# Requirements Checklist: Spec 379 - Management Report PDF Runtime Validation & Generation Completion

**Purpose**: Preparation readiness review for Spec 379 before application implementation.
**Created**: 2026-06-14
**Feature**: `specs/379-management-report-pdf-runtime/spec.md`

## Candidate And Scope

- [x] CHK001 The selected candidate is directly user-provided and not invented from the automatic queue.
- [x] CHK002 The active automatic candidate queue was not used as an auto-prep source.
- [x] CHK003 Spec 378 is treated as read-only renderer/gateway baseline context, not rewritten.
- [x] CHK004 The smallest v1 slice is staging/Dokploy runtime validation plus one customer-executive Management Report PDF generation/download flow.
- [x] CHK005 New renderer infrastructure, package-governance redo, delivery center, auditor report, billing PDF, AI, and portal scope are out of scope.

## Repo Truth And Dependencies

- [x] CHK006 The package reuses the existing Spec 378 `PdfRenderingGateway` / `PdfRendererClient`.
- [x] CHK007 The package reuses existing rendered-report, profile, disclosure, theme, Review Pack, OperationRun, and audit paths.
- [x] CHK008 The spec records the repo-truth adjustment that Spec 378 contains pending downstream tasks but remains read-only historical baseline.
- [x] CHK009 Runtime validation is a hard gate before generation enablement.
- [x] CHK010 The plan includes deployment impact for staging/Dokploy, env/config, queues, storage, and migrations.

## Security, RBAC, And Isolation

- [x] CHK011 Workspace and managed-environment scope are explicit for generation, storage, lookup, operation, and download.
- [x] CHK012 Non-member or wrong-scope access uses deny-as-not-found semantics.
- [x] CHK013 Scoped member without capability receives 403 after scope is established.
- [x] CHK014 PDF content and audit metadata forbid secrets, signed URLs, raw provider payloads, raw operation context, SQL errors, stack traces, and serialized jobs.
- [x] CHK015 Download must be signed and/or server-authorized and must re-resolve scope before returning bytes.

## OperationRun, Audit, And Artifact Truth

- [x] CHK016 The preferred implementation creates or reuses an OperationRun for generation.
- [x] CHK017 OperationRun lifecycle must flow through `OperationRunService`.
- [x] CHK018 Generation and download audit metadata are specified.
- [x] CHK019 Artifact truth carries source review/pack, workspace, environment, profile, actor, generated time, private storage, and operation-run provenance.
- [x] CHK020 A new artifact table/entity is not approved by default; implementation must stop and update spec/plan if one is required.

## UI And Productization Coverage

- [x] CHK021 UI Surface Impact is marked as changed reachable surfaces, not no-impact.
- [x] CHK022 Affected surfaces are bounded to existing owner detail pages, existing rendered-report source, optional PDF route, and artifact registry only if reused.
- [x] CHK023 Generate action is classified as high-impact artifact creation and requires explicit confirmation.
- [x] CHK024 UI coverage artifacts or checked no-update rationale are required during implementation close-out.
- [x] CHK025 No panel provider or navigation change is planned.

## Testing And Validation

- [x] CHK026 Unit tests are required for runtime validation, payload, readiness, disclosure, and renderer adapter behavior.
- [x] CHK027 Feature tests are required for generation, storage, OperationRun, audit, authorization, and download.
- [x] CHK028 Filament/Livewire action tests are required for the selected owner surface.
- [x] CHK029 Browser/content smoke is required if local fixtures can cover generation/download.
- [x] CHK030 PostgreSQL lane is required if migrations/indexes/schema constraints are introduced.
- [x] CHK031 Spec378 gateway regression is included in validation.

## Filament / Livewire / Deployment Contract

- [x] CHK032 Livewire v4.0+ compliance is explicit; no Livewire v3 APIs are planned.
- [x] CHK033 Provider registration location remains `apps/platform/bootstrap/providers.php`; no panel provider change is planned.
- [x] CHK034 Global search posture remains disabled for StoredReport unless a future spec updates it safely.
- [x] CHK035 Asset strategy expects no new Filament assets; deploy uses existing `filament:assets` only if assets are registered.
- [x] CHK036 Runtime validation is a staging/production promotion gate.

## Review Outcome

- [x] CHK037 Candidate Selection Gate result: PASS with repo-truth adjustment.
- [x] CHK038 Spec Readiness Gate result: PASS for preparation.
- [x] CHK039 Preparation is implementation-ready for a later implementation loop.
- [x] CHK040 No application implementation was performed during preparation.