TenantAtlas/specs/307-decision-register-evidence-operationrun-link-polish/checklists/requirements.md
Ahmed Darrazi be780a8b48
Some checks failed
PR Fast Feedback / fast-feedback (pull_request) Failing after 1m36s
chore(decision-register): polish evidence operation run link and tests
2026-05-15 13:41:43 +02:00

61 lines
3.9 KiB
Markdown

# Requirements Checklist: Decision Register Evidence / OperationRun Link Polish
**Purpose**: Validate Spec 307 preparation quality before runtime implementation.
**Created**: 2026-05-15
**Feature**: `/specs/307-decision-register-evidence-operationrun-link-polish/spec.md`
## Candidate and Scope
- [x] Candidate is selected from current product roadmap/spec-candidates and matches the user-provided full draft.
- [x] Completed Spec 265 and Spec 306 are treated as context only and are not modified.
- [x] Scope is narrow productization polish over the existing Decision Register, not a greenfield rebuild.
- [x] Explicit non-goals block new decision persistence, workflow engine, lifecycle actions, evidence storage, Review Pack redesign, customer portal/export, notifications, provider changes, and broad navigation redesign.
- [x] The proportionality review explains why derived link metadata is sufficient and why new persistence/abstractions are rejected.
## Requirements Quality
- [x] Functional requirements are testable and avoid implementation-only wording where user behavior is the point.
- [x] Evidence/report links are allowed only for repo-real references and existing canonical destinations.
- [x] OperationRun links are allowed only for repo-real run references and existing link helpers.
- [x] Missing proof/run states are truthful and non-alarming.
- [x] No fake links may be inferred from labels, counts, statuses, loose text, or timestamps.
- [x] No source-of-truth duplication is allowed for evidence payloads, stored report payloads, or OperationRun lifecycle truth.
- [x] Existing row-to-FindingException detail handoff is preserved.
- [x] Lifecycle action ownership remains on existing queue/detail surfaces.
## Security, Scope, and Authorization
- [x] Workspace isolation is explicitly required and tested.
- [x] Environment isolation is explicitly required and tested.
- [x] Destination pages keep server-side authorization; UI visibility is not treated as authorization.
- [x] Non-member/out-of-scope behavior remains deny-as-not-found where existing policy semantics require it.
- [x] Member-without-capability destination behavior remains governed by existing policies.
- [x] Legacy `/admin/t` URL generation is explicitly forbidden and tested.
- [x] Canonical workspace/environment/admin routes are required.
## Filament and Laravel Compliance
- [x] Filament v5 and Livewire v4.0+ compliance is stated.
- [x] Provider registration location remains `apps/platform/bootstrap/providers.php`; no provider changes are planned.
- [x] Relevant globally searchable resources are disabled for global search, so the Edit/View-page hard rule is not newly triggered.
- [x] No destructive Decision Register actions are introduced; existing destructive-like detail actions keep confirmation and authorization.
- [x] Asset strategy is asset-neutral unless implementation proves otherwise; `filament:assets` deploy impact is called out if assets are added.
- [x] Native Filament UI patterns are required and ad-hoc styling is forbidden.
## Testing and Validation
- [x] Builder unit tests cover proof count, missing proof, direct links where real, multiple-reference fallback, and missing OperationRun.
- [x] Feature tests cover page rendering, missing copy, no legacy URLs, detail handoff, lifecycle action absence, and authorization.
- [x] Isolation tests cover cross-workspace and cross-environment proof/run link denial.
- [x] Artifact and OperationRun link guard lanes are included.
- [x] FindingException lifecycle/audit lane is included to prove ownership is unchanged.
- [x] `git diff --check` is included.
- [x] Browser smoke is recommended and has concrete steps.
## Readiness Result
- [x] No unresolved clarification markers are required for preparation.
- [x] Requirements, plan, and tasks are mutually aligned.
- [x] Runtime implementation can start from `tasks.md` after explicit approval.
- [x] Preparation stops before application implementation.