Files
alla-allaos-fullstack/docs/standards/task-review-checklist.md
phaichayon c1ecd5ea50 commit
2026-06-23 22:13:08 +07:00

83 lines
2.9 KiB
Markdown

# Task Review Checklist
Complete this checklist before implementation starts.
## Foundation Review
- [ ] Reviewed `AGENTS.md`
- [ ] Reviewed `docs/standards/project-foundations.md`
- [ ] Reviewed the relevant reusable foundations under `src/features/foundation/**`
- [ ] Reviewed the relevant CRM feature foundations under `src/features/crm/**`
- [ ] Confirmed whether the task extends an existing service before creating a new one
## ADR Review
- [ ] Reviewed relevant `docs/adr/**`
- [ ] Confirmed whether the requested behavior conflicts with an accepted ADR
- [ ] Documented if a new ADR is required
## Historical Task Review
- [ ] Identified related foundations in `docs/standards/project-foundations.md`
- [ ] Identified related ADRs
- [ ] Identified the tasks that created or changed those foundations in `docs/standards/task-catalog.md`
- [ ] Reviewed the related completed task documents in `docs/implementation/**`
- [ ] Documented historical findings before implementation
Implementation without historical review is prohibited.
## Business Context Review
- [ ] Reviewed relevant `docs/business/**`
- [ ] Confirmed business terminology and scope
- [ ] Checked whether Thai CRM terminology rules apply
## API Review
- [ ] Reviewed existing route handlers under the affected `src/app/api/**` area
- [ ] Confirmed whether an existing API can be extended instead of duplicated
- [ ] Confirmed request/response contracts and validation approach
## Permission Review
- [ ] Reviewed `src/lib/auth/session.ts`
- [ ] Reviewed `src/lib/auth/crm-access.ts` if CRM scope is involved
- [ ] Reviewed `src/features/crm/security/server/service.ts` if CRM security is involved
- [ ] Reviewed relevant `docs/security/**`
- [ ] Confirmed server-side enforcement points
## Audit Review
- [ ] Reviewed `src/features/foundation/audit-log/service.ts`
- [ ] Checked existing entity/action names for the affected module
- [ ] Confirmed whether security-denial auditing is required
- [ ] Confirmed audit payload expectations
## Duplication Review
- [ ] No duplicate services
- [ ] No duplicate APIs
- [ ] No duplicate permissions or role models
- [ ] No duplicate export/report systems
- [ ] No duplicate PDF rendering path
- [ ] No duplicate approval workflow logic
## Security Review
- [ ] Direct role-string authorization is not used
- [ ] Scope enforcement is server-side
- [ ] Branch/product/ownership/pricing visibility is enforced where applicable
- [ ] Client-side visibility is treated as UX-only, not as security
## UI / UX Review
- [ ] Reviewed `docs/standards/ui-ux-rules.md`
- [ ] Reused `PageContainer`, table, filter, and form patterns where applicable
- [ ] Confirmed terminology consistency with `docs/business/crm-terminology.md`
## Verification Review
- [ ] Defined typecheck/lint/test verification
- [ ] Defined manual scenarios for scope/security-sensitive work
- [ ] Recorded known risks and follow-up items