# Requirements Checklist: Decision Register Evidence / OperationRun Link Polish **Purpose**: Validate Spec 307 preparation quality before runtime implementation. **Created**: 2026-05-15 **Feature**: `/specs/307-decision-register-evidence-operationrun-link-polish/spec.md` ## Candidate and Scope - [x] Candidate is selected from current product roadmap/spec-candidates and matches the user-provided full draft. - [x] Completed Spec 265 and Spec 306 are treated as context only and are not modified. - [x] Scope is narrow productization polish over the existing Decision Register, not a greenfield rebuild. - [x] Explicit non-goals block new decision persistence, workflow engine, lifecycle actions, evidence storage, Review Pack redesign, customer portal/export, notifications, provider changes, and broad navigation redesign. - [x] The proportionality review explains why derived link metadata is sufficient and why new persistence/abstractions are rejected. ## Requirements Quality - [x] Functional requirements are testable and avoid implementation-only wording where user behavior is the point. - [x] Evidence/report links are allowed only for repo-real references and existing canonical destinations. - [x] OperationRun links are allowed only for repo-real run references and existing link helpers. - [x] Missing proof/run states are truthful and non-alarming. - [x] No fake links may be inferred from labels, counts, statuses, loose text, or timestamps. - [x] No source-of-truth duplication is allowed for evidence payloads, stored report payloads, or OperationRun lifecycle truth. - [x] Existing row-to-FindingException detail handoff is preserved. - [x] Lifecycle action ownership remains on existing queue/detail surfaces. ## Security, Scope, and Authorization - [x] Workspace isolation is explicitly required and tested. - [x] Environment isolation is explicitly required and tested. - [x] Destination pages keep server-side authorization; UI visibility is not treated as authorization. - [x] Non-member/out-of-scope behavior remains deny-as-not-found where existing policy semantics require it. - [x] Member-without-capability destination behavior remains governed by existing policies. - [x] Legacy `/admin/t` URL generation is explicitly forbidden and tested. - [x] Canonical workspace/environment/admin routes are required. ## Filament and Laravel Compliance - [x] Filament v5 and Livewire v4.0+ compliance is stated. - [x] Provider registration location remains `apps/platform/bootstrap/providers.php`; no provider changes are planned. - [x] Relevant globally searchable resources are disabled for global search, so the Edit/View-page hard rule is not newly triggered. - [x] No destructive Decision Register actions are introduced; existing destructive-like detail actions keep confirmation and authorization. - [x] Asset strategy is asset-neutral unless implementation proves otherwise; `filament:assets` deploy impact is called out if assets are added. - [x] Native Filament UI patterns are required and ad-hoc styling is forbidden. ## Testing and Validation - [x] Builder unit tests cover proof count, missing proof, direct links where real, multiple-reference fallback, and missing OperationRun. - [x] Feature tests cover page rendering, missing copy, no legacy URLs, detail handoff, lifecycle action absence, and authorization. - [x] Isolation tests cover cross-workspace and cross-environment proof/run link denial. - [x] Artifact and OperationRun link guard lanes are included. - [x] FindingException lifecycle/audit lane is included to prove ownership is unchanged. - [x] `git diff --check` is included. - [x] Browser smoke is recommended and has concrete steps. ## Readiness Result - [x] No unresolved clarification markers are required for preparation. - [x] Requirements, plan, and tasks are mutually aligned. - [x] Runtime implementation can start from `tasks.md` after explicit approval. - [x] Preparation stops before application implementation.