TenantAtlas/specs/307-decision-register-evidence-operationrun-link-polish/checklists/requirements.md

Requirements Checklist: Decision Register Evidence / OperationRun Link Polish

Purpose: Validate Spec 307 preparation quality before runtime implementation.
Created: 2026-05-15
Feature: /specs/307-decision-register-evidence-operationrun-link-polish/spec.md

Candidate and Scope

• Candidate is selected from current product roadmap/spec-candidates and matches the user-provided full draft.
• Completed Spec 265 and Spec 306 are treated as context only and are not modified.
• Scope is narrow productization polish over the existing Decision Register, not a greenfield rebuild.
• Explicit non-goals block new decision persistence, workflow engine, lifecycle actions, evidence storage, Review Pack redesign, customer portal/export, notifications, provider changes, and broad navigation redesign.
• The proportionality review explains why derived link metadata is sufficient and why new persistence/abstractions are rejected.

Requirements Quality

• Functional requirements are testable and avoid implementation-only wording where user behavior is the point.
• Evidence/report links are allowed only for repo-real references and existing canonical destinations.
• OperationRun links are allowed only for repo-real run references and existing link helpers.
• Missing proof/run states are truthful and non-alarming.
• No fake links may be inferred from labels, counts, statuses, loose text, or timestamps.
• No source-of-truth duplication is allowed for evidence payloads, stored report payloads, or OperationRun lifecycle truth.
• Existing row-to-FindingException detail handoff is preserved.
• Lifecycle action ownership remains on existing queue/detail surfaces.

Security, Scope, and Authorization

• Workspace isolation is explicitly required and tested.
• Environment isolation is explicitly required and tested.
• Destination pages keep server-side authorization; UI visibility is not treated as authorization.
• Non-member/out-of-scope behavior remains deny-as-not-found where existing policy semantics require it.
• Member-without-capability destination behavior remains governed by existing policies.
• Legacy /admin/t URL generation is explicitly forbidden and tested.
• Canonical workspace/environment/admin routes are required.

Filament and Laravel Compliance

• Filament v5 and Livewire v4.0+ compliance is stated.
• Provider registration location remains apps/platform/bootstrap/providers.php; no provider changes are planned.
• Relevant globally searchable resources are disabled for global search, so the Edit/View-page hard rule is not newly triggered.
• No destructive Decision Register actions are introduced; existing destructive-like detail actions keep confirmation and authorization.
• Asset strategy is asset-neutral unless implementation proves otherwise; filament:assets deploy impact is called out if assets are added.
• Native Filament UI patterns are required and ad-hoc styling is forbidden.

Testing and Validation

• Builder unit tests cover proof count, missing proof, direct links where real, multiple-reference fallback, and missing OperationRun.
• Feature tests cover page rendering, missing copy, no legacy URLs, detail handoff, lifecycle action absence, and authorization.
• Isolation tests cover cross-workspace and cross-environment proof/run link denial.
• Artifact and OperationRun link guard lanes are included.
• FindingException lifecycle/audit lane is included to prove ownership is unchanged.
• git diff --check is included.
• Browser smoke is recommended and has concrete steps.

Readiness Result

• No unresolved clarification markers are required for preparation.
• Requirements, plan, and tasks are mutually aligned.
• Runtime implementation can start from tasks.md after explicit approval.
• Preparation stops before application implementation.