TenantAtlas/.agent/skills/repo-contracts/customer-output-gate/SKILL.md
ahmido 332f6325cb feat: add tenantpilot agent skill layer v1 (#483)
Automated PR provided by Codex via Gitea API.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #483
2026-06-25 23:03:47 +00:00

98 lines
4.3 KiB
Markdown

---
name: tenantpilot-customer-output-gate
description: Hard-gate customer-safe output, review/report downloads, and customer/auditor visibility boundaries.
---
## Purpose
Use this skill to prevent internal evidence, permissions, OperationRun details, raw payloads, and technical diagnostics from being exposed as customer-safe output or product-default proof.
## Activate When
- Touching review packs, environment reviews, stored reports, rendered reports, management PDFs, customer review workspace, customer/auditor routes, report downloads, or review publication.
- Adding output labels such as customer-safe, ready, blocked, publishable, downloadable, complete, or current.
- Changing controller-backed downloads, signed links, streamed reports, or internal preview paths.
## Do Not Activate When
- The task has no customer/auditor output, report, download, review, or rendered product proof behavior.
- The task is an internal-only docs/tooling change and cannot alter runtime output.
## Maturity
L4 hard gate.
## Gate Type
hard-gate.
## Source Evidence
- `docs/product/standards/product-surface-contract.md`
- `docs/security-guidelines.md`
- `specs/400-product-contract-spec-completeness-audit/spec.md`
- `specs/402-resource-policy-authorization-proof-matrix/implementation-report.md`
- `apps/platform/app/Support/ReviewPacks/CustomerOutputGate.php`
- `apps/platform/app/Support/ReviewPacks/CustomerOutputGateDecision.php`
- `apps/platform/app/Http/Controllers/ReviewPackDownloadController.php`
- `apps/platform/app/Http/Controllers/ReviewPackRenderedReportController.php`
- `apps/platform/app/Http/Controllers/ManagementReportPdfDownloadController.php`
- `apps/platform/tests/Feature/ReviewPack/Spec392CustomerOutputRouteGateTest.php`
- `apps/platform/tests/Unit/Support/ReviewPacks/Spec392CustomerOutputGateTest.php`
## External Anchors
Not applicable.
## Required Repo Context
- Output route/controller and authorization path.
- `CustomerOutputGate` decision logic.
- Source evidence and currentness contract for the output.
- Audience mode: customer/read-only, operator/MSP, or support/platform.
- Default-visible content and hidden technical detail boundaries.
- Download/streaming tests and route tests.
## Execution Checklist
- Gate output through explicit customer-output decision logic, not permissions alone.
- Confirm workspace/managed-environment scope before streaming or downloading.
- Keep raw JSON, payloads, fingerprints, source keys, provider request details, and internal reason ownership out of customer defaults.
- Demote OperationRun, raw evidence, and technical audit details to authorized internal paths.
- Use canonical customer-safe status vocabulary from Product Surface Contract.
- Preserve one dominant customer/operator next action.
- Add tests for authorized output, denied output, blocked output, and internal-preview behavior where runtime output changes.
## Stop Conditions
- Output is allowed solely because the actor has permission.
- Blocked output can still be streamed or downloaded.
- Customer-safe label is applied without evidence/currentness proof.
- Customer CTA points directly to internal-only technical detail as the primary path.
- Page-local readiness logic duplicates or bypasses `CustomerOutputGate`.
- Raw provider/evidence payloads are default-visible to customer/read-only users.
## Required Evidence After Use
- Route/controller and gate decision proof.
- Scope and authorization proof.
- Customer-visible default content summary.
- Technical/internal detail demotion proof.
- Tests or explicit N/A for docs-only work.
## Common Failure Modes
- Treating report existence as publishability.
- Exposing internal preview links in customer paths.
- Letting OperationRun or evidence snapshot IDs become customer proof.
- Adding download verbs without blocked-state tests.
- Using stale or internal readiness labels as customer-facing truth.
## Quarantined Rules
Full Spec 416 quarantine list applies. Especially quarantined here: OperationRun as default customer proof; limited customer download vocabulary; raw provider/evidence payload default display; fallback-to-latest evidence; historical audits as current truth.
## Review / Expiry
Review whenever customer output gates, review/report downloads, rendered reports, or customer/auditor boundary semantics change. No planned expiry.