# Requirements Checklist: Spec 378 - Management Report PDF v1

**Purpose**: Preparation readiness review for Spec 378 before application implementation.
**Created**: 2026-06-14
**Feature**: `specs/378-management-report-pdf-v1/spec.md`

## Candidate And Scope

- [x] CHK001 The selected candidate is directly user-provided and not invented from the automatic queue.
- [x] CHK002 Related completed specs are treated as historical context only and are not rewritten.
- [x] CHK003 The smallest v1 slice is one `customer_executive` management PDF artifact from existing ready/current review-pack truth.
- [x] CHK004 Technical/Auditor Evidence Report, Delivery Center, scheduled delivery, portal, AI, and raw JSON appendix are out of scope.
- [x] CHK005 The spec records close alternatives and follow-up candidates instead of hiding them inside v1.

## Repo Truth And Dependencies

- [x] CHK006 The spec reuses the existing rendered-report route/controller/view family from Specs 356, 357, and 366.
- [x] CHK007 The spec requires `ReportProfileRegistry` and `ReportDisclosurePolicy` rather than inventing parallel profile/disclosure rules.
- [x] CHK008 The plan records that no native PDF runtime package is currently approved in `apps/platform/composer.json`.
- [x] CHK009 The tasks include a hard package/renderer governance gate before runtime implementation.
- [x] CHK010 The plan records that current `StoredReport` is narrow and may need a bounded substrate extension.

## Security, RBAC, And Isolation

- [x] CHK011 Workspace, tenant, and managed-environment scope are explicit for generation, storage, lookup, and download.
- [x] CHK012 Unauthorized non-member or wrong-scope access uses deny-as-not-found semantics.
- [x] CHK013 Member-without-capability handling is specified as 403 after scope is established.
- [x] CHK014 The PDF and audit metadata forbid secrets, signed URLs, raw provider payloads, raw operation context, SQL errors, stack traces, and serialized jobs.
- [x] CHK015 Download is required to be signed and/or server-authorized and to re-resolve scope server-side.

## OperationRun, Audit, And Artifact Truth

- [x] CHK016 The preferred implementation creates or reuses an OperationRun for generation.
- [x] CHK017 The spec requires safe OperationRun outcomes for success, renderer failure, storage failure, and blocked source/readiness cases.
- [x] CHK018 Generation audit and download audit metadata are specified.
- [x] CHK019 Artifact truth is required to carry workspace, tenant scope, managed environment, source review/pack, profile, format, actor, generated time, and operation-run provenance.
- [x] CHK020 A new artifact entity is not approved; implementation must stop and update spec/plan if one is required.

## UI And Productization Coverage

- [x] CHK021 UI Surface Impact is marked as changed reachable surfaces, not `No UI surface impact`.
- [x] CHK022 The affected surfaces are bounded to existing rendered report, Environment Review/Review Pack owner actions, optional download route, and StoredReport only if reused.
- [x] CHK023 The plan defines deterministic UI coverage update rules for UI-099/UI-042/UI-048, route inventory, and design coverage artifacts.
- [x] CHK024 The generate action is classified as high-impact artifact creation, not destructive Microsoft-tenant mutation, and requires explicit confirmation.
- [x] CHK025 Filament v5 / Livewire v4 compliance, provider registration, global-search posture, action safety, asset strategy, and testing plan are called out for implementation close-out.

## Testing And Validation

- [x] CHK026 Unit tests are required for payload, readiness, disclosure, and renderer failure mapping.
- [x] CHK027 Feature tests are required for generation, storage, OperationRun, audit, authorization, and download.
- [x] CHK028 Filament/Livewire action tests are required for action visibility/disabled state on the chosen owner surface.
- [x] CHK029 Browser/content smoke is required for customer-facing PDF content and leakage boundaries.
- [x] CHK030 PostgreSQL lane is required if migrations/indexes/schema constraints are introduced.

## Review Outcome

- [x] CHK031 Review outcome class: `acceptable-special-case` for preparation, with renderer/package gate preserved for implementation.
- [x] CHK032 Workflow outcome: `keep` for the prepared scope, with follow-up specs separated.
- [x] CHK033 No application implementation was performed during preparation.