# Requirements And Sign-Off Checklist

## Scope
This project is a PHP template shell for an admin-style interface with server-rendered fragments and client-side AJAX navigation.

## How To Use This File
1. Treat this as the release and PR acceptance checklist.
2. `Must` items are mandatory for sign-off.
3. `Should` items are expected unless a documented exception is approved.
4. `Could` items are optional improvements.

## Must (Sign-Off Required)

### Core Routing And Rendering
- [ ] Requests route through a single entry point.
- [ ] Page fragments are loaded only from an allow-list.
- [ ] App supports both full-page and AJAX fragment render modes.
- [ ] Unknown or invalid routes fail safely.

### Shared Layout And Navigation
- [ ] Shared layout components exist and render consistently: sidebar, topbar, footer.
- [ ] Navigation updates content without full page reload.
- [ ] Browser back/forward behavior works with route history.
- [ ] Active nav and breadcrumb reflect current page.

### UX Baseline
- [ ] Loading feedback exists for page transitions (progress and spinner behavior).
- [ ] Toast notifications provide user feedback for key actions.
- [ ] Responsive behavior is usable on desktop, tablet, and mobile.
- [ ] Minimum page set is available: `mainContent`, `content2`, `online`.

### Security Baseline
- [ ] Request input is sanitized and validated before route/file resolution.
- [ ] Dynamic output in HTML context is escaped.
- [ ] Route traversal attempts are blocked.
- [ ] Error output does not expose sensitive internals.
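
One way a single entry point could satisfy the allow-list, validation, traversal and error-output items above. This is an added example, not the project's own code: the `page` query parameter, the `pages/` directory, the fragment file names and both function names are assumptions, and it requires PHP 8.0 or later.

```php
<?php
declare(strict_types=1);

// Hypothetical allow-list: route key => fragment file. The keys are the
// minimum page set from this checklist; the file names are assumptions.
const ROUTES = [
    'mainContent' => 'mainContent.php',
    'content2'    => 'content2.php',
    'online'      => 'online.php',
];

/** Return the fragment path for a requested route, or null if not allowed. */
function resolveFragment(mixed $raw, string $pagesDir): ?string
{
    // Reject arrays (?page[]=x), odd characters and unknown keys. The request
    // value only selects a map entry; it never becomes part of a path.
    if (!is_string($raw) || preg_match('/\A[A-Za-z0-9_]{1,32}\z/', $raw) !== 1
        || !array_key_exists($raw, ROUTES)) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside the pages directory.
    $base = realpath($pagesDir);
    $file = realpath($pagesDir . DIRECTORY_SEPARATOR . ROUTES[$raw]);
    if ($base === false || $file === false
        || !str_starts_with($file, $base . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $file;
}

function renderRequest(array $query, string $pagesDir): void
{
    $route = $query['page'] ?? 'mainContent';
    $file  = resolveFragment($route, $pagesDir);
    if ($file === null) {
        // Fail safely: generic 404 to the client, detail to the server log.
        // json_encode escapes newlines, so the value cannot forge log lines.
        http_response_code(404);
        error_log('Rejected route: ' . json_encode($route));
        echo '<p>Page not found.</p>';
        return;
    }
    try {
        require $file;
    } catch (Throwable $e) {
        http_response_code(500);
        error_log($e->getMessage()); // internals stay server-side
        echo '<p>Something went wrong.</p>';
    }
}

renderRequest($_GET, __DIR__ . '/pages');
```

Values echoed inside a fragment still need `htmlspecialchars($value, ENT_QUOTES, 'UTF-8')` to meet the HTML-escaping item; the resolver does not cover that.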

### Quality And Process Baseline
- [ ] Manual pre-PR checks in [docs/TESTING_RULES.md](TESTING_RULES.md) are completed.
- [ ] Security gate checks in [../SECURITY.md](../SECURITY.md) are completed.
- [ ] Behavior changes are documented in project docs.

## Should (Expected)

### Maintainability
- [ ] New routes can be added without editing core router logic directly (prefer route config file).
- [ ] Naming remains consistent across route key, menu label, and page title.
- [ ] Reusable behavior is centralized in `assets/app.js`.
- [ ] Reusable presentation is centralized in `assets/app.css`.

### Reliability
- [ ] Exceptions are logged server-side for diagnostics.
- [ ] CDN dependency failures degrade gracefully.
- [ ] Dynamic content re-initialization does not duplicate listeners or leak state.

### Settings And Persistence
- [ ] System settings live on the server and are controlled by runtime/config values.
- [ ] Application settings live on the server and define app-wide behavior defaults.
- [ ] User settings live in the browser/local storage unless a server profile store is added later.
- [ ] Theme preference supports `light`, `dark`, and `auto` modes.
- [ ] Debug mode can be turned on or off independently of other preferences.
- [ ] Footer timing defaults to on when debug mode is on and can also be enabled independently.
- [ ] Users can turn selected UI features on or off where supported.
- [ ] Admin-only controls manage server defaults for system and application behavior.
- [ ] User profile local storage includes extended fields (name, email, phone, education, location, skills, notes, and social counters).

### Documentation
- [ ] Contributor workflow is kept current in [../CONTRIBUTING.md](../CONTRIBUTING.md).
- [ ] Local setup and troubleshooting remain current in [docs/WORKING_ENVIRONMENT.md](WORKING_ENVIRONMENT.md).

## Could (Optional Improvements)

### Product And Platform Growth
- [ ] Add authentication and role-based authorization.
- [ ] Add data integration layer (API or database-backed content).
- [ ] Add CI pipeline for lint/smoke checks.
- [ ] Add accessibility audit and remediation backlog.
- [ ] Add observability dashboards and release health metrics.

## Current Gaps To Track
1. Authentication and authorization rules are not yet implemented.
2. API/database integration strategy is not defined.
3. CI/deployment requirements are not yet formalized.
4. Accessibility and advanced security coverage are partial.
5. Route registration still requires editing router internals.
6. Settings persistence strategy is browser-first for user preferences and server-first for system/application behavior.

## Sign-Off Record (Per Release Or Major PR)
- [ ] Must items complete.
- [ ] Any Should exceptions documented and approved.
- [ ] Risk notes captured in PR or release notes.
- [ ] Reviewer and maintainer sign-off completed.
