cesnimda/jobtrackingapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
jobtrackingapp/.gsd/REQUIREMENTS.md
T

21 KiB
Raw Permalink Blame History

Requirements

This file is the explicit capability and coverage contract for the project.

Active

R008 — The app may draft application, reply, and follow-up content, but it must not auto-send emails or auto-apply to jobs.

  • Class: constraint
  • Status: active
  • Description: The app may draft application, reply, and follow-up content, but it must not auto-send emails or auto-apply to jobs.
  • Why it matters: The user called auto-sending dangerous and explicitly does not want that behavior.
  • Source: user
  • Primary owning slice: M001/S03
  • Supporting slices: M001/S05
  • Validation: Constrained by S03 follow-up tests and workspace UX: focused backend/frontend verification proves drafting uses context while outbound follow-up still requires an explicit manual send/log action.
  • Notes: S03 re-checked the manual-send boundary inside the follow-up workspace: users edit drafts locally and POST /api/jobapplications/{id}/send-followup fires only from the explicit send/log action. The broader anti-autonomy constraint still remains active across later milestone validation.

R009 — Core UX, data model emphasis, and roadmap decisions should optimize for one person managing their own search.

  • Class: constraint
  • Status: active
  • Description: Core UX, data model emphasis, and roadmap decisions should optimize for one person managing their own search.
  • Why it matters: Individual-first scope keeps product decisions sharp and prevents premature recruiter/CRM drift.
  • Source: user
  • Primary owning slice: M001/S04
  • Supporting slices: M002/S01, M004/S01
  • Validation: mapped
  • Notes: Shared/team workflows are not the current product target.

R018 — Run an adversarial security assessment against the application across input validation, authentication, authorization, API exposure, file uploads, and data exposure.

  • Class: operational
  • Status: active
  • Description: Run an adversarial security assessment against the application across input validation, authentication, authorization, API exposure, file uploads, and data exposure.
  • Why it matters: The next milestone is explicitly a hostile security-testing pass intended to find vulnerabilities before attackers do.
  • Source: user-security-milestone
  • Primary owning slice: M013
  • Validation: Produce verified findings or an explicit no-finding result for each requested attack category.
  • Notes: Assessment should assume weak protections and behave like an aggressive tester, not a happy-path reviewer.

R019 — For each security issue found, record the vulnerability description, an example exploit input, risk level, and a clear remediation recommendation.

  • Class: functional
  • Status: active
  • Description: For each security issue found, record the vulnerability description, an example exploit input, risk level, and a clear remediation recommendation.
  • Why it matters: Security testing is only useful if the output is actionable for remediation and triage.
  • Source: user-security-milestone
  • Primary owning slice: M013
  • Validation: Each finding includes description, exploit example, risk rating, and fix guidance.
  • Notes: If no issue is found in a category, the milestone should still document what was tested and the observed boundary.

Validated

R001 — The user finds a job outside the app, imports it into the app, and starts the application workflow from that imported role.

  • Class: primary-user-loop
  • Status: validated
  • Description: The user finds a job outside the app, imports it into the app, and starts the application workflow from that imported role.
  • Why it matters: The product is not a job board replacement; the import step is the real start of the user loop.
  • Source: user
  • Primary owning slice: M001/S01
  • Supporting slices: M001/S05
  • Validation: S01 completed with a job-scoped Gmail import loop wired into the job workspace: backend GET /api/gmail/job-candidates uses the owned job as context, imports target that job directly, and focused UI verification passed in job-tracker-ui/src/correspondence-gmail-import.test.tsx.
  • Notes: Validation is contract/UI-level plus workspace integration. Live user UAT of the broader milestone loop still remains for later slices.

R002 — Gmail connection, message retrieval, single-message/thread import, and linked-thread refresh must help the user pull real correspondence into the right job, preserve full thread continuity, and automatically surface later inbound or user-sent replies without requiring manual re-import of the thread.

  • Class: integration
  • Status: validated
  • Description: Gmail connection, message retrieval, single-message/thread import, and linked-thread refresh must help the user pull real correspondence into the right job, preserve full thread continuity, and automatically surface later inbound or user-sent replies without requiring manual re-import of the thread.
  • Why it matters: Gmail import is one of the two clearest current weaknesses and a major trust surface for daily use; one-time import alone is not enough if the thread immediately goes stale.
  • Source: user
  • Primary owning slice: M001/S01
  • Supporting slices: M001/S03, M001/S05
  • Validation: Validated by M001/S01: backend POST /api/gmail/refresh-linked-threads now refreshes already-linked Gmail thread ids for one owned job, imports only unseen replies into the same job with duplicate-safe counts, focused GmailControllerTests pass via dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter GmailControllerTests, and job-tracker-ui/src/correspondence-gmail-import.test.tsx proves the workspace auto-refresh path shows a later Gmail reply without manual re-import.
  • Notes: S01 now covers job-aware Gmail candidate ranking, duplicate-safe single-message/thread import, persisted Gmail thread/from/to metadata, and automatic linked-thread continuity inside the correspondence workspace.

