ahmido/TenantAtlas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects 1 Releases Wiki Activity
b3e6dfdb7c
TenantAtlas/specs/378-management-report-pdf-v1/checklists/requirements.md
ahmido d43ebcb4ee feat(report): implement management report pdf v1 (#449) 
Added PDF generation service for management reports as per Spec 378, including Gotenberg integration in docker-compose and configuration updates.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #449
2026-06-14 18:36:07 +00:00

60 lines
4.3 KiB
Markdown
Raw Blame History

# Requirements Checklist: Spec 378 - Management Report PDF v1
**Purpose**: Preparation readiness review for Spec 378 before application implementation.
**Created**: 2026-06-14
**Feature**: `specs/378-management-report-pdf-v1/spec.md`
## Candidate And Scope
- [x] CHK001 The selected candidate is directly user-provided and not invented from the automatic queue.
- [x] CHK002 Related completed specs are treated as historical context only and are not rewritten.
- [x] CHK003 The smallest v1 slice is one `customer_executive` management PDF artifact from existing ready/current review-pack truth.
- [x] CHK004 Technical/Auditor Evidence Report, Delivery Center, scheduled delivery, portal, AI, and raw JSON appendix are out of scope.
- [x] CHK005 The spec records close alternatives and follow-up candidates instead of hiding them inside v1.
## Repo Truth And Dependencies
- [x] CHK006 The spec reuses the existing rendered-report route/controller/view family from Specs 356, 357, and 366.
- [x] CHK007 The spec requires `ReportProfileRegistry` and `ReportDisclosurePolicy` rather than inventing parallel profile/disclosure rules.
- [x] CHK008 The plan records that no native PDF runtime package is currently approved in `apps/platform/composer.json`.
- [x] CHK009 The tasks include a hard package/renderer governance gate before runtime implementation.
- [x] CHK010 The plan records that current `StoredReport` is narrow and may need a bounded substrate extension.
## Security, RBAC, And Isolation
- [x] CHK011 Workspace, tenant, and managed-environment scope are explicit for generation, storage, lookup, and download.
- [x] CHK012 Unauthorized non-member or wrong-scope access uses deny-as-not-found semantics.
- [x] CHK013 Member-without-capability handling is specified as 403 after scope is established.
- [x] CHK014 The PDF and audit metadata forbid secrets, signed URLs, raw provider payloads, raw operation context, SQL errors, stack traces, and serialized jobs.
- [x] CHK015 Download is required to be signed and/or server-authorized and to re-resolve scope server-side.
## OperationRun, Audit, And Artifact Truth
- [x] CHK016 The preferred implementation creates or reuses an OperationRun for generation.
- [x] CHK017 The spec requires safe OperationRun outcomes for success, renderer failure, storage failure, and blocked source/readiness cases.
- [x] CHK018 Generation audit and download audit metadata are specified.
- [x] CHK019 Artifact truth is required to carry workspace, tenant scope, managed environment, source review/pack, profile, format, actor, generated time, and operation-run provenance.
- [x] CHK020 A new artifact entity is not approved; implementation must stop and update spec/plan if one is required.
## UI And Productization Coverage
- [x] CHK021 UI Surface Impact is marked as changed reachable surfaces, not `No UI surface impact`.
- [x] CHK022 The affected surfaces are bounded to existing rendered report, Environment Review/Review Pack owner actions, optional download route, and StoredReport only if reused.
- [x] CHK023 The plan defines deterministic UI coverage update rules for UI-099/UI-042/UI-048, route inventory, and design coverage artifacts.
- [x] CHK024 The generate action is classified as high-impact artifact creation, not destructive Microsoft-tenant mutation, and requires explicit confirmation.
- [x] CHK025 Filament v5 / Livewire v4 compliance, provider registration, global-search posture, action safety, asset strategy, and testing plan are called out for implementation close-out.
## Testing And Validation
- [x] CHK026 Unit tests are required for payload, readiness, disclosure, and renderer failure mapping.
- [x] CHK027 Feature tests are required for generation, storage, OperationRun, audit, authorization, and download.
- [x] CHK028 Filament/Livewire action tests are required for action visibility/disabled state on the chosen owner surface.
- [x] CHK029 Browser/content smoke is required for customer-facing PDF content and leakage boundaries.
- [x] CHK030 PostgreSQL lane is required if migrations/indexes/schema constraints are introduced.
## Review Outcome
- [x] CHK031 Review outcome class: `acceptable-special-case` for preparation, with renderer/package gate preserved for implementation.
- [x] CHK032 Workflow outcome: `keep` for the prepared scope, with follow-up specs separated.
- [x] CHK033 No application implementation was performed during preparation.
Reference in New Issue View Git Blame Copy Permalink