# Customer Surface Contracts

Status: implemented and browser-verified.

## Customer Review Workspace

| Field | Contract |
|---|---|
| Page | Customer Review Workspace |
| Primary audience | customer, auditor, operator-as-facilitator |
| Primary question | What needs customer decision, and what is ready to review? |
| Implemented first viewport | Review output state, reason/impact, latest released review, one primary action, subordinate supporting actions, limitations, acknowledgement, findings, and evidence/review-pack side proof. |
| Allowed default content | Customer-safe outcome, evidence snapshot, review pack state, decision trail, accepted-risk summary, limitations, visible environment filter. |
| Collapsed/hidden content | Technical details, diagnostics, raw/support detail, and operation proof. |
| Primary action | State-specific customer-safe action such as open review or download qualified review pack. |
| Secondary actions | Supporting download/evidence links only when URL/action is available. |
| Evidence access | Evidence snapshot, review pack, and decision trail remain clear in the side panel. |
| Diagnostics access | Collapsed diagnostics panel. |
| Customer-safety notes | Default path no longer exposes `Operation proof` or operation initiator. |

## Environment Review View

| Field | Contract |
|---|---|
| Page | Environment Review View |
| Primary audience | customer, auditor, operator-as-facilitator |
| Primary question | What is the review outcome, and what proof/limitations support it? |
| Implemented first viewport | Outcome summary, output guidance, executive posture, evidence basis, then collapsed technical details. |
| Allowed default content | Outcome, output readiness, publication/sharing boundary, review summary, tenant/generated/published dates, evidence snapshot completeness, and current export state. |
| Collapsed/hidden content | Review status/completeness/fingerprint and deeper section payload details. |
| Primary action | Existing header actions remain source-owned; rendered-report handoff remains the current ready-pack detail action. |
| Secondary actions | Evidence and review-pack links inside evidence basis. |
| Evidence access | Evidence snapshot and current export links stay visible before technical details. |
| Diagnostics access | Technical details and section details are collapsed. |
| Customer-safety notes | No review lifecycle, accepted-risk, evidence, generation, or action runtime changes. |

## Review Pack View

| Field | Contract |
|---|---|
| Page | Review Pack View |
| Primary audience | customer, auditor, operator |
| Primary question | Is this review pack ready, and what does it include? |
| Implemented first viewport | Outcome summary, output guidance, pack readiness and contents, then collapsed technical pack details. |
| Allowed default content | Pack readiness, environment, generated/expires, download size, finding/report counts, evidence resolution, evidence basis, and released review. |
| Collapsed/hidden content | Options, initiator, customer-workspace link, review status, OperationRun link, operation count, freshness, SHA/fingerprints, and creation timestamp. |
| Primary action | Existing rendered-report/download actions remain in the page header when available. |
| Secondary actions | Evidence and released-review links. |
| Evidence access | Evidence basis and released review links stay visible before technical metadata. |
| Diagnostics access | Collapsed technical pack details; hidden entirely in customer-workspace flow. |
| Customer-safety notes | No generator, renderer, disclosure-policy, or download authorization changes. |

## Stored Report View

| Field | Contract |
|---|---|
| Page | Stored Report View |
| Primary audience | auditor, customer, operator |
| Primary question | What report is this, what is its scope/readiness, and what summary matters? |
| Implemented first viewport | Outcome summary, report scope/readiness, report-specific summary, technical report details collapsed, raw payload collapsed. |
| Allowed default content | Report type, environment, measured time, lifecycle, retention, and permission/role summary. |
| Collapsed/hidden content | Artifact reference, source family/kind/target, control/detector/provider keys, integrity anchors, previous fingerprint, and raw payload. |
| Primary action | Existing read-only current-report navigation remains capability-gated. |
| Secondary actions | None added. |
| Evidence access | Report summary remains readable before raw/source internals. |
| Diagnostics access | Technical report details and raw payload are collapsed. |
| Customer-safety notes | Report is framed as an output artifact, not a storage object. |

## Evidence Snapshot View

| Field | Contract |
|---|---|
| Page | Evidence Snapshot View |
| Primary audience | auditor, customer, operator |
| Primary question | What evidence was captured, and what review/report context does it support? |
| Implemented first viewport | Outcome summary, evidence basis/readiness, coverage summary, related review/report context, then collapsed technical evidence details. |
| Allowed default content | Evidence state, completeness, environment, captured/expires dates, finding/report/missing/stale counts, review-pack link, customer-workspace link, evidence dimensions with summary. |
| Collapsed/hidden content | OperationRun link, fingerprints, operation count, source descriptors, provider source detail, and raw summary JSON. |
| Primary action | Existing refresh evidence / expire snapshot header actions preserved. |
| Secondary actions | Review pack and customer workspace related-context links. |
| Evidence access | Evidence dimensions are readable before technical per-dimension metadata. |
| Diagnostics access | Technical evidence and technical dimension details are collapsed. |
| Customer-safety notes | Evidence Snapshot was reachable in Spec 372 browser smoke; operation-run related context was removed. |