when no real destination exists.
+- Review Packs, Evidence, Accepted Risks, and Decision Summaries can be marketed as governance outcomes without claiming a fully shipped customer portal, automatic export pipeline, or legal certification.
+- The customer-safe versus internal-detail distinction can be described as a product-story principle even when exact runtime enforcement details remain platform-scope follow-up work.
+- The current site language strategy may be German-first or mixed; implementation should follow that convention instead of normalizing the whole site.
+
+## Requirements *(mandatory)*
+
+This feature introduces no Microsoft Graph calls, no write/change product behavior, no persistence, no OperationRun flow, no RBAC mutation, and no provider runtime capability. Its only additions are bounded public website copy, route exposure, and metadata that translate existing product truth into a buyer-facing review, Evidence, and decision story.
+
+### Functional Requirements
+
+#### Scope And Route
+
+- **FR-001**: The implementation MUST remain public-website-only and MUST NOT require `apps/platform` runtime changes.
+- **FR-002**: The public website MUST provide one dedicated product-story page for Review Packs, Evidence, Accepted Risks, and Decision Summaries.
+- **FR-003**: The implementation MUST follow the current website route family; the preferred destination is `/platform/review-packs`, with real fallback route families only when current IA requires them.
+- **FR-004**: The chosen route and IA decision MUST be documented during implementation.
+- **FR-005**: The new page MUST be reachable from at least one existing public-site entry point such as the homepage, platform page, use-case pages, navigation, or footer.
+- **FR-006**: Every CTA, teaser, nav link, footer link, and in-page link added by this feature MUST resolve to a real destination; placeholder links and `href="#"` are forbidden.
+
+#### Core Story And Page Structure
+
+- **FR-007**: The page MUST position Tenantial as turning Microsoft 365 policy state, drift, Findings, Evidence, Accepted Risks, and recovery context into reviewable governance artifacts.
+- **FR-008**: The page MUST explain that the outcome is more than a raw export, screenshot collection, or admin-center snapshot.
+- **FR-009**: The page MUST include a hero section, problem section, governance workflow, review-pack anatomy, Evidence section, Decision Summary section, customer-safe boundary section, MSP value section, Enterprise IT value section, differentiation section, optional trust teaser, and final CTA.
+- **FR-010**: The hero MUST make the decision-ready outcome clear in buyer-facing language.
+- **FR-011**: The problem section MUST explain why technical truth alone is insufficient for governance, review preparation, and audit conversations.
+- **FR-012**: The page MUST make clear that Tenantial is not positioned as a helpdesk, admin-center clone, generic compliance marketing page, or blind automation tool.
+
+#### Governance Workflow And Review-Pack Anatomy
+
+- **FR-013**: The workflow section MUST describe a sequence from policy state to drift recognition to Evidence to finding evaluation to risk decision to review-pack preparation.
+- **FR-014**: The workflow MUST explain that findings need Status, Reason, Impact, Evidence Basis, and Next Action to become reviewable.
+- **FR-015**: The review-pack anatomy section MUST explain Review Packs as governance deliverables for customer reviews, management reviews, and audit preparation rather than raw technical exports.
+- **FR-016**: The review-pack anatomy MUST include Executive Summary, Evidence Basis, Findings, Accepted Risks, Decision Summary, Review Pack Status, and Download / Export Context.
+- **FR-017**: The Review Pack Status explanation MUST support readiness states such as ready, incomplete, in preparation, or unavailable without using false success signals.
+- **FR-018**: Download or export wording MUST stay soft through language such as "helps prepare", "can", or "if available" unless current product truth verifies harder availability claims.
+
+#### Evidence, Decisions, And Customer-safe Boundary
+
+- **FR-019**: The Evidence section MUST explain Evidence as reviewable proof context for policy state, drift, findings, reviews, and recovery questions rather than raw logs or screenshots.
+- **FR-020**: The Evidence section MUST cover policy Evidence, change Evidence, finding Evidence, recovery Evidence, and review Evidence in buyer-facing terms.