R003 — Tailored CV and cover-letter drafts must feel specific, credible, and good enough that the user wants to start from them.

  • Class: differentiator
  • Status: validated
  • Description: Tailored CV and cover-letter drafts must feel specific, credible, and good enough that the user wants to start from them.
  • Why it matters: Draft generation exists already, but the milestone bar is actual usefulness rather than feature presence.
  • Source: user
  • Primary owning slice: M001/S02
  • Supporting slices: M001/S05
  • Validation: Validated by M001/S02: dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsApplicationPackageTests now passes with package generation using recruiter/job/profile/attachment/imported-correspondence context, and CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/job-details-generated-drafts.test.tsx proves generation, editing, save, and saved-state redisplay behavior in the job workspace.
  • Notes: S02 also proved the saved application-answer loop by replacing the marker-delimited notes block instead of appending indefinitely.

R004 — The app must generate follow-up and reply drafts from the imported job, saved application material, and correspondence context tied to that job.

  • Class: primary-user-loop
  • Status: validated
  • Description: The app must generate follow-up and reply drafts from the imported job, saved application material, and correspondence context tied to that job.
  • Why it matters: Follow-through is part of the core value, not an optional afterthought.
  • Source: user
  • Primary owning slice: M001/S03
  • Supporting slices: M001/S01, M001/S02, M001/S05
  • Validation: Validated by M001/S03: follow-up draft generation now consumes imported correspondence plus saved application package material, focused backend follow-up tests pass in an isolated harness, the focused React follow-up test passes, and browser verification on the built branch UI proved the grounded follow-up draft plus manual send/log flow back into correspondence.
  • Notes: S03 validated the follow-up half of the requirement. Explicit reply drafting may still be deepened later, but the requirement-level milestone bar is now met for job-grounded follow-up/reply assistance without autonomous sending.

R005 — The first page should give the user a clear overview of jobs, status, readiness, and what needs attention.

  • Class: continuity
  • Status: validated
  • Description: The first page should give the user a clear overview of jobs, status, readiness, and what needs attention.
  • Why it matters: The user explicitly wants to start from the job table each day.
  • Source: user
  • Primary owning slice: M001/S04
  • Supporting slices: M001/S05
  • Validation: Validated by M001/S04: the job table now exposes actionable urgency chips that route directly into the relevant job workspace tab, focused daily-loop UI tests pass, and browser verification confirmed the table/dashboard/reminders flow routes into the same workspace model.
  • Notes: S04 made the table a practical first-stop overview for daily use rather than a passive list.

R006 — The dashboard and follow-up surfaces must clearly show next actions, neglected threads, and jobs that need attention now.

  • Class: continuity
  • Status: validated
  • Description: The dashboard and follow-up surfaces must clearly show next actions, neglected threads, and jobs that need attention now.
  • Why it matters: Tracking is only valuable if it turns state into action.
  • Source: user
  • Primary owning slice: M001/S04
  • Supporting slices: M001/S05
  • Validation: Validated by M001/S04: dashboard and reminders now expose actionable attention items routed into the existing job workspace, focused daily-loop UI tests pass, and browser verification confirmed those surfaces open the correct job workspace state.
  • Notes: S04 made the follow-up/dashboard surfaces show actionable urgency instead of dead-end summaries.

R007 — Each job needs a workspace where the user can update status, review/import correspondence, edit drafts, and prepare follow-ups.

  • Class: core-capability
  • Status: validated
  • Description: Each job needs a workspace where the user can update status, review/import correspondence, edit drafts, and prepare follow-ups.
  • Why it matters: The users third step in the daily flow is to drop into a specific job and do focused work.
  • Source: inferred
  • Primary owning slice: M001/S03
  • Supporting slices: M001/S02, M001/S04
  • Validation: Validated by M001/S03 and M001/S04: the per-job workspace now supports imported correspondence review, package drafting, follow-up drafting, and routed entry from overview surfaces, with focused tests and browser verification covering package and follow-up loops.
  • Notes: S01-S04 now make the individual job workspace the real execution surface for import, drafting, and follow-up work. The reopened Gmail continuity work extends what that correspondence review surface must keep current over time.

R010 — The app must preserve a coherent history across manual status changes, imported Gmail correspondence, linked-thread updates, reminders, and follow-up work.

