TenantAtlas/.agent/skills/repo-contracts/customer-output-gate/SKILL.md
ahmido 332f6325cb feat: add tenantpilot agent skill layer v1 (#483)
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #483
2026-06-25 23:03:47 +00:00

name: tenantpilot-customer-output-gate
description: Hard-gate customer-safe output, review/report downloads, and customer/auditor visibility boundaries.

Purpose

Use this skill to prevent internal evidence, permissions, OperationRun details, raw payloads, and technical diagnostics from being exposed as customer-safe output or product-default proof.

Activate When

  • Touching review packs, environment reviews, stored reports, rendered reports, management PDFs, customer review workspace, customer/auditor routes, report downloads, or review publication.
  • Adding output labels such as customer-safe, ready, blocked, publishable, downloadable, complete, or current.
  • Changing controller-backed downloads, signed links, streamed reports, or internal preview paths.

Do Not Activate When

  • The task has no customer/auditor output, report, download, review, or rendered product proof behavior.
  • The task is an internal-only docs/tooling change and cannot alter runtime output.

Maturity

L4 hard gate.

Gate Type

hard-gate.

Source Evidence

  • docs/product/standards/product-surface-contract.md
  • docs/security-guidelines.md
  • specs/400-product-contract-spec-completeness-audit/spec.md
  • specs/402-resource-policy-authorization-proof-matrix/implementation-report.md
  • apps/platform/app/Support/ReviewPacks/CustomerOutputGate.php
  • apps/platform/app/Support/ReviewPacks/CustomerOutputGateDecision.php
  • apps/platform/app/Http/Controllers/ReviewPackDownloadController.php
  • apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php
  • apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php
  • apps/platform/tests/Feature/ReviewPack/Spec392CustomerOutputRouteGateTest.php
  • apps/platform/tests/Unit/Support/ReviewPacks/Spec392CustomerOutputGateTest.php

External Anchors

Not applicable.

Required Repo Context

  • Output route/controller and authorization path.
  • CustomerOutputGate decision logic.
  • Source evidence and currentness contract for the output.
  • Audience mode: customer/read-only, operator/MSP, or support/platform.
  • Default-visible content and hidden technical detail boundaries.
  • Download/streaming tests and route tests.

Execution Checklist

  • Gate output through explicit customer-output decision logic, not permissions alone.
  • Confirm workspace/managed-environment scope before streaming or downloading.
  • Keep raw JSON, payloads, fingerprints, source keys, provider request details, and internal reason ownership out of customer defaults.
  • Demote OperationRun, raw evidence, and technical audit details to authorized internal paths.
  • Use canonical customer-safe status vocabulary from Product Surface Contract.
  • Preserve one dominant customer/operator next action.
  • Add tests for authorized output, denied output, blocked output, and internal-preview behavior where runtime output changes.

Stop Conditions

  • Output is allowed solely because the actor has permission.
  • Blocked output can still be streamed or downloaded.
  • Customer-safe label is applied without evidence/currentness proof.
  • Customer CTA points directly to internal-only technical detail as the primary path.
  • Page-local readiness logic duplicates or bypasses CustomerOutputGate.
  • Raw provider/evidence payloads are default-visible to customer/read-only users.
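
The Execution Checklist and Stop Conditions above, shown as one decision function. This is an added example, not the repository's CustomerOutputGate code. Every name, field, state value, and reason code in it is an assumption, and it requires PHP 8.1 or later.

```php
<?php
declare(strict_types=1);

// Added illustration; every name, field, and reason code here is hypothetical.
enum Audience { case Customer; case Operator; case Support; }

final class GateDecision
{
    public function __construct(
        public readonly bool $allowed,
        public readonly string $reason,
        public readonly array $fields = [],
    ) {}
}

// Assumed internal-only fields that must not be customer defaults.
const INTERNAL_FIELDS = ['raw_payload', 'operation_run_id', 'fingerprint', 'provider_request'];

function decideOutput(array $actor, array $report, Audience $audience, DateTimeImmutable $now): GateDecision
{
    // Permission is required, but it is only the first check, never the last.
    if (!in_array('report.download', $actor['permissions'], true)) {
        return new GateDecision(false, 'not_authorized');
    }
    // Workspace scope is confirmed before anything is streamed.
    if ($actor['workspace_id'] !== $report['workspace_id']) {
        return new GateDecision(false, 'out_of_scope');
    }
    // A blocked or unpublished report is not downloadable just because it exists.
    if ($report['state'] !== 'published') {
        return new GateDecision(false, 'blocked');
    }
    // Customer-safe output needs evidence that is still current.
    if ($report['evidence_valid_until'] < $now) {
        return new GateDecision(false, 'evidence_stale');
    }
    // Internal technical detail is stripped from the customer default view only.
    $fields = $audience === Audience::Customer
        ? array_diff_key($report['fields'], array_flip(INTERNAL_FIELDS))
        : $report['fields'];
    return new GateDecision(true, 'ok', $fields);
}

// Constructed sample: the actor holds the permission, yet the report is blocked.
$actor  = ['permissions' => ['report.download'], 'workspace_id' => 7];
$report = ['workspace_id' => 7, 'state' => 'blocked',
    'evidence_valid_until' => new DateTimeImmutable('2030-01-01'),
    'fields' => ['summary' => 'constructed', 'raw_payload' => '{}', 'operation_run_id' => 42]];
echo decideOutput($actor, $report, Audience::Customer, new DateTimeImmutable('2026-01-01'))->reason, PHP_EOL;
```

A controller following this pattern would start the stream or download only after `allowed` is true, which keeps the blocked-state and denied-state tests meaningful.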

Required Evidence After Use

  • Route/controller and gate decision proof.
  • Scope and authorization proof.
  • Customer-visible default content summary.
  • Technical/internal detail demotion proof.
  • Tests or explicit N/A for docs-only work.

Common Failure Modes

  • Treating report existence as publishability.
  • Exposing internal preview links in customer paths.
  • Letting OperationRun or evidence snapshot IDs become customer proof.
  • Adding download verbs without blocked-state tests.
  • Using stale or internal readiness labels as customer-facing truth.

Quarantined Rules

Full Spec 416 quarantine list applies. Especially quarantined here: OperationRun as default customer proof; limited customer download vocabulary; raw provider/evidence payload default display; fallback-to-latest evidence; historical audits as current truth.

Review / Expiry

Review whenever customer output gates, review/report downloads, rendered reports, or customer/auditor boundary semantics change. No planned expiry.