+- **FR-021**: The Decision Summary section MUST explain what was found, why it matters, what Evidence supports it, what was accepted, what remains open, who acts next, and when review is needed if applicable.
+- **FR-022**: The Decision Summary section MUST surface Status, Reason, Impact, Evidence, Next Action, and Review Context as buyer-facing concepts.
+- **FR-023**: The customer-safe boundary section MUST explain the distinction between customer-safe review content and internal or operator-only diagnostics.
+- **FR-024**: Customer-safe review content MUST include executive summary, review status, Findings summary, Evidence Basis, Accepted Risks, Decision Summary, next actions, and management-ready wording.
+- **FR-025**: Internal or operator-only detail MUST exclude raw provider payloads, internal job IDs, debug traces, stack traces, internal fingerprints, low-level operation URLs, secret context, internal reason-family names, and unredacted diagnostics by default.
+- **FR-026**: The page MUST describe the customer-safe boundary as a product-story principle and MUST NOT claim exact enforcement behavior unless current product truth verifies it.
+
+#### Audience Value, Differentiation, And CTA
+
+- **FR-027**: The MSP value section MUST position Review Packs as a repeatable governance deliverable for recurring customer reviews.
+- **FR-028**: The MSP value section MUST cover recurring reviews, customer communication, service packaging, and follow-up clarity.
+- **FR-029**: The Enterprise IT value section MUST position the story around management review, security review, audit preparation, and recovery context without a screenshot-driven process.
+- **FR-030**: The differentiation section MUST contrast raw exports with Tenantial's review story in terms of context, Evidence, Findings, Accepted Risks, and next actions.
+- **FR-031**: The trust teaser MAY link to the existing trust destination only when that route exists as a real destination and MUST avoid unverified legal, hosting, certification, or compliance claims.
+- **FR-032**: The final CTA MUST use only real destinations and MUST keep the sales promise bounded to review preparation, Evidence, decisions, follow-up, and governance clarity.
+
+#### Discovery, Metadata, Language, And Claim Guardrails
+
+- **FR-033**: The homepage MAY expose a compact teaser for Evidence and Review Packs when the current homepage structure supports it without a heavy IA rewrite.
+- **FR-034**: The platform page MAY expose a compact teaser connecting backups, drift, and findings to reviewable Evidence and decisions when current structure supports it.
+- **FR-035**: MSP and Mittelstand / Enterprise IT use-case pages MAY crosslink to this page only when those routes exist as real destinations.
+- **FR-036**: Navigation or footer MAY expose the page only where current IA supports it; the feature MUST NOT introduce a placeholder dropdown or heavy nav refactor solely for this page.
+- **FR-037**: Page metadata MUST describe Review Packs, Evidence, Findings, Accepted Risks, and Decision Summaries in Microsoft 365 governance language for MSPs and enterprise IT buyers.
+- **FR-038**: Visible copy and metadata MUST use strong but safe governance language such as Review Packs, auditfaehige Evidence, pruefbare Unterlagen, Findings, Accepted Risks, Decision Summary, Evidence Basis, Management Review, Audit-Vorbereitung, Recovery Context, and Status/Reason/Impact/Next Action.
+- **FR-039**: Visible copy and metadata MUST NOT use internal phrases such as customer-safe consumption productization, route-owned workspace-wide hub, artifact taxonomy, source family, capability registry, repo-real foundation, or operator surface convergence.
+- **FR-040**: Visible copy and metadata MUST NOT claim a completed customer portal, automatic Review Pack generation, automatic exports, immutable Evidence, lueckenlose Evidence, gerichtsfeste Nachweise, complete audit trail, guaranteed audit success, makes you compliant, DSGVO-konform, ISO-zertifiziert, real-time drift, automatic remediation, automatic restore, or Google/AWS support unless separately verified as current product truth.
+- **FR-041**: Review Packs, Evidence, Accepted Risks, decisions, and recovery context MAY be described as governance outcomes, but the feature MUST NOT introduce fake sample reports, fake downloadable PDFs, fake customer reports, fake logos, fake case studies, or fake certifications.