  • Class: continuity
  • Status: validated
  • Description: The app must preserve a coherent history across manual status changes, imported Gmail correspondence, linked-thread updates, reminders, and follow-up work.
  • Why it matters: The product promise is to keep the thread of the job search intact over time, including new Gmail replies that happen after the first import.
  • Source: user
  • Primary owning slice: M001/S04
  • Supporting slices: M001/S01, M001/S03, M001/S05
  • Validation: Validated by M001/S05: dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsWorkflowSignalsTests proves backend reminders/readiness return normalized workflow trust signals, CI=true ./node_modules/.bin/react-scripts test --watch=false --runTestsByPath src/workflow-trust-signals.test.tsx src/end-to-end-trust-loop.test.tsx src/correspondence-gmail-import.test.tsx src/job-details-generated-drafts.test.tsx src/job-details-followup-drafts.test.tsx src/daily-control-loop.test.tsx proves /jobs, /dashboard, and /reminders route into the same workspace semantics while preserving saved package reuse, linked-thread continuity, and grounded follow-up drafting, and CI=true ./node_modules/.bin/react-scripts build confirms the integrated UI ships as one coherent loop.
  • Notes: S05 centralized workflow signals in job-tracker-ui/src/jobWorkflowSignals.ts, re-proved linked Gmail continuity in the shared workspace, and added an integrated trust-loop regression so coherence no longer depends on per-surface string heuristics.

Deferred

R011 — The app should later expand overview analytics, saved views, and clearer strategy readouts beyond the core daily loop.

  • Class: operability
  • Status: deferred
  • Description: The app should later expand overview analytics, saved views, and clearer strategy readouts beyond the core daily loop.
  • Why it matters: This can improve search strategy, but it is not the first trust gap to close.
  • Source: inferred
  • Primary owning slice: M002/S02
  • Supporting slices: none
  • Validation: unmapped
  • Notes: Deferred because Gmail import and draft quality are higher-value first fixes.

R012 — The app may later add richer message understanding, smarter thread handling, and broader inbox-aware assistance after the first Gmail milestone.

  • Class: integration
  • Status: deferred
  • Description: The app may later add richer message understanding, smarter thread handling, and broader inbox-aware assistance after the first Gmail milestone.
  • Why it matters: This extends the correspondence workflow, but it depends on getting the initial import/matching loop right first.
  • Source: inferred
  • Primary owning slice: M003/S01
  • Supporting slices: none
  • Validation: unmapped
  • Notes: This is the natural next step after M001 proves the core Gmail path, including linked-thread continuity.

R013 — The app may later add broader strategic coaching and more advanced guidance beyond application package and follow-up/reply drafting.

  • Class: differentiator
  • Status: deferred
  • Description: The app may later add broader strategic coaching and more advanced guidance beyond application package and follow-up/reply drafting.
  • Why it matters: There is room to deepen the assistant, but the current product bar is a stronger core workflow.
  • Source: inferred
  • Primary owning slice: M003/S02
  • Supporting slices: none
  • Validation: unmapped
  • Notes: Deferred to avoid scattering the first milestone.

Out of Scope

R014 — The app will not automatically submit applications to external job sites.

  • Class: anti-feature
  • Status: out-of-scope
  • Description: The app will not automatically submit applications to external job sites.
  • Why it matters: This prevents product drift into risky, low-trust automation the user explicitly does not want.
  • Source: user
  • Primary owning slice: none
  • Supporting slices: none
  • Validation: n/a
  • Notes: The app starts after discovery/import, not at job search submission.

R015 — The app will not send replies, follow-ups, or other communication autonomously.

  • Class: anti-feature
  • Status: out-of-scope
  • Description: The app will not send replies, follow-ups, or other communication autonomously.
  • Why it matters: Manual control over outbound communication is a hard trust requirement.
  • Source: user
  • Primary owning slice: none
  • Supporting slices: none
  • Validation: n/a
  • Notes: Drafting is allowed; autonomous sending is not. Automatic thread refresh/import of already-sent Gmail replies is allowed because it reflects history after the user sends manually.

R016 — The product will not optimize for shared pipelines, recruiter operations, or multi-user coaching workflows right now.

  • Class: out-of-scope
  • Status: out-of-scope
  • Description: The product will not optimize for shared pipelines, recruiter operations, or multi-user coaching workflows right now.
  • Why it matters: This protects the individual-first product shape.
  • Source: user
  • Primary owning slice: none
  • Supporting slices: none
  • Validation: n/a
  • Notes: Multi-user admin surfaces may exist technically, but they are not the roadmap center.

R017 — The app will not try to replace external job boards as the main discovery surface.

