ahmido
12ea7f9924
Implemented the output contract and readiness semantics for review packs. Also added spec 348. Includes changes to ChooseEnvironment, CustomerReviewWorkspace, GenerateReviewPackJob and related blade views. Added comprehensive tests. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #419
3.3 KiB
Customer-Safe Output Boundary
Status: prepared
Created: 2026-06-02
Scope: Derived customer-safe vs internal-only boundary for review-derived Review Pack output
This document defines what Spec 347 may present as customer-safe, internal-only, or limitations-bearing output.
1. Boundary Principles
- customer-safe is a derived presentation boundary, not a new persisted entity
- internal-only is a derived presentation boundary, not a new persisted entity
- PII visibility must be explicit
- redaction visibility must be explicit
- diagnostics and raw/support detail remain secondary or hidden on default customer-safe paths
- non-certification disclosure is mandatory
2. Customer-Safe Minimum Conditions
A package may be described as customer-safe only when repo truth supports all of:
- released review exists
- current package artifact exists and is valid for download/use
- evidence basis is not silently incomplete
- required section limitations are either absent or clearly disclosed
- no internal-only/raw/support detail is exposed by default
- PII handling is explicit
- redaction integrity is explicit
- non-certification disclosure is present
If any of these are missing or ambiguous, the package must use a more conservative label.
3. Internal Package Conditions
A package should be treated as internal or review-required when any of these are true:
- evidence basis is incomplete, stale, or missing
- required sections are incomplete and limitations are material
include_piiis true and external sharing still requires operator review- export exists but customer-safe readiness is not fully supported by repo truth
- current wording would otherwise overclaim confidence
4. PII And Redaction Rules
Current repo truth already provides:
options.include_piiredaction_integrity.protected_values_hidden
Spec 347 must make these visible in the output contract and/or workspace rendering.
Rules:
include_pii=truemust never be invisible on the operator decision pathprotected_values_hidden=truemust be visible as redaction integrity context where relevant- PII included does not automatically forbid sharing, but it does require explicit operator awareness
5. Disclosure Rules
Customer-safe default paths must show:
- what the package is
- what evidence basis it uses
- whether limitations exist
- whether PII is included
- what the next action is
Customer-safe default paths must not show by default:
- raw JSON
- raw payloads
- stack traces
- support-only diagnostics
- fingerprints unless explicitly needed and safe
- internal reason ownership or platform debug semantics
6. Download Boundary
Current signed downloads remain valid proof/artifact delivery.
Spec 347 must not treat download availability alone as sufficient proof of customer-safe readiness.
Download labeling should therefore distinguish between:
- customer-safe ready package
- package with limitations
- internal package
7. Executive Summary Boundary
The executive summary must:
- include a limitations note when the package is not clearly customer-safe ready
- retain non-certification disclosure
- avoid raw/internal-only detail
It may describe:
- published review
- evidence basis
- top findings
- accepted risks
- governance decisions
- next actions
It must not imply:
- certification
- legal attestation
- guaranteed compliance