TenantAtlas/specs/372-customer-auditor-surface-safety-pass/artifacts/customer-surface-contracts.md
ahmido 22214f22d6 feat(ui): implement customer auditor surface safety pass (#443)
Applied customer/auditor safety layout changes to CustomerReviewWorkspace, EnvironmentReviewResource, EvidenceSnapshotResource, ReviewPackResource, and StoredReportResource as per Spec 372.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #443
2026-06-12 15:51:30 +00:00

Customer Surface Contracts

Status: implemented and browser-verified.

Customer Review Workspace

| Field | Contract |
| --- | --- |
| Page | Customer Review Workspace |
| Primary audience | customer, auditor, operator-as-facilitator |
| Primary question | What needs customer decision, and what is ready to review? |
| Implemented first viewport | Review output state, reason/impact, latest released review, one primary action, subordinate supporting actions, limitations, acknowledgement, findings, and evidence/review-pack side proof. |
| Allowed default content | Customer-safe outcome, evidence snapshot, review pack state, decision trail, accepted-risk summary, limitations, visible environment filter. |
| Collapsed/hidden content | Technical details, diagnostics, raw/support detail, and operation proof. |
| Primary action | State-specific customer-safe action such as open review or download qualified review pack. |
| Secondary actions | Supporting download/evidence links only when URL/action is available. |
| Evidence access | Evidence snapshot, review pack, and decision trail remain clear in the side panel. |
| Diagnostics access | Collapsed diagnostics panel. |
| Customer-safety notes | Default path no longer exposes Operation proof or operation initiator. |

Environment Review View

| Field | Contract |
| --- | --- |
| Page | Environment Review View |
| Primary audience | customer, auditor, operator-as-facilitator |
| Primary question | What is the review outcome, and what proof/limitations support it? |
| Implemented first viewport | Outcome summary, output guidance, executive posture, evidence basis, then collapsed technical details. |
| Allowed default content | Outcome, output readiness, publication/sharing boundary, review summary, tenant/generated/published dates, evidence snapshot completeness, and current export state. |
| Collapsed/hidden content | Review status/completeness/fingerprint and deeper section payload details. |
| Primary action | Existing header actions remain source-owned; rendered-report handoff remains the current ready-pack detail action. |
| Secondary actions | Evidence and review-pack links inside evidence basis. |
| Evidence access | Evidence snapshot and current export links stay visible before technical details. |
| Diagnostics access | Technical details and section details are collapsed. |
| Customer-safety notes | No review lifecycle, accepted-risk, evidence, generation, or action runtime changes. |

Review Pack View

| Field | Contract |
| --- | --- |
| Page | Review Pack View |
| Primary audience | customer, auditor, operator |
| Primary question | Is this review pack ready, and what does it include? |
| Implemented first viewport | Outcome summary, output guidance, pack readiness and contents, then collapsed technical pack details. |
| Allowed default content | Pack readiness, environment, generated/expires, download size, finding/report counts, evidence resolution, evidence basis, and released review. |
| Collapsed/hidden content | Options, initiator, customer-workspace link, review status, OperationRun link, operation count, freshness, SHA/fingerprints, and creation timestamp. |
| Primary action | Existing rendered-report/download actions remain in the page header when available. |
| Secondary actions | Evidence and released-review links. |
| Evidence access | Evidence basis and released review links stay visible before technical metadata. |
| Diagnostics access | Collapsed technical pack details; hidden entirely in customer-workspace flow. |
| Customer-safety notes | No generator, renderer, disclosure-policy, or download authorization changes. |

Stored Report View

| Field | Contract |
| --- | --- |
| Page | Stored Report View |
| Primary audience | auditor, customer, operator |
| Primary question | What report is this, what is its scope/readiness, and what summary matters? |
| Implemented first viewport | Outcome summary, report scope/readiness, report-specific summary, technical report details collapsed, raw payload collapsed. |
| Allowed default content | Report type, environment, measured time, lifecycle, retention, and permission/role summary. |
| Collapsed/hidden content | Artifact reference, source family/kind/target, control/detector/provider keys, integrity anchors, previous fingerprint, and raw payload. |
| Primary action | Existing read-only current-report navigation remains capability-gated. |
| Secondary actions | None added. |
| Evidence access | Report summary remains readable before raw/source internals. |
| Diagnostics access | Technical report details and raw payload are collapsed. |
| Customer-safety notes | Report is framed as an output artifact, not a storage object. |

Evidence Snapshot View

| Field | Contract |
| --- | --- |
| Page | Evidence Snapshot View |
| Primary audience | auditor, customer, operator |
| Primary question | What evidence was captured, and what review/report context does it support? |
| Implemented first viewport | Outcome summary, evidence basis/readiness, coverage summary, related review/report context, then collapsed technical evidence details. |
| Allowed default content | Evidence state, completeness, environment, captured/expires dates, finding/report/missing/stale counts, review-pack link, customer-workspace link, evidence dimensions with summary. |
| Collapsed/hidden content | OperationRun link, fingerprints, operation count, source descriptors, provider source detail, and raw summary JSON. |
| Primary action | Existing refresh evidence / expire snapshot header actions preserved. |
| Secondary actions | Review pack and customer workspace related-context links. |
| Evidence access | Evidence dimensions are readable before technical per-dimension metadata. |
| Diagnostics access | Technical evidence and technical dimension details are collapsed. |
| Customer-safety notes | Evidence Snapshot was reachable in Spec 372 browser smoke; operation-run related context was removed. |
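
One way to regression-test the "Collapsed/hidden content" rows against rendered HTML, shown for the Review Pack View contract; this is an added example, not TenantAtlas code. It assumes technical details are rendered inside native `<details>` elements, and the search terms, function names and sample markup are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed search terms for the contract's "Collapsed/hidden content" row.
RESTRICTED = ["initiator", "operationrun", "operation count",
              "freshness", "sha", "fingerprint"]

class SurfaceScan(HTMLParser):
    """Split page text into default-visible and collapsed buckets."""
    def __init__(self):
        super().__init__()
        self.details = []        # one flag per enclosing <details>: True = collapsed
        self.in_summary = False
        self.visible, self.collapsed = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "details":
            self.details.append("open" not in dict(attrs))
        elif tag == "summary":
            self.in_summary = True

    def handle_endtag(self, tag):
        if tag == "details" and self.details:
            self.details.pop()
        elif tag == "summary":
            self.in_summary = False

    def handle_data(self, data):
        text = data.strip()
        if not text:
            return
        # A <summary> is shown even while its own <details> is collapsed.
        enclosing = self.details[:-1] if self.in_summary else self.details
        (self.collapsed if any(enclosing) else self.visible).append(text)

def check_surface(html, restricted=RESTRICTED, customer_flow=False):
    """Return the restricted terms a reader sees without expanding anything."""
    scan = SurfaceScan()
    scan.feed(html)
    scan.close()
    # Customer-workspace flow: technical details must be absent, not just collapsed.
    exposed = scan.visible + (scan.collapsed if customer_flow else [])
    return sorted({t for t in restricted for s in exposed if t in s.lower()})

# Constructed sample markup, not taken from the application.
SAMPLE = """
<section><h2>Pack readiness</h2><p>Ready, download size 2.1 MB</p></section>
<details><summary>Technical pack details</summary>
  <dl><dt>Initiator</dt><dd>operator@example.test</dd>
      <dt>SHA-256</dt><dd>placeholder</dd></dl>
</details>
"""
```

The scan does not model the `hidden` attribute or CSS-based hiding, so a browser check is still needed for markup that collapses content by other means. The same function covers the other four contracts by passing a different term list.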