# Task Review Checklist Complete this checklist before implementation starts. ## Foundation Review - [ ] Reviewed `AGENTS.md` - [ ] Reviewed `docs/standards/project-foundations.md` - [ ] Reviewed the relevant reusable foundations under `src/features/foundation/**` - [ ] Reviewed the relevant CRM feature foundations under `src/features/crm/**` - [ ] Confirmed whether the task extends an existing service before creating a new one ## ADR Review - [ ] Reviewed relevant `docs/adr/**` - [ ] Confirmed whether the requested behavior conflicts with an accepted ADR - [ ] Documented if a new ADR is required ## Historical Task Review - [ ] Identified related foundations in `docs/standards/project-foundations.md` - [ ] Identified related ADRs - [ ] Identified the tasks that created or changed those foundations in `docs/standards/task-catalog.md` - [ ] Reviewed the related completed task documents in `docs/implementation/**` - [ ] Documented historical findings before implementation Implementation without historical review is prohibited. ## Business Context Review - [ ] Reviewed relevant `docs/business/**` - [ ] Confirmed business terminology and scope - [ ] Checked whether Thai CRM terminology rules apply ## API Review - [ ] Reviewed existing route handlers under the affected `src/app/api/**` area - [ ] Confirmed whether an existing API can be extended instead of duplicated - [ ] Confirmed request/response contracts and validation approach ## Permission Review - [ ] Reviewed `src/lib/auth/session.ts` - [ ] Reviewed `src/lib/auth/crm-access.ts` if CRM scope is involved - [ ] Reviewed `src/features/crm/security/server/service.ts` if CRM security is involved - [ ] Reviewed relevant `docs/security/**` - [ ] Confirmed server-side enforcement points ## Audit Review - [ ] Reviewed `src/features/foundation/audit-log/service.ts` - [ ] Checked existing entity/action names for the affected module - [ ] Confirmed whether security-denial auditing is required - [ ] Confirmed audit payload expectations ## Duplication Review - [ ] No duplicate services - [ ] No duplicate APIs - [ ] No duplicate permissions or role models - [ ] No duplicate export/report systems - [ ] No duplicate PDF rendering path - [ ] No duplicate approval workflow logic ## Security Review - [ ] Direct role-string authorization is not used - [ ] Scope enforcement is server-side - [ ] Branch/product/ownership/pricing visibility is enforced where applicable - [ ] Client-side visibility is treated as UX-only, not as security ## UI / UX Review - [ ] Reviewed `docs/standards/ui-ux-rules.md` - [ ] Reused `PageContainer`, table, filter, and form patterns where applicable - [ ] Confirmed terminology consistency with `docs/business/crm-terminology.md` ## Verification Review - [ ] Defined typecheck/lint/test verification - [ ] Defined manual scenarios for scope/security-sensitive work - [ ] Recorded known risks and follow-up items