Handbook
Prompt 17 — Accessibility, security, observability, and test hardening
Run a cross-product hardening pass. This prompt is not for adding new product features except fixes required to meet documented acceptance criteria.
Updated
Required context
- All implemented workspaces and public surfaces
- Current test/CI and observability stack
- Authorization, encryption, privacy, and data-retention specs
- Release gates
Prompt
Run a cross-product hardening pass. This prompt is not for adding new product features except fixes required to meet documented acceptance criteria.
1. Accessibility audit
Test representative paths:
- Marketing home and pricing
- Docs search/article
- Sign-in/invite/recovery
- Individual Today and survey completion
- Results with charts/table alternative
- PDP creation/share
- Manager nominations
- HR campaign/completion
- Tenant people/roles/import
- Global tenant detail/support access
Use automated and manual checks:
- Keyboard only
- Visible focus and focus order
- Screen reader on at least one desktop browser/platform supported by the team
- 200% and 400% zoom/reflow
- Color contrast
- Reduced motion
- Error identification and recovery
- Dialog/drawer focus
- Table/tree semantics
- Chart alternatives
Create an accessibility defect list, fix release blockers, and document accepted exceptions with owner/date.
2. Security verification
Test:
- Cross-tenant access across all object types
- Org-scope bypass
- Role/permission revocation
- Export and bulk endpoints
- Invite/token replay and expiry
- Open redirect and unsafe return URL
- Support access scope/expiry
- Secret leakage in client/log/error/analytics
- File upload validation and processing isolation
- Webhook signing/replay
- Rate limits/abuse controls
- Encryption/recovery flows
- Suppression/difference attacks
Use existing security tooling. Do not claim a penetration test or certification unless one actually occurred.
3. Observability
Instrument critical flows with privacy-safe events/metrics/traces:
- Auth/invite success/failure category
- Survey load/save/submit without answers
- Campaign transition/job outcomes
- Notification delivery
- Import processing
- Coverage assembly outcome
- Report generation/release
- PDP recurrence scheduling
- Integration sync
- Entitlement/billing evaluation
Use correlation IDs. Exclude ratings, comments, goals, key material, and sensitive free text.
Build operational dashboards/alerts and link runbooks for critical errors.
4. Reliability and data integrity
- Idempotency for transitions, imports, notifications, tenant creation, webhooks
- Retry/dead-letter/reconciliation
- Database constraints and tenant keys
- Migration verification
- Backup/restore test appropriate to the environment
- Graceful partial failures
- Timezone/DST/calendar cases
- Large-tenant performance and pagination
5. Test suite
Ensure coverage includes:
- Domain unit tests
- API integration tests
- Authorization negative tests
- Component accessibility tests
- End-to-end persona journeys
- Visual regression for shells/core components
- Contract tests for integrations/webhooks
- Documentation/link validation
- Build/type/lint
Create deterministic synthetic fixtures for all roles and no production PII.
6. Quality report
Create:
wiki/internal/operations/release-quality-report.md
wiki/internal/security/security-verification-report.md
wiki/internal/product/accessibility-conformance-status.md
wiki/internal/operations/observability-map.md
Reports must state what was tested, tools/versions, environment, failures, exceptions, and owners. Avoid unsupported compliance language.
Acceptance gates
- No known critical cross-tenant, plaintext-access, secret-leakage, or invite-replay issue.
- Core journeys are keyboard and screen-reader usable.
- Critical background jobs are observable and recoverable.
- CI includes required build, test, authorization, docs, and accessibility gates.