ahmido
714b910734
## Summary - add a dedicated public trust, privacy, and security surface for DACH evaluation - expand homepage trust discoverability and localized trust handoff copy - add and update smoke coverage plus Spec Kit artifacts for feature 405 ## Validation - corepack pnpm --dir apps/website build - WEBSITE_PORT=4322 corepack pnpm exec playwright test tests/smoke/public-routes.spec.ts tests/smoke/interaction.spec.ts Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #400
236 lines
18 KiB
Markdown
236 lines
18 KiB
Markdown
# Tasks: DACH Trust, Datenschutz & Security Website Surface
|
|
|
|
**Input**: Design documents from `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/`
|
|
**Prerequisites**: `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/plan.md`, `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/spec.md`, `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/research.md`, `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/data-model.md`, `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/contracts/public-trust-routes.openapi.yaml`
|
|
|
|
**Tests**: Browser/static website validation is required for this feature. Use the existing Astro build and Playwright smoke suite in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/`.
|
|
|
|
**Scope**: Implement Spec 405 in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/` only. Do not edit `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/`, root workspace contracts, dependencies, or generated build artifacts unless the verified workflow requires rerendered output.
|
|
|
|
## Phase 1: Setup (Project Initialization)
|
|
|
|
**Purpose**: Confirm the active website contracts, route mirrors, and validation surface before implementation starts.
|
|
|
|
- [X] T001 [P] Verify workspace website contracts in `/Users/ahmeddarrazi/Documents/projects/wt-website/package.json`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/package.json`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/playwright.config.ts`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/i18n.ts`
|
|
- [X] T002 [P] Audit current trust and homepage content seams in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro`
|
|
- [X] T003 [P] Audit current browser validation coverage in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts`
|
|
|
|
---
|
|
|
|
## Phase 2: Foundational (Blocking Prerequisites)
|
|
|
|
**Purpose**: Establish the shared trust data structure and page/test scaffolding that all user stories depend on.
|
|
|
|
**⚠️ CRITICAL**: No user story work should start until this phase is complete.
|
|
|
|
- [X] T004 Refactor the shared trust data shape for both locales in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` to support claim statuses, trust topics, data categories, permission posture, and real handoff CTA data
|
|
- [X] T005 Update `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` to consume the new shared trust data shape and reserve section slots for all required trust topics
|
|
- [X] T006 [P] Extend reusable trust-claim and real-handoff assertions in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts` for both German and English trust-route coverage
|
|
|
|
**Checkpoint**: Shared trust data, page scaffolding, and reusable smoke helpers are ready.
|
|
|
|
---
|
|
|
|
## Phase 3: User Story 1 - DACH Evaluator Reviews Trust Posture (Priority: P1) 🎯 MVP
|
|
|
|
**Goal**: Deliver the core trust page so a DACH evaluator can understand the main trust posture without unsupported legal or certification claims.
|
|
|
|
**Independent Test**: Open `/trust` and `/en/trust`; confirm the page shows the trust hero, trust principles, hosting posture, privacy posture, auditability, retention/export/deletion/support posture, claim-safe localized metadata, and primary trust copy that remains visible with JavaScript disabled.
|
|
|
|
### Tests for User Story 1
|
|
|
|
- [X] T007 [US1] Add failing core trust-route coverage for evaluator-facing sections and conservative metadata in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts`
|
|
- [X] T008 [P] [US1] Add failing desktop/mobile and no-JavaScript trust-route readability checks in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts`
|
|
|
|
### Implementation for User Story 1
|
|
|
|
- [X] T009 [US1] Populate localized core evaluator-facing trust copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`
|
|
- [X] T010 [US1] Implement the trust hero, trust principles, hosting/privacy posture, auditability, and retention/export/deletion/support summary sections in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro`
|
|
- [X] T011 [US1] Align `/trust` and `/en/trust` page-title and meta-description strings in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`
|
|
|
|
**Checkpoint**: User Story 1 is independently functional and can be validated from the trust route alone.
|
|
|
|
---
|
|
|
|
## Phase 4: User Story 2 - Procurement Or Privacy Reviewer Requests Documents Safely (Priority: P1)
|
|
|
|
**Goal**: Show document readiness and request-safe handoff so procurement and privacy reviewers can evaluate AVV/DPA, TOM, subprocessors, and security follow-up without fake downloads or dead links.
|
|
|
|
**Independent Test**: Open `/trust`; confirm AVV/DPA, TOM, subprocessors, support access, and security-contact topics show explicit status language and only real request destinations.
|
|
|
|
### Tests for User Story 2
|
|
|
|
- [X] T012 [US2] Add failing document-readiness, status-language, and trust-request CTA assertions in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts`
|
|
- [X] T013 [P] [US2] Add failing fake-download and placeholder-request-link coverage in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts`
|
|
|
|
### Implementation for User Story 2
|
|
|
|
- [X] T014 [US2] Add localized AVV/DPA, TOM, subprocessor, support-access, and security-contact readiness copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`
|
|
- [X] T015 [US2] Render document-readiness status sections and real request handoffs in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro`
|
|
- [X] T016 [US2] Preserve the existing trust-request handoff through real contact destinations in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`
|
|
|
|
**Checkpoint**: User Story 2 is independently functional and document-readiness review can proceed without hidden dependencies on other stories.
