# Specification Quality Checklist: Stored Reports Surface v1

**Purpose**: Validate specification completeness, boundedness, and readiness before implementation
**Created**: 2026-05-06
**Feature**: [spec.md](../spec.md)

## Content Quality

- [x] The package stays on repo-real stored-report truth instead of inventing a report engine, analytics console, or generic artifact framework.
- [x] The spec remains product- and behavior-oriented rather than reading like a low-level code diff.
- [x] The package explicitly names the repo-real anchors it builds on: `StoredReport`, `ArtifactTruthPresenter`, `AdminRolesSummaryWidget`, `EntraAdminRolesReportService`, and `PermissionPostureFindingGenerator`.
- [x] Mandatory repo sections for scope, RBAC, shared-pattern reuse, testing, proportionality, and candidate rationale are completed.

## Requirement Completeness

- [x] No `[NEEDS CLARIFICATION]` markers remain.
- [x] Requirements are testable and bounded to one tenant register, one read-only detail surface, two supported report families, one new read capability, and current repo-real drilldown seams only.
- [x] The package explicitly forbids report generation, raw export, global search, cross-tenant browse, and lifecycle mutation.
- [x] The package keeps evidence snapshots, tenant reviews, review packs, and stored reports as separate artifacts.
- [x] Canonical proof commands match across `spec.md`, `plan.md`, `quickstart.md`, and `tasks.md`.

## Repo Truth Anchoring

- [x] The package reflects that `StoredReport` already exists and is tenant-owned with both `workspace_id` and `tenant_id`.
- [x] The package reflects that `ArtifactTruthPresenter::forStoredReport()` already provides current versus historical retained lifecycle truth.
- [x] The package reflects that `AdminRolesSummaryWidget` currently resolves report data but leaves `viewReportUrl` unset.
- [x] The package does not assume a broader existing Filament stored-report viewer than the repo currently shows.

## Feature Readiness

- [x] The package keeps Filament on Livewire v4, provider registration unchanged in `apps/platform/bootstrap/providers.php`, stored-report global search disabled, and assets unchanged.
- [x] The package keeps authorization tenant-scoped and family-aware, with non-members denied as `404` and in-scope capability denials as `403`.
- [x] The package introduces only one new bounded capability, `permission_posture.view`, rather than a generic reporting permission family.
- [x] V1 stays limited to the two supported report families, and any unexpected family remains outside browse and detail scope until a follow-up spec expands support.

## Test Governance

- [x] Planned proof stays bounded to focused `Feature` suites plus one updated widget test.
- [x] No new heavy-governance or browser family is introduced by default.
- [x] Fixture growth remains bounded to existing tenant, membership, and stored-report factory setup.
- [x] The review outcome, workflow outcome, and test-governance outcome are carried into `plan.md` and `tasks.md`.

## Notes

- Reviewed against `.specify/memory/constitution.md`, `docs/product/spec-candidates.md`, `docs/product/roadmap.md`, `specs/267-artifact-lifecycle-retention/spec.md`, and current stored-report, widget, evidence, and review code under `apps/platform` on 2026-05-06. `docs/product/implementation-ledger.md` was not used as candidate source-of-truth because the current section contains unresolved conflict markers.
- No application implementation was performed while preparing this package.

## Review Outcome

- **Outcome class**: `acceptable-special-case`
- **Workflow outcome**: `keep`
- **Test-governance outcome**: `keep`
- **Reason**: The package productizes one real operator gap on top of existing stored-report truth, stays read-only, and resists drift into generic reporting infrastructure.
- **Workflow result**: Ready for implementation.