# Tasks: DACH Trust, Datenschutz & Security Website Surface **Input**: Design documents from `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/` **Prerequisites**: `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/plan.md`, `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/spec.md`, `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/research.md`, `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/data-model.md`, `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/contracts/public-trust-routes.openapi.yaml` **Tests**: Browser/static website validation is required for this feature. Use the existing Astro build and Playwright smoke suite in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/`. **Scope**: Implement Spec 405 in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/` only. Do not edit `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/`, root workspace contracts, dependencies, or generated build artifacts unless the verified workflow requires rerendered output. ## Phase 1: Setup (Project Initialization) **Purpose**: Confirm the active website contracts, route mirrors, and validation surface before implementation starts. - [X] T001 [P] Verify workspace website contracts in `/Users/ahmeddarrazi/Documents/projects/wt-website/package.json`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/package.json`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/playwright.config.ts`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/i18n.ts` - [X] T002 [P] Audit current trust and homepage content seams in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro` - [X] T003 [P] Audit current browser validation coverage in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts` --- ## Phase 2: Foundational (Blocking Prerequisites) **Purpose**: Establish the shared trust data structure and page/test scaffolding that all user stories depend on. **⚠️ CRITICAL**: No user story work should start until this phase is complete. - [X] T004 Refactor the shared trust data shape for both locales in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` to support claim statuses, trust topics, data categories, permission posture, and real handoff CTA data - [X] T005 Update `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` to consume the new shared trust data shape and reserve section slots for all required trust topics - [X] T006 [P] Extend reusable trust-claim and real-handoff assertions in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts` for both German and English trust-route coverage **Checkpoint**: Shared trust data, page scaffolding, and reusable smoke helpers are ready. --- ## Phase 3: User Story 1 - DACH Evaluator Reviews Trust Posture (Priority: P1) 🎯 MVP **Goal**: Deliver the core trust page so a DACH evaluator can understand the main trust posture without unsupported legal or certification claims. **Independent Test**: Open `/trust` and `/en/trust`; confirm the page shows the trust hero, trust principles, hosting posture, privacy posture, auditability, retention/export/deletion/support posture, claim-safe localized metadata, and primary trust copy that remains visible with JavaScript disabled. ### Tests for User Story 1 - [X] T007 [US1] Add failing core trust-route coverage for evaluator-facing sections and conservative metadata in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts` - [X] T008 [P] [US1] Add failing desktop/mobile and no-JavaScript trust-route readability checks in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts` ### Implementation for User Story 1 - [X] T009 [US1] Populate localized core evaluator-facing trust copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` - [X] T010 [US1] Implement the trust hero, trust principles, hosting/privacy posture, auditability, and retention/export/deletion/support summary sections in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` - [X] T011 [US1] Align `/trust` and `/en/trust` page-title and meta-description strings in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` **Checkpoint**: User Story 1 is independently functional and can be validated from the trust route alone. --- ## Phase 4: User Story 2 - Procurement Or Privacy Reviewer Requests Documents Safely (Priority: P1) **Goal**: Show document readiness and request-safe handoff so procurement and privacy reviewers can evaluate AVV/DPA, TOM, subprocessors, and security follow-up without fake downloads or dead links. **Independent Test**: Open `/trust`; confirm AVV/DPA, TOM, subprocessors, support access, and security-contact topics show explicit status language and only real request destinations. ### Tests for User Story 2 - [X] T012 [US2] Add failing document-readiness, status-language, and trust-request CTA assertions in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts` - [X] T013 [P] [US2] Add failing fake-download and placeholder-request-link coverage in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts` ### Implementation for User Story 2 - [X] T014 [US2] Add localized AVV/DPA, TOM, subprocessor, support-access, and security-contact readiness copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` - [X] T015 [US2] Render document-readiness status sections and real request handoffs in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` - [X] T016 [US2] Preserve the existing trust-request handoff through real contact destinations in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` **Checkpoint**: User Story 2 is independently functional and document-readiness review can proceed without hidden dependencies on other stories. --- ## Phase 5: User Story 3 - Technical Reviewer Understands Data And Permission Boundaries (Priority: P2) **Goal**: Explain data categories, what Tenantial does not aim to store unnecessarily, and provider-permission posture with clear read/write and least-privilege distinctions. **Independent Test**: Open `/trust`; confirm the data-category, provider-permission, RBAC/least-privilege, and encryption/secrets sections make the governance/evidence boundaries and read/write distinction understandable in one pass. ### Tests for User Story 3 - [X] T017 [US3] Add failing data-category, provider-permission, RBAC/least-privilege, and encryption/secrets expectations in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts` - [X] T018 [P] [US3] Add failing overclaim coverage for provider support and data-minimization wording in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts` ### Implementation for User Story 3 - [X] T019 [US3] Add localized data-category and productive-content-avoidance copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` - [X] T020 [US3] Add localized provider-permission, read/write, RBAC/least-privilege, and encryption/secrets posture copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` - [X] T021 [US3] Render the data-category, provider-permission, RBAC/least-privilege, encryption/secrets, and claim-status-legend sections in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` **Checkpoint**: User Story 3 is independently functional and technical reviewers can assess data and permission boundaries without stale implementation detail. --- ## Phase 6: User Story 4 - Public Visitor Can Reach The Trust Surface Easily (Priority: P3) **Goal**: Make the trust surface easy to discover from homepage, footer, and navigation without duplicating the full trust content outside the canonical route. **Independent Test**: Visit the homepage on desktop and mobile, open the navigation/footer links, and confirm the trust page is reachable in one click with localized