Capablio

Prompt 17 — Accessibility, security, observability, and test hardening

Run a cross-product hardening pass. This prompt is not for adding new product features except fixes required to meet documented acceptance criteria.

Updated

Required context

  • All implemented workspaces and public surfaces
  • Current test/CI and observability stack
  • Authorization, encryption, privacy, and data-retention specs
  • Release gates

Prompt

Run a cross-product hardening pass. This prompt is not for adding new product features except fixes required to meet documented acceptance criteria.

1. Accessibility audit

Test representative paths:

  • Marketing home and pricing
  • Docs search/article
  • Sign-in/invite/recovery
  • Individual Today and survey completion
  • Results with charts/table alternative
  • PDP creation/share
  • Manager nominations
  • HR campaign/completion
  • Tenant people/roles/import
  • Global tenant detail/support access

Use automated and manual checks:

  • Keyboard only
  • Visible focus and focus order
  • Screen reader on at least one desktop browser/platform supported by the team
  • 200% and 400% zoom/reflow
  • Color contrast
  • Reduced motion
  • Error identification and recovery
  • Dialog/drawer focus
  • Table/tree semantics
  • Chart alternatives

Create an accessibility defect list, fix release blockers, and document accepted exceptions with owner/date.

2. Security verification

Test:

  • Cross-tenant access across all object types
  • Org-scope bypass
  • Role/permission revocation
  • Export and bulk endpoints
  • Invite/token replay and expiry
  • Open redirect and unsafe return URL
  • Support access scope/expiry
  • Secret leakage in client/log/error/analytics
  • File upload validation and processing isolation
  • Webhook signing/replay
  • Rate limits/abuse controls
  • Encryption/recovery flows
  • Suppression/difference attacks

Use existing security tooling. Do not claim a penetration test or certification unless one actually occurred.

3. Observability

Instrument critical flows with privacy-safe events/metrics/traces:

  • Auth/invite success/failure category
  • Survey load/save/submit without answers
  • Campaign transition/job outcomes
  • Notification delivery
  • Import processing
  • Coverage assembly outcome
  • Report generation/release
  • PDP recurrence scheduling
  • Integration sync
  • Entitlement/billing evaluation

Use correlation IDs. Exclude ratings, comments, goals, key material, and sensitive free text.

Build operational dashboards/alerts and link runbooks for critical errors.

4. Reliability and data integrity

  • Idempotency for transitions, imports, notifications, tenant creation, webhooks
  • Retry/dead-letter/reconciliation
  • Database constraints and tenant keys
  • Migration verification
  • Backup/restore test appropriate to the environment
  • Graceful partial failures
  • Timezone/DST/calendar cases
  • Large-tenant performance and pagination

5. Test suite

Ensure coverage includes:

  • Domain unit tests
  • API integration tests
  • Authorization negative tests
  • Component accessibility tests
  • End-to-end persona journeys
  • Visual regression for shells/core components
  • Contract tests for integrations/webhooks
  • Documentation/link validation
  • Build/type/lint

Create deterministic synthetic fixtures for all roles and no production PII.

6. Quality report

Create:

wiki/internal/operations/release-quality-report.md
wiki/internal/security/security-verification-report.md
wiki/internal/product/accessibility-conformance-status.md
wiki/internal/operations/observability-map.md

Reports must state what was tested, tools/versions, environment, failures, exceptions, and owners. Avoid unsupported compliance language.

Acceptance gates

  • No known critical cross-tenant, plaintext-access, secret-leakage, or invite-replay issue.
  • Core journeys are keyboard and screen-reader usable.
  • Critical background jobs are observable and recoverable.
  • CI includes required build, test, authorization, docs, and accessibility gates.