|
|
|
|
---
|
|
|
|
## Phase 5: User Story 3 - Technical Reviewer Understands Data And Permission Boundaries (Priority: P2)
|
|
|
|
**Goal**: Explain data categories, what Tenantial does not aim to store unnecessarily, and provider-permission posture with clear read/write and least-privilege distinctions.
|
|
|
|
**Independent Test**: Open `/trust`; confirm the data-category, provider-permission, RBAC/least-privilege, and encryption/secrets sections make the governance/evidence boundaries and read/write distinction understandable in one pass.
|
|
|
|
### Tests for User Story 3
|
|
|
|
- [X] T017 [US3] Add failing data-category, provider-permission, RBAC/least-privilege, and encryption/secrets expectations in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts`
|
|
- [X] T018 [P] [US3] Add failing overclaim coverage for provider support and data-minimization wording in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts`
|
|
|
|
### Implementation for User Story 3
|
|
|
|
- [X] T019 [US3] Add localized data-category and productive-content-avoidance copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`
|
|
- [X] T020 [US3] Add localized provider-permission, read/write, RBAC/least-privilege, and encryption/secrets posture copy in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`
|
|
- [X] T021 [US3] Render the data-category, provider-permission, RBAC/least-privilege, encryption/secrets, and claim-status-legend sections in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro`
|
|
|
|
**Checkpoint**: User Story 3 is independently functional and technical reviewers can assess data and permission boundaries without stale implementation detail.
|
|
|
|
---
|
|
|
|
## Phase 6: User Story 4 - Public Visitor Can Reach The Trust Surface Easily (Priority: P3)
|
|
|
|
**Goal**: Make the trust surface easy to discover from homepage, footer, and navigation without duplicating the full trust content outside the canonical route.
|
|
|
|
**Independent Test**: Visit the homepage on desktop and mobile, open the navigation/footer links, and confirm the trust page is reachable in one click with localized destinations for both route families.
|
|
|
|
### Tests for User Story 4
|
|
|
|
- [X] T022 [US4] Add failing homepage, footer, and localized trust-link discoverability assertions in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts`
|
|
- [X] T023 [P] [US4] Add failing mobile-navigation and keyboard-flow trust-link coverage in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts`
|
|
|
|
### Implementation for User Story 4
|
|
|
|
- [X] T024 [US4] Update localized homepage trust-teaser copy and CTA targets in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`
|
|
- [X] T025 [US4] Update trust-teaser rendering and canonical trust-route linkage in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro`
|
|
- [X] T026 [US4] Preserve localized trust discoverability for navigation and footer entries in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`
|
|
|
|
**Checkpoint**: User Story 4 is independently functional and trust discoverability works across homepage, footer, and navigation.
|
|
|
|
---
|
|
|
|
## Phase 7: Polish & Cross-Cutting Concerns
|
|
|
|
**Purpose**: Final validation, scope protection, and cross-story consistency checks.
|
|
|
|
- [X] T027 [P] Run the forbidden-claim and placeholder-link scan from `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/quickstart.md` against `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/public`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/dist`
|
|
- [X] T028 Run `corepack pnpm build:website` and `corepack pnpm --filter @tenantatlas/website test` using `/Users/ahmeddarrazi/Documents/projects/wt-website/package.json`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/package.json`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/playwright.config.ts`
|
|
- [X] T029 Review final localized trust and homepage copy for unsupported hard claims, route parity, and duplicate-truth drift in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts`, `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro`, and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro`, and record the exact text, verification source, and publication rationale in PR notes for any retained hard trust claim
|
|
- [X] T030 Run the final scope and diff check from `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/quickstart.md` against `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/`, and record any required follow-up spec IDs for deferred permission docs, procurement workflows, or automated claim-guardrail work
|
|
|
|
---
|
|
|
|
## Dependencies & Execution Order
|
|
|
|
### Phase Dependencies
|
|
|
|
- **Phase 1: Setup**: No dependencies, can start immediately.
|
|
- **Phase 2: Foundational**: Depends on Phase 1 completion and blocks all user stories.
|
|
- **Phase 3: User Story 1**: Depends on Phase 2 completion.
|
|
- **Phase 4: User Story 2**: Depends on Phase 2 completion; lowest merge friction comes after US1 because it extends the same trust page.
|
|
- **Phase 5: User Story 3**: Depends on Phase 2 completion; lowest merge friction comes after US1 because it extends the same trust page.
|
|
- **Phase 6: User Story 4**: Depends on Phase 2 completion and should land after the trust-page content stories so homepage discoverability points to the finished surface.
|
|
- **Phase 7: Polish**: Depends on all desired user stories being complete.
