--- name: tenantpilot-customer-output-gate description: Hard-gate customer-safe output, review/report downloads, and customer/auditor visibility boundaries. --- ## Purpose Use this skill to prevent internal evidence, permissions, OperationRun details, raw payloads, and technical diagnostics from being exposed as customer-safe output or product-default proof. ## Activate When - Touching review packs, environment reviews, stored reports, rendered reports, management PDFs, customer review workspace, customer/auditor routes, report downloads, or review publication. - Adding output labels such as customer-safe, ready, blocked, publishable, downloadable, complete, or current. - Changing controller-backed downloads, signed links, streamed reports, or internal preview paths. ## Do Not Activate When - The task has no customer/auditor output, report, download, review, or rendered product proof behavior. - The task is an internal-only docs/tooling change and cannot alter runtime output. ## Maturity L4 hard gate. ## Gate Type hard-gate. ## Source Evidence - `docs/product/standards/product-surface-contract.md` - `docs/security-guidelines.md` - `specs/400-product-contract-spec-completeness-audit/spec.md` - `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md` - `apps/platform/app/Support/ReviewPacks/CustomerOutputGate.php` - `apps/platform/app/Support/ReviewPacks/CustomerOutputGateDecision.php` - `apps/platform/app/Http/Controllers/ReviewPackDownloadController.php` - `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php` - `apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php` - `apps/platform/tests/Feature/ReviewPack/Spec392CustomerOutputRouteGateTest.php` - `apps/platform/tests/Unit/Support/ReviewPacks/Spec392CustomerOutputGateTest.php` ## External Anchors Not applicable. ## Required Repo Context - Output route/controller and authorization path. - `CustomerOutputGate` decision logic. - Source evidence and currentness contract for the output. - Audience mode: customer/read-only, operator/MSP, or support/platform. - Default-visible content and hidden technical detail boundaries. - Download/streaming tests and route tests. ## Execution Checklist - Gate output through explicit customer-output decision logic, not permissions alone. - Confirm workspace/managed-environment scope before streaming or downloading. - Keep raw JSON, payloads, fingerprints, source keys, provider request details, and internal reason ownership out of customer defaults. - Demote OperationRun, raw evidence, and technical audit details to authorized internal paths. - Use canonical customer-safe status vocabulary from Product Surface Contract. - Preserve one dominant customer/operator next action. - Add tests for authorized output, denied output, blocked output, and internal-preview behavior where runtime output changes. ## Stop Conditions - Output is allowed solely because the actor has permission. - Blocked output can still be streamed or downloaded. - Customer-safe label is applied without evidence/currentness proof. - Customer CTA points directly to internal-only technical detail as the primary path. - Page-local readiness logic duplicates or bypasses `CustomerOutputGate`. - Raw provider/evidence payloads are default-visible to customer/read-only users. ## Required Evidence After Use - Route/controller and gate decision proof. - Scope and authorization proof. - Customer-visible default content summary. - Technical/internal detail demotion proof. - Tests or explicit N/A for docs-only work. ## Common Failure Modes - Treating report existence as publishability. - Exposing internal preview links in customer paths. - Letting OperationRun or evidence snapshot IDs become customer proof. - Adding download verbs without blocked-state tests. - Using stale or internal readiness labels as customer-facing truth. ## Quarantined Rules Full Spec 416 quarantine list applies. Especially quarantined here: OperationRun as default customer proof; limited customer download vocabulary; raw provider/evidence payload default display; fallback-to-latest evidence; historical audits as current truth. ## Review / Expiry Review whenever customer output gates, review/report downloads, rendered reports, or customer/auditor boundary semantics change. No planned expiry.