+
+#### Scope Safety
+
+- **FR-042**: The implementation MUST preserve root workspace contracts, including existing root script names, the website package name, the `WEBSITE_PORT` convention, and the `apps/*` workspace convention.
+- **FR-043**: The implementation MUST follow the current site language strategy and MUST NOT introduce a new localization foundation.
+- **FR-044**: The implementation MUST NOT add runtime Review Pack generation, Evidence storage, Decision Register behavior, customer portal behavior, RBAC changes, or export/PDF runtime behavior.
+- **FR-045**: The implementation MUST record the exact validation commands and results used to verify the public website change.
+
+## UI Action Matrix *(mandatory when Filament is changed)*
+
+N/A - no Filament Resource, RelationManager, or Page is changed by this feature.
+
+### Key Entities *(include if feature involves data)*
+
+- **Review Story Page**: A public buyer-facing page that explains how Tenantial turns policy truth into reviewable Evidence, Findings, Accepted Risks, decisions, and review-pack preparation.
+- **Review Pack**: A governance deliverable for customer reviews, management reviews, or audit preparation that summarizes Findings, Evidence, decisions, and next actions in buyer-facing form.
+- **Evidence Basis**: The buyer-facing explanation of which policy, change, finding, recovery, or review context supports a governance conclusion.
+- **Decision Summary**: The structured explanation of what was found, why it matters, what was accepted, what remains open, and what action should happen next.
+
+## Success Criteria *(mandatory)*
+
+### Measurable Outcomes
+
+- **SC-001**: In internal copy review, a first-time public evaluator can identify within 60 seconds that Tenantial turns Microsoft 365 policy state and drift into Review Packs, Evidence, and decision-ready governance outputs instead of another raw export or dashboard.
+- **SC-002**: In internal copy review, a first-time MSP evaluator can identify within 60 seconds that the page supports repeatable customer governance reviews, Accepted Risk visibility, and follow-up preparation.
+- **SC-003**: In internal copy review, a first-time enterprise IT evaluator can identify within 60 seconds that the page supports management review, audit preparation, and recovery context without a screenshot-driven process.
+- **SC-004**: QA finds zero placeholder links or broken exposed routes across the new page and any homepage, platform-page, use-case, navigation, or footer discovery points changed by this feature.
+- **SC-005**: Static copy review finds zero occurrences of banned internal phrases, false compliance/provider claims, fake portal/export promises, or fake proof artifacts on new or updated public surfaces created by this feature.
+- **SC-006**: Desktop and mobile smoke review confirms that the page remains readable, keeps its primary CTA visible, clearly separates customer-safe review content from internal diagnostics, and shows no layout breakage.
\ No newline at end of file
diff --git a/specs/408-review-evidence-decision/tasks.md b/specs/408-review-evidence-decision/tasks.md
new file mode 100644
index 00000000..4ed52cf9
--- /dev/null
+++ b/specs/408-review-evidence-decision/tasks.md
@@ -0,0 +1,250 @@
+# Tasks: Customer-safe Review, Evidence & Decision Story
+
+**Input**: Design documents from `/specs/408-review-evidence-decision/`
+**Prerequisites**: `plan.md` (required), `spec.md` (required), `research.md`, `data-model.md`, `quickstart.md`, `contracts/review-pack-story-routes.openapi.yaml`
+
+**Tests**: Runtime behavior changes are in scope for `apps/website`, so browser smoke, route/metadata assertions, and static claim scans are required.
+
+## Test Governance Checklist
+
+- [x] Lane assignment is named and is the narrowest sufficient proof for the changed behavior.
+- [x] New or changed tests stay in the smallest honest family, and any browser addition is explicit.
+- [x] Shared helpers and fixtures stay cheap by default; any widening is isolated or documented.
+- [x] Planned validation commands cover the change without unrelated lane cost.
+- [x] Surface test profile is explicit (`Browser`, `public website`).
+- [x] Any escalation or follow-up spec decision is documented in the feature plan.