|
|
|
|
### User Story Dependencies
|
|
|
|
- **US1 (P1)**: No dependency on other stories after the foundational phase.
|
|
- **US2 (P1)**: Independent from US3, but shares `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` with other trust-page stories.
|
|
- **US3 (P2)**: Independent from US2, but shares the same trust-page files and should be coordinated accordingly.
|
|
- **US4 (P3)**: Independent in outcome terms, but depends on the canonical trust content being in place to avoid duplicating unfinished messaging.
|
|
|
|
### Within Each User Story
|
|
|
|
- Tests should be written first and should fail before implementation is considered complete.
|
|
- Shared localized copy changes in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` should land before Astro rendering tasks that consume them.
|
|
- Trust-page rendering changes in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` should land before final smoke validation.
|
|
- Homepage discoverability changes in `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/HomePage.astro` should land before keyboard/mobile discoverability validation closes.
|
|
|
|
### Parallel Opportunities
|
|
|
|
- Setup audit tasks `T001`-`T003` can run in parallel.
|
|
- Foundational helper work `T006` can run in parallel once `T004` and `T005` have clarified the shared shape.
|
|
- In each user story, the two test tasks can run in parallel because they touch different test files.
|
|
- `US2` and `US3` can be worked in parallel by different people only if edits to `site-copy.ts` and `TrustPage.astro` are coordinated carefully.
|
|
- Polish tasks `T027` and `T029` can run in parallel after implementation is complete.
|
|
|
|
---
|
|
|
|
## Parallel Example: User Story 1
|
|
|
|
```bash
|
|
# Run the story-specific browser checks in parallel:
|
|
Task: "T007 Add failing core trust-route coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts"
|
|
Task: "T008 Add failing desktop/mobile and no-JavaScript trust-route readability checks in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts"
|
|
```
|
|
|
|
## Parallel Example: User Story 2
|
|
|
|
```bash
|
|
# Prepare document-readiness browser checks in parallel:
|
|
Task: "T012 Add failing document-readiness assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts"
|
|
Task: "T013 Add failing fake-download coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts"
|
|
```
|
|
|
|
## Parallel Example: User Story 3
|
|
|
|
```bash
|
|
# Prepare technical-review trust checks in parallel:
|
|
Task: "T017 Add failing data-category, provider-permission, RBAC/least-privilege, and encryption/secrets expectations in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts"
|
|
Task: "T018 Add failing provider-overclaim coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/smoke-helpers.ts"
|
|
```
|
|
|
|
## Parallel Example: User Story 4
|
|
|
|
```bash
|
|
# Prepare discoverability checks in parallel:
|
|
Task: "T022 Add failing homepage/footer trust-link assertions in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/public-routes.spec.ts"
|
|
Task: "T023 Add failing mobile-navigation and keyboard-flow trust-link coverage in /Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/tests/smoke/interaction.spec.ts"
|
|
```
|
|
|
|
---
|
|
|
|
## Implementation Strategy
|
|
|
|
### MVP First (User Story 1 Only)
|
|
|
|
1. Complete Phase 1: Setup.
|
|
2. Complete Phase 2: Foundational.
|
|
3. Complete Phase 3: User Story 1.
|
|
4. Stop and validate `/trust` and `/en/trust` independently.
|
|
5. Demo or review the core trust surface before adding request/readiness and technical-detail sections.
|
|
|
|
### Incremental Delivery
|
|
|
|
1. Finish Setup + Foundational to stabilize the trust data model and page scaffolding.
|
|
2. Deliver US1 for core evaluator-facing trust posture.
|
|
3. Add US2 for document readiness and safe request handoff.
|
|
4. Add US3 for technical reviewer depth on data and permissions.
|
|
5. Add US4 for homepage/footer/navigation discoverability.
|
|
6. Finish with Phase 7 validation and scope checks.
|
|
|
|
### Parallel Team Strategy
|
|
|
|
1. One person completes Phase 1 and Phase 2.
|
|
2. After foundational work:
|
|
- Person A: US1 and US4 flow/discoverability tasks
|
|
- Person B: US2 document-readiness tasks
|
|
- Person C: US3 technical-detail tasks
|
|
3. Coordinate merges to `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/data_files/site-copy.ts` and `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/website/src/components/pages/TrustPage.astro` because they are shared hotspots.
|
|
|
|
---
|
|
|
|
## Notes
|
|
|
|
- [P] tasks touch different files and can be executed in parallel.
|
|
- `[US1]`-`[US4]` labels map directly to the user stories in `/Users/ahmeddarrazi/Documents/projects/wt-website/specs/405-dach-trust-datenschutz-security-website-surface/spec.md`.
|
|
- Every task includes an exact file path and is scoped tightly enough for direct execution.
|
|
- Browser tests are required because this feature changes rendered public routes and localized metadata.
|
|
- `/Users/ahmeddarrazi/Documents/projects/wt-website/apps/platform/` remains out of scope for every phase.
|