TenantAtlas/specs/385-evidence-review-readiness/checklists/requirements.md
ahmido 3a9402998a feat(evidence): implement baseline review readiness integration (#456)
Added `BaselineReadinessGate`, resolution propagation, and disclosure semantics logic per Spec 385. Integrates baseline unreadiness into Customer Review Workspace and Review Packs to prevent report generation when identity bindings are unresolved.

Co-authored-by: Ahmed Darrazi <ahmed.darrazi@live.de>
Reviewed-on: #456
2026-06-17 22:54:11 +00:00

71 lines
4.6 KiB
Markdown

# Requirements Checklist: Spec 385 - Evidence and Review Readiness Integration v1
**Purpose**: Preparation quality and constitution gate for Spec 385 before implementation.
**Created**: 2026-06-17
**Feature**: `specs/385-evidence-review-readiness/spec.md`
## Candidate And Scope
- [x] CHK001 The selected candidate is directly user-provided and not invented from an empty auto-prep queue.
- [x] CHK002 The candidate is not already covered by an existing `specs/385-*` package.
- [x] CHK003 Completed dependency specs 381, 382, 383, and 384 are treated as read-only historical context.
- [x] CHK004 The smallest viable slice is Evidence, Environment Review, and Review Pack readiness integration only.
- [x] CHK005 Matching, compare semantics, resolution UI, workflow engines, report/PDF runtime, and legacy compatibility are explicitly out of scope.
## Spec Approval Rubric
- [x] CHK006 The Spec Candidate Check answers the operator workflow, trust/safety, smallest version, complexity, and why-now questions.
- [x] CHK007 The spec is classified as Core Enterprise.
- [x] CHK008 Red flags are named and defended.
- [x] CHK009 The score is at least 7/12 and the decision is approve.
- [x] CHK010 The proportionality review covers current problem, insufficiency, narrowest implementation, ownership cost, rejected alternative, and release truth.
## Repository Truth
- [x] CHK011 Existing affected surfaces are named from repo truth, including `BaselineDriftPostureSource`, `EvidenceCompletenessEvaluator`, `EnvironmentReviewReadinessGate`, `ReviewPackOutputReadiness`, `ReviewPackOutputResolutionGuidance`, and `ReportDisclosurePolicy`.
- [x] CHK012 Existing source-of-truth boundaries are preserved: OperationRun compare proof, provider resource bindings, Evidence Snapshot, Environment Review, Review Pack, and Stored Report.
- [x] CHK013 Readiness remains derived unless implementation updates the spec/plan/tasks before adding persistence.
- [x] CHK014 Pre-production compatibility posture rejects old payload compatibility readers.
## UI And Surface Coverage
- [x] CHK015 The spec includes a coherent UI Surface Impact decision for changed existing surfaces.
- [x] CHK016 UI/Productization Coverage names affected surfaces and page-report expectations.
- [x] CHK017 Customer-safe review requirements are explicit.
- [x] CHK018 Dangerous-action review is marked not applicable because no new destructive/high-impact action is planned.
- [x] CHK019 Tasks include UI coverage/page-report update decisions for affected existing surfaces.
- [x] CHK020 The spec includes a UI Action Matrix for changed existing Filament surfaces and records that no new actions are planned.
## Shared Patterns And OperationRun
- [x] CHK021 Cross-cutting shared pattern reuse names existing helpers before any new mapper.
- [x] CHK022 Any new mapper/helper is bounded to baseline readiness and barred from becoming a generic readiness/workflow framework.
- [x] CHK023 OperationRun impact is limited to proof and next-action links; no lifecycle transition or new run type is planned.
- [x] CHK024 Provider boundary rules keep provider identifiers internal/proof-only and primary readiness language provider-neutral.
## RBAC, Security, And Disclosure
- [x] CHK025 Workspace/environment entitlement and deny-as-not-found boundaries are required for all affected links and surfaces.
- [x] CHK026 Customer-safe output forbids raw provider IDs, canonical subject keys, binding internals, internal enum names, database IDs, and raw OperationRun JSON.
- [x] CHK027 Internal/support diagnostics are allowed only according to existing profile/disclosure rules.
- [x] CHK028 No Graph/provider calls are allowed during readiness derivation or UI render.
## Test And Validation Readiness
- [x] CHK029 Test purpose and lanes are explicit.
- [x] CHK030 Tasks include tests before runtime mapping implementation.
- [x] CHK031 Tasks cover false-green and false-red cases.
- [x] CHK032 Tasks include customer-safe leakage tests.
- [x] CHK033 Tasks include Filament/Livewire and browser-smoke decisions for changed rendered surfaces.
- [x] CHK034 Validation commands are present in the spec, plan, and tasks.
## Review Outcome
- [x] CHK035 Review outcome class: acceptable-special-case.
- [x] CHK036 Workflow outcome: keep.
- [x] CHK037 Final note location: implementation close-out entry `Evidence and Review Readiness Integration`.
## Notes
Preparation is ready for implementation review. The later implementation loop must stop and update spec/plan/tasks before adding any new persisted readiness entity, public state family, route, panel provider, provider call, workflow engine, report/PDF runtime change, or legacy compatibility reader.