+- [x] Test-governance review outcome is explicit: `document-in-feature`.
+
+## Phase 1: Setup (Shared Infrastructure)
+
+**Purpose**: Confirm repo contracts, identify the exact website surfaces in scope, and keep implementation bounded to `apps/website`.
+
+- [x] T001 Confirm active feature scope and selected route family in `specs/408-review-evidence-decision/spec.md` and `specs/408-review-evidence-decision/plan.md`
+- [x] T002 Verify root workspace contracts remain unchanged in `package.json`
+- [x] T003 Verify website validation scripts and package contract in `apps/website/package.json`
+- [x] T004 Map current platform, trust, and use-case entry points in `apps/website/src/pages/platform.astro`, `apps/website/src/pages/en/platform.astro`, `apps/website/src/pages/use-cases/msp.astro`, and `apps/website/src/pages/use-cases/mittelstand.astro`
+- [x] T005 [P] Map current homepage and platform composition surfaces in `apps/website/src/components/pages/HomePage.astro` and `apps/website/src/components/pages/PlatformPage.astro`
+- [x] T006 [P] Map localized routing and smoke helpers in `apps/website/src/i18n.ts` and `apps/website/tests/smoke/smoke-helpers.ts`
+
+---
+
+## Phase 2: Foundational (Blocking Prerequisites)
+
+**Purpose**: Establish the shared route, page scaffold, copy schema, and smoke hooks that every user story depends on.
+
+**Critical**: No user story work should begin before this phase is complete.
+
+- [x] T007 Create thin localized route shells in `apps/website/src/pages/platform/review-packs.astro` and `apps/website/src/pages/en/platform/review-packs.astro`
+- [x] T008 Create the shared review-pack page scaffold in `apps/website/src/components/pages/ReviewPacksPage.astro`
+- [x] T009 Add localized `reviewPacks` copy schema, metadata, and CTA containers in `apps/website/src/data_files/site-copy.ts`
+- [x] T010 Extend review-pack route inventory and route helpers in `apps/website/tests/smoke/smoke-helpers.ts`
+- [x] T011 Add baseline title/description and forbidden-claim hooks for review-pack routes in `apps/website/tests/smoke/public-routes.spec.ts`
+- [x] T012 Confirm the final route family and keep `specs/408-review-evidence-decision/plan.md` aligned with `specs/408-review-evidence-decision/contracts/review-pack-story-routes.openapi.yaml`
+
+**Checkpoint**: Foundation is ready for story implementation.
+
+---
+
+## Phase 3: User Story 1 - Buyers Understand The Review-Pack Outcome (Priority: P1)
+
+**Goal**: Deliver the core product-story page so a first-time buyer understands Review Packs as decision-ready governance output instead of another export or dashboard.
+
+**Independent Test**: Open `/platform/review-packs` and `/en/platform/review-packs`, then confirm the hero, problem framing, workflow, review-pack anatomy, differentiation, and real CTA language explain the outcome within one page.
+
+### Tests for User Story 1
+
+- [x] T013 [P] [US1] Add route title and description assertions for `/platform/review-packs` and `/en/platform/review-packs` in `apps/website/tests/smoke/public-routes.spec.ts`
+- [x] T014 [P] [US1] Add hero, problem, workflow, review-pack anatomy, and differentiation assertions in `apps/website/tests/smoke/interaction.spec.ts`
+
+### Implementation for User Story 1
+
+- [x] T015 [US1] Implement hero, problem, workflow, review-pack anatomy, differentiation, and primary/final CTA copy in `apps/website/src/data_files/site-copy.ts`
+- [x] T016 [US1] Render hero, problem, workflow, review-pack anatomy, differentiation, and primary/final CTA sections in `apps/website/src/components/pages/ReviewPacksPage.astro`
+- [x] T017 [US1] Wire localized metadata and shared page props in `apps/website/src/pages/platform/review-packs.astro` and `apps/website/src/pages/en/platform/review-packs.astro`
+
+**Checkpoint**: User Story 1 is independently functional and demonstrable.
