CONSTRAINT SPEC (ONE-PAGE TEMPLATE)

Purpose
- What user problem are we solving? (One sentence, no solution words.)
- Who is the primary user? Who is explicitly NOT the user?

Non-Negotiable Constraints (fill these before design/code)

1) Data classification
- What data types touch this feature? (PII, payment data, health data, internal-only, etc.)
- Where will data be stored and for how long? What is the deletion story?
- Is any data sent to third parties (analytics, LLM providers, email/SMS, support tools)? List them.

2) Permissions & tenancy
- What actions are allowed per role? (viewer/editor/admin)
- Any cross-tenant risk? State the invariant: “No user can ever access another tenant’s data.”
- Export, sharing, impersonation, and search: allowed or disallowed. Be explicit.

3) Policy surface area
- What policies does this create or modify? (refunds, appeals, moderation, rate limits, content rules)
- Who owns each policy decision? (Product, Legal, Security, Support, Finance)

4) Abuse & failure modes
- List the top 5 ways this can be abused or can break.
- For each: what is the user harm and what is the company risk?

5) Rollout controls
- Feature flag name:
- Default state (off/on):
- Eligibility rules (internal-only, allowlist, by plan tier, by region):
- Kill switch: what exactly gets disabled first?

6) Observability (decide before launch)
- Required audit events (action, actor, tenant, target, timestamp):
- Key logs/metrics that indicate risk (auth errors, export volume spikes, elevated failures):
- Where do alerts go and who is on call?

Definition of Done (must be testable)
- Tests required (unit/integration/e2e) for: auth, data retention/deletion, billing impact
- Documentation required: user docs, admin docs, support runbook
- Support readiness: macros, escalation path, known-issues list

Decision Record
- What tradeoff did we choose and why?
- What did we explicitly reject?
- Date + approvers (names/roles)

Launch Checklist (yes/no)
- Constraints approved by Product + Eng + Security + Legal (as needed)
- Flag + kill switch implemented and tested
- Audit logs verified in staging
- Support runbook published
- Post-launch owner assigned for first two weeks
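The "Permissions & tenancy" invariant and the "Observability" audit-event fields above are the two items a reviewer most often asks to see as code rather than prose. The following is an added example, not part of the template: a tenant-scoped data-access layer that checks the tenant invariant before the role check, refuses to reveal whether a record exists in another tenant, and appends an audit event (action, actor, tenant, target, timestamp, outcome) for every decision. The role table, record fields, sample records and the `denied_tenant_events` risk signal are all constructed for illustration.

```python
# Added example (not part of the template): enforcing the tenancy invariant
# "no user can ever access another tenant's data" at the data-access layer,
# role-based action checks, and the audit event shape the Observability
# section asks for. Roles, record fields and sample data are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed role table: which actions each role may perform.
ROLE_ACTIONS = {
    "viewer": {"read"},
    "editor": {"read", "update"},
    "admin": {"read", "update", "export", "delete"},
}

@dataclass(frozen=True)
class Actor:
    user_id: str
    tenant_id: str
    role: str

@dataclass
class Record:
    record_id: str
    tenant_id: str
    data_class: str  # e.g. "pii" or "internal", per the Data classification section
    body: str

class AccessDenied(Exception):
    pass

class TenantScopedStore:
    """Every access goes through authorize(): tenant invariant first, role
    second, and an audit event appended whatever the outcome."""

    def __init__(self, records):
        self._records = {r.record_id: r for r in records}
        self.audit_log = []

    def _audit(self, action, actor, target, outcome):
        event = {
            "action": action,
            "actor": actor.user_id,
            "tenant": actor.tenant_id,
            "target": target,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "outcome": outcome,
        }
        self.audit_log.append(event)
        return event

    def authorize(self, actor, action, record_id):
        record = self._records.get(record_id)
        # A missing record and another tenant's record get the same answer,
        # so the error message does not leak the existence of foreign data.
        if record is None or record.tenant_id != actor.tenant_id:
            self._audit(action, actor, record_id, "denied:tenant")
            raise AccessDenied("record not found")
        if action not in ROLE_ACTIONS.get(actor.role, set()):
            self._audit(action, actor, record_id, "denied:role")
            raise AccessDenied("role %s may not %s" % (actor.role, action))
        self._audit(action, actor, record_id, "allowed")
        return record

    def read(self, actor, record_id):
        return self.authorize(actor, "read", record_id).body

    def export(self, actor, record_id):
        return self.authorize(actor, "export", record_id).body

def denied_tenant_events(audit_log):
    """Risk signal from the Observability section: cross-tenant denials
    counted per actor, so an alert can fire on a spike."""
    counts = {}
    for e in audit_log:
        if e["outcome"] == "denied:tenant":
            counts[e["actor"]] = counts.get(e["actor"], 0) + 1
    return counts

# Constructed sample data: two tenants, one record each.
SAMPLE_RECORDS = [
    Record("r1", "tenant-a", "pii", "alice@example.com"),
    Record("r2", "tenant-b", "internal", "quarterly notes"),
]

def demo():
    store = TenantScopedStore(SAMPLE_RECORDS)
    viewer_a = Actor("u1", "tenant-a", "viewer")
    admin_b = Actor("u2", "tenant-b", "admin")
    results = {}
    results["viewer_reads_own"] = store.read(viewer_a, "r1")
    try:
        store.read(admin_b, "r1")   # cross-tenant: denied even for an admin
        results["admin_reads_other"] = "allowed"
    except AccessDenied:
        results["admin_reads_other"] = "denied"
    try:
        store.export(viewer_a, "r1")  # own tenant, but the role may not export
        results["viewer_exports_own"] = "allowed"
    except AccessDenied:
        results["viewer_exports_own"] = "denied"
    results["denials_by_actor"] = denied_tenant_events(store.audit_log)
    results["audit_events"] = len(store.audit_log)
    return results

if __name__ == "__main__":
    print(demo())
```

The ordering matters: checking the tenant before the role means a cross-tenant request by an admin is still refused, and recording the denial as its own outcome keeps the "auth errors" metric from the Observability section separable from ordinary role misses.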
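The "Rollout controls" section lists a flag name, a default state, eligibility rules and a kill switch but leaves the evaluation order implicit. The following is an added example, not part of the template, that encodes those fields as data and evaluates the kill switch before any eligibility rule, so that cutting a capability (the "what gets disabled first" question) works even for allowlisted or internal users. The flag name `bulk_export_v2`, the capability names and the sample users are constructed for illustration.

```python
# Added example (not part of the template): the Rollout controls fields as
# data plus an evaluation order in which the kill switch is checked before
# every eligibility rule. Flag name, capabilities and users are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class User:
    user_id: str
    is_internal: bool
    plan_tier: str
    region: str

@dataclass
class FeatureFlag:
    name: str
    on: bool = False                          # default state: off until rollout starts
    internal_only: bool = False               # eligibility: internal staff only
    allowlist: frozenset = frozenset()        # eligibility: explicit user ids (empty = none)
    plan_tiers: frozenset = frozenset()       # eligibility: by plan tier (empty = any tier)
    regions: frozenset = frozenset()          # eligibility: by region (empty = any region)
    killed: set = field(default_factory=set)  # kill switch: capability names, or "all"

    def kill(self, capability="all"):
        """What gets disabled first: a named capability (e.g. "export") can
        be cut on its own before the whole feature ("all")."""
        self.killed.add(capability)

    def is_enabled(self, user, capability="core"):
        # 1. Kill switch wins over every other rule, including the allowlist.
        if "all" in self.killed or capability in self.killed:
            return False
        # 2. Global default state.
        if not self.on:
            return False
        # 3. Eligibility rules; each one only narrows the audience.
        if self.internal_only and not user.is_internal:
            return False
        if self.allowlist and user.user_id not in self.allowlist:
            return False
        if self.plan_tiers and user.plan_tier not in self.plan_tiers:
            return False
        if self.regions and user.region not in self.regions:
            return False
        return True

def eligible_user_ids(flag, users, capability="core"):
    """Who would see the feature right now: a pre-launch check that the
    configured rules match the approved rollout scope."""
    return sorted(u.user_id for u in users if flag.is_enabled(u, capability))

# Constructed users covering each eligibility dimension.
USERS = [
    User("staff1", True, "enterprise", "us"),
    User("ent-eu", False, "enterprise", "eu"),
    User("free-eu", False, "free", "eu"),
    User("ent-apac", False, "enterprise", "apac"),
]

def demo():
    flag = FeatureFlag("bulk_export_v2")   # constructed flag name
    stages = {}
    stages["default_off"] = eligible_user_ids(flag, USERS)
    flag.on = True
    flag.internal_only = True
    stages["internal_only"] = eligible_user_ids(flag, USERS)
    flag.internal_only = False
    flag.plan_tiers = frozenset({"enterprise"})
    flag.regions = frozenset({"us", "eu"})
    stages["tier_and_region"] = eligible_user_ids(flag, USERS)
    flag.kill("export")                    # cut the risky capability first
    stages["export_killed"] = eligible_user_ids(flag, USERS, "export")
    stages["core_still_on"] = eligible_user_ids(flag, USERS, "core")
    flag.kill("all")                       # then the whole feature
    stages["all_killed"] = eligible_user_ids(flag, USERS, "core")
    return stages

if __name__ == "__main__":
    for stage, ids in demo().items():
        print(stage, ids)
```

Running `demo()` walks the flag through the rollout stages in the checklist: nobody sees it while off, only staff during internal-only, the approved tier/region audience afterwards, and the kill switch removes first the export capability and then everything, regardless of who was eligible.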