Review builder

Stakeholder check-ins for system design and web delivery. Toggle appendix packs to surface rows; promotions raise effective P-tier automatically.

Checklist 2026.05.14 · Review

On the live hub after you publish: this page is static HTML/JS from Cloudflare Pages. Copy Markdown and Download JSON run entirely in your browser—no Worker call. Deploy a new hub build to pick up checklist or export-rule changes, then hard-refresh once (⌘⇧R / Ctrl+Shift+R) if the old export behavior persists.Generate Cursor prompt copies (or downloads) instructions plus the full checklist manifest for Cursor in the website-v4 repo; paste there, let Cursor research the code, then save its JSON and use Import JSON here. Part scope defaults to both parts; narrow it to match the rows you want in the prompt. Markdown export uses the same filters as the list (part, tier, packs) and only rows with a saved decision. Drafts persist in this browser until you export.

Bookmark: /review-builder (path is the same on production and preview; host depends on your Pages URL).

Preset

Presets set default appendix packs; you can still toggle packs afterward.

No appendix packs on by default — you toggle packs manually.

Tier filter

Filters which checklist rows appear below (effective tier, after promotions).

Part scope

Defaults to both parts. Same filter for the checklist, Markdown export, and the Cursor prompt row list.

Appendix packs

Turning a pack on can add rows and can promote items via rules in the manifest.

  • Enable when: PHI, BAAs, HIPAA-style obligations, or clinical adjacent workflows.

    reg_health

  • Enable when: cards, bank debits, stored payment methods, or merchant-of-record flows.

    payments_pci

  • Enable when: under-13, school rosters, FERPA/COPPA-style workflows.

    edu_child

  • Enable when: public sector, formal security questionnaires, stronger audit evidence.

    gov_procurement

  • Enable when: multiple orgs, delegated admins, cross-tenant isolation concerns.

    marketplace_multi_tenant

  • Enable when: posts, chat, uploads, public profiles, moderation workflows.

    ugc_social

  • Enable when: presence, co-editing, sustained WebSockets, fan-out.

    realtime_collab

  • Enable when: IndexedDB/service worker sync, unreliable networks, technicians in the field.

    offline_field

  • Enable when: region locks, cross-border transfers, sovereign/tribal data commitments.

    data_residency

  • Enable when: SAML/SSO mandates, SCIM, IP allowlists, strict admin separation.

    high_sec_enterprise

  • Enable when: LLM features, automated decisions, prompt injection risk, model change management.

    ai_product

  • Enable when: pixels, remarketing, affiliate measurement, marketing consent complexity.

    ads_measurement

  • Enable when: premium video/audio, geoblocked rights, entitlement services.

    media_rights

  • Enable when: inventory, tax, shipping, subscriptions, QBO-style accounting sync.

    commerce_ops

Checklist (20 rows)

Networking & edgePart I

  • DNS strategy (records, delegation, failover)

    p1-dns

    Effective P1Base P1
  • CDN / edge caching for static and dynamic assets

    p1-cdn

    Effective P1Base P1
  • TLS termination, cert lifecycle, HTTPS enforcement

    p1-tls-edge

    Effective P0Base P0
  • DDoS / WAF posture at edge (vendor features + rules)

    p1-ddos-waf

    Effective P1Base P1

Storage & cachingPart I

  • Primary database choice + backup / restore drills

    p1-db-primary

    Effective P0Base P0
  • Object storage for files (signed URLs, access control)

    p1-object-storage

    Effective P1Base P1

Compute & hostingPart I

  • Compute model (serverless vs containers vs VMs) + rationale

    p1-compute-model

    Effective P1Base P1

Communication & APIsPart I

  • API style (REST/GraphQL/gRPC) + versioning / deprecation policy

    p1-api-style

    Effective P1Base P1

SecurityPart I

  • Authentication (sessions, OAuth/OIDC, MFA where required)

    p1-authn

    Effective P0Base P0
  • Authorization model (RBAC/ABAC) + admin vs user surfaces

    p1-authz

    Effective P0Base P0
  • CSP / security headers baseline (XSS, clickjacking, MIME sniffing)

    Promotes to P0 when UGC or procurement pack is on.

    p1-csp-headers

    Effective P1Base P1
  • Secrets management (no secrets in repo; rotation story)

    p1-secrets

    Effective P0Base P0

Scalability & reliabilityPart I

  • Disaster recovery objectives (RPO/RTO) + failover drill evidence

    p1-dr

    Effective P1Base P1

ObservabilityPart I

  • SLOs / alerting + error budgets tied to user journeys

    p1-observe-slo

    Effective P1Base P1

Web client & UXPart II

  • Rendering model (MPA/SPA/SSR/SSG/ISR) + hydration boundaries

    p2-rendering

    Effective P1Base P1
  • Design system / component standards for shipped UI

    p2-design-system

    Effective P1Base P1

Performance & resiliencePart II

  • Core Web Vitals targets + measurement (LCP/INP/CLS)

    p2-cwv

    Effective P1Base P1

Accessibility & i18nPart II

  • Accessibility program (WCAG target, CI checks, manual audit cadence)

    p2-a11y

    Effective P1Base P1

Privacy, analytics & data lifecyclePart II

  • PII inventory + retention + deletion/export flows

    p2-privacy-pii

    Effective P1Base P1

Release engineering & operationsPart II

  • CI/CD pipeline, required checks, environment promotion

    p2-cicd

    Effective P1Base P1