+
+---
+
+## Phase 4: User Story 2 - Buyers Understand Evidence And Decision Context Safely (Priority: P1)
+
+**Goal**: Explain Evidence, Decision Summaries, Accepted Risks, and the customer-safe boundary without overclaiming runtime enforcement or exposing internal/operator-only detail.
+
+**Independent Test**: Open the review-pack page and confirm the Evidence, Decision Summary, Accepted Risks, and customer-safe boundary sections explain what belongs in a customer-facing review and what does not.
+
+### Tests for User Story 2
+
+- [x] T018 [P] [US2] Add Evidence, Decision Summary, Accepted Risks, and customer-safe boundary assertions in `apps/website/tests/smoke/interaction.spec.ts`
+- [x] T019 [P] [US2] Extend forbidden-detail and overclaim pattern coverage for review-pack routes in `apps/website/tests/smoke/smoke-helpers.ts`
+
+### Implementation for User Story 2
+
+- [x] T020 [US2] Implement Evidence cards, Decision Summary facets, Accepted Risks, customer-safe boundary copy, and soft export wording in `apps/website/src/data_files/site-copy.ts`
+- [x] T021 [US2] Render Evidence, Decision Summary, Accepted Risks, customer-safe boundary, and soft-availability messaging in `apps/website/src/components/pages/ReviewPacksPage.astro`
+- [x] T022 [US2] Keep customer-safe copy and forbidden-detail exclusions aligned between `apps/website/src/data_files/site-copy.ts` and `specs/408-review-evidence-decision/contracts/review-pack-story-routes.openapi.yaml`
+
+**Checkpoint**: User Story 2 is independently functional and demonstrable.
+
+---
+
+## Phase 5: User Story 3 - MSP And Enterprise IT Buyers Can Map The Story To Their Context (Priority: P2)
+
+**Goal**: Show why the same Review Pack story matters to MSP service reviews and to Enterprise IT management, security, audit, and recovery conversations.
+
+**Independent Test**: Open the page and verify the MSP, Enterprise IT, and raw-export-versus-review-story sections make the audience-specific value obvious without changing the core product truth.
+
+### Tests for User Story 3
+
+- [x] T023 [P] [US3] Add audience-value and raw-export-versus-review-story assertions in `apps/website/tests/smoke/interaction.spec.ts`
+- [x] T024 [P] [US3] Add MSP and Enterprise IT metadata-intent assertions for the review-pack routes in `apps/website/tests/smoke/public-routes.spec.ts`
+- [x] T025 [P] [US3] Add trust teaser destination and bounded-claim assertions for the review-pack routes in `apps/website/tests/smoke/interaction.spec.ts`
+
+### Implementation for User Story 3
+
+- [x] T026 [US3] Implement MSP value, Enterprise IT value, and raw-export comparison copy in `apps/website/src/data_files/site-copy.ts`
+- [x] T027 [US3] Render audience-value and raw-export comparison sections in `apps/website/src/components/pages/ReviewPacksPage.astro`
+- [x] T028 [US3] Add localized trust teaser destinations and audience-specific final CTA copy in `apps/website/src/data_files/site-copy.ts` and `apps/website/src/components/pages/ReviewPacksPage.astro`
+
+**Checkpoint**: User Story 3 is independently functional and demonstrable.
+
+---
+
+## Phase 6: User Story 4 - Visitors Can Discover The Page Through Real IA Entry Points (Priority: P2)
+
+**Goal**: Make the page reachable from current public-site entry points without placeholder links, fake destinations, or a heavy IA rewrite.
+
+**Independent Test**: Reach the page from the homepage, platform teaser, use-case crosslinks, and footer entry points that are implemented, then confirm the route stays readable on desktop and mobile.
