agentic-dev/docs/work/epics/compliance-docs-scaffolds/03-policy-templates/_story.md

id: 03-policy-templates
epic: compliance-docs-scaffolds
title: Write seven policy templates in docs/compliance/templates/
type: user-story
status: done
feature: ~
depends-on / blocks: 04-pre-launch-compliance-checklist, 05-compliance-overview
created: 2026-05-20T12:00:00Z
updated: 2026-05-20T12:21:53.062Z

Goal

Create docs/compliance/templates/ and populate it with seven *.template.md files: two anchored templates (incident-runbook, dsr-procedure) cross-referencing real shipped features, and five skeleton templates (backup-policy, password-policy, device-policy, onboarding, offboarding) with "not code-enforced" banners. All templates use the [FILL IN: <description>] marker convention throughout.

Why

A downstream consumer preparing for a DPA audit currently writes organizational policy documents from a blank page. These templates reduce that to copy-and-fill work. The anchored templates are substantive because the template ships the relevant code (DSR endpoints, audit channel, Sentry alerting, security headers, rate-limit) — they reference real ADR numbers and pnpm commands so the procedure matches the shipped system. The skeleton templates provide the document structure; the consumer supplies the organization-specific content.

Done when

  • docs/compliance/templates/ directory exists with exactly 7 files: incident-runbook.template.md, dsr-procedure.template.md, backup-policy.template.md, password-policy.template.md, device-policy.template.md, onboarding.template.md, offboarding.template.md.
  • Each template has YAML frontmatter with status: template and playbook-section: <n>.
  • Anchored templates (incident-runbook, dsr-procedure) each reference at least one ADR number and one pnpm command or shipped interface/endpoint; each still contains [FILL IN:] markers for org-specific values (contacts, SLA targets, etc.).
  • Skeleton templates all open with the "not code-enforced" banner; password-policy.template.md's banner cites ADR-025's explicit deferral of MFA + password policy + lockout by ADR number.
  • grep -rn '\[FILL IN:' docs/compliance/templates/ returns hits in every template.
  • Every relative Markdown link in the new files resolves to an existing file.
  • pnpm lint && pnpm typecheck && pnpm test && pnpm conformance && pnpm fallow:audit all pass.
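The "Done when" list above can be checked mechanically before the pnpm gates run. The checker below is an added example, not project code; it assumes the banner wording "not code-enforced" and resolves relative links from docs/compliance/templates/.

```python
import posixpath
import re

TEMPLATE_DIR = "docs/compliance/templates"
EXPECTED = {"incident-runbook", "dsr-procedure", "backup-policy", "password-policy",
            "device-policy", "onboarding", "offboarding"}
ANCHORED = {"incident-runbook", "dsr-procedure"}
BANNER = "not code-enforced"  # banner wording assumed from the story text
FRONTMATTER = re.compile(r"\A---\n(.*?)\n---\n(.*)\Z", re.S)
# Relative link targets only: the lookahead skips https:, mailto: etc.; fragment dropped.
MD_LINK = re.compile(r"\]\((?![a-zA-Z]+:)([^)#\s]+)")

def check_templates(files, existing_paths):
    """Return violations of the Done-when list for {filename: content}; [] means done."""
    problems = []
    stems = {n.removesuffix(".template.md") for n in files}
    if stems != EXPECTED:
        problems.append(f"file set differs from the seven expected: {sorted(stems ^ EXPECTED)}")
    for name, text in sorted(files.items()):
        stem = name.removesuffix(".template.md")
        m = FRONTMATTER.match(text)
        if not m:
            problems.append(f"{name}: missing YAML frontmatter")
            continue
        front, body = m.groups()
        if not (re.search(r"^status: template$", front, re.M)
                and re.search(r"^playbook-section: \d+$", front, re.M)):
            problems.append(f"{name}: frontmatter needs status: template and playbook-section: <n>")
        if "[FILL IN:" not in body:
            problems.append(f"{name}: no [FILL IN:] markers")
        if stem in ANCHORED:  # must cite a real ADR plus a pnpm command or endpoint
            if not (re.search(r"\bADR-\d{3}\b", body) and re.search(r"\bpnpm \S+|/api/\S+", body)):
                problems.append(f"{name}: anchored template lacks an ADR or a command/endpoint")
        else:  # skeletons open with the banner; password-policy's banner cites ADR-025
            first = next((ln for ln in body.splitlines() if ln.strip()), "")
            if BANNER not in first:
                problems.append(f"{name}: skeleton must open with the {BANNER!r} banner")
            if stem == "password-policy" and "ADR-025" not in first:
                problems.append(f"{name}: banner must cite ADR-025 by number")
        for target in MD_LINK.findall(body):  # every relative link must resolve
            resolved = posixpath.normpath(posixpath.join(TEMPLATE_DIR, target))
            if resolved not in existing_paths:
                problems.append(f"{name}: link {target} -> {resolved} does not resolve")
    return problems

# Constructed sample: one minimal skeleton template plus the path its link targets.
SAMPLE_SKELETON = ("---\nstatus: template\nplaybook-section: 7\n---\n"
                   "> This policy is not code-enforced; see ADR-025.\n\n"
                   "Owner: [FILL IN: policy owner]. See [DSR guide](../dsr.md).\n")
SAMPLE_EXISTING = {"docs/compliance/dsr.md"}
```

To run it against a checkout, read every *.template.md in the directory into the dict and pass the set of repo-relative paths from git ls-files as existing_paths.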

In scope

  • docs/compliance/templates/incident-runbook.template.md — breach detection → triage → containment → notification (GDPR Art. 33 72h / DPA 24h) → post-mortem; cross-references ADR-018 (audit channel), ADR-014 (Sentry alerting), Epic C (security-headers + rate-limit surfaces).
  • docs/compliance/templates/dsr-procedure.template.md — DSR receipt → validation → fulfilment → recording; cross-references Epic B DSR endpoints (/api/gdpr/*), core-dsr interfaces, audit CONSENT_*/RESTRICT actions, compliance/data-map.yml (Epic A).
  • docs/compliance/templates/backup-policy.template.md — skeleton with banner.
  • docs/compliance/templates/password-policy.template.md — skeleton with banner; banner cites ADR-025 MFA/password/lockout deferral.
  • docs/compliance/templates/device-policy.template.md — skeleton with banner.
  • docs/compliance/templates/onboarding.template.md — skeleton with banner.
  • docs/compliance/templates/offboarding.template.md — skeleton with banner.

Out of scope

  • Filling in org-specific values — the [FILL IN:] markers are intentionally left for the consumer.
  • Any changes to existing compliance guides (dsr.md, consent.md, etc.).
  • A CI gate enforcing no [FILL IN:] in compliance/ (deferred).

Tasks

  • Create docs/compliance/templates/ and write incident-runbook.template.md + dsr-procedure.template.md: both anchored with YAML frontmatter (status: template, playbook-section), procedure skeleton cross-referencing real ADRs/commands/interfaces/endpoints, and [FILL IN:] markers for org-specific values; commit as docs(compliance): add anchored policy templates (incident-runbook, dsr-procedure).
  • Write backup-policy.template.md, password-policy.template.md, device-policy.template.md, onboarding.template.md, and offboarding.template.md in docs/compliance/templates/: each with YAML frontmatter, the "not code-enforced" banner (password-policy's banner cites ADR-025 MFA/lockout deferral by number), and [FILL IN:] markers throughout; commit as docs(compliance): add skeleton policy templates (backup, password, device, onboarding, offboarding).