TenantAtlas/specs/347-review-pack-output-contract-readiness-semantics/contracts/customer-safe-output-boundary.md
Ahmed Darrazi 549a9a0004
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 1m0s
feat: review pack output contract and readiness semantics (spec 347)
Implemented the output contract and readiness semantics for review packs. Also added spec 348.
Includes changes to ChooseEnvironment, CustomerReviewWorkspace, GenerateReviewPackJob and related blade views.
Added comprehensive tests.
2026-06-03 01:14:29 +02:00

3.3 KiB

Customer-Safe Output Boundary

Status: prepared
Created: 2026-06-02
Scope: Derived customer-safe vs internal-only boundary for review-derived Review Pack output

This document defines what Spec 347 may present as customer-safe, internal-only, or limitations-bearing output.

1. Boundary Principles

  • customer-safe is a derived presentation boundary, not a new persisted entity
  • internal-only is a derived presentation boundary, not a new persisted entity
  • PII visibility must be explicit
  • redaction visibility must be explicit
  • diagnostics and raw/support detail remain secondary or hidden on default customer-safe paths
  • non-certification disclosure is mandatory

2. Customer-Safe Minimum Conditions

A package may be described as customer-safe only when repo truth supports all of:

  1. released review exists
  2. current package artifact exists and is valid for download/use
  3. evidence basis is not silently incomplete
  4. required section limitations are either absent or clearly disclosed
  5. no internal-only/raw/support detail is exposed by default
  6. PII handling is explicit
  7. redaction integrity is explicit
  8. non-certification disclosure is present

If any of these are missing or ambiguous, the package must use a more conservative label.

3. Internal Package Conditions

A package should be treated as internal or review-required when any of these are true:

  • evidence basis is incomplete, stale, or missing
  • required sections are incomplete and limitations are material
  • include_pii is true and external sharing still requires operator review
  • export exists but customer-safe readiness is not fully supported by repo truth
  • current wording would otherwise overclaim confidence

4. PII And Redaction Rules

Current repo truth already provides:

  • options.include_pii
  • redaction_integrity.protected_values_hidden

Spec 347 must make these visible in the output contract and/or workspace rendering.

Rules:

  • include_pii=true must never be invisible on the operator decision path
  • protected_values_hidden=true must be visible as redaction integrity context where relevant
  • PII included does not automatically forbid sharing, but it does require explicit operator awareness

5. Disclosure Rules

Customer-safe default paths must show:

  • what the package is
  • what evidence basis it uses
  • whether limitations exist
  • whether PII is included
  • what the next action is

Customer-safe default paths must not show by default:

  • raw JSON
  • raw payloads
  • stack traces
  • support-only diagnostics
  • fingerprints unless explicitly needed and safe
  • internal reason ownership or platform debug semantics

6. Download Boundary

Current signed downloads remain valid proof/artifact delivery.

Spec 347 must not treat download availability alone as sufficient proof of customer-safe readiness.

Download labeling should therefore distinguish between:

  • customer-safe ready package
  • package with limitations
  • internal package

7. Executive Summary Boundary

The executive summary must:

  • include a limitations note when the package is not clearly customer-safe ready
  • retain non-certification disclosure
  • avoid raw/internal-only detail

It may describe:

  • published review
  • evidence basis
  • top findings
  • accepted risks
  • governance decisions
  • next actions

It must not imply:

  • certification
  • legal attestation
  • guaranteed compliance