Automated PR provided by Codex via Gitea API. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #483
| name | description |
|---|---|
| tenantpilot-customer-output-gate | Hard-gate customer-safe output, review/report downloads, and customer/auditor visibility boundaries. |
Purpose
Use this skill to prevent internal evidence, permissions, OperationRun details, raw payloads, and technical diagnostics from being exposed as customer-safe output or product-default proof.
Activate When
- Touching review packs, environment reviews, stored reports, rendered reports, management PDFs, customer review workspace, customer/auditor routes, report downloads, or review publication.
- Adding output labels such as customer-safe, ready, blocked, publishable, downloadable, complete, or current.
- Changing controller-backed downloads, signed links, streamed reports, or internal preview paths.
Do Not Activate When
- The task has no customer/auditor output, report, download, review, or rendered product proof behavior.
- The task is an internal-only docs/tooling change and cannot alter runtime output.
Maturity
L4 hard gate.
Gate Type
hard-gate.
Source Evidence
- docs/product/standards/product-surface-contract.md
- docs/security-guidelines.md
- specs/400-product-contract-spec-completeness-audit/spec.md
- specs/402-resource-policy-authorization-proof-matrix/implementation-report.md
- apps/platform/app/Support/ReviewPacks/CustomerOutputGate.php
- apps/platform/app/Support/ReviewPacks/CustomerOutputGateDecision.php
- apps/platform/app/Http/Controllers/ReviewPackDownloadController.php
- apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php
- apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php
- apps/platform/tests/Feature/ReviewPack/Spec392CustomerOutputRouteGateTest.php
- apps/platform/tests/Unit/Support/ReviewPacks/Spec392CustomerOutputGateTest.php
External Anchors
Not applicable.
Required Repo Context
- Output route/controller and authorization path.
- CustomerOutputGate decision logic.
- Source evidence and currentness contract for the output.
- Audience mode: customer/read-only, operator/MSP, or support/platform.
- Default-visible content and hidden technical detail boundaries.
- Download/streaming tests and route tests.
Execution Checklist
- Gate output through explicit customer-output decision logic, not permissions alone.
- Confirm workspace/managed-environment scope before streaming or downloading.
- Keep raw JSON, payloads, fingerprints, source keys, provider request details, and internal reason ownership out of customer defaults.
- Demote OperationRun, raw evidence, and technical audit details to authorized internal paths.
- Use canonical customer-safe status vocabulary from Product Surface Contract.
- Preserve one dominant customer/operator next action.
- Add tests for authorized output, denied output, blocked output, and internal-preview behavior where runtime output changes.
Stop Conditions
- Output is allowed solely because the actor has permission.
- Blocked output can still be streamed or downloaded.
- Customer-safe label is applied without evidence/currentness proof.
- Customer CTA points directly to internal-only technical detail as the primary path.
- Page-local readiness logic duplicates or bypasses CustomerOutputGate.
- Raw provider/evidence payloads are default-visible to customer/read-only users.
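The Execution Checklist and Stop Conditions above describe one decision order: permission, then scope, then blocked state, then evidence currentness, then audience-based demotion of internal detail. The following is an added illustration of that order in a hypothetical gate; it is not the project's CustomerOutputGate, and the field names, the permission string `review-pack:download` and the 7-day currentness window are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: hypothetical gate, not the project's CustomerOutputGate. Field names,
// the permission string and the 7-day currentness window are assumptions.
enum Audience: string { case Customer = 'customer'; case Operator = 'operator'; case Support = 'support'; }
final class GateDecision
{
    public function __construct(
        public readonly bool $allowed,
        public readonly string $status,        // canonical vocabulary: 'publishable' | 'blocked' | 'stale'
        public readonly array $visibleFields,  // what this audience may see by default
        public readonly ?string $reason = null,
    ) {}
}
final class OutputGate
{
    private const CUSTOMER_SAFE = ['title', 'status', 'summary', 'generated_at', 'next_action'];
    private const MAX_EVIDENCE_AGE = 7 * 86400; // assumed currentness window, in seconds

    public function decide(array $actor, array $report, \DateTimeImmutable $now, Audience $audience): GateDecision
    {
        // 1. Permission is necessary but never sufficient on its own.
        if (!in_array('review-pack:download', $actor['permissions'], true)) {
            return new GateDecision(false, 'blocked', [], 'missing permission');
        }
        // 2. Scope: the actor must belong to the report's workspace / managed environment.
        if ($actor['workspace_id'] !== $report['workspace_id']) {
            return new GateDecision(false, 'blocked', [], 'out of scope');
        }
        // 3. A blocked report is never streamed or downloaded, whoever asks.
        if ($report['blocked']) {
            return new GateDecision(false, 'blocked', [], 'report blocked');
        }
        // 4. 'publishable' requires current evidence; there is no fallback to latest.
        if ($now->getTimestamp() - $report['evidence_at']->getTimestamp() > self::MAX_EVIDENCE_AGE) {
            return new GateDecision(false, 'stale', [], 'evidence not current');
        }
        // 5. Customer/read-only audiences get only customer-safe fields; OperationRun ids,
        //    raw payloads and fingerprints stay on authorized internal paths.
        $fields = $audience === Audience::Customer
            ? array_intersect_key($report, array_flip(self::CUSTOMER_SAFE)) : $report;
        return new GateDecision(true, 'publishable', $fields);
    }
}
// Controller-side use: a denied decision yields the status only, never a stream or signed link.
function downloadResponse(OutputGate $gate, array $actor, array $report, Audience $audience): array
{
    $d = $gate->decide($actor, $report, new \DateTimeImmutable(), $audience);
    return $d->allowed ? ['http' => 200, 'body' => $d->visibleFields] : ['http' => 403, 'status' => $d->status];
}
```

Tests for this shape cover the four cases the checklist names: authorized output, denied (permission or scope), blocked, and the internal-preview path where a non-customer audience sees the demoted fields.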
Required Evidence After Use
- Route/controller and gate decision proof.
- Scope and authorization proof.
- Customer-visible default content summary.
- Technical/internal detail demotion proof.
- Tests or explicit N/A for docs-only work.
Common Failure Modes
- Treating report existence as publishability.
- Exposing internal preview links in customer paths.
- Letting OperationRun or evidence snapshot IDs become customer proof.
- Adding download verbs without blocked-state tests.
- Using stale or internal readiness labels as customer-facing truth.
Quarantined Rules
Full Spec 416 quarantine list applies. Especially quarantined here: OperationRun as default customer proof; limited customer download vocabulary; raw provider/evidence payload default display; fallback-to-latest evidence; historical audits as current truth.
Review / Expiry
Review whenever customer output gates, review/report downloads, rendered reports, or customer/auditor boundary semantics change. No planned expiry.