## Summary

- add a dedicated public trust, privacy, and security surface for DACH evaluation
- expand homepage trust discoverability and localized trust handoff copy
- add and update smoke coverage plus Spec Kit artifacts for feature 405

## Validation

- `corepack pnpm --dir apps/website build`
- `WEBSITE_PORT=4322 corepack pnpm exec playwright test tests/smoke/public-routes.spec.ts tests/smoke/interaction.spec.ts`

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #400
# OpenAPI 3.1 description of the public website's trust-related routes.
# The site is static HTML (Astro); this file records route obligations and
# page contracts rather than a JSON API. Every `x-page-contract` below is a
# vendor extension: standard OpenAPI tooling ignores it, so it is intended for
# readers and, presumably, the smoke tests named in the commit message.
openapi: 3.1.0
info:
  title: Tenantial Public Trust Website Surface
  version: 0.1.0
  # `info.summary` is an OpenAPI 3.1 field; it is not valid under 3.0.x.
  summary: Observable HTTP contract for Spec 405 public website routes
  description: >
    This contract documents the public HTTP surface for the trust-related website
    flow in Spec 405. The implementation is a static Astro website that returns
    HTML pages, not a backend JSON API. OpenAPI is used here only to make the
    route-level obligations explicit.
servers:
  # The public hostname is listed over HTTPS only; keep it that way — a
  # plaintext entry for the production host would invite insecure clients.
  - url: https://tenantial.com
    description: Production hostname
  # Loopback-only plaintext entry for local preview. WEBSITE_PORT overrides
  # the port (the validation run in the commit message used 4322), so this
  # URL only matches a preview started with the default.
  - url: http://127.0.0.1:4321
    description: Local preview using WEBSITE_PORT default
tags:
  - name: public-website
    description: Static public website routes
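# Route obligations. Each operation returns static HTML; the `x-page-contract`
# extension carries the content requirements the smoke tests are expected to
# check. The English routes mirror their German source route where stated.
paths:
  /:
    get:
      tags: [public-website]
      summary: Render German homepage
      operationId: getHomeDe
      description: >
        Returns the default-locale homepage. The homepage is required to expose
        a trust teaser or equivalent summary with a real link to the canonical
        trust route.
      # Default-locale homepage contract: the trust surface must be reachable
      # in one click, and the copy must not carry placeholder links or
      # compliance claims that the trust page does not back.
      x-page-contract:
        locale: de
        requiredLinks:
          - label: Vertrauen
            href: /trust
        requiredSections:
          - hero
          - trust teaser
          - footer trust link
        requiredOutcomes:
          - buyer can discover the trust surface in one click
        # Blanket compliance assertions are forbidden in marketing copy; the
        # trust page carries claims with an explicit status instead. The first
        # entry is quoted so its `#` can never be read as a YAML comment.
        forbiddenPatterns:
          - 'href="#"'
          - lorem ipsum
          - DSGVO compliant
          - GDPR compliant
          - ISO certified
      responses:
        '200':
          description: Static HTML homepage
          content:
            text/html:
              schema:
                type: string
  /trust:
    get:
      tags: [public-website]
      summary: Render German trust page
      operationId: getTrustDe
      description: >
        Returns the German trust surface for DACH evaluation.
      x-page-contract:
        locale: de
        # Topic coverage the page must render; /en/trust mirrors this list.
        requiredSections:
          - hero
          - trust principles
          - claim status legend
          - hosting posture
          - privacy and DSGVO posture
          - AVV/DPA and TOM readiness
          - data categories
          - provider permissions
          - RBAC and least privilege
          - auditability
          - encryption and secrets posture
          - retention, export, and deletion posture
          - subprocessors
          - support access posture
          - security contact or trust handoff
        # Every trust claim carries one of these statuses. Keep this list
        # identical to components.schemas.ClaimStatus; `$ref` has no defined
        # meaning inside an `x-` extension, so the copy is deliberate.
        allowedClaimStatuses:
          - documented
          - on request
          - in preparation
          - planned
          - not claimed
          - not applicable
        # NOTE(review): the homepage's forbiddenPatterns (blanket "GDPR
        # compliant" / "ISO certified" copy) are not applied to this route, so
        # an unstatused blanket claim here would bypass the claim-status
        # discipline above; consider mirroring that list.
        primaryHandoff:
          route: /contact
      responses:
        '200':
          description: Static HTML trust page
          content:
            text/html:
              schema:
                type: string
  /contact:
    get:
      tags: [public-website]
      summary: Render German contact route
      operationId: getContactDe
      description: >
        Returns the existing contact route used as the trust-page request and
        escalation handoff when no dedicated document download or security
        mailbox is verified.
      x-page-contract:
        locale: de
        acceptedRoles:
          - walkthrough request
          - trust question
          - privacy/procurement follow-up
        # Security boundary for the handoff: the public form is not a channel
        # for credentials, tokens or other secrets, and the page copy should
        # say so. While no verified security mailbox exists, vulnerability
        # reports presumably land here too — NOTE(review): a dedicated
        # disclosure channel is worth adding once one can be verified.
        constraints:
          - no secrets or credentials submitted via the public website
      responses:
        '200':
          description: Static HTML contact page
          content:
            text/html:
              schema:
                type: string
  /en/:
    get:
      tags: [public-website]
      summary: Render English homepage
      operationId: getHomeEn
      description: >
        Returns the English mirrored homepage with the same trust discoverability
        obligations as the default locale.
      x-page-contract:
        locale: en
        # The description promises parity with "/", so record it the same way
        # /en/trust does; in particular the forbidden-pattern list must apply
        # to the English copy as well, not only the localized link target.
        mirrors:
          sourceRoute: /
          parityRequired: true
        requiredLinks:
          - label: Trust
            href: /en/trust
      responses:
        '200':
          description: Static HTML homepage
          content:
            text/html:
              schema:
                type: string
  /en/trust:
    get:
      tags: [public-website]
      summary: Render English trust page
      operationId: getTrustEn
      description: >
        Returns the English mirrored trust surface with the same claim-status and
        topic coverage obligations as the German route.
      x-page-contract:
        locale: en
        # Section list and allowed claim statuses are inherited from /trust.
        mirrors:
          sourceRoute: /trust
          parityRequired: true
        primaryHandoff:
          route: /en/contact
      responses:
        '200':
          description: Static HTML trust page
          content:
            text/html:
              schema:
                type: string
  /en/contact:
    get:
      tags: [public-website]
      summary: Render English contact route
      operationId: getContactEn
      description: >
        Returns the English contact route that /en/trust names as its primary
        handoff. It is subject to the same no-secrets constraint as /contact.
      x-page-contract:
        locale: en
        # NOTE(review): acceptedRoles are not declared for the English route;
        # presumably they match /contact — add `mirrors` once confirmed.
        constraints:
          - no secrets or credentials submitted via the public website
      responses:
        '200':
          description: Static HTML contact page
          content:
            text/html:
              schema:
                type: string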
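components:
  schemas:
    # Status vocabulary for every claim on the trust pages. Must stay equal to
    # `allowedClaimStatuses` under /trust; `$ref` has no defined meaning inside
    # an `x-` extension, so that list is a deliberate copy of this enum.
    ClaimStatus:
      type: string
      description: Lifecycle status attached to a single trust claim
      enum:
        - documented
        - on request
        - in preparation
        - planned
        - not claimed
        - not applicable
    # One topic block rendered on the trust page.
    TrustTopic:
      type: object
      additionalProperties: false
      required:
        - slug
        - title
        - summary
        - claimStatus
      properties:
        slug:
          type: string
        title:
          type: string
        summary:
          type: string
        claimStatus:
          $ref: '#/components/schemas/ClaimStatus'
        requestPath:
          type: string
          description: Optional real route or mailto destination
          # Only same-site routes or mailto links may be rendered as the request
          # target. Rejects javascript:/data: URLs, external http(s) hosts and
          # protocol-relative "//host" paths, which would otherwise let a
          # topic entry turn the trust page into a phishing/redirect pivot.
          pattern: '^(/(?!/)|mailto:)'
    # Shape of the `x-page-contract` objects on /trust and /en/trust. The
    # homepage and contact contracts use a different key set and are not
    # described by this schema.
    TrustPageContract:
      type: object
      additionalProperties: false
      required:
        - locale
        - primaryHandoff
      # A mirrored route inherits its section list from `mirrors.sourceRoute`
      # (as /en/trust does), so exactly one of the two must be present.
      anyOf:
        - required: [requiredSections]
        - required: [mirrors]
      properties:
        locale:
          type: string
          enum: [de, en]
        requiredSections:
          type: array
          items:
            type: string
        allowedClaimStatuses:
          type: array
          items:
            $ref: '#/components/schemas/ClaimStatus'
        mirrors:
          type: object
          additionalProperties: false
          required:
            - sourceRoute
          properties:
            sourceRoute:
              type: string
            parityRequired:
              type: boolean
        primaryHandoff:
          type: object
          additionalProperties: false
          required:
            - route
          properties:
            route:
              type: string
              # The handoff is a same-site route; same rationale as
              # TrustTopic.requestPath.
              pattern: '^/(?!/)'
        requiredTopics:
          type: array
          items:
            $ref: '#/components/schemas/TrustTopic'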