---
arc42: "10 — Quality Requirements"
status: stub
---

## 10.1 Quality Tree

```
Quality
├── Functionality
│   ├── Capability search returns relevant results
│   ├── HATEOAS navigation works from root URL without prior knowledge
│   └── BSM validation rejects invalid submissions with actionable errors
├── Reliability
│   ├── Liveness status reflects actual service state within one check interval
│   └── Registry survives VPS restart (data persisted to volume)
├── Security Hygiene
│   ├── All traffic over HTTPS
│   ├── Write endpoints reject unauthenticated requests
│   └── No credentials or PII in logs or Git
└── Operability
    ├── Deployable from scratch on a new Hetzner VPS in < 30 minutes
    ├── Health endpoint reflects actual DB connectivity
    └── Logs provide enough context to diagnose a registration failure without a debugger
```

## 10.2 Quality Scenarios

| # | Stimulus | Response | Measurable Outcome |
|---|---|---|---|
| QS-01 | Agent sends `GET /api/services?capability=inventory.read` | Returns list of matching services with BSM summaries and `_links` | Response time < 500ms; result includes at least 1 registered service |
| QS-02 | Registrant submits BSM with missing required field | API returns 422 with field-level error identifying the missing field | Error response includes field name and reason; no partial write to DB |
| QS-03 | Registered service goes offline | Spider marks it `unreachable` within 15 min | `liveness_status=unreachable` and updated `last_checked_at` in API response |
| QS-04 | Agent sends `GET /api/` (root) | Returns JSON with `_links` to search, register, and health endpoints | No prior knowledge of path structure required; all links resolvable |
| QS-05 | VPS is rebooted | All services come back up automatically; registry data intact | `docker compose up` on restart (via restart policy); 0 data loss |
| QS-06 | Unauthenticated POST to `/api/register` | 401 Unauthorized | No registration created; API key required |
| QS-07 | STF reviewer opens portal in browser | Homepage shows registry stats + search; registration form works | Zero errors in browser console; form submits successfully |

## 10.3 MVP Acceptance Criteria

The PoC is **done** when all of the following are true:

- [ ] Public URL is reachable over HTTPS
- [ ] `GET /api/` returns valid HATEOAS navigation links
- [ ] `GET /api/services?capability=X` returns at least 1 result for at least 3 distinct capability queries
- [ ] At least 5 real services are registered (not demo fixtures)
- [ ] Spider has run at least one full check cycle and updated liveness status for all registered services
- [ ] Portal registration form accepts a valid BSM and shows confirmation
- [ ] Admin O-level assignment works via portal
- [ ] `GET /api/health` returns 200 with DB status
- [ ] No credentials or PII appear in `docker compose logs` output
- [ ] `infra/hetzner/provision.sh` + `deploy.sh` installs and starts the full stack on a fresh Hetzner VPS