Added PDF generation service for management reports as per Spec 378, including Gotenberg integration in docker-compose and configuration updates. Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de> Reviewed-on: #449
5.8 KiB
5.8 KiB
Spec 378 Constitution Renderer Gate Review
Date: 2026-06-14 Review type: renderer/package/runtime governance gate. Decision: renderer gate approved with controls; implementation may proceed after a scoped runtime config task.
Repo Safety
- Branch:
378-management-report-pdf-v1 - HEAD:
f1eadadf docs: add spec 377 post-productization browser reaudit closeout gate (#448) - Dirty files before governance update: untracked
specs/378-management-report-pdf-v1/ - Staged files before governance update: none observed
- Untracked files before governance update:
specs/378-management-report-pdf-v1/ git diff --name-onlybefore governance update: no tracked-file diff- Spec 378 files already changed before governance update: yes, active Spec 378 directory existed as untracked content
- Other specs affected before governance update: none observed
Runtime Surface Read
docker-compose.yml: present at repo root; containslaravel.test,queue,pgsql,redis, and asailbridge network.apps/platform/docker-compose.yml: not present.apps/platform/Dockerfile: not present.apps/platform/docker/: not present.apps/platform/composer.json: no runtime PDF renderer package.apps/platform/package.json:playwrightappears underdevDependencies; no production PDF runtime is declared.
Gate State
Result: gate can be updated with approved renderer.
- Previous gate stop was valid.
- Missing renderer evidence was documented in Spec 378.
- Downstream implementation tasks remain open.
- No tracked app-code, runtime compose, Composer, npm, StoredReport, OperationRun, UI, or template implementation was started.
- Gotenberg is not currently deployed or configured in the repo.
- This review approves the renderer architecture only; runtime config remains pending.
Constitution Alignment
| Area | Result | Review |
|---|---|---|
| Package Governance | PASS with controls | Gotenberg is a runtime service, not a Composer/npm package. The decision is documented in Spec 378 artifacts and docs/package-governance.md, with pinning, security, maintenance, and review-date controls. |
| Security | PASS with controls | The approved model keeps the browser runtime out of Laravel containers, internal-only, no public port, server-generated HTML only, no signed URLs/secrets in HTML, outbound access restricted, and safe error mapping required. |
| RBAC / Isolation | PASS | Renderer selection does not weaken RBAC. Generation/download still require workspace, tenant, managed-environment, and capability checks before renderer invocation or artifact return. |
| Auditability | PASS | The renderer gateway must pass correlation/OperationRun metadata and map success/failure into OperationRun and audit records without raw renderer errors. |
| Proportionality / BLOAT | PASS | A separate internal renderer service plus narrow Laravel gateway is justified by customer-facing PDF artifact quality, queue failure isolation, and avoiding browser binaries in the app container. It is narrower than a generic report engine. |
| No Premature Abstraction | PASS with controls | Only PdfRenderingGateway / PdfRendererClient is approved as shared infrastructure. Domain generators remain separate; no report center, billing framework, or generic document engine is approved. |
| UI-COV | PASS | Renderer governance changes no reachable UI by itself. Spec 378 still records that implementation will change report/action/download surfaces and must update or close out UI coverage then. |
| Test Governance | PASS | This docs-only gate requires no PHP tests. Future runtime implementation must cover gateway, failure mapping, authorization-before-render, artifact storage, OperationRun, audit, and content smoke. |
| Operational Readiness | PASS with controls | Docker/Dokploy fit is strong, but runtime service config, health check, env/config, timeouts, request limits, logs, and image pinning remain required implementation tasks. |
| Billing / Invoice Boundary | PASS | Approval is explicitly limited to report-style PDF rendering. BillingDocument, invoice numbering, tax/e-invoice XML, and invoice archival remain separate future domains. |
SaaS Invoice Future Boundary
PDF Rendering Infrastructure is shared. Report Domain is separate. Billing / Invoice Domain is separate. E-Invoice XML Compliance is separate.
Target architecture:
Shared PDF Rendering Infrastructure
-> Gotenberg / Chromium Renderer
-> PdfRenderingGateway
-> Storage
-> Audit
-> OperationRun
Domain-specific generators
-> ManagementReportGenerator
-> EvidenceReportGenerator
-> InvoiceDocumentGenerator
-> CreditNoteDocumentGenerator
Identity boundaries:
StoredReportis notBillingDocument.Report IDis notInvoice Number.OperationRun IDis notInvoice Number.StoredReport IDis notInvoice Number.
Future billing specs must define these separately before implementation:
BillingDocumentInvoiceNumberAllocatorInvoiceTaxCalculatorEInvoiceXmlBuilderZugferdFacturXBuilderXRechnungBuilderInvoicePdfRenderer via PdfRenderingGatewayBillingDocumentArchiveBillingAuditTrail
Final Gate Result
renderer gate approved - implementation may proceed after runtime config task.
Required next scoped task before report runtime implementation:
- Add and validate Gotenberg runtime service configuration for Sail/Dokploy with the controls from
spec378-gotenberg-security-controls.md. - Add config keys for renderer base URL, timeout, body/output size limits, and disabled/unavailable behavior.
- Implement
PdfRenderingGateway/PdfRendererClientonly after the runtime config task is scoped. - Do not implement management report payload, StoredReport integration, OperationRun integration, UI action, PDF templates, or report generation before that runtime path exists.