## Summary
- add a dedicated public trust, privacy, and security surface for DACH evaluation
- expand homepage trust discoverability and localized trust handoff copy
- add and update smoke coverage plus Spec Kit artifacts for feature 405

## Validation
- corepack pnpm --dir apps/website build
- WEBSITE_PORT=4322 corepack pnpm exec playwright test tests/smoke/public-routes.spec.ts tests/smoke/interaction.spec.ts

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #400
Tasks: DACH Trust, Datenschutz & Security Website Surface
Input: Design documents from /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/
Prerequisites: /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/plan.md, /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/spec.md, /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/research.md, /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/data-model.md, /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/contracts/public-trust-routes.openapi.yaml
Tests: Browser/static website validation is required for this feature. Use the existing Astro build and Playwright smoke suite in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/.
Scope: Implement Spec 405 in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/ only. Do not edit /Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/, root workspace contracts, dependencies, or generated build artifacts unless the verified workflow requires rerendered output.
Phase 1: Setup (Project Initialization)
Purpose: Confirm the active website contracts, route mirrors, and validation surface before implementation starts.
- T001 [P] Verify workspace website contracts in /Users/ahmeddarrazi/Documents/projects/wt-website/package.json, /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/package.json, /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/playwright.config.ts, and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/i18n.ts
- T002 [P] Audit current trust and homepage content seams in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts, /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro, and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro
- T003 [P] Audit current browser validation coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts, /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts, and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts
Phase 2: Foundational (Blocking Prerequisites)
Purpose: Establish the shared trust data structure and page/test scaffolding that all user stories depend on.
⚠️ CRITICAL: No user story work should start until this phase is complete.
- T004 Refactor the shared trust data shape for both locales in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts to support claim statuses, trust topics, data categories, permission posture, and real handoff CTA data
- T005 Update /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro to consume the new shared trust data shape and reserve section slots for all required trust topics
- T006 [P] Extend reusable trust-claim and real-handoff assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts for both German and English trust-route coverage
Checkpoint: Shared trust data, page scaffolding, and reusable smoke helpers are ready.
Phase 3: User Story 1 - DACH Evaluator Reviews Trust Posture (Priority: P1) 🎯 MVP
Goal: Deliver the core trust page so a DACH evaluator can understand the main trust posture without unsupported legal or certification claims.
Independent Test: Open /trust and /en/trust; confirm the page shows the trust hero, trust principles, hosting posture, privacy posture, auditability, retention/export/deletion/support posture, claim-safe localized metadata, and primary trust copy that remains visible with JavaScript disabled.
Tests for User Story 1
- T007 [US1] Add failing core trust-route coverage for evaluator-facing sections and conservative metadata in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts
- T008 [P] [US1] Add failing desktop/mobile and no-JavaScript trust-route readability checks in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts
Implementation for User Story 1
- T009 [US1] Populate localized core evaluator-facing trust copy in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
- T010 [US1] Implement the trust hero, trust principles, hosting/privacy posture, auditability, and retention/export/deletion/support summary sections in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro
- T011 [US1] Align /trust and /en/trust page-title and meta-description strings in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
Checkpoint: User Story 1 is independently functional and can be validated from the trust route alone.
Phase 4: User Story 2 - Procurement Or Privacy Reviewer Requests Documents Safely (Priority: P1)
Goal: Show document readiness and request-safe handoff so procurement and privacy reviewers can evaluate AVV/DPA, TOM, subprocessors, and security follow-up without fake downloads or dead links.
Independent Test: Open /trust; confirm AVV/DPA, TOM, subprocessors, support access, and security-contact topics show explicit status language and only real request destinations.
Tests for User Story 2
- T012 [US2] Add failing document-readiness, status-language, and trust-request CTA assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts
- T013 [P] [US2] Add failing fake-download and placeholder-request-link coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts
Implementation for User Story 2
- T014 [US2] Add localized AVV/DPA, TOM, subprocessor, support-access, and security-contact readiness copy in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
- T015 [US2] Render document-readiness status sections and real request handoffs in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro
- T016 [US2] Preserve the existing trust-request handoff through real contact destinations in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
Checkpoint: User Story 2 is independently functional and document-readiness review can proceed without hidden dependencies on other stories.
Phase 5: User Story 3 - Technical Reviewer Understands Data And Permission Boundaries (Priority: P2)
Goal: Explain data categories, what Tenantial does not aim to store unnecessarily, and provider-permission posture with clear read/write and least-privilege distinctions.
Independent Test: Open /trust; confirm the data-category, provider-permission, RBAC/least-privilege, and encryption/secrets sections make the governance/evidence boundaries and read/write distinction understandable in one pass.
Tests for User Story 3
- T017 [US3] Add failing data-category, provider-permission, RBAC/least-privilege, and encryption/secrets expectations in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts
- T018 [P] [US3] Add failing overclaim coverage for provider support and data-minimization wording in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts
Implementation for User Story 3
- T019 [US3] Add localized data-category and productive-content-avoidance copy in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
- T020 [US3] Add localized provider-permission, read/write, RBAC/least-privilege, and encryption/secrets posture copy in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
- T021 [US3] Render the data-category, provider-permission, RBAC/least-privilege, encryption/secrets, and claim-status-legend sections in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro
Checkpoint: User Story 3 is independently functional and technical reviewers can assess data and permission boundaries without stale implementation detail.
Phase 6: User Story 4 - Public Visitor Can Reach The Trust Surface Easily (Priority: P3)
Goal: Make the trust surface easy to discover from homepage, footer, and navigation without duplicating the full trust content outside the canonical route.