  • Class: out-of-scope
  • Status: out-of-scope
  • Description: The app will not try to replace external job boards as the main discovery surface.
  • Why it matters: The user explicitly described a workflow that starts after finding the job elsewhere.
  • Source: user
  • Primary owning slice: none
  • Supporting slices: none
  • Validation: n/a
  • Notes: Job import is the bridge from external discovery into the app.

Traceability

ID Class Status Primary owner Supporting Proof
R001 primary-user-loop validated M001/S01 M001/S05 S01 completed with a job-scoped Gmail import loop wired into the job workspace: backend GET /api/gmail/job-candidates uses the owned job as context, imports target that job directly, and focused UI verification passed in job-tracker-ui/src/correspondence-gmail-import.test.tsx.
R002 integration validated M001/S01 M001/S03, M001/S05 Validated by M001/S01: backend POST /api/gmail/refresh-linked-threads now refreshes already-linked Gmail thread ids for one owned job, imports only unseen replies into the same job with duplicate-safe counts, focused GmailControllerTests pass via dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter GmailControllerTests, and job-tracker-ui/src/correspondence-gmail-import.test.tsx proves the workspace auto-refresh path shows a later Gmail reply without manual re-import.
R003 differentiator validated M001/S02 M001/S05 Validated by M001/S02: dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsApplicationPackageTests now passes with package generation using recruiter/job/profile/attachment/imported-correspondence context, and CI=true npm --prefix job-tracker-ui test -- --watch=false --runTestsByPath src/job-details-generated-drafts.test.tsx proves generation, editing, save, and saved-state redisplay behavior in the job workspace.
R004 primary-user-loop validated M001/S03 M001/S01, M001/S02, M001/S05 Validated by M001/S03: follow-up draft generation now consumes imported correspondence plus saved application package material, focused backend follow-up tests pass in an isolated harness, the focused React follow-up test passes, and browser verification on the built branch UI proved the grounded follow-up draft plus manual send/log flow back into correspondence.
R005 continuity validated M001/S04 M001/S05 Validated by M001/S04: the job table now exposes actionable urgency chips that route directly into the relevant job workspace tab, focused daily-loop UI tests pass, and browser verification confirmed the table/dashboard/reminders flow routes into the same workspace model.
R006 continuity validated M001/S04 M001/S05 Validated by M001/S04: dashboard and reminders now expose actionable attention items routed into the existing job workspace, focused daily-loop UI tests pass, and browser verification confirmed those surfaces open the correct job workspace state.
R007 core-capability validated M001/S03 M001/S02, M001/S04 Validated by M001/S03 and M001/S04: the per-job workspace now supports imported correspondence review, package drafting, follow-up drafting, and routed entry from overview surfaces, with focused tests and browser verification covering package and follow-up loops.
R008 constraint active M001/S03 M001/S05 Constrained by S03 follow-up tests and workspace UX: focused backend/frontend verification proves drafting uses context while outbound follow-up still requires an explicit manual send/log action.
R009 constraint active M001/S04 M002/S01, M004/S01 mapped
R010 continuity validated M001/S04 M001/S01, M001/S03, M001/S05 Validated by M001/S05: dotnet test JobTrackerApi.Tests/JobTrackerApi.Tests.csproj --filter JobApplicationsWorkflowSignalsTests proves backend reminders/readiness return normalized workflow trust signals, CI=true ./node_modules/.bin/react-scripts test --watch=false --runTestsByPath src/workflow-trust-signals.test.tsx src/end-to-end-trust-loop.test.tsx src/correspondence-gmail-import.test.tsx src/job-details-generated-drafts.test.tsx src/job-details-followup-drafts.test.tsx src/daily-control-loop.test.tsx proves /jobs, /dashboard, and /reminders route into the same workspace semantics while preserving saved package reuse, linked-thread continuity, and grounded follow-up drafting, and CI=true ./node_modules/.bin/react-scripts build confirms the integrated UI ships as one coherent loop.
R011 operability deferred M002/S02 none unmapped
R012 integration deferred M003/S01 none unmapped
R013 differentiator deferred M003/S02 none unmapped
R014 anti-feature out-of-scope none none n/a
R015 anti-feature out-of-scope none none n/a
R016 out-of-scope out-of-scope none none n/a
R017 out-of-scope out-of-scope none none n/a
R018 operational active M013 none Produce verified findings or an explicit no-finding result for each requested attack category.
R019 functional active M013 none Each finding includes description, exploit example, risk rating, and fix guidance.

Coverage Summary

  • Active requirements: 4
  • Mapped to slices: 4
  • Validated: 8 (R001, R002, R003, R004, R005, R006, R007, R010)
  • Unmapped active requirements: 0
Reference in New Issue View Git Blame Copy Permalink