destinations for both route families. ### Tests for User Story 4 - [X] T022 [US4] Add failing homepage, footer, and localized trust-link discoverability assertions in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts` - [X] T023 [P] [US4] Add failing mobile-navigation and keyboard-flow trust-link coverage in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts` ### Implementation for User Story 4 - [X] T024 [US4] Update localized homepage trust-teaser copy and CTA targets in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` - [X] T025 [US4] Update trust-teaser rendering and canonical trust-route linkage in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro` - [X] T026 [US4] Preserve localized trust discoverability for navigation and footer entries in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` **Checkpoint**: User Story 4 is independently functional and trust discoverability works across homepage, footer, and navigation. --- ## Phase 7: Polish & Cross-Cutting Concerns **Purpose**: Final validation, scope protection, and cross-story consistency checks. - [X] T027 [P] Run the forbidden-claim and placeholder-link scan from `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/quickstart.md` against `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/public`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/dist` - [X] T028 Run `corepack pnpm build:website` and `corepack pnpm --filter @tenantatlas/website test` using `/Users/ahmeddarrazi/Documents/projects/wt-website/package.json`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/package.json`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/playwright.config.ts` - [X] T029 Review final localized trust and homepage copy for unsupported hard claims, route parity, and duplicate-truth drift in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro`, and record the exact text, verification source, and publication rationale in PR notes for any retained hard trust claim - [X] T030 Run the final scope and diff check from `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/quickstart.md` against `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/`, and record any required follow-up spec IDs for deferred permission docs, procurement workflows, or automated claim-guardrail work --- ## Dependencies & Execution Order ### Phase Dependencies - **Phase 1: Setup**: No dependencies, can start immediately. - **Phase 2: Foundational**: Depends on Phase 1 completion and blocks all user stories. - **Phase 3: User Story 1**: Depends on Phase 2 completion. - **Phase 4: User Story 2**: Depends on Phase 2 completion; lowest merge friction comes after US1 because it extends the same trust page. - **Phase 5: User Story 3**: Depends on Phase 2 completion; lowest merge friction comes after US1 because it extends the same trust page. - **Phase 6: User Story 4**: Depends on Phase 2 completion and should land after the trust-page content stories so homepage discoverability points to the finished surface. - **Phase 7: Polish**: Depends on all desired user stories being complete. ### User Story Dependencies - **US1 (P1)**: No dependency on other stories after the foundational phase. - **US2 (P1)**: Independent from US3, but shares `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` with other trust-page stories. - **US3 (P2)**: Independent from US2, but shares the same trust-page files and should be coordinated accordingly. - **US4 (P3)**: Independent in outcome terms, but depends on the canonical trust content being in place to avoid duplicating unfinished messaging. ### Within Each User Story - Tests should be written first and should fail before implementation is considered complete. - Shared localized copy changes in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` should land before Astro rendering tasks that consume them. - Trust-page rendering changes in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` should land before final smoke validation. - Homepage discoverability changes in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro` should land before keyboard/mobile discoverability validation closes. ### Parallel Opportunities - Setup audit tasks `T001`-`T003` can run in parallel. - Foundational helper work `T006` can run in parallel once `T004` and `T005` have clarified the shared shape. - In each user story, the two test tasks can run in parallel because they touch different test files. - `US2` and `US3` can be worked in parallel by different people only if edits to `site-copy.ts` and `TrustPage.astro` are coordinated carefully. - Polish tasks `T027` and `T029` can run in parallel after implementation is complete. --- ## Parallel Example: User Story 1 ```bash # Run the story-specific browser checks in parallel: Task: "T007 Add failing core trust-route coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts" Task: "T008 Add failing desktop/mobile and no-JavaScript trust-route readability checks in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts" ``` ## Parallel Example: User Story 2 ```bash # Prepare document-readiness browser checks in parallel: Task: "T012 Add failing document-readiness assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts" Task: "T013 Add failing fake-download coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts" ``` ## Parallel Example: User Story 3 ```bash # Prepare technical-review trust checks in parallel: Task: "T017 Add failing data-category, provider-permission, RBAC/least-privilege, and encryption/secrets expectations in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts" Task: "T018 Add failing provider-overclaim coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts" ``` ## Parallel Example: User Story 4 ```bash # Prepare discoverability checks in parallel: Task: "T022 Add failing homepage/footer trust-link assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts" Task: "T023 Add failing mobile-navigation and keyboard-flow trust-link coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts" ``` --- ## Implementation Strategy ### MVP First (User Story 1 Only) 1. Complete Phase 1: Setup. 2. Complete Phase 2: Foundational. 3. Complete Phase 3: User Story 1. 4. Stop and validate `/trust` and `/en/trust` independently. 5. Demo or review the core trust surface before adding request/readiness and technical-detail sections. ### Incremental Delivery 1. Finish Setup + Foundational to stabilize the trust data model and page scaffolding. 2. Deliver US1 for core evaluator-facing trust posture. 3. Add US2 for document readiness and safe request handoff. 4. Add US3 for technical reviewer depth on data and permissions. 5. Add US4 for homepage/footer/navigation discoverability. 6. Finish with Phase 7 validation and scope checks. ### Parallel Team Strategy 1. One person completes Phase 1 and Phase 2. 2. After foundational work: - Person A: US1 and US4 flow/discoverability tasks - Person B: US2 document-readiness tasks - Person C: US3 technical-detail tasks 3. Coordinate merges to `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` because they are shared hotspots. --- ## Notes - [P] tasks touch different files and can be executed in parallel. - `[US1]`-`[US4]` labels map directly to the user stories in `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/spec.md`. - Every task includes an exact file path and is scoped tightly enough for direct execution. - Browser tests are required because this feature changes rendered public routes and localized metadata. - `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/` remains out of scope for every phase.