surface/PRD.json at main · openthreadsdev/surface · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
{
  "projectMetadata": {
    "projectName": "OpenThreads Trace | Compliance Exposure Scanner Browser Extension",
    "version": "1.0.0",
    "lastUpdated": "2026-02-28",
    "projectLead": "OpenThreads.dev",
    "distributionWedge": "Cross-platform (any product page)",
    "restructuredFor": "Long-running agent workflows per Anthropic recommendations"
  },
  "productScope": {
    "mvp": {
      "description": "A cross-browser extension that scans any consumer-product page (Shopify, WooCommerce, Amazon, Etsy, DTC sites) for compliance-surface completeness signals, flags potentially risky marketing claims, and generates a shareable/reportable checklist with export to Threadmark-compatible JSON.",
      "coreFeatures": [
        "One-click scan of current page and extraction of page metadata (URL, title, SKU hints)",
        "Rule-based detection of required/expected disclosure fields (materials, origin, manufacturer/contact, warnings, instructions, certifications)",
        "Claim risk detection (eco, sustainable, biodegradable, non-toxic, etc.) with 'evidence required' prompts",
        "Manual product category selector (textiles, children, cosmetics, electronics, general)",
        "Risk score with explainable breakdown",
        "Evidence capture (selected text + optional screenshot)",
        "Export Threadmark-compatible JSON bundle"
      ]
    },
    "explicitExclusions": {
      "description": "Out of scope for v1:",
      "exclusions": [
        "Legal advice or guarantees of compliance",
        "Automated regulator submissions",
        "Automated platform enforcement",
        "Authenticated scraping behind private portals",
        "Machine-learning-based classification",
        "Full supply-chain traceability"
      ]
    },
    "boundaryNotes": "The extension provides heuristic completeness signals only. Users remain responsible for compliance decisions."
  },
  "personas": [
    {
      "name": "DTC Merchant",
      "role": "Primary",
      "painPoints": [
        "Unsure what information is missing",
        "Fear of marketplace takedowns",
        "Compliance feels vague"
      ],
      "goals": ["Clear checklist", "Avoid risky claims", "Structured export"]
    },
    {
      "name": "Compliance Consultant",
      "role": "Secondary",
      "painPoints": [
        "Manual reviews are slow",
        "Clients provide incomplete evidence"
      ],
      "goals": [
        "Fast exposure triage",
        "Shareable report",
        "Drive structured workflows"
      ]
    }
  ],
  "complianceAttributes": {
    "v1FieldGroups": [
      {
        "group": "Identity & Contacts",
        "fields": [
          { "key": "product_name", "required": true },
          { "key": "brand", "required": true },
          { "key": "manufacturer_name", "required": false },
          { "key": "manufacturer_address", "required": false },
          { "key": "contact_email_or_url", "required": false }
        ]
      },
      {
        "group": "Composition & Origin",
        "fields": [
          { "key": "materials", "required": false },
          { "key": "country_of_origin", "required": false }
        ]
      },
      {
        "group": "Safety & Use",
        "fields": [
          { "key": "warnings", "required": false },
          { "key": "instructions", "required": false },
          { "key": "care_instructions", "required": false }
        ]
      },
      {
        "group": "Claims & Evidence",
        "fields": [
          { "key": "marketing_claims", "required": false },
          { "key": "certifications", "required": false }
        ]
      }
    ]
  },
  "enterpriseRequirements": {
    "definitionOfDone": [
      "GitHub Actions CI runs on PR: lint, format check, typecheck, unit tests, build, and packages an artifact",
      "Pre-commit hook enforces formatting + linting + typecheck (fast path)",
      "Pre-push hook runs unit tests (fast path); full build/test enforcement is in CI",
      "CodeQL enabled (PR + weekly scheduled scan)",
      "Coverage reporting enabled (Codecov or equivalent) with an initial floor threshold",
      "Release workflow on tag produces signed/hashed artifacts and release notes"
    ],
    "nonFunctionalRequirements": {
      "performance": ["Scan completes within 2 seconds"],
      "security": [
        "No automatic data exfiltration",
        "User-initiated scan only",
        "Sanitized DOM parsing"
      ],
      "maintainability": ["Rules defined as JSON", "Unit tests per rule"]
    }
  },
  "riskRegister": [
    {
      "id": "R001",
      "risk": "Users interpret score as legal advice",
      "impact": "High",
      "mitigation": ["Clear disclaimers", "Use 'signals' language"]
    },
    {
      "id": "R002",
      "risk": "False positives/negatives",
      "impact": "Medium",
      "mitigation": ["Confidence levels", "Manual override option"]
    }
  ],
  "features": [
    {
      "id": "F005",
      "phase": 0,
      "name": "Engineering Baseline: Hooks + CI + Security Scanning",
      "description": "Establish OpenThreads extension engineering baseline to support a public wedge and future suite products.",
      "acceptanceCriteria": [
        "Pre-commit runs format + lint + typecheck in < 15s on typical changes",
        "Pre-push runs unit tests in < 60s on typical changes",
        "CI required checks: lint, typecheck, unit tests, build, package artifact",
        "CodeQL alerts visible in GitHub Security tab; scheduled weekly scan configured",
        "Coverage uploaded on CI; project threshold configured (start low, ratchet up)",
        "A reusable workflow/template exists for future OpenThreads extensions"
      ],
      "notes": [
        "Prefer shared reusable GitHub Actions workflows for suite scalability.",
        "Avoid strict per-file coverage gates early to prevent busywork."
      ],
      "status": "passes"
    },
    {
      "id": "F010",
      "phase": 1,
      "name": "Extension Shell UI",
      "description": "Popup with Scan button and category selector",
      "status": "passes"
    },
    {
      "id": "F020",
      "phase": 1,
      "name": "DOM Snapshot Capture",
      "description": "Capture page snapshot on user click",
      "status": "passes"
    },
    {
      "id": "F030",
      "phase": 1,
      "name": "Rule Engine v1",
      "description": "Data-driven JSON rules",
      "status": "passes"
    },
    {
      "id": "F040",
      "phase": 1,
      "name": "Risk Score Model",
      "description": "Explainable scoring based on missing disclosures and risky claims",
      "status": "passes"
    },
    {
      "id": "F050",
      "phase": 2,
      "name": "Evidence Clipper",
      "description": "Highlight and save text as evidence",
      "status": "passes"
    },
    {
      "id": "F060",
      "phase": 2,
      "name": "Threadmark JSON Export",
      "description": "Export structured bundle",
      "status": "passes"
    }
  ],
  "successMetrics": [
    {
      "metric": "Time to first scan",
      "target": "< 30 seconds from install"
    },
    {
      "metric": "Export rate",
      "target": "20% of active users export at least one bundle"
    }
  ],
  "originalPRD": {
    "summary": "Defines a cross-platform compliance exposure scanner extension to accelerate structured compliance capture and drive Threadmark adoption."
  }
}