# Definition of Done

Copy the section below into every Pull Request description. Tick what applies or leave unchecked if it doesnt apply.

---


**Type of PR** — pick one:

- [ ] Functional       — adds or changes user-visible behavior
- [ ] Non-functional   — improves a measurable property (perf, security, a11y …)
- [ ] Mixed            — both
- [ ] Internal         — refactor / docs / tests only

---

## 1 Process baseline — every box must be ticked, on every PR

- [ ] All acceptance criteria in the linked issue are met
- [ ] 1 review approval from a non-author
- [ ] CI green: lint, type-check, unit tests, build, secret-scan
- [ ] No secrets / tokens / credentials in the diff
- [ ] No new `TODO` / `FIXME` without a follow-up issue
- [ ] Docs updated if behavior, API, config, or architecture changed
- [ ] **No regression** of other NFR baselines (a11y / perf / security)

---

## 2 Outcome proof — fill the bullets that match your PR type

**Functional / Mixed PR:**

- [ ] ≥ 1 **black-box test** that exercises the acceptance criteria
  *e.g. upload a markdown file, then assert the chat answer cites it*


**Non-functional / Mixed PR:**

- [ ] **Measurement** that proves the acceptance criteria, attached to the PR
  *e.g. benchmark output for `chat p95 < 2 s`, axe audit for `a11y ≥ 90`, scan report for `0 critical CVEs`*


---

## 3 Cross-cutting impact — tick the areas this PR touches

For each area below, ask: **"does my PR touch this?"**

-> If **yes** → tick the area and complete its sub-checks (they become mandatory).\
-> If **no** → skip it.\
-> If nothing applies → tick *"None of the above"*.


- [ ] **UI touched**
  - [ ] Responsive on desktop **and** mobile
  - [ ] Contrast + visible focus state, no color-only signals
  *e.g. new button has a focus ring and is readable on a 360 px screen*

- [ ] **Backend endpoint added or changed**
  - [ ] Behind authentication — not accidentally public
  - [ ] Input validation (size / type / allowed values)
  - [ ] OpenAPI spec updated
  *e.g. `/upload` rejects files > 10 MB with a clear error*

- [ ] **Stores user data, ingested content, or LLM output**
  - [ ] Logged with the standard fields (request id, source, latency)
  - [ ] No PII / credentials in log output


- [ ] **New env var or config**
  - [ ] Added to `.env.example` and mentioned in `README.md`
  - [ ] No real value committed
  *e.g. `LLM_API_KEY=...` — only the key name lives in `.env.example`*

- [ ] **Deployment / build changed**
  - [ ] Deployable via the standard pipeline (no undocumented manual steps)
  - [ ] Local dev setup still works


- [ ] **None of the above** — purely internal change

---