Independent Test: Visit the homepage on desktop and mobile, open the navigation/footer links, and confirm the trust page is reachable in one click with localized destinations for both route families.
Tests for User Story 4
- T022 [US4] Add failing homepage, footer, and localized trust-link discoverability assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts
- T023 [P] [US4] Add failing mobile-navigation and keyboard-flow trust-link coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts
Implementation for User Story 4
- T024 [US4] Update localized homepage trust-teaser copy and CTA targets in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
- T025 [US4] Update trust-teaser rendering and canonical trust-route linkage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro
- T026 [US4] Preserve localized trust discoverability for navigation and footer entries in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts
Checkpoint: User Story 4 is independently functional and trust discoverability works across homepage, footer, and navigation.
Phase 7: Polish & Cross-Cutting Concerns
Purpose: Final validation, scope protection, and cross-story consistency checks.
- T027 [P] Run the forbidden-claim and placeholder-link scan from /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/quickstart.md against /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src, /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/public, and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/dist
- T028 Run corepack pnpm build:website and corepack pnpm --filter @tenantatlas/website test using /Users/ahmeddarrazi/Documents/projects/wt-website/package.json, /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/package.json, and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/playwright.config.ts
- T029 Review final localized trust and homepage copy for unsupported hard claims, route parity, and duplicate-truth drift in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts, /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro, and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro, and record the exact text, verification source, and publication rationale in PR notes for any retained hard trust claim
- T030 Run the final scope and diff check from /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/quickstart.md against /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/ and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/, and record any required follow-up spec IDs for deferred permission docs, procurement workflows, or automated claim-guardrail work
Dependencies & Execution Order
Phase Dependencies
- Phase 1: Setup: No dependencies, can start immediately.
- Phase 2: Foundational: Depends on Phase 1 completion and blocks all user stories.
- Phase 3: User Story 1: Depends on Phase 2 completion.
- Phase 4: User Story 2: Depends on Phase 2 completion; lowest merge friction comes after US1 because it extends the same trust page.
- Phase 5: User Story 3: Depends on Phase 2 completion; lowest merge friction comes after US1 because it extends the same trust page.
- Phase 6: User Story 4: Depends on Phase 2 completion and should land after the trust-page content stories so homepage discoverability points to the finished surface.
- Phase 7: Polish: Depends on all desired user stories being complete.
User Story Dependencies
- US1 (P1): No dependency on other stories after the foundational phase.
- US2 (P1): Independent from US3, but shares /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro with other trust-page stories.
- US3 (P2): Independent from US2, but shares the same trust-page files and should be coordinated accordingly.
- US4 (P3): Independent in outcome terms, but depends on the canonical trust content being in place to avoid duplicating unfinished messaging.
Within Each User Story
- Tests should be written first and should fail before implementation is considered complete.
- Shared localized copy changes in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts should land before Astro rendering tasks that consume them.
- Trust-page rendering changes in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro should land before final smoke validation.
- Homepage discoverability changes in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro should land before keyboard/mobile discoverability validation closes.
Parallel Opportunities
- Setup audit tasks T001-T003 can run in parallel.
- Foundational helper work T006 can run in parallel once T004 and T005 have clarified the shared shape.
- In each user story, the two test tasks can run in parallel because they touch different test files.
- US2 and US3 can be worked in parallel by different people only if edits to site-copy.ts and TrustPage.astro are coordinated carefully.
- Polish tasks T027 and T029 can run in parallel after implementation is complete.
Parallel Example: User Story 1
# Run the story-specific browser checks in parallel:
Task: "T007 Add failing core trust-route coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts"
Task: "T008 Add failing desktop/mobile and no-JavaScript trust-route readability checks in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts"
Parallel Example: User Story 2
# Prepare document-readiness browser checks in parallel:
Task: "T012 Add failing document-readiness assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts"
Task: "T013 Add failing fake-download coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts"
Parallel Example: User Story 3
# Prepare technical-review trust checks in parallel:
Task: "T017 Add failing data-category, provider-permission, RBAC/least-privilege, and encryption/secrets expectations in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts"
Task: "T018 Add failing provider-overclaim coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts"
Parallel Example: User Story 4
# Prepare discoverability checks in parallel:
Task: "T022 Add failing homepage/footer trust-link assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts"
Task: "T023 Add failing mobile-navigation and keyboard-flow trust-link coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts"
Implementation Strategy
MVP First (User Story 1 Only)
- Complete Phase 1: Setup.
- Complete Phase 2: Foundational.
- Complete Phase 3: User Story 1.
- Stop and validate /trust and /en/trust independently.
- Demo or review the core trust surface before adding request/readiness and technical-detail sections.
Incremental Delivery
- Finish Setup + Foundational to stabilize the trust data model and page scaffolding.
- Deliver US1 for core evaluator-facing trust posture.
- Add US2 for document readiness and safe request handoff.
- Add US3 for technical reviewer depth on data and permissions.
- Add US4 for homepage/footer/navigation discoverability.
- Finish with Phase 7 validation and scope checks.
Parallel Team Strategy
- One person completes Phase 1 and Phase 2.
- After foundational work:
  - Person A: US1 and US4 flow/discoverability tasks
  - Person B: US2 document-readiness tasks
  - Person C: US3 technical-detail tasks
- Coordinate merges to /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts and /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro because they are shared hotspots.
Notes
- [P] tasks touch different files and can be executed in parallel.
- [US1]-[US4] labels map directly to the user stories in /Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/spec.md.
- Every task includes an exact file path and is scoped tightly enough for direct execution.
- Browser tests are required because this feature changes rendered public routes and localized metadata.
- /Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/ remains out of scope for every phase.