+
+### Tests for User Story 4
+
+- [x] T029 [P] [US4] Extend localized review-pack route inventory in `apps/website/tests/smoke/smoke-helpers.ts`
+- [x] T030 [P] [US4] Add discovery-link and placeholder-link assertions for review-pack entry points in `apps/website/tests/smoke/public-routes.spec.ts`
+- [x] T031 [P] [US4] Add click-through and mobile readability assertions for review-pack entry points in `apps/website/tests/smoke/interaction.spec.ts`
+
+### Implementation for User Story 4
+
+- [x] T032 [US4] Add homepage teaser copy and localized route mapping in `apps/website/src/data_files/site-copy.ts` and `apps/website/src/components/pages/HomePage.astro`
+- [x] T033 [US4] Add compact platform teaser and localized route mapping in `apps/website/src/data_files/site-copy.ts` and `apps/website/src/components/pages/PlatformPage.astro`
+- [x] T034 [US4] Add MSP and Mittelstand or Enterprise IT crosslinks in `apps/website/src/data_files/site-copy.ts`, `apps/website/src/pages/use-cases/msp.astro`, `apps/website/src/pages/use-cases/mittelstand.astro`, `apps/website/src/pages/en/use-cases/msp.astro`, and `apps/website/src/pages/en/use-cases/mittelstand.astro`
+- [x] T035 [US4] Add localized footer discovery links without a main-nav refactor in `apps/website/src/data_files/site-copy.ts`
+- [x] T036 [US4] Record any intentionally omitted discovery surface and the final IA decision in `specs/408-review-evidence-decision/plan.md`
+
+**Checkpoint**: User Story 4 is independently functional and demonstrable.
+
+---
+
+## Phase 7: Polish & Cross-Cutting Concerns
+
+**Purpose**: Run the required validation, record proof, and close out claim-boundary and scope checks.
+
+- [x] T037 [P] Run formatting check via `corepack pnpm --filter @tenantatlas/website format:check` using `apps/website/package.json`
+- [x] T038 Run static forbidden-term scans on `apps/website/src` and `apps/website/public` using the command set in `specs/408-review-evidence-decision/plan.md`
+- [x] T039 [P] If `apps/website/dist` is regenerated, run static forbidden-term scans on `apps/website/dist` using the command set in `specs/408-review-evidence-decision/plan.md`
+- [x] T040 Run build validation via `corepack pnpm --filter @tenantatlas/website build` using `apps/website/package.json`
+- [x] T041 Run route smoke via `corepack pnpm --filter @tenantatlas/website test tests/smoke/public-routes.spec.ts` for `apps/website/tests/smoke/public-routes.spec.ts`
+- [x] T042 Run interaction smoke via `corepack pnpm --filter @tenantatlas/website test tests/smoke/interaction.spec.ts` for `apps/website/tests/smoke/interaction.spec.ts`
+- [x] T043 Perform desktop/mobile 60-second comprehension smoke for `/platform/review-packs` and `/en/platform/review-packs`, then record SC-001 through SC-006 notes in `specs/408-review-evidence-decision/plan.md`
+- [x] T044 Record validation commands, scan outcomes, omitted surfaces, and `apps/platform/**` scope confirmation in `specs/408-review-evidence-decision/plan.md` and `specs/408-review-evidence-decision/checklists/requirements.md`
+
+---
+
+## Dependencies & Execution Order
+
+### Phase Dependencies
+
+- **Setup (Phase 1)**: No dependencies; starts immediately.
+- **Foundational (Phase 2)**: Depends on Setup completion and blocks all story work.
+- **User Stories (Phases 3-6)**: Depend on Foundational completion.
+- **Polish (Phase 7)**: Depends on all selected user stories being complete.
+
+### User Story Dependencies
+
+- **US1 (P1)**: Starts after Phase 2; no dependency on other stories.
+- **US2 (P1)**: Starts after Phase 2; can overlap with US1 once the shared page scaffold exists.
+- **US3 (P2)**: Depends on the core route and section structure from US1; can overlap late US2 copy work.
+- **US4 (P2)**: Depends on the review-pack routes existing and at least one implemented discovery surface from US1-US3.
+
+### Within Each User Story
+
+- Route and smoke assertions should be added before or alongside implementation and must fail before final pass.
