Automated PR provided by Codex via Gitea API. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #483
98 lines
4.3 KiB
Markdown
98 lines
4.3 KiB
Markdown
---
|
|
name: tenantpilot-customer-output-gate
|
|
description: Hard-gate customer-safe output, review/report downloads, and customer/auditor visibility boundaries.
|
|
---
|
|
|
|
## Purpose
|
|
|
|
Use this skill to prevent internal evidence, permissions, OperationRun details, raw payloads, and technical diagnostics from being exposed as customer-safe output or product-default proof.
|
|
|
|
## Activate When
|
|
|
|
- Touching review packs, environment reviews, stored reports, rendered reports, management PDFs, customer review workspace, customer/auditor routes, report downloads, or review publication.
|
|
- Adding output labels such as customer-safe, ready, blocked, publishable, downloadable, complete, or current.
|
|
- Changing controller-backed downloads, signed links, streamed reports, or internal preview paths.
|
|
|
|
## Do Not Activate When
|
|
|
|
- The task has no customer/auditor output, report, download, review, or rendered product proof behavior.
|
|
- The task is an internal-only docs/tooling change and cannot alter runtime output.
|
|
|
|
## Maturity
|
|
|
|
L4 hard gate.
|
|
|
|
## Gate Type
|
|
|
|
hard-gate.
|
|
|
|
## Source Evidence
|
|
|
|
- `docs/product/standards/product-surface-contract.md`
|
|
- `docs/security-guidelines.md`
|
|
- `specs/400-product-contract-spec-completeness-audit/spec.md`
|
|
- `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md`
|
|
- `apps/platform/app/Support/ReviewPacks/CustomerOutputGate.php`
|
|
- `apps/platform/app/Support/ReviewPacks/CustomerOutputGateDecision.php`
|
|
- `apps/platform/app/Http/Controllers/ReviewPackDownloadController.php`
|
|
- `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php`
|
|
- `apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php`
|
|
- `apps/platform/tests/Feature/ReviewPack/Spec392CustomerOutputRouteGateTest.php`
|
|
- `apps/platform/tests/Unit/Support/ReviewPacks/Spec392CustomerOutputGateTest.php`
|
|
|
|
## External Anchors
|
|
|
|
Not applicable.
|
|
|
|
## Required Repo Context
|
|
|
|
- Output route/controller and authorization path.
|
|
- `CustomerOutputGate` decision logic.
|
|
- Source evidence and currentness contract for the output.
|
|
- Audience mode: customer/read-only, operator/MSP, or support/platform.
|
|
- Default-visible content and hidden technical detail boundaries.
|
|
- Download/streaming tests and route tests.
|
|
|
|
## Execution Checklist
|
|
|
|
- Gate output through explicit customer-output decision logic, not permissions alone.
|
|
- Confirm workspace/managed-environment scope before streaming or downloading.
|
|
- Keep raw JSON, payloads, fingerprints, source keys, provider request details, and internal reason ownership out of customer defaults.
|
|
- Demote OperationRun, raw evidence, and technical audit details to authorized internal paths.
|
|
- Use canonical customer-safe status vocabulary from Product Surface Contract.
|
|
- Preserve one dominant customer/operator next action.
|
|
- Add tests for authorized output, denied output, blocked output, and internal-preview behavior where runtime output changes.
|
|
|
|
## Stop Conditions
|
|
|
|
- Output is allowed solely because the actor has permission.
|
|
- Blocked output can still be streamed or downloaded.
|
|
- Customer-safe label is applied without evidence/currentness proof.
|
|
- Customer CTA points directly to internal-only technical detail as the primary path.
|
|
- Page-local readiness logic duplicates or bypasses `CustomerOutputGate`.
|
|
- Raw provider/evidence payloads are default-visible to customer/read-only users.
|
|
|
|
## Required Evidence After Use
|
|
|
|
- Route/controller and gate decision proof.
|
|
- Scope and authorization proof.
|
|
- Customer-visible default content summary.
|
|
- Technical/internal detail demotion proof.
|
|
- Tests or explicit N/A for docs-only work.
|
|
|
|
## Common Failure Modes
|
|
|
|
- Treating report existence as publishability.
|
|
- Exposing internal preview links in customer paths.
|
|
- Letting OperationRun or evidence snapshot IDs become customer proof.
|
|
- Adding download verbs without blocked-state tests.
|
|
- Using stale or internal readiness labels as customer-facing truth.
|
|
|
|
## Quarantined Rules
|
|
|
|
Full Spec 416 quarantine list applies. Especially quarantined here: OperationRun as default customer proof; limited customer download vocabulary; raw provider/evidence payload default display; fallback-to-latest evidence; historical audits as current truth.
|
|
|
|
## Review / Expiry
|
|
|
|
Review whenever customer output gates, review/report downloads, rendered reports, or customer/auditor boundary semantics change. No planned expiry.
|