# Requirements Checklist: Spec 412 - Pilot Readiness Remediation Pack

**Purpose**: Preparation readiness checklist for a bounded Spec 407 remediation package.
**Created**: 2026-06-24
**Feature**: `specs/412-pilot-readiness-remediation-pack/`

## Candidate Selection

- [x] The selected candidate was directly provided by the operator as the "Spec 408 - Pilot Readiness Remediation Pack" draft.
- [x] The package records the numbering deviation because branches 408 through 411 are already reserved by existing local/remote work.
- [x] `docs/product/spec-candidates.md` was reviewed and reports no safe automatic next-best-prep target.
- [x] `docs/product/roadmap.md` was reviewed and supports management-report/customer-facing hardening as a near-term manual follow-through area.
- [x] The selected candidate is not already present as `specs/412-pilot-readiness-remediation-pack/`.
- [x] Related completed and historical specs are read-only context.
- [x] The smallest viable slice is limited to four Spec 407 findings.
- [x] Close alternatives are deferred instead of hidden inside this package.
- [x] Candidate Selection Gate result: PASS WITH NUMBERING DEVIATION.

## Completed-Spec Guardrail

- [x] Spec 407 was checked as source context and not selected for rewrite.
- [x] Specs 400-406 are treated as completed/validated/implementation-history context where applicable.
- [x] No completed-spec close-out, validation results, completed task markers, smoke results, browser evidence, screenshots, or review language are removed or normalized.
- [x] Existing branch/spec number 408 belongs to unrelated public website work on another branch and is not overwritten.

## Spec Completeness

- [x] Problem statement is clear and product-oriented.
- [x] Business/product value is explicit.
- [x] Primary users/operators are named.
- [x] Scope fields cover routes/surfaces, ownership, RBAC, and leakage checks.
- [x] Functional requirements are testable.
- [x] Non-functional requirements cover security, reliability, auditability, performance, product safety, and test governance.
- [x] User stories include independent tests and acceptance criteria.
- [x] Edge cases are documented.
- [x] Out-of-scope boundaries forbid broad rewrites, new surfaces, new product concepts, and full browser audit.
- [x] Success criteria are measurable.
- [x] Assumptions, risks, and open questions are explicit.

## Constitution / Spec Gate

- [x] Spec Candidate Check is filled out.
- [x] Approval class is exactly one class: Core Enterprise.
- [x] Score is recorded and above the minimum threshold.
- [x] Proportionality Review is completed.
- [x] No new persisted entity, table, enum, status family, abstraction, taxonomy, or UI framework is approved.
- [x] The plan reuses existing report/PDF, OperationRun, RBAC, Filament, and provider/finding surfaces.
- [x] Runtime implementation must stop if broader architecture or product decisions are required.

## Product Surface Contract

- [x] `docs/product/standards/product-surface-contract.md` is referenced.
- [x] No-legacy posture is recorded.
- [x] UI Surface Impact is concrete and does not claim no-impact.
- [x] Product Surface Impact is completed for review/report, operations, finding, and provider no-access surfaces.
- [x] Page archetypes, surface budgets, Technical Annex/deep-link demotion, and canonical vocabulary are recorded.
- [x] UI Action Matrix is recorded for the changed operator-facing surfaces.
- [x] Browser proof is required for rendered UI changes.
- [x] Human Product Sanity is required.
- [x] Product Surface exceptions are `none` for preparation.
- [x] Implementation report close-out fields are required.

## Plan Completeness

- [x] Plan identifies PHP/Laravel/Filament/Livewire/Pest/PostgreSQL/Sail context.
- [x] Plan names likely affected existing runtime surfaces without making code changes.
- [x] Plan distinguishes remediation from broad audit or architecture rewrite.
- [x] Plan includes UI/Product Surface, Filament/Livewire/deployment, RBAC, audit, evidence/result truth, OperationRun, provider boundary, and test-governance posture.
- [x] Plan defines implementation phases, output strategy, stop conditions, and risk controls.
- [x] Plan does not contradict repository architecture or current code truth.

## Task Completeness

- [x] Tasks are ordered by safety/inventory, reproduction, tests, implementation, browser proof, and close-out.
- [x] Tasks are small and verifiable.
- [x] Tasks include dirty-state checks before/after.
- [x] Tasks include reproduction/validation of each Spec 407 finding before fixing.
- [x] Tasks include targeted tests for report/PDF, operations, finding detail, and provider no-access behavior.
- [x] Tasks include authenticated-provider-denial coverage so no-access clarity is measurable.
- [x] Tasks include focused browser proof and explicitly forbid claiming a full browser audit.
- [x] Tasks include Product Surface and Filament output-contract close-out fields.
- [x] Tasks include explicit non-goals and stop conditions.

## Open Questions / Readiness

- [x] No open product question blocks starting implementation.
- [x] Any non-reproducible finding must be documented during implementation rather than silently marked fixed.
- [x] Required final report matrices are named.
- [x] Spec Readiness Gate result: PASS.

## Review Outcome

- [x] Review outcome class: `acceptable-special-case` for a focused pilot-readiness remediation pack after a broad browser audit.
- [x] Workflow outcome: `keep`.
- [x] Final note location: `specs/412-pilot-readiness-remediation-pack/implementation-report.md` during implementation.
- [x] No application implementation was performed during preparation.