ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
a5b7300ca9
TenantAtlas/specs/378-management-report-pdf-v1/checklists/requirements.md
ahmido d43ebcb4ee feat(report): implement management report pdf v1 (#449) 
Added PDF generation service for management reports as per Spec 378, including Gotenberg integration in docker-compose and configuration updates.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #449
2026-06-14 18:36:07 +00:00

4.3 KiB
Raw Blame History

Requirements Checklist: Spec 378 - Management Report PDF v1

Purpose: Preparation readiness review for Spec 378 before application implementation. Created: 2026-06-14 Feature: specs/378-management-report-pdf-v1/spec.md

Candidate And Scope

  • CHK001 The selected candidate is directly user-provided and not invented from the automatic queue.
  • CHK002 Related completed specs are treated as historical context only and are not rewritten.
  • CHK003 The smallest v1 slice is one customer_executive management PDF artifact from existing ready/current review-pack truth.
  • CHK004 Technical/Auditor Evidence Report, Delivery Center, scheduled delivery, portal, AI, and raw JSON appendix are out of scope.
  • CHK005 The spec records close alternatives and follow-up candidates instead of hiding them inside v1.

Repo Truth And Dependencies

  • CHK006 The spec reuses the existing rendered-report route/controller/view family from Specs 356, 357, and 366.
  • CHK007 The spec requires ReportProfileRegistry and ReportDisclosurePolicy rather than inventing parallel profile/disclosure rules.
  • CHK008 The plan records that no native PDF runtime package is currently approved in apps/platform/composer.json.
  • CHK009 The tasks include a hard package/renderer governance gate before runtime implementation.
  • CHK010 The plan records that current StoredReport is narrow and may need a bounded substrate extension.

Security, RBAC, And Isolation

  • CHK011 Workspace, tenant, and managed-environment scope are explicit for generation, storage, lookup, and download.
  • CHK012 Unauthorized non-member or wrong-scope access uses deny-as-not-found semantics.
  • CHK013 Member-without-capability handling is specified as 403 after scope is established.
  • CHK014 The PDF and audit metadata forbid secrets, signed URLs, raw provider payloads, raw operation context, SQL errors, stack traces, and serialized jobs.
  • CHK015 Download is required to be signed and/or server-authorized and to re-resolve scope server-side.

OperationRun, Audit, And Artifact Truth

  • CHK016 The preferred implementation creates or reuses an OperationRun for generation.
  • CHK017 The spec requires safe OperationRun outcomes for success, renderer failure, storage failure, and blocked source/readiness cases.
  • CHK018 Generation audit and download audit metadata are specified.
  • CHK019 Artifact truth is required to carry workspace, tenant scope, managed environment, source review/pack, profile, format, actor, generated time, and operation-run provenance.
  • CHK020 A new artifact entity is not approved; implementation must stop and update spec/plan if one is required.

UI And Productization Coverage

  • CHK021 UI Surface Impact is marked as changed reachable surfaces, not No UI surface impact.
  • CHK022 The affected surfaces are bounded to existing rendered report, Environment Review/Review Pack owner actions, optional download route, and StoredReport only if reused.
  • CHK023 The plan defines deterministic UI coverage update rules for UI-099/UI-042/UI-048, route inventory, and design coverage artifacts.
  • CHK024 The generate action is classified as high-impact artifact creation, not destructive Microsoft-tenant mutation, and requires explicit confirmation.
  • CHK025 Filament v5 / Livewire v4 compliance, provider registration, global-search posture, action safety, asset strategy, and testing plan are called out for implementation close-out.

Testing And Validation

  • CHK026 Unit tests are required for payload, readiness, disclosure, and renderer failure mapping.
  • CHK027 Feature tests are required for generation, storage, OperationRun, audit, authorization, and download.
  • CHK028 Filament/Livewire action tests are required for action visibility/disabled state on the chosen owner surface.
  • CHK029 Browser/content smoke is required for customer-facing PDF content and leakage boundaries.
  • CHK030 PostgreSQL lane is required if migrations/indexes/schema constraints are introduced.

Review Outcome

  • CHK031 Review outcome class: acceptable-special-case for preparation, with renderer/package gate preserved for implementation.
  • CHK032 Workflow outcome: keep for the prepared scope, with follow-up specs separated.
  • CHK033 No application implementation was performed during preparation.