+- Shared page structure comes before route wiring and discovery-link integration.
+- Copy and section rendering complete before build and browser validation.
+
+### Parallel Opportunities
+
+- Setup tasks marked `[P]` can run in parallel.
+- Foundational smoke-hook work can run in parallel with shared page scaffolding after route selection is fixed.
+- US1 and US2 can proceed in parallel after Phase 2 if file ownership is coordinated.
+- US4 homepage, platform, and footer discoverability tasks can be split across implementers once route copy is stable.
+- Phase 7 scan, build, and smoke tasks can be split once implementation is frozen.
+
+---
+
+## Parallel Example: User Story 1
+
+```bash
+Task: "T013 [US1] Add route title and description assertions for /platform/review-packs and /en/platform/review-packs in apps/website/tests/smoke/public-routes.spec.ts"
+Task: "T014 [US1] Add hero, problem, workflow, review-pack anatomy, and differentiation assertions in apps/website/tests/smoke/interaction.spec.ts"
+```
+
+## Parallel Example: User Story 2
+
+```bash
+Task: "T018 [US2] Add Evidence, Decision Summary, Accepted Risks, and customer-safe boundary assertions in apps/website/tests/smoke/interaction.spec.ts"
+Task: "T019 [US2] Extend forbidden-detail and overclaim pattern coverage for review-pack routes in apps/website/tests/smoke/smoke-helpers.ts"
+```
+
+## Parallel Example: User Story 3
+
+```bash
+Task: "T023 [US3] Add audience-value and raw-export-versus-review-story assertions in apps/website/tests/smoke/interaction.spec.ts"
+Task: "T024 [US3] Add MSP and Enterprise IT metadata-intent assertions for the review-pack routes in apps/website/tests/smoke/public-routes.spec.ts"
+Task: "T025 [US3] Add trust teaser destination and bounded-claim assertions for the review-pack routes in apps/website/tests/smoke/interaction.spec.ts"
+```
+
+## Parallel Example: User Story 4
+
+```bash
+Task: "T029 [US4] Extend localized review-pack route inventory in apps/website/tests/smoke/smoke-helpers.ts"
+Task: "T030 [US4] Add discovery-link and placeholder-link assertions for review-pack entry points in apps/website/tests/smoke/public-routes.spec.ts"
+Task: "T031 [US4] Add click-through and mobile readability assertions for review-pack entry points in apps/website/tests/smoke/interaction.spec.ts"
+```
+
+---
+
+## Implementation Strategy
+
+### MVP First (P1 Slice: User Stories 1 and 2)
+
+1. Complete Phase 1 (Setup).
+2. Complete Phase 2 (Foundational).
+3. Complete Phase 3 (US1).
+4. Complete Phase 4 (US2).
+5. Validate the P1 slice independently with route metadata and browser smoke.
+6. Demo or ship the first buyer-facing slice.
+
+### Incremental Delivery
+
+1. Finish Setup plus Foundational once.
+2. Deliver US1 and US2 as the P1 slice, then validate them independently.
+3. Add US3 and validate audience-specific framing.
+4. Add US4 and validate discovery plus mobile readability.
+5. Finish Phase 7 proof and close-out notes.
+
+### Parallel Team Strategy
+
+1. One implementer completes Setup plus Foundational.
+2. After Phase 2:
+ - Implementer A: US1 core route story
+ - Implementer B: US2 Evidence and customer-safe boundary
+ - Implementer C: US4 discoverability surfaces
+3. Fold US3 audience-value framing in after the shared route story stabilizes.
+4. Run Phase 7 validation together before merge.
+
+---
+
+## Notes
+
+- `[P]` tasks touch different files or can be completed without waiting on another incomplete task in the same phase.
+- `[US1]` to `[US4]` labels map directly to the user stories in `spec.md` for traceability.
+- MVP scope is the P1 slice: User Stories 1 and 2. User Stories 3 and 4 layer on the same shared page once the core route story is stable.
